Tuesday, June 14, 2011

CFATS Personal Surety Program Moves Forward

Today DHS published three notices in the Federal Register outlining the requirements for submitting data on personnel to DHS as part of the CFATS Personal Surety Program. These notices are:
● Reply to comments from the 30-day CFATS Personal Surety Program Information Collection Request (ICR) (76 FR 34720-34732; ICR Notice)

● Notice of the establishment of a Privacy Act system of records supporting the CFATS Personal Surety Program (76 FR 34732-34736; Privacy Act Notice)

● Notice of proposed rule making (NPRM) proposing a Privacy Act exemption for the CFATS Personal Surety Program system of records (76 FR 34616-34618; Privacy Act NPRM)

These three notices are part of the establishment of a system within CFATS to require covered high-risk chemical facilities to submit information to DHS to allow a determination of whether affected personnel are on the list of known/suspected terrorists, a check required by 6 CFR 27.230(a)(12)(iv). These notices are a legal follow-up to a 60-day ICR notice published on June 10th, 2009 (74 FR 27555) and the 30-day ICR notice published on April 13th, 2010 (75 FR 18850).

Affected Personnel

The ICR Notice outlines two classes of personnel that are covered by the requirement for a high-risk facility to submit personal identifying information to DHS to compare against the TSA Terrorist Screening Data Base (TSDB); these are known as ‘affected personnel’. Additionally, three classes of individuals are listed as being exempted from the terrorist ties screening requirement.

The affected personnel are:

● Facility personnel who have or are seeking access, either unescorted or otherwise, to restricted areas or critical assets; and

● Unescorted visitors who have or are seeking access to restricted areas or critical assets.

The first category caused more than a few complaints in the earlier comment process. Most people who objected to this read §27.230(a)(12) to mean that only people with unaccompanied access required the background checks, including the check for terrorist ties. Unfortunately, the wording of that section is quite clear; the term ‘facility personnel’ is not modified by any discussion of access, so it should apply to all facility personnel. Visitors, however, only require the background checks listed in this paragraph if they have “unaccompanied access to restricted areas or critical assets”.

The one vague area in this discussion is how to deal with contractors and vendors: are they visitors or facility personnel? DHS noted that this “determination should be a facility-specific determination, and should be based on facility security, operational requirements, and business practices”. The facility would outline how it handled the situation as part of its site security plan.

DHS addressed an issue that I have mentioned a couple of times here in this blog in discussing remote access to control systems computers. They specifically note that if “a networked computer system is listed as a restricted area or critical asset in an approved SSP, then individuals with access to that networked computer system would be affected individuals for purposes of RBPS-12”.

The three categories of personnel that are exempted from the background check requirements of RBPS 12, and thus the terrorist ties checks in particular, are:

● Federal officials that gain unescorted access to restricted areas or critical assets as part of the performance of their official duties;

● Law enforcement officials at the State or local level that gain unescorted access to restricted areas or critical assets as part of the performance of their official duties; and

● Emergency responders at the state or local level that gain unescorted access to restricted areas or critical assets during emergency situations.

There is an unfortunate distinction between how law enforcement and emergency response personnel receive their exemption. If an emergency responder is taking part in training or an exercise at a high-risk facility, the ICR Notice seems to indicate that they would require background checks since that is not ‘during emergency situations’. Law enforcement personnel would retain their exemption since they would clearly be in ‘the performance of their official duties’. I’m sure that DHS did not intend for this distinction to exist, but that is the way they wrote their notice.

Other Federal Credentials

There are a number of other Federal programs that require that personnel are vetted against the TSDB. These include:

● Transportation Worker Identification Credential (TWIC) program,

● Hazardous Materials Endorsement (HME) program,

● NEXUS program,

● Secure Electronic Network for Travelers Rapid Inspection (SENTRI) program, or

● Free and Secure Trade (FAST) program.

DHS will ‘accept’ the credentials from these programs, but will still require the facility to submit data to allow DHS to check that the credentials are still current and valid. A slightly different set of data will be acceptable for checking these credentials and a facility is not required to accept these alternative credentials.


While we won’t know the details of the procedure until the appropriate manuals are published, the ICR Notice provides an overview of how the personal surety program will work. DHS will develop a Personal Surety Program tool in CSAT. As with the other tools in CSAT, facility management will designate a submitter and other agents to enter data into the tool. Once the data has been submitted and checked by DHS for format and completeness of data, DHS will provide the facility with an acknowledgement of receipt of the data; facilities will use those acknowledgements to demonstrate compliance with the submission requirement for RBPS 12.

Facilities will be able to use a third party background check vendor to submit data in the personal surety tool in CSAT, by designating an individual from that vendor in the appropriate role in CSAT for that tool. Companies with multiple CFATS facilities could consolidate their submission at the corporate level using the same technique; though the individual facility would have to be identified as a place where the individual would have access. Presumably the tool would be designed to make that a relatively simple operation.

Once the data is submitted and checked, DHS will send it to TSA’s Office of Transportation Threat Assessment and Credentialing (TTAC) for an initial check against the TSDB for potential terrorist ties. If a match occurs at this point, TSA will forward the data to the FBI’s Terrorist Screening Center (TSC) for a final determination of whether the individual has been identified as someone with known or suspected terrorist ties.

DHS still maintains that they will not routinely notify a facility if a submitted name comes up as a match through this system. They insist that it could compromise an investigation if routine notice were provided to the facility or the individual prematurely.

This is the main reason for DHS to publish the Privacy Act NPRM today. Privacy Act rules would normally require individuals to be informed when personal information was collected and adverse information was placed into the record. DHS is claiming one of the standard law enforcement exemptions to that Privacy Act communication requirement in their NPRM Notice.

Program Comments

The public comment process has now been completed on the Information Collection Request with the publication of this reply to the 30-day Notice. The Privacy NPRM has a 30-day comment period that starts today. Comments on that NPRM can be made on the Federal eRulemaking Portal (http://www.regulations.gov/; Docket Number DHS-2011-0033). Those comments should be filed by July 14, 2011.

I would expect the Office of Management and Budget to make their final ruling on the acceptability of the ICR within the 30-day comment period of the NPRM. Then all that would remain to allow implementation of the program would be the publication of the final rule on the Privacy Act exemption. That process could go fairly quickly and we could have a new CSAT manual covering this new tool being published as early as late July or early August (hopefully this year).

1 comment:

Bob Burbach said...

If you want easier-to-read links to the regulations they are available at federalregister.gov - you can even subscribe to an agency's documents or custom searches there.

For comparison here are the links on federalregister.gov:

