CVI for Sales People

It is amazing where you find CFATS information on the web. Thanks to Google® I found a press release for “Henry Bros. Electronics, Inc. (Nasdaq: HBE), a turnkey provider of technology-based integrated electronic security solutions”. It is a press release announcing their second quarter results. While you would expect that they would talk about their sales into the chemical sector, they actually spent more time talking about Chemical-Terrorism Vulnerability Information (CVI). They note that:

“We are also positioning ourselves to benefit from activity coming from the new Chemical Facility Anti-Terrorism Standards (or CFATS) legislation. Before a company in our industry can even speak with a prospective CFATS client, you are required to have a CVI number, which encompasses the passing of a qualifying test to be registered. To date, 19 of our sales people have qualified for their CVI number, and we expect to focus intently on this potentially lucrative market over the next six to eight quarters.”

CVI Requirements for Contractors I’m not sure that it would be absolutely necessary for a contractor to be CVI certified to be able to sell, install and service a ‘technology-based integrated electronic security solutions’. As long as the contractor was not privy to actual SVA or SSP documents the only CVI restrictions would be those under §27.400(b)(6), “Any records required to be created or retained by a covered facility under §27.255”. Those records would be associated with training records or maintenance, calibration and testing of security equipment. If those records were maintained by facility personnel then the CVI rules would probably be met without contractor certification. Having said that, I think that a CVI certified sales force would certainly be a good sales point for a security related contractor. If I were a facility security officer, I would also probably ask about the CVI status of maintenance and back-office people since they would also have access to ‘sensitive information’ about the security systems. While records developed and maintained by this third-party are not technically covered by the CVI rules, they do contain nearly identical information to covered records maintained by the facility. This is a major loophole in the CVI rules, but one that cannot be easily closed. So it would be reasonable to ask contractors to protect this information as if it were CVI, and that would only be possible to do if they had received the CVI training. Background Checks One item that was not mentioned in the press release is the matter of background checks having been conducted on the company personnel. DHS does not currently (because it is prohibited by §550 restrictions) specify what background checks are adequate for high-risk facilities other than the review of the TSA terrorist database. If contractor personnel are not given ‘unescorted access to critical areas’ of the facility, it is not clear that CFATS rules require any level of background checks. Most security related companies have their people bonded, so some level of background checks have been done. We have not yet seen the details of the CSAT application that DHS is developing for the TSDB check, but it may not be accessible by contractors. The explanations given to date indicate that only CSAT registered facilities will have access to the TSDB check tool. This would mean that contractors would not have access because they would not be registered in CSAT. It would be helpful if DHS would make provisions for contractors to be able to access the TSDB check tool.