DHS Publishes PSP Program Announcement – 07-09-19

On Tuesday the DHS Cybersecurity and Infrastructure Security Agency (CISA) published a notice in the Federal Register (84 FR 32768-32777) outlining the implementation process for the expansion of the Personnel Surety Program (PSP) to Tier III and IV facilities. Yesterday they updated the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page with a note about that expansion that pointed at the revised PSP web site.

Overview

Back in 2016 the DHS Infrastructure Security Compliance Division (ISCD, now part of CISA) implemented the portion of the PSP that provided for identifying CFATS employees and contractors or visitors with unaccompanied access to critical areas in covered facilities that may have ties to terrorist. The initial implementation was limited to Tier I and II facilities. In late 2017, ISCD started the process to expand the PSP process to Tier III and IV facilities.

The PSP web site has an interesting graphic that conceptually explains the PSP implementation process:

First, once notified by ISCD that the facility will begin the implementation process (and that notice will start the 60-day clock implementation clock), the facility will update their site security plan to include information about how they will implement the process at their facility. This weeks’ notice provides a look at what types of information ISCD will be looking for in that SSP modification. When ISCD approves that amended SSP the clock will again start on the facility’s actual implementation of that facility specific process.

ISCD will phase this implementation in over the next two years or so. They will provide each Tier III and IV facility with a notice of when they will officially begin the implementation process and the date of that notice begins the 60-day period in which the facility must submit a revised SSP. Facilities can begin work on that SSP revision now, or they can wait until they receive the notice. Facilities can even submit the amended SSP before they receive their notice.

Tier III and IV facilities that have not yet had their SSP approved (or perhaps even authorized) should expect that their SSP will have to include PSP implementation before ISCD give approval to the plan.

PSP Options

The CFATS PSP provides four different options that facilities may use to screen individuals for possible terrorist ties; actually five since ISCD included an obligatory possibility for facilities to propose some sort of alternative that would accomplish the same thing. Facilities may use any option or combination of options that they wish.

The notice describes each of these four options (imaginatively entitled: Option 1, Option 2, Option 3 and Option 4) in some detail. In my 2016 blog post I described them this way:

Option 1 – Facility submits data and ISCD has TSA conduct screening;

Option 2 – Facility submits data on personnel with previous screening and ISCD has TSA confirm that screening is current;

Option 3 – Facility uses TWIC Reader to verify identity and screening status of Transportation Workers Identification Credential (TWIC) holder; and

Option 4 – Facility visually inspects TSDB based identity document to verify that person had been screened against TSDB.

Commentary

I will keep this brief today since I already said most of what I want to say back in 2016. In fact, I did an entire blog post about what problems I expected facilities to face in implementing the PSP. I have not seen anything since then that would significantly change those observations.

Most facilities are going to find that they need a blended approach using two or more of the options that ISCD has provided. I think that every facility should probably expect to use all four options at one point or another. If the initial SSP revision addresses all four options, then the facility will have the maximum amount of flexibility in the PSP implementation. It would certainly save time down the road.

Remember, facilities can (should) begin their SSP revision process before they receive their notice from ISCD. I would not recommend submitting the revised SSP before that notice is received, because the official notice is also going to trigger specific Chemical Security Inspector support for the revision process.