Friday, May 29, 2015

EAP Guidance – Personnel Surety

This is part of a continuing series of blog posts on the newly released Expedited Approval Program (EAP) guidance document for Tier 3 and Tier 4 facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in the series are:


In this post I will look at the personnel surety requirements of the EAP. These are covered in section F (pg 50 and pg 86) of the EAP guidance document along with a number of other security management measures. The personnel surety program is covered under the Risk-Based Performance Standard #12 in the RBPS guidance document. In the CFATS regulations there are four personnel surety requirements at 6 CFR 27.230(12). They are:

∙ Measures designed to verify and validate identity;
∙ Measures designed to check criminal history;
∙ Measures designed to verify and validate legal authorization to work; and
∙ Measures designed to identify people with terrorist ties;

The EAP guidance document only specifically addresses the first three requirement because ISCD has yet to complete their Personnel Surety Program (PSP) that would address the method of identifying people with terrorist ties. I’ll discuss this further at the end of this post.

EAP Checklist

The EAP checklist lists eight personnel surety requirements:

∙ The facility has identified all affected individuals;
∙ The facility verifies and validates the identity of all affected individuals by a government issued ID or identification document as listed on the I-9 form;
∙ The facility conducts a criminal history check on all affected individuals through a third party background investigation company, national program, or local law enforcement agency. This background check includes national, state, and local resources for a timeframe of no fewer than five years and the report identifies all felonies, at a minimum;
∙ The facility has a process for adjudicating the results of background checks and determining access restrictions in a reasonable manner;
∙ Upon notification from DHS, the facility will implement a process to identify all affected individuals with terrorist ties;
∙ The facility escorts all visitors which do not have background investigations via an approved and trained escort; and
∙ The facility maintains documentation (at a minimum: employee name, how the required checks were conducted, and the results of the checks) of background checks for all current affected individuals in order to demonstrate compliance with personnel surety requirements.

The term ‘all affected individuals’ is specifically defined as:

∙ Facility personnel who have or are seeking access, either unescorted or otherwise [emphasis added], to restricted areas or critical assets; and
∙ Unescorted visitors who have or are seeking access to restricted areas or critical assets.

There are two items from the RBPS Metrics (pgs 99-100) that are not addressed in the EAP guidance. First Metric 12.2 for Tier 3 facilities requires that investigations “are repeated for all individuals at regular intervals”. And Metric 12.5 for all facilities requires that the background check program is audited annually.

Additional EAP Information

The discussion of the personnel surety program in the EAP guidance (pgs 50-52) provides only limited amounts of additional information. Most importantly, the guidance does make it clear that owners have some leeway in determining whether or not contractors are included in the term ‘facility personnel’.

There is surprisingly detailed guidance as to what constitutes ‘verifying ID. It includes:

∙ Comparing the picture on the card with the owner;
∙ Comparing the physical characteristics against the person’s physical appearance;
∙ Checking for tampering;
∙ Reviewing both sides of the card; and
∙ Checking the expiration date.

Terrorist Ties Checking

There is currently no approved method for facilities to check for personnel with terrorist ties. ISCD is responsible for setting up this program and has had problems getting the PSP program approved by the Office of Management and Budget due to industry opposition to many of the program elements. The most current proposal has been under review since March of 2014.

The most vociferous critics, and certainly the most influential, have been in Congress. The CFATS statute passed last session (HR 4007) specifically addressed those congressional concerns with the PSP program {6 USC 622(d)(2)}. While that statute requires DHS to establish a CFATS program to identify personnel with terrorist ties, it also allows facility owners to use other “Federal screening program that periodically vets individuals against the terrorist screening database” {§622(d)(2)(B)(i)(I)}. Additionally it requires that a facility accept any credential from such ‘Federal screening program’ if offered by an individual as proof that a covered individual has been screened for terrorist ties.

These new requirements for the PSP program will require a substantial re-write of the program that was submitted to OMB last year. It appears that ISCD is still going to rely on the Information Collection Request (ICR) route for obtaining approval of the PSP program. A footnote on page 6 of the EAP guidance notes that:

“Compliance with RBPS 12(iv) will be required for Tiers 1 and 2 upon approval of an Information Collection Request under the Paperwork Reduction Act, and upon notification to facilities by DHS that the CFATS Personnel Surety Program (i.e., the program enabling compliance with RBPS 12(iv)) has been implemented.”

This is the same two-stage implementation plan that ISCD had proposed in its last PSP proposal. This would allow it to implement the program at the highest risk facilities (and a smaller number of facilities) first. As the bugs were worked out and ISCD had a better idea of the number of individuals that would be affected at the Tier 3 and Tier 4 facilities, ISCD would then go back with a revision to the ICR to allow application of the PSP to Tier 3 and 4 facilities. This means that it could be quite some time before Tier 3 and Tier 4 facilities have to worry about the terrorist ties vetting of their covered personnel.

Commentary

Like the cybersecurity requirements the personnel surety requirements of the EAP are rather vague and potentially allow facilities a great deal of latitude in how those requirements are met. It also means that facilities might face the very real prospect of having DHS specify particular vetting requirements that must be taken when the compliance inspection is completed. This potentially could substantially increase the cost of the personnel surety program and those new costs could come with a very short implementation period.

There is also an interesting new requirement for the Tier 3 and Tier 4 programs that was not included in the original personnel surety requirements outlined in the RPBS guidance document. It is the fifth point in the personnel surety checklist:

∙ The facility has a process for adjudicating the results of background checks and determining access restrictions in a reasonable manner;

This was undoubtedly added due to the new requirement in the CFATS statute {6 USC 622(d)(2)(A)(iii)(II)} for establishing a redress process. That requirement, however, was specifically targeted at individuals who had been vetted against the terrorist screening database via the ISCD PSP. The way it is implemented in the EAP expands that requirement (legitimately so in my opinion) to include all of the background checks in that redress program.


What is not clear is if ISCD has been ‘requiring’ such a redress program in all of the site security plans that it has been authorizing and/or approving to date. There certainly has not been anything publicly discussed about such a requirement. If not, it will be interesting to see if and how ISCD goes back to the non-EAP facilities with approved SSPs to get such a program put in place for non-PSP background checks.

No comments:

 
/* Use this with templates/template-twocol.html */