This is part of a continuing series of blog posts on the
newly released Expedited Approval Program (EAP) guidance
document for Tier 3 and Tier 4 facilities under the Chemical Facility
Anti-Terrorism Standards (CFATS) program. Other posts in the series are:
In this post I will look at the personnel surety
requirements of the EAP. These are covered in section F (pg 50 and pg 86) of
the EAP guidance document along with a number of other security management
measures. The personnel surety program is covered under the Risk-Based
Performance Standard #12 in the RBPS
guidance document. In the CFATS regulations there are four personnel surety
requirements at 6
CFR 27.230(12). They are:
∙ Measures designed to verify and validate identity;
∙ Measures designed to check criminal history;
∙ Measures designed to verify and validate legal authorization to work; and
∙ Measures designed to identify people with terrorist ties.
The EAP guidance document only specifically addresses the
first three requirements because ISCD has yet to complete its Personnel Surety
Program (PSP) that would address the method of identifying people with
terrorist ties. I’ll discuss this further at the end of this post.
EAP Checklist
The EAP checklist lists eight personnel surety requirements:
∙ The facility has identified all affected individuals;
∙ The facility verifies and validates the identity of all affected individuals by a government issued ID or identification document as listed on the I-9 form;
∙ The facility conducts a criminal history check on all affected individuals through a third party background investigation company, national program, or local law enforcement agency. This background check includes national, state, and local resources for a timeframe of no fewer than five years and the report identifies all felonies, at a minimum;
∙ The facility has a process for adjudicating the results of background checks and determining access restrictions in a reasonable manner;
∙ Upon notification from DHS, the facility will implement a process to identify all affected individuals with terrorist ties;
∙ The facility escorts all visitors which do not have background investigations via an approved and trained escort; and
∙ The facility maintains documentation (at a minimum: employee name, how the required checks were conducted, and the results of the checks) of background checks for all current affected individuals in order to demonstrate compliance with personnel surety requirements.
The term ‘all affected individuals’ is specifically defined
as:
∙ Facility personnel who have or are seeking access, either unescorted or otherwise [emphasis added], to restricted areas or critical assets; and
∙ Unescorted visitors who have or are seeking access to restricted areas or critical assets.
There are two items from the RBPS Metrics (pgs 99-100) that
are not addressed in the EAP guidance. First, Metric 12.2 for Tier 3 facilities
requires that investigations “are repeated for all individuals at regular
intervals”. And Metric 12.5 for all facilities requires that the background
check program is audited annually.
Additional EAP Information
The discussion of the personnel surety program in the EAP
guidance (pgs 50-52) provides only limited amounts of additional information.
Most importantly, the guidance does make it clear that owners have some leeway
in determining whether or not contractors are included in the term ‘facility
personnel’.
There is surprisingly detailed guidance as to what
constitutes ‘verifying ID’. It includes:
∙ Comparing the picture on the card with the owner;
∙ Comparing the physical characteristics against the person’s physical appearance;
∙ Checking for tampering;
∙ Reviewing both sides of the card; and
∙ Checking the expiration date.
Terrorist Ties Checking
There is currently no approved method for facilities to
check for personnel with terrorist ties. ISCD is responsible for setting up
this program and has had problems getting the PSP program approved by the
Office of Management and Budget due to industry
opposition to many of the program elements. The most
current proposal has been under review since March of 2014.
The most vociferous critics, and certainly the most
influential, have been in Congress. The CFATS statute passed last session (HR
4007) specifically addressed those congressional concerns with the PSP
program {6 USC 622(d)(2)}.
While that statute requires DHS to establish a CFATS program to identify
personnel with terrorist ties, it also allows facility owners to use other “Federal
screening program that periodically vets individuals against the terrorist
screening database” {§622(d)(2)(B)(i)(I)}.
Additionally, it requires that a facility accept any credential from such ‘Federal
screening program’ if offered by an individual as proof that a covered
individual has been screened for terrorist ties.
These new requirements for the PSP program will require a
substantial re-write of the program that was submitted to OMB last year. It
appears that ISCD is still going to rely on the Information Collection Request (ICR)
route for obtaining approval of the PSP program. A footnote on page 6 of the
EAP guidance notes that:
“Compliance with RBPS 12(iv) will
be required for Tiers 1 and 2 upon approval of an Information Collection
Request under the Paperwork Reduction Act, and upon notification to facilities
by DHS that the CFATS Personnel Surety Program (i.e., the program enabling
compliance with RBPS 12(iv)) has been implemented.”
This is the same two-stage implementation plan that ISCD had
proposed in its last PSP proposal. This would allow it to implement the program
at the highest risk facilities (and a smaller number of facilities) first. As
the bugs were worked out and ISCD had a better idea of the number of
individuals that would be affected at the Tier 3 and Tier 4 facilities, ISCD
would then go back with a revision to the ICR to allow application of the PSP
to Tier 3 and 4 facilities. This means that it could be quite some time before
Tier 3 and Tier 4 facilities have to worry about the terrorist ties vetting of
their covered personnel.
Commentary
Like the cybersecurity requirements, the personnel surety
requirements of the EAP are rather vague and potentially allow facilities a
great deal of latitude in how those requirements are met. It also means that
facilities might face the very real prospect of having DHS specify particular
vetting requirements that must be taken when the compliance inspection is
completed. This potentially could substantially increase the cost of the
personnel surety program and those new costs could come with a very short
implementation period.
There is also an interesting new requirement for the Tier 3
and Tier 4 programs that was not included in the original personnel surety
requirements outlined in the RBPS guidance document. It is the fifth point in
the personnel surety checklist:
∙ The facility has a process for adjudicating the results of background checks and determining access restrictions in a reasonable manner;
This was undoubtedly added due to the new requirement in the
CFATS statute {6 USC 622(d)(2)(A)(iii)(II)} for establishing a redress process.
That requirement, however, was specifically targeted at individuals who had
been vetted against the terrorist screening database via the ISCD PSP. The way
it is implemented in the EAP expands that requirement (legitimately so in my
opinion) to include all of the background checks in that redress program.
What is not clear is if ISCD has been ‘requiring’ such a
redress program in all of the site security plans that it has been authorizing
and/or approving to date. There certainly has not been anything publicly
discussed about such a requirement. If not, it will be interesting to see if
and how ISCD goes back to the non-EAP facilities with approved SSPs to get such
a program put in place for non-PSP background checks.