On March 22, 2013, the Department of Homeland Security (“DHS”) announced that it will submit to the Office of Management and Budget (“OMB”) a new Information Collection Request (“ICR”) related to the implementation of the Chemical Facility Anti-Terrorism Standards (“CFATS”) Personnel Surety Program (“PSP”). DHS is soliciting comments during a 60-day public comment period (which ends May 21, 2013) prior to the submission of the ICR to OMB. The Federal Register notice in which DHS announced the ICR also responds to stakeholder comments submitted to DHS in response to an earlier PSP notice and follows the withdrawal of previous ICRs on the same topic.
Background on CFATS Personnel Surety Program
The DHS Appropriations Act of 2007 provides DHS with authority to regulate and establish risk-based performance standards (“RBPS”) for the security of “high-risk” chemical facilities, which are defined by DHS as facilities possessing certain chemicals of interest above designated threshold quantities (these chemicals and their threshold quantities are listed in CFATS Appendix A). The CFATS regulations require covered facilities to develop Site Security Plans for review and approval by DHS which address implementation of each of the RBPS.
RBPS #12 addresses personnel surety and requires covered facilities to perform appropriate background checks and check credentials for facility personnel and unescorted visitors with access to the facility’s restricted areas and critical assets. RBPS #12 also requires that a covered facility’s Site Security Plan include measures designed to verify and validate identity, check criminal history, verify and validate legal authorization to work, and identify people with terrorist ties.
CFATS Personnel Surety Program
The PSP described in the new ICR is intended by DHS to serve as the mechanism to implement RBPS #12 and, specifically, to ensure that certain individuals who have or are seeking access to the restricted areas or critical assets of high-risk facilities are screened for ties to terrorism. DHS has concluded that the ability to identify individuals with terrorist ties is an inherently governmental function and requires the use of information held in government-maintained databases, which are not publicly available.
Under the screening process outlined in the new ICR, each covered facility will have at least three options to comply with RBPS #12 as follows:
- Option 1-Direct Vetting: Under this option, a high-risk facility (or its designee) may submit information to DHS about an affected individual to be compared against information about known or suspected terrorists. DHS will send a copy to the Transportation Security Administration (“TSA”) for comparison by TSA against the Terrorist Screening Database. TSA will determine whether the individual’s information is a “match” to a record in the Terrorist Screening Database.
- Option 2-Use of Vetting Conducted Under Other DHS Programs: A high-risk facility (or its designee) may submit information to DHS about an affected individual’s enrollment in another DHS program so that DHS can electronically verify and validate that the affected individual is enrolled in the other program. This option would allow facilities to take advantage of the vetting for terrorist ties already being conducted on individuals involved in the Transportation Worker Identification Credential (“TWIC”) Program and other similar government programs.
- Option 3-Electronic Verification of a TWIC: A high-risk facility (or its designee) may electronically verify and validate an affected individual’s TWIC through the use of TWIC readers (or other technology that periodically is updated using the Canceled Card List) rather than submitting information about the affected individual to DHS. DHS intends to periodically re-verify affected individuals’ enrollment and send notification of an expiration. (Elsewhere in the March 22, 2013 Federal Register, the U.S. Coast Guard published a notice of proposed rulemaking for “TWIC Reader Requirements” applicable to maritime facilities or vessels regulated by the Coast Guard. DHS indicates in the proposed ICR that the proposed Coast Guard requirements would not apply to CFATS high-risk facilities.)
In addition to offering these three options, DHS provides that a high-risk facility may propose an alternative screening process in its CFATS Site Security Plan for DHS’s consideration.
As used by DHS, the term “affected individuals” refers to facility personnel or unescorted visitors with access to restricted areas or critical assets at high-risk chemical facilities. In the case of a verified match of an affected individual found on a terrorist database, DHS will coordinate with appropriate law enforcement entities.
In response to industry comments that DHS is placing undue burdens and costs on businesses that operate multiple regulated facilities, DHS stated that facilities can restrict the numbers and types of persons whom they allow unescorted access to restricted areas and critical assets, thus limiting the number of persons who will need to be vetted. In other words, facilities can choose to escort visitors to restricted areas and critical assets in lieu of performing background checks. DHS also indicated that facilities have wide latitude in how they define their restricted areas and critical assets, and thus are able to limit or control the numbers and types of affected individuals. Addressing another previously controversial issue, DHS stated that covered facilities may use, as appropriate, innovative escorting alternatives such as video monitoring which may help reduce facility security costs.
The ICR states that DHS is proposing to limit initial implementation of the PSP to so-called Tier 1 and Tier 2 high-risk facilities. Under CFATS, DHS designates high-risk facilities as Tier 1, 2, 3 or 4 (in order of risk, with Tier 1 as the highest). DHS stated that a phased approach would enable DHS to implement the PSP