This is part of an ongoing series of blog posts about the
recently published 30-day information collection request (ICR) that
DHS published in the Federal Register. This ICR would support the long
overdue personnel surety program requirements for the Chemical Facility
Anti-Terrorism Standards (CFATS) program.
program. Earlier posts in the series include:
Since control systems, security systems and business
networks will likely be on the list of critical assets for most facilities
(depending on which DHS chemicals of interest – COI – are present), personnel
with access to these systems will almost certainly require vetting under the
site personnel surety plan, as it is difficult to imagine when such access would
not be considered unaccompanied.
Remote System Maintenance
Most complex cyber systems (which certainly includes control
systems) now come with the option for remote system maintenance support. CFATS
covered facilities that use such options have an obligation to ensure that
the vendor’s personnel who have such access are properly vetted under the
facility’s PSP. This would appear to be another instance where the background
check agency provisions of the ICR (discussed in the last post in the series)
would come into play.
Since there is no way for the facility to actually know
which individual is remotely accessing the facility’s computer systems, some
responsibility will have to shift to the vendor. This would have
to be done through a formal document such as a memorandum of understanding, and
that document would have to be included in the facility’s site security plan so that
ISCD could review its provisions as part of the SSP authorization and approval
process. This would also mean that changes in vendors would have to be reported
to ISCD as part of the ‘material change’ provisions of §27.210(d), §27.215(d)
or §27.225(d)(2).
Remote Monitoring
Many facilities will opt to use off-site security
monitoring programs. Since such a monitoring program will be a significant part
of the security apparatus for the facility, it will certainly fall under the
critical area rule requiring vetting under RSPB #12. Here too, the vendor providing
such services would most likely fall under the Background Check Agency
provisions described earlier, and there would have to be a formal
document in the site security plan outlining the vendor’s responsibility for
conducting the vetting.