National Security

 

 

https://sm.asisonline.org/Pages/Next-Gen-911.aspxNext-Gen 911GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-06-01T04:00:00Zhttps://adminsm.asisonline.org/pages/lilly-chapa.aspx, Lilly Chapa<p>​Overall, 2017 was a landmark year for catastrophic natural disasters in the United States, leading to dozens of deaths and revealing weaknesses in emergency response systems. Two regions were hit particularly hard—the Houston, Texas, area where more than 80 people were killed during a hurricane in August, and northern California where wildfires were responsible for more than 40 deaths in October.</p><p>These multiday disasters were far-reaching and overwhelming—for both citizens and first responders. During the Houston floods, overloaded 911 dispatch centers led hundreds of people to turn to social media for help, and kayak-paddling citizens pitched in to help rescue efforts. Criticism of emergency response during the California wildfires was swift—evacuation warnings during the rapidly evolving blaze were either delayed or nonexistent, and emergency lines were constantly tied up.</p><p>After-action reports by state and local officials are still being conducted, but the emergency communications failures have left citizens, law enforcement, and legislators looking for solutions.</p><p>The question of how people can seamlessly use their phones for a myriad of activities yet not use that same technology when calling 911 has been asked for years as mobile devices have become the standard—more than 80 percent of 911 calls are made from wireless devices. There is a mobile-friendly solution—albeit one that has not been widely adopted. Known as Next Generation 911 (NG911), the program is IP-based and would allow citizens to call, text, and send multimedia transmissions to dispatch centers, which would have enhanced response capabilities. </p><p>Many of the problems experienced during the Texas and California disasters—especially overloaded phone lines—could be avoided with such a system. NG911's enhanced location capabilities and ability to reroute calls to other dispatch centers would allow for more seamless emergency response, especially during high-volume call times.</p><p>While potential for such emergency communications technology improvements has been discussed for almost a decade, there is no federal requirement for dispatch centers to upgrade 911 technology, and it's up to states and localities to implement—and pay for—the new system. Legislation was passed in 2012 that outlines the federal role in helping communities transition to NG911 and calls on the U.S. National Highway Traffic Safety Administration (NHTSA) to coordinate efforts among U.S. federal, state, and local stakeholders. The overarching goal of the legislation is to connect the more than 6,000 independently operating systems in the United States into a nationwide interconnected system with modernized capabilities. </p><p>The U.S. Government Accountability Office (GAO) reviewed these federal efforts—known as the National 911 Program—and found that key challenges include addressing funding, governance, and interoperability and technology concerns. This year, NHTSA is planning to implement a $115 million grant program and outline a roadmap dictating national-level efforts to encourage NG911 adoption at the state and local levels.</p><p>"Collaborating with the appropriate federal agencies to determine federal roles and responsibilities to carry out the roadmap's national-level tasks could reduce barriers to agencies effectively working together to achieve those tasks," the GAO report states. "Furthermore, developing an implementation plan that details how the roadmap's tasks will be achieved would place the National 911 Program in a better position to effectively lead interagency efforts to implement NG911 nationwide."</p><p>At the end of the day, however, it's still up to each of the country's almost 6,000 dispatch centers to make the upgrade, if they choose. A U.S. Federal Communications Commission (FCC) congressional report released at the end of 2017 surveyed almost all states on their NG911 implementation efforts, finding that many were taking some steps to pave the way for the upgrades but they face funding challenges. </p><p>The FCC report details how dispatch centers are raising money to implement NG911 capabilities—a huge hurdle for localities, experts say. The National 911 Program commissioned a study last year assessing the cost of nationwide NG911 implementation, but it has been under review for months and has not been released publicly. However, some officials estimate it will cost $10 billion to implement across the country.</p><p>Officials at each state and locality are taking a different approach to raising money—often a combination of state funding and increased fees for phone subscribers. However, not all money raised so far is dedicated to upgrading 911 services. In 2016, states raised more than $2.7 billion in 911 fees, but only 7 percent of that money was spent on NG911 efforts versus maintaining legacy systems. Additionally, about 5 percent of the money collected was diverted to nonpublic safety uses, the report notes.</p><p>Localities also face challenges collecting subscriber fees. It's up to telecommunications companies to collect the fees and give them to the states and localities that have implemented them, but 20 states lack the ability to audit the companies to make sure they are collecting fees from all applicable subscribers. It's a common concern—counties are required to notify telecom companies of the fee increase and trust they will pay up.