This month’s S&A blog series to start out a new year focuses on using the Seebald Facility Security Pyramid to create a solid security organization.  Like any structure, your organization needs a strong foundation.  Our Facility Security Pyramid must be grounded by a solid Facility Security Assessment, which leads to generating an effective Facility Security Plan.

Your Facility Security Assessment (FSA) is the first step toward building your Facility Security Plan (FSP).  Subpart C of 33 CFR 105 lays out requirements for your FSA.  The FSA is based on a collection of facility background information, a complete facility on-scene survey, and an analysis of information collected.  Part of this assessment requires you to conduct a Risk Based Analysis (RBA).  The RBA is scenario-based and focuses on risk components made up of threats, vulnerabilities and consequences, which assists you in developing risk mitigating security measures.  

Your FSP must address the risks identified in your FSA.  Subpart D of 33 CFR 105 provides the FSP’s format, content, submission & approval, amendment and audit requirements.  The FSP documents security measures required to protect your facility.  Your FSP defines the roles and responsibilities of all facility employees – FSO, Personnel with Security Duties and All Others.  The FSP also describes security measures to be taken for each MARSEC Level as well as defines appropriate actions in emergency situations.  The FSP is required for re-submission every five years on its anniversary date.  Also remember, the FSP is Sensitive Security Information and must be protected per 49 CFR part 1520.

 


Documenting Your Drills & Exercises

You may remember our adage from our FSO and PSD courses that “If it’s not documented, then it didn’t happen.”  This certainly applies to Drills & Exercises.  Be sure to keep your documentation in a central location, such as an S&A Documentation Kit. 

Drills and Exercises documentation is low-hanging fruit for a Coast Guard Inspector looking for compliance violations.  It’s relatively easy to go through your records to find flaws.  The first thing to check is that Drills and Exercises are conducted at the required frequency.  For Drills, that means at least once every three months.  For Exercises, it’s at least once each calendar year, with no more than 18 months between exercises.  If you use an electronic system for your Drills & Exercises, a best practice we’ve found is for FSOs to print a copy of the Drill Log or Exercise Report and place it in their Documentation Kit.

For each Drill or Exercise, the documentation should include the date held, the FSP element tested (for Drills), a description of the Drill or Exercise, a list of participants, and any best practices or lessons learned that might improve your FSP.  Describing the best practices or lessons learned is often the weak part of the documentation we see when we conduct facility security Audits.  When I see “N/A” or “None” under best practices or lessons learned, it means to me that the person leading the Drill or Exercise failed in doing their job. 

On a side note, when you find best practices or lessons learned in your Drills or Exercises, please share them with us at Seebald & Associates.  We keep track of them and share them with our clients and students.  They’re not attributed to you, unless you say it’s okay.  We believe in this collaboration as a way to strengthen our Maritime Transportation System.  We’ve started this compilation to augment our courses and build a “Good, Bad, and Ugly” session for our 2018 Facility Security Symposium.

That’ll do for this month’s blog topic.  No blog next week as we turn to our families and loved ones to celebrate the holiday season.  We at Seebald & Associates wish you the very best for safe, secure, and happy holidays – see you next year!

Conducting Your Drills & Exercises

Last week’s blog discussed planning your Drills & Exercises.  Once you’ve decided on what you’re testing and planned a scenario, it’s time to put your plan into action.  Remember that we’re focusing on a single element of your FSP for a Drill, while an Exercise tests the entire FSP and requires active and substantial FSO participation.

Since you’ve taken the time to plan your Drill or Exercise, conducting the evolution becomes a matter of choosing a time and location.  We have found it’s best to test personnel at the places where they work (e.g., at guard posts, or at their work areas) and at access points.  We suggest finding a time during the shift when there are fewer distractions and personnel can focus on the drill, such as after the morning or afternoon rush hour at your vehicle or pedestrian gates. 

Explain the Drill or Exercise to the participants.  It’s okay to remind the personnel that you’re only testing the specified FSP element to keep the Drill focused.  Once you’ve described the scenario, then allow the participants to explain and demonstrate what they would do in response.  Use your pre-planned questions to help guide the drill and ensure you’re thoroughly exploring the FSP element.

