FAQs for SEMS Security
(Guidance Documents and Instrutions) [PDF] SEMS Installation Instructions [PDF] SEMS Update [PDF] SEMS System Security [PDF] SEMS Consumer Confidence Report [PDF] SEMS Cross Connection Control Plan (Vulnerability Assessment and Emergency Response Plan) 1. I think that I have completed a section but the percent complete bar indicates that I have not completed it 100%. What is the problem? 2. I want to put in more than 1 employee who is responsible for a particular task in the Plans/Actions/Procedures portion of the 'Emergency Response Plan.' How can I do that? 3. How do I submit my vulnerability assessment (VA), VA certification letter, and emergency response plan (ERP) certification letter to U.S. EPA? 4. If I serve fewer than 3,300 people do I have to comply with the 2002 Bioterrorism Act and submit my VA and ERP certification letter to EPA? 5. I saved my information and then shut the program down. Now when I go back into the program and select my system, the information is no longer available. What happened to all the information? 6. Why is the video playing slow, the words are not matching up with the sound or the sound is not understandable? 7. I put multiple infrastructure items into one category, like groundwater ' I had 3 wells. I know that I put in the information but I do not see them when I return to the Critical Infrastructure Screen. What happened to my data? 8. I want to use this to develop my entire emergency response plan including natural disasters. Can this program do that? 9. How do I edit something in the report that I printed? 10. How do I get back to the main vulnerability assessment or emergency response plan pages? 11. Do I have to go through all 45 security assessment questions every time I need to change one answer? 12. I have 8 wells with 8 different pws numbers. Can I do 1 VA and ERP for all of them? 13. I have the two different systems with two different PWS ID numbers and they enter the same distribution system and are almost identical. Can I copy the information that I developed for one of them into my other nearly identical system and modify it to create another va and erp? 14. I can not pull up my system information by manually entering my PWS ID number? 15. The windows (e.g. the 'critical infrastructure? or 'assess critical assets' screens) are skewed and are not fully visible. What is the problem? 16. I serve more than 10,000 people. Can I use this program to comply with the law? 17. If I complete the VA and ERP on this software will I comply with the 2002 Bioterrorism Act? 1. I think that I have completed a section but the percent complete bar indicates that I have not completed it 100%. What is the problem? If you have not checked off the 'Not applicable' button in the 'Vulnerability Assessment' Critical Infrastructure and Critical Customer or the 'Emergency Response Plan' Notification Information and System Specific Information, then it will register incomplete. If a particular item in one of those sections does not apply to your water system then simply click the does not apply check box. Also, if you enter text in one of the fields then you must enter something in every field in that row to be 100% complete. Be sure to go through the 'Add/View? buttons to make sure that you have not omitted information in 1 or more fields about additional critical infrastructure that you may have identified. If it is in the 'Vulnerability Assessment' Security Assessment portion where you must answer 45 questions ' click on the progress report button (the notebook with a red check mark) next to the section. It will list every question and what is missing in the incomplete questions. Click on the question and it will automatically link you to that question so that you can finish the incomplete portion. If it is in the
'Vulnerability Assessment' Contact Information, Mission/Threat, and Assess
Critical Equipment or the 'Emergency Response Plan' Local Emergency
Planning, Plans/Actions/Procedures, and Coordination sections ? you must
have typed text in every field. You can put in whatever response you want
such as typing in 'does not apply' in the field. 2. I want to put in more than 1 employee who is responsible for a particular task in the Plans/Actions/Procedures portion of the 'Emergency Response Plan.' How can I do that? Once you have picked the
primary person who is responsible, you can manually type other employee
names in the field separated by commas. 3. How do I submit my vulnerability assessment (VA), VA certification letter, and emergency response plan (ERP) certification letter to U.S. EPA? After you have completed
the VA and ERP, log onto the web through your internet provider (e.g. aol,
msnbc, etc.) and click on the connect to
www.vulnerabilityassessment.org button and you will get
complete instructions for submitting your VA to the U.S. EPA. 4. If I serve fewer than 3,300 people do I have to comply with the 2002 Bioterrorism Act and submit my VA and ERP certification letter to EPA? NO ' Please do not, EPA
will return the package because they do not have procedures to protect the
information for systems serving fewer than 3,300 people. 5. I saved my information and then shut the program down. Now when I go back into the program and select my system, the information is no longer available. What happened to all the information? The program does not save
the information in the software application because of potential security
concerns. Rather when you initially shut down the program, it asked you to
save it on a floppy disk or on your hard drive. If you saved it on your hard
drive and forgot where you saved it do a search of your C:/ drive from the
start menu on your desktop. Search for files with an extension '.sems'. This
should locate the file. Once you have found the file open up the SEMS
software and go to 'file', 'open' and go to the location that you have saved
your information and hit, 'open'. All your information should be loaded into
the program.
