Wednesday, September 2, 2015

OMB Approves CFATS Personnel Surety Plan ICR

Last week the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the information collection request (ICR) from DHS National Protection and Programs Directorate to support the Personnel Surety Program (PSP) for the Chemical Facility Anti-Terrorism Standards (CFATS program. There were no changes made in the burden estimates for the program, but there were some changes made to the way the program will be implemented to account for requirements of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (PL 113-254, CFATS Act of 2014).

David Wulf, the Director of the Infrastructure Security Compliance Division sent letters to each of the commenters on the ICR submission explaining what changes were included; both in response to public comments and the new law. Those letters went to (the link is to a copy of each letter):

The first two pages or so of those letters were identical, outlining the general changes that were made in the PSP. The remainder of each letter consisted of individual (mainly) responses to specific negative comments that had been made by that organization. The responses to similar comments were identical throughout each of the applicable letters.

Option 4

The main change to the PSP operation was required by CFATS Act of 2014; in particular the new 6 USC 622(d)(2). In particular §622(d)(2)(B)(ii) required that facilities be given the option to meet the terrorist screening requirement through the visual inspection of other Federal screening program that periodically vets individuals against the terrorist screening database, or any successor program. With that requirement in mind ISCD added a new Option 4 to the three options previously described in the 30-day ICR notice.

The NPPD submission to OIRA [WORD® Download] describes Option 4 this way (pg 4):

“In accordance with the CFATS Act of 2014 the Department will offer a fourth option of Visual Verification.  Option 4, Visual Verification of Credentials Conducting Periodic Vetting, complies with section 2102(d)(2)(B) of the Homeland Security Act and will allow a high risk chemical facility to satisfy its obligation under 6 CFR 27.230(a)(12)(iv) to identify individuals with terrorist ties by using any Federal screening program that periodically vets individuals against the TSDB if:

∙ “The Federal screening program issues a credential or document; and
∙ “The high risk chemical facility is presented a credential or document by the affected individual; and
∙ “The high risk chemical facility (in accordance with its SSP or ASP) visually inspects the credential or document to assess whether it is current.

“Pursuant to section 2101(d)(2)(B)(i)(II) of the Homeland Security Act, high-risk chemical facilities shall accept credentials from Federal screening programs and address in their SSPs or ASPs the measures they would take to verify that a credential or document is current.”

While not specifically spelled out in the OIRA submission document the letters from Director Wulf make it clear that facilities have the ability to combine elements of all four options in their Site Security Plan (SSP) and suggest alternatives of their own.

Other Changes

Based upon the information provided in the response letters there have been a couple of other programmatic changes made to the PSP. The first deals with the requirement to submit information on new employees or visitors at least 48 hours before they are authorized unaccompanied access to the facility. In the letter to the National Association of Chemical Distributors (NACD) Director Wulf replies:

“Nonetheless, in response to comments, the Department has removed the requirement that a high-risk chemical facility must submit information about new affected individuals 48 hours in advance of access being granted to the restricted areas or critical assets at a high-risk chemical facility.”

The next two changes were explained in the letter to Institute of Makers of Explosives. First the letter provides notice of the first non-DHS screening documentation that will be accepted by the CFATS SSP under Option 4. It explains:

“Of particular significance to IME and the explosives industry, it bears noting that the Department has determined that vetting conducted by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) in conjunction with the issuance of ATF explosives licenses or permits may be leveraged by high-risk chemical facilities under Option 4.”
The next deals with the requirement to notify ISCD when the affected individual no longer has access to any restricted areas or critical assets. This now becomes an option under Option 1 or Option 2, but it is not required. DHS still would like to see these notifications, explaining:

“The Department strongly encourages high-risk chemical facilities to notify the Department when an affected individual no longer has access to restricted areas or critical assets to ensure the accuracy of the Department's data and, in so doing, to stop the recurrent vetting of the person who is no longer an affected individual.”

They do go on to note in the next paragraph, however that:

“If a high-risk chemical facility is either unable or unwilling to update or correct an affected individual's information, an affected individual may seek redress as described in the CFATS Personnel Surety Program Privacy Impact Assessment.”

TSDB Positives Notifications

Over the years that this PSP has been under development there has been gradual change in the DHS response to the question about what happens when there is a positive match between an persons submitted information and the Terrorist Screening Database (TSDB). Initially DHS was fairly blunt about it not being able to provide notification to the covered facilities about such a match. That language has continued to soften at each iteration of the approval process. In the letter to NACD they state:

“In the event of a positive match against the TSDB and in order to prevent a significant threat to a high-risk chemical facility or loss of life, a high-risk chemical facility will be contacted where appropriate and in accordance with federal law and policy, as well as law enforcement and intelligence requirements. This policy is consistent with other federal security vetting programs and is consistent with RBPS 12.”

There is still not guarantee that DHS will notify the facility and they will never be able to provide that assurance. Wulf fully understands the importance of facilities knowing about personnel potentially on site that have ties to terrorists, but he will not be the one to make the decision not to inform the facilities. If a hold is placed on that information it will come from the Justice Department that actually owns the database. If, in the opinion of DOJ, notification could potentially affect an on-going investigation then the notification will not be made.

Moving Forward

We will be receiving more information in the coming days about how the implementation of the PSP will begin. For Tier 1 and Tier 2 facilities it will start with a revision to their approved site security plan. Generally, once that revision is approved, the facilities will have 60-days to have submitted information on their current employees (If Option 1 or 2 is being utilized).

I expect that we will be seeing more information about the details of the implementation of the PSP in the coming days and weeks.

No comments:

/* Use this with templates/template-twocol.html */