Friday, July 3, 2015

PSP Congressional Mandate vs ISCD ICR

Last month I reported that ISCD Director Wulf had announced (in response to my question) during the most recent EO 13650 update that he expected the OMB’s Office of Information and Regulatory Affairs (OIRA) to approve the pending CFATS Personnel Surety Program (PSP) information collection request (ICR) sometime in the near future. He then noted that the DHS Infrastructure Security Compliance Division would then publish a guidance document outlining how Tier I and Tier II facilities would be implementing the PSP requirements.

I was surprised to hear this as I had assumed (as had most people) that the PSP requirements outlined in the new 6 USC 622 requirements from HR 4007 would have killed the current PSP program and would have required ISCD to re-start the ICR process. I am pretty sure that that was the intention of Rep. Meehan (R,PA) when he introduced HR 4007 in February of 2014, just after the 30-day ICR notice was published.

Proposed PSP Process

First let me go back and review what the PSP ICR outlined for the vetting of personnel against the Terrorist Screening Database (TSDB). ISCD outline three options that a facility would have to complete the vetting process on all facility employees (and that could include contractors at the facility’s option):

OPTION 1 – Direct vetting;
OPTION 2 – Use of vetting conducted under other DHS programs; and
OPTION 3—Electronic verification of TWIC

Actually, there is a fourth option described in the ICR. Facilities could suggest alternative methods of vetting personnel which would be reviewed by ISCD on a case-by-case basis. In this post I’ll call that Option 4.

Option 1

This is fairly uncontroversial, but the most time consuming option. The facility would have to enter into the on-line Chemical Security Assessment Tool (CSAT) into a new tool that will be released presumably after the guidance document is issued. For US citizens and legal permanent residents the information required would be:

Full Name
Date of Birth
Citizenship or Gender (Gender for US citizens)

Provisions would be made in the CSAT PSP Tool to provide additional, optional information to reduce the possibility of false positives. Facilities could enter this information or they could designate a 3rd party to submit the information for them. ISCD has also said that they would set up a system for bulk-upload of this data rather than just requiring manual data entry in the CSAT PSP Tool.

The only place where Option 1 conflicts with the new law is the requirement at §622(d)(2)(B)(i)(II)(aa) that requires a facility to accept the presentation of a DHS vetted credential from a covered individual which then preempts the requirement to provide information on those individuals to the PSP. I suppose that this would be easy enough to address in the guidance document.

Option 2

This is where the most dramatic conflicts with the new statute would apparently occur. For individuals with other credentials that include DHS vetting against the TSDB (including TWIC, HME and various Trusted Traveler Programs) ISCD proposed to require facilities to report much the same information as in Option 1 with the addition of the document number of the credential which substantiates the TSDB vetting.

This option has drawn the ire of many in the industry and Congress. The opposition insists that the mere presentation of the credential (and probably copying it for records sake) should satisfy the vetting requirement and no information should be submitted to DHS. This certainly seems to be the intent §622(d)(2)(B)(iii)(I).

ISCD has in the past responded that the information that it is requiring to be submitted to the CSAT Tool is not being used to vet the individuals against the TSDB, they are simply going to use the information to ensure that the credential being used is valid and current. This is the problem with all of the credentials being used under Option 2 (with the potential exception of the TWIC); the casual observer has no way to validate the credential or ensure that it has not been withdrawn because of subsequent investigative data.

The statute addresses this in §622(d)(2)(B)(i)(II)(bb). It requires facilities to outline in their site security plan (or authorized alternative) “the measures it will take to verify that a credential or documentation from a Federal screening program described in subclause (I) is current”. This requirement is where ISCD has an out to continue to use Option 2. Facilities could voluntarily use Option 2 as the way they fulfill the requirement described above. Facilities wishing to use some other method of verifying the credential data would annotate that in their plan, effectively Option 4. ISCD is, of course, capable of invalidating the designated process if it proves to be inadequate leaving the facility to revise Option 4 or use one of the other options.

Personally, I don’t think that there is an alternative method for facilities to verify these other credentials (other than TWIC which I’ll discuss in Option 3), so facilities are going to be forced to use Option 2 for any employee that offers one of these credentials. If any of my erudite readers knows of a legitimate verification option, please let me know.

Option 3

This option addresses the credential verification and validation process for Transportation Workers Identification Credentials (TWIC). TWICs were designed to be verified and validated on site through the use of a TWIC reader. It was originally envisioned that each MTSA covered facility or vessel would check the TWIC with a TWIC reader each time the holder entered the facility. This has yet to be required since the Coast Guard has yet to issue their final rule on TWIC Readers.

The CFATS PSP would not require daily checking of the TWIC. The ICR does not, in fact, say anything about how often TWICs should be checked. But in keeping with the requirements of the new statute, ISCD will not be requiring the submission of any information on individuals if their TWIC has been electronically verified.

Moving Forward

It looks like it would be possible for the PSP outlined in the ICR submitted to OIRA on February 10th, 2014 to be interpreted as meeting the requirements of 6 USC 622. We would still need to see the guidance document and the new CSAT Tool instruction manual to know that ISCD has included the necessary caveats and instructions so that it does not run afoul of the congressional mandate.

I am fairly certain that the legal staff at DHS is fully capable of ensuring that those documents will be appropriately worded. If not, there will almost certainly be law suits from a number of organizations to point out the errors of their ways.

No comments:

/* Use this with templates/template-twocol.html */