Shortening the Long Road to Compliance

Lessons learned from top executives in highly policed industries

It is sometimes difficult to remember a time before the advent of the Homeland Security Presidential Directive. Before the first one was issued on Oct. 29, 2001, the regulatory landscape for security in many private-sector industries was different than it is today. For some, it has only been the difference between mountains and slightly bigger mountains. For others, it has been like starting out in green pastures and ending up in the Gobi Desert.

For the industries that make up our nation’s critical infrastructure, homeland security guidelines and laws have only added to an already robust tradition of federal and state policing. These industries have weathered regulatory storms before, and while new security-related rules still cause waves, the frameworks are often already in place to deal with them.

Security Executive Council members from the food, energy and financial services sectors recently shared the lessons they have learned from years of successful security compliance. Finding the commonalities in compliance among all industries can help both the new and seasoned security practitioner in plotting a course for his or her own organization.

Get Involved
The FDA, DHS, USDA, EPA and other agencies have launched initiatives since 2002 that work to provide food protection — a relatively new term that encompasses both defense against intentional harm and safety from accidents and unintentional contamination. However, the security of food companies is not considered highly regulated at the federal level, because most of these initiatives have resulted in guidelines and voluntary programs instead of laws and regulations.

The USA PATRIOT Act and the Bioterror Act of 2002 are two of the recent federal laws that do apply to food and agriculture companies. Their main concern is record-keeping rather than strict physical or IT security; they require that companies maintain logs to show chain of custody as products are moved from suppliers to manufacturers to customers and elsewhere. Other regulations that touch food protection include 33 CFR 105, a Coast Guard Regulation that mandates facility security for food plants on coastal waterways, and the new DHS Chemical Regulations (CFATS); these rules only affect certain groups within the food industry. State laws and regulations can impact the security of operations for some agricultural commodities as well.

The guidelines put forth by the FDA and USDA provide the bulk of the government’s direction for security in the food industry, from food processors to manufacturers, to agriculture and transport, says Bill Ramsey, director of security for McCormick & Company Inc. The USDA issued a directive in 2006 for its inspection arm, the Food Safety Inspection Service (FSIS), asking inspectors to look at various areas of food defense in each of the plants they inspect. But because guidelines are voluntary, non-compliance does not carry the penalties often mandated by laws and regulations.

Ramsey believes the emphasis on guidance rather than regulation resulted in part from the industry’s commitment to work proactively with government agencies to discuss security needs and solutions. “Through our work with these governmental agencies, we have been able to straighten out many misconceptions about appropriate security for the food industry — what works and what does not. There are major differences between securing an embassy or military installation in a hostile country and securing a food processing plant that needs to make a profit to stay in business. We, as an industry, were able to point this out to government on many occasions and, as a result, unworkable regulations have not been forthcoming,” he says.

Trade organizations and industry associations provide one of the best outlets for security professionals who recognize the need to collaborate with government for proactive security policies like these. They usually have government relations units that watch for talk of regulation, solicit information from members and the industry, and communicate the needs of the industry to the government. By remaining involved in these initiatives, security professionals in every field can ease their regulatory burden by ensuring that guidelines and regulations are reasonable and needed.
