ISCD Publishes 60-day CVI ICR

CISA is publishing a 60-day ICR notice in Monday’s (available online today) Federal Register (85 FR 17593-17594) for an extension of the current Chemical-Terrorism Vulnerability Information (CVI) information collection request (ICR). This would cover the information ISCD would collect on-line from personnel requesting to become a CVI authorized user.

ICR Burden

The key to estimating the burden of the ICR is to determine the number of  people that will be attempting to become CVI certified. CISA provides the last three-year data on the applications, but notes: “Due to past fluctuations and uncertainty regarding the number of future respondents, CISA believes that 20,000 continues to be a reasonable estimate.” This results in an extension of the current burden (estimate below) without change.

• Number of respondents – 20,000

• Time per respondent – 30-min

• Annual time burden – 10,000-hours

With an estimated average hourly wage for requestors being $79.75 this brings the annual cost burden to $797,474 per year.

Public Comments

CISA is soliciting public comments on this ICR notice. Comments may be solicited on the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2020-0002). Comments are due by May 29^th, 2020.

FRA 60-day ICR Notice for Oil Train Reporting Order

Today the DOT’s Federal Railroad Administration (FRA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (79 FR 36860-36861) to cover the reporting of crude oil unit train routing information under DOT Secretary’s emergency order published May 7^th, 2014. The OMB’s Office of Information and Regulatory Affairs (OIRA) provided a 180-day emergency ICR to cover that order. This renewal would provide for the public comment period not afforded under the emergency ICR process.

Today’s notice provides the same regulatory burden data [Word® download link] submitted to OIRA in the original request for the emergency ICR. That annual data is summarized in the table below.

	Respondents	Responses	Time/Response	Burden
Initial notification to SERCs	47	120	30	3600
Updated notifications	47	25	4	100
Notifications to FRA	47	10	1	10
Requests by SERCs	47	60	1	60

The number of initial notifications seems to be low to me. The only way that the number makes any sense is if there are only 120 possible routes that these crude oil unit trains could possibly take out of the Bakken oil loading region. That would mean that each of the listed responses would be addressed to multiple states along that route. That may be a reasonable way of accounting for the burden, but I doubt that that would be the method by which the notification would be compiled and delivered.

The FRA is soliciting public comments on this ICR. Comments may be submitted to Mr. Brogan at Robert.Brogan@dot.gov. Public comments should be submitted by August 29^th, 2014.

BTW: There is a major error in OIRA’s listing of the current emergency ICR. It shows two Federal Register citations for the submission of the original request. The first citation is for a totally unrelated ICR and the second citation is for an issue of the FR that has yet to be published. The only FR notice that mentions this oil route reporting requirement was the one published on May 13^th, 2014 (79 FR 27363) and it contains no mention of an ICR.

First Responders Community of Practice ICR Notice – Again

Today the DHS Science and Technology Directorate (S&T) published a 60-day ICR renewal notice in the Federal Register (79 FR 34545) for their First Responders Community of Practice Program (FRCoP). I wrote about the previous submission of this ICR to OMB last year; that submission has not yet been acted upon by OMB. This ICR notice completely ignores that previous submission.

I noted in my earlier blog that the previous approval of this ICR (which expired last October) was a short term approval because OMB wanted additional information about the program and its efficacy. I noted that S&T had not included that information in its published ICR notices. Looking back now at the actual ICR submission supporting documents there is an attempt [Word® download link] by S&T to fulfill that requirement. There is no indication on the OMB site if that was considered to be an adequate response.

One interesting item of information from that S&T document is the report that there are 5,000 active members of the FRCoP. Since this ICR only covers the submission of registration information that is supplied on a one time basis, it would seem that there is a pretty good retention of site members. The site has been active since somewhere in 2010 and S&T indicates that there have been an average of 2000 registrations per year. That means that between 6,000 and 8,000 registrations have taken place. Retaining 5,000 members from that number would seem to be a pretty high success rate.

One other interesting administrative note; this ICR notice uses the same docket number as the ICR submission that was withdrawn last year. It seems that everyone, both at DHS and OMB, is ignoring the ICR that was submitted last year. That seems to be more than a little strange.

Anyway, S&T is soliciting public comments on this ICR submission. Public comments may be made via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0013). Comments need to be submitted by August 18^th, 2014.

TSA Publishes 60-Day ICR Notice for Exercise Program

Today the Transportation Security Administration (TSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (79 FR 24742-24744) for their Exercise Information System (EXIS).

