Compliance Scorecard: Be Careful What You Wish For

For many years, the security profession has struggled to determine how high the bar should be set for asset protection programs. With a few exceptions like nuclear security programs, defense contractor security programs, and some other industry pockets, security has consisted primarily of accepted practices — derivatives of regulated or proscriptive programs, outcomes of litigation, “expert” opinions or peer comparisons (a.k.a benchmarking). In other words, programs were generally developed based on whatever could be gleaned from existing or prior practices. The advent of the ASIS Protection of Assets Manual helped provide some focus, but in the ongoing competition for limited resources in industry, there was little to point to that compelled security programs or practices. That all changed after the Sept. 11 attacks.

The Evolving Regulatory Climate
Since the end of 2001, a veritable alphabet soup of regulations and standards has emerged to set prescriptive security measures and programs — some with substantial sanctions for non-compliance. These include C-TPAT, OFAC, CFATS, FCRA, NIPP, CEII, NFPA-1600, CIP, MTSA, HSPD-7, TWIC, FCPA, PCII, NERC, FERC, DHS, DOE, NRC, TSAREGS, OSHA, BSA, HIPAA, SOX, BTPAA, FHML, CMOD, COPPA, ATSA, FDA, FSIS — and the list grows weekly. Currently, there are additional hearings underway in Congress for even more regulation in the security realm.

Not to be outdone, ASIS International has gotten into the standards and guidelines business, as has the National Fire Prevention Association (NFPA) with the issuance of NFPA-1600, which seeks to certify all personnel engaged in emergency planning. While the NFPA and ASIS standards and guidelines are largely voluntary at this point, these sorts of efforts have a tendency to become codified over time, or woven into legislative efforts.

Onerous Standards for Energy
An example of the politicalization of standards is the current struggle over the level of rigor applied to the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Standards for Cyber Security. These standards were developed over a multi-year period by an industry-wide drafting team, with the intent of providing sufficient flexibility for implementation across the industry, without undue un-funded mandates. These standards also apply to non-U.S. entities, since the footprint of NERC includes Canada and part of Northern Mexico.
Since their issuance, and due to a controlled experiment at the Idaho National Lab regarding potential vulnerabilities in process control equipment that is widely used by energy and water sectors, there has been a concerted effort by the Federal Energy Regulatory Commission (FERC) and the House Committee on Homeland Security to significantly tighten the standards, making them potentially very costly to implement and maintain across the industry.

Accompanied with the standards will be a new level of bureaucracy around the auditing processes and sanctions for non-compliance. While it is helpful to have some direction in certain areas of security processes, many of the new and developing regulations will require significant resources to manage.

Add Another Hat
How should security professionals deal with such difficult requirements? The simple answer is that everyone needs to put on another hat, to go with the multiple hats most security professionals already wear. We need to add “compliance management” and “legislative review” to our lexicon. The reality is, some of these issues are so complex that they almost demand full-time attention, which is a luxury only large enterprises can afford. In addition, standards are usually developed by peer groups and subject matter experts, and it is sometimes a struggle to populate the drafting committees with sufficient asset owners to provide a balance between operating practicalities and regulatory requirements. Again, generally only large enterprises can support such activities due to expenses and resources required. However, it is vitally important that industries impacted by regulations and standards have as big a stake as possible in crafting the future.

What does all this mean? That we will all have to add regulation and compliance to our already loaded platters, stay as informed as possible about the ever-changing landscape, and participate in the processes through trade groups, committees, sector councils, industry contacts and governmental liaison. In many respects, we finally got what we wanted. Now we need to learn how to live with it.

Bob Sypult is a member of the Security Executive Council’s Emeritus Faculty and has more than 35 years of combined experience in energy sector security and with the FBI. He was a member of the NERC Cyber Security Standards drafting team. The Security Executive Council maintains a large and growing list of laws, regulations, standards and guidelines that impact security ( For more information, visit