Monday, August 17, 2009

CFATS Background Check ICR Comments – 07-14-09

Last Monday marked the requested end of the comment period on the proposed DHS CSAT Personnel Surety Program information collection request (ICR) filing. These ICR filings seldom garner many comments, but the CFATS background check program broke that standard with twelve comments in the last week. Comments were received from:

Institute of Makers of Explosives;
Compressed Gas Association;
American Trucking Association;
American Air Liquide USA;
First Advantage Background Services Corp;
Industrial Safety Training Council;
International Society of Explosives Engineers;
American Chemistry Council;
International Liquid Terminals Association;
National Petrochemical and Refinery Association; and
American Petroleum Institute

Institute of Makers of Explosives Comments 

The IME expressed their disappointment that ISCD “implement this regulatory requirement through an ICR to OMB”. IME also requested that ISCD formally implement the reciprocity of background checks outlined in the Risk-Based Performance Standards Guidance (Guidance) document. Specifically, IME would like to see that reciprocity extended to ATF background checks. IME would like to see ISCD notify facilities when individuals fail the TSDB check. IME believes that an individual’s possession of a TWIC should relieve the facility of the responsibility of submitting that individual’s information for the TSDB check. IME believes that the information provided in the ICR notification is inadequate to completely evaluate the proposed program.

Compressed Gas Association Comments

The CGA objects to the apparent inclusion of facility personnel, regardless of whether or not they have unescorted access to restricted areas, in the background check requirement. CGA suggests that the requirement for periodic updates of PII reports be changed to an annual requirement. CGA recommends that DHS develop and publish a procedure for appealing disputed background check findings. CGA recommends that DHS allow facilities to use a third-party vendor of background check services to submit the PII for the TSDB check.

American Trucking Association Comments

The ATA recommends that the Guidance document specifically state that DHS identification that requires TSDB background checks is an acceptable substitute for background checks by the facility. ATA recommends that the CSAT Personnel Surety Tool include provisions for inputting the name, type of credential and ID number for personnel who hold DHS-vetted IDs in lieu of submitting PII for those individuals.

BP Comments

BP objects to the potential inclusion of physical description information in the PII submission requirements. BP suggests that large facilities be allowed to upload a file containing PII rather than manually enter each individual’s PII into the CSAT tool. BP recommends that third-party vendors of background check services be allowed to enter PII data for the facility. BP objects to the expansion of the list of personnel required to undergo a TSDB check to include all facility personnel (employees and contractors) regardless of whether or not they have unrestricted access to critical areas in the facility.

American Air Liquide USA Comments

ALUSA objects to the inclusion of facility personnel without unescorted access to critical areas in the requirement for conducting a TSDB check. ALUSA suggests that DHS should notify the facility and individual in the event that a TSDB check results in an adverse determination. This would allow the individual to initiate an appropriate appeals process and the facility to restrict individual access pending resolution of the appeal. ALUSA recommends that third parties be authorized to assist facilities in the submission of PII. ALUSA is concerned about the PII update requirements since the actual PII to be included has not yet been officially defined. ALUSA does recommend that PII should be limited to that necessary for the TSDB check and be allowed to be updated on an annual basis.

First Advantage Background Services Corp Comments

FABSC suggests that third-party vendors be allowed to submit PII on behalf of covered facilities. They note that background check service providers are fully cognizant of the legal requirements for the protection of PII and already have compliance procedures in place.

Industrial Safety Training Council Comments

ISTC supports the inclusion of all facility personnel, including contractors, in the population requiring TSDB check, regardless of their access status for critical areas of the covered facility. ISTC suggests that third-party vendors be allowed to collect and submit PII on behalf of covered facilities. ISTC notes that DHS already allows such vendors to submit data for TWIC.

International Society of Explosives Engineers Comments

ISEE supports the comments submitted by IME.

American Chemistry Council Comments 

The ACC objects to the expansion of covered individuals to include facility personnel with only escorted access to critical areas of the facility. ACC questions whether ISCD has accurately identified the internal resources required to implement this program. ACC recommends that DHS establish procedures for notifying the individual and covered facility when an adverse determination is made as a result of the TSDB. ACC notes that many companies would prefer to conduct background checks on a company-wide basis instead of on a facility basis due to the frequent movement of personnel through multiple covered facilities. ACC questions how DHS can establish an adjudication process when they are not notifying personnel or facilities when an adverse determination is made. ACC objects to the inclusion of a compliance statement with regards to state, local and tribal privacy laws.