</p><p>One county in Nevada—one of the states that is unable to audit telecom companies—has one of 12 emergency communications systems in the United States that is three generations old. In trying to upgrade its system to NG911, the county implemented an increased subscriber fee in 2016 but has not received the expected amount of money due to sporadic telecom payments. The county expected to collect $150,000 for NG911 by now but has only received about $46,000.</p><p>Many localities are waiting for the NHTSA grants to become available, but experts agree that $115 million across almost 6,000 dispatch centers will not go far. In March, representatives of emergency communications organizations requested that Congress consider funding its own grant program for NG911.</p><p>"Without significant federal funding, we are concerned that 911 networks across the country, including in rural and urban areas, will not be upgraded quickly and efficiently," the letter notes.</p><p>"The grants will not cover it all—there will need to be significant local funding," says Andrew Huddleston, an assistant director at the GAO who worked on the NG911 report. "The grants are there to provide financial assistance—that's why we highlighted funding as a key challenge area for the states, because it can be a significant cost."</p><p>Huddleston says he visited several dispatch centers and saw how funding was a challenge for small and large communities alike.</p><p>"It can be more challenging for local governments that might have a smaller tax base, and even for larger ones because they have more infrastructure," Huddleston explains. "We visited a fairly large call center in an urban area that would seem like they had more resources than average, but they did talk about how during the transition time they would have to maintain their legacy 911 system as well as bring the NG911 system online—so basically paying for both while they are transitioning. That's hard from a money perspective."</p><p>Other challenges to nationwide NG911 implementation include interoperability and technology challenges. Thirteen states have deployed IP networks for local emergency services to use, but most dispatch centers remain on legacy networks, the report notes. An estimated 1,800 centers can receive text messages, but there is no data on how often citizens text instead of call emergency services. One Houston emergency operations center reported that it only received a handful of texts during the height of the floods, compared to tens of thousands of calls and hundreds of posts on social media. </p><p>While being NG911, compliant requires a set list of capabilities—securely using additional data for routing and answering calls, processing all types of calls and multimedia, and transferring calls with added data to other call centers or first responders—there are several ways to implement the upgrades. Even if two neighboring states are NG911 compliant, they may not have seamless interoperability if they are using different equipment or software solutions, the GAO report notes.</p><p>"The systems are supposed to be all interconnected—if you call one call center and it's overloaded, that call can be transferred to the next center seamlessly, and they can answer the call, so you still get emergency response and not put on hold," Huddleston says. "To be able to do those things you have to have interoperability. There are multiple software solutions that could be employed for NG911, so that's definitely something state and local governments will need to be willing to consider."</p><p>An IP-based emergency communications system will have to address cybersecurity challenges as well. The FCC report notes that in 2016, just eleven states and the District of Columbia had spent money on cybersecurity for their dispatch centers. Additionally, the GAO report discusses the federal government's role in assisting dispatch centers in strengthening their cybersecurity when switching to the new system. The U.S. Department of Homeland Security (DHS) issued a guide outlining cybersecurity risks of NG911 and what centers could do to mitigate them, the report notes.</p><p>"We talked about cyber risk because we're moving to an IT system, and that opens potential for different kinds of attacks than you'd have with the traditional 911 system," Huddleston explains. </p><p>Indeed, Baltimore's computer-based 911 system experienced outages in March due to a ransomware attack. The program that the city uses automatically populates the caller's location and dispatches the emergency responders closest to the caller, but the attack shut down the system for about 24 hours, requiring call centers to manually dispatch first responders.</p><p>Another challenge facing dispatch centers is setting up technology and guidelines for dealing with photos and videos sent through NG911. None of the states that GAO spoke with were processing multimedia through their 911 systems due to concerns related to privacy, liability, and the ability to store and manage the data.</p><p>"We highlighted multimedia as a challenge, since one of the intentions of NG911 is to allow not just voice calls but also video or images to be part of what citizens can share when they're trying to contact 911," Huddleston says. "But that creates challenges on the end of the 911 call centers—what do they do with the video? They have protocol for phone calls, but video is a different beast in terms of what to look for if there are privacy concerns."</p>

