Saturday, March 23, 2013

CFATS PSP – Data Submission Options

This is the second in a series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at the data submission options for vetting personnel against the Terrorist Screening Database (TSDB). The earlier post in the series is listed below.

The PSP Requirement

The CFATS program regulations require facilities to establish a personnel surety program (PSP) vetting process {6 CFR 27.230(a)(12)}. That program is required to perform four types of background checks on “facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets”. Those required checks are:

• Measures designed to verify and validate identity;
• Measures designed to check criminal history;
• Measures designed to verify and validate legal authorization to work; and
• Measures designed to identify people with terrorist ties.

Facility management has a wide degree of latitude in establishing the methodology for conducting the first three types of checks. The last measure “is an inherently governmental function and necessarily requires the use of information held in government-maintained databases that are unavailable to high-risk chemical facilities” (FR 17681). It is this vetting requirement that is addressed in this ICR notice.

Data Submission

The DHS Infrastructure Security Compliance Division (ISCD) has plans to introduce a new data collection application in the Chemical Security Assessment Tool (CSAT) to allow facility security managers or their designees to submit information to ISCD to complete the vetting process. This ICR, if/when approved by the Office of Management and Budget (OMB), serves as the approval of that application to collect the required information.

DHS outlines in this notice three different options that facilities will have for conducting the vetting of personnel against the government’s TSDB. Facilities will be able to use almost any combination of the three options in the establishment of their PSP that will be outlined in the facility site security plan.

The three options are:

• Option One - Direct Vetting
• Option Two - Use of Vetting Conducted Under Other DHS Programs
• Option Three - Electronic Verification of TWIC

Option One

Option One requires the most comprehensive submission of information to ISCD via the PSP application. The following information would be required for each individual vetted under Option One:

• For U.S. Persons (U.S. citizens and nationals as well as U.S. lawful permanent residents):
• Full Name
• Date of Birth
• Citizenship or Gender
• For Non-U.S. Persons:
• Full Name
• Date of Birth
• Citizenship
• Passport information and/or alien registration number

Interestingly, there is no requirement to supply biometric information (finger prints for instance) to verify the identity of the individual. Apparently ISCD believes that the identify verification requirements that the facility is already required to perform under other provisions of its PSP will be adequate to ensure that the information required above will be adequate to the task of vetting against the TSDB.

The PSP CSAT application will also allow the submission of the following information under Option One to help avoid misidentification of individuals:

• Aliases
• Gender (for Non-U.S. Persons)
• Place of Birth
• Redress Number

TSA has a program to allow people who believe that they have been improperly identified as having potential terrorist ties to have a more thorough investigation completed to correct the record. The ‘Redress Number’ provides a reference to that investigation to ensure that the same mistaken identification is not made again. This ‘Redress Number’ is probably the only item of information that the high-risk chemical facility is not already collecting in support of its personnel surety program.

Option Two

There are already a number of DHS programs that vet various people against the TSDB. Those programs include:

• Transportation Worker Identification Credential (TWIC) Program;
• Hazardous Materials Endorsement (HME) Program;
Free and Secure Trade (FAST); and

If individuals have already been vetted under one of these programs DHS does not need to complete the same level of investigation to ensure that they are not listed on the TSDB. All ISCD needs to do is to verify that the previous vetting is still current and valid. To do that the following information would need to be submitted via the PSP application:

• Full Name;
• Date of Birth; and
• Program-specific information or credential information, such as unique number, or issuing entity (e.g., State for Commercial Driver's License (CDL) associated with an HME).

Again, there would be provisions for submitting additional information to help to avoid misidentification of personnel. For Option 2 these include:

• Aliases
• Gender
• Place of Birth
• Citizenship

Option Three

When the original PSP ICR was submitted a couple of years ago one of the main industry complaints was having to submit information on personnel that had a TWIC. At the time ISCD maintained that they needed to collect the information to ensure that the TWIC was still valid. While this is still the justification for the use of Option 2, the availability of TWIC readers that have been validated by TSA provides a new alternative.

Option 3 would allow a “high-risk chemical facility (or others acting on their behalf) electronically verify and validate the affected individuals' TWICs through the use of TWIC readers (or other technology that is periodically updated using the Canceled Card List)”. It is not clear from the description in the notice whether this would require daily presentation of the card at the facility or whether it could be accomplished on a less frequent basis as a personnel action.

Option Four

While there is no official Option Four the notice does mention some ways that the high-risk chemical facility can limit the number of people that have to be vetted under the PSP. This discussion in the notice does not specifically state that it applies only to visitors (and perhaps contractors) since all facility employees are required by the CFATS regulations {6 CFR 27.230(a)(12)} to be vetted, whether or not they have unescorted access to restricted or sensitive areas of the high-risk facility.

The options outlined in the notice include:

• Restricting the numbers and types of persons whom they allow to access their restricted areas and critical assets, thus limiting the number of persons who will need to be checked for terrorist ties;
• Defining the restricted areas and critical assets in the SSPs or ASPs, thus potentially limiting the number of persons who will need to be checked for terrorist ties; or
• Choosing to escort visitors to restricted areas and critical assets in lieu of performing the background checks required by RBPS 12.

Combining Options

There is nothing in the notice that would even appear to suggest that a high-risk chemical facility is limited to just one of the options in establishing the terrorist link vetting portion of their PSP. In fact there are a number of areas where it is suggested that different classes of employees or visitors may be better covered by different options.

All a facility has to do in their site security plan (or alternative site security plan) is to outline how they will determine which class of employees will be addressed by each of the three options provided by the ISCD program. It will also have to address how it will ensure that all employees, and the contractors and visitors with unescorted access to restricted or sensitive areas are vetted through at least one of the options provided.

NOTE: I have taken the liberty of lumping ‘contractors’ with visitors in the above statement. The CFATS regulations do not specify how contractors will be treated in the vetting process. An argument could certainly be made that at many high-risk chemical facilities contractors are essentially employees since they will be working at the facility on a daily basis for long periods of time. Legalistically, however, a contractor is not an employee of the facility. The distinction should be clearly made in the facility site security plan to avoid possible repercussions down the line.

No comments:

/* Use this with templates/template-twocol.html */