Once again 33CFR105.415 provides guidance regarding who can conduct the annual audit.  The regulation states, “personnel conducting internal audits of the security measures specified in the FSP or evaluating its implementation must:

            (i) Have knowledge of methods for conducting audits and inspections, and

                        security, control, and monitoring techniques;

            (ii) Not have regularly assigned security duties; and

            (iii) Be independent of any security measures being audited.”

In simple terms, the requirement is that the person needs to be an “expert” and not be part of your facility’s security organization.  A pretty good test of whether your auditor is up to the task is to ask yourself the question, “Do I know more than the auditor?”  If the answer is “yes”, keep looking for a real expert!

Your auditor must have enough expertise in conducting audits to be your “critical best friend”.  They need the knowledge and experience to find your potential flaws, weaknesses and vulnerabilities before the Coast Guard does, or worse yet, the BAD Guys!

Yep, there is a requirement in 33CFR105 that mandates that we have a Security Audit conducted annually at our facilities!

33CFR105.415 (4)(b) states that, “The FSO must ensure an audit of the FSP is performed annually, beginning no later than one year from the initial date of approval, and attach a letter to the FSP certifying that the FSP meets the applicable requirements of this part.”

So, that seems simple enough …….. not so fast, there are additional times when an audit may be required.  33CFR105 goes on to say, ” The FSP must be audited if there

is a change in the facility’s ownership or operator, or if there have been modifications to the facility, including but not limited to physical structure, emergency response procedures, security measures, or operations.”

We now know when we must have an audit conducted.  In our next blogs we’ll discuss what should be included in the audit, who can conduct an audit and what documentation is required.

Ok, we have covered The Good, The Bad and now to what you all have been waiting for, The Ugly.  Here are some actual examples that will make you say, “No way, that can’t be true”

Access Control

Security Measures for Restricted Areas – At several facilities, pedestrian gates were left wide open during the day with no security guard present – an open invitation for a breach of security.  At another facility, a computer server room door consisted of a shower curtain hanging from a shower curtain rod and it was not even marked “Restricted Area” – need we say more?  For the rest of the story; that shower curtain was replaced with a steel cage door and is properly marked now.

Physical Security

Perimeter fencing and gates – One facility had a shipping gate with no lock providing easy access to the secure regulated footprint and often this gate was left wide open during business hours for convenience so the loading dock workers did not have to open and shut it after delivery trucks came and gone.  While on a tour of a facility during an audit, a five-foot by six-foot hole was found in the perimeter fence line, which appeared to be there for some time – how can that be?  How did no one notice it or if they did, why did they not report it?  Another facility’s employee parking lot located outside the secure facility where vehicles were parked up against the 5-foot fence, allowing for an easy access over the fence into the secure/restricted area.  To make matters worse, there was a container on the inside blocking the view of the security office and making unauthorized access almost undetectable. 

Security procedures

Record keeping – There a few FSOs that are unorganized, papers everywhere and when asked to find something, they can’t - in another words, they’re a Hot Mess!!!  Now this is during our audit, what is it like during a Coast Guard compliance inspection?  One could only imagine.  On three separate occasions, an approved FSP had NO Sensitive Security Information (SSI) markings, that’s right no SSI markings on any page.  How did this get approved by the local Captain of the Port and not get noticed during previous compliance inspections?

All these examples were found, some in plain sight but others were found because a thorough audit or assessment was conducted.  Who does your facility security audits?  Would they have found these?  FSOs – don’t rely on your auditor to find these discrepancies, you find them before your Coast Guard compliance inspector does.  Get out and do reviews, conduct regular drills, and establish a security training program.  These are only a few things to start building a security culture that puts security on the same level as safety.  Remember, “The Bads & Uglies” can become “Goods!”

The past two weeks we touched on “The Good” but this week we’ll provide you with “The Bad” - examples of how improper security measures or lack of them will foster a poor security culture and potentially lead to security violations and breaches of security.

Access Control

  • TWIC credentialing – When TWIC card inspections are not done properly, whether at a 100% rate or not, fraudulent TWIC cards will not be detected. For example, one facility discovered fake TWIC cards on two separate occasions in the same month inside the secure regulated facility during a drill to verify TWIC cards.    
  • Random screening techniques – During separate audits while observing vehicle and pedestrian screening, some improper techniques were discovered. A security guard climbed into the rig of a semitruck and was moving things around – You can only step up and look inside, you cannot climb in the cab of a truck because it is NOT a search.  Remember only law enforcement officers are allowed to conduct searches.  Another instance a security guard was asking pedestrians that were being screened to lift up their shirts so their waist line can be observed.  This will get you in all kinds of trouble.

Physical Security

  • Perimeter fencing and gates – On several occasions, we have seen fence lines with so much vegetation and tree overgrowth you cannot see the fence; gaps underneath the fence and between gates large enough for a 200-lb person to squeeze through; Jersey barriers up against the outside of the fence line providing a nice step to climb over or a large, heavy throw rug hanging over the top of the barbed wire fence; swing set chain used to lock the gate to the secure/restricted dock area or little to no fence around pipelines entering the facility, or not restricting access to critical kill points, such as electrical substations.

Security procedures

  • Record keeping – There are so many FSOs that are afraid to delete, throw away or shred documents, especially when it comes to security matters. We cannot count how many times during an audit that several years’ worth of paperwork is unnecessarily kept.  One facility had over 9 years’ worth of stuff – which equated to 12 two-foot-high stacks of paper on a table that was mostly Sensitive Security Information (SSI) in the FSO’s office, which most of the time was left open.  You only need to keep security documents for two years and Declarations of Security (DoS) for 90 days past expiration.  Training records are kept for the duration that individual is employed at your facility.

It’s hard to believe a lot of these poor security practices exist, and they are not hard to find if an audit is done properly or if an FSO conducts a thorough review of their facility and documentation.

The TWIC Reader Final Rule, scheduled to go into effect August 23, 2018, has been delayed.  A court order from the United States District Court for the Eastern District of Virginia has delayed the enforcement of TWIC Reader Final Rule for facilities that transfer and non-transfer facilities handling bulk cargoes of certain dangerous cargo (CDC).  This court order is a result of a lawsuit against the Department of Homeland Security.  The timeframe for completing this litigation is unknown.

The court ruling ordered that the TWIC Reader Final Rule will go into effect on August 23, 2018, for facilities that receive vessels certified to carry 1,000 or more passengers.

 

Pending legislation on TWIC Reader Final Rule  

I am going to provide a rudimentary “School House Rock” lesson and explain why this bill came to be.   The House of Representatives last week passed a bill and the Senate passed it today, July 26, which now goes to the President’s desk to be signed into law.  The bill was introduced to delay the August 23, 2018, TWIC Reader Final Rule until after an assessment study on the effectiveness of the transportation security card program can been completed and submitted to Congress for review. 

If the President signs this bill and it becomes a law, it will now depend on how long the study takes, which has period of performance ending in the spring of 2019.  If the study determines the transportation security card program to be an effective security strategy for CDC facilities, it may take several more months to implement the TWIC Reader Final Rule, which puts us into the late summer of 2019, but that could easily change to be sooner or later. 

The bottom line is we are looking at a potential six-month to one-year delay that is being driven by a court order and a bill going through the legislation process.  As soon as we learn more, we will put out an updated blog.  If you have any questions, please do not hesitate to contact me or any of my Associates.