Wednesday, January 6, 2016

Potential PSP Problems

This is part of a continuing series of blog posts about the recently released Federal Register notice about the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety program (PSP). The notice outlines how the Infrastructure Security Compliance Division (ISCD) is planning to implement the vetting of covered chemical facility personnel and visitors against the FBI’s Terrorist Screening Database (TSDB) to determine if any covered personnel are suspected of having ties to terrorist organizations. Other posts in this series include:

In this post I will be looking at some of the problems that can be expected to arise as the new terrorist ties portion of the CFATS Personnel Surety Program is put into operation. Some of these potential problems will have reasonable workarounds readily available and others will require programmatic changes by ISCD. This discussion, however, is predicated on my current understanding of the PSP implementation that we have not yet seen published. A lot will depend on the way that ISCD sets up the data submission tool in CSAT.

Multiple Facilities

There are a significant number of companies in the United States that have multiple facilities covered under the CFATS program. ISCD has been accommodating in the past in allowing for these types of organizations to submit data to CSAT from the corporate level that is common to two or more facilities and I suspect that they intend to continue this practice with the PSP.

ISCD has made it clear in their Notice that they would like to see individual TSDB screening tied to facilities so that if subsequent changes to the TSDB turn up terrorist ties, ISCD will be able (law enforcement rules allowing) to notify the affected facility of the problem. While most of the employees whose screening data is submitted from corporate will be tied to a particular facility, that will not be the case for all employees. There will be corporate level personnel that will need to be able to move through all of the covered facilities.

It is conceivable that ISCD would require the information on those corporate level individuals to be submitted on each facility CSAT account. While this would not technically violate the 6 USC 622(d)(2)(A)(i) prohibition of requiring more than one data submission on an individual by a covered facility, it would certainly conflict with the Congressional intent. And it would likely put ISCD in the position of having to pay for multiple TSDB screenings of an individual.

The simplest way around this problem would be for ISCD, in allowing for corporate data submissions for multiple facilities to not tie the names submitted to an individual facility, but rather to the larger organization. That way ISCD would still have a point of contact about the individual in the event of a positive match or question about identification, but the individuals would be able to move about all of the covered facilities within the organization.

Facility Turnaround Contractors

Many chemical facilities (continuous process facilities in particular) conduct periodic facility shutdowns for maintenance called turnarounds. A contractor typically provides a large temporary workforce to quickly conduct the large scale repair, replacement and system upgrades that are part of this maintenance activity. These contractors serve multiple facilities and have a high employee turnover, especially when seen from the facility point of view.

It is extremely impractical for facilities to do individual information submissions for the contractor employees in this type of situation. Additionally, such data submissions would place an unreasonable load on the administration of the PSP at ISCD.

This would be an ideal situation for the use of Option 3. Each of the turnaround employees would be required to have a Transportation Workers Identification Credential (TWIC) and the contractor would be required to operate a TWIC Reader at the contractor entrance to the facility.

Local Delivery Drivers

While a facility may well be able to require over-the-road truck drivers delivering to the facility to have TWIC or HME for facility entrance, that is less likely for local less-than-load truck drivers, and completely beyond the bounds of reason for local deliveries from retail establishments and package delivery services.

The easiest way to deal with these drivers under the PSP program is to exclude them from the program. This can be done by setting up a specially designated delivery location outside of the facility’s restricted area or an area in clear view of the security personnel (either visually or via CCTV). They can be met there by facility personnel and if they have to enter the restricted area they would be escorted during that time.

Electronic Access

Many facilities routinely provide remote access to computer systems to a variety of folks. While employees are already covered under the PSP. A serious problem arises, however, when various outside service personnel or contractors are provided access to covered computer systems. Contractors with routine off-site access can presumably be covered in the same way as on-site contractors are but I would suspect that ISCD is going to want to see strong evidence that the facility has some sort of strong control on a contractors vetting of personnel. What is going to be much more problematic will be large vendors (and especially internationally based vendors) where the facility does not have a significant measure of economic influence on the vendor to require that they limit personnel to those that have been appropriately vetted by the PSP. ISCD is going to have to provide some clearer guidance on this issue.

False Positives

The biggest problem with the PSP program will be the issue of false positive matches with the TSDB. The TSDB is a name-based database that includes little or no biometric information on the individuals on the list. It is inevitable that there will be matches of names submitted by chemical facilities to TSDB listings that actually have no relationship to the individual on the TSDB. I suspect that the rate of false positives will be such that larger CFATS facilities will have to deal with multiple instances of receiving unfounded notifications of possible terrorist ties. All facilities must be prepared to deal with this situation when they submit their initial lists under Option 1.

After the initial data submissions this problem will be less important as most employment agreements will provide for termination of new hires that come back as positive on the TSDB screening in much the same way as drug screens and background checks call for termination and requests for redress will be handled as an individual matter. With this initial data submission for all current employees the situation is quite a bit different. When a key employee comes back with a positive TSDB match that is likely a false positive, then the organization has a stake in the redress process that is not anticipated in the ISCD privacy documentation [Note: this is the latest Privacy Impact Assessment document for the PSP]. The current redress procedures are:

“If you believe that the information submitted by [INSERT NAME OF CFATS COVERED FACILITY AND OF THEIR DESIGNEE(S) (IF APPLICABLE)] has been improperly matched by DHS to the identity of a known or suspected terrorist, you may write to the NPPD FOIA Officer at 245 Murray Lane SW, Washington, D.C. 20528-0380. You may also request an administrative adjudication under CFATS [6 CFR 27.310(a)(1)].”

Facilities are almost certainly going to need to have procedures in place in their newly revised SSP to cover how they are going to deal with the receipt of notification of a TSDB match for current personnel. Those procedures are going to have to be able to deal with a relatively new hourly worker, a well-known and respected long-time employee, and a manager coming back with a positive match. If the facility expects to keep any of these employees around during the almost certainly lengthy redress process, they are going to have to be able to convince ISCD that mitigating controls are in place to address the risk that these employees actually do have terrorist ties. I have no idea what mitigating controls other than personal escort might be acceptable to ISCD.

Other Situations Will Come Up

Facilities are going to have to take a hard look at their specific situation to see what areas of their facility are routinely entered by non-employees. Where there is little advance notice of who that non-employee is going to be, facilities are going to have to come up with ways to provide PSP vetted escorts. Where there is sufficient advance notice to provide for execution of one of the four TSDB vetting options, facilities will have to decide in advance how they are going to select the appropriate option.

As more of these complicated situations arise, I would certainly like to hear about them. I would particularly like to hear about those situations where ISCD has agreed to an innovative way of dealing with the problem.

No comments:

/* Use this with templates/template-twocol.html */