This is part of an ongoing series of blog posts about the
recently published 30-day
information collection request (ICR) published in the Federal Register by
DHS. This ICR would support the long overdue personnel surety program
requirements for the Chemical Facility Anti-Terrorism Standards (CFATS)
program. Earlier posts in the series include:
In the previous post in the series I briefly discussed the
roll of background check agencies in the PSP process as described (in passing)
in the ICR. A reader asked me to expand on the idea so in this post I’ll take a
more detailed look at how BGCAs will fit into the PSP processes.
Visitors
One of the major problems that many commenters have had with
the PSP process outlined in the ICR is the issue of visitor’s being vetted 48
hours before they are given unescorted access to the facility. There are a wide
number of folks that periodically visit chemical facilities to provide a wide variety
of services. Some of these personnel are asked in on extremely short notice to
provide high value services.
While the facility could get around the PSP vetting rules by
providing vetted escorts for these visitors, this is frequently not a realistic
option given the limited number of personnel working at many of these
facilities. Relying on the escort provisions of the vetting rules would end up
in many cases where there is escort in name only and facility managers are
smart enough to realize this in advance of the situation arising.
Organizations that routinely provide these types of services
could register with the folks at DHS as a sort of BGCA. The PII for their field
support personnel would be entered into the PSP tool and would be linked with
all of the covered chemical facilities that they had support contracts with.
When the vendor linked an employee’s information to a covered facility, that facility
would be notified by ISCD that the vetting information had been provided to
DHS.
In the event that one of the employees at one of these
vendors had to be assigned to a new facility on short notice, it would not be
problem as long as their PII had already been submitted to ISCD. As long as
there was enough time for ISCD to notify the facility that the person’s
information had been submitted, the visitor would be properly vetted.
Facilities would have to have some way to identify these
individuals when they arrived at the facility gate. This process could easily
be established by the vendor emailing a copy of their employee’s corporate ID to
the facility security manager in advance of visitor’s arrival. This information
could be provided to the gate personnel as part of a daily expected visitors
list. Checking the identification against that list would provide the means for
closing the loop on the vetting process.
Truck Drivers
Most chemical facilities see a daily parade of local and
long haul truck drivers picking up and delivering materials at the facility. In
many cases it is not possible to keep those trucks away from critical areas of
the facility and it is typically going to be difficult to provide an escort for
a truck moving through the facility.
A large number of truck drivers already have already been
vetted for their Hazardous Materials Endorsement (HME) or a Transportation
Workers Identification Credential (TWIC). For reasons that I discussed in the ‘Three
Options’ blog in this series ISCD is still requiring a PII submission on these
folks to ensure that credential vetting is up-to-date. An alternative method is
provided for the TWIC folks; no data submission is required if their TWIC is
periodically validated by a TWIC Reader or checked against the Canceled
Card List (CCL) and the Certificate
Revocation List (CRL).
Plants fully realize that they will not be able to do the
required PII submissions when a truck driver shows up at their gate. The
facilities will get around this by requiring all delivery companies to ensure
that their drivers have been vetted against the CFATS PSP before they will be
allowed to deliver or pick-up loads at the facility. Maritime Transportation
Security Act (MTSA) covered facilities are already using that tactic with
requiring drivers to have TWICs for similar reasons.
Trucking companies that routinely service MTSA covered
facilities are going to have little problem certifying that their drivers’
TWICs are periodically validated by TWIC Readers. For companies located further
from port facilities that certification will be harder to do.
Again, the trucking company could set itself up in the CFATS
PSP tool as a BGCA and register their drivers. HME and TWIC holders would be
entered in one portion of the tool and the remainder of the drivers in the
other portion. Those registered drivers would be linked to the facilities to
which they would be expected to deliver. For driver changes, all that would be
necessary would be for there to be enough time for ISCD to notify the facility
that the driver’s PII had been submitted.
And again, there would have to be some way to close the loop
by adequately identifying the driver to the facility. This would be
accomplished in the same way that I described in the Visitor’s Section above.
Contractors
Contractor is kind of an undefined term used in the ICR and
the CFATS regulations. Generally speaking there are two groups of people that
fit into this category. One is a large company that provides a variety of
direct services to the facility under a blanket contract. These folks will
almost certainly want to avail themselves of the BGCA provisions to get their
people vetted. Many of these people will be moved from facility to facility as
needs change so it would provide a lot more versatility to the organization if
they would not have to go through a new vetting process every time they were
moved.
The second kind of contractor is usually a professional that
is hired individually on a contract basis for providing a specific service for
a specific amount of time. The longer the expected period of the service the
more likely it will be that the individual facility will handle the vetting
process. For those individuals that move between facilities more frequently, it
may be worthwhile to find a BGCA that provides CFATS PSP vetting services and
pay them to submit his PII. In other cases it may be more appropriate for the individual
contractor to handle those BGCA activities on their own.
Site Security Plan
ISCD has made clear in the ICR discussions that they intend
to provide a certain amount of creative leeway for facilities to tailor the PSP
program to their situation. This means that if a facility intends to allow the
use of a BGCA to vet the various non-employees that periodically show up at the
facility gates to work then there will have to be a decent description of how
that second-party vetting process would be conducted.
ISCD also reminds folks fairly frequently in the ICR
discussion that the DHS vetting against the TSDB is only one portion of the
background check requirements outlined in the personnel surety Risk-Based
Performance Standard. The CFATS regulations (6
CFR §27.230(12)) outline three additional types of background checks that
need to be done as part of the facility PSP. Those are:
• Measures designed to verify and validate
identity;
• Measures designed to check criminal
history;
• Measures designed to verify and validate
legal authorization to work;
The first and last of those requirements are fairly straight
forward and are outlined in more general labor regulations. The second provides
the facility management with a lot more leeway in what is determined to be
acceptable findings in the individuals criminal history. What criminal offenses
and/or times since completion of the jail time for those offenses is deemed to
be disqualifying is up to the facility management.
When a facility uses a BGCA to vet some or all of their
employees there needs to be clear rules spelled out for that BGCA to make those
criminal history assessments. This is particularly true when non-employee
vetting is being done by someone different than does the employee vetting. It
would seem to be prudent to have a standard Memorandum of Understanding with
each vendor, contractor or trucking company that will be serving as its own
BGCA that outlines the acceptable criminal background that the facility will
allow as part of its Site Security Plan.
Posts
No comments:
Post a Comment