This is part of an on-going series of blog posts about the
new Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety plan
(PSP) User
Manual. This manual sets forth the instructions for using the new PSP tool
in the on-line Chemical Security Assessment Tool (CSAT). Other blogs in this
series include:
Potential Problems Identified
Back in in early January, after DHS published their PSP program
notice in the Federal Register, I wrote a blog
post about potential problems with the system as it was explained in that
notice. The potential problem areas identified in that post include:
• Multiple facilities
• Facility turnaround contractors
• Local delivery drivers
• Electronic access
• False positives
As expected, the User Manual did not specifically address
any of these problems. It did, however, provide information to help resolve three
of these problems; multiple facilities, facility turnaround contractors and
electronic access.
Multiple Facilities
As long as all corporate facilities all have a single
authorizer (the most likely situation), the PSP can be set up so that the
Corporation Group would be a single account listing all company personnel with
access to any of the covered facilities within the company. The Corporate Group
could have a single submitter to support all facilities or individual
submitters from each of the covered facilities. The latter would allow for a
person at each covered facility who was able to review all of the personnel for
whom PSP data submissions had been made.
If the company set up separate Groups for each facility that
would still allow the Corporate Group to be set up for personnel from
headquarters that could be visiting any of the covered sites within the company
and might require unaccompanied access as ‘visitors’. Unfortunately, there
would be no one at the facility who could verify data submission on those
personnel in the Corporate Group, because the local Submitter would not have
access to the Corporate Group data and one person cannot be a Submitter in
multiple Groups within the same company.
A way around this would be to make someone else at the local
facility a Submitter on the Corporate Group. Another way around the problem
would be for HR to forward a completed template spread sheet with the required
information for those company personnel that might be visiting the covered
facility for that facility Submitter to upload to the local facility Group.
Facility Turnaround Contractors
The new PSP CSAT tool provides an easy solution for the
problem of facility turnaround contractors without having to require possession
of a TWIC or HME. The Authorizer can set up a Group for the main contractor
responsible for turnarounds with a Submitter from that contractor.
The contractor would then be responsible for uploading the
individual data for all personnel who would be working on that site. The
contractor could then provide a status report for that facility that showed
that all personnel data had been submitted. That document would, of course, be
a Chemical-terrorism Vulnerability Information (CVI) protected document. The
facility could then prepare a sign-in/sign-out sheet to help keep track of the
contractors on site. As long as the sheet did not reference the PSP program or
PSP status, this would not be a CVI protected document.
Electronic Access
Facilities that are going to allow vendors routine
electronic access to physical components of control systems, building access
systems, or security monitoring systems for maintenance purposes are going to
have to include the vendor personnel who will have that access in their PSP program.
This would require that they be set up as a separate Group on the PSP tool.
Again the Authorizer would set up a vendor employee as a Submitter for that
Group and establish an oversight Submitter from the company so that there would
be someone in the company that could verify that data had been submitted.
Oversight Submitter
In a couple of places above I have suggested that the
Authorizer establish a company employee as an ‘oversight Submitter’ on Groups
that are being used to submit data on personnel who are not company employees.
The idea here is that there would be someone from the covered facility that
could access the Group data on the PSP tool to verify that an individual’s data
had been submitted to the PSP tool prior to allowing that person access to a
covered facility.
This is somewhat complicated by the fact that a person can
only be a Submitter on one group under a given Authorizer. Small facilities
could quickly run out of people who could verify the PSP status on multiple contractor
or vendor Groups.
What is really needed is for the tool to be modified by
adding a PSP Reviewer position. A reviewer would typically be the Security
Manager or person fulfilling that type role on a local basis. The Authorizer
could then specify multiple Groups within the company that each reviewer would
be authorized to access to verify the submission status of contractor, vendor
or corporate personnel desiring unaccompanied access to the critical areas of
the facility.
The way things are currently structured in the PSP tool
there is only one person who has access to the PSP status of all personnel in
multiple groups; the Authorizer. It does not make any kind of sense in having a
corporate officer put in the position of potentially having to be available at
all hours to verify that someone has been properly vetted through the PSP
program.
Posts
No comments:
Post a Comment