This is part of an ongoing series of blog posts about the
recently published 30-day
information collection request (ICR) published in the Federal Register by
DHS. This ICR would support the long overdue personnel surety program
requirements for the Chemical Facility Anti-Terrorism Standards (CFATS)
program. Earlier posts in the series include:
With less than 2 weeks left in the comment period, and no
comments posted to the www.Regulations.gov
web site it may be time to look at what this PSP would look like in actual
practice. First, we need to remember that ISCD is only going to apply the PSP
requirements to Tier 1 and Tier 2 facilities. This was done to reduce the
initial work load on the new PSP system and give ISCD a chance to work the bugs
out before they apply it to the bulk of the facilities. This means that another
round of ICRs will be required to make that change since the current burden
estimate is only based upon the participation of the Tier 1 and Tier 2
facilities.
I also understand that ICS is going to go back to their earlier
rollout method of initially only requiring a limited number of Tier 1
facilities to implement the PSP. This will allow those facilities to have their
Chemical Facility Inspectors (CSI) on hand during the start up to help work
through any of the problems in the system. This was successfully used in the
initial rollout of the Top Screen and Security Vulnerability Assessment tools.
System Design
There is going to be some time lag between the time that OMB
approves the ICR and the actual implementation of the PSP tools in CSAT. This
is because DHS has spent only a limited amount of time and money on developing
the tools and manuals. Given the history of this program, I think that we can
forgive the ISCD team for thinking that they might be required to make some
changes in their current plan by the time OMB gets done with their approval
process.
I think that we will see a delay of at least 60 to 90 days
between the time that OMB approves the ICR and the time that ISCD announces the
initial deployment of the CSAT tools and the limited initial roll out.
Registration Tool
One thing that is going to have to change is the current CSAT Registration Tool.
Currently the facility registers specific people to allow them to have access
to the various portions of CSAT that affects that facility. Currently the tool
allows for the registration of an Authorizer (Executive responsible for CFATS
implementation at the facility), Submitter (Person who actually submits
completed information to ISCD via CSAT), Lead Preparer/Preparers (the folks
that actually enter data into the various tools) and Reviewers (people that are
authorized to look at but not touch CSAT information).
For facilities that are doing all of their own data
submission in-house, there will probably be a need to add one or two folks from
HR to the list of Preparers for the facility. This will not require any CSAT
changes.
For facilities that are going to rely on an outside agency
to handle the submission of data for their PSP, things get a bit more
complicated. The easy way out (and as usual the worst way to do things) would
be to authorize one person at the background check agency (BGCA) to do all of
the submissions for the facility; this could be done under the current
registration rules. The reason that this is the worst way to handle the
registration is that we all know that there will not be just one person
handling all of the data submission from the BGCA. With just one person
‘registered’ there will inevitably be login credential sharing which tends to
compromise the security of the system, a system that will be handling
Personally Identifiable Information (PII).
What I suspect that ISCD will do will be to allow a facility
to register the use of a BGCA. The BGCA will be enrolled in the ISCD PSP and
will register individual employees as Preparers for the BGCA. This will make
things simpler for everybody involved. This will also allow vendors and
contractors to provide information to a BGCA so that their employees that
require access to CFATS facilities on a routine basis can be easily vetted for
multiple facilities.
PSP Tool
With the use of BGCA I suspect that we will see effectively
a dual PSP tool; one for facilities and one for BGCAs. I think that it may be
listed as a single tool, but depending on how one signs in you will see two
different sets tools. The basic data being submitted will be exactly the same
set of PII, but there will have to be some way for the BGCA to indicate for
which facility that PII will be submitted.
I would like to make a suggestion here. I think that it
would be much simpler (and eliminate a number of potential errors). The BGCA
should be allowed to enter an individual’s PII into the ISCD PSP tool without a
chemical facility initially being listed. As they were notified by their
clients (vendors, contractors and potentially even individuals) that a person
was going to need to have access to a facility, they would add a facility
identification number to that individual’s PSP information. Since that person
would already be vetted through the PSP, the 48 hour notice would not be
necessary and ISCD could send a message to the facility that the person had
been vetted through the PSP.
How Long?
On March 5th, barring some unforeseen
eventuality, the folks at NPPD will submit this PSP ICR request to the OMB’s
Office of Information and Regulatory Affairs (OIRA). The big question is how
long the approval process will take at OIRA. I have seen ICRs approved on the
day of their submission, but those were either entirely non-controversial
simple exercises or they were politically driven by the Administration. Neither
of those applies to the CFATS PSP ICR.
A large part of the inevitable delay in OIRA is trying to
work out the political bugs in the program. The more people (or the more
powerful the people) that complain about an ICR the longer it will take.
I expect that we will see some negative comments from the
same people that complained about the 60-day ICR. Some will go through the
eRulemaking Portal, but most will go directly to OIRA outside of public
scrutiny. Many of those will be politely ignored and OIRA will try to iron out
compromise solutions with the complainer and NPPD/ISCD. How long that will take
is anybody’s guess.
I will be very surprised if it takes less than 60 days and I
would not be very surprised if it takes six month. The longer it takes past six
months, however, the more likely it will be that NPPD will again have to
withdraw the ICR and start all over again. I give that about a 40% chance of
occurring.
Posts
No comments:
Post a Comment