I provided a brief description of the system three years ago when the initial ICR 60-day notice was published. Since that ICR was approved I have been checking the EXIS web site weekly to see if there has been any sharing of information about the planning or conduct of transportation security exercises, and there has been none on the public web site. This public sharing of tools and templates for exercises appears to be a unfulfilled aspect of the program.

Data included in today’s notice, however, would seem to indicate that program is somewhat more successful away from the public portion of the web site. There are currently 364 registered users of the program and 35% of those (127) have used the site to plan or conduct an exercise. According to the notice TSA expects to increase the number of registered users to 12,998 over the next three years, a really impressive goal (a 3470% increase). There is no mention in how TSA expects to achieve that goal other than a vague mention of use of ‘outreach events’.

TSA is soliciting public comments on this ICR notice. TSA is not using the Federal eRulemaking Portal for their comment submission process, taking any possible submissions out of public view. Comments may be submitted via email (TSAPRA@dhs.gov) and should be submitted by June 30^th, 2014.

FMCSA Publishes HAZMAT Safety Permit ICR Revision

Today the Federal Motor Carrier Safety Administration (FMCSA) published a 60-day ICR renewal-revision notice in the Federal Register (78 FR 74221-74222) to revise and update the information collection request supporting the HAZMAT Safety Permit program under 49 CFR §385.401 et seq.

This ICR provides for the collection of information by FMCSA as part of the permit application process under 49 CFR §385.405(a). It also covers the requirement under 49 CFR §385.407(b)(2) to maintain records of communications between the carrier and the hazmat transport driver. The driver is required to “make contact with the carrier at the beginning and end of each duty tour, and at the pickup and delivery of each permitted load” {49 CFR §385.415(c)(1)}

ICR Burden Revision

As part of its requirement to periodically renew this ICR, FMCSA is updating the burden requirements for this ICR based upon changes in the number of affected hazmat carriers requesting permits and the number of hazmat loads requiring the maintenance of communications records. The table below shows the change in those numbers over the last two renewal requests.

	2007	2010	2013
Motor Carriers	2515	1425	1382
Hazmat Trips	1.6 Million	4.2 Million	11.6 Million
Annual Burden	131,000	350,000	967,000

FMCSA estimates the annual burden hours by assuming that each driver takes a total of five minutes during each hazmat trip to record his required contacts with the carrier. The earlier data comes from the Federal Register notices (72 FR 39879-39880 and 75 FR 54941-54942) for the respective 60-day ICR notice.

There is no mention of the burden associated with filling out the permit application (Form MCS-150B). While this is a relatively complex form, I don’t suspect that it will take more than an hour to complete the application. This means that the 1382 burden hours for filling out that form will be lost in the rounding of the number calculated for the communications recording requirement.

Public Comments

FMCSA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FMCSA-2013-0349). Comments will need to be submitted by February 10^th, 2014.

TSA Publishes 60-day TWIC ICR Notice

Today the Transportation Security Administration published a 60-day information collection request (ICR) notice in the Federal Register (78 FR 32417-32418). This is a follow-up to the March approval of an emergency ICR extension to reflect changes in the Transportation Workers Identification Credential (TWIC) information collection process brought about by the short-term renewal process initiated last summer.

There is little actual information in this notice beyond a brief statement of burden estimates. As shown in the table below the burden estimates in this notice are higher than those published in the approved emergency extension. Without a number for the number of expected responses it is difficult to explain the change in time burden and cost. Based upon the number of folks currently enrolled in the TWIC program (2,556,783) we would expect to see about 500,000 renewals alone each year.

	Current Burden	This ICR
Responses	852,310	Not Reported
Time Burden (hours)	741,879	829,774
Cost	$42,786,620	$47,633,777

TSA does not explain the cost burden (and again I applaud TSA for including this figure; it is inexplicably absent from most ICR notices) estimation process. Based on the current published data the cost is just about $50 per response, so it does not include the actual cost of the application fee for either the extended TWIC ($60) or  the new/renewed TWIC ($129.75).

The TSA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # TSA-2006-24191). Comments should be submitted by July 29^th, 2013.

NOTE: This ICR has nothing to do (directly) with the current Coast Guard TWIC Reader NPRM.

CFATS PSP – TWIC Readers

This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at how TWIC Readers could be used in PSP. The earlier posts in the series are listed below.