 

 

https://sm.asisonline.org/Pages/Postal-Peculiarities.aspx2017-12-01T05:00:00ZPostal Peculiarities
https://sm.asisonline.org/Pages/How-to-Build-a-Wall.aspx2017-06-01T04:00:00ZHow to Build a Wall
https://sm.asisonline.org/Pages/How-Smugglers-and-High-Risk-Travelers-Enter-the-US.aspx2017-05-04T04:00:00ZHow Smugglers and High Risk Travelers Enter the United States

 

 

https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx2018-06-01T04:00:00ZAttacks on the Record
https://sm.asisonline.org/Pages/Next-Gen-911.aspx2018-06-01T04:00:00ZNext-Gen 911
https://sm.asisonline.org/Pages/Far-Distant-Clearings.aspx2018-06-01T04:00:00ZFar Distant Clearings

 

 

https://sm.asisonline.org/Pages/Far-Distant-Clearings.aspx2018-06-01T04:00:00ZFar Distant Clearings
https://sm.asisonline.org/Pages/Space-Jam.aspx2018-05-01T04:00:00ZSpace Jam
https://sm.asisonline.org/Pages/The-Land-of-Plunder.aspx2018-04-01T04:00:00ZThe Land of Plunder?

 

 

https://sm.asisonline.org/Pages/Book Review-Misunderstanding Terrorism.aspx2018-06-01T04:00:00ZBook Review: Misunderstanding Terrorism
https://sm.asisonline.org/Pages/Book-Review---Nanoweapons.aspx2018-05-01T04:00:00ZBook Review: Nanoweapons
https://sm.asisonline.org/Pages/Book-Review---Emergency-Planning-for-Nuclear-Power-Plants-.aspx2018-05-01T04:00:00ZBook Review: Emergency Planning for Nuclear Power Plants

