Security Quick Reference Guide

Guidance Documents

Example Laws and Regulations

National Strategy for the Physical Protection of Critical Infrastructures and Key Assets 
United States White House (2003)

This document illustrates the national effort to secure critical facilities against potential attacks.[1] It is intended to identify and assure the protection of those infrastructures and assets deemed most critical. This national strategy is the result of consultation between numerous groups including federal agencies, public and private infrastructure owners, state and local governments, and the scientific community.[2] The document is very broad in scope, but it addresses several industry sectors specifically. It provides guidance for Agriculture and Food, Public Health, Energy, Transportation, the Chemical Industry and Hazardous Materials, Nuclear Power Plants, and several other industry sectors. The document addresses security challenges facing these industries and strategies for protecting them.

Catalog of Control Systems Security: Recommendations for Standards Developers
Department of Homeland Security (2008)

This document is intended to provide various industries helpful information for developing control system security. "The term 'Control systems' . . . includes Supervisory Control and Data Acquisition Systems [SCADA], Process Control Systems, Distributed Control Systems, and other control systems specific to any of the critical infrastructure industry sectors."[3] It states that "[d]ecisions regarding when, where, and how these standards should be used are best determined by the specific industry sectors."[4] However, the document serves as a useful overview of techniques for creating effective security standards in any industry. Issues addressed, among many others, are Management Accountability and Physical and Environmental Security, including Physical Access Control, and Security Awareness and Training.

Pipeline Modal Annex
Transportation Security Administration (2007)

This document provides a nationwide plan for securing pipeline facilities. It offers a description of the pipeline sector in the United States and discusses the type of threats to pipelines as well as the "Federal Agencies Responsible for Pipelines."[5] The plan discusses its goals and objectives which include prevention of terrorist threats to the transportation system, enhancing the transportation system's resiliency, and improvements in the area of cost-effective use of transportation security resources.[6] The document also includes a section describing the way in which "TSA will use risk-based programs to achieve the overarching Transportation Sector goals."[7] The Pipeline Modal Annex is a helpful source of information to which pipeline operators may turn to see the direction DHS and TSA have taken regarding pipeline security.

Security Guidelines for the Petroleum Industry
American Petroleum Institute (2003, 2005)

This document was published in 2003 and again in 2005.[8] The 2003 document is more sector specific and contains sections that pertain directly to pipelines, refineries, and marine transport, as well as other areas.[9] The 2005 version applies more generally and does not contain individual sections for different areas of the petroleum industry.[10] Both documents provide recommendations for threat and vulnerability assessment and management of the security process.[11] The documents also provide examples for developing a security plan.[12] This document serves as a useful tool for operators seeking guidance for security planning in the petroleum industry.

Defense of United States Agriculture and Food - Homeland Security Presidential Directive - 9
United States White House (2004)

This document sets forth a policy for protecting the U.S. agriculture and food system against a range of threats. The U.S. agriculture and food system faces potential threats from disease, pests, and substances that occur naturally or are introduced either accidentally or maliciously. This policy outlined in this document seeks to protect the agriculture and food system through threat recognition and mitigation, screening, response and recovery, and several other important procedures.

National Strategy to Secure Cyberspace
United States White House (2003)

Cyberspace is a vast interconnected group of servers, computers, cables, and other equipment that work together to ensure the functionality of our economy and critical infrastructures. This document establishes steps that can be taken by governments, private organizations, and individuals to improve cyber security. It sets out critical priorities, actions, and initiatives for addressing those priorities. The document also addresses, among other things, vulnerability reduction, security awareness and training, and international cooperation.

Chemical Facility Anti-Terrorism Standards (CFATS)
6 CFR § 27 (2007)

This section imposes requirements on certain chemical facilities in an effort to lower the terrorist risk associated with those facilities. The first phase of CFATS implementation involves determination of which facilities are covered. In order to determine which facilities represent the highest risk, DHS requires certain facilities to complete a Chemical Security Assessment Tool (CSAT) Top-Screen. According to DHS, most facilities required to complete a Top-Screen fall into one of three categories:

  1. Chemical manufacturing, storage, and distribution facilities;
  2. Petroleum refineries; and
  3. Liquefied natural gas storage (peak shaving) facilities.

However, any facility may be regulated under CFATS if the facility possesses any of the chemicals of interest (COI) at or above the screening threshold quantity (STQ) listed in CFATS Appendix A. Thus, high-risk chemical facilities are not limited to those that would traditionally be recognized as such, like chemical plants or petroleum facilities. Instead, the types and quantities of chemicals at facilities are determinative, at least with respect to the obligation to file the initial registration and complete the initial screening under the regulation. Therefore, industries and institutions such as agriculture, electronics, food manufacturing and handling, transportation, and universities may all be subject to this regulation.