DHS Publishes CFATS PSP 60-day ICR Notice

CFATS PSP – Data Submission Options

CFATS PSP – Who Gets Screened

CFATS PSP – Who Submits Information?

CFATS PSP – Other Information to be Collected

CFATS PSP – Only Tier 1 and 2 Facilities Impacted

CFATS PSP Comments – 03-30-31

CFATS PSP – Facility Analysis

Many high-risk chemical facilities covered by CFATS share a significant work force, corporate and contract, with MTSA covered facilities. Additionally transportation workers (truck drivers and railroad personnel) may make up a significant number of the ‘visitors’ that a site might expect to extend some level of unescorted access to critical areas of the facility. As a result there was a major level of vocal concern with the original CFATS PSP proposal because it did not provide an easy option for facilities to take advantage of the fact that TWIC holders had already been vetted against the Terrorist Screening Database (TSDB). The new ICR notice specifically addresses this concern providing for the use of TWIC Readers as one of the vetting alternatives specifically available to facility security managers.

TWIC Reader Requirements

The ICR notice does not provide any specific guidance on how the TWIC Readers would be used at a high-risk chemical facility. This is not surprising given the §550 prohibition against requiring any specific security measure for the approval of a facility’s SSP. The notice provides the following guidance:

“High-risk chemical facilities could propose, in their SSPs or ASPs, to share the costs of TWIC readers and any associated infrastructure at central locations, or high-risk chemical facilities could propose to purchase and install TWIC readers for their own use. The Department will assess the adequacy of such proposals on a facility-by-facility basis, in the course of evaluating each facility's SSP or ASP.”

TWIC Reader at the Gates

The classic implementation of the TWIC Reader would be to install readers at a gate to allow security personnel to automate the verification of identity and appropriate vetting against the TSDB. This is the type of use expected to be employed at high-risk MTSA facilities where all personnel with unescorted access to the covered facilities or vessels are required to have a TWIC.

If TWIC Readers were to be used for vetting all personnel entering a facility for unescorted access each time they entered the facility, this would be a significant extension of the vetting requirements outline in the other two vetting options provided in this ICR notice as personnel would effectively be vetted against the TSDB every time the TWIC Reader updated its access to the Canceled Card List (CCL).

For facilities that have a large number of recurring visitors that are to be given even some limited amount of unescorted access to the facility, truck drivers and delivery personnel for instance, this could simplify the vetting requirements for these personnel by simply requiring that they possess a TWIC and then validating that TWIC with a TWIC Reader each time they access the facility.

TWIC Reader at Personnel Processing Center

The other option suggested in this ICR notice is the use of the TWIC Reader at a shared central location. The most obvious example of this would be to have a TWIC Reader at the Corporate Human Resources Department where an individual’s TWIC would be validated as part of the corporate hiring process. One would suppose that ISCD would prefer to see some sort of periodic revalidation of the TWIC outlined in the SSP since they intend to do periodic rechecks against the TSDB for personnel whom facilities submit information under the PSP.

Because of the high-cost of TWIC Readers (this notice suggests that the annualized three year cost of a TWIC reader and its upkeep at $99,953.33 per reader) smaller facilities, or facilities separated from corporate HR might wish to contract out the TWIC Reader validation to a third-party such as a back-ground check vendor or security contractor. Again one would suppose that there should be some sort of periodic revalidation of those checks outlined in the facility SSP.

ISCD TWIC Expectations

ISCD clearly does not expect very many facilities to avail themselves of the TWIC Reader option for personnel vetting. According to Table 22 in the notice they only expect that four facilities will install TWIC Readers as part of their PSP, three at Tier 2 theft/diversion facilities and one at a Tier 2 Group C (distribution type facility) facility. They base that on the number of facilities that share MTSA and CFATS status. This would be the type facility that would already be intending to use the TWIC Reader because of the impending requirements under the recently published TWIC Reader NPRM.

Does this mean that only those facilities will be allowed to use TWIC Readers as part of their PSP? I don’t think so. These are clearly facilities that would be expected to find the use of TWIC Readers to be most valuable since they will already be in use at certain entrances (MTSA covered areas of the facility) and virtually all personnel will already be required to possess a TWIC. But, ISCD clearly expects that the cost of the TWIC Reader will be a disincentive for its general use at facilities that are not already required to implement use of the TWIC for facility access.

CFATS PSP – Facility Analysis

This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at the facility analysis used to calculate the regulatory burden caused by this ICR. The earlier posts in the series are listed below.

DHS Publishes CFATS PSP 60-day ICR Notice

CFATS PSP – Data Submission Options

CFATS PSP – Who Gets Screened

CFATS PSP – Who Submits Information?

CFATS PSP – Other Information to be Collected

CFATS PSP – Only Tier 1 and 2 Facilities Impacted

CFATS PSP Comments – 03-30-31

This ICR notice provides a relatively detailed look at the facilities that are included in the CFATS program; providing information that has been difficult to obtain because of the Department’s security concerns.

Categorizing Facilities

The Department has established four general descriptive categories of high-risk chemical facilities based upon the types of DHS chemicals of interest (COI) they have on site and the size of the facility. Three of the categories describe facilities where the primary security concern is based upon the possession of release hazard COI and the fourth describes facilities where theft/diversion of COI is the major security challenge.

ISCD divides the release COI facilities, ‘loss of containment’ is the term used in the notice, into three groups based upon the size of the facility:

• Group A includes open facilities with 100 or more employees;

• Group B includes open facilities with 99 or fewer employee; and

• Group C facilities are enclosed facilities.

Table 4 in the notice provides a breakdown of the number of facilities in each category. I have provided a summary of that data in a slightly more readable format below.

	Tier 1	Tier 2	Tier 3	Tier 4	Total
Group A	4	8	22	72	106
Group B	6	16	33	190	245
Group C	10	15	66	13	104
T/D	93	400	935	1683	3111
Total	113	439	1056	1958	3566

Table 1: Number of Facilities

What is very interesting is that theft/diversion facilities clearly predominate in every tier, with only a total of 455 facilities where a catastrophic on-site chemical release is the primary security challenge. The notice addresses points out that:

“In the original 2007 CFATS Regulatory Assessment, conducted prior to implementation of the CFATS Program, the Department assumed that 38 percent of all high-risk chemical facilities would be regulated due to the risk that one or more chemicals could be subject to theft or diversion for purposes of creating an explosion or producing an improvised explosive device. However, the 2012 CFATS Personnel Surety Program Analysis found that 87 percent of all currently regulated CFATS high-risk chemical facilities are regulated due to the risk that a chemical could be subject to theft or diversion for purposes of creating an explosion or producing an improvised explosive device.”

Unfortunately, that description fails to take into account that some of the COI where theft/diversion is the primary security hazard are not used to make explosive devices, but rather chemical weapons. It probably doesn’t affect any of the numbers, but it provides some misleading information.

Number of Employees

DHS makes an attempt to estimate the number of employees and resident contractors working at these facilities. This initial estimate is based upon 2007 CFATS program estimates plus some recommendations for changes included in the comments from the earlier ICR submission. The table below summarizes the data from Table 9 in the notice which provides the estimate for the average number of full time employees/contractors at a facility in the category, plus 20% for turnover (they are using this number to estimate the number of people that will undergo a personnel surety check).

	Tier 1	Tier 2	Tier 3	Tier 4
Group A	3050	2176	3799	2207
Group B	50	49	68	200
Group C	201	418	409	265
T/D	46	46	46	46

Table 2: Update of 2007 CFATS personnel estimate

Looking at the numbers in the table above there seems to be some obvious problems with the models used to come up with these estimates. The variation in employee numbers from Tier to Tier within the same category is hard to explain when there is no variation in the numbers for threat/diversion facilities. With such a wide variance for data that is supposed to represent an average suggests that the standard variation within the data set is quite large. And, oh yes, the Group B definition was facilities with less than 99 employees; how did Tier 4 Group B get an average 200 employees and contractors?

One of the alternatives that ISCD mentions in the ICR notice is using data submitted by the facilities in their Top Screen submission. Table 3 below is a summary of that data reported in Table 10 in the notice. It includes the average Top Screen personnel numbers and an ACC estimate of the number of visitors to facilities (not by Tier) that will be given unescorted access requiring vetting.

	Tier 1	Tier 2	Tier 3	Tier 4	ACC Visitors
Group A	719	267	713	884	1746
Group B	43	36	39	20	437
Group C	360	587	225	211	437
T/D	783	499	279	234	73

Table 3: CFATS Top Screen Personnel Data plus ACC visitor estimates

Using the data from Table 3, and plant numbers from Table 1 ISCD estimates that they would have to process 1,806,966 personnel surety screenings in the first year of the program and a three year average processing of 864,678 per year if ISCD were going to require all four tiers to participate in the personnel screening program. Since initially only Tier 1 and Tier 2 facilities will participate the numbers are reduced to 412,647 in the first year and average 191,845 per year.

