Isc occupant emergency plan

Facility Security Plan: An Interagency Security Committee Guide

February 2015 1st Edition

This page left intentionally blank.

ii Facility Security Plan: An Interagency Security Committee Guide

Message from the Interagency Security Committee Executive Director One of the Department of Homeland Security’s (DHS) priorities is the protection of Federal employees and private citizens who work within and visit U.S. Government-owned or leased facilities. The Interagency Security Committee (ISC), chaired by DHS, consists of 54 Federal departments and agencies and has as its mission the development of security standards and best practices for nonmilitary Federal facilities in the United States.

As Executive Director of the ISC, I am pleased to introduce the new ISC document titled Facility Security Plan: An Interagency Security Committee Guide (Guide). This ISC Guide aims to provide guidance for organizations in formulating and ultimately implementing an operable and effective Facility Security Plan (FSP). A Facility Security Plan is a critical component of an effective security program. The guidelines contained in this document are based on recognized industry best practices and provide broad recommendations for the protection of Federal facilities and Federal employees, contractors, and visitors within them.

Consistent with Executive Order 12977 (October 19, 1995), Facility Security Plan: An Interagency Security Committee Guide is intended to be applied to all buildings and facilities in the United States occupied by Federal employees for nonmilitary activities. These include existing owned, to be purchased or leased facilities; stand-alone facilities; Federal campuses; individual facilities on Federal campuses; and special-use facilities.

This standard represents exemplary collaboration within the ISC working groups and across the entire ISC. ISC primary members approved the Guide with full concurrence on February 20, 2015 and will review and update this document as necessary.

Austin Smith

Executive Director, Interagency Security Committee

Facility Security Plan: An Interagency Security Committee Guide iii Message from the Executive Director

This page left intentionally blank.

iv Facility Security Plan: An Interagency Security Committee Guide

Table of Contents Message from the Interagency Security Committee Executive Director ................................ iii

1 Background ................................................................................................................................ 1 2 Applicability and Scope ............................................................................................................. 2 3 Document Control ..................................................................................................................... 3

3.1 Identification ........................................................................................................................ 3 3.2 Storage and Distribution ....................................................................................................... 3 3.3 Retention .............................................................................................................................. 3 3.4 Disposition............................................................................................................................ 3 3.5 Protection and Classification ................................................................................................ 3

4 Roles and Responsibilities for Plan Development................................................................... 4 4.1 Facility Security Committee ................................................................................................. 4 4.2 Designated Official............................................................................................................... 4 4.3 Security Organization ........................................................................................................... 4 4.4 Organizational Director of Security/Chief Security Officer ................................................ 4 4.5 Tenant Security Representative ............................................................................................ 5 4.6 Tenant Managers/Supervisors .............................................................................................. 5 4.7 Facility Occupant ................................................................................................................. 5 4.8 Financial Authority............................................................................................................... 5 4.9 Chief Information Officer .................................................................................................... 5

5 Plan Development ...................................................................................................................... 6 5.1 Risk Management Process.................................................................................................... 6

5.1.1 Process .......................................................................................................................... 6 5.1.1.1 Threat Assessment ................................................................................................. 6 5.1.1.2 Consequence (Criticality) Assessment .................................................................. 7 5.1.1.3 Vulnerability Assessment ...................................................................................... 7 5.1.1.4 Risk Assessment .................................................................................................... 7

5.2 Elements of a Facility Security Plan .................................................................................... 8 5.2.1 Facility Profile............................................................................................................... 8 5.2.2 Roles and Responsibilities ............................................................................................ 8 5.2.3 Risk Management Strategy ........................................................................................... 8 5.2.4 Security Countermeasures............................................................................................. 9

Facility Security Plan: An Interagency Security Committee Guide v Message from the Executive Director

5.2.5 Maintenance, Repair, and Testing Procedures .............................................................. 9 5.2.6 Incident Response Management and Procedures .......................................................... 9 5.2.7 Facility Specific Policies ............................................................................................... 9 5.2.8 Special Events ............................................................................................................... 9 5.2.9 Information Security ..................................................................................................... 9 5.2.10 Cyber Security .......................................................................................................... 10 5.2.11 Government Property ................................................................................................ 10 5.2.12 Training and Exercising the Plan .............................................................................. 10 5.2.13 Program Review ....................................................................................................... 10 5.2.14 Resource Support ...................................................................................................... 10

6 Training and Exercises ............................................................................................................ 11 6.1 Training .............................................................................................................................. 11 6.2 Exercises ............................................................................................................................. 11 6.3 Occupant Emergency Plan Exercise Coordination ............................................................ 11

