A little over a week into the comment period on the CFATS
Personnel Surety Program (PSP) ICR, there is a single comment in the docket
on the Federal eRulemaking Portal. There are also six unusual supporting
documents to be found in the docket.
Supporting Documents
After the previous version of the PSP ICR was submitted to
OMB (ultimately fated to be withdrawn last summer) there were a number of
comments filed on the 30-day notice that had not been previously addressed by
ISCD. David Wulf, Director of ISCD, took the unusual step of replying to those
comments in letters to the commenting parties just about 11 days before the
new ICR was published in the Federal Register. Those letters were addressed to:
• Shell Chemical Company; and
Alternative Vetting Options
In each of the letters Wulf addresses the issue of supplying
information on individuals that have already been vetted by the Department in
one of the other TSA executed reviews of the TSDB. He makes the point that ISCD
needs a limited amount of information on these personnel to:
• Verify that the affected
individuals are currently enrolled in the Department program; and
• Enable the Department to access
both the original enrollment data and the results of the vetting against TSDB
information already in the possession of the Department, when necessary.
In responses to similar questions in the previous ICR ISCD
repeatedly made the comment that they would also use the data to periodically
recheck personnel against the TSDB to see if new information had been added.
That point was re-made in the letter to Dr. Constantinides when Wulf states: “Facilities
must notify the Department when individuals no longer have access, so that the
Department knows when to stop performing recurrent vetting on them.” (page 2)
This point was reinforced in the same letter when Wulf said that the Department
would not grant reciprocity to the ATF vetting because the ATF “schedule for
re-processing names against information in the TSDB as part of the ATF’s
licensing/permitting regime is not equivalent to the recurrent vetting for
terrorist ties that the Department plans to perform as part of the CFATS
Personnel Surety Program” (page 3; also seen in the IMF letter).
This raises an interesting question in regards to the use of
a TWIC Reader to validate an individual’s identity and the currency and
validity of the TWIC in lieu of providing vetting or vetting verification
information to ISCD. There is nothing in the wording of the ICR that would
indicate that the facility would periodically have to require TWIC
holders to re-use a TWIC Reader. In fact, it seemed to me that facilities using
a third party (or consolidated corporate submission) to conduct PSP screening
and data submission could use the TWIC Reader to validate a person’s TWIC to
fulfill the PSP terrorist screening requirements and the facility would never
have to acquire a TWIC Reader. I plan on submitting a question about this to
ISCD as part of a comment on the ICR.
Computer System Access and PSP
The letter to the Chamber of Commerce addressed another
interesting issue with regards to computer networks that are designated as
critical assets in the SSP. The Chamber had addressed the issue in their
comment noting that the facility’s cyber personnel could be located anywhere
in the United States and even in other countries. Wulf’s response noted that
PSP coverage included “facility personnel and as appropriate, for unescorted
visitors with access to restricted areas or critical assets” (page 3) and then
added the somewhat cryptic comment: “CFATS may include individuals with access
to certain networked computer systems.”
I have always maintained that anyone with remote access to a
critical computer system (like an ICS) must be covered by the facility PSP.
Admittedly this would cause some problems with vendors providing system service
via remote access. The latest version of the ICR seems to make this somewhat
easier in that vendors have the capability to submit PSP information to ISCD
for the vetting process. There is still the question of how the facility can be
assured that whoever is accessing their system has been properly vetted.
This is an issue that will have to be addressed in the SSP
and it would be helpful if ISCD could offer some guidelines on the types of
methodology that would be acceptable (always keeping in mind that ISCD is
prohibited from requiring a specific method). I would suspect that a memorandum
of understanding between the facility and the vendor that all personnel
accessing a particular system will be vetted by the vendor would be a minimum
requirement.
Comment Filed
The one public comment on the current ICR posted to the docket was, as
expected this early in the game, from an individual. It appears that the
commenter was unfamiliar with
the purpose of the ISCD vetting program. It was not designed, as apparently
assumed, to search for the most qualified people to access restricted areas but
to just ensure that people with known terrorist ties were not allowed access.