CFATS PSP – Only Tier 1 and 2 Facilities Impacted

This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at the decision to only apply this ICR to Tier 1 and Tier 2 facilities. The earlier posts in the series are listed below.

DHS Publishes CFATS PSP 60-day ICR Notice

CFATS PSP – Data Submission Options

CFATS PSP – Who Gets Screened

CFATS PSP – Who Submits Information?

CFATS PSP – Other Information to be Collected

While the discussion through much of the ICR notice mentions all CFATS facilities, buried in the discussion of calculating the burden of the ICR is a statement that the ICR will only apply to Tier 1 and Tier 2 facilities.

Testing PSP

One of the suggestions that ISCD received after the last 30-day ICR notice was forwarded to OMB (and subsequently withdrawn) was that ISCD should do the same thing that it had done with most major CSAT tool deployments (excepting the SSP) and test the tool before it was officially deployed. This would allow the bugs to be worked out of the program.

While this probably would have been a good idea two years ago when the PSP was initially proposed (and before the Department started evaluating SSPs), this is no longer a reasonable prospect before the PSP ICR is submitted and approved. Too many facilities are receiving provisional authorizations for their SSP without a method being available to complete the personnel surety terrorist vetting required under RBSP #12.

Besides, even in conducting a test version of the PSP tool with live data (the only type of test that would be really worth while) would still require an approved ICR to collect the data and have it entered into the CSAT application. Thus the ICR must go forward without a live system test.

Limited PSP Implementation

ISCD has worked out a way to test the PSP application and the data collection and submission process from a variety of facilities, as well as evaluate the assumptions underlying the burden estimates in the ICR. They will limit the initial application of the PSP tool to just Tier 1 and Tier 2 facilities. They estimate that this will entail only 552 facilities and about 192,000 individual. This is compared to about 4,000 facilities and over 2 million individuals for a full deployment of the PSP.

Tier 3 and Tier 4 facilities are not being exempted from the PSP. ISCD intends that “ a subsequent ICR would be published and submitted to OMB for approval to incorporate any lessons learned and potential improvements to the CFATS Personnel Surety Program prior to collecting information from Tier 3 and Tier 4 high-risk chemical facilities” (78 FR 17696).

CFATS PSP – Other Information to be Collected

This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at what additional information (in addition to the personally identifiable information (PII) previously discussed) ISCD might require a high-risk chemical facility to submit to DHS under the CFATS PSP. The earlier posts in the series are listed below.

DHS Publishes CFATS PSP 60-day ICR Notice

CFATS PSP – Data Submission Options

CFATS PSP – Who Gets Screened

CFATS PSP – Who Submits Information?

While the bulk of the information collection covered under this ICR will be the PII used to vet personnel against the Terrorist Screening Database (TSDB), there is additional information that ISCD will be collecting in its administration of the PSP at the Department level.

Information about the High-Risk Facility

Since the Department envisions that many high-risk facilities will use third-party organizations to submit the PII required for the PSP on it facility personnel, the PSP tool in the on-line Chemical Security Assessment Tool (CSAT) will require information “ that identifies the high-risk chemical facility, or facilities, at which each affected individual has or is seeking access to restricted areas or critical assets” (78 FR 17686). From that wording it would seem that vendors and contractors supporting multiple high-risk facilities will be required to identify which facilities they routinely support as part of their data submissions in the PSP tool.

Additional information may be collected from the facility about its PSP in support of adjudications under Subchapter C of 6 CFR Part 27; in processing requests for extensions,

High-risk chemical facilities will also be required to provide ISCD with a point of contact for the collection of additional information about the facility, its PSP, and individuals who have had their PII submitted for screening.

Additional PII

The previously identified PII will be routinely collected on any individual based upon which submission option the facility chooses to use in their PSP filings. ISCD realizes that from time to time they will have to request additional information about an individual to better confirm or deny potential matches in the TSDB. ISCD and law enforcement agencies might also be expected to contact the facility for further information about individuals that have been identified as matches against the TSDB. The notice makes the point that a “request for additional information from the Department does not imply, and should not be construed to indicate, that an individual is known or suspected to be associated with terrorism” (78 FR 17686).