If DHS determines the facility is regulated, then the facility will be required to complete a Security Vulnerability Assessment (SVA) or a similar assessment depending on the tier designation. The purpose of the SVA is to provide the DHS with detailed information pertaining to the facility. DHS will use this information to assign a final tier designation to the facility. Should the company believe the designation is incorrect, the company may petition DHS for a change in tier designation. After completion and submission of the SVA or a similar assessment, the facility will be required to create and submit to DHS a Site Security Plan (SSP) or a similar document, again depending on the tier designation. In certain cases the facility may be allowed to submit an Alternative Security Plan (ASP).

This regulation also creates a new category of information called Chemical-terrorism Vulnerability Information (CVI). CVI includes the CSAT, SVA, SSP, and ASP, among other information. Information designated as CVI and submitted to DHS must bear the proper markings[13] and must be properly physically controlled and protected.[14] CVI is exempt from public disclosure requirements such as the Freedom of Information Act.

Failure to comply with any portion of the CFATS may result in monetary civil fines of up to $25,000 per day, DHS inspection and audit, or an order to cease operations.

Transportation of Hazardous Liquids by Pipeline
49 CFR § 195 (1981)

Title 49, section 195, of the Code of Federal Regulations pertains to liquid pipelines and simply states that "[e]ach operator shall provide protection for each pumping station and breakout tank area and other exposed facility . . . from vandalism and unauthorized entry."[15] The same is said with respect to valves.[16]

Liquefied Natural Gas Facilities: Federal Safety Standards
49 CFR § 193 (1980)

Title 49, section 193, of the Code of Federal Regulations pertains to natural gas pipelines. This section requires each operator to prepare and follow at least one manual of written security procedures.[17] The section also includes specific information to be included in the security manuals. At a minimum the manuals should include: 

  1. A description and schedule of security inspections and patrols performed in accordance with [required monitoring];
  2. A list of security personnel positions or responsibilities utilized at the . . . plant;
  3. A brief description of the duties associated with each security personnel position or responsibility;
  4. Instructions for actions to be taken, including notification of other appropriate plant personnel and law enforcement officials, when there is any indication of an actual or attempted breach of security;
  5. Methods for determining which persons are allowed access to the . . . plant;
  6. Positive identification of all persons entering the plant and on the plant, including methods at least as effective as picture badges; and
  7. Liaison with local law enforcement officials to keep them informed about current security procedures under this section.[18]

In addition to these requirements, this section of the CFR includes information pertaining to security enclosures, communications, and monitoring, among other pertinent security topics.

[ 1 ] United States White House, National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003).

[ 2 ] Id.

[ 3 ] Department of Homeland Security, Catalog of Control Systems Security: Recommendations for Standards Developers, p.1 (2008).

[ 4 ] Id.

[ 5 ] Transportation Security Administration, Pipeline Modal Annex, pp. 4-6 (2007) available at http://www.tsa.gov/assets/pdf/modal_annex_pipeline.pdf .

[ 6 ] Id. at 8-9.

[ 7 ] Id. at 14.

[ 8 ] American Petroleum Institute, Security Guidelines for the Petroleum Institute (2003) & (2005).

[ 9 ] American Petroleum Institute, Security Guidelines for the Petroleum Institute (2003).

[ 10 ] American Petroleum Institute, Security Guidelines for the Petroleum Institute (2005).

[ 11 ] American Petroleum Institute, Security Guidelines for the Petroleum Institute (2003) & (2005).

[ 12 ] American Petroleum Institute, Security Guidelines for the Petroleum Institute (2003) & (2005).

[ 13 ] The CVI Warning Language includes the Protective Marking "CHEMICAL-TERRORISM VULNERABILITY INFORMATION" as well as the distribution limitation statement: "WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR § 27.400. Do not disclose to persons without a 'need to know' in accordance with 6 CFR § 27.400(e). Unauthorized release may result in civil penalties or other action. In an administrative or judicial proceeding, this information shall be treated as classified information in accordance with 6 CFR §§ 27.400(h) and (i)."

[ 14 ] Physical protection requirements include: secure storage, appropriate destruction, document marking, restricted access, secure transmission, limited reproduction, and enhanced data processing system controls. http://www.dhs.gov/xlibrary/assets/chemsec_cvi_proceduresmanual.pdf .

[ 15 ] 49 CFR § 195.436 (2007).

[ 16 ] 49 CFR § 195.420 (2007).

[ 17 ] 49 CFR § 193.2903 (2007).

[ 18 ] Id.