This is part of an ongoing series of blog posts about the recently published 30-day information collection request (ICR) published in the Federal Register by DHS. This ICR would support the long overdue personnel surety program requirements for the Chemical Facility Anti-Terrorism Standards (CFATS) program. Earlier posts in the series include:
Since control systems, security systems and business networks will likely be on the list of critical assets for most facilities (depending on which DHS chemicals of interest – COI – are present) personnel with access to these systems will almost certainly require vetting under the site personnel surety plan as it is difficult to imagine when such access would be not be considered unaccompanied.
Remote System Maintenance
Most complex cyber systems (which certainly includes control systems) now comes with the option for remote system maintenance support. CFATS covered facilities that utilize such options have an obligation to ensure that the vendor’s personnel who have such access are properly vetted under the facility’s PSP. This would appear to be another instance where the background check agency provisions (discussed in the last post in the series) of the ICR would come into play.
Since there is no way that the facility will actually know which individual is remotely accessing the facility’s computer systems there will have to be some shifting of responsibility to the vendor. This would have to be done through some formal document like a memorandum of understanding and this would have to be included in the facility’s site security plan so that ISCD could review the provisions as part of the SSP authorization and approval process. This would also mean that changes in vendors would have to be reported to ISCD as part of the ‘material change’ provisions of §27.210(d), §27.215(d) or §27.225(d)(2).
Many facilities will opt for the use of off-site security monitoring programs. Since such monitoring programs will be a significant part of the security apparatus for the facility it will certainly fall under the critical area rule requiring vetting under RSPB #12. Again the vendor providing such services would most likely fall under the Background Check Agency provisions described earlier. Again, there would have to be some formal document in the site security plan outlining the vendor’s responsibility for conducting the vetting.