Last week the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
that it had approved the information collection request (ICR) from DHS National
Protection and Programs Directorate to support the Personnel Surety Program
(PSP) for the Chemical Facility Anti-Terrorism Standards (CFATS program. There
were no changes made in the burden estimates for the program, but there were
some changes made to the way the program will be implemented to account for
requirements of the Protecting and Securing Chemical Facilities from Terrorist
Attacks Act of 2014 (PL
113-254, CFATS Act of 2014).
David Wulf, the Director of the Infrastructure Security
Compliance Division sent letters to each of the commenters on the ICR
submission explaining what changes were included; both in response to public
comments and the new law. Those letters went to (the link is to a copy of each
letter):
The first two pages or so of those letters were identical,
outlining the general changes that were made in the PSP. The remainder of each
letter consisted of individual (mainly) responses to specific negative comments
that had been made by that organization. The responses to similar comments were
identical throughout each of the applicable letters.
Option 4
The main change to the PSP operation was required by CFATS
Act of 2014; in particular the new 6
USC 622(d)(2). In particular §622(d)(2)(B)(ii)
required that facilities be given the option to meet the terrorist screening requirement
through the visual inspection of other Federal screening program that
periodically vets individuals against the terrorist screening database, or any
successor program. With that requirement in mind ISCD added a new Option 4 to
the three options previously described in the 30-day
ICR notice.
The NPPD
submission to OIRA [WORD® Download] describes Option 4 this way (pg 4):
“In accordance with the CFATS Act
of 2014 the Department will offer a fourth option of Visual Verification. Option 4, Visual Verification of Credentials
Conducting Periodic Vetting, complies with section 2102(d)(2)(B) of the
Homeland Security Act and will allow a high risk chemical facility to satisfy
its obligation under 6 CFR 27.230(a)(12)(iv) to identify individuals with
terrorist ties by using any Federal screening program that periodically vets
individuals against the TSDB if:
∙
“The Federal screening program issues a credential or document; and
∙ “The high risk chemical facility is
presented a credential or document by the affected individual; and
∙ “The high risk chemical facility (in
accordance with its SSP or ASP) visually inspects the credential or document to
assess whether it is current.
“Pursuant to section
2101(d)(2)(B)(i)(II) of the Homeland Security Act, high-risk chemical
facilities shall accept credentials from Federal screening programs and address
in their SSPs or ASPs the measures they would take to verify that a credential
or document is current.”
While not specifically spelled out in the OIRA submission
document the letters from Director Wulf make it clear that facilities have the
ability to combine elements of all four options in their Site Security Plan
(SSP) and suggest alternatives of their own.
Other Changes
Based upon the information provided in the response letters
there have been a couple of other programmatic changes made to the PSP. The
first deals with the requirement to submit information on new employees or
visitors at least 48 hours before they are authorized unaccompanied access to
the facility. In the letter to the National Association of Chemical
Distributors (NACD) Director Wulf replies:
“Nonetheless, in response to
comments, the Department has removed the requirement that a high-risk chemical
facility must submit information about new affected individuals 48 hours in
advance of access being granted to the restricted areas or critical assets at a
high-risk chemical facility.”
The next two changes were explained in the letter to Institute
of Makers of Explosives. First the letter provides notice of the first non-DHS
screening documentation that will be accepted by the CFATS SSP under Option 4.
It explains:
“Of particular significance to IME
and the explosives industry, it bears noting that the Department has determined
that vetting conducted by the Bureau of Alcohol, Tobacco, Firearms and Explosives
(ATF) in conjunction with the issuance of ATF explosives licenses or permits
may be leveraged by high-risk chemical facilities under Option 4.”
The next deals with the requirement to notify ISCD when the
affected individual no longer has access to any restricted areas or critical
assets. This now becomes an option under Option 1 or Option 2, but it is not
required. DHS still would like to see these notifications, explaining:
“The Department strongly encourages
high-risk chemical facilities to notify the Department when an affected
individual no longer has access to restricted areas or critical assets to
ensure the accuracy of the Department's data and, in so doing, to stop the
recurrent vetting of the person who is no longer an affected individual.”
They do go on to note in the next paragraph, however that:
“If a high-risk chemical facility
is either unable or unwilling to update or correct an affected individual's
information, an affected individual may seek redress as described in the CFATS
Personnel Surety Program Privacy Impact Assessment.”
TSDB Positives
Notifications
Over the years that this PSP has been under development
there has been gradual change in the DHS response to the question about what
happens when there is a positive match between an persons submitted information
and the Terrorist Screening Database (TSDB). Initially DHS was fairly blunt
about it not being able to provide notification to the covered facilities about
such a match. That language has continued to soften at each iteration of the
approval process. In the letter to NACD they state:
“In the event of a positive match
against the TSDB and in order to prevent a significant threat to a high-risk
chemical facility or loss of life, a high-risk chemical facility will be
contacted where appropriate and in accordance with federal law and policy, as
well as law enforcement and intelligence requirements. This policy is
consistent with other federal security vetting programs and is consistent with
RBPS 12.”
There is still not guarantee that DHS will notify the
facility and they will never be able to provide that assurance. Wulf fully
understands the importance of facilities knowing about personnel potentially on
site that have ties to terrorists, but he will not be the one to make the
decision not to inform the facilities. If a hold is placed on that information
it will come from the Justice Department that actually owns the database. If,
in the opinion of DOJ, notification could potentially affect an on-going investigation
then the notification will not be made.
Moving Forward
We will be receiving more information in the coming days
about how the implementation of the PSP will begin. For Tier 1 and Tier 2
facilities it will start with a revision to their approved site security plan.
Generally, once that revision is approved, the facilities will have 60-days to
have submitted information on their current employees (If Option 1 or 2 is
being utilized).
I expect that we will be seeing more information about the
details of the implementation of the PSP in the coming days and weeks.
Posts
No comments:
Post a Comment