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Banks-Balk-on-Bud.aspxBanks Balk on Bud<p>​When seasoned security manager and longtime ASIS International member Brian Gouin started working as a consultant and virtual security manager for a medical marijuana production facility in Maryland, he certainly had some questions about the security challenges that the new gig might pose.  </p><p>Would external theft be a problem?  He had no experience in this sector, and dark visions of criminal cartels stormtrooping the facility to steal product occasionally crossed his mind. Luckily, that never happened.</p><p>"External theft has really not been a big problem. Surprisingly, there has not been a lot of that," says Gouin, who has spent nearly 30 years in the security industry and is currently owner of Strategic Design Services, a firm specializing in security design and project management services.</p><p>Still, the marijuana production facility did employ armed guards, because it held product that was worth at least $5 million. "That's more dollar value than 99 percent of banks in the state," Gouin explains. And since marijuana is so easy to sell, that product can be considered almost the equivalent of cash, he adds.   </p><p>But unlike external theft, internal theft was a problem. Employees sometimes helped themselves to a bit of product "to go" when leaving the facility for the day. Finding ways to screen workers on the way out was difficult. Complicating this matter is that keeping track of the on-hand marijuana supply can be a complex task. "You can't inventory it the way you inventory other products. You have to dry the plant; when you dry the plant, it loses weight," Gouin explains.  </p><p>And working with certain company employees was an unusual experience, even for a veteran security consultant well-accustomed to adjusting to different types of office cultures.  "It's so unique because of the type of person working there. Most of these people five years ago were running from the cops and making this stuff in their basement," Gouin says. "They are naturally distrusting of security."  </p><p>Overall, many of the facility's biggest security challenges stemmed from the fact that it is a nearly all-cash business. The ramifications of this are many. For instance, cash at a thriving marijuana business can accumulate quickly; but when it comes time to deposit the money earned, banks generally do not want to accept huge currency bundles, which can result in scrutiny from federal regulators, Gouin explains.</p><p>Given this, many marijuana businesses are forced to keep significant cash on hand. Some outgoing expenses, like compensation for day workers and certain bills, can be paid in cash, Gouin explains. Much of the rest can be deposited in smaller amounts that are spread out, so the bank will accept them. Of course, transiting large amounts of cash can also be risky, so the operation bought and used an armored vehicle, described by Gouin as "a small vanny-type thing."</p><p>Still, in one way the business that Gouin works for is lucky—it found a local bank that will take its money.  </p><p>Because U.S. federal law still includes marijuana on its Schedule I list of illegal substances, no large "tier one" bank will do business with cannabis companies now, says Joshua Laterman, CEO and founder, National Association of Cannabis Businesses (NACB). This is the "black letter of the law" that means that banks can be charged with crimes like money laundering if funds they have accepted from cannabis companies are mixed with other funds and enter the U.S. federal wire deposit system. This could lead to a federal indictment. </p><p>"No tier one bank enters the sector unless the law changes or some type of [exception] is put into place, like a safe harbor," Laterman says. "There is no cure, full stop."</p><p>This is a significant problem, given the growth and revenue-generating power of the cannabis industry. Going into 2018, nine states and Washington, D.C., had legalized marijuana outright; for medical purposes, marijuana is legal in 29 states and D.C. This year, at least 12 states are poised to consider marijuana legalization; Vermont already did so in January. On the whole, the industry generated $7 billion in revenue in the last 12 months, and this figure is expected to rise to $10 billion this year, according to NACB.</p><p>Given this revenue generation, some local banks (like the one working with Gouin's facility) and credit unions have tried to step in and fill in the vacuum. "It's the only show in town right now," Laterman says. These local banks often charge an extra compliance fee, and they usually just provide an account and some checks, without offering more involved services like credit cards. On the whole, these banks believe that the potential reward is worth the potential risk, and that working with local business is "in service of their mission." </p><p>"It's all very hyper-local," Laterman says. "They do it in a very personal way."</p><p>Nonetheless, these local banks usually cap the amount of deposited funds at $250,000, the limit that the Federal Deposit Insurance Corporation (FDIC) will insure. All things considered, there are not nearly enough of these smaller banks willing to accommodate all the revenue. "It's like trying to handle a two-liter soda with a Dixie cup," Laterman says.  </p><p>Across the northern border, no such problem exists. Canada has legalized marijuana for medicinal purposes throughout the country, and banks and other financial institutions have no problem working in the industry. "You're seeing investment banks, you're seeing accounting firms, and you're seeing law firms who will not do any transactions in the United States, but they are doing a lot in Canada," Laterman explains.</p><p>However, back in the United States, it is possible that there will be some movement on the legal issue in the near future. Some analysts have said that if more states continue to legalize marijuana, it will simply not be tenable for the country to have two sets of applicable law. Congress will have to act and change the banking laws to allow for an exception, so that a licensed marijuana distributor can use the banking system.</p><p>Moreover, what may help drive an effort for a solution is the U.S. government's realization that an industry generating billions in revenue without a banking and finance structure to support it could turn into a security nightmare. </p><p>"The money needs a place to be put, and there's not enough places to put it in. That's a growing public safety risk," Laterman says. California, he adds, holds some promise as a potential solution driver. As part of that state's legalization effort, officials set up a high-powered working group to address the legal issues. "It's a great effort; they are getting great people around the table," Laterman says.</p><p>He adds that NACB, which describes itself as the only self-regulatory organization (SRO) in U.S. cannabis, will continue its work of professionalizing the industry with credentialing, licensing, education, and other such programs. "We need to address the trust and information gaps, and better understand who the players are," Laterman explains. </p><p>Meanwhile, security managers who are curious about what it is like to work in the U.S. cannabis industry may want to check out The Marijuana Project, a novel published by Gouin (under the pen name Brian Laslow) that was in part inspired by his experiences in the industry. </p><p>In the book, security expert Sam Burnett, a conservative family man who runs a security program at a medical marijuana production facility, wrestles with the moral issues of working with the drug while he navigates the dangerous plot twists and turns that the thriller storyline takes him through. Although the book is fiction, the various industry issues and scenarios that the main character, a security expert, is involved with may be of educational value.</p><p>As for the real-life Gouin, who initially wondered if working in the cannabis sector would tarnish his professional reputation, he now says his experience was a positive one for his business: "It gave me another niche." And so his advice for fellow security managers who are interested in following his lead is "go for it"—as long as they do their due diligence beforehand.</p><p>"You have to understand the quirks of the industry," he says. ​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Assessing-the-Safety-of-Chemical-Facilities.aspxAn Explosive Act: Assessing the Safety of Chemical Facilities<p>​Just before Hurricane Harvey made landfall on Friday, August 25, 2017, chemical manufacturer Arkema made the decision to shut down its plant in Crosby, Texas, to brace for the storm. The plant soon lost power and received almost 40 inches of rain by Monday afternoon, causing heavy flooding that inundated its backup generators. A small crew of 11 people remained on site to monitor the storm damage and the safety of the organic peroxides that were stored at the plant.</p><p>These chemicals needed to be stored at a low temperature. But after the plant's backup generators were flooded, refrigeration failed. So, the crew transferred the chemicals from their current storage in warehouses into diesel-powered refrigerated containers and continued to monitor the situation—which worsened as the rain continued to pour down.</p><p>With the water continuing to rise, Arkema was forced to make another difficult decision: evacuate the plant and the 1.5-mile radius around it.</p><p>"Arkema is limited in what it can do to address the site conditions until the storm abates," the company said in a press release. "We are monitoring the temperature of each refrigeration container remotely. At this time, while we do not believe there is any imminent danger, the potential for a chemical reaction leading to a fire and/or explosion within the site confines is real."</p><p>To reduce the threat of an explosion injuring others, Arkema worked with the U.S. Department of Homeland Security (DHS) and the State of Texas to continue to monitor the situation. They soon realized that while the chemicals were not fully igniting as they began to warm up, they were beginning to degrade. To address the threat, Arkema decided to ignite the containers the chemicals were housed in to eliminate the threat of an uncontrolled blast.</p><p> "This decision was made by Arkema Inc. in full coordination with unified command," the company said. "These measures do not pose any additional risk to the community, and both Arkema and members of the unified command believe this is the safest approach."</p><p>While the situation in Crosby was not ideal, it showed how facilities that manufacture, store, and transport chemicals in the United States are embracing a new mindset towards security and planning how to handle the worst-case scenario when it happens—whether it is a power outage or a terror attack.