Remember that your Drill or Exercise is not a training event.  As you proceed through the evolution and it’s clear that the participants are failing, stop the Drill or Exercise evolution and shift to training instead.  Return at a different time and try the Drill or Exercise again.  If you have contract security personnel who fail, it’s important to hold the contractor accountable, especially if they’re responsible for providing qualified personnel to your facility!

Next up will be documenting your Drills & Exercises – stay tuned for next week…

Planning Your Drills & Exercises

The success of your drill or exercise depends largely on how well you plan it.  The first step is to decide what you will test.  Remember that Drills test individual elements of your FSP, while Exercises are a full test of the security program and must include substantial and active participation of FSOs. 

This leaves us to choose the single FSP element to focus on for our Drill.  There are many options, but where can we find them?  Your menu of FSP elements is located in 33 CFR 105’s table of contents.  For example, there are 18 elements listed in Subpart B (plus four additional elements for specially designated facilities).  Each one of these elements can serve as the basis for your Drill.

The second step is to develop a scenario.  Here’s where you can get creative.  Think of a simple situation that will test the individual FSP element.  Be careful not to overcomplicate things!  For examples of Drill scenarios, look to the monthly Drill reminders that Seebald & Associates provide to our Platinum members. 

The scenario for an Exercise is often more complicated than a Drill, as we’re testing the entire FSP.  Remember, the exercise must have a security focus and the FSO must substantially and actively participate.  Each exercise must test communication and notification procedures, and elements of coordination, resource availability, and response.  In many cases, the Exercise is a series of scenarios or events.  If you are plugged into your local AMSC, there may be opportunities to participate in area or regional exercises for credit.

The third step is to decide who will be tested.  This can include your Alternate FSO(s), Personnel with Security Duties, and All Other personnel.  As we do with the S&A monthly Drill reminders for Platinum members, develop a series of questions to ask beforehand to help guide the Drill or Exercise.  Here’s a hint:  Refer to the specific section of your FSP for the element tested to develop pointed questions.

If you have a vessel moored at your facility, you can ask the Master or VSO if they’d like to participate in your Drill or Exercise.  Similar to maritime facilities, vessels also have Drill & Exercise requirements. 

Next week we’ll explore how to conduct your Drills & Exercises…

In our previous Blogs, we discussed protecting our networks from cyber attacks, the reasons why we protect our networks, and some common cyber attacks.  The U.S. Coast Guard is acutely aware of the impacts of cyber security on the maritime transportation system.  Cyber security will become an integral component of your FSP.  This final blog covers how the U.S. Coast Guard is addressing these topics as they review and approve your FSP.

In October, Cyber Security Awareness month, the U.S. Coast Guard provided five key cyber security questions and challenges in the maritime industry.  Here is the link to that information:  http://mariners.coastguard.dodlive.mil/2017/10/30/10302017-natl-cybersecurity-awareness-month-five-key-cyber-questions-and-challenges-facing-the-maritime-industry/

The U.S. Coast Guard has prepared a draft NVIC to help guide inclusion of cyber security in your FSP.  The draft is “based on the National Institute of Standards and Technology (NIST) Cyber security Framework (CSF) and NIST Special Publication 800-82.”  As we teach in our FSO courses, the U.S. Coast Guard is utilizing cyber industry standards and requirements to aid in providing this guidance.  Specifically, the draft states “how those existing requirements relate to cyber security measures, and what would be recommended to be included in the FSP.”

Seebald & Associates provided feedback to the U.S. Coast Guard office that prepared this draft NVIC, and we will closely monitor the development of the cyber security requirement(s) for your FSP.  At Seebald & Associates, we are committed to keeping abreast of this topic and will share any updates as they become available after ensuring their validity.  The Seebald & Associates team is standing by to assist your facility when including cyber security in your FSP becomes a requirement.

Remember, being vigilant in the maritime security environment is more than the physical aspect; it also includes cyber security for your networks.