With the launch of CSAT 2.0 in October 2016, DHS combined the Security Vulnerability Assessment (SVA) and Site Security Plan (SSP) / Alternate Security Program (ASP) processes into a single submission. All tiered facilities have 120 calendar days, from receipt of a Risk Tier Notification, to submit a SVA and SSP or ASP to DHS via the CSAT. DHS has provided SVA / SSP Instructions to assist with SVA and SSP / ASP submissions.
The CSAT 2.0 SVA requires facilities to describe the security measures they have implemented and any vulnerabilities they have identified across five areas:
For each SVA section, facilities are provided with a free from text box, limited to 4,000 characters, and are asked to describe their security posture and potential related vulnerabilities.
The SSP/ASP must, among other things, identify and describe how each security measure will meet, as applicable, the eighteen Risk-Based Performance Standards (RBPSs). In order to assist facilities in developing their SSPs/ASPs, DHS published the CFATS RBPS Guidance document in final form on May 15, 2009.
The CSAT 2.0 SSP is organized into five overarching security objectives, which collectively account for all of the requirements of the eighteen RBPSs:
Before DHS approves a facility’s SSP or ASP, it conducts an on-site Authorization Inspection to verify that the information is accurate and complete and that existing and planned security measures are appropriate and sufficient to meet the established RBPS requirements. Following the Authorization Inspection, DHS will either approve the SSP/ASP or require the facility to revise and re-submit the plan.