Download:
pdf |
pdfCSAT Security
Vulnerability Assessment
Questions
June 2008
Version 1.0
Version 1.0
1
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
General ................................................................................................................4
Facility Information .............................................................................................5
Facility Coordinates............................................................................................5
ASP Documents ......................................................................................................................... 6
Upload Plot Plans/Maps ............................................................................................................ 8
Facility Security Information ............................................................................10
DHS Initial Notification Letter – Security Issues................................................................... 10
Release Toxic Chemicals of Interest ..................................................................................... 12
Release Flammable Chemicals of Interest ............................................................................ 16
Release Explosive Chemicals of Interest .............................................................................. 22
Theft/Diversion Explosive/Improvised Explosive Device Precursor (EXP/IEDP) Chemicals
of Interest.................................................................................................................................. 25
Theft/Diversion Weapon of Mass Effect (WME) Chemicals of Interest .............................. 29
Theft/Diversion Chemical Weapon/Chemical Weapon Precursor (CW/CWP) Chemicals of
Interest ...................................................................................................................................... 32
Sabotage/Contamination Chemicals of Interest ................................................................... 36
Facility Characteristics............................................................................................................ 39
Security Equipment at the Facility ......................................................................................... 39
Utility Systems and Infrastructure Support .......................................................................... 41
Inventory Control ..................................................................................................................... 42
Inventory Control - Details ...................................................................................................... 43
Personnel Access Control Measures at the Facility ............................................................ 47
Shipping and Receiving Control Measures at the Facility .................................................. 49
Shipping and Receiving Control Measures – Details ........................................................... 50
Post-Release Measures and Equipment................................................................................ 54
Site Vulnerability Factors ........................................................................................................ 55
Asset Characterization .....................................................................................56
Facility Assets .......................................................................................................................... 56
Facility Assets - Description ................................................................................................... 57
Primary Security Issue For This Asset .................................................................................. 57
Facility Assets - Detail ............................................................................................................. 58
Facility Asset Directions ......................................................................................................... 58
Release Chemicals of Interest ................................................................................................61
Toxic Chemicals of Interest .................................................................................................... 62
Primary Release Toxic............................................................................................................. 63
Toxic Release – Mitigation ...................................................................................................... 63
Theft/Diversion Primary COI ................................................................................................... 66
Facility Assets - Packaging Detail .......................................................................................... 66
Cyber Control Systems ........................................................................................................... 67
Cyber Business Systems ........................................................................................................ 68
Vulnerability Analysis .......................................................................................69
Attack Scenarios...................................................................................................................... 69
Attack Scenario Descriptions .................................................................................................70
Aircraft Scenario ...................................................................................................................... 72
Maritime Scenario .................................................................................................................... 75
Vehicle Scenario ...................................................................................................................... 78
Assault Team Scenario ........................................................................................................... 81
Standoff Scenario .................................................................................................................... 83
Sabotage Scenario ................................................................................................................... 84
Theft Scenario .......................................................................................................................... 85
Diversion Scenario .................................................................................................................. 86
Mitigation Measures ................................................................................................................ 87
Identifiability Probability ......................................................................................................... 88
DHS Form 9015
Page 2 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Accessibility Probability ......................................................................................................... 89
Facility Security Response Force Capability ........................................................................ 90
Offsite Security Response Force Capability ......................................................................... 91
Achievability Probability ......................................................................................................... 92
Target Hardness Probability ................................................................................................... 93
Availability Probability ............................................................................................................ 94
Unauthorized Customer Registration .................................................................................... 95
Unauthorized Order Placement .............................................................................................. 96
Unauthorized Order Pickup ....................................................................................................97
Computer Systems Analysis ...........................................................................98
Control System Analysis....................................................................................................... 100
Security Policy ....................................................................................................................... 101
Cyber Access Control ........................................................................................................... 102
Personnel Security ................................................................................................................ 103
Physical and Environmental ................................................................................................. 103
Awareness and Training .......................................................................................................103
Monitoring and Incident Response ...................................................................................... 104
Configuration Management .................................................................................................. 105
Risk and Vulnerability Management .................................................................................... 106
DHS Form 9015
Page 3 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
General
Paperwork Burden Disclosure Notice:
The public reporting burden for this form is estimated to be 250 hours. The burden
estimate includes time for reviewing instructions, researching existing data sources,
gathering and maintaining the needed data, and completing and submitting the form. You
may send comments regarding the accuracy of the burden estimate and any suggestions
for reducing the burden to: NPPD/OIP/Infrastructure Security Compliance Division,
Attention: Dennis Deziel, Project Manager, U.S. Department of Homeland Security, Mail
Stop 8100, Washington, DC 20528-8100.
(OMB Control No. (1670-0007)). Your completion of the CSAT Security Vulnerability
Assessment is mandatory according to Public Law 109- 295 Section 550. You are not
required to respond to this collection of information (i.e., the CSAT SVA) unless a valid
OMB control number is displayed. NOTE: DO NOT send the completed CSAT SVA to the
above address.
Submission Statement:
My statements in this submission are true, complete, and correct to the best of my
knowledge and belief and are made in good faith. I understand that a knowing and willful
false statement on this form can be punished by fine or imprisonment or both. (See
section 1001 of title 18, United States Code).
Enter the facility identification number from the DHS Initial Notification Letter.
[Q:1.01-3311]
Does the DHS Initial Notification letter indicate that the facility is a Tier 4 facility?
[Q:1.01-3314]
Yes
No
Provide a short description of the functional operation of this facility, particularly with
respect to the COI listed in your letter.
[Q:1.01-13011]
For example:
"this facility produces XYZ chemical as an intermediate product for further refining"
or
"this facility purchases XYZ chemical in bulk containers and packages it in retail containers for
sale"
DHS Form 9015
Page 4 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Facility Information
Facility Name
[Note: The address should be the facility's physical location. This
may be different from the mailing address.]
Facility Location
Address
Facility Location
Address (continued)
Facility Location
Address (continued)
Facility Location City
Facility Location State
Facility Location
ZIP Code
Facility Coordinates
Facility Latitude
Facility Longitude
DHS Form 9015
Page 5 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Submit ASP Document
As detailed in CFATS, facilities with a Tier 4 ranking have the option of either completing
and submitting an SVA using the CSAT SVA, or uploading an Alternate Security Program
(ASP) in lieu of an SVA. If a Tier 4 facility elects to submit an ASP, rather than complete the
CSAT SVA, this section describes the process to upload the relevant files (ASP
documentation and site plans or maps) into the CSAT SVA tool.
If the facility is not Tier 4, skip the ASP section questions and go to Facility Security
Information (page 10).
Do you want to upload an alternate security program (ASP) in lieu of performing a CSAT
SVA? (If you select No, you will be directed to the process for completing and submitting a
CSAT SVA.)
[Q:1.05-3315]
Yes
No
If No, skip the ASP Documents questions and go to Facility Security Information (page 10).
ASP Documents
The alternate security program (ASP) documentation that you upload should satisfy the following
factors that are conditions for completeness.
Does the ASP cover all of the facility assets that are associated with the security issues
and chemicals of interest specified in the DHS Initial Notification letter?
[Q:1.1-3316]
Yes
No
Does the ASP use a Center for Chemical Process Safety (CCPS)-approved methodology?
[Q:1.1-11671]
Yes
No
Does the ASP address the asset characterization factors described in 6 CFR 27.215?
[Q:1.1-11672]
Yes
No
Asset Characterization includes the identification and characterization of potential critical
assets; identification of hazards and consequences of concern for the facility, its surroundings, its
identified critical asset(s), and its supporting infrastructure; and identification of existing layers of
protection. See 6 CFR 27.
DHS Form 9015
Page 6 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Does the ASP address the threat assessment factors described in 6 CFR 27.215?
[Q:1.1-11673]
Yes
No
Threat assessment includes a description of possible internal threats, external threats, and
internally-assisted threats. See 6 CFR 27.
Does the ASP cover all of the applicable attack modes covered in the CSAT SVA?
[Q:1.1-3317]
Yes
No
See the CFATS CVI Document Repository for the list of attack modes covered in the CSAT
SVA.
Does the ASP address the countermeasures factors described in 6 CFR 27.215?
[Q:1.1-11674]
Yes
No
Security vulnerability analysis includes the identification of potential security vulnerabilities and
the identification of existing countermeasures and their level of effectiveness in both reducing
identified vulnerabilities and in meeting the applicable Risk-Based Performance Standards. See 6
CFR 27.
Does the ASP address the risk assessment requirements described in 6 CFR 27.215?
[Q:1.1-11675]
Yes
No
Risk assessment includes a determination of the relative degree of risk to the facility in terms of
the expected effect on each critical asset and the likelihood of the success of an attack. See 6
CFR 27.
If “Yes” selected for all of the ASP document questions, skip the next question.
ASP Does Not Address All of the Factors
The ASP does not address all of the factors in 6 CFR 27. Do you still want to upload the
ASP for consideration? (If you select “No,” you will be directed to the process for
completing and submitting a CSAT SVA.)
Continue ASP Upload Process?
[Q:1.12-12451]
Yes
No
If “No” go to Facility Security Information (page 10).
DHS Form 9015
Page 7 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Enter the name of the non-CSAT security vulnerability methodology.
[Q:1.13-3320]
What is the date of the non-CSAT security vulnerability assessment?
[Q:1.13-3331]
The response format is mm/dd/yyyy.
(e.g. May 1, 2006 is entered as 05/01/2006.)
Upload ASP Documents
Enter names for the ASP files to upload.
Enter a brief description of the uploaded ASP file.
ASP Files
Brief description of the ASP file.
[Q:1.14-6911]
[Q:1.15-6912]
Upload Plot Plans/Maps
Are the locations of assets that were analyzed in the ASP
for each COI and security issue marked on the plot plans/maps?
[Q:1.2-3351]
Yes
No
DHS Form 9015
Page 8 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Names of Plot Plans/Maps.
Enter the image width and image height in miles.
Enter names for the ASP plot plan/map files to upload.
Ensure that the locations of assets that were analyzed in the ASP for each COI and
security issue are marked on the plot plans/maps. If necessary, include within the map a
legend to icons/assets that are used in the plot plans/maps.
Plot Plan/Map Name to
Upload
Image width (miles):
Image height (miles):
[Q:1.31-3356]
[Q:1.31-3357]
[Q:1.3-3354]
To complete a CSAT SVA, go to page 10.
DHS Form 9015
Page 9 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Facility Security Information
DHS Initial Notification Letter – Security Issues
Please use the DHS Initial Notification Letter to answer the following questions.
Does the DHS Initial Notification Letter indicate that the facility should address security
issues related to release-toxic COI?
[Q:2.0 -971]
Yes
No
Does the DHS Initial Notification letter indicate that the facility should address security
issues related to release-flammable COI?
[Q:2.0 -3131]
Yes
No
Does the DHS Initial Notification letter indicate that the facility should address security
issues related to release-explosive COI?
[Q:2.0 -3132]
Yes
No
Does the DHS Initial Notification letter indicate that the facility should address security
issues related to theft-EXP/IEDP COI?
[Q:2.0 -3172]
Yes
No
Does the DHS Initial Notification letter indicate that the facility should address security
issues related to theft-WME COI?
[Q:2.0 -3171]
Yes
No
Does the DHS initial notification letter indicate that the facility should address security
issues related to theft-CW/CWP COI?
[Q:2.0 -3151]
Yes
No
DHS Form 9015
Page 10 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Does the DHS Initial Notification letter indicate that the facility should address security
issues related to sabotage/contamination COI?
[Q:2.0 -3173]
Yes
No
DHS Form 9015
Page 11 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Release Toxic Chemicals of Interest
Indicate which release toxic chemicals of interest are listed in the DHS Initial Notification
Letter.
If answered No for all chemicals, go to Release Flammable Chemicals of Interest (page 16).
