Today the DHS National Protection and Programs Directorate
(NPPD) published a notice in the Federal Register (80 FR
79058-79066) concerning the “Implementation of the CFATS Personnel Surety
Program”. This explains how Tier I and Tier II facilities under the Chemical
Facility Anti-Terrorism Standards (CFATS) program will implement the portion of
the personnel surety program pertaining to vetting facility personnel and
visitors with unaccompanied access to CFATS facilities against the Terrorism
Screening Database (TSDB).
Requirement for
Vetting
The requirement for vetting facility personnel and
unescorted visitors wishing to gain access to restricted or critical areas of a
CFATS covered facility can be found in 6
CFR 27.230(a)(12). Facilities with approved site security plan (SSP) have
already been completing the requirements under subparagraphs (i) thru (iii).
This notice pertains to the requirements under subparagraph (iv); measures
designed to identify people with terrorist ties.
Additional congressional guidance on the implementation of
the CFATS Personnel Surety Program was provided last year with the passage of
the Protecting and Securing Chemical
Facilities from Terrorist Attacks Act of 2014 (PL 113-254).
The provisions regarding the PSP were codified at 6
USC 622(d)(2).
In August of this year the OMB’s Office of Information and
Regulatory Affairs (OIRA) approved
the CFATS Personnel Surety ICR (1670-0029)
that ISCD had used to outline how it intended to implement the PSP. The version
of the ICR approved by OMB included the addition of a fourth option for
implementation of the vetting program that was required by the new congressional
direction.
Who Must Be Vetted
Today’s notice reiterates the position of ISCD as to what the regulation
means when it says “facility personnel, and as appropriate, for unescorted
visitors with access to restricted areas or critical assets”. In effect the term
‘facility personnel’ mean all facility employees and those contractor personnel
designated in the SSP as facility personnel for the purpose of the PSP.
Visitors are only required to be vetted if they have ‘unaccompanied access’ and
the facility is given certain latitude in defining in the SSP what constitutes ‘accompanied
access’.
The notice also goes into some detail about
specific categories of personnel that do not require vetting under any portion
of the PSP (including the terrorist ties requirement outlined in today’s
notice). They include:
• Federal officials who gain
unescorted access to restricted areas or critical assets as part of their
official duties;
• State and local law enforcement
officials who gain unescorted access to restricted areas or critical assets as
part of their official duties; and
• Emergency responders at the state or local level
who gain unescorted access to restricted areas or critical assets during
emergency situations.
TSDB Vetting Options
The notice describes four
specific options that facilities have to conduct the TSDB vetting of personnel.
Facilities may use any
combination of the four options that they desire; they just have to be
outlined in the Site Security Plan approved by ISCD (more on that later). Those
options are:
Option 1 - The high-risk
chemical facilities (or designee(s)) submits certain information about affected
individuals to the Department through a Personnel Surety Program application in
the CSAT Tool.
Option
2 – The high-risk chemical facilities (or designee(s)) submits certain
information about affected individuals to the Department through the CSAT
Personnel Surety Program CSAT application on personnel that have already been
vetted by another Federal TSDB vetting program (TWIC, HME, SENTRI and FAST for
example).
Option 3 – The high-risk
chemical facilities (or designee(s)) does not submit information to ISCD, but
will rather electronically verify and validate the affected individuals' TWICs
through the use of TWIC readers (or other technology that is periodically
updated with revoked card information).
Option 4 - The high-risk
chemical facilities (or designee(s)) does not submit information to ISCD, but
will rather visually inspect a credential from a Federal screening program that
periodically vets individuals against the TSDB.
Facilities are reminded that
they have an additional option of proposing some alternative vetting process in
their SSP that may be approved by ISCD if it is found to provide an equivalent
process.
The notice also provides a discussion
of the relative level of security provided by each of the options described
above.
When Will Vetting
Have to be Completed?
The notice explains
that before the vetting process can begin, the facility will have to revise
their approved SSP to include a description of their terrorist screening
process (more on this later). ISCD will notify each Tier I and Tier II facility
when they must complete that SSP revision (ISCD is going to stagger this so
that they can provide assistance from Chemical Security Inspectors throughout
this process). Once that revision is approved, facilities will generally have
60-days to complete the vetting process (submitting data for Options 1 and 2)
on existing employees. New employees and all visitors requiring unaccompanied
access will require vetting (again, submitting data for Options 1 and 2) before
they are given access to restricted or critical areas within the facility.
Privacy Notice
The notice outlines
the Privacy Act provisions (and other applicable privacy regulation provisions)
that the Department has complied with in developing this program. From the
perspective of the Facility Security Manager, probably the most important will
be the May 1st, 2014, update
to the CFATS Personnel Surety Program Privacy Impact Assessment. That is
because it provides a suggested copy (at Attachment 1) of the Privacy Act
notification that should be provided to each person about which the facility is
submitting information under Option 1 or Option 2.
The notice mentions a new update (that presumably includes
mention of Option 4) that was supposed to have been printed today, but it has
not yet been posted to the NPPD
PIA web site.
Site Security Plan
Revisions
CFATS Facilities that already have had their site security
plan authorized or approved will have to revise their plan to include the
terrorist screening process. The notice provides
some detailed information about the types of information that they are going to
expect to see in that revision.
When ISCD individually notifies each Tier 1 and Tier 2 that
it is required to update their SSP, it will also include a date by which that
update must be submitted for authorization/approval.
Moving Forward
I have heard that ISCD intends to work very closely with at
least the first few facilities as they go through the process of changing their
SSP and then submitting data (for those that intend to utilize Options 1 and/or
Option 2) for the PSP. Given that the Christmas holidays are upon us, I would
not be surprised to hear that ISCD will not send out the first notifications
until after the first of the year. I also suspect that they may actually
informally contact the early facilities to arrange times when their CSI are
available before they send out the notification letters.
ISCD still has a CSAT manual to publish for the PSP data
submissions and perhaps a revision to the Account Management User Guide if they
are going to come up with a new data submission user role for 3rd
party PSP data submissions.
We are going to see an interesting couple of months in the
CFATS program as the PSP implementation moves forward.
Posts
No comments:
Post a Comment