Thursday, June 11, 2009

CFATS Personnel Surety Program ICR

Yesterday DHS published a notice in the Federal Register about the initiation of a new information collection request. The publication of such ICR’s is a fairly routine occurrence and I frequently mention chemical security related ICR’s in a brief posting in this blog. This particular ICR is going to get much more than a routine treatment in this blog; it is directly related to CFATS and Site Security Plans and it is more than a little unusual. Also, this is the first ‘60-day notice’ and a request for comments; this does not actually count as the filing of the ICR with the OMB.

Screening for Terrorist Ties

In this ICR notice the National Protection and Programs Directorate is announcing a new program of collecting information on individuals working at high-risk chemical facilities in support of the requirements of RBPS #12, Personnel Surety {6 CFR 27.230(a)(12)}. Sub-paragraph (iv) of that section requires facilities to address “measures designed to identify people with terrorist ties” among “facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets”.

DHS is proposing to establish a new CSAT tool to allow high-risk facilities to submit ‘personally identifiable information’ (PII) on facility personnel and unescorted visitors so that the Federal Government can check to see if those personnel appear on the “integrated terrorist watch list maintained by the Federal Government in the Terrorist Screening Database (TSDB)” So far, so good; a high-risk facility will prepare a list of employees and contractors with routine access to ‘restricted or secure areas’ of the facility.

They will require those individuals to provide PII (probably full name, SSN and possibly biometric data) to the facility management. The Facility will enter that data into a secure, on-line application that will become another tool in the Chemical Security Assessment Tool. TSA (they ‘own’ the TSDB) will then check that PII against the entries in the database. Any apparent matches will be turned over to the Terrorist Screening Center (TSC) for final determination of whether or not the indicated individual is actually on the TSDB.

The submitting facility would not be notified by DHS of the results of the TSDB screening. What they will receive is a ‘Verifications of Submission’ that will be used to demonstrate compliance with the ‘terrorist ties’ requirement of risk-based performance standards. Any potential terrorists or personnel with suspected terrorist ties identified by this screening will be identified to an appropriate Federal law enforcement agency for further investigation and/or action. The facility may be contacted by that law enforcement agency as part of their investigation. One final note on the RBPS 12 requirements; DHS is making it clear that this new CSAT Tool will have no affect on the other background checks required under 6 CFR §27.230(a)(12). Facilities will still have to address the issues of identity, criminal history, and authorization to work in their Site Security Plan.

Paperwork Reduction Act Exemption Request

DHS notes that they intend to request an exemption from certain notification requirements of the Paperwork Reduction Act. Those provisions {5 CFR 1320.8(b)(3)} require that “affected individuals whose PII is submitted by high-risk chemical facilities be notified of the reasons for the collection, be notified how the information will be used, be given an estimate of the average burden associated with the collection, and be notified whether responses to the collection are voluntary or mandatory)” (74 FR 27556). Instead, DHS intends to provide a general notification to potentially affected chemical workers via a series of Federal Register notices. Those notices will include:
A specific Privacy Impact Assessment; A specific System of Records Notice; The proposed exemptions for disclosure as required by the Privacy Act; and The final exemptions for disclosure as required by the Privacy Act.
Additionally, DHS will shift the burden of specific notification that the information is being collected and submitted to the high-risk chemical facility. The notice says that they intend to require the individual facility to explain how they will complete their personnel notifications as part of their Site Security Plan submission. Actually this is already included in the SSP; on page 250 of the Questions Manual question number 18.32-18804 asks:
“Will the facility provide notification to facility personnel, and as appropriate unescorted visitors, with access to the restricted areas or critical assets that personal information about them has been or will be submitted to DHS to determine if they have terrorist ties?”
This Federal Register Notice specifically states that this intended request for exemption will not “exempt high-risk chemical facilities from having to adhere to applicable Federal, State, local, or tribal laws, regulations or policies pertaining to the privacy of facility personnel and the privacy of unescorted visitors.”

Request for Comments

The major purpose for this Notice, besides notifying the ‘affected community’ of the initiation of the ICR process, is to request feedback from that community (high-risk chemical facilities and their employees and contractors). OMB has a standard list of questions that they would like to see addressed in any ICR, but DHS is looking for some additional information. DHS is looking for comments that (74 FR 27556):
“Respond to the Department's interpretation of the population affected by RBPS 12 background checks outlined in 6 CFR 27.230(a)(12); “Respond to fact that a Federal law enforcement agency may, if appropriate, contact the high-risk chemical facility as a part of a law enforcement investigation into terrorist ties of facility personnel; and “Respond to the Department on its intention to seek an exception to the notice requirement under 5 CFR 1320.8(b)(3).”
Comments may be submitted electronically at, citing docket number DHS-2009-0026. Comments need to be submitted by August 10th, 2009. This will be one of those dockets where I will be tracking and reporting on the comments posted.


mvincenti said...

Is the background screening for CSAT tool more detailed that for that of TWIC? I am just curious as to whether the same types of procedures are being used for background checks both CFATS and TWIC. I did a quick google search to see if I could find the criteria used to check a TWIC applicant's background without success.

Anonymous said...

No, it's not. It's the same check. And the TWIC will take care of the other requirements under RBPS 12 (background checks essentially) but not this check TSDB check because they are looking to tie persons back to the site where they work.

Also, the PII includes name, home address, phone number, physical description and visa info if applicable.
The details aren't available in the Federal Register notice, but the department is holding meetings with an outline of what they're thinking and making that information available to these certain groups.

Anonymous said...

It's good to know that there are lots of different types of employee background checks. That way you only need run a check on the things that concern your type of business.

/* Use this with templates/template-twocol.html */