</p><p>One effort that's helping to spearhead this mindset is DHS's Chemical Facility Anti-Terrorism Standards (CFATS) program, which has sought to address and mitigate the threat of chemicals since its inception in 2007. </p><p> "In 2007, chemical security was fairly new and people weren't really sure what it meant," says CFATS Acting Director Amy Graydon. "We've since been able to foster this environment of chemical security."</p><p>But that environment could be in danger if Congress does not reauthorize the CFATS program, which is set to expire in January 2019. </p><p>"We think that reauthorization is the key to reducing the threat of terrorists using chemicals," Graydon explains. "We think that the program has really reduced the risks and is an important element of making the country more secure."</p><h4>CFATS Basics</h4><p>In the 2007 DHS Approp­riations Act, Congress required the agency to create regulations that established risk-based performance standards for chemical facilities that present high levels of risk. DHS was also mandated to subject these facilities to vulnerability assessments and require them to develop and implement site security plans.</p><p>To do this, DHS worked with industry to create the CFATS program—which is part of its Infrastructure Security Compliance Division (ISCD). The program identifies and regulates facilities that possess chemicals of interest at specific concentrations and quantities.</p><p>These concentrations and quantities are listed in what's referred to as Appendix A of the CFATS regulation. More than 300 chemicals are included, along with their screening threshold quantities. The chemicals are also categorized into three groups depending on the potential security threat of the substances: release, theft or diversion, and sabotage.</p><p>Facilities that meet or exceed the screening threshold quantities for chemicals of interest listed in Appendix A are required to report their possessions to DHS via a questionnaire called a Top-Screen.</p><p>ISCD then reviews that Top-Screen and notifies facilities if they are considered high risk and ranks them into Tier 1, 2, 3, or 4—with Tier 1 the highest. As of February 2018, ISCD had received Top-Screens from more than 40,000 facilities and determined that roughly 3,500 of those are high risk and must comply with CFATS.</p><p>Facilities that are tiered then must submit a Security Vulnerability Assessment and a Site Security Plan, or an Alternative Security Plan, that meets risk-based performance standards detailed in the CFATS regulation. These standards address factors such as perimeter security, access control, personnel security, and cybersecurity. The stringency of the requirements varies based on what tier a facility falls into, and facilities can create their own security plans—rather than having CFATS create a prescriptive security plan for them.</p><p>Once the plans have been submitted, ISCD inspectors perform a facilities inspection before approving the plans for implementation. </p><p>This process has proved beneficial to facility operators, says Jennifer Gibson, vice president of regulatory affairs for the National Association of Chemical Distributors.</p><p>"Those visits, while cumbersome, allowed for a lot of back and forth, getting clarity on what the agency was looking for," Gibson explains. "Usually it turned out that a facility would make changes to its plan, based on that inspection."</p><p>After inspectors approve the plans, facilities are expected to implement them. If they do not, they can be ordered to cease operations or issued a civil fine, with a maximum penalty of $33,333 per day per violation, as of February 2018.</p><p>Facilities are also required to resubmit their Top-Screen if they have a change in holdings, such as using new chemicals of interest for business processes.</p><p>"It could be that they may need some other security measures because we look at the type of chemical and its risks," Graydon says. "So, for theft and diversion, we're worried that a terrorist could be intentionally trying to either steal or divert the chemical for misuse; whereas for release, it's that the terrorist would be coming to the facility to cause a release."</p><p>During its first five years, CFATS did not approve a single facility site security plan. But since then, it has made major strides and completely eliminated its backlog to move into the compliance phase of the program. Now, approximately 140 inspectors are visiting sites based on risk—there is no mandated requirement for how often inspections occur.</p><p>"We have the compliance inspection index, and it takes into consideration a facility's tier, the number of planned measures that a facility has, and the amount of time since the last inspection," Graydon says. "So, we can get to folks in an appropriate manner." </p><h4>CFATS Changes</h4><p>After CFATS was up and running, some members of Congress and the chemical sector expressed concerns about the program. Primarily, concerns centered around the "administrative burden associated with the development of facility security plans and the pace of DHS efforts to process and approve them," according to a U.S. Government Accountability Office (GAO) report. </p><p>Congress addressed these concerns by passing the Protecting and Securing Chemical Facilities from Terrorists Attacks Act in 2014. It reauthorized the CFATS program and created an Expedited Approval Program (EAP), a voluntary option for Tier 3 and 4 facilities regulated under CFATS.