Saturday, October 4, 2008

Sharing CVI in the Private Sector

When DHS released its new CVI Procedures Manual earlier this month one of the thing that they intended to do was to replace “the previous suggested models for access and disclosure of CVI within and between private and public entities with new, more effective models”. Today we will take a look at the ‘new, more effective models’.




Before we can understand any discussion about CVI access and disclosure we need to understand what DHS means by certain terms. There are three critical terms that are used throughout CVI Manual: Authorized User, Covered Person, and Need to Know.


An Authorized User (page 5) is any “person who has:


  • “completed DHS on-line CVI training, which includes obtaining an Authorized User number, or equivalent measures approved by DHS; and
  • “complied with any background checks or other requirements for personal identification or trustworthiness that DHS may require under 6  CFR §§ 27.400(e)(2)(iii) and 27.400(e)(3).”

A Covered Person (page 5) is “anyone who:


  • “has a ‘need to know’ as described in 6 CFR § 27.400(e), or
  • “otherwise receives or gains access to what they know or should reasonably know constitutes CVI.”

The Need to Know is a determination that a prospective recipient requires accessto specific CVI to perform or assist in a lawful and authorized function. A person has a need to know (page 10) “when:


  • “that person requires access to specific CVI to carry out chemical facility security activities approved, accepted, funded, recommended, or directed by DHS,
  • “that person needs the CVI to receive training to carry out chemical facility security activities approved, accepted, funded, recommended, or directed by DHS,
  • “that person needs the CVI to supervise or otherwise manage individuals carrying out chemical facility security activities approved, accepted, funded, recommended, or directed by DHS,
  • “that person needs the CVI to provide technical or legal advice to a covered person , who has a need to know that CVI, regarding chemical facility security requirements of Federal law”.
NDA is No Longer Needed


In the old CVI Manual the definition of an Authorized User included the requirement for that individual to have a non-disclosure agreement (NDA) on file with DHS. That NDA was completed as part of the on-line CVI Training Program. DHS did not issue an Authorized User Certificate/Number until it had received that NDA.


In the current CVI Manual DHS has removed that requirement. They decided that regulation requiring non-disclosure was adequate to the task, though they have reserved the right {contained in 6 CFR § 27.400(e)(2)(iii)} to require a signed NDA at some future time if they deem it necessary.


Facilities are still completely within their right to require that employees, contractors and other private or corporate entities sign an NDA prior to disclosing company data to include CVI. DHS is still requiring that their contractors (companies and individuals) sign an NDA as a prerequisite to working with DHS.


Disclosing CVI


Whether or not the disclosure of CVI is authorized depends on three general rules (page 11);


  • “CVI may only be disclosed to Authorized Users with a need to know.
  • “A need to know should be assessed on a case-by-case basis (including an individualized assessment of the documents involved).
  • “A covered person in possession of CVI should take reasonable steps to confirm that any individual seeking access to CVI is an Authorized User and has a need to know.”

Disclosure of CVI to personnel within the high-risk chemical facility is governed by these rules. This means that someone at the facility should maintain a list or roster of personnel that are Authorized Users. That can be done at smaller facilities by keeping a simple file of Authorized User Certificates. At larger facilities an actual list of names will be more useful, though the facility should still maintain the file of certificates. It should be noted that neither the list nor the supporting certificates are considered to be CVI.


Disclosure of CVI to personnel outside of the facility becomes a bit more problematic. Contractors and consultants should be required to provide copies of their certificates as a prerequisite to working on any security related jobs. Contracts should specify that only Authorized Persons within that organization would see and or handle CVI.


Anyone else presenting a legitimate request for CVI (management above the facility level, bankers or insurance agents verifying security status, accreditation agencies, etc) should be required to present copies of certificates or provide Authorized User numbers issued by DHS.


Verify Authorized User Status


Certificates/numbers should be verified with DHS. The old CVI Manual provided that contacting the Help Desk (866-323-2957 or for confirmation. Appendix B of the new CVI Manual offers this as an option while other areas of the manual suggests contacting the “DHS chemical facility security inspector working with the facility” (page 9 for example).


Actually I find this recommendation kind of surprising. The way I understand that these inspectors will be working I would think that it would be very difficult to track down and talk with that inspector. With the number of facilities that each inspector will be dealing with they will be spending most of their time on the road. Even if a facility has been given the cell phone number or email address of the inspector, the inspector is not going to have the time or resources to verify authorized user status. Contacting the Help Desk seems to me to be a much more reasonable exercise.


Notifying DHS of Disclosure


The old CVI Manual required that any time that a facility shared/disclosed CVI data with someone outside of the facility that DHS had to be notified. The new manual no longer requires this (page 12) nor does it require the use of a CVI Tracking Log. The new CVI Manual does recommend the use of such a log and even provides information about how such a log might be set up (Appendix D).


DHS must still be notified about any unauthorized or suspected unauthorized disclosure of CVI. Again the Help Desk or the DHS chemical facility security inspector is given as the point of contact for such notification. More over, DHS wants to be notified even if a non-Authorized User requests access to CVI.

Tags: , ,

No comments:

/* Use this with templates/template-twocol.html */