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.1-1037]
Yes
Acrolein
[2-Propenal or Acrylaldehyde]
107-02-8
Allyl alcohol
[2-Propen-1-ol]
107-18-6
Ammonia (anhydrous)
7664-41-7
Ammonia (conc. 20% or greater)
7664-41-7
Arsenic trichloride
[Arsenous trichloride]
7784-34-1
Arsine
7784-42-1
Boron trichloride
[Borane, trichloro]
10294-34-5
Boron trifluoride
[Borane, trifluoro]
7637-07-2
Boron trifluoride compound with methyl
ether (1:1)
[Boron, trifluoro [oxybis (methane)]-, T-4-]
353-42-4
Bromine
7726-95-6
Carbon disulfide
75-15-0
Chlorine
7782-50-5
Chlorine dioxide
[Chlorine oxide, ClO2]
10049-04-4
Chloroform
[Methane, trichloro-]
DHS Form 9015
No
67-66-3
Page 12 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.1-1037]
Yes
Chloromethyl ether
[Methane, oxybis(chloro-)]
542-88-1
Chloromethyl methyl ether
[Methane, chloromethoxy-]
107-30-2
Cyanogen chloride
506-77-4
Cyclohexylamine
[Cyclohexanamine]
108-91-8
Diborane
19287-45-7
Epichlorohydrin
[Oxirane, (chloromethyl)-]
106-89-8
Ethylenediamine
[1,2-Ethanediamine]
107-15-3
Fluorine
7782-41-4
Formaldehyde (solution)
Hydrochloric acid (conc. 37% or greater)
Hydrocyanic acid
50-00-0
7647-01-0
74-90-8
Hydrofluoric acid (conc. 50% or greater)
7664-39-3
Hydrogen chloride (anhydrous)
7647-01-0
Hydrogen fluoride (anhydrous)
7664-39-3
Hydrogen sulfide
7783-06-4
Isobutyronitrile
[Propanenitrile, 2-methyl-]
78-82-0
Isopropyl chloroformate
[Carbonochloridic acid, 1-methylethyl ester]
108-23-6
Methacrylonitrile
[2-Propenenitrile, 2-methyl-]
126-98-7
DHS Form 9015
No
Page 13 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.1-1037]
Yes
Methyl hydrazine
[Hydrazine, methyl-]
60-34-4
Methyl isocyanate
[Methane, isocyanato-]
624-83-9
Methyl thiocyanate
[Thiocyanic acid, methyl ester]
556-64-9
Nitric acid
7697-37-2
Nitric oxide
[Nitrogen oxide (NO)]
10102-43-9
Oleum (Fuming Sulfuric acid)
[Sulfuric acid, mixture with sulfur trioxide]
8014-95-7
Perchloromethylmercaptan
[Methanesulfenyl chloride, trichloro-]
594-42-3
Phosgene
[Carbonic dichloride] or [carbonyl dichloride]
75-44-5
Phosphorus oxychloride
[Phosphoryl chloride]
10025-87-3
Phosphorus trichloride
7719-12-2
Propionitrile
[Propanenitrile]
107-12-0
Propyleneimine
[Aziridine, 2-methyl-]
75-55-8
Sulfur dioxide (anhydrous)
7446-09-5
Sulfur tetrafluoride
[Sulfur fluoride (SF4), (T-4)-]
7783-60-0
Sulfur trioxide
7446-11-9
Tetramethyllead
[Plumbane, tetramethyl-]
DHS Form 9015
No
75-74-1
Page 14 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.1-1037]
Yes
Titanium tetrachloride
[Titanium chloride (TiCl4) (T-4)-]
DHS Form 9015
No
7550-45-0
Page 15 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Release Flammable Chemicals of Interest
Indicate which release flammable chemicals of interest are listed in the DHS Initial
Notification Letter.
If answered No for all chemicals, go to Release Explosive Chemicals of Interest (page 22).
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.2-1038]
Yes
Acetaldehyde
75-07-0
Acetylene
[Ethyne]
74-86-2
Acrylonitrile
[2-Propenenitrile]
107-13-1
Acrylyl chloride
[2-Propenoyl chloride]
814-68-6
Allylamine
[2-Propen-1-amine]
107-11-9
Bromotrifluorethylene
[Ethene, bromotrifluoro-]
598-73-2
1,3-Butadiene
106-99-0
Butane
106-97-8
Butene
25167-67-3
1-Butene
106-98-9
2-Butene
107-01-7
2-Butene-cis
590-18-1
2-Butene-trans
[2-Butene, (E)]
624-64-6
Carbon oxysulfide
[Carbon oxide sulfide (COS); carbonyl
sulfide]
463-58-1
Chlorine monoxide
[Chlorine oxide]
7791-21-1
DHS Form 9015
Page 16 of 105
No
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.2-1038]
Yes
1-Chloropropylene
[1-Propene, 1-chloro-]
590-21-6
2-Chloropropylene
[1-Propene, 2-chloro-]
557-98-2
Crotonaldehyde
[2-Butenal]
4170-30-3
Crotonaldehyde, (E)[2-Butenal], (E)-]
123-73-9
Cyanogen
[Ethanedinitrile]
460-19-5
Cyclopropane
75-19-4
Dichlorosilane
[Silane, dichloro-]e
4109-96-0
Difluoroethane
[Ethane, 1,1-difluoro-]
75-37-6
Dimethylamine
[Methanamine, N-methyl-]
124-40-3
Dimethyldichlorosilane
[Silane, dichlorodimethyl-]
75-78-5
1,1-Dimethylhydrazine
[Hydrazine, 1, 1-dimethyl-]
57-14-7
2,2-Dimethylpropane
[Propane, 2,2-dimethyl-]
463-82-1
Ethane
74-84-0
Ethyl acetylene
[1-Butyne]
107-00-6
Ethyl chloride
[Ethane, chloro-]
75-00-3
Ethyl ether
[Ethane, 1,1-oxybis-]
60-29-7
DHS Form 9015
No
Page 17 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.2-1038]
Yes
Ethyl mercaptan
[Ethanethiol]
75-08-1
Ethyl nitrite
[Nitrous acid, ethyl ester]
109-95-5
Ethylamine
[Ethanamine]
75-04-7
Ethylene
[Ethene]
74-85-1
Ethylene oxide
[Oxirane]
75-21-8
Ethyleneimine
[Aziridine]
151-56-4
Furan
110-00-9
Hydrazine
302-01-2
Hydrogen
1333-74-0
Hydrogen selenide
7783-07-5
Iron, pentacarbonyl[Iron carbonyl (Fe(CO)5), (TB5-11)-]
13463-40-6
Isobutane
[Propane, 2-methyl]
75-28-5
Isopentane
[Butane, 2-methyl-]
78-78-4
Isoprene
[1,3-Butadiene, 2-methyl-]
78-79-5
Isopropyl chloride
[Propane, 2-chloro-]
75-29-6
Isopropylamine
[2-Propanamine]
75-31-0
Methane
74-82-8
DHS Form 9015
Page 18 of 105
No
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.2-1038]
Yes
2-Methyl-1-butene
563-46-2
3-Methyl-1-butene
563-45-1
Methyl chloride
[Methane, chloro-]
74-87-3
Methyl chloroformate
[Carbonochloridic acid, methyl ester]
79-22-1
Methyl ether
[Methane, oxybis-]
115-10-6
Methyl formate
[Formic acid Methyl ester]
107-31-3
Methyl mercaptan
[Methanethiol]
74-93-1
Methylamine
[Methanamine]
74-89-5
2-Methylpropene
[1-Propene, 2-methyl-]
115-11-7
Methyltrichlorosilane
[Silane, trichloromethyl-]
75-79-6
Nickel Carbonyl
13463-39-3
1,3-Pentadiene
504-60-9
Pentane
109-66-0
2-Pentene, (E)-
646-04-8
2-Pentene, (Z)-
627-20-3
Peracetic acid
[Ethaneperoxic acid]
79-21-0
Phosphine
7803-51-2
Piperidine
110-89-4
DHS Form 9015
Page 19 of 105
No
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.2-1038]
Yes
Propadiene
[1,2-Propadiene]
463-49-0
Propane
74-98-6
Propyl chloroformate
[Carbonchloridic acid, propylester]
109-61-5
Propylene
[1-Propene]
115-07-1
Propylene oxide
[Oxirane, methyl-]
75-56-9
Propyne
[1-Propyne]
74-99-7
Silane
7803-62-5
Tetrafluoroethylene
[Ethene, tetrafluoro-]
116-14-3
Tetramethylsilane
[Silane, tetramethyl-]
75-76-3
Tetranitromethane
[Methane, tetranitro-]
509-14-8
Trichlorosilane
[Silane, trichloro-]
10025-78-2
Trifluorochloroethylene
[Ethene, chlorotrifluoro]
79-38-9
Trimethylamine
[Methanamine, N,N-dimethyl-]
75-50-3
Trimethylchlorosilane
[Silane, chlorotrimethyl-]
75-77-4
Vinyl acetate monomer
[Acetic acid ethenyl ester]
108-05-4
Vinyl acteylene
[1-Buten-3-yne]
689-97-4
DHS Form 9015
No
Page 20 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.2-1038]
Yes
Vinyl chloride
[Ethene, chloro-]
75-01-4
Vinyl ethyl ether
[Ethene, ethoxy-]
109-92-2
Vinyl fluoride
[Ethene, fluoro-]
75-02-5
Vinyl methyl ether
[Ethene, methoxy-]
107-25-5
Vinylidene chloride
[Ethene, 1,1-dichloro-]
75-35-4
Vinylidene fluoride
[Ethene, 1,1-difluoro-]
75-38-7
No
Fuels: Bunker fuel
Fuels: Diesel
Fuels: Gasoline
Fuels: Home heating oil
Fuels: JP A (jet fuel)
Fuels: JP 5 (jet fuel)
Fuels: JP 8 (jet fuel)
Fuels: Kerosene
Fuels: LPG
DHS Form 9015
Page 21 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Release Explosive Chemicals of Interest
Indicate which release explosive chemicals of interest are listed in the DHS Initial
Notification Letter.
If answered No for all chemicals, go to Theft/Diversion Explosive/Improvised Explosive Device
Precursor (EXP/IEDP) Chemicals of Interest (page 25).
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.3-1039]
Yes
Ammonium nitrate, [with more than 0.2
percent combustible substances, including
any organic substance calculated as
carbon, to the exclusion of any other added
substance]
6484-52-2
Ammonium perchlorate
7790-98-9
Ammonium picrate
131-74-8
Barium azide
No
18810-58-7
Diazodinitrophenol
87-31-0
Diethyleneglycol dinitrate
693-21-0
Dingu
[Dinitroglycoluril]
55510-04-8
Dinitrophenol
25550-58-7
Dinitroresorcinol
519-44-8
Dipicryl sulfide
2217-06-3
Dipicrylamine [or] Hexyl
[Hexanitrodiphenylamine]
131-73-7
Guanyl nitrosaminoguanylidene hydrazine
Hexanitrostilbene
20062-22-0
Hexolite
[Hexotol]
121-82-4
HMX
[Cyclotetramethylene-tetranitramine]
2691-41-0
DHS Form 9015
Page 22 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.3-1039]
Yes
Lead azide
13424-46-9
Lead styphnate
[Lead trinitroresorcinate]
15245-44-0
Mercury fulminate
628-86-4
5-Nitrobenzotriazol
2338-12-7
Nitrocellulose
9004-70-0
Nitroglycerine
55-63-0
Nitromannite
[Mannitol hexanitrate, wetted]
15825-70-4
Nitrostarch
9056-38-6
Nitrotriazolone
932-64-9
Octolite
57607-37-1
Octonal
78413-87-3
Pentolite
8066-33-9
PETN
[Pentaerythritol tetranitrate]
78-11-5
Picrite
[Nitroguanidine]
556-88-7
RDX
[Cyclotrimethylenetrinitramine]
121-82-4
RDX and HMX mixtures
121-82-4
Tetranitroaniline
53014-37-2
Tetrazene
[Guanyl nitrosaminoguanyltetrazene]
109-27-3
1H-Tetrazole
288-94-8
DHS Form 9015
No
Page 23 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.3-1039]
Yes
TNT
[Trinitrotoluene]
118-96-7
Torpex
[Hexotonal]
67713-16-0
Trinitroaniline
26952-42-1
Trinitroanisole
606-35-9
Trinitrobenzene
99-35-4
Trinitrobenzenesulfonic acid
2508-19-2
Trinitrobenzoic acid
129-66-8
Trinitrochlorobenzene
88-88-0
Trinitrofluorenone
129-79-3
Trinitro-meta-cresol
602-99-3
Trinitronaphthalene
55810-17-8
Trinitrophenetole
4732-14-3
Trinitrophenol
88-89-1
Trinitroresorcinol
82-71-3
Tritonal
DHS Form 9015
No
54413-15-9
Page 24 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Theft/Diversion Explosive/Improvised Explosive Device Precursor
(EXP/IEDP) Chemicals of Interest
Indicate which theft/diversion EXP/IEDP chemicals of interest are listed in the DHS Initial
Notification Letter.
If answered No for all chemicals, go to Theft/Diversion Weapon of Mass Effect (WME) Chemicals
of Interest (page 29).
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.4-1043]
Yes
Aluminum (powder)
7429-90-5
Ammonium nitrate, [with more than 0.2
percent combustible substances, including
any organic substance calculated as
carbon, to the exclusion of any other added
substance]
6484-52-2
Ammonium nitrate, solid [nitrogen
concentration of 23% nitrogen or greater]
6484-52-2
Ammonium perchlorate
7790-98-9
Ammonium picrate
131-74-8
Barium azide
No
18810-58-7
Diazodinitrophenol
87-31-0
Diethyleneglycol dinitrate
693-21-0
Dingu
[Dinitroglycoluril]
55510-04-8
Dinitrophenol
25550-58-7
Dinitroresorcinol
519-44-8
Dipicryl sulfide
2217-06-3
Dipicrylamine [or] Hexyl
[Hexanitrodiphenylamine]
131-73-7
Guanyl nitrosaminoguanylidene hydrazine
DHS Form 9015
Page 25 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.4-1043]
Yes
Hexanitrostilbene
20062-22-0
Hexolite
[Hexotol]
121-82-4
HMX
[Cyclotetramethylene-tetranitramine]
2691-41-0
Hydrogen peroxide (concentration of at
least 35%)
7722-84-1
Lead azide
13424-46-9
Lead styphnate
[Lead trinitroresorcinate]
15245-44-0
Magnesium (powder)
7439-95-4
Mercury fulminate
628-86-4
Nitric acid
7697-37-2
Nitrobenzene
98-95-3
5-Nitrobenzotriazol
2338-12-7
Nitrocellulose
9004-70-0
Nitroglycerine
55-63-0
Nitromannite
[Mannitol hexanitrate, wetted]
Nitromethane
15825-70-4
75-52-5
Nitrostarch
9056-38-6
Nitrotriazolone
932-64-9
Octolite
57607-37-1
Octonal
78413-87-3
Pentolite
8066-33-9
DHS Form 9015
No
Page 26 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.4-1043]
Yes
PETN
[Pentaerythritol tetranitrate]
78-11-5
Phosphorus
7723-14-0
Picrite
[Nitroguanidine]
556-88-7
Potassium chlorate
3811-04-9
Potassium nitrate
7757-79-1
Potassium perchlorate
7778-74-7
Potassium permanganate
7722-64-7
RDX
[Cyclotrimethylenetrinitramine]
121-82-4
RDX and HMX mixtures
121-82-4
Sodium azide
26628-22-8
Sodium chlorate
7775-09-9
Sodium nitrate
7631-99-4
Tetranitroaniline
53014-37-2
Tetrazene
[Guanyl nitrosaminoguanyltetrazene]
109-27-3
1H-Tetrazole
288-94-8
TNT
[Trinitrotoluene]
118-96-7
Torpex
[Hexotonal]
67713-16-0
Trinitroaniline
26952-42-1
Trinitroanisole
606-35-9
Trinitrobenzene
99-35-4
DHS Form 9015
No
Page 27 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.4-1043]
Yes
Trinitrobenzenesulfonic acid
2508-19-2
Trinitrobenzoic acid
129-66-8
Trinitrochlorobenzene
88-88-0
Trinitrofluorenone
129-79-3
Trinitro-meta-cresol
602-99-3
Trinitronaphthalene
55810-17-8
Trinitrophenetole
4732-14-3
Trinitrophenol
88-89-1
Trinitroresorcinol
82-71-3
Tritonal
DHS Form 9015
No
54413-15-9
Page 28 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Theft/Diversion Weapon of Mass Effect (WME) Chemicals of
Interest
Indicate which theft/diversion WME chemicals of interest are listed in the DHS Initial
Notification Letter.
If answered No for all chemicals, go to Theft/Diversion Chemical Weapon/Chemical Weapon
Precursor (CW/CWP) Chemicals of Interest (page 32).
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.5-1042]
Yes
Arsine
7784-42-1
Boron tribromide
10294-33-4
Boron trichloride
[Borane, trichloro]
10294-34-5
Boron trifluoride
[Borane, trifluoro]
7637-07-2
Bromine chloride
13863-41-7
Bromine trifluoride
7787-71-5
Carbonyl fluoride
353-50-4
Carbonyl sulfide
463-58-1
Chlorine
7782-50-5
Chlorine pentafluoride
13637-63-3
Chlorine trifluoride
7790-91-2
Cyanogen
[Ethanedinitrile]
460-19-5
Cyanogen chloride
506-77-4
Diborane
19287-45-7
Dichlorosilane
[Silane, dichloro-]
4109-96-0
Dinitrogen tetroxide
10544-72-6
DHS Form 9015
Page 29 of 105
No
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.5-1042]
Yes
Fluorine
7782-41-4
Germane
7782-65-2
Germanium tetrafluoride
7783-58-6
Hexaethyl tetraphosphate and compressed
gas mixtures
757-58-4
Hexafluoroacetone
684-16-2
Hydrogen bromide (anhydrous)
10035-10-6
Hydrogen chloride (anhydrous)
7647-01-0
Hydrogen cyanide
[Hydrocyanic acid]
74-90-8
Hydrogen fluoride (anhydrous)
7664-39-3
Hydrogen iodide, anhydrous
10034-85-2
Hydrogen selenide
7783-07-5
Hydrogen sulfide
7783-06-4
Methyl mercaptan
[Methanethiol]
74-93-1
Methylchlorosilane
993-00-0
Nitric oxide
[Nitrogen oxide (NO)]
10102-43-9
Nitrogen trioxide
10544-73-7
Nitrosyl chloride
2696-92-6
Oxygen difluoride
7783-41-7
Perchloryl fluoride
7616-94-6
Phosgene
[Carbonic dichloride] or [carbonyl dichloride]
DHS Form 9015
No
75-44-5
Page 30 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.5-1042]
Yes
Phosphine
7803-51-2
Phosphorus trichloride
7719-12-2
Selenium hexafluoride
7783-79-1
Silicon tetrafluoride
No
7783-61-1
Stibine
7803-52-3
Sulfur dioxide (anhydrous)
7446-09-5
Sulfur tetrafluoride
[Sulfur fluoride (SF4), (T-4)-]
7783-60-0
Tellurium hexafluoride
7783-80-4
Titanium tetrachloride
[Titanium chloride (TiCl4) (T-4)-]
7550-45-0
Trifluoroacetyl chloride
354-32-5
Trifluorochloroethylene
[Ethene, chlorotrifluoro]
79-38-9
Tungsten hexafluoride
7783-82-6
DHS Form 9015
Page 31 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Theft/Diversion Chemical Weapon/Chemical Weapon Precursor
(CW/CWP) Chemicals of Interest
Indicate which theft/diversion CW/CWP chemicals of interest are listed in the DHS Initial
Notification Letter.
If answered No for all chemicals, go to Sabotage/Contamination Chemicals of Interest (page 35).
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.6-1041]
Yes
Arsenic trichloride
[Arsenous trichloride]
7784-34-1
1,4-Bis(2-chloroethylthio)-n-butane
142868-93-7
Bis(2-chloroethylthio)methane
63869-13-6
Bis(2-chloroethylthiomethyl)ether
63918-90-1
1,5-Bis(2-chloroethylthio)-n-pentane
142868-94-8
1,3-Bis(2-chloroethylthio)-n-propane
63905-10-2
2-Chloroethylchloro-methylsulfide
2625-76-5
Chlorosarin
[o-Isopropyl methylphosphonochloridate]
1445-76-7
Chlorosoman
[o-Pinacolyl methylphosphonochloridate]
7040-57-5
DF
[Methyl phosphonyl difluoride]
676-99-3
N,N-(2-diethylamino)ethanethiol
100-38-9
o,o-Diethyl S-[2-(diethylamino)ethyl]
phosphorothiolate
78-53-5
Diethyl methylphosphonite
15715-41-0
N,N-Diethyl phosphoramidic dichloride
1498-54-0
N,N-(2-diisopropylamino)ethanethiol
[N,N-diisopropyl-β-aminoethane thiol]
5842-07-9
DHS Form 9015
No
Page 32 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.6-1041]
Yes
N,N-Diisopropyl phosphoramidic dichloride
23306-80-1
N,N-(2-dimethylamino)ethanethiol
108-02-1
N,N-Dimethyl phosphoramidic dichloride
[Dimethylphosphoramido-dichloridate]
677-43-0
N,N-(2-dipropylamino)ethanethiol
5842-06-8
N,N-Dipropyl phosphoramidic dichloride
40881-98-9
Ethyl phosphonyl difluoride
753-98-0
Ethyldiethanolamine
139-87-7
Ethylphosphonothioic dichloride
993-43-1
HN1 (Nitrogen Mustard-1)
[Bis(2-chloroethyl)ethylamine]
538-07-8
HN2 (Nitrogen Mustard-2)
[Bis(2-chloroethyl)methylamine]
51-75-2
HN3 (Nitrogen Mustard-3)
[Tris(2-chloroethyl)amine]
555-77-1
Isopropylphosphonothioic dichloride
1498-60-8
Isopropylphosphonyl difluoride
677-42-9
Lewisite 1
[2-chlorovinyldichloroarsine]
541-25-3
Lewisite 2
[Bis(2-chlorovinyl)chloroarsine]
40334-69-8
Lewisite 3
[Tris(2-chlorovinyl)arsine]
40334-70-1
MDEA
[Methyldiethanolamine]
105-59-9
Methylphosphonothioic dichloride
676-98-2
DHS Form 9015
No
Page 33 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.6-1041]
Yes
O-Mustard (T)
[Bis(2-chloroethylthioethyl)ether]
63918-89-8
Nitrogen mustard hydrochloride
[Bis(2-chloroethyl)methylamine
hydrochloride]
55-86-7
Phosphorus oxychloride
[Phosphoryl chloride]
10025-87-3
Propylphosphonothioic dichloride
2524-01-8
Propylphosphonyl difluoride
690-14-2
QL
[o-Ethyl-o-2-diisopropylaminoethyl
methylphosphonite]
Sarin
[o-Isopropyl methylphosphonofluoridate]
Sesquimustard
[1,2-Bis(2-chloroethylthio)ethane]
57856-11-8
107-44-8
3563-36-8
Soman
[o-Pinacolyl methylphosphonofluoridate]
96-64-0
Sulfur Mustard (Mustard gas (H))
[Bis(2-chloroethyl)sulfide]
505-60-2
Tabun
[o-Ethyl-N,N-dimethylphosphoramidocyanidate]
77-81-6
Thiodiglycol
[Bis(2-hydroxyethyl)sulfide]
111-48-8
Triethanolamine
102-71-6
Triethanolamine hydrochloride
637-39-8
Triethyl phosphite
122-52-1
Trimethyl phosphite
121-45-9
DHS Form 9015
No
Page 34 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.6-1041]
Yes
VX
[o-Ethyl-S-2-diisopropylaminoethyl methyl
phosphonothiolate]
DHS Form 9015
No
50782-69-9
Page 35 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Sabotage/Contamination Chemicals of Interest
Indicate which sabotage/contamination chemicals of interest are listed in the DHS Initial
Notification Letter.
If answered No for all chemicals, go to Facility Characteristics (page 39).
Chemical Name
CAS#
Was the chemical
listed in the letter?
[Q:2.7-1671]
Yes
Acetone cyanohydrin, stabilized
75-86-5
Acetyl bromide
506-96-7
Acetyl chloride
75-36-5
Acetyl iodide
507-02-8
Allyltrichlorosilane, stabilized
107-37-9
Aluminum bromide, anhydrous
7727-15-3
Aluminum chloride, anhydrous
7446-70-0
Aluminum phosphide
20859-73-8
Amyltrichlorosilane
107-72-2
Antimony pentafluoride
7783-70-2
Boron tribromide
10294-33-4
Bromine pentafluoride
7789-30-2
Bromine trifluoride
7787-71-5
Butyltrichlorosilane
7521-80-4
Calcium hydrosulfite
[Calcium dithionite]
15512-36-4
Calcium phosphide
1305-99-3
Chlorine dioxide
[Chlorine oxide, (ClO2)]
10049-04-4
Chloroacetyl chloride
DHS Form 9015
No
79-04-9
Page 36 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.7-1671]
Yes
Chlorosulfonic acid
7790-94-5
Chromium oxychloride
14977-61-8
Cyclohexyltrichlorosilane
Diethyldichlorosilane
98-12-4
1719-53-5
Dimethyldichlorosilane
[Silane, dichlorodimethyl-]
75-78-5
Diphenyldichlorosilane
80-10-4
Dodecyltrichlorosilane
4484-72-4
Ethyltrichlorosilane
115-21-9
Fluorosulfonic acid
7789-21-1
Hexyltrichlorosilane
928-65-4
Iodine pentafluoride
7783-66-6
Lithium amide
7782-89-0
Lithium nitride
26134-62-3
Magnesium diamide
7803-54-5
Magnesium phosphide
12057-74-8
Methyldichlorosilane
75-54-7
Methylphenyldichlorosilane
149-74-6
Methyltrichlorosilane
[Silane, trichloromethyl-]
75-79-6
Nonyltrichlorosilane
5283-67-0
Octadecyltrichlorosilane
112-04-9
Octyltrichlorosilane
5283-66-9
Phenyltrichlorosilane
DHS Form 9015
No
98-13-5
Page 37 of 105
Version 1.0
�CSAT SVA Questions
Chemical Name
OMB PRA # 1670-0007
Expires: 3/31/2013
CAS#
Was the chemical
listed in the letter?
[Q:2.7-1671]
Yes
Phosphorus oxychloride
[Phosphoryl chloride]
10025-87-3
Phosphorus pentabromide
7789-69-7
Phosphorus pentachloride
10026-13-8
Phosphorus pentasulfide
1314-80-3
Phosphorus trichloride
7719-12-2
Potassium cyanide
151-50-8
Potassium phosphide
20770-41-6
Propyltrichlorosilane
141-57-1
Silicon tetrachloride
10026-04-7
Sodium cyanide
143-33-9
Sodium hydrosulfite
[Sodium dithionite]
7775-14-6
Sodium phosphide
12058-85-4
Strontium phosphide
12504-16-4
Sulfuryl chloride
7791-25-5
Thionyl chloride
7719-09-7
Titanium tetrachloride
[Titanium chloride (TiCl4) (T-4)-]
7550-45-0
Trichlorosilane
[Silane, trichloro-]
10025-78-2
Trimethylchlorosilane
[Silane, chlorotrimethyl-]
75-77-4
Vinyltrichlorosilane
75-94-5
Zinc hydrosulfite
[Zinc dithionite]
DHS Form 9015
No
7779-86-4
Page 38 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Facility Characteristics
What is the surrounding topography of the facility?
