This is part of an ongoing series of blog posts about the new Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety plan (PSP) User Manual. This manual sets forth the instructions for using the new PSP tool in the online Chemical Security Assessment Tool (CSAT). Other blogs in this series include:
Groups and Submitters Overview
Again, because the PSP tool involves the handling and access of personally identifiable information (PII), steps have to be taken to ensure that only those personnel with a need-to-know have access to that information. With the multiple ways that information may be submitted, ISCD set up the PSP tool to require the formation of Groups and to only allow designated personnel to view the PII of personnel within that Group. This required the establishment of PSP Submitters (separate from the Submitter used in other CSAT tools) so that a single PSP Submitter would only be able to access PII from the Group to which they are assigned.
As a default, every CSAT account will initially have a single Group, called the Corporation Group. If the PSP Submitter(s) are authorized to have access to the PII on all of the affected personnel at a facility, then only the Corporation Group is necessary. However, if a facility is going to have to submit data on contractors or other companies, then it is likely that other Groups will have to be created. Likewise, if a facility is going to use an outside company to submit data on facility personnel while corporate HR submits data on personnel from other facilities, then multiple Groups will probably have to be established.
The User Manual explains it this way:
“The Department expects an Authorizer will carefully consider the best group structure so information about affected individuals can be protected from unauthorized disclosure. Specifically, the Department expects the Authorizer will create one or more groups if needed so PSP Submitter(s) will (1) have access to only those records about affected individuals they should have access to, and (2) not have access to those records about affected individuals they should not. Several examples of how groups might be constructed to align with a facility’s (or its designees’) business operations are provided in Appendix C [pg 24]. It is also possible that the best group structure for some facilities may be to not create any additional groups at all and rely on the default “Corporation” group.”
The User Manual provides instructions on how to:
• Create a Group (pg 11);
• Edit a Group’s Name;
• Merge a Group into the Corporation Group; and
• Remove a Group
As I noted earlier the PSP Submitter(s) will be entering PII into the PSP tool for all data submissions under Option 1 (Full data submission) or Option 2 (Data submission on holders of DHS vetted ID). This is a separate CSAT position from the Submitter who has been submitting data in the Top Screen, Security Vulnerability Analysis (SVA) or Site Security Plan (SSP) tools in CSAT. A Submitter may be assigned to the role of PSP Submitter. For the rest of this post I will be referring to the PSP Submitter as ‘Submitter’.
When a facility first tries to access the PSP tool, the only person that will be able to effect that access is the Authorizer. The Authorizer can submit data in the Corporation Group (and only that Group) so it is possible that a facility may not need to have a Submitter. More likely, however, we would see the Authorizer designate a Submitter for the Corporation Group and any other Groups that the Authorizer sets up.
The important thing to remember is that a Submitter can only be assigned to a single Group and will only be able to see or submit data for that Group. This is going to have to be taken into account as Groups are established.
Companies that have multiple CFATS covered facilities under a single Authorizer should remember that the Corporation Group for the Authorizer would appear to apply to all facilities under that Authorizer (though this is not explicitly stated in the User Manual). Separate Submitters could be designated for each covered facility under the Corporation Group, but each of them would be able to see the PII for all individuals from any facility submitted under the Corporation Group.
Submitters from outside of the company may be designated. This would be useful when an outside organization is doing the data submission for a facility or when contractors/vendors are doing data submissions for their employees that would have access to the facility. The Appendix C description of Group organization would seem to suggest that DHS would prefer to see these outside organizations submitting data under separate Groups. This would certainly make sense where more than one outside organization would be submitting data, as it would limit the visibility of the PII to those for whom the organization had submitted data.
While all submitters are going to be governed by the Rules of Behavior (ROB; discussed in the previous post in this series) about access to the PSP Tool and the data contained in that tool, facilities will do well to remember that the data collected prior to data submission is also covered by Federal, State, and local privacy and data protection rules. Since the data that the Submitters are entering into the system is not yet covered by the ROB, the Submitters need to be fully trained about, and in compliance with, those other rules.
For many facilities the single Corporation Group with a single Submitter will certainly be sufficient. The larger the organization the less likely that is going to be true. For companies with multiple locations and a number of contractors and vendors that require unaccompanied access to critical areas of the facility, I seriously suggest that the corporate security manager set up a meeting with all of the affected facility security managers and DHS Chemical Security Inspectors to try to work out the details of how the organization is going to organize its PSP data submission program. This meeting needs to be done early in the process; it would probably be best done before the SSP revisions are made.
Remember, it is fairly easy to set up Groups. If you end up setting up too many Groups initially, you can always reduce the number of groups by merging them later. Setting up new Groups after data submission has started will be very difficult as there is not currently any method for moving some data from one Group to another.
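To make the visibility consequences of the Group and Submitter rules described above concrete, here is an added toy model of those rules. It is not code from the post or from the CSAT tool; the class and method names are assumptions, and so is the modelled behaviour on merge (Submitters of the merged Group lose their assignment) and the Authorizer's ability to view Corporation Group records, which the manual does not spell out.

```python
from dataclasses import dataclass, field

CORPORATION = "Corporation"  # the default Group every CSAT account starts with

class PSPAccessError(Exception):
    """An action would violate the Group/Submitter rules."""

@dataclass
class PSPAccount:
    authorizer: str
    groups: dict = field(default_factory=lambda: {CORPORATION: []})  # Group -> submitted records
    submitters: dict = field(default_factory=dict)  # Submitter -> the single Group it belongs to

    def create_group(self, name):
        if name in self.groups:
            raise PSPAccessError(f"Group {name!r} already exists")
        self.groups[name] = []

    def assign_submitter(self, submitter, group):
        # A PSP Submitter can be assigned to exactly one Group.
        if submitter in self.submitters:
            raise PSPAccessError(f"{submitter} already belongs to {self.submitters[submitter]!r}")
        if group not in self.groups:
            raise PSPAccessError(f"no such Group {group!r}")
        self.submitters[submitter] = group

    def group_for(self, actor):
        # The Authorizer works in the Corporation Group only; a Submitter in its own Group.
        if actor == self.authorizer:
            return CORPORATION
        if actor not in self.submitters:
            raise PSPAccessError(f"{actor} has no PSP role on this account")
        return self.submitters[actor]

    def submit(self, actor, group, record):
        if self.group_for(actor) != group:
            raise PSPAccessError(f"{actor} may not submit into Group {group!r}")
        self.groups[group].append(record)

    def visible_records(self, actor):
        # Scoped to the actor's Group (Authorizer viewing the Corporation Group is an assumption).
        return list(self.groups[self.group_for(actor)])

    def merge_into_corporation(self, group):
        # Folds a whole Group into Corporation; no per-record move exists, so none is modelled.
        if group == CORPORATION or group not in self.groups:
            raise PSPAccessError(f"cannot merge Group {group!r}")
        self.groups[CORPORATION].extend(self.groups.pop(group))
        # Assumption: the merged Group's Submitters lose their assignment and must be re-designated.
        for s in [s for s, g in self.submitters.items() if g == group]:
            del self.submitters[s]
```

A worked scenario: assign two corporate HR Submitters to the Corporation Group and one vendor Submitter to a separate Group; each HR Submitter sees every Corporation record (the multi-facility caveat above), the vendor sees only its own, and after merge_into_corporation the vendor's records become visible to the HR Submitters.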