This is the second in a series of blog posts about the CFATS
Personnel Surety Program that was described in a 60-day information collection
request (ICR) notice in Friday’s Federal Register. This post will look at the
data submission options for vetting personnel against the Terrorist Screening
Database (TSDB). The earlier post in the series is listed below.
The PSP Requirement
The CFATS program regulations require facilities to
establish a personnel surety program (PSP) vetting process {
6
CFR 27.230(a)(12)}. That program is required to perform four types of
background checks on “facility personnel, and as appropriate, for unescorted
visitors with access to restricted areas or critical assets”. Those required checks
are:
• Measures designed to verify and validate
identity;
• Measures designed to check criminal
history;
• Measures designed to verify and validate
legal authorization to work; and
• Measures designed to identify people
with terrorist ties.
Facility management has a wide degree of latitude in
establishing the methodology for conducting the first three types of checks.
The last measure “is an inherently governmental function and necessarily
requires the use of information held in government-maintained databases that
are unavailable to high-risk chemical facilities” (
FR 17681). It is
this vetting requirement that is addressed in this ICR notice.
Data Submission
The DHS Infrastructure Security Compliance Division (ISCD)
has plans to introduce a new data collection application in the
Chemical Security
Assessment Tool (CSAT) to allow facility security managers or their
designees to submit information to ISCD to complete the vetting process. This
ICR, if/when approved by the Office of Management and Budget (OMB), serves as
the approval of that application to collect the required information.
DHS outlines in this notice three different options that
facilities will have for conducting the vetting of personnel against the
government’s TSDB. Facilities will be able to use almost any combination of the
three options in the establishment of their PSP that will be outlined in the
facility site security plan.
The three options are:
• Option One - Direct Vetting
• Option Two - Use of Vetting Conducted Under Other DHS
Programs
• Option Three - Electronic Verification of TWIC
Option One
Option One requires the most comprehensive submission of
information to ISCD via the PSP application. The following information
would be required
for each individual vetted under Option One:
• For U.S. Persons (U.S. citizens
and nationals as well as U.S. lawful permanent residents):
• Full Name
• Date of Birth
• Citizenship or Gender
• For Non-U.S. Persons:
• Full Name
• Date of Birth
• Citizenship
• Passport information and/or alien
registration number
Interestingly, there is no requirement to supply biometric
information (finger prints for instance) to verify the identity of the
individual. Apparently ISCD believes that the identify verification
requirements that the facility is already required to perform under other
provisions of its PSP will be adequate to ensure that the information required
above will be adequate to the task of vetting against the TSDB.
The PSP CSAT application
will also allow
the submission of the following information under Option One to help avoid
misidentification of individuals:
• Aliases
• Gender (for Non-U.S. Persons)
• Place of Birth
• Redress Number
TSA has a program to allow people who believe that they have
been improperly identified as having potential terrorist ties to have a more
thorough investigation completed to correct the record. The ‘
Redress Number’ provides
a reference to that investigation to ensure that the same mistaken
identification is not made again. This ‘Redress Number’ is probably the only
item of information that the high-risk chemical facility is not already
collecting in support of its personnel surety program.
Option Two
There are already a number of DHS programs that vet various
people against the TSDB. Those
programs include:
• Transportation Worker Identification
Credential (TWIC) Program;
• Hazardous Materials Endorsement
(HME) Program;
If individuals have already been vetted under one of these
programs DHS does not need to complete the same level of investigation to
ensure that they are not listed on the TSDB. All ISCD needs to do is to verify
that the previous vetting is still current and valid. To do that the following
information
would
need to be submitted via the PSP application:
• Full Name;
• Date of Birth; and
• Program-specific information or
credential information, such as unique number, or issuing entity (e.g., State
for Commercial Driver's License (CDL) associated with an HME).
Again, there would be provisions for submitting
additional information
to help to avoid misidentification of personnel. For Option 2 these include:
• Aliases
• Gender
• Place of Birth
• Citizenship
Option Three
When the original PSP ICR was submitted a couple of years
ago one of the main industry complaints was having to submit information on
personnel that had a TWIC. At the time ISCD maintained that they needed to
collect the information to ensure that the TWIC was still valid. While this is
still the justification for the use of Option 2, the availability of TWIC
readers that have been validated by TSA provides a new alternative.
Option 3
would allow a “high-risk
chemical facility (or others acting on their behalf) electronically verify and
validate the affected individuals' TWICs through the use of TWIC readers (or
other technology that is periodically updated using the Canceled Card List)”.
It is not clear from the description in the notice whether this would require daily
presentation of the card at the facility or whether it could be accomplished on
a less frequent basis as a personnel action.
Option Four
While there is no official Option Four the notice does mention
some ways that the high-risk chemical facility can limit the number of people
that have to be vetted under the PSP. This discussion in the notice does not
specifically state that it applies only to visitors (and perhaps contractors)
since all facility employees are required by the CFATS regulations {
6
CFR 27.230(a)(12)} to be vetted, whether or not they have unescorted access
to restricted or sensitive areas of the high-risk facility.
• Restricting the numbers and types
of persons whom they allow to access their restricted areas and critical
assets, thus limiting the number of persons who will need to be checked for
terrorist ties;
• Defining the restricted areas and
critical assets in the SSPs or ASPs, thus potentially limiting the number of
persons who will need to be checked for terrorist ties; or
• Choosing to escort visitors to
restricted areas and critical assets in lieu of performing the background
checks required by RBPS 12.
Combining Options
There is nothing in the notice that would even appear to
suggest that a high-risk chemical facility is limited to just one of the
options in establishing the terrorist link vetting portion of their PSP. In
fact there are a number of areas where it is suggested that different classes
of employees or visitors may be better covered by different options.
All a facility has to do in their site security plan (or
alternative site security plan) is to outline how they will determine which
class of employees will be addressed by each of the three options provided by
the ISCD program. It will also have to address how it will ensure that all
employees, and the contractors and visitors with unescorted access to
restricted or sensitive areas are vetted through at least one of the options
provided.
NOTE: I have taken the liberty of lumping ‘contractors’ with
visitors in the above statement. The CFATS regulations do not specify how
contractors will be treated in the vetting process. An argument could certainly
be made that at many high-risk chemical facilities contractors are essentially
employees since they will be working at the facility on a daily basis for long
periods of time. Legalistically, however, a contractor is not an employee of
the facility. The distinction should be clearly made in the facility site
security plan to avoid possible repercussions down the line.