[Q:2.92-5911]
Note: Only answer if the facility has issues related to toxic chemicals.
Urban
Rural
Select the option, Urban or Rural, that best defines the area surrounding the facility. The entry
here should match the corresponding entry in the CSAT Top-Screen. As in the Top-Screen, if a
facility is covered by EPA's Risk Management Plan, the selection of urban or rural should be
consistent with the facility's current RMP on file with EPA. If a facility is not covered by a current
RMP and the terrain surrounding the facility varies depending on the approach to the facility,
select the topography (urban or rural) that is most representative of the facility's location. If still
unsure, select Rural.
Is the facility located on a navigable waterway?
[Q:2.92-3313]
Yes
No
Facilities should answer Yes to this question if a waterway along any portion of the facility
perimeter can accommodate small to large watercraft. This includes vessels ranging from small
pleasure craft, barges, and deep draft vessels. Facilities responding No will not evaluate a
Maritime attack mode as part of the vulnerability analysis because it is not applicable for this
facility.
Security Equipment at the Facility
List the types of security equipment that help to reduce the vulnerability of COI at the
facility.
List any security equipment at the facility that helps reduce the vulnerability of COI that the DHS
Initial Notification letter noted as contributing to a high level of security risk. List only security
equipment that applies across the facility, as opposed to a specific COI or asset. See the SVA
Instructions document for examples of responses.
If you have multiple entries of the same type or need more space, copy the following page as
necessary.
DHS Form 9015
Page 39 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Security Equipment
Location
Support System Required
[Q:2.93-8331]
[Q:2.93-8332]
[Q:2.93-8333]
CCTV monitoring systems
for COI areas
Intrusion detection system
for facility perimeter
Intrusion detection system
with 24-hour monitoring
Security response team
Security response vehicles
Security communications
system
Redundant security
communications systems
Vehicle screening at access
point for dangerous
materials
Personal screening at
access points for dangerous
materials
Other:
DHS Form 9015
Page 40 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Utility Systems and Infrastructure Support
List below any utility systems or other infrastructure support required for the security equipment
and the location of the systems or equipment. See the SVA Instructions document for examples
of responses.
Select an item from the list, and complete the utility systems or infrastructure support information.
Add entries until all applicable items have been provided. If the facility has none of the utility
systems or infrastructure support systems shown in the list, leave this question blank.
If you have multiple entries of the same type or need more space, copy this page as necessary.
System/Infrastructure
Location
[Q:2.94-8351]
[Q:2.94-8352]
Electric power system
Redundant offsite electric power sources
Backup AC power system from onsite generators
Backup DC power system from UPS equipment
Other:
Electric power system
Redundant offsite electric power sources
Backup AC power system from onsite generators
Backup DC power system from UPS equipment
Other:
DHS Form 9015
Page 41 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Inventory Control
If the facility does not have any Theft/Diversion chemicals present, go to Personnel Access
Control Measures at the Facility (page 47).
List any inventory control measures used at the facility that would help reduce vulnerability to
theft/diversion. If the facility does not have any inventory control measures, leave this question
blank. For each identified inventory control measure, complete additional questions.
Inventory Control/Measures
[Q:2.95-8371]
Copy the Inventory Control Pages as necessary to answer for all controls/measures listed here.
DHS Form 9015
Page 42 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Copy the following Inventory Control/Measure pages (43-46), fill in the control/measure you are
answering questions for here, and then answer the questions regarding that specific
Control/Measure.
Inventory Control/Measure
[Q:2.95-8371]
Inventory Control - Details
Please note if the inventory control measure is automated, the frequency with which it is applied,
the location of the measure, the inventory features, and whether the features apply to the COI.
See the SVA Instruction document for examples of responses.
Is the inventory measure automated?
[Q:2.951-8711]
Yes
No
Frequency Applied
[Q:2.951-8372]
Daily
Weekly
Monthly
Quarterly
Semi-annually
Annually
Other
Location
[Q:2.951-8373]
DHS Form 9015
Page 43 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Select all the features that apply to this Control Measure.
Inventory Control Feature
Is the feature used
in this control
measure?
[Q:2.951-12191]
Continuous electronic inventory accounting for all COI
Yes
No
Periodic electronic inventory accounting for all COI
Yes
No
Periodic, manual inventory accounting for all COI
Yes
No
Recordkeeping procedures that track customer orders
Yes
No
Recordkeeping procedures that identify suspicious orders and inquiries
Yes
No
Recordkeeping procedures that report inventory discrepancies to
regulatory and/or law enforcement agencies
Yes
No
Restricted access to customer ordering system
Yes
No
Restricted access to customer information
Yes
No
Training for customer sales representatives on handling suspicious
orders or inquiries
Yes
No
Background checks for customer sales representatives
Yes
No
Inventory reconciliation procedures
Yes
No
Inventory reconciliation procedures that identify, investigate, and resolve
shortages
Yes
No
Procedures for reporting shortages to regulatory and/or law enforcement
agencies
Yes
No
Product segregation procedures
Yes
No
Restricted access to segregated products
Yes
No
Enter the chemicals present at the facility in the appropriate list.
DHS Form 9015
Page 44 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Theft/Diversion Explosive/Improvised Explosive Device Precursor (EXP/IEDP) Chemicals
of Interest
Chemical Name
CAS#
Does the measure apply to
COI?
[Q:2.951-8511]
Yes
No
Theft/Diversion Weapon of Mass Effect (WME) Chemicals of Interest
Chemical Name
CAS#
Does the measure apply to
COI?
[Q:2.951-8571]
Yes
DHS Form 9015
Page 45 of 105
No
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Theft/Diversion Chemical Weapon/Chemical Weapon Precursor (CW/CWP) Chemicals of
Interest
Chemical Name
CAS#
Does the measure apply to
COI?
[Q:2.951-8573]
Yes
DHS Form 9015
Page 46 of 105
No
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 3/31/2013
Personnel Access Control Measures at the Facility
List below any personnel access control measures used at the facility that could help reduce
vulnerability to an attack. See the Instructions document for examples of responses.
Complete the applicable personnel access control measure information. If the facility has none of
the personnel access control measures shown in the drop-down list, leave this question blank.
Personnel recognition by officer - Access control system based on personnel
recognition by security officer with no picture or electronic badge
Manual badge validation by officer - Access control system with manual badge
validation by security officer
Biometric validation - Access control system with biometric validation
Computerized access with no validation - Access control system with computerized
access with no validation (e.g., swipe or proximity card system with no guard or computer
validation process)
Personnel access allowed on foot only - Personnel access allowed on foot only (i.e.,
employee and visitor vehicles not allowed inside facility process boundary)
Copy the following page as needed to answer all personnel access control measures at the
facility. Use the blank space provided under Access Control Measure to answer with one that is
not listed.
DHS Form 9015
Page 47 of 105
Version 1.0
�CSAT SVA Questions
Access Control
Measure
[Q:2.96-8431]
OMB PRA # 1670-0007
Expires: 3/01/2011
Is the
control
measure
automated?
Frequency Applied
Location
Personnel Covered
[Q:2.94-8432]
[Q:2.94-8433]
[Q:2.94-8434]
[Q:2.94-8351]
Personnel
recognition by officer
Manual badge
validation by officer
Daily
Biometric validation
Weekly
Computerized
access with no validation
Personal access
allowed on foot only
Yes
Monthly
Quarterly
No
Visitor access
clearance and badging
Semi-annually
Visitors require
advance registration
Annually
Visitors require full
time escort
Other
Other:
DHS Form 9015
Page 48 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Shipping and Receiving Control Measures at the Facility
If the facility does not have any Theft/Diversion or Sabotage chemicals present, go to PostRelease Measures and Equipment (page 53).
List below any shipping and receiving measures at the facility that would be useful in reducing
vulnerability to an attack. If the facility does not have any shipping and receiving measures, leave
this question blank. For each identified shipping and receiving measure, complete additional
questions.
Control Measures
[Q:2.97-8611]
Copy the Shipping and Receiving Control Measures as necessary to answer regarding all control
measures listed here.
DHS Form 9015
Page 49 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Copy the following Control Measure pages (50-52), fill in the control/measure you are answering
questions for here, and then answer the questions regarding that specific Control Measure.
Control Measure
[Q:2.97-8611]
Shipping and Receiving Control Measures – Details
Please note if the shipping and receiving inventory control measure is automated, the frequency
with which it is applied, the location of the measure, the inventory features, and whether the
features apply to the COI. See the Instruction Guide for examples of responses.
Is the control measure automated?
[Q:2.971-8719]
Yes
No
Frequency Applied
[Q:2.971-8612]
Daily
Weekly
Monthly
Quarterly
Semi-annually
Annually
Other
Location
[Q:2.971-8613]
Select all the features that apply to this Control Measure.
Control Measure Feature
Is the feature used
in this control
measure?
[Q:2.971-12171]
Restricted access to shipping and receiving area
Yes
No
Restricted access to staging area for shipments
Yes
No
Reconciliation of outbound shipments with customer orders
Yes
No
Reconciliation of intra-company shipments
Yes
No
DHS Form 9015
Page 50 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Control Measure Feature
Is the feature used
in this control
measure?
[Q:2.971-12171]
Reconciliation of intra-company receipts
Yes
No
Confirm receipt of customer’s orders
Yes
No
Confirm receipt of intra-company shipments
Yes
No
Confirm receipt of intra-company receipts
Yes
No
Customer verification procedures that validate new customers’ business
and product end-use
Yes
No
Customer verification procedures that periodically validate established
customer’s business and product end-use
Yes
No
Customer verification procedures that include on-site visit(s) to customer
facility
Yes
No
Training for shipping and receiving personnel on validating the accuracy
and completeness of receipts and shipments
Yes
No
Training for shipping and receiving personnel on securing the shipping
and receiving area
Yes
No
Background check on shipping and receiving personnel
Yes
No
Theft/Diversion Explosive/Improvised Explosive Device Precursor (EXP/IEDP) Chemicals
of Interest
Chemical Name
CAS#
Does the measure apply to
COI?
[Q:2.971-8659]
Yes
DHS Form 9015
Page 51 of 105
No
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Theft/Diversion Weapon of Mass Effect (WME) Chemicals of Interest
Chemical Name
CAS#
Does the measure apply to
COI?
[Q:2.971-8571]
Yes
No
Theft/Diversion Chemical Weapon/Chemical Weapon Precursor (CW/CWP) Chemicals of
Interest
Chemical Name
CAS#
Does the measure apply to
COI?
[Q:2.971-8666]
Yes
No
Sabotage/Contamination Chemicals of Interest
Chemical Name
CAS#
Does the measure apply to
COI?
[Q:2.971-8671]
Yes
DHS Form 9015
Page 52 of 105
No
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Post-Release Measures and Equipment
List below any post-release measures or equipment that would be considered useful in reducing
the consequence of a release-toxic COI release. Do not list mitigation systems that only apply to
a single asset (e.g., a secondary containment dike around toxic liquid storage). See the SVA
Instructions document for examples of responses.
Select applicable items from the list, and complete the post-release measures or equipment
information. If the facility has none of the post-release measures or equipment shown, leave this
question blank.
If you have multiple entries of the same type or need more space, copy the following page as
necessary.
Post-Release
Equipment/Application
Location
Support Systems Required
[Q:2.98-8452]
[Q:2.98-8453]
[Q:2.98-8451]
Community emergency
warning system – telephone autodialer
Community emergency
warning system – community
sirens
Community outreach on
evacuation/sheltering (if warning
system provided)
Other:
Community emergency
warning system – telephone autodialer
Community emergency
warning system – community
sirens
Community outreach on
evacuation/sheltering (if warning
system provided)
Other:
DHS Form 9015
Page 53 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Site Vulnerability Factors
List below any facility features, offsite terrain, or infrastructure items that potentially increase the
site's vulnerability to attack. See the Instructions document for examples of responses.
Enter the site vulnerability, and complete the information. Continue adding entries until all
applicable items have been provided. If the facility has no site vulnerabilities, leave this question
blank.
Site Vulnerability
Comment
[Q:2.99-8454]
[Q:2.99-84545]
DHS Form 9015
Page 54 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Asset Characterization
Facility Assets
Identify one or more assets for each COI.
Each COI described in the facility's DHS initial notification letter must have one or more assets
defined (i.e., each COI must be listed as a primary COI for at least one asset). A primary COI is
the COI for which the consequences of damage to that asset will be estimated. As each asset
can have only one primary COI associated with it, an asset that is associated with more than one
COI might need to be defined multiple times, listing each COI as primary.
For example: The user has a building housing COI "x" and "y".
Asset 1 would be the building and list the primary COI as "x".
Asset 2 would be the same building but list the primary COI as "y".
