This is part of an on-going series of blog posts about the new Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety plan (PSP) User Manual. This manual sets forth the instructions for using the new PSP tool in the on-line Chemical Security Assessment Tool (CSAT). Other blogs in this series include:
Rules of Behavior Overview
Before we can start to talk about access to the PSP tool a new concept needs to be addressed; the DHS CSAT Personnel Surety Application Rules of Behavior (ROB). Because personnel with access to the PSP tool will be dealing with personally identifiable information there are certain rules of behavior that DHS has established as part of its Privacy Impact Assessment (PIA) that covers the operation of the PSP tool. The rules of behavior are spelled out in Attachment 3 to the PIA. Whenever an authorized user accesses the PSP tool they will be required to review and acknowledge the ROB as part of the sign-on process.
The ROB includes the following sections:
• Application access;
• Data Protection; and
• Incident reporting.
Access and Passwords
The first two sections in the ROB are items about which every CSAT user should already be aware. The CSAT tool is on a Federal government computer system and access is provided for specific reasons. Unauthorized access or unauthorized use beyond what is specifically required is prohibited.
The use of a password is required to access that system and DHS has set standards for passwords and their protection. There is nothing really new here as the same passwords are used for access to all parts of the CSAT tool to which a user is authorized access.
CSAT users should be well versed in the information protection standards for Chemical-Terrorism Vulnerability Information (CVI). Unlike other portions of the CSAT tool, the information in the PSP tool is not specifically protected by the CVI standards. Instead the DHS rules for protecting personally identifiable information apply to the information in the PSP Tool. The DHS Handbook outlining these required protections can be found here.
That 30-page Handbook is the governing document for PII data protection but the ROB specifically highlights four specific standards:
• Encrypt or password-protect electronic files containing sensitive PII.
• When there is a need to print, copy, or extract sensitive PII from a larger data set,
limit the new data set to include only the specific data elements needed to perform
the task at hand.
• Physically secure sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe)
when not in use or not otherwise under the control of a person with a need-to-know.
• If there is a need to create duplicate copies of sensitive PII (e.g., a PDF Report of
detailed PII about affected individuals) to perform a particular task or project,
delete or destroy any copies (e.g., using a shredder) when they are no longer needed.
The DHS handbook should be referred to for more details about requirements for protecting PII:
• In the office, or while traveling or teleworking
• On a portable electronic device, such as a Blackberry, laptop, or USB flash drive
• When emailing, faxing, or by other electronic transfer
• When mailing externally, overseas and inter-office
• When storing on a shared drive or SharePoint
The CFATS program has specific requirements for reporting security incidents at covered facilities. The incident reporting standards in the ROB are separate from the standard CFATS reporting requirements because the ROB, again, is dealing with separate security requirements for PII. Some of the ROB incidents may require dual reporting under both standards.
The ROB requires reporting for two types of security incidents. Both types of incidents would be reported to the CFATS Help Desk (866-323-2957). The two types of incidents are:
• IT security incidents; and
• Privacy incidents
IT security incidents involve the compromise of CSAT username and password. It appears that the only user that would have the same password for the PSP tool and other CSAT tools would be the Authorizer. That should mean that the only IT security incident under the ROB that would also be a CFATS incident would be the compromise of the Authorizer’s username and password.
Privacy incidents would include the compromise or suspected compromise of personally identifiable information entered into or copied from the PSP tool. This would include PII emailed to the facility by ISCD. It would not seem that the information collected by the facility to complete the PSP submission would be considered in privacy incidents in the ROB, though it would still be covered by Federal, State and local privacy statutes.
With this understanding of the ROB, authorized users can access the PSP tool. I’ll discuss that access in a future blog post.