6. Why is the video playing slow, the words are not matching up with the sound or the sound is not understandable? This is a problem with the
amount of memory your computer has. First try to close any other programs
that are open and then run the video. If that does not solve the problem,
you may be using too much memory with other files and programs loaded onto
your computer. Try deleting the documents in your recycle bin and any other
large files that are no longer being used. If this does not work, your need
to upgrade your computer. 7. I put multiple infrastructure items into one category, like groundwater ' I had 3 wells. I know that I put in the information but I do not see them when I return to the Critical Infrastructure Screen. What happened to my data? Click on the 'view/add'
button to scroll through additional items under that category. These items
will be printed in the final report; they are just in the software program a
little differently. Add faq that says if you run out of fields then group
together your medn highs and lows. 8. I want to use this to develop my entire emergency response plan including natural disasters. Can this program do that? Yes. On the erp
Plans/Actions/Procedures menu continue to answer questions to all
automatically generated scenarios until the program ask you if you would
like to create your own scenario. Click yes and write down the potential
disaster (i.e. If a hurricane wiped out the power supply how would I
respond). 9. How do I edit something in the report that I printed? You can not edit the
report. However you can change your responses in the program and reprint the
report. 10. How do I get back to the main vulnerability assessment or emergency response plan pages? Click on the navigate
button and select the place that you would like to go to. Also see question
11. 11. Do I have to go through all 45 security assessment questions every time I need to change one answer? No, there are a couple ways
to get to a specific question in the security assessment. You can click on
the 'progress report' (A clipboard with a check mark) next to the 'security
assessment' and it will list every question. If you click on that question
you can go right to that question. If you want to get back after you have
answered the question, go to the 'navigate' option in the upper most left
hand side of your screen and click on the area that you want to go to.
Alternatively, you can go to the navigate option, go to 'security
assessment' and all 45 questions are identified by question number that you
can link to. Also see question 10. 12. I have 8 wells with 8 different pws numbers. Can I do 1 VA and ERP for all of them? In most circumstances, yes.
Just write on the cover page and certification letter the additional pws
numbers and be sure that you include each well in your source water
inventory. Also see question 13. 13. I have the two different systems with two different PWS ID numbers and they enter the same distribution system and are almost identical. Can I copy the information that I developed for one of them into my other nearly identical system and modify it to create another va and erp? Yes. Once you complete your
first va and erp, save the information to a floppy disk or your hard drive
(only save the va and erp to your have drive if the computer will never be
connected to the internet). And log onto the internet an connect to
www.vulnerabilityassessment.org through the link in SEMS.