Also, if a COI presents two separate security issues (e.g., release toxic and theft) separate assets
need to be defined for each security issue and the primary security issue for each asset must be
specified. The primary security issue is the security issue for which the vulnerability and
consequence associated with attacks on the asset are estimated.
The asset names should be distinct enough to identify the asset. This field can be up to 34
characters in length. A suggestion would be to include the equipment, primary COI and/or primary
security issue (e.g., Bulk Storage Tank 1103-Chem X).
Include all applicable assets have been provided. Then describe each asset and provide the
requested information. See the SVA Instructions document for information on asset selection.
DHS Form 9015
Page 55 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Asset Name
Facility Assets - Description
Enter a brief description of the asset.
Provide a brief description of the asset including:
The primary function (e.g., storage, production, loading/unloading);
Number and type of grouped or interconnected vessels; and
Any additional facility identifying number or name. (For example, raw material
storage area, including two storage tanks T-1 and T-2)
[Q:3.2-3831]
Enter the Primary COI for this asset.
Primary Security Issue For This Asset
Indicate which primary security issue the Primary COI belongs to.
Select only one primary security issue.
Select the primary security issue that will be examined for this asset (i.e., the security issue for
which the vulnerability and consequence analyses for this asset apply). If there are two or more
security issues associated with COI that pertain to this asset, separate assets must be defined for
each security issue/COI combination. See the SVA Instructions document for additional
information.
Release of Toxic COI [Q:3.2-10211]
Release of Flammable COI [Q:3.2-10212]
Release of Explosive CO I [Q:3.2-10213]
Theft/Diversion of Explosive/IEDP COI [Q:3.2-10214]
Theft/Diversion of WME COI [Q:3.2-10215]
Theft/Diversion of CW/CWP COI [Q:3.2-10216]
Sabotage/Contamination of COI [Q:3.2-10217]
DHS Form 9015
Page 56 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Facility Assets - Detail
Is there a cyber control system related to this asset?
[Q:3.56-3659]
Yes
No
These cyber control systems should be limited to those systems that have the ability to control
the process and could result in a release or contamination. Possible examples of these types of
systems include SCADA systems, Distributed Control Systems (DCS), Process Control Systems
(PCS), and Industrial Control Systems (ICS).
If Primary COI is Theft/Diversion, answer the following question.
Is there a cyber business system related to this asset?
[Q:3.561-4292]
Yes
No
Examples include business management systems like SAP™ or inventory management
systems.
Facility Asset Directions
Answer the questions regarding the chemicals of interest present at the asset (pages 58-59).
If the Primary COI is Release, answer the containment type questions on page 60.
If the Primary COI is Release-Toxic, answer the storage questions on page 61 and the mitigation
questions on pages 62-64.
If the Primary COI is Theft/Diversion, answer the packaging detail questions on page 65.
After all of your assets have been listed, complete the questions about cyber control systems on
page 66 and cyber business systems on page 67 for each system you have present. If none,
leave those questions blank.
DHS Form 9015
Page 57 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Enter in all chemicals of interest (COI) associated with this asset. Be sure to include the Primary COI listed above.
Enter the quantity of each chemical of interest associated with this asset (pounds).
Is the Theft/Diversion chemical shipped offsite from this asset?
Round the quantity to two significant digits (e.g., round 247500 pounds to 250000 pounds, and round 7625 pounds to 7600 pounds).
Do not use commas when entering data.
Toxic Chemicals of Interest
Quantity
(pounds)
Facility’s largest
inventory of the
COI?
Yes
No
Flammable Chemicals of Interest
Quantity
(pounds)
Yes
No
Explosive Chemicals of Interest
Quantity
(pounds)
Yes
No
DHS Form 9015
Page 58 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Theft/Diversion Explosive/Improvised Explosive Device
Precursor (EXP/IEDP) Chemicals of Interest
Quantity
(pounds)
Facility’s largest
inventory of the
COI?
Yes
No
Shipped Offsite?
Yes
No
Theft/Diversion Weapon of Mass Effect (WME) Chemicals
of Interest
Quantity
(pounds)
Yes
No
Yes
No
Theft/Diversion Chemical Weapon/Chemical Weapon
Precursor (CW/CWP) Chemicals of Interest
Quantity
(pounds)
Yes
No
Yes
No
Sabotage/Contamination Chemicals of Interest
Quantity
(pounds)
Yes
No
DHS Form 9015
Page 59 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Release Chemicals of Interest
Check the items below where the COI is located or contained within this asset. Check all
that apply.
[Q:3.31-5472]
Containment Type
Is the containment type used for this asset?
[Q:3.31-12192]
Barge
Yes
No
Cylinder
Yes
No
Isotainer
Yes
No
Low Pressure Storage Tank
Yes
No
Mounded Storage
Yes
No
Pipeline
Yes
No
Piping
Yes
No
Pressure Vessel
Yes
No
Process Unit
Yes
No
Rail Car
Yes
No
Reactor
Yes
No
Spheres
Yes
No
Tank Trunk
Yes
No
Tube Trailers
Yes
No
Underground Storage
Yes
No
Other
Yes
No
DHS Form 9015
Page 60 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Toxic Chemicals of Interest
Select the predominant chemical phase of the chemical at this asset.
Select liquid for the predominant phase if the chemical is a liquid at or near atmospheric temperature and pressure.
If the Toxic COI is process/stored as a gas, leave the other questions in this table blank.
Enter the liquid process or storage temperature and pressure of the toxic COI. Enter the maximum height of the liquid in the
vessel. Indicate whether the liquid is an aqueous solution. Enter the initial percent concentration by weight of the toxic
chemical in aqueous solution associated with this asset.
If the Toxic COI liquid is not an aqueous solution, skip the concentration percentage by weight question.
Chemical Name
Process/Storage
Condition
[Q:3.41-6993]
Temperature
(degree
Fahrenheit)
Process or
storage
pressure (psig)
Liquid
height
(feet)
Percent
Concentration
by Weight
[Q:3.412-6995]
[Q:3.412-8893]
[Q:3.412-8894]
[Q:3.413-7011]
Gas Liquid
Pressurized
Liquefied Gas
Refrigerated
Liquefied Gas
Gas
LiquidPressurized
Liquefied Gas
Refrigerated
Liquefied Gas
DHS Form 9015
Page 61 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Primary Release Toxic
Mitigation measures in place that you expect to help mitigate a toxic release (check all that
apply):
Dike, berm, or other similar containment [Q:3.42-10471]
Leak detection system [Q:3.42-10472]
Fixed vapor suppression system [Q:3.42-10473]
Notification system for offsite evacuation or sheltering in place
Other measures [Q:3.42-10475]
[Q:3.42-10474]
Toxic Release – Mitigation
Dike, berm, or other similar containment
Description of containment
[Q:3.421-9211]
Containment area (sq ft)
[Q:3.421-9212]
Containment capacity (gallons)
[Q:3.421-9213]
Leak detection system (e.g., fixed chemical detectors with alarm)
Description of system
[Q:3.421-9214]
Estimated time to detection for a toxic release (minutes)
DHS Form 9015
Page 62 of 105
[Q:3.421-9215]
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Fixed vapor suppression system (e.g., foam or dry chemical cover,
water spray system)
Description of system
[Q:3.421-9216]
Estimated time to activation for a toxic release (minutes)
Estimated vapor reduction for a toxic release (%)
[Q:3.421-9218]
[Q:3.421-9219]
Notification system for offsite evacuation or sheltering in place (e.g.,
phone dialing system, alarm system)
Description of system
[Q:3.421-9220]
Estimated time to activation of system (minutes)
[Q:3.421-9221]
Description of community outreach/training on evacuation and sheltering in place
[Q:3.421-9222]
DHS Form 9015
Page 63 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Other measures
Description of other measures
[Q:3.421-9223]
Description of mitigation provided by this measure for a toxic release
[Q:3.421-9224]
DHS Form 9015
Page 64 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Theft/Diversion Primary COI
Facility Assets - Packaging Detail
Provide the following information for all instances of the COI listed above at this asset.
For facilities with multiple instances of the COI at the asset, enter the first instance and complete the related questions.
Continue adding entries until all applicable instances have been provided.
Concentration range
(% by weight)
Packaging type description
Transportation
packaging type
[Q:3.48-9031, Q:3.5-9097, Q:3.52-9172]
[Q:3.48-9011, Q:3.5-9096,
Q:3.52-9171]
[Q:3.48-9032, Q:3.5-9098,
Q:3.52-9174]
Total quantity of COI
in this transportation
packaging type (lbs)
[Q:3.48-9091, Q:3.5-9165,
Q:3.52-9173]
0 – 30%
31 – 50%
Bulk Storage
Portable
51 – 80%
81 – 100%
Bulk
Transportation
0 – 30%
31 – 50%
Bulk Storage
Portable
51 – 80%
81 – 100%
Bulk
Transportation
0 – 30%
31 – 50%
Bulk Storage
Portable
51 – 80%
81 – 100%
DHS Form 9015
Bulk
Page 65 of 105
Transportation
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Cyber Control Systems
List the cyber control systems that are associated with assets that have been identified. Enter cyber control system description.
Indicate which assets are associated with the system.
These cyber control systems should be limited to those systems that have the ability to control the process and could result in a release or
contamination. Possible examples of these types of systems include SCADA systems, Distributed Control Systems (DCS), Process
Control Systems (PCS), and Industrial Control Systems (ICS).
Control System Name
[Q:3.7-3711]
DHS Form 9015
Control System Description
Assets controlled by this system.
[Q:3.71-3719]
[Q:3.71-3835]
Page 66 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Cyber Business Systems
List the cyber business systems that are associated with assets that have been identified. Enter cyber control system
description. Indicate which assets with theft/diversion as their primary COI are associated with the system.
Possible examples of these types of systems include business management systems like SAP or inventory management systems.
Business System Name
[Q:3.8-3715]
DHS Form 9015
Control System Description
Assets controlled by this system.
[Q:3.81-3720]
[Q:3.81-3837]
Page 67 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Vulnerability Analysis
Answer the following scenarios based on what type of primary COI you have selected for the asset. Use the following tables to determine
what sections should be answered for a specific asset. Copy the pages needed as necessary. Only fill out the Maritime section if the
facility is located on a navigable waterway (page 39) [Q:2.92-3313]. Only fill out the Diversion section if the facility ships the Primary-COI
offsite (page 59). For example, if you have an asset with a primary toxic COI, fill out the Aircraft, Maritime (if on waterway), Vehicle,
Assault Team, and Standoff Attack Scenarios. Then for the Aircraft Attack Scenario, fill out the sections regarding Identifiability
Probability, Achievability Probability, and Availability Probability. Be sure to fill out the attack description for each attack scenario indicated
in the Attack Scenario Table.
The online application requires the user to annotate the CSAT facility imagery (or upload and annotate imagery for the facility), to indicate
each asset location, attack location, and the radius of the damage zone for each scenario.
Asset Name
Attack Scenarios
Release
Toxic
(include the
Mitigation Measures
page with these
attack scenarios)
Flammable
Explosive
DHS Form 9015
Aircraft
Maritime
only if facility is on
navigable waterway
(page 39) [Q:2.92-3313]
Vehicle
Assault
Team
Standoff
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Page 68 of 105
Theft
Diversion
only if Primary
COI shipped
offsite (page 59)
Sabotage
Version 1.0
�CSAT SVA Questions
Aircraft
OMB PRA # 1670-0007
Expires: 5/31/2011
Vehicle
Maritime
only if facility is on
navigable waterway
(page 39) [Q:2.92-3313]
Assault
Team
Standoff
Theft/
Diversion
EXP/IEDP
Theft
X
X
X
WME
CW/CWP
Diversion
only if Primary
COI shipped
offsite (page 59)
Sabotage
X
X
X
X
Sabotage
Attack
Scenario Descriptions
Identifiability Probability
Aircraft
Maritime
only if facility is on
navigable waterway
(page 39) [Q:2.92-3313]
Vehicle
Assault
Team
Standoff
Theft
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Accessibility Probability
Vulnerability Questions
Facility Security Response
Force Capability
Offsite Security Response
Force Capability
Achievability Probability
Target Hardness
Probability
Availability Probability
Unauthorized Customer
Registration
Unauthorized Order
Placement
Unauthorized Order
Pickup (if customer is
allowed to pick up orders
at the asset) [Q:12.6-7736]
DHS Form 9015
X
X
X
Diversion
only if Primary
COI shipped
offsite (page 59)
Sabotage
X
X
X
X
X
X
X
X
X
X
X
Page 69 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Aircraft Scenario
Select one standard scenario below OR choose "Other" to provide an alternative scenario
description.
For each Attack Scenario the user may select from one of the standard attack scenario
descriptions or identify a new scenario that better reflects a facility's situation. For each asset and
attack mode, select a standard attack scenario that applies to the facility and to which the asset
would be most vulnerable (compared to the other standard scenarios). If there is another attack
scenario (i.e., not one of the standard scenarios) to which the asset would be more vulnerable,
use the "other" option and evaluate it instead of one of the standard scenarios.
A1 - Medium-range, medium-lift aircraft (i.e., 737 size) crashes into facility in attempt to
destroy large storage tanks of COI located in the tank farm area, separate from other process
equipment.
