This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at how ISCD expects facilities to organize the submission of the required personally identifiable information (PII). The earlier posts in the series is listed below.
The individual high-risk chemical facility covered under the CFATS program is responsible for implementing the Personnel Surety Program (PSP) as part of their facility site security plan (SSP). That does not mean, however, that they will be submitting the personal information on all of the people that work at the facility or will have unescorted access to critical areas of the facility as visitors, contractors or vendors. DHS has provided for a number of different options for the facility to use as part of its PSP. The four basic options are:
• The facility submits information on all affected individuals for the facility;
• The parent company submits information on all affected individuals for the facility;
• Either the facility or the parent company designates a third-party to submit the information; or
• The PSP includes some combination of the three for different classes of affected personnel.
The notice explains that vendors and contractors would have essentially the same options available for vetting their personnel that would have unescorted access to critical areas of high-risk chemical facilities. What is not made clear is how the vetting done by vendors and contractors would be communicated to the facility security manager and how those records would be made available to ISCD Chemical Facility Inspectors conducting compliance inspections. Would facilities have to submit the same type of abbreviated information that it does for personnel that had already undergone a TSA security threat assessment?
Anyone that is familiar with the various roles defined in the current CSAT applications will quickly realize that only one of the options outline above could be directly rolled into the current CSAT roles of Authorizer, Submitter, Preparer and Reviewer. With this in mind the notice mentions a new role for the CSAT process; the Personnel Surety Submitter (PSS). As we saw when ISCD allowed for multiple submitters with the advent of the SSP tool, the notice makes clear that they expect that many facilities will use multiple PSS.
There is not a great deal of information in the notice about the PSS, but we can expect that the PSS will have to go through a similar process of identifying and notifying ISCD of the appointment of PSS. One would also expect that when an individual is logged into CSAT in a PSS role, they will only have access to facility PSP information. What is not so readily apparent is whether or not personnel with current access to the CSAT application in existing roles will be able to access the PSP information as well. Privacy issues may require limiting access to that information.
Another thing that is not immediately clear from this discussion in the PSP notice is the CVI status of the submitted information. Currently the Registration application and the Top Screen application do require that someone with access to those CSAT applications have completed the Chemical-Terrorism Vulnerability Information (CVI) training program. The two remaining CSAT applications (Security Vulnerability Assessment – SVA – and the Site Security Plan – SSP) do require the possession of a CVI training certificate to be able to access the applications. If it is determined that PSP information is not CVI, then it is likely that ISCD will not require CVI training for personnel performing PSS duties.
The CSAT User Roles and Responsibilities section of the notice does not address how vendors and contractors that will be submitting the information on their employees fit into this CSAT application process. Will their PSS have to be appointed by the Authorizer of the supported high-risk chemical facility or will a management member from the vendor or contractor be able to appoint their own PSS?
Realistically, these details will be more suited to explication in the inevitable revision of the CSAT Registration Manual that will be necessitated by the addition of the PSS to the list of positions that require CSAT Registration.