Once complete, go to the navigate tool bar, and select the "system
selection" option. (NOTE: you must have your existing system va and erp
information that you completed open when selecting another system). Select
the new system or enter the new pws I'd number and select next. All the
information will be the same except for the contact information. You should
go through the VA an ERP process again on the new system to make sure that
you have not omitted or included any wrong information. Also see question
12. 14. I can not pull up my system information by manually entering my PWS ID number? You must make sure that the
PWS id number is in the correct format. For systems under the control of the
state or EPA primacy (such as Wyoming), you must include the abbreviation of
the State in front of the 7 digit PWS identification number. For example, if
you are a system in Florida and your PWS id number is '5130003? you must
enter 'FL5130003' under system identification number. If you are an Indian
tribe, you must enter the region number in front of your seven digit PWS id
number. For example, if you are an Indian tribe in EPA Region 2 and your PWS
id number is5107651, you must enter '025107651.' 15. The windows (e.g. the 'critical infrastructure? or 'assess critical assets' screens) are skewed and are not fully visible. What is the problem? You must have a screen
resolution of at least 800x600 pixels. To change your screen resolution,
right click on your desktop, click on properties, click on settings (or
appropriate tab that shows your screen resolution) and increase your screen
resolution to 800x600 pixels or more. 16. I serve more than 10,000 people. Can I use this program to comply with the law? The 'Public Health Security and Bioterrorism Preparedness and Response Act of 2002' has explicit instructions regarding a CWS responsibility to complete a vulnerability assessment under the law. In Section 1433(a) (Terrorist and Other Intentional Acts ' Vulnerability Assessments), the law says that water systems greater than 3,300 must conduct a vulnerability assessment to evaluate the vulnerability of a terrorist attack to provide safe and reliable source of water that includes a review of, pipes and constructed conveyances, physical barriers, water collection, pretreatment, treatment, storage and distribution facilities, electronic, computer or other automated systems which are utilized by the public water system, the use, storage, or handling of various chemicals, and the operation and maintenance of such system.' This software program clearly does everything the law requires. The software program walks systems through a sequential process to identify all the components of the water system including the critical infrastructure, critical customers and redundant items. and ensures that systems review all components including 'but not limited to' the ones contained in the law. The 45 questions then are used to evaluate each of the components contained in the law and inventory. Further, question 14 asks the system explicitly about operation and maintenance of security systems. Further, EPA has reviewed this document and has indicated that it not only meets the requirements of the bioterrorism law but it also meets the six elements that are common to a vulnerability assessment. We were very careful to make sure that EPA reviewed and indicated that it meets the elements that they thought would satisfy their guidelines. Further, EPA has added a link to their website that links to the NRWA vulnerability assessment web site at www.vulnerabilityassessment.org. I would like to stress the word 'guidelines'. Even though the document meets all six of the EPA identified elements common to a comprehensive Vulnerability Assessment, Congress clearly indicated in the conference report (Page H2844) that EPA has no authority to tell water systems what tool they can or cannot use to comply with the Bioterrorism law. The report reads, 'Chairman GILLMOR, EPA has no power to promulgate regulations or guidance to define what is an ``acceptable'' vulnerability assessment; there is only a one-time duty to provide information to community water systems by August 1, 2002. In addition, Section 1433 only defines a vulnerability assessment to the extent that it includes a review of certain specified items, most of which are based on the definition of a public water system under Section 1401 of the SDWA. Thus, no community water system is required to use any particular vulnerability assessment tool, to conduct any specific type of analysis, to determine the consequences of any intentional or terrorist acts, analyze the use of any specific chemicals or characterize the risk of any offsite impacts.' The 2002 Bioterrorism Act also requires systems to, 'Each community water system serving a population greater than 3,300 shall prepare or revise, where necessary, an emergency response plan that incorporates the results of vulnerability assessments that have been completed. Each such community water system shall certify to the Administrator, as soon as reasonably possible after the enactment of this section, but not later than 6 months after the completion of the vulnerability assessment under subsection (a), that the system has completed such plan. The emergency response plan shall include, but not be limited to, plans, procedures, and identification of equipment that can be implemented or utilized in the event of a terrorist or other intentional attack on the public water system. The emergency response plan shall also include actions, procedures, and identification of equipment which can obviate or significantly lessen the impact of terrorist attacks or other intentional actions on the public health and the safety and supply of drinking water provided to communities and individuals. Community water systems shall, to the extent possible, coordinate with existing Local Emergency Planning Committees established under the Emergency Planning and Community Right-to-Know Act (42 U.S.C. 11001 et seq.) when preparing or revising an emergency response plan under this subsection.' Clearly, the emergency
response plan incorporates the results of the VA. It develops scenarios to
respond to based on the identified threats and critical infrastructure that
you have identified in your VA. It also requires the user to understand how
they would react in situations to ensure that critical customers, identified
in the VA, are ensured that they will be enabled to complete their mission.
In addition it enables the system to define how they would respond to
redundant items that may become compromised. For each scenario that is based
on the VA, the system develops plans, actions, and procedures to mitigate
the event. Further each scenario has equipment identified that can be
implemented or utilized in the event of a the threat identified in the VA
(i.e. 'a terrorist or other intentional attack on public water systems').
The list of equipment also includes things that can be used to significantly
lessen the impact of a terrorist attack or other intentional act on the PWS.
