This is part of an on-going series of blog posts about the new Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety plan (PSP) User Manual. This manual sets forth the instructions for using the new PSP tool in the on-line Chemical Security Assessment Tool (CSAT). Other blogs in this series include:
Potential Problems Identified
Back in in early January, after DHS published their PSP program notice in the Federal Register, I wrote a blog post about potential problems with the system as it was explained in that notice. The potential problem areas identified in that post include:
• Multiple facilities
• Facility turnaround contractors
• Local delivery drivers
• Electronic access
• False positives
As expected, the User Manual did not specifically address any of these problems. It did, however, provide information to help resolve three of these problems; multiple facilities, facility turnaround contractors and electronic access.
As long as all corporate facilities all have a single authorizer (the most likely situation), the PSP can be set up so that the Corporation Group would be a single account listing all company personnel with access to any of the covered facilities within the company. The Corporate Group could have a single submitter to support all facilities or individual submitters from each of the covered facilities. The latter would allow for a person at each covered facility who was able to review all of the personnel for whom PSP data submissions had been made.
If the company set up separate Groups for each facility that would still allow the Corporate Group to be set up for personnel from headquarters that could be visiting any of the covered sites within the company and might require unaccompanied access as ‘visitors’. Unfortunately, there would be no one at the facility who could verify data submission on those personnel in the Corporate Group, because the local Submitter would not have access to the Corporate Group data and one person cannot be a Submitter in multiple Groups within the same company.
A way around this would be to make someone else at the local facility a Submitter on the Corporate Group. Another way around the problem would be for HR to forward a completed template spread sheet with the required information for those company personnel that might be visiting the covered facility for that facility Submitter to upload to the local facility Group.
Facility Turnaround Contractors
The new PSP CSAT tool provides an easy solution for the problem of facility turnaround contractors without having to require possession of a TWIC or HME. The Authorizer can set up a Group for the main contractor responsible for turnarounds with a Submitter from that contractor.
The contractor would then be responsible for uploading the individual data for all personnel who would be working on that site. The contractor could then provide a status report for that facility that showed that all personnel data had been submitted. That document would, of course, be a Chemical-terrorism Vulnerability Information (CVI) protected document. The facility could then prepare a sign-in/sign-out sheet to help keep track of the contractors on site. As long as the sheet did not reference the PSP program or PSP status, this would not be a CVI protected document.
Facilities that are going to allow vendors routine electronic access to physical components of control systems, building access systems, or security monitoring systems for maintenance purposes are going to have to include the vendor personnel who will have that access in their PSP program. This would require that they be set up as a separate Group on the PSP tool. Again the Authorizer would set up a vendor employee as a Submitter for that Group and establish an oversight Submitter from the company so that there would be someone in the company that could verify that data had been submitted.
In a couple of places above I have suggested that the Authorizer establish a company employee as an ‘oversight Submitter’ on Groups that are being used to submit data on personnel who are not company employees. The idea here is that there would be someone from the covered facility that could access the Group data on the PSP tool to verify that an individual’s data had been submitted to the PSP tool prior to allowing that person access to a covered facility.
This is somewhat complicated by the fact that a person can only be a Submitter on one group under a given Authorizer. Small facilities could quickly run out of people who could verify the PSP status on multiple contractor or vendor Groups.
What is really needed is for the tool to be modified by adding a PSP Reviewer position. A reviewer would typically be the Security Manager or person fulfilling that type role on a local basis. The Authorizer could then specify multiple Groups within the company that each reviewer would be authorized to access to verify the submission status of contractor, vendor or corporate personnel desiring unaccompanied access to the critical areas of the facility.
The way things are currently structured in the PSP tool there is only one person who has access to the PSP status of all personnel in multiple groups; the Authorizer. It does not make any kind of sense in having a corporate officer put in the position of potentially having to be available at all hours to verify that someone has been properly vetted through the PSP program.