Sunday, February 2, 2014

30 Day CFATS PSP ICR – Three Options

This is part of an ongoing series of blog posts about the recently published 30-day information collection request (ICR) published in the Federal Register by DHS. This ICR would support the long overdue personnel surety program requirements for the Chemical Facility Anti-Terrorism Standards (CFATS) program. Earlier posts in the series include:

Scope of the PSP

Risk-Based Performance Standard 12 {6 CFR §27.230(12)} outlines the general requirements for a personnel surety program for personnel. It requires that CFATS covered facilities:

“Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets,”

Most of the background checks listed in the subsequent subparagraphs are conducted by the facility through a variety of governmental and non-governmental agencies. Facilities have a great deal of leeway about the scope of such checks and what negative information will be disqualifying information for determining which individuals will be employed at the facility or which visitors will be provided unescorted access to critical or sensitive areas of the facility.

The background check requirements of §27.230(12)(iv); “Measures designed to identify people with terrorist ties” require access to the Terrorist Screening Database (TSDB) maintained by the FBI. Vetting against that database is described in this ICR as an “inherently governmental function” which requires action by DHS. This ICR describes how individual facilities will initiate such action.

The Options

This ICR provides a description of the three options that DHS has currently designed for fulfilling the facility portion of the requirements for the TSDB vetting. Two of those options require submission of information by the facility; the third utilizes TWIC readers to verify that information on an individual has already been submitted and vetted against the TSDB. The notice continues to maintain that ISCD will consider, on a case by case basis, alternative methods for vetting against the TSDB that facilities might propose in their Site Security Plan (SSP) or Alternative Security Plan (ASP).

The two data submission options would require facilities to submit specific personally identifiable information (PII) to the DHS Infrastructure Security Compliance Division (ISCD) via a new on-line PSP tool within the current Chemical Security Assessment Tool (CSAT). Data submission could be done through either manual entry of individual’s information, submission of an Excel file containing information on multiple individuals, or the Department may allow the submission of the information through a Web-service (a software system designed to support interoperable machine-to-machine interaction over a network).

The first option is direct vetting of individuals. DHS would take PII provided by the facility through the PSP tool and submit it to the FBI’s Terrorist Screening Center for comparison to the TSDB. Periodically, ISCD would re-submit the same information to determine if an previously vetted individual has been added to the TSDB. This re-vetting would require no action by the facility. There is nothing in the ICR which identifies the frequency of the re-vetting process.

The second option allows DHS to use a slightly different set of PII provided by the facility to verify that other DHS agencies have already vetted the individual against the TSDB. The accepted programs already periodically re-vet against the TSDB (this is a DHS ‘best practice’) so ISCD would be able to periodically (again no definition of the period in ‘periodically’ is provided) re-validate the TSDB status of the individuals by re-checking with the issuing agency. There is no real need to define periodically here since it is purely an internal matter and does not require any action by facility owners or operators.

Presumably ISCD will continue to use TSA to conduct the actual check of the TSDB. Since TSA is charged with recovering the costs of their ‘security assessments’, they will ‘charge’ ISCD for each check of the TSDB that they conduct (I seem to remember hearing that ISCD was already ‘paying’ for this service, but I haven’t been able to track down a source for that information). Checking DHS records for the current status of other security vetting’s will not cost ISCD anything (or possibly just much less).

For facilities, there is no practical difference between option 1 and option 2. They are still required to have information (with minimal differences it the information) submitted to ISCD. They will either do it themselves, or will pay to have a third party do it for them.

There is one DHS vetting program that gets special treatment in the CFATS PSP; the TWIC card. The Department is requiring records checks of the other programs because there is no way to visually verify if the covered identity document is current and/or real. The TWIC, via a TWIC reader can be so confirmed. In the third option, the facility would not have to submit information to the CFATS PSP tool for individuals “if the high-risk chemical facility (or others acting on their behalf) electronically verify and validate the affected individuals' TWICs through the use of TWIC readers (or other technology that is periodically updated using the with revoked card information).” Presumably the last comment refers to either the Canceled Card List (CCL) or the Certificate Revocation List (CRL).

Responses to Comments about Options

There were two comments that suggested alternative methods for vetting personnel that were not employees or contractor employees. NPPD responded that the two suggested methods were outside the scope of the current ICR and implied that they would require a rulemaking to implement.

There was a comment that the proposed options in the 60-day notice did not follow recommendation #16 of the Surface Transportation Security Priority Assessment concerning the reciprocal use of various security threat assessment information. NPPD responded that “the Department has defined, and continues to define, the “enroll once, use many” concept as the ability to reuse previously submitted program enrollment information and/or vetting results upon collection of sufficient information to confirm an individual's prior enrollment in a Department program or prior vetting results”.

There were several comments to the effect that the data submission requirements for the second option actually constituted a second background check. As I noted above, ISCD would not use the provided information to conduct an actual check of the TSDB, but rather to verify a current and valid vetting under the other DHS program.

There was a similar response to comments that Option 2 violated the ‘no additional background check’ requirement of violates 49 U.S.C. 5103a(g)(1)(B)(i) [Note the link in the ICR notice went to §5103 instead of §5103a]. NPPD reiterated that no additional background checks were being done; ISCD was using the information to verify that a claimed vetting document was current. This is being done not only to prevent the use of revoked documents, but also counterfeit documents.

The Details

Once the 30-day ICR is approved by OMB’s Office of Information and Regulatory Affairs (OIRA), we can expect to see ISCD introduce the PSP tool in CFATS. They will publish at least one User’s Manual for the PSP and we can expect to see a new revision of the CSAT Registration manual to reflect the use of outside agencies for the submission of PSP data.

I expect that the actual PSP tool will be a relatively simple tool with a typical CSAT fill in the blanks type format. The ICR notice makes it clear that there will be provisions for uploading MS Excel files or XML files for bulk submissions to the system. The site will either specify the column format or will provide a template for the file (I would bet on the later).

The registration manual revision will be a completely different story. With DHS pushing hard for the use of contract organizations to submit employee data and thousands of vendors who will need to get their employees vetted (frequently for more than one facility) the registration problems look to be really complicated. I would bet that DHS will set up a separate registration program for organizations other than chemical facilities and then provide some method for covered chemical facilities to link their PSP tool to those organizations.

While the ICR notice makes it clear that employee vetting information is not Chemical-Terrorism Vulnerability Information (CVI), under current rules the fact that a facility is considered to be a CFATS covered facility is CVI. I expect that ISCD will relax that particular provision.

No comments:

/* Use this with templates/template-twocol.html */