What is a Facility Security Plan?  It is more than a plan describing your facility’s security measures.  This month’s S&A blog series focuses on: What is your FSP’s purpose; What content is required in your FSP; Amending and Auditing your FSP; and Your FSP Submission and Approval.

A Facility Security Plan (FSP) is a promise to the U.S. Government that you will carry out documented security measures to protect your facility.  The FSP must identify the Facility Security Officer by name and position, and provide 24-hour contact information.  It is a written plan that identifies vulnerabilities and how to deal with security threats captured in the Facility Security Assessment (which we covered in last month’s blogs).  Your FSP defines the roles and responsibilities of all facility employees – FSO, Personnel with Security Duties and All Others.  The FSP also describes security measures to be taken for each MARSEC level and defines appropriate actions in emergency situations.  The FSP must be re-submitted every five years on its anniversary date.  Also remember, the FSP is Sensitive Security Information and must be protected per 49 CFR part 1520.

Friends and Maritime Professionals,

We pray for our fellow professionals and hope they and their families are safe and sound in the aftermath of Harvey.  Whenever we go through a crisis, we focus (as we should) on our families, loved ones, and friends.  Lower on our list of priorities is often the security of our facility. 

We learned many lessons during and after events like Super Storm Sandy and Hurricanes Katrina, Ike, and Rita, when complete facilities were under water.  Many facilities had no operational back-up plans, or their plans overlooked the security aspect of recovery.  Other facilities had plans, but did not exercise or practice their plans, so the stage was not set for success when the time came for action. 

While those affected by this storm respond and recover, we can take this moment to ensure our Facility Security Plans are fully integrated with our Emergency Response Plan and Natural Disaster Plans.  The time to test our FSP is not when the storm hits!

While there are many aspects to security’s role in an event requiring emergency response, some minor preparation can save countless hours in the aftermath, during recovery operations.  Your security continuity of operations plans should address protecting your facility and what remains after an event.

For example, simple things like protecting your Sensitive Security Information and having electronic back-ups should be on your checklist.  Maintain a secondary site for your SSI material.  When disaster strikes and you have to conduct a full evacuation, you should have at least electronic copies of your Plans, including your FSP, and lock up your documents in a Restricted Area.  If your hard copies are completely destroyed, then you can reproduce your (password protected) files from an external memory device.  If you find yourself in this situation and your documents are destroyed, then we can help you recover with a documentation kit that can be repopulated with your documents very quickly.

Remember, we all need to stay prepared.  Integrate your facility’s plans, exercise your plans, conduct drills to test individual elements of your plans, and use checklists to ensure consistent, reliable performance.

Keep your powder dry…

ed

We audit a lot of Facility Security Plans, so we get to see many Facility Security Assessments. This week we'll look at the good ones, the bad ones, and the "how the heck did this ever get approved?" ugly ones. 

It's easy to find the good FSAs - they comply with Subpart C of 33 CFR 105 and have all the "Satisfactory" blocks checked in Enclosure 3 to NVIC 03-03 Change 2. The FSA is contemporary (no more than five years old) and it includes a quality Risk Based Analysis. Many facility representatives participated and their viewpoints are reflected in the FSA.

Bad FSAs miss key elements we discussed in previous blogs - they don't include a wide representation of the many aspects of a facility (Management, Human Resources, Operations, Engineering, Maintenance, Security, IT/Cyber, Legal, Safety), they don't reflect current threats (Does your FSA consider Cyber & Active Shooter threats?), and they don't fulfill the many regulatory requirements (Check the checklist!).

It's not rare to find ugly FSAs. Heck, sometimes we even see FSPs that don't contain an FSA at all! Incredible as it seems, there are Coast Guard approved FSPs that don't have an FSA - that's ugly on the facility and the Coast Guard. Also, there are far too many FSAs that do not contain a Risk Based Analysis (RBA). That's "low-hanging fruit" for your Coast Guard Inspector's deficiency list. If you don't have an RBA, then your FSA is incomplete. Lastly, if your FSA contains the same typos as its predecessor, then you probably have yourself a gun-decked FSA. That's not only lazy, it's a set-up for failure.

Remember, you can and should have an FSA that serves as the foundation for your facility security organization. It takes expertise, energy, and time to build your reliable foundation, but it's worth it in the long run.

One of the persistent questions from our students and mentees involves how to conduct a Facility Security Assessment. If you refer to Subpart C of 33 CFR 105, you can see that the Coast Guard spends a lot of effort to ensure we cover all the bases in our FSA. Also, Enclosure 3 to NVIC 03-03 Change 2 gives you the checklist your Coast Guard Inspector should use when reviewing your FSA.

As we previously noted, you need expertise, energy, and time to assemble the facility's background information, conduct an on-scene survey, compile observations, analyze the data, and make recommendations to improve security performance - thus mitigating business, operational, and compliance risks. That's already a lot of work! Your FSA should contain the many areas of emphasis that reflect your facility's vulnerabilities and mitigation actions that can reduce your risk exposure. Using a checklist (like the one in Enclosure 3 to NVIC 03-03 Change 2) helps ensure your FSA addresses the key elements.

But it's not about just checking the boxes. Writing the FSA takes quite a lot of perspective and effort. You need to document how the FSA was conducted, the facility elements your FSA addressed, a list of things "important to protect," the facility's vulnerabilities, and a discussion and evaluation of key facility measures and operations. That's a lot of ground to cover!

Remember, your FSA must be a product of many facility viewpoints! A one- or two-author FSA that doesn't involve the many experts on your facility is a prescription for a narrow-minded assessment.

Ultimately, the Facility Security Officer is responsible for ensuring that the Facility Security Plan is based on a quality Facility Security Assessment. We at S&A audit a lot of FSPs, and a lousy FSP is often linked to a poor FSA. That reflects poorly on the FSO, the FSP, and the entire Facility Security Organization (remember the pyramid!).

The FSA must involve representatives from as many facility disciplines as possible - Management, Human Resources, Operations, Engineering, Maintenance, Security, IT/Cyber, Legal, and Safety to name a few. It takes expertise, energy and time to do an FSA! Most FSOs have the expertise and energy, but few have the time. That's why many FSAs are superficial, and all too many are simple repetitions of the previous FSA - many times including the same typos! If you don't have all three requirements (expertise, energy, and time), then you need help conducting a trustworthy FSA.

Remember, if you want a solid FSP, then you need a reliable FSA. There's no getting around it.