Last month I
reported that ISCD Director Wulf had announced (in response to my question)
during the most recent EO 13650 update that he expected the OMB’s Office of
Information and Regulatory Affairs (OIRA) to approve the pending CFATS
Personnel Surety Program (PSP) information collection request (ICR) sometime in
the near future. He then noted that the DHS Infrastructure Security Compliance
Division would then publish a guidance document outlining how Tier I and Tier
II facilities would be implementing the PSP requirements.
I was surprised to hear this as I had assumed (as had most
people) that the PSP requirements outlined in the new 6 USC 622 requirements
from HR 4007 would have killed the current PSP program and would have required
ISCD to re-start the ICR process. I am pretty sure that that was the intention
of Rep. Meehan (R,PA) when he introduced HR 4007 in February of 2014, just
after the 30-day ICR
notice was published.
Proposed PSP Process
First let me go back and review what the PSP ICR outlined
for the vetting of personnel against the Terrorist Screening Database (TSDB).
ISCD outlined three options that a facility would have to complete the vetting
process on all facility employees (and that could include contractors at the
facility’s option):
OPTION 1 – Direct vetting;
OPTION 2 – Use of vetting conducted under other DHS programs; and
OPTION 3 – Electronic verification of TWIC
Actually, there is a fourth option described in the ICR.
Facilities could suggest alternative methods of vetting personnel which would
be reviewed by ISCD on a case-by-case basis. In this post I’ll call that Option
4.
Option 1
This is fairly uncontroversial, but the most time-consuming
option. The facility would have to enter information into the on-line Chemical Security
Assessment Tool (CSAT), using a new tool that will be released presumably after
the guidance document is issued. For US citizens and legal permanent residents
the information required would be:
∙ Full Name
∙ Date of Birth
∙ Citizenship or Gender (Gender for US citizens)
Provisions would be made in the CSAT PSP Tool to provide additional,
optional information to reduce the possibility of false positives.
Facilities could enter this information or they could designate a 3rd
party to submit the information for them. ISCD has also said that they would
set up a system for bulk-upload of this data rather than just requiring manual
data entry in the CSAT PSP Tool.
The only place where Option 1 conflicts with the new law is
the requirement at §622(d)(2)(B)(i)(II)(aa)
that requires a facility to accept the presentation of a DHS vetted credential
from a covered individual which then preempts the requirement to provide
information on those individuals to the PSP. I suppose that this would be easy
enough to address in the guidance document.
Option 2
This is where the most dramatic conflicts with the new
statute would apparently occur. For individuals with other credentials that
include DHS vetting against the TSDB (including TWIC, HME and various Trusted
Traveler Programs) ISCD proposed to require facilities to report much the same
information as in Option 1 with the addition of the document number of the
credential which substantiates the TSDB vetting.
This option has drawn the ire of many in the industry and
Congress. The opposition insists that the mere presentation of the credential
(and probably copying it for record's sake) should satisfy the vetting
requirement and no information should be submitted to DHS. This certainly seems
to be the intent of §622(d)(2)(B)(iii)(I).
ISCD has in the past responded that the information that it
is requiring to be submitted to the CSAT Tool is not being used to vet the
individuals against the TSDB, they are simply going to use the information to
ensure that the credential being used is valid and current. This is the problem
with all of the credentials being used under Option 2 (with the potential
exception of the TWIC); the casual observer has no way to validate the
credential or ensure that it has not been withdrawn because of subsequent
investigative data.
The statute addresses this in §622(d)(2)(B)(i)(II)(bb). It
requires facilities to outline in their site security plan (or authorized
alternative) “the measures it will take to verify that a credential or
documentation from a Federal screening program described in subclause (I) is
current”. This requirement is where ISCD has an out to continue to use Option
2. Facilities could voluntarily use Option 2 as the way they fulfill the
requirement described above. Facilities wishing to use some other method of
verifying the credential data would annotate that in their plan, effectively Option
4. ISCD is, of course, capable of invalidating the designated process if it
proves to be inadequate, leaving the facility to revise Option 4 or use one of
the other options.
Personally, I don’t think that there is an alternative
method for facilities to verify these other credentials (other than TWIC which I’ll
discuss in Option 3), so facilities are going to be forced to use Option 2 for
any employee that offers one of these credentials. If any of my erudite readers
knows of a legitimate verification option, please let me know.
Option 3
This option addresses the credential verification and
validation process for Transportation Workers Identification Credentials
(TWIC). TWICs were designed to be verified and validated on site through the
use of a TWIC reader. It was originally envisioned that each MTSA covered
facility or vessel would check the TWIC with a TWIC reader each time the holder
entered the facility. This has yet to be required since the Coast Guard has yet
to issue their final rule on TWIC Readers.
The CFATS PSP would not require daily checking of the TWIC.
The ICR does not, in fact, say anything about how often TWICs should be
checked. But in keeping with the requirements of the new statute, ISCD will not
be requiring the submission of any information on individuals if their TWIC has
been electronically verified.
Moving Forward
It looks like it would be possible for the PSP outlined in
the ICR submitted to OIRA on February 10th, 2014 to be interpreted
as meeting the requirements of 6 USC 622. We would still need to see the
guidance document and the new CSAT Tool instruction manual to know that ISCD
has included the necessary caveats and instructions so that it does not run
afoul of the congressional mandate.
I am fairly certain that the legal staff at DHS is fully
capable of ensuring that those documents will be appropriately worded. If not,
there will almost certainly be lawsuits from a number of organizations to
point out the errors of their ways.