7 Plan Maintenance .................................................................................................................... 12 8 References and Resources ....................................................................................................... 13 9 Interagency Security Committee Participants ...................................................................... 14 List of Abbreviations/Acronyms/Initializations ....................................................................... 15 Glossary of Terms ....................................................................................................................... 16 Appendix A: Facility Security Plan Template.......................................................................... 19

vi Facility Security Plan: An Interagency Security Committee Guide Contents

1 Background On April 20, 1995, the day after the bombing of the Alfred P. Murrah Building in Oklahoma City, Oklahoma, the President directed the U.S. Department of Justice (DOJ) to assess the vulnerability of Federal facilities to terrorism and other acts of violence. On June 28, 1995, DOJ issued the Vulnerability Assessment of Federal Facilities Report (1995 Report) establishing government-wide facility security standards. The 1995 Report laid the foundation for all subsequent Interagency Security Committee (ISC) security standards documents.

In 2013, the ISC released The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP) which includes a list of physical security criteria. The intent of the document is to provide cohesive guidance for the application of physical security countermeasures at Federal facilities. In May 2013, the ISC established the Facility Security Plan Working Group in response to concerns raised by its membership. The Working Group was tasked with preparing reference guidance for agencies to use in developing and implementing an operable and effective Facility Security Plan (FSP) as required by the physical security criteria set forth in the RMP.

Facility Security Plan: An Interagency Security Committee Guide 1 Background

2 Applicability and Scope This document is issued pursuant to the authority granted to the Interagency Security Committee (ISC) in Executive Order (EO) 12977 as amended by Executive Order 13286. The EO directs the ISC to “…take such actions as may be necessary to enhance the quality and effectiveness of security and protection of Federal facilities.” The purpose of this document is to provide guidance for organizations in formulating and ultimately implementing an operable and effective Facility Security Plan (FSP).

A Facility Security Plan is a critical component of an effective security program. The guidelines contained in this document are based on recognized industry best practices and provide broad recommendations for the protection of Federal facilities and Federal employees, contractors, and visitors within them. Facility Security Plan: An Interagency Security Committee Guide identifies and defines the basic guidelines and procedures used in establishing and implementing an FSP. This document is generally applicable to all buildings and facilities in the United States occupied by Federal employees, including:

• Buildings and facilities owned or leased by the Federal government;

• Federally leased rooms or suites within privately owned buildings;

• Stand-alone Federal facilities;

• Federal campuses; and

• Individual facilities on Federal campuses and special-use facilities where appropriate. This document is intended to provide the initial guidance to be used by all agencies and facilities. When developing an FSP, departments and agencies may make the necessary adjustments to the basic guidelines and procedures presented to meet specific requirements or needs. Regardless of the FSP developed by an agency, it should have mechanisms in place to validate the plan’s effectiveness and manage its maintenance.

This guidance may be used to assist Federal agencies in selecting, implementing, and evaluating appropriate protective measures and practices against identifiable security risks and threats; and to implement appropriate responses and countermeasures. When utilizing this guidance, an agency may choose to consider all or part of its overall facility security strategy. This document is not meant to supersede agency policies and funding guidelines, or impose any undue burdens on an agency.

2 Facility Security Plan: An Interagency Security Committee Guide Applicability and Scope

3 Document Control 3.1 Identification The document can be titled as the “Facility Security Plan” (FSP) or similar title as required by individual agency policy.

3.2 Storage and Distribution At a minimum, the FSP should be stored in an electronic format in a central location for ease of access. The Designated Official (DO) and other emergency management personnel (i.e. security organizations, facility managers, etc.) must have access to the document 24 hours a day.

3.3 Retention Current copies of the Facility Security Plan should be retained for three years or until superseded. Where there are conflicts, retention periods outlined in agency-specific requirements for storage, retention, disposition, and protection of FSPs will supersede all other guidelines.

3.4 Disposition The plan should be discarded in accordance with agency-specific policies for destruction, based on the overall classification of the document.

3.5 Protection and Classification At a minimum, protect the FSP as “For Official Use Only” (FOUO) or in accordance with agency-specific classification guidelines. Consideration should be given to the sensitivity of a customized FSP developed by individual agencies and departments (i.e., floor plans, specific facility information, etc.) and how this information should be protected. Plans including National Security Information (classified information) shall be classified in accordance with applicable classification standards and access to the document shall be restricted to appropriately cleared personnel with a valid need-to-know.

Facility Security Plan: An Interagency Security Committee Guide 3 Document Control

4 Roles and Responsibilities for Plan Development 4.1 Facility Security Committee The Facility Security Committee (FSC) is the committee responsible for addressing facility- specific security issues and approving the implementation of protective measures and practices. At facilities where an FSC is required in accordance with Interagency Security Committee (ISC) standards, the Facility Security Plan should be submitted for review and appr