</p><p>The EAP allows DHS to identify specific security measures that meet the risk-based performance standards of CFATS that facilities must implement to be compliant. </p><p>For example, release facilities would have to certify that their emergency equipment included at least one of the following: a redundant radio system that's interoperable with law enforcement and first responders, at least one backup communications system, an emergency notification system, an automated control system or process safeguards to place critical assets in a "safe and stable condition," or emergency safe-shutdown procedures.</p><p>"The EAP is expected to reduce the time and burden on smaller chemical companies, which may lack the compliance infrastructure and resources of large chemical facilities," GAO said. </p><p>CFATS implemented the EAP in June 2015. But as of April 2017, GAO found that only two organizations of 2,496 eligible facilities had used the EAP. </p><p>"Officials representing the two EAP chemical facilities told us that their companies involve small operations that store a single chemical of interest on site and do not have staff with extensive experience or expertise in chemical security," GAO reported. </p><p>Representatives from the two facilities also said they used the EAP because it helped them reduce the time and cost to prepare and submit their site security plans.</p><p>"For example, the contractor who prepared the site security plan for one of the two EAP facilities said that the facility probably saved $2,500 to $3,500 in consulting fees by using the EAP instead of a standard security plan."</p><p>Ultimately, only one of these organizations followed through with the EAP process because the other was later re-tiered and no longer considered a high-risk facility subject to CFATS.</p><p>Since the GAO report was issued, 16 facilities have used the EAP and Graydon says she is optimistic that more facilities will use the program moving forward.</p><p>"We think that only two facilities might have taken advantage of the EAP program because of where all facilities were in the process already by the time it rolled out," she adds. "Most facilities had already completed their site security plans or their alternative security programs."</p><p>Graydon's sentiments echo GAO's analysis, which found that the timing of EAP's implementation, its prescriptive nature, the lack of an authorization inspection, and a certification form requirement may have initially hindered participation in the program.</p><p>"DHS conducts in-person authorization inspections to confirm that security plans address risks under the standard process, but does not conduct them under the expedited program," GAO said. "DHS officials noted that some facilities may prefer having this inspection because it provides them useful information."</p><p>Since the EAP's rollout, CFATS has made other changes to the program that might also affect participation. For instance, DHS updated the online tool that facilities use to send data to ISCD for their Top-Screen to make it a much more streamlined process.</p><p>"We really took the opportunity to streamline and bring it up into the 21st century so we were using smart tools with logic," Graydon says. "We were able to reduce some duplicative questions, reducing the time it would take people by 50 percent—down to six hours."</p><p>This streamlining effort cascaded throughout CFATS data collection processes, dropping the time it took to complete a security vulnerability assessment from 65 hours to 2.5 hours, and site security plans from 225 hours to 20 hours.</p><p>"We were able to do that because the reauthorization had given us the stability to move forward," Graydon says. "The reauthorization gave not only industry the stability it needed to make capital investments…it gave us the opportunity to make some internal changes as well."</p><p>CFATS also launched a re-tiering effort looking at 27,000 facilities' initial Top-Screens from 2007 and 2008, and asking them to resubmit. It then re-tiered some facilities by incorporating threat and vulnerability into the overall tiering methodology, which is not public.</p><p>"We refined what we were looking at, particularly for facilities for theft and diversion," Graydon says. "We were able to incorporate some inherent vulnerability in that." For instance, Graydon gave the example of looking at the portability of chemicals and taking that into account when determining the risk level for a facility.</p><p>"It would be easier to steal a vial than a big tank; we were able to model the actual amount of the chemicals…," and include them in the tiering methodology, Graydon adds.</p><p>In a recent hearing before the U.S. House Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection, Chet Thompson—president of the American Fuel and Petrochemical Manufacturers—said the re-tiering effort was an improvement on the old system.</p><p>"Folks believe risks are being better assessed, and a number of our facilities have been re-tiered," he explained. </p><p>However, Kirsten Meskill, director of corporate security for BASF Corporation, testifying on behalf of the American Chemistry Council (ACC), said that while ACC has seen a reduction in higher-risk facilities under the re-tiering, there's still a lack of transparency in the process.