Additional information may be collected about individuals in the PSP as part of the adjudications under Subchapter C described above. Additionally redress requests by individuals may require facilities to provide additional information about an individual. Unfortunately, this is the only mention of ‘redress’ for individuals who feel that they are wrongly identified as having terrorist ties. This may be because the Department will not necessarily notify the facility if an individual is identified as having terrorist ties and thus individuals are unlikely to know if they are wrongly identified.

The reference in this ICR to redress does mention (in a footnote) a series of Privacy Act documents that the Department issued in June of 2011 as part of the original ICR submission to OMB that was subsequently withdrawn. Those documents will certainly be revised as this new ICR moves forward.

Odd Information

There is one odd paragraph in this section of the ICR; it deals with the collection of what would generally be described as file numbers. The notice states that there will be ‘blank data fields’ in the PSP tool in CSAT that will allow the facility to enter a designation or number unique to an individual so that a facility may better track the data submission. I can’t see any reason why a facility submitting information on their own employees would really need this, but it would sure come in handy for third-party submitters, vendors and contractors who might need to keep track of what facilities are associated with a particular individual.

CFATS PSP – Who Submits Information?

This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at how ISCD expects facilities to organize the submission of the required personally identifiable information (PII). The earlier posts in the series is listed below.

DHS Publishes CFATS PSP 60-day ICR Notice

CFATS PSP – Data Submission Options

CFATS PSP – Who Gets Screened

Facility Responsibility

The individual high-risk chemical facility covered under the CFATS program is responsible for implementing the Personnel Surety Program (PSP) as part of their facility site security plan (SSP). That does not mean, however, that they will be submitting the personal information on all of the people that work at the facility or will have unescorted access to critical areas of the facility as visitors, contractors or vendors. DHS has provided for a number of different options for the facility to use as part of its PSP. The four basic options are:

• The facility submits information on all affected individuals for the facility;

• The parent company submits information on all affected individuals for the facility;

• Either the facility or the parent company designates a third-party to submit the information; or

• The PSP includes some combination of the three for different classes of affected personnel.

The notice explains that vendors and contractors would have essentially the same options available for vetting their personnel that would have unescorted access to critical areas of high-risk chemical facilities. What is not made clear is how the vetting done by vendors and contractors would be communicated to the facility security manager and how those records would be made available to ISCD Chemical Facility Inspectors conducting compliance inspections. Would facilities have to submit the same type of abbreviated information that it does for personnel that had already undergone a TSA security threat assessment?

CSAT Application

Anyone that is familiar with the various roles defined in the current CSAT applications will quickly realize that only one of the options outline above could be directly rolled into the current CSAT roles of Authorizer, Submitter, Preparer and Reviewer. With this in mind the notice mentions a new role for the CSAT process; the Personnel Surety Submitter (PSS). As we saw when ISCD allowed for multiple submitters with the advent of the SSP tool, the notice makes clear that they expect that many facilities will use multiple PSS.

There is not a great deal of information in the notice about the PSS, but we can expect that the PSS will have to go through a similar process of identifying and notifying ISCD of the appointment of PSS. One would also expect that when an individual is logged into CSAT in a PSS role, they will only have access to facility PSP information. What is not so readily apparent is whether or not personnel with current access to the CSAT application in existing roles will be able to access the PSP information as well. Privacy issues may require limiting access to that information.

Another thing that is not immediately clear from this discussion in the PSP notice is the CVI status of the submitted information. Currently the Registration application and the Top Screen application do require that someone with access to those CSAT applications have completed the Chemical-Terrorism Vulnerability Information (CVI) training program. The two remaining CSAT applications (Security Vulnerability Assessment – SVA – and the Site Security Plan – SSP) do require the possession of a CVI training certificate to be able to access the applications. If it is determined that PSP information is not CVI, then it is likely that ISCD will not require CVI training for personnel performing PSS duties.

The CSAT User Roles and Responsibilities section of the notice does not address how vendors and contractors that will be submitting the information on their employees fit into this CSAT application process. Will their PSS have to be appointed by the Authorizer of the supported high-risk chemical facility or will a management member from the vendor or contractor be able to appoint their own PSS?

Realistically, these details will be more suited to explication in the inevitable revision of the CSAT Registration Manual that will be necessitated by the addition of the PSS to the list of positions that require CSAT Registration.