A2 - Adversary crashes medium-range, medium-lift aircraft (i.e., 737 size) into facility in
attempt to destroy large chemical processing area containing a variety of process
equipment, including in-process inventories of COI.
Other – user-defined aircraft scenario.
Annotate a plot of the site to indicate the asset and a 950 foot damage radius surrounding the
asset attacked in the scenario.
If Other, describe the scenario.
Describe the attack scenario relevant to this asset.
[Q:9.01-7588]
What is the expected number of people at the facility within the outer damage radius (950
feet)?
Expected number of people includes the number of employees or contractors that would be in the
specified area of the explosion based on the assumptions for the scenario (e.g., random time,
shift change, at night, weekend, holiday).
[Q:9.21-4063]
DHS Form 9015
Page 70 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Fill in quantities of the appropriate COI that match the same chemical list as the primary COI.
Calculate the quantity using the same counting rules provided by CFATS for calculating the STQs
for the applicable release chemicals of interest.
Enter all quantities (pounds) of the same release COI within the inner damage radius (490
feet).
Primary COI Name
CAS#
Quantity
(pounds)
[Q:9.3-9706]
Enter quantities of all release-flammable COI within the inner damage radius (490 feet).
Chemical Name
CAS#
Total
Quantity
(pounds)
[Q:9.4-9738]
DHS Form 9015
Page 71 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Enter quantities of all release-explosive COI within the inner damage radius (490 feet).
Chemical Name
CAS#
Total
Quantity
(pounds)
[Q:9.5-9743]
DHS Form 9015
Page 72 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Maritime Scenario
Select one standard scenario below OR choose "Other" to provide an alternative scenario
description.
For each Attack Scenario the user may select from one of the standard attack scenario
descriptions or identify a new scenario that better reflects a facility's situation. For each asset and
attack mode, select a standard attack scenario that applies to the facility and to which the asset
would be most vulnerable (compared to the other standard scenarios). If there is another attack
scenario (i.e., not one of the standard scenarios) to which the asset would be more vulnerable,
use the "other" option and evaluate it instead of one of the standard scenarios.
B1 - Adversary drives boat carrying IED on an offsite waterway that comes within the
proximity of the asset and explodes the boat at the closest approach point to the asset
B2 - Adversary drives boat carrying IED into an onsite waterway or channel that comes
within the proximity of the asset and explodes the boat at the closest approach point to
the asset.
Other – user-defined maritime scenario.
Annotate a plot of the site to indicate the location of the boat when the attack takes place, the
location of the asset, and the inner and outer (140 and 270 foot) damage radii surrounding the
asset attacked in the scenario.
If Other, describe the scenario.
Describe the attack scenario relevant to this asset.
[Q:7.01-7275]
Is any portion of the asset within the inner damage radius (140 feet)?
Yes
No
If Yes, answer the following questions and answer the attack scenario descriptions associated
with this asset.
DHS Form 9015
Page 73 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
What is the expected number of people at the facility within the outer damage radius (270
feet)?
Expected number of people includes the number of employees or contractors that would be in the
specified area of the explosion based on the assumptions for the scenario (e.g., random time,
shift change, at night, weekend, holiday).
[Q:7.21-3896]
Calculate the quantity using the same counting rules provided by CFATS for calculating the STQs
for the applicable release chemicals of interest.
Fill in quantities of the appropriate COI that match the same chemical list as the primary COI.
Enter all quantities (pounds) of the same release COI within the inner damage radius (140
feet).
Primary COI Name
CAS#
Quantity
(pounds)
[Q:7.3-9170]
Enter quantities of all release-flammable COI within the inner damage radius (140 feet).
Chemical Name
CAS#
Total
Quantity
(pounds)
[Q:7.4-9226]
DHS Form 9015
Page 74 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Enter quantities of all release-explosive COI within the inner damage radius (140 feet).
Chemical Name
CAS#
Total
Quantity
(pounds)
[Q:7.5-9228]
DHS Form 9015
Page 75 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Vehicle Scenario
Select one standard scenario below OR choose "Other" to provide an alternative scenario
description.
For each Attack Scenario the user may select from one of the standard attack scenario
descriptions or identify a new scenario that better reflects a facility's situation. For each asset and
attack mode, select a standard attack scenario that applies to the facility and to which the asset
would be most vulnerable (compared to the other standard scenarios). If there is another attack
scenario (i.e., not one of the standard scenarios) to which the asset would be more vulnerable,
use the "other" option and evaluate it instead of one of the standard scenarios.
V1 - Adversary places VBIED outside of the facility perimeter, but located close enough
for the vehicle bomb to destroy the COI storage tank or area considered the asset.
V2 - The adversary cuts the facility back gate open during off hours (i.e., night or
weekend operation) and drives the VBIED to a location at the end of the secondary
containment closest to tank/area that is this asset.
V3 - The adversary accesses the facility with a VBIED by entering the plant site behind a
vehicle making an authorized entry or by crashing through a controlled access gate. The
adversary drives the VBIED to the storage area or process unit that represents this asset
and detonates the device there.
Other – user-defined vehicle scenario.
Annotate a plot of the site to indicate the location of the vehicle when the attack takes place, the
location of the asset, and the inner and outer (170 and 340 foot) damage radii surrounding the
asset attacked in the scenario.
If Other, describe the scenario.
Describe the attack scenario relevant to this asset.
[Q:8.01-7563]
Is any portion of the asset within the inner damage radius (170 feet)?
Yes
No
If Yes, answer the follow questions and answer the attack scenario descriptions associated with
this asset.
DHS Form 9015
Page 76 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
What is the expected number of people at the facility within the outer damage radius (340
feet)?
Expected number of people includes the number of employees or contractors that would be in the
specified area of the explosion based on the assumptions for the scenario (e.g., random time,
shift change, at night, weekend, holiday).
[Q:8.21-3995]
Calculate the quantity using the same counting rules provided by CFATS for calculating the STQs
for the applicable release chemicals of interest.
Fill in quantities of the appropriate COI that match the same chemical list as the primary COI.
Enter all quantities (pounds) of the same release COI within the inner damage radius (170
feet).
Primary COI Name
CAS#
Quantity
(pounds)
[Q:8.3-9636]
Enter quantities of all release-flammable COI within the inner damage radius (170 feet).
Chemical Name
CAS#
Total
Quantity
(pounds)
[Q:8.4-9668]
DHS Form 9015
Page 77 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Enter quantities of all release-explosive COI within the inner damage radius (170 feet).
Chemical Name
CAS#
Total
Quantity
(pounds)
[Q:8.5-9673]
DHS Form 9015
Page 78 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Assault Team Scenario
Select one standard scenario below OR choose "Other" to provide an alternative scenario
description.
For each Attack Scenario the user may select from one of the standard attack scenario
descriptions or identify a new scenario that better reflects a facility's situation. For each asset and
attack mode, select a standard attack scenario that applies to the facility and to which the asset
would be most vulnerable (compared to the other standard scenarios). If there is another attack
scenario (i.e., not one of the standard scenarios) to which the asset would be more vulnerable,
use the "other" option and evaluate it instead of one of the standard scenarios.
AT1 - Adversary team climbs or cuts the facility perimeter fence and places two explosive
charges against the asset.
AT2 - Adversary assault team attacks security assets at access control point and then
moves through the plant on foot and places two explosive charges on this asset.
Other – user-defined assault team scenario.
Annotate a plot of the site to indicate the asset and a 110 foot damage radius surrounding the
asset attacked in the scenario.
If Other, describe the scenario.
Describe the attack scenario relevant to this asset.
[Q:10.01-7613]
What is the expected number of people at the facility within the outer damage radius (110
feet)?
Expected number of people includes the number of employees or contractors that would be in the
specified area of the explosion based on the assumptions for the scenario (e.g., random time,
shift change, at night, weekend, holiday).
[Q:10.21-4080]
DHS Form 9015
Page 79 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Fill in quantities of the appropriate COI that match the same chemical list as the primary COI.
Calculate the quantity using the same counting rules provided by CFATS for calculating the STQs
for the applicable release chemicals of interest.
Enter all quantities (pounds) of the same release COI within the inner damage radius (55
feet).
Primary COI Name
CAS#
Quantity
(pounds)
[Q:10.3-9793]
Enter quantities of all release-flammable COI within the inner damage radius (55 feet).
Chemical Name
CAS#
Quantity
(pounds)
[Q:10.4-9825]
Enter quantities of all release-explosive COI within the inner damage radius (55 feet).
Chemical Name
CAS#
Quantity
(pounds)
[Q:10.5-9830]
DHS Form 9015
Page 80 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Standoff Scenario
Select one standard scenario below OR choose "Other" to provide an alternative scenario
description.
For each Attack Scenario the user may select from one of the standard attack scenario
descriptions or identify a new scenario that better reflects a facility's situation. For each asset and
attack mode, select a standard attack scenario that applies to the facility and to which the asset
would be most vulnerable (compared to the other standard scenarios). If there is another attack
scenario (i.e., not one of the standard scenarios) to which the asset would be more vulnerable,
use the "other" option and evaluate it instead of one of the standard scenarios.
SO1 - The adversary accesses the facility and fires the stand-off weapon (i.e., light antitank weapon with shaped charge warhead) into the asset from a distance no greater than
200 meters initiating a release of a COI.
SO2 - The facility is surrounded by a contiguous 7ft. in height chain-link fence. Asset is
within 100 meters of the facility perimeter and is easily visible from outside the fence. The
adversary drives a van or delivery truck into the parking lot of an adjacent facility and
uses the top of the vehicle as an elevated platform to launch a stand-off weapon (i.e.,
light anti-tank weapon with shaped charge warhead) at the asset from a distance of 100
to 200 meters.
Other – user-defined standoff scenario.
Annotate a plot of the site to indicate the location of the asset, the location from which the
standoff attack takes place, and a 657 foot range radius centered on the location of the standoff
weapon.
If Other, describe the scenario.
Describe the attack scenario relevant to this asset.
[Q:11.01-7631]
Is any portion of the asset within the range of the standoff weapon (657 feet)?
Yes
No
If No and answering for a Primary-Toxic COI attack description, skip the mitigation measures
questions.
DHS Form 9015
Page 81 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Sabotage Scenario
Select one standard scenario below OR choose "Other" to provide an alternative scenario
description.
For each Attack Scenario the user may select from one of the standard attack scenario
descriptions or identify a new scenario that better reflects a facility's situation. For each asset and
attack mode, select a standard attack scenario that applies to the facility and to which the asset
would be most vulnerable (compared to the other standard scenarios). If there is another attack
scenario (i.e., not one of the standard scenarios) to which the asset would be more vulnerable,
use the "other" option and evaluate it instead of one of the standard scenarios.
SA1 - Adversary (insider or outsider) accesses a placarded amount of a
sabotage/contamination COI that is destined for shipment and contaminates the
shipment in a manner that will result in an explosion or release once shipped from the
facility.
SA2 - Adversary (insider or outsider) accesses a placarded amount of a
sabotage/contamination COI destined for shipment and tampers with the shipment. The
tampering results in an explosion or release once shipped from the facility.
Other – user-defined sabotage scenario.
If Other, describe the scenario.
Describe the attack scenario relevant to this asset.
Answer the following questions relating to the primary COI.
Quantity of COI at Risk in this scenario (pounds)
[Q:13.2-11372]
Percent Concentration by Weight in this scenario
[Q:13.2-11373]
DHS Form 9015
Page 82 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Theft Scenario
T1 - Adversary team enters the facility and steals largest portable package, leaving the
facility in a vehicle without immediate awareness by facility staff (i.e., no immediate law
enforcement notification and pursuit).
T2 - Adversary team enters the facility in a vehicle, obtains one or more portable package
of the theft COI, and successfully leaves the facility in the vehicle without being detected.
T3 - Adversary enters the facility on foot and steals one or more man-portable package,
moving them to transport vehicles outside of the facility.
Other – user-defined theft scenario.
If Other, describe the scenario.
Describe the attack scenario relevant to this asset.
Answer the following questions relating to the primary COI.
Quantity of COI at Risk in this scenario (pounds)
[Q:12.2-11343]
Percent Concentration by Weight in this scenario
[Q:12.2-11344]
DHS Form 9015
Page 83 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Diversion Scenario
Is the customer permitted to pick up orders at this asset?
[Q:12.6-7736]
Yes
No
Composite Diversion Scenario, consisting of any of these three elements:
Adversary is allowed to register as a customer to purchase COI and have it
shipped to the adversary's chosen location, or
Adversary is allowed to file a false order for an existing customer that results in
shipping the COI container to a location that is not controlled by the approved
customer, or
Adversary is allowed to accept shipment of or pick up an order of the COI that is
intended for an approved customer.
Answer the following questions relating to the primary COI.
Quantity of COI at Risk in this scenario (pounds)
[Q:12.7-11351]
Percent Concentration by Weight in this scenario
[Q:12.7-11352]
DHS Form 9015
Page 84 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Mitigation Measures only apply to attack scenarios for assets the have toxic as their primary COI.
Mitigation Measures
Mitigation Measures in place that you expect to help mitigate this scenario.
Answer the questions relevant to what mitigation measures you indicated were present at this
asset.