Lastly, the emergency response plan requires that the PWS work with the LEPC
and requires clear documentation of when this requirement was met and
identification of the individuals that were contacted. 17. If I complete the VA and ERP on this software will I comply with the 2002 Bioterrorism Act? The 'Public Health Security and Bioterrorism Preparedness and Response Act of 2002' has explicit instructions regarding a CWS responsibility to complete a vulnerability assessment under the law. In Section 1433(a) (Terrorist and Other Intentional Acts ' Vulnerability Assessments), the law says that water systems greater than 3,300 must conduct a vulnerability assessment to evaluate the vulnerability of a terrorist attack to provide safe and reliable source of water that includes a review of, 'pipes and constructed conveyances, physical barriers, water collection, pretreatment, treatment, storage and distribution facilities, electronic, computer or other automated systems which are utilized by the public water system, the use, storage, or handling of various chemicals, and the operation and maintenance of such system.' This software program clearly does everything the law requires. The software program walks systems through a sequential process to identify all the components of the water system including the critical infrastructure, critical customers and redundant items. and ensures that systems review all components including 'but not limited to' the ones contained in the law. The 45 questions then are used to evaluate each of the components contained in the law and inventory. Further, question 14 asks the system explicitly about operation and maintenance of security systems. Further, EPA has reviewed this document and has indicated that it not only meets the requirements of the bioterrorism law but it also meets the six elements that are common to a vulnerability assessment. We were very careful to make sure that EPA reviewed and indicated that it meets the elements that they thought would satisfy their guidelines. Further, EPA has added a link to their website that links to the NRWA vulnerability assessment web site at www.vulnerabilityassessment.org. I would like to stress the word 'guidelines'. Even though the document meets all six of the EPA identified elements common to a comprehensive Vulnerability Assessment, Congress clearly indicated in the conference report (Page H2844) that EPA has no authority to tell water systems what tool they can or cannot use to comply with the Bioterrorism law. The report reads, 'Chairman GILLMOR, EPA has no power to promulgate regulations or guidance to define what is an ``acceptable'' vulnerability assessment; there is only a one-time duty to provide information to community water systems by August 1, 2002. In addition, Section 1433 only defines a vulnerability assessment to the extent that it includes a review of certain specified items, most of which are based on the definition of a public water system under Section 1401 of the SDWA. Thus, no community water system is required to use any particular vulnerability assessment tool, to conduct any specific type of analysis, to determine the consequences of any intentional or terrorist acts, analyze the use of any specific chemicals or characterize the risk of any offsite impacts.' The 2002 Bioterrorism Act also requires systems to, 'Each community water system serving a population greater than 3,300 shall prepare or revise, where necessary, an emergency response plan that incorporates the results of vulnerability assessments that have been completed. Each such community water system shall certify to the Administrator, as soon as reasonably possible after the enactment of this section, but not later than 6 months after the completion of the vulnerability assessment under subsection (a), that the system has completed such plan. The emergency response plan shall include, but not be limited to, plans, procedures, and identification of equipment that can be implemented or utilized in the event of a terrorist or other intentional attack on the public water system. The emergency response plan shall also include actions, procedures, and identification of equipment which can obviate or significantly lessen the impact of terrorist attacks or other intentional actions on the public health and the safety and supply of drinking water provided to communities and individuals. Community water systems shall, to the extent possible, coordinate with existing Local Emergency Planning Committees established under the Emergency Planning and Community Right-to-Know Act (42 U.S.C. 11001 et seq.) when preparing or revising an emergency response plan under this subsection.' Clearly, the emergency
response plan incorporates the results of the VA. It develops scenarios to
respond to based on the identified threats and critical infrastructure that
you have identified in your VA. It also requires the user to understand how
they would react in situations to ensure that critical customers, identified
in the VA, are ensured that they will be enabled to complete their mission.
In addition it enables the system to define how they would respond to
redundant items that may become compromised. For each scenario that is based
on the VA, the system develops plans, actions, and procedures to mitigate
the event. Further each scenario has equipment identified that can be
implemented or utilized in the event of a the threat identified in the VA
(i.e. 'a terrorist or other intentional attack on public water systems').
The list of equipment also includes things that can be used to significantly
lessen the impact of a terrorist attack or other intentional act on the PWS.
Lastly, the emergency response plan requires that the PWS work with the LEPC
and requires clear documentation of when this requirement was met and
identification of the individuals that were contacted. |
