Friday, December 18, 2015

DHS Publishes CFATS PSP Notice

Today the DHS National Protection and Programs Directorate (NPPD) published a notice in the Federal Register (80 FR 79058-79066) concerning the “Implementation of the CFATS Personnel Surety Program”. This explains how Tier I and Tier II facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program will implement the portion of the personnel surety program pertaining to vetting facility personnel and visitors with unaccompanied access to CFATS facilities against the Terrorism Screening Database (TSDB).

Requirement for Vetting

The requirement for vetting facility personnel and unescorted visitors wishing to gain access to restricted or critical areas of a CFATS covered facility can be found in 6 CFR 27.230(a)(12). Facilities with an approved site security plan (SSP) have already been completing the requirements under subparagraphs (i) through (iii). This notice pertains to the requirements under subparagraph (iv): measures designed to identify people with terrorist ties.

Additional congressional guidance on the implementation of the CFATS Personnel Surety Program was provided last year with the passage of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (PL 113-254). The provisions regarding the PSP were codified at 6 USC 622(d)(2).

In August of this year the OMB’s Office of Information and Regulatory Affairs (OIRA) approved the CFATS Personnel Surety ICR (1670-0029) that ISCD had used to outline how it intended to implement the PSP. The version of the ICR approved by OMB included the addition of a fourth option for implementation of the vetting program that was required by the new congressional direction.

Who Must Be Vetted

Today’s notice reiterates the position of ISCD as to what the regulation means when it says “facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets”. In effect, the term ‘facility personnel’ means all facility employees and those contractor personnel designated in the SSP as facility personnel for the purpose of the PSP. Visitors are only required to be vetted if they have ‘unaccompanied access’, and the facility is given certain latitude in defining in the SSP what constitutes ‘accompanied access’.

The notice also goes into some detail about specific categories of personnel that do not require vetting under any portion of the PSP (including the terrorist ties requirement outlined in today’s notice). They include:

• Federal officials who gain unescorted access to restricted areas or critical assets as part of their official duties;
• State and local law enforcement officials who gain unescorted access to restricted areas or critical assets as part of their official duties; and
• Emergency responders at the state or local level who gain unescorted access to restricted areas or critical assets during emergency situations.

TSDB Vetting Options

The notice describes four specific options that facilities have to conduct the TSDB vetting of personnel. Facilities may use any combination of the four options that they desire; they just have to be outlined in the Site Security Plan approved by ISCD (more on that later). Those options are:

Option 1 - The high-risk chemical facility (or designee(s)) submits certain information about affected individuals to the Department through a Personnel Surety Program application in the CSAT Tool.

Option 2 – The high-risk chemical facility (or designee(s)) submits certain information about affected individuals to the Department through the CSAT Personnel Surety Program application on personnel who have already been vetted by another Federal TSDB vetting program (TWIC, HME, SENTRI and FAST, for example).

Option 3 – The high-risk chemical facility (or designee(s)) does not submit information to ISCD, but will rather electronically verify and validate the affected individuals' TWICs through the use of TWIC readers (or other technology that is periodically updated with revoked card information).

Option 4 - The high-risk chemical facility (or designee(s)) does not submit information to ISCD, but will rather visually inspect a credential from a Federal screening program that periodically vets individuals against the TSDB.

Facilities are reminded that they have an additional option of proposing some alternative vetting process in their SSP that may be approved by ISCD if it is found to provide an equivalent process.

The notice also provides a discussion of the relative level of security provided by each of the options described above.

When Will Vetting Have to be Completed?

The notice explains that before the vetting process can begin, the facility will have to revise its approved SSP to include a description of its terrorist screening process (more on this later). ISCD will notify each Tier I and Tier II facility when it must complete that SSP revision (ISCD is going to stagger this so that it can provide assistance from Chemical Security Inspectors throughout this process). Once that revision is approved, facilities will generally have 60 days to complete the vetting process (submitting data for Options 1 and 2) on existing employees. New employees and all visitors requiring unaccompanied access will require vetting (again, submitting data for Options 1 and 2) before they are given access to restricted or critical areas within the facility.

Privacy Notice

The notice outlines the Privacy Act provisions (and other applicable privacy regulation provisions) that the Department has complied with in developing this program. From the perspective of the Facility Security Manager, probably the most important will be the May 1st, 2014, update to the CFATS Personnel Surety Program Privacy Impact Assessment. That is because it provides a suggested copy (at Attachment 1) of the Privacy Act notification that should be provided to each person about whom the facility is submitting information under Option 1 or Option 2.

The notice mentions a new update (that presumably includes mention of Option 4) that was supposed to have been printed today, but it has not yet been posted to the NPPD PIA web site.

Site Security Plan Revisions

CFATS facilities that have already had their site security plan authorized or approved will have to revise their plan to include the terrorist screening process. The notice provides some detailed information about the types of information that ISCD is going to expect to see in that revision.

When ISCD individually notifies each Tier I and Tier II facility that it is required to update its SSP, it will also include a date by which that update must be submitted for authorization/approval.

Moving Forward

I have heard that ISCD intends to work very closely with at least the first few facilities as they go through the process of changing their SSP and then submitting data (for those that intend to utilize Option 1 and/or Option 2) for the PSP. Given that the Christmas holidays are upon us, I would not be surprised to hear that ISCD will not send out the first notifications until after the first of the year. I also suspect that they may actually informally contact the early facilities to arrange times when their CSI are available before they send out the notification letters.

ISCD still has a CSAT manual to publish for the PSP data submissions and perhaps a revision to the Account Management User Guide if they are going to come up with a new data submission user role for 3rd party PSP data submissions.

We are going to see an interesting couple of months in the CFATS program as the PSP implementation moves forward.