Dike, berm, or other similar containment
Does the dike or berm containment survive the attack?
[Q:7.3-9177,Q:8.3-9637,Q:9.3-9707, Q:10.3-9794, Q:11.3-9974]
Yes
No
Leak detection system (e.g., fixed chemical detectors with alarm)
Does the leak detection system survive the attack?
[Q:7.3-9191, Q:8.3-9638,Q:9.3-9708, Q:10.3-9795, Q:11.3-9975]
Yes
No
Fixed vapor suppression system (e.g., foam or dry chemical cover, water spray system)
Does the vapor suppression system survive the attack?
[Q:7.3-9192, Q:8.3-9639,Q:9.3-9709, Q:10.3-9796, Q:11.3-9976]
Yes
No
Notification system for offsite evacuation or sheltering in place (e.g., phone dialing
system, alarm system)
Does the offsite notification system survive the attack?
[Q:7.3-9193, Q:8.3-9640,Q:9.3-9710, Q:10.3-9797, Q:11.3-9977]
Yes
No
Other Mitigation Measures
Does the other mitigation measure survive the attack?
[Q:7.3-9194, Q:8.3-9641, Q:9.3-9711, Q:10.3-9798, Q:11.3-9978]
Yes
No
DHS Form 9015
Page 85 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Identifiability Probability
This refers to the probability that the adversary can identify the specific target asset during the
course of planning and executing an attack. Identifiability is a function of the size, labeling, and
nature of the asset and its similarity to others at the facility.
When estimating identifiability, a facility should consider it difficult for an adversary to distinguish
between several similar items of equipment, only some of which would be viable targets. Labeling
of equipment is also a factor in this assessment.
How likely is the adversary, in the course of planning and/or executing this attack scenario
against this asset, to identify the specific asset(s) that must be attacked or stolen to
achieve significant consequences?
[Q:7.22-7276, Q:8.22-9609, Q:9.22-9687, Q:10.22-9767, Q:11.22-9900, Q:12.22-7657, Q:13.22-9948]
a. Adversary is extremely unlikely to successfully identify the specific asset they desire to
attack during this scenario. Prob(0 to 0.2)
b. Adversary is unlikely to successfully identify the specific asset they desire to attack
during this scenario. Prob(0.2 to 0.4)
c. Adversary is equally likely to succeed or fail in identifying the specific target in the
scenario. Prob(0.4 to 0.6)
d. Adversary success in identifying the specific target in the scenario is likely.
Prob(0.6 to 0.8)
e. Adversary is almost certain to successfully identify the specific asset they desire to
attack during this scenario. Prob(0.8 to 1.0)
Identifiability assumptions:
[Q:7.22-7277, Q:8.22-9610, Q:9.22-9688, Q:10.22-9768, Q:11.22-9901, Q:12.22-7658, Q:13.22-9949]
DHS Form 9015
Page 86 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Accessibility Probability
This refers to the probability that an adversary is successful in reaching the location that they
must access to successfully execute an attack, given the security measures currently
implemented at the facility (not counting facility or offsite security force response capability).
This factor should reflect the ability of existing security systems and processes (without counting
for response force actions) to prevent the adversary from reaching a location close enough to the
asset to launch the specific type of attack (i.e., close enough to place an explosive device or use
a standoff weapon).
How likely do you think that the adversary would be in successfully breaching existing
security measures and accessing a location from which they can attack the asset?
[Q:7.22-7371, Q:8.22-9611, Q:10.22-9769, Q:11.22-9902, Q:12.22-7659, Q:13.22-9950]
a. Adversary is extremely unlikely to successfully access the asset. Prob(0 to 0.2)
b. Adversary is unlikely to successfully access the asset. Prob(0.2 to 0.4)
c. Adversary is equally likely to succeed or fail in accessing this asset with this attack.
Prob(0.4 to 0.6)
d. Adversary is likely to successfully access the asset. Prob(0.6 to 0.8)
e. Adversary is almost certain to successfully access the asset. Prob(0.8 to 1.0)
Accessibility assumptions:
[Q:7.22-7372, Q:8.22-9612, Q:10.22-9769, Q:11.22-9903, Q:12.22-7659, Q:13.22-9951]
DHS Form 9015
Page 87 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Facility Security Response Force Capability
This refers to the probability that a facility (i.e., onsite) security response force (if any) is able to
interdict an adversary force before it succeeds in executing an attack (assuming the security
measures alone were not adequate).
This vulnerability factor reflects the ability of the onsite security force to intervene in time to stop a
specific type of attack. Assume that the accessibility controls discussed above would not have
stopped the adversary, but would have offered a delay consistent with the types of physical
security measures at the facility.
How likely is the facility security response force to successfully interdict the adversary
before they are successful in executing their attack (assuming that other security
measures alone are not successful in stopping the attack)?
[Q:7.22-7391, Q:8.22-9613, Q:10.22-9771, Q:12.22-7661, Q:13.22-9952]
a. Facility security response force is almost certain to successfully interdict this type of
attack. Prob(0.8 to 1.0)
b. Facility security response force is likely to successfully interdict this type of attack.
Prob(0.6 to 0.8)
c. Facility security response force is almost equally likely to succeed or fail in interdicting
this type of attack. Prob(0.4 to 0.6)
d. Facility security response force is unlikely to successfully interdict this type of attack.
Prob(0.2 to 0.4)
e. Facility security response force is extremely unlikely to successfully interdict this type
of attack. Prob(0 to 0.2)
Facility security response force capability assumptions:
[Q:7.22-7411, Q:8.22-9614, Q:10.22-9772, Q:12.22-7662, Q:13.22-9953]
DHS Form 9015
Page 88 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Offsite Security Response Force Capability
This refers to the probability that an offsite security response force (if any) is able to interdict an
adversary force before it is successful in executing an attack (assuming the onsite force failed).
The likelihood of success of an offsite response force may be low unless the facility has
coordinated with local law enforcement and integrated them into facility planning (including
exercises). Also, the staffing, training, and equipment of the response force for the type of attack
should be considered before credit is given for response force effectiveness in interdicting an
attack.
How likely is the designated offsite security response force (such as local law
enforcement personnel) to successfully interdict the adversary force before they are
successful in executing their attack (given that the onsite team failed)?
[Q:7.22-7412, Q:8.22-9615, Q:10.22-9773, Q:12.22-7663, Q:13.22-9954]
a. Offsite security response force is almost certain to successfully interdict this type of
attack, assuming that the facility force was not successful. Prob(0.8 to 1.0)
b. Offsite security response force is likely to successfully interdict this type of attack,
assuming that the facility force was not successful. Prob(0.6 to 0.8)
c. Offsite security response force is almost equally likely to succeed or fail in interdicting
this type of attack, assuming that the facility force was not successful. Prob(0.4 to 0.6)
d. Offsite security response force is unlikely to successfully interdict this type of attack,
assuming that the facility force was not successful. Prob(0.2 to 0.4)
e. Offsite security response force is extremely unlikely to successfully interdict this type of
attack, assuming that the facility force was not successful. Prob(0 to 0.2)
Offsite security response force capability assumptions:
[Q:7.22-7413, Q:8.22-9616, Q:10.22-9774, Q:12.22-7664, Q:13.22-9955]
DHS Form 9015
Page 89 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Achievability Probability
This refers to the probability that an adversary could execute a successful attack assuming the
absence of all security measures. Achievability is a function of the difficulty for the adversary to
attack the specific target asset.
Factors which may contribute to an achievability probability less than 1.0 could include:
Inaccuracy of a standoff weapon
Difficulty in attacking a point target with the specified aircraft (particularly if the asset is in
among many other pieces of equipment or units)
Difficulty in loading a large but portable package
Difficulty in effectively contaminating a COI shipment
How likely is the adversary to succeed in accomplishing this attack (giving no credit for
any facility or asset security measures)?
[Q:7.22-7414, Q:8.22-9617, Q:9.22-9689, Q:10.22-9775, Q:11.22-9904, Q:12.22-7665, Q:13.22-9956]
a. Adversary is extremely unlikely achieve success with this attack even if security
measures are not implemented. Prob(0 to 0.2)
b. Adversary is unlikely to achieve success with this attack even if security measures are
not implemented. Prob(0.2 to 0.4)
c. Adversary is equally likely to succeed or fail in this attack if security measures are not
implemented. Prob(0.4 to 0.6)
d. Adversary is likely to achieve success with this attack assuming security measures are
not implemented. Prob(0.6 to 0.8)
e. Adversary is almost certain to achieve success with this attack assuming security
measures are not implemented. Prob(0.8 to 1.0)
Achievability assumptions:
[Q:7.22-7415, Q:8.22-9618, Q:9.22-9690, Q:10.22-9776, Q:11.22-9905, Q:12.22-7666, Q:13.22-9957]
DHS Form 9015
Page 90 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Target Hardness Probability
This refers to the probability that an adversary that reached a target and executed the attack did
not damage the asset sufficiently to cause the intended COI release event onsite or successfully
steal/divert the COI for use in an attack.
Do not give additional credit for considerations you have already credited in evaluation of earlier
factors (e.g., achievability, identifiability). This factor represents the inherent hardness or location
of the target that protects it from the effects of an attack that was successfully initiated. Examples
of situations where credit could be assessed include:
Tanks located in a manner (e.g., underground or mounded) where an explosive device
located at the closest point available would not necessarily cause its catastrophic failure
A vessel with multiple layers or insulation that provides spacing such that a standoff
weapon would not be effective in penetrating the vessel
What is the probability that the asset would withstand the attack (i.e., suffers less than a
catastrophic release/explosion or loss of COI to theft/diversion), assuming that the
adversary is successful at accessing the target and executing the specific type of attack?
[Q:7.22-7416, Q:8.22-9619, Q:10.22-9777, Q:11.22-9906, Q:13.22-9958]
a. The target is very hard against/resistant to this kind of attack, it is almost certain that
this type of attack will not create a catastrophic release, explosion, or loss of COI to
theft/diversion. Prob(0.8 to 1.0)
b. The target is relatively hardened against/resistant to this type of attack, it is likely that
this type of attack will not create a catastrophic release, explosion, or loss of COI to
theft/diversion. Prob(0.6 to 0.8)
c. The target is equally likely to withstand to this type of attack or to fail (resulting in a
catastrophic release, explosion, or loss of COI to theft/diversion). Prob(0.4 to 0.6)
d. The target is not very resistant to this type of attack and is unlikely to survive this type
of attack without catastrophic release, explosion, or loss of COI to theft/diversion.
Prob(0.2 to 0.4)
e. The target is not resistant to this type of attack, and is extremely unlikely to survive this
type of attack without catastrophic release, explosion, or loss of COI to theft/diversion.
Prob(0 to 0.2)
Target hardness assumptions:
[Q:7.22-7417, Q:8.22-9619, Q:10.22-9778, Q:11.22-9907, Q:13.22-9959]
DHS Form 9015
Page 91 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Availability Probability
This factor accounts for situations where the asset (or group of assets) only contains the
applicable COI for a limited amount of time, on a schedule not readily available to the adversary.
For example, select "a" for a batch process tank that only contains the COI for one hour every 24
hours, on a schedule not available or visible to the adversary.
How likely is the specific asset attacked to contain the relevant COI, assuming that the
adversary identifies and attacks the correct target asset?
[Q:7.22-8911, Q:8.22-9624, Q:9.22-9694, Q:10.22-9782, Q:11.22-9911, Q:12.22-9361, Q:13.22-9961]
a. Attack is extremely unlikely to occur at a time the asset contains a significant quantity
of the COI. Prob(0 to 0.2)
b. Attack is unlikely to occur at a time the asset contains a significant quantity of the COI.
Prob(0.2 to 0.4)
c. Attack is equally likely to occur at a time the asset contains or does not contain a
significant quantity of the COI. Prob(0.4 to 0.6)
d. Attack is likely to occur at a time the asset contains a significant quantity of the COI.
Prob(0.6 to 0.8)
e. Attack is almost certain to occur at a time the asset contains a significant quantity of
the COI. Prob(0.8 to 1.0)
Availability assumptions:
[Q:7.22-8912, Q:8.22-9625, Q:9.22-9695, Q:10.22-9783, Q:11.22-9912, Q:12.22-9362, Q:13.22-9962]
DHS Form 9015
Page 92 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Unauthorized Customer Registration
This refers to the probability that an adversary can register himself/herself as a customer for
purchase of the COI.
This vulnerability assesses the probability of success or failure of the facility's customer validation
procedures. For example, many customer validation programs verify (1) customers' end-use for
the COI, (2) integrity of the customers' business operations, (3) the customers’ ability to pay and
method of payment, and (4) the customers' packaging and shipping requirements. Another
aspect of this vulnerability is the strength (or weakness) in the facility's cyber business system
that maintains the approved customer list such that it prevents (or allows) the adversary to
establish itself as an approved customer.
How likely is the adversary to be able to register as a new customer that is approved to
purchase theft/diversion COI?
