Monday, February 8, 2016

DHS Updates CFATS FAQ List

Today the DHS Infrastructure Security Compliance Division (ISCD) updated their frequently asked questions (FAQ) list on the CFATS Knowledge Center page. There is no listing of the 8 new FAQs and one updated FAQ response in the ‘Latest News’ section of the page.

# 1450 What is the URL to the CSAT Web Portal?
# 1761 I have misplaced my Chemical-terrorism Vulnerability Information (CVI) certificate. How can I retrieve a copy?
# 1762 Can our company’s human resources department request a change in contact information to receive the Chemical-terrorism Vulnerability Information (CVI) certificates?
# 1763 Why are my Chemical-terrorism Vulnerability Information (CVI) documents and information located in my Chemical Security Assessment Tool (CSAT) account inaccessible?
# 1764 How long will a facility have to implement the approved security measures to check for terrorist ties (Risk-Based Performance Standard (RBPS) 12(iv)) in its Site Security Plan (SSP)/Alternative Security Program (ASP)?
# 1765 What does a facility need to do to comply with the Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program requirements that are in effect now that the program has been implemented?
# 1766 Does DHS allow facilities to contract out the submission of information under Option 1 or Option 2 for the Personnel Surety Program in Risk-Based Performance Standards (RBPS) 12(iv) to third parties?
# 1767 Will the facility be notified if the Department learns that an affected individual has terrorist ties?
# 1768 When will DHS grant access to the Chemical Security Assessment Tool (CSAT) Personnel Surety Program application if a facility chooses to meet Risk-Based Performance Standard (RBPS) 12(iv) by selecting Option 1 or Option 2 in its Site Security Plan (SSP)/Alternative Security Program (ASP)?

Updated FAQ

The FAQ that has been updated is #1450. As far as I can tell there is no new information for either of the links provided in the response.


The first three new FAQs (# 1761, # 1762, and # 1763) all have to deal with the Chemical-Terrorism Vulnerability Information (CVI) training certificate. This certificate is issued when you complete the on-line CVI training course. Having this certificate is one of the prerequisites for accessing CVI information on the CSAT web site. The information in the first two FAQs is relatively straight forward and self-explanatory.

The third new CVI FAQ is a tad bit more complicated than the response sets forth. One of the common reasons for the CVI certificate not being synced with a user’s CSAT account is that the email provided for the CVI training is different than the email used on the CSAT account. For those of us who took the CVI training using a personal email account, we may not want to (or be allowed to) use that personal email on our CSAT account. In other cases, an individual may have taken the CVI training under a different employer’s email system and probably no longer has access to that email address. Neither of these cases is specifically addressed in the response to the FAQ.

I am pretty sure, however, that these two problems can be resolved by a phone call to the CFATS Help Desk {(866) 323-2957}.

Personnel Surety Program FAQs

The final five new FAQs all deal with the Personnel Surety Program (PSP) still being rolled out by ISCD. We are still waiting on a promised CFATS Personnel Surety Program Application User Manual and possibly a revised CSAT Account Management user guide to reflect new user types for PSP data submissions.

There is nothing in the new PSP FAQs that was not already covered in the December 18th, 2015 Federal Register notice.

TSDB Match Notifications

The one FAQ that is likely to cause some industry consternation is the response to # 1767: Will the facility be notified if the Department learns that an affected individual has terrorist ties? No one in industry (and few, if any, in DHS) will really be satisfied with this weasel worded response:

“To prevent a significant threat to a facility or loss of life, a high-risk chemical facility will be contacted where appropriate and in accordance with federal law and policy and law enforcement and intelligence requirements [emphasis added].”

If the folks at ISCD had their druthers, they would notify the facility security officer as soon as they were notified that an individual’s name submitted by a covered facility matched a name on the Terrorist Screening Database (TSDB). Unfortunately, it is easy to imagine a situation where ISCD would not be allowed to make that notification by the powers that be at the Department of Justice that own the TSDB information. In fact, it is entirely too likely that there will be instances where even ISCD is not informed.

If the DOJ or some investigative agency within the national security apparat has an on-going criminal or national security investigation connected with someone whose name has been submitted under the CFATS PSP, those agencies are not going to want to have their investigation compromised by notifying the facility (and thus the individual) of a TSDB match. If such a notification is going to be made, it is likely to be made by the investigative agency, not ISCD.

Additional Questions

Anyone from a CFATS covered facility with additional questions can contact the CFATS Help Desk (866-323-2957).

No comments:

/* Use this with templates/template-twocol.html */