</p><p>"We don't know how these risk tierings were applied to the general sites," she said, adding that—from her perspective—there was no way to know whether the new method is addressing "real risks out there."</p><p>To address this, panelists at the hearing suggested that the GAO be brought in to review the new CFATS tiering methodology and issue a report on its effectiveness.​</p><h4>Future of CFATS</h4><p>Despite some complaints about lack of transparency, all the panelists at the subcommittee hearing were in favor of reauthorizing the CFATS program. </p><p>"Any lapse in the program would be a serious concern to us," said Pete Mutschler, environment, health, and safety director for CHS Inc., adding that it would be "highly disruptive to both the industry and the regulated community" if CFATS were allowed to lapse and then be reinstated.</p><p>Mutschler said he was in favor of a multiyear reauthorization for CFATS to provide certainty to the regulated community so it can make "long-term investments" in security to comply with the program.</p><p>Doug Leigh, who serves as manager of legislative affairs for the National Association of Chemical Distributors, says that his members are also in favor of a lengthy reauthorization for the CFATS program. </p><p>"The last thing we want to see is a three-month reauthorization," Leigh says. "It would be going backwards instead of going forwards."</p><p>Graydon says she is optimistic about CFATS being reauthorized by Congress, due to its track record over the past several years in improving processes and reducing risk.</p><p>"We feel that we have demonstrated that we are a smart regulatory program—that we look for efficiencies," Graydon explains. "We are able to incorporate lessons learned, and we would like permanent or long-term reauthorization to make sure we have continued stability for industry and the program to continue to make efficiencies."</p><p>As of <em>Security Management'</em>s press time, no member of Congress had introduced a bill to reauthorize the CFATS program. </p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/What’s-New-in-Technology.aspxQ&A: What’s New in Technology<p>​Steve Surfaro, industry liaison with Axis Communications and chair of the ASIS Security Applied Sciences Council, discusses emerging technology that cities and organizations can use to become smarter and safer.</p><p><em><strong>Q. </strong>How can smart buildings increase the safety of those who work there?</em></p><p><strong>A. </strong>First responders with mobile devices can use mobile location technology to find victims inside a building without relying on GPS. If all tenants who live or work in a smart building register their mobile devices, it’s possible to find out whose phone is not registered and potentially identify the approximate location of an active shooter. Seconds count on this. </p><p><strong><em>Q.</em></strong><em> What about the future of gunshot detection and triangulation?</em></p><p><strong>A.</strong> Gunshot detection is a really controversial issue. There are companies that use triangulation technology that estimates the location of a gunshot based on strategically placed microphones, but they can produce false alarms. Newer technologies use acoustic signature recognition. It employs deep learning and can be fine-tuned to listen for a particular pattern, and, once that pattern is established, it’s repeatable and does not create as many false alarms. In an environment where there’s noise of one type, like vehicles passing by, and there’s an explosion or a gunshot or glass is broken, that is a definitive acoustic signature. </p><p><strong><em>Q. </em></strong><em>What trends can we expect to see from surveillance cameras?</em></p><p><strong>A. </strong>Thermal imaging is such a tremendous technology and is getting better. Cooled thermal imaging sensors are expensive, especially when mounted on a helicopter—but they can save lives. One such sensor located the Boston bomber after the Boston Marathon bombing. Some lower-cost thermal imaging cameras can detect temperature gradients as well, so they can discern between people moving around and an explosion. This will also help firefighters. I’m from Phoenix, and out there, and in California, people suffer so much and have lost firefighters to these rapidly spreading fires. Through this technology, you’re able to have early warning if fires start to get too close to firefighters.</p><p><strong><em>Q.</em></strong><em> What about facial recognition?</em></p><p><strong>A. </strong>It’s used largely for forensics, so if investigators are trying to find an individual based on a photo, they can run a search on a facial recognition database. But the technology is being used in other ways as well. For example, airlines are testing it to streamline boarding. Stores in St. Louis, Missouri, were being robbed a few times a month, and one chain worked with the St. Louis Police Department, which had pictures of the robbery suspects. They created technology that stored images of the robbers in a microcomputer and compared them to a camera feed of people walking up to the convenience store door. The person looks up at the camera and the door is automatically unlocked in stride. If it’s not unlocked, either you’re not looking at the camera, or your picture is one of those tagged ones. Their faces aren’t being recorded, just compared to a list of potential suspects. During the test period of six months, there were no false positives and no armed robberies.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465