September 11, 2017

The facility owner or operator must ensure the FSP consists of the 18 individual sections listed below per 33 CFR 105.405.  If the FSP does not follow the order as it appears in the list, the facility owner or operator must ensure the FSP contains an index identifying the location of each of the following sections:

1 - Security administration and organization of the facility

2 - Personnel training

3 - Drills and Exercises

4 - Records and Documentation

5 - Response to change in MARSEC level

6 - Procedures for interfacing with vessels

7 - Declaration of Security (DoS)

8 - Communications

9 - Security systems and equipment maintenance

10 - Security measures for access control, including designated public access areas

11 - Security measures for restricted areas

12 - Security measures for handling cargo

13 - Security measures for delivery of vessel stores and bunkers

14 - Security measures for monitoring

15 - Security incident procedures

16 - Audits and security plan amendments

17 - Facility Security Assessment

18 - Facility Vulnerability and Security Measures Summary (Form CG-6025)

The FSP must describe in detail how the requirements of 33 CFR 105 subpart B Facility Security Requirements will be met.  Note that when Seebald & Associates helps you in writing your FSP, there are additional FSP sections that we create to improve your FSP, make it meaningful, and easier to use.

Posted by Edward Seebald

September 5, 2017

What is a Facility Security Plan?  It is more than a plan describing your facility’s security measures.  This month’s S&A blog series focuses on what is your FSP’s purpose; What content is required in your FSP; Amending and Auditing your FSP; and Your FSP Submission and Approval.

A Facility Security Plan (FSP) is a promise to the U.S. Government that you will carry out documented security measures to protect your facility.  The FSP must identify the Facility Security Officer by name and position, and provide a 24-hour contact information.  It is a written plan that identifies vulnerabilities and how to deal with security threats captured in the Facility Security Assessment (which we covered in last month’s blogs).  Your FSP defines the roles and responsibilities of all facility employees – FSO, Personnel with Security Duties and All Others.  The FSP also describes security measures to be taken for each MARSEC level as well as defines appropriate actions in emergency situations.  The FSP is required for re-submission every five years on its anniversary date.  Also remember, the FSP is Sensitive Security Information and must be protected per 49 CFR part 1520.

Posted by Edward Seebald

August 31, 2017

Friends and Maritime Professionals,

We pray for our fellow professionals and hope they and their families are safe and sound in the aftermath of Harvey.  Whenever we go through a crisis, we focus (as we should) on our families, loved ones, and friends.  Lower on our list of priorities is often the security of our facility. 

We learned many lessons during and after events like Super Storm Sandy and Hurricanes Katrina, Ike, and Rita, when complete facilities were under water.  Many facilities had no operational back-up plans, or their plans overlooked the security aspect of recovery.  Other facilities had plans, but did not exercise or practice their plans, so the stage was not set for success when the time came for action. 

While those affected by this storm respond and recover, we can take this moment to ensure our Facility Security Plans are fully integrated with our Emergency Response Plan and Natural Disaster Plans.  The time to test our FSP is not when the storm hits!

While there are many aspects to security’s role in an event requiring emergency response, some minor preparation can save countless hours in the recovery operations aftermath.  Your security continuity of operations plans should address protecting your facility and what remains after an event.

For example, simple things like protecting your Sensitive Security Information and having electronic back-ups should be on your checklist.  Maintain a secondary site for your SSI material.  When disaster strikes and you have to conduct a full evacuation, you should have at least electronic copies of your Plans, including your FSP, and lock up your documents in a Restricted Area.  If your hard copies are completely destroyed, then you can reproduce your (password protected) files from an external memory device.  If you find yourself in this situation and your documents are destroyed, then we can help you recover with a documentation kit that can be repopulated with your documents very quickly.

Remember, we all need to stay prepared.  Integrate your facility’s plans, exercise your plans, conduct drills to test individual elements of your plans, and use checklists to ensure consistent, reliable performance.

Keep your powder dry…

ed

Posted by Brian Kelley

August 21, 2017

We audit a lot of Facility Security Plans, so we get to see many Facility Security Assessments. This week we'll look at the good ones, the bad ones, and the "how the heck did this ever get approved?" ugly ones. 

It's easy to find the good FSAs - they comply with Subpart C of 33 CFR 105 and have all the "Satisfactory" blocks checked in Enclosure 3 to NVIC 03-03 Change 2. The FSA is contemporary (no more than five years old) and it includes a quality Risk Based Analysis. Many facility respresentatives participated and their viewpoints are reflected in the FSA. 

Bad FSAs miss key elements we discussed in previous blogs - they don't include a wide represtation of the many aspects of a facility (Managment, Human Resources, Operations, Engineering, Maintenance, Security, IT/Cyber, Legal, Safety), they don't reflect current threats (Does your FSA consider Cyber & Active Shooter threats>), and they don't fulfill the many regulatory requirements (Check the checklist!)

It's not rare to find ugly FSAs. Heck, even, sometimes we see FSPs that don't contain an FSA at all! Incredible as it seems, there are Coast Guard approved FSPs that don't have an FSA - thats ugly on the facility and the Coast Guard. Also, there are far too many FSAs that do not contain a Risk Based Analysis (RBA). That's "low-hanging fruit" for your Coast Guard Inspector's deficiency list. If you don't have an RBA, then your FSA is incomplete. Lastly, if your FSA contains the same typos as its predecessor, then you probabley have yourself a gun-decked FSA. That's not only lazy, it's a set-up for failure. 

Remember, you can and should have an FSA that services as the foundation for your facility security organization. It takes expertise, energy, and time to build your reliable foundation, but it's worth it in the long run. 

Posted by Brian Kelley

August 14, 2017

One of the persistent questions from our students and mentees involves how to conduct a Facility Security Assessment. If you refer to Subpart C of 33 CFR 105, you can see that the Coast Guard spends a lot of effort to ensure we cover all the bases in our FSA. Also, Enclosure 3 to NVIC 03-03 Change 2 gives you the checklist your Coast Guard Inspector should use when reviewing your FSA.

As we previously noted, you need expertise, energy, and time to assemble the facility's background information, conduct an on-scene survey, compile observations, analyze the data, and make recommendations to improve security performance - thus, mitigation business, operational, and compliance risks. That's already a lot of work! Your FSA should contain the many areas of emphasis that reflects your facility's vulnerabilities and mitigation actions that can reduce your risk exposure. Using a checklist (like the one in Enclosure 3 to NVIC 03-03 Change 2) helps ensure your FSA addresses the key elements. 

But it's not about just checking the boxes. Writing the FSA takes quite a lot of perspective and effort. You need to document how the FSA was conducted, the facility elements your FSA addressed, a list of things "important to protect," the faciltiy's vulnerabilities, and a discussion and evaluation of key facility measures and operations. That's a lot of ground to cover!

Remember, your FSA must be a product of many facility viewpoints! A one- or two- author FSA that doesn't involve the many experts on your facility is a prescription for a narrow-minded assessment.