[Q:12.8-7682]
a. Adversary is extremely unlikely to successfully register as a new client to purchase the
specific COI involved in this scenario. Prob(0 to 0.2)
b. Adversary is unlikely to successfully register as a new client to purchase the COI
involved in this scenario. Prob(0.2 to 0.4)
c. Adversary is equally likely to succeed or fail in registering as a new client approved to
purchase COI involved in this scenario. Prob(0.4 to 0.6)
d. Adversary is likely to succeed in registering as a new client approved to purchase COI.
Prob(0.6 to 0.8)
e. Adversary is almost certain to successfully register as a new client authorized to
purchase COI. Prob(0.8 to 1.0)
Unauthorized customer registration assumptions:
[Q:12.8-7683]
DHS Form 9015
Page 93 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Unauthorized Order Placement
This vulnerability factor assumes the adversary (who is not an authorized customer) is misusing
an established customer's account and can place an order for shipment to his/her chosen
location. This factor is designed to assess an individual's (adversary) ability to defeat the facility's
(or company's) procedures for identifying, validating and vetting a customer seeking to purchase
and receive delivery of a COI. For example, certain COI are prohibited from pick up and always
delivered directly to a customer by the facility. Other companies only ship to pre-determined and
approved locations. This factor aims to assess the reliability of the facility's (or company's) order
processing procedures.
How likely is the adversary to be able to place an order for this COI for an authorized
customer that would allow shipment to a location where the adversary could accept the
shipment?
[Q:12.8-7684]
a. Adversary is extremely unlikely to successfully place an order for an existing client that
would result in the specific COI being delivered to a location where the adversary could
accept the shipment. Prob(0 to 0.2)
b. Adversary is unlikely to successfully place an order for an existing client that would
result in the specific COI being delivered to a location where the adversary could accept
the shipment. Prob(0.2 to 0.4)
c. Adversary is equally likely to succeed or fail in placing an order for an existing client
that would result in the specific COI being delivered to a location where the adversary
could accept the shipment. Prob(0.4 to 0.6)
d. Adversary is likely to succeed in placing an order for an existing client that would result
in the specific COI being delivered to a location where the adversary could accept the
shipment. Prob(0.6 to 0.8)
e. Adversary is almost certain to successfully place an order for an existing client that
would result in the specific COI being delivered to a location where the adversary could
accept the shipment. Prob(0.8 to 1.0)
Unauthorized order placement assumptions:
[Q:12.8-7685]
DHS Form 9015
Page 94 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Unauthorized Order Pickup
If the answer to "Is the customer permitted to pick up orders at this asset?" [Q:12.6-7736] is No, skip
Unauthorized Order Pickup.
This refers to the probability that an adversary could pick up an order being held for an authorized
customer.
This vulnerability assumes that the adversary has not been able to place an order. The ability of
the adversary to pick up an authorized customer's order could result, for example, from a facility's
failure to secure its shipping and receiving. Another possible factor in this assessment is the
trustworthiness of the facility's personnel involved in the physical packing, staging and shipping
processes.
How likely is the adversary to be able to pick up an order for an authorized customer for
this COI?
[Q:12.8-7686]
a. Adversary is extremely unlikely to successfully pick up an order that is intended for
pickup by an authorized customer. Prob(0 to 0.2)
b. Adversary is unlikely to successfully pick up an order that is intended for pickup by an
authorized customer. Prob(0.2 to 0.4)
c. Adversary is equally likely to succeed or fail in picking up an order that is intended for
pickup by an authorized customer. Prob(0.4 to 0.6)
d. Adversary is likely to succeed in picking up an order that is intended for pickup by an
authorized customer. Prob(0.6 to 0.8)
e. Adversary is almost certain to successfully pick up an order that is intended for pickup
by an authorized customer. Prob(0.8 to 1.0)
Unauthorized order pickup assumptions:
[Q:12.8-7687]
DHS Form 9015
Page 95 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Computer Systems Analysis
Are personnel allowed to carry portable cyber equipment into the facility (e.g., laptop
computers, personal digital assistants (PDAs), flash drives, data disks, and smart cell
phones)?
[Q:14.09-4151]
Yes
No
Are personnel screened at facility entrances for unauthorized cyber related equipment?
[Q:14.09-4152]
Yes
No
If No, skip the next question.
Has the personnel screening process been validated through testing by professional
security services?
[Q:14.091-4153]
Yes
No
DHS Form 9015
Page 96 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
The following pages should be answered for each cyber control system and cyber business
system you have listed.
Copy the following pages (98 - 105) relating to cyber control and cyber business systems and
answer the questions for each system listed above Enter each control system (cyber control or
cyber business) listed on page 66 or 67, and answer the following questions pertaining to that
system. Each system must be answered separately.
Cyber Name
If the control system is cyber control, skip the next two questions.
Is this cyber system physically located at the facility?
[Q:14.61-4175]
Yes
No
If No, please provide the address of the cyber business system.
If Yes, the application will require the user to identify the location of the cyber business system on
a map of the facility.
Enter the cyber system location.
Enter the Country
[Q:14.62-8232]
Location/Building Name
[Q:14.63-4177]
Street
[Q:14.63-4178]
Street Line 2
[Q:14.63-8271]
City
[Q:14.63-4179]
Province or State
[Q:14.63-4180, Q:14.63-8233]
ZIP Code
[Q:14.63-4181]
DHS Form 9015
Page 97 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Cyber System Map
Provide a map that identifies the location of the cyber control system.
If the answer to [Q:14.61-4175] “Is this cyber system physically located at the facility?” is Yes,
provide a map that identifies the location of the cyber business system.
Control System Analysis
Is external access (e.g., Internet, modem, wireless) to cyber systems allowed?
[Q:14.3-1614, Q:14.8-1033]
Yes
No
If No, skip the next question.
Has the lack of external access been validated through testing by IT security professional
services?
[Q:14.31-1633, Q:14.81-1034]
Yes
No
Are the capabilities of the cyber systems in the facility limited in regard to
communications with portable cyber equipment (authorized or not) (e.g. laptop computers,
personal digital assistants (PDAs), flash drives, data disks, smart cell phones)?
[Q:14.32-1635, Q:14.82-1035]
Yes
No
If Yes, skip the next question.
Has the disabling of communication capabilities been validated through testing by a
professional IT security service?
[Q:14.33-1637, Q:14.83-1036]
Yes
No
DHS Form 9015
Page 98 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Security Policy
Does the facility have documented and distributed cyber security policies, plans and
supporting procedures commensurate with the current information technology operating
environment?
[Q:14.34-1692, Q:14.84-1051]
Policies, plans, and procedures
(Policies or plans) and procedures
(Policies and/or plans) but no procedures
Procedures only
Any of the above, but not distributed
Not at all
Does the facility have a documented and distributed cyber change management policy and
supporting procedures (e.g., new hardware/software, employee access)?
[Q:14.34-1693, Q:14.84-1071]
Policies and procedures
Policies or procedures
Either of the above, but not distributed
Not at all
Has an individual(s) been designated as responsible for cyber security at the facility?
[Q:14.34-1694, Q:14.84-1072]
Yes
Informal
No
DHS Form 9015
Page 99 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Cyber Access Control
Does the facility allow systems to have external connections with portable electronic
devices configured for minimum business needs and verified with scans?
[Q:14.34-2851, Q:14.84-2811]
External connections with or without portable electronic devices, and/or not configured for
minimum business needs, and/or not verified with scans
No external connections, no portable electronic devices allowed, systems block external
devices and media, and verified with scans
External connections are configured for minimum business needs and verified with
scans, no portable electronic devices allowed, systems block external devices and
media, and verified with scans
External connections with portable electronic devices allowed - configured for minimum
business needs and verified with scans
Other
Does the facility practice the concept of least privilege (e.g., users are only granted access
to those files and applications based on roles and responsibilities)?
[Q:14.34-1695, Q:14.84-1092]
Yes
Users of critical processes or systems
No
Have all default passwords been changed to user-specific passwords?
[Q:14.34-1696, Q:14.84-1093]
Yes
Partial or critical systems
No
Are accounts locked out after several unsuccessful login attempts?
[Q:14.34-1697, Q:14.84-1094]
3 or fewer attempts
4 – 5 attempts
> 5 attempts
Not at all
DHS Form 9015
Page 100 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Personnel Security
Does the facility perform background checks for personnel in critical/sensitive positions?
[Q:14.35-1719, Q:14.85-1100]
Employees and contractors on a periodic basis
Employees only on a periodic basis
Employees and contractors on a one-time basis
Employees only on a one-time basis
Not at all
Does the facility actively maintain the access control list to ensure that all cyber system
accounts are modified, deleted, or de-activated as personnel leave the company or
transfer into new roles?
[Q:14.35-1720, Q:14.85-1101]
Immediately
Before close of business
Within one week
Not at all
Physical and Environmental
Does the facility restrict physical access to sensitive or restricted IT, telecommunications,
media storage and control areas to those with appropriate need?
[Q:14.35-1721, Q:14.85-1105]
Yes
Not at all
No
Awareness and Training
Does the facility provide cyber security training?
[Q:14.35-1723, Q:14.85-1107]
Prior to system access
Within first week
Within first month
Not at all
DHS Form 9015
Page 101 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Monitoring and Incident Response
Does the facility log cyber security events on systems and review them on a regular
basis?
[Q:14.36-1727, Q:14.86-1151]
Yes – review by automated means
Yes – reviewed at least weekly
Yes – review manually at least monthly
Some degree of logging with some degree of review
Not at all
Does the facility log cyber security events on servers, and review them on a regular basis?
[Q:14.36-2852, Q:14.86-2831]
Yes – review by automated means
Yes – reviewed at least weekly
Yes – review manually at least monthly
Some degree of logging with some degree of review
Not at all
Does the facility report significant cyber security events to senior management?
[Q:14.36-1728, Q:14.86-1152]
Yes
Sometimes
No
Does the facility mandate malicious code protection on all systems?
[Q:14.36-1730, Q:14.86-1153]
Not at all, or not DAT file updates
Yes
No
Does the cyber system allow email?
[Q:14.37-1735, Q:14.87-1173]
Yes
No
If No, skip the next question.
Are email attachments (e.g., executable files) filtered on incoming email?
[Q:14.38-1737, Q:14.88-1174]
Not at all, or not DAT file updates
Yes
No
DHS Form 9015
Page 102 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
If the control system is business related, skip the next two questions.
Are there Safety Instrumented Systems (SIS) or other watch-dog systems, independent of
the systems they monitor, that provide interlocks or response to prevent or mitigate
catastrophic events and/or the consequences of a cyber attack?
[Q:14.39-1175]
Yes – with external connections
Yes – not networked with their control systems and no external connections
Yes – but networked with their control systems – no other external connections
Yes – with external connections
No
If Yes, skip the next question.
Has the facility disabled all modems or other external access connections to these
systems?
[Q:14.391-1176]
Yes
No
Configuration Management
Has a business requirement been established for every external connection into the
network/environment, including wireless and modem connections?
[Q:14.4-1741, Q:14.9-1191]
Yes
Partial
No
Does the facility apply/perform regular software and hardware, patches, updates,
upgrades, and replacements?
[Q:14.4-1742, Q:14.9-1192]
Dynamic
As available
Monthly
More than once a month
Not at all
DHS Form 9015
Page 103 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Are configuration changes to the network and application's hardware and software
reviewed by an IT security professional and by management to assess the security impact
prior to the changes being implemented to the operational environment?
[Q:14.4-1743, Q:14.9-1193]
IT security and management review for network and applications
IT security or management review for network and applications
Partial
Not at all
Risk and Vulnerability Management
Have potential vulnerabilities of critical assets, systems, and networks been identified and
evaluated?
[Q:14.4-2854, Q:14.9-2832]
Partial or not at all
Identified and evaluated
Identified but not evaluated
Does the facility have a means to identify and measure cyber security risk (including
requirements, processes, and procedures) that is based on recognized cyber security
methodologies, standards, or best practices?
[Q:14.4-1744, Q:14.9-1195]
Yes
Partial
No
Are network and system (application) level security tests performed (vulnerability scans,
penetration tests, open communication line scans, authorized hardware and software
scans) on a regular basis; and after configuration changes or being patched or upgraded before being put into operation?
[Q:14.4-2855, Q:14.9-2833]
Partial or not at all
Network and applications monthly or more often; and after all configuration changes,
patches, and upgrades
Network and applications quarterly or longer; and after all configuration changes,
patches, and upgrades
Network and applications after all configuration changes, patches, and upgrades, but not
on a regularly scheduled basis
Network and applications monthly or more often
Network and applications quarterly or longer
DHS Form 9015
Page 104 of 105
Version 1.0
�CSAT SVA Questions
OMB PRA # 1670-0007
Expires: 5/31/2011
Has the facility incorporated the vulnerability solutions that are applicable and appropriate
for the environment (e.g., are firewalls configured for minimum business or operational
needs)?
[Q:14.4-2856, Q:14.9-2834]
Incorporated all appropriate historic and current solutions
Partial
Not at all
DHS Form 9015
Page 105 of 105
Version 1.0
�
| File Type | application/pdf |
| File Title | CSAT Security Vulnerability Assessment Questions |
| Author | U.S. Department of Homeland Security |
| File Modified | 2014-09-16 |
| File Created | 2013-03-06 |