A little over a week into the comment period on the CFATS Personnel Surety Program (PSP) ICR and there is a single comment in the docket on the Federal eRulemaking Portal. There are six unusual supporting documents also to be found in the docket.
After the previous version of the PSP ICR was submitted to OMB (ultimately fated to be withdrawn last summer) there were a number of comments filed on the 30-day notice that had not been previously addressed by ISCD. David Wulf, Director of ISCD, took the unusual step of replying to those comments just about 11 days before the new ICR was published in the Federal Register in letters to the commenting parties. Those letters were addressed to:
• Shell Chemical Company; and
Alternative Vetting Options
In each of the letters Wulf addresses the issue of supplying information on individuals that have already been vetted by the Department in one of the other TSA executed reviews of the TSDB. He makes the point that ISCD needs a limited amount of information on these personnel to:
• Verify that the affected individuals are currently enrolled in the Department program; and
• Enable the Department to access both the original enrollment data and the results of the vetting against TSDB information already in the possession of the Department, when necessary.
In responses to similar questions in the previous ICR ISCD repeatedly made the comment that they would also use the data to periodically recheck personnel against the TSDB to see if new information had been added. That point was re-made in the letter to Dr. Constantinides when Wulf states: “Facilities must notify the Department when individuals no longer have access, so that the Department knows when to stop performing recurrent vetting on them.” (page 2) This point was reinforced in the same letter when Wulf said that the Department would not grant reciprocity to the ATF vetting because the ATF “schedule for re-processing names against information in the TSDB as part of the ATF’s licensing/permitting regime is not equivalent to the recurrent vetting for terrorist ties that the Department plans to perform as part of the CFATS Personnel Surety Program” (page 3; also seen in the IMF letter).
This raises an interesting question in regards to the use of a TWIC Reader to validate an individual’s identity and the currency and validity of the TWIC in lieu of providing vetting or vetting verification information to ISCD. There is nothing in the wording of the ICR that would indicate that the facility would have to periodically have to require TWIC holders to re-use a TWIC Reader. In fact, it seemed to me that facilities using a third party (or consolidated corporate submission) to conduct PSP screening and data submission could use the TWIC Reader to validate a person’s TWIC to fulfill the PSP terrorist screening requirements and the facility would never have to acquire a TWIC Reader. I plan on submitting a question about this to ISCD as part of a comment on the ICR.
Computer System Access and PSP
The letter to the Chamber of Commerce addressed another interesting issue with regards to computer networks that are designated as critical assets in the SSP. The Chamber had addressed the issue in their comment noting that the facility’s cyber personnel could be located any where in the United States and even in other countries. Wulf’s response noted that PSP coverage included “facility personnel and as appropriate, for unescorted visitors with access to restricted areas or critical assets” (page 3) and then added the somewhat cryptic comment: “CFATS may include individuals with access to certain networked computer systems.”
I have always maintained that anyone with remote access to a critical computer systems (like an ICS) must be covered by the facility PSP. Admittedly this would cause some problems with vendors providing system service via remote access. The latest version of the ICR seems to make this somewhat easier in that vendors have the capability to submit PSP information to ISCD for the vetting process. There is still the question of how the facility can be assured that whomever is accessing their system has been properly vetted.
This is an issue that will have to be addressed in the SSP and it would be helpful if ISCD could offer some guidelines on the types of methodology that would be acceptable (always keeping in mind that ISCD is prohibited from requiring a specific method). I would suspect that a memorandum of understanding between the facility and the vendor that all personnel accessing a particular system will be vetted by the vendor would be a minimum requirement.
The one public comment on the current ICR posted to the docket was, as expected this early in the game, from an individual. It appears that the commentor was unfamiliar with the purpose of the ISCD vetting program. It was not designed, as apparently assumed, to search for the most qualified people to access restricted areas but to just ensure that people with known terrorist ties were not allowed access.