Restricted Area, Secure Area, Secure/Restricted Area - What does that really means.
- Posted by John Bingaman
Restricted Area, Secure Area, Secure/Restricted Area
We sometimes are asked:
“What is a Secure/Restricted Area? That designation is not listed or referred to in the regulations.”
To address these differences, we begin this month’s Blog series with regulatory definitions and their interpretation.
33CFR101.105 DEFINITIONS: Unless otherwise specified, as used in this subchapter:
Restricted areas mean the infrastructures or locations identified in a facility security assessment or by the operator that require limited access and a higher degree of security protection. The entire facility may be designated the restricted area, as long as the entire facility is provided the appropriate level of security.
Secure area means the area at a facility over which the owner/operator has implemented security measures for access control in accordance with a Coast Guard approved security plan. It does not include public access areas, as that term is defined in §§105.106 of this subchapter. Facilities subject to part 105 of this subchapter located in the Commonwealth of the Northern Mariana Islands and American Samoa have no secure areas. Facilities subject to part 105 of this subchapter may, with approval of the Coast Guard, designate only those portions of their facility that are directly connected to maritime transportation or are at risk of being involved in a transportation security incident as their secure areas.
Let’s review the Implementation of the National Maritime Security Initiatives Final Rule published July 1, 2003. An important and insightful aspect of every Final Rule is the Agency’s responses to public comments. In response to a request that TWIC requirements be promulgated quickly – the Coast Guard states: ‘46 U.S.C. 70105, Transportation Security Cards, addresses unescorted personnel access to secure areas of facilities [emphasis added] and vessels. Other agencies of DHS (e.g., TSA) are responsible for implementing this section of the MTSA. Other agencies of DHS (e.g., TSA) are developing the Transportation Worker Identification Credential (TWIC) that will be a transportation system-wide common credential, used across all modes, for all U.S. transportation workers requiring unescorted physical and logical access to secure areas of our transportation system [emphasis added]. The goal is to have one standardized credential that is universally recognized and accepted across our transportation system and can be used locally within the current facility infrastructure.’
INTERPRETATION: This tells us that to be granted unescorted access to a Secure Area one must possess a valid TWIC [and have a reason to be in the secure area]. There is no regulatory requirement to possess a valid TWIC for unescorted access to a Restricted Area.
However, according to 33CFR105.200 (b)(7) – the facility owner or operator must ensure that restricted areas are controlled and TWIC provisions are coordinated, if applied to such restricted areas. [emphasis added]
INTERPRETATION: This tells us that if a portion of your Secure Area is also a Restricted Area, e.g. a Secure/Restricted Area, TWIC provisions must be coordinated.
Join us this month while we review these regulatory definitions and how they apply to your facility. Suggested Reading - National Maritime Security Initiatives , 33 CFR 101.105 and 33 CFR 105.200.
The Audit is Done, Now What?
- Posted by Thomas Venezio
33CFR105.415, doesn’t let us off the hook just yet. The regulation goes on to say, “If the results of an audit require amendment of either the FSA or FSP, the FSO must submit, in accordance with § 105.410 of this subpart, the amendments to the cognizant COTP for review and approval no later than 30 days after completion of the audit and a letter certifying that the amended FSP meets the applicable requirements of this part.” So, if an amendment is required, we need to address this promptly!
As we manage the paperwork related to the audit it is also important to be reminded that 18 USC 47 applies to all § 1001 states: “Whoever … knowingly and willfully—
(1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
(2) makes any materially false, fictitious, or fraudulent statement or representation; or
(3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;
shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.”
Well, there you have it, the audit is an important part of your facility’s overall security culture! Be conscientious and keep your personnel, your facility your community and our Country safe and secure!!!
What Does An Audit Include?
- Posted by Thomas Venezio
So, we now know that we must conduct audits annually and we also know who can conduct the audit, but what does the audit include?
- First the audit must include an extensive review of the physical site and the security systems being utilized. This is not just a quick 15 minute drive around the facility! The auditor must test your systems, look at your fence lines, gate systems, CCTV systems and all security equipment listed in your FSP.
- Second, the auditor must test your people ensuring that they have the required security awareness understanding and that they are fully carrying out their security responsibilities.
- Third, the auditor must also review all security records and documents to ensure that they are fully compliant.
- After the audit is complete, the auditor should provide the FSO with an Audit letter that should be included with your Records and Documents. Additionally, the auditor should provide you with a detailed report of what they found. This is for your information ONLY. It is not to be provided to the Coast Guard.
A comprehensive audit might also include the conducting of a Drill and Exercise and may include Security Awareness training for your All Other personnel. The Audit is a critical tool to improve your FSP and your personnel!
Who Can Conduct An Audit?
- Posted by Thomas Venezio
Once again 33CFR105.415 provides guidance regarding who can conduct the annual audit. The regulation states, “personnel conducting internal audits of the security measures specified in the FSP or evaluating its implementation must:
(i) Have knowledge of methods for conducting audits and inspections, and
security, control, and monitoring techniques;
(ii) Not have regularly assigned security duties; and
(iii) Be independent of any security measures being audited.”
In simple terms, the requirement is that the person needs to be an “expert” and not be part of your facility’s security organization. A pretty good test of whether your auditor is up to the task is to ask yourself the question, “Do I know more than the auditor?” If the answer is “yes”, keep looking for a real expert!
Your auditor must have enough expertise in conducting audits to be your “critical best friend”. They need the knowledge and experience to find your potential flaws, weaknesses and vulnerabilities before the Coast Guard does, or worse yet, the BAD Guys!
The Regulatory Requirements for Audits
- Posted by Thomas Venezio
Yep, there is a requirement in 33CFR105 that mandates that we have a Security Audit conducted annually at our facilities!
33CFR105.415 (4)(b) states that, “The FSO must ensure an audit of the FSP is performed annually, beginning no later than one year from the initial date of approval, and attach a letter to the FSP certifying that the FSP meets the applicable requirements of this part.”
So, that seems simple enough …….. not so fast, there are additional times when an audit may be required. 33CFR105 goes on to say, ” The FSP must be audited if there
is a change in the facility’s ownership or operator, or if there have been modifications to the facility, including but not limited to physical structure, emergency response procedures, security measures, or operations.”
We now know when we must have an audit conducted. In our next blogs we’ll discuss what should be included in the audit, who can conduct an audit and what documentation is required.