PSP Program – Conversation with ISCD

I had an interesting telephone conversation with Kelly Murray, the Compliance Branch Chief at the DHS Infrastructure Compliance Division (ISCD) about the Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety program. She wanted to call attention to an error in my post on the expansion of the CFATS Personnel Surety Program (PSP) to Tier III and IV facilities. She was also kind enough to answer questions about the PSP and some new tools that ISCD had added since my earlier post.

Error Correction

In my earlier post I wrote:

First, once notified by ISCD that the facility will begin the implementation process (and that notice will start the 60-day clock implementation clock [emphasis added]), the facility will update their site security plan to include information about how they will implement the process at their facility.

Kelly pointed out that the initial notice triggers a 30-day clock for the submission of the facility site security plan (SSP) revision concerning the PSP. The 60-day clock is for the actual implementation of the SSP PSP provisions and it starts once ISCD notifies the facility that their SSP revision has been approved.

New PSP Tools

Later the same day as I posted about the PSP expansion, ISCD published the following notice on the CFATS Knowledge Center about additional tools that they had made available to assist facilities in dealing with the new PSP requirements:

07/11/19: CISA published a Federal Register notice (84 FR 32768) announcing the implementation of the CFATS Personnel Surety Program (PSP) at all high-risk chemical facilities—including Tier 3 and Tier 4 facilities. This implementation closes the final gap in vetting individuals with access to critical assets and restricted areas for terrorist ties.

Visit the PSP page for more details, the PSP Toolkit with new resources (e.g., updated RBPS 12(iv) fact sheet, PSP Samples Supplement, PSP Sample Bulk Upload, etc.), and a webinar demo of the PSP in the CSAT 2.0 portal.

In my opinion, one of the most valuable tools is the PSP Samples Supplement (.DOCX download link). It provides examples that facilities can use to answer the questions in the SSP Tool that relate to the PSP. It shows various ways that facilities can use the Four Options at their facilities.

Questions

There is an odd footnote at the end of the PSP Samples Supplement; footnote 1 reads:

“To date, DHS has not received any Site Security Plans selecting Option 3 and therefore the sample answers have been provided as an example but is not based on lessons learned or best practices.”

Given the clamor from industry during the development of the PSP to be able to use TWIC Readers and the subsequent demands from Congress on the same, I found this rather odd. Kelly did tell me that the footnote is no longer technically correct; since the document was approved a facility has submitted an SSP that designates Option 3 as one of the options that the facility will use to screen personnel.

I asked her why she thought facilities were not using this option and she noted that she thought it was because Option 1 (the most common option used according to her) was so easy to use/implement.

I did ask her the inevitable question; had any facilities been notified that an employee had been identified as having terrorist ties through this vetting process? As expected, she could not answer that question. An answer to a subsequent question, however, seemed to imply (not surprisingly) that such notifications had been received.

I asked her about the process for correcting an inappropriate response of potential terrorist ties. The ISCD privacy documentation does provide a process for employees to question the accuracy of information submitted via the PSP tool under Option 1 or 2, but that does not address the issue of legitimate bad Terrorist Screening Database information. Kelly noted that the PSP tool for Option 1 includes provisions for providing additional information about an individual and that ISCD could ask for that additional information if there was a terrorist association result from TSA. It sounded as if these questions had been asked in some number of instances.

Additional Information

Kelly noted that facilities could expect some sort of delay between submitting the SSP revision and receiving notification that the revision had been approved and the 60-day compliance clock starting. How long a delay would depend on how many facilities had submitted their SSP updates. Facilities should not be concerned about a lengthy delay being an indication that the SSP revision would be disapproved.

One other thing that did come up was a reinforcement of a point I had made in my post. ISCD is planning for substantial support from Chemical Security Inspectors during this process.