International Liquid Terminals Association Comments

The ILTA suggests that DHS provide TSDB cleared individuals with appropriate identification so that company employees that have undergone the check will not have to have their PII re-submitted when they work at another covered facility. ILTA recommends that resubmission of PII only be required every 3 to 5 years. ILTA suggests that all four RBPS ‘required’ background checks be handled through the same DHS CSAT tool. ILTA objects to the proposed exemption to Paperwork Reduction Act requirements. ILTA recommends that the TSA directly accept data from covered facilities rather than requiring submission through ISCD. ILTA believes that the 35 min/PII submission may grossly underestimate the time burden. ILTA suggests that ISCD adopt the TWIC program or initiate a similar program.

National Petrochemical and Refinery Association Comments

The NPRA notes that PII requirements outlined in separate ISCD presentations include substantially more PII than briefly outlined in the ICR and suggests that those expanded requirements are not justified. NPRA objects to the requirement to re-submit PII data on TWIC holders. NPRA objects to the lack of clear definition of ‘critical assets’ and ‘restricted areas’. NPRA questions the advisability of using third-party vendors because of potential CVI, security and privacy issues. NPRA suggests that DHS establish time limits for initial data submission. NPRA objects to the proposed policy of not notifying facilities when an adverse determination is made during the TSDB check. NPRA objects to the proposed exemption to the Paperwork Reduction Act. NPRA is concerned about the definition of personnel for whom a TSDB check is required, noting that there are at least two disparate discussions of which facility personnel are covered.

American Petroleum Institute Comments 

The API is concerned about the lack of a clear definition of PII in the ICR. API suggests that personnel vetting be tied to the individual not the facility, similar to the process used by the TWIC program. API is concerned that without notifying the individual of adverse TSDB determinations, there exists the possibility that individual liberties may be affected. API believes that the requested Paperwork Reduction Act exemption is unwarranted. API suggests that unnecessary duplication of TSDB check efforts may be avoided by requiring ISCD to use the TWIC process.

My Comments on Comments

There is near-universal objection to the coverage of facility personnel without unescorted access to critical areas of the facility. The only two commenters that did not object to the expansion of coverage were background check service providers, and only one of them ‘supported’ the expansion. Such service providers would have a vested interest in expanding the list of personnel to be checked even if they are not allowed to do the TSDB PII submission, since three other database searches would presumably be required for the personnel.

The one point that was not discussed in any of the objections was how the facility stopped employees without unescorted access from accessing the critical or restricted areas of the facility. DHS will make that determination during the review of the Site Security Plan. Where adequate controls are in place DHS need not ‘require’ that facilities conduct TSDB checks on personnel without unescorted access. Where adequate controls do not exist, there are no employees that should be exempt from such checks.

The idea of allowing facilities to use service providers to submit PII information certainly makes sense. Presumably the same providers are doing the other background checks for the facility so they would already have the required information. The point made by FABSC that they already have the data protection processes in place is an important point to consider. API’s objection to the use of such vendors based on CVI or CSAT security concerns ignores the way that ISCD has used the CSAT registration process. Presumably ISCD would develop another category of user that is just authorized to submit data for TSDB checks. Those users would still have to be verified by the Authorizer and would only be allowed data submission access and would not be able to access other information in CFATS.

I have already expressed my opposition to not notifying facilities and individuals when adverse determinations result from the TSDB. I did find it interesting that an industry group (API) and not a labor group raised an individual’s right to redress as a reason to oppose not notifying individuals of an adverse determination; shame on organized labor. The problem of individuals working at multiple facilities provides a good example of why public comments are so necessary to the regulatory process. Having worked in a company where I provided support to at least two different manufacturing facilities and worked in an R&D lab, all of which might have been covered facilities under CFATS regulation, I can testify that I had unescorted access to critical areas of all three facilities. It would have made much more sense to have a single company background check instead of three separate checks. Furthermore, there were contractors that worked at all three facilities that also had access to certain critical areas in these facilities and a large number of other potentially covered facilities. Having a single clearance procedure with its attendant identification card would make the security vetting process much more efficient. The only problem is how to verify that the card is ‘good’ and the individual possessing the card is the vetted individual. This is a problem that is being discussed separately in the TWIC Reader regulation process underway at TSA.

It will be interesting to see how DHS deals with these comments in preparing their actual ICR submission to OMB. We can expect to see that in the coming weeks.
