This morning the DHS Infrastructure Security Compliance Division (ISCD) updated the frequently asked question list on the CFATS Knowledge Center. There was no accompanying notice in the ‘Latest News’ section of the landing page, but three new FAQ’s were added and an older FAQ dating back to 2008 was updated.
Two of the FAQs deal with Chemical-terrorism Vulnerability Information (CVI) and the other two deal with compliance inspections for facilities that utilized the Expedited Approval Program (EAP). The four FAQ’s in question are:
#1490 Do all of the employees involved in filling out the Security Vulnerability Assessment (SVA) at my facility have to be Chemical-terrorism Vulnerability Information (CVI) Authorized Users?
#1770 Can Chemical-terrorism Vulnerability Information (CVI) be released under the Freedom of Information Act (FOIA)?
#1771 What documentation will I be asked to provide or make available for the inspector during an Expedited Approval Program (EAP) Compliance Inspection (CI)?
#1772 Who will conduct the Chemical Facility Anti-Terrorism Standards (CFATS) Compliance Inspections for facilities in the Expedited Approval Program (EAP)?
The response to #1490 deals with the fact that information is only covered under the CVI rules when it is specifically associated with the CFATS program. Much of the information submitted to ISCD via the Chemical Security Assessment Tool (CSAT) is normal business information that is routinely used outside of the CFATS program. Things like the facility address, inventory levels and the like are only considered CVI once they have been entered into the CSAT, and even then only in association with the CSAT forms (either paper or electronic copies).
Anyone that handles CVI material must be a CVI Authorized User (completed the on-line CVI training and have a need-to-know). The actual data being input to the CSAT tool is CVI so anyone doing that entry must be a CVI Authorized User. Upstream of that data entry, during the data collection process, the question is murkier so the FAQ response suggest contacting the CFATS Help Desk for help in making an exact determination.
The response to #1770 explains that CVI is exempted from disclosure under the Federal Freedom of Information Act (FOIA) as well as State and local versions of that law under provisions of 6 USC 623(e) and 6 CFR §27.400(g). It goes on to explain that State and local FOIA requests for CVI information should be forwarded to the DHS Information Management and Disclosure Office, (NPPD.FOIA@hq.dhs.gov).
EAP Compliance Inspection FAQs
The response to #1771 explains that a compliance inspection under the EAP will be looking for the same information that compliance inspection under the standard site security plan (SSP) would be looking for. Not mentioned in the ISCD response is another ISCD document that briefly outlines what to expect from a CFATS inspection.
The response to #1772 explains that while ISCD is allowed to use a mixture of governmental and non-governmental inspectors [authorized by 6 USC 622(d)(1)(B)], that they are currently only using government employees, known as Chemical Security Inspectors (CSI).