Thursday, February 20, 2014

30 Day CFATS PSP ICR – Moving Forward

This is part of an ongoing series of blog posts about the recently published 30-day information collection request (ICR) published in the Federal Register by DHS. This ICR would support the long overdue personnel surety program requirements for the Chemical Facility Anti-Terrorism Standards (CFATS) program. Earlier posts in the series include:

With less than 2 weeks left in the comment period, and no comments posted to the web site it may be time to look at what this PSP would look like in actual practice. First, we need to remember that ISCD is only going to apply the PSP requirements to Tier 1 and Tier 2 facilities. This was done to reduce the initial work load on the new PSP system and give ISCD a chance to work the bugs out before they apply it to the bulk of the facilities. This means that another round of ICRs will be required to make that change since the current burden estimate is only based upon the participation of the Tier 1 and Tier 2 facilities.

I also understand that ICS is going to go back to their earlier rollout method of initially only requiring a limited number of Tier 1 facilities to implement the PSP. This will allow those facilities to have their Chemical Facility Inspectors (CSI) on hand during the start up to help work through any of the problems in the system. This was successfully used in the initial rollout of the Top Screen and Security Vulnerability Assessment tools.

System Design

There is going to be some time lag between the time that OMB approves the ICR and the actual implementation of the PSP tools in CSAT. This is because DHS has spent only a limited amount of time and money on developing the tools and manuals. Given the history of this program, I think that we can forgive the ISCD team for thinking that they might be required to make some changes in their current plan by the time OMB gets done with their approval process.

I think that we will see a delay of at least 60 to 90 days between the time that OMB approves the ICR and the time that ISCD announces the initial deployment of the CSAT tools and the limited initial roll out.

Registration Tool

One thing that is going to have to change is the current CSAT Registration Tool. Currently the facility registers specific people to allow them to have access to the various portions of CSAT that affects that facility. Currently the tool allows for the registration of an Authorizer (Executive responsible for CFATS implementation at the facility), Submitter (Person who actually submits completed information to ISCD via CSAT), Lead Preparer/Preparers (the folks that actually enter data into the various tools) and Reviewers (people that are authorized to look at but not touch CSAT information).

For facilities that are doing all of their own data submission in-house, there will probably be a need to add one or two folks from HR to the list of Preparers for the facility. This will not require any CSAT changes.

For facilities that are going to rely on an outside agency to handle the submission of data for their PSP, things get a bit more complicated. The easy way out (and as usual the worst way to do things) would be to authorize one person at the background check agency (BGCA) to do all of the submissions for the facility; this could be done under the current registration rules. The reason that this is the worst way to handle the registration is that we all know that there will not be just one person handling all of the data submission from the BGCA. With just one person ‘registered’ there will inevitably be login credential sharing which tends to compromise the security of the system, a system that will be handling Personally Identifiable Information (PII).

What I suspect that ISCD will do will be to allow a facility to register the use of a BGCA. The BGCA will be enrolled in the ISCD PSP and will register individual employees as Preparers for the BGCA. This will make things simpler for everybody involved. This will also allow vendors and contractors to provide information to a BGCA so that their employees that require access to CFATS facilities on a routine basis can be easily vetted for multiple facilities.

PSP Tool

With the use of BGCA I suspect that we will see effectively a dual PSP tool; one for facilities and one for BGCAs. I think that it may be listed as a single tool, but depending on how one signs in you will see two different sets tools. The basic data being submitted will be exactly the same set of PII, but there will have to be some way for the BGCA to indicate for which facility that PII will be submitted.

I would like to make a suggestion here. I think that it would be much simpler (and eliminate a number of potential errors). The BGCA should be allowed to enter an individual’s PII into the ISCD PSP tool without a chemical facility initially being listed. As they were notified by their clients (vendors, contractors and potentially even individuals) that a person was going to need to have access to a facility, they would add a facility identification number to that individual’s PSP information. Since that person would already be vetted through the PSP, the 48 hour notice would not be necessary and ISCD could send a message to the facility that the person had been vetted through the PSP.

How Long?

On March 5th, barring some unforeseen eventuality, the folks at NPPD will submit this PSP ICR request to the OMB’s Office of Information and Regulatory Affairs (OIRA). The big question is how long the approval process will take at OIRA. I have seen ICRs approved on the day of their submission, but those were either entirely non-controversial simple exercises or they were politically driven by the Administration. Neither of those applies to the CFATS PSP ICR.

A large part of the inevitable delay in OIRA is trying to work out the political bugs in the program. The more people (or the more powerful the people) that complain about an ICR the longer it will take.

I expect that we will see some negative comments from the same people that complained about the 60-day ICR. Some will go through the eRulemaking Portal, but most will go directly to OIRA outside of public scrutiny. Many of those will be politely ignored and OIRA will try to iron out compromise solutions with the complainer and NPPD/ISCD. How long that will take is anybody’s guess.

I will be very surprised if it takes less than 60 days and I would not be very surprised if it takes six month. The longer it takes past six months, however, the more likely it will be that NPPD will again have to withdraw the ICR and start all over again. I give that about a 40% chance of occurring.

No comments:

/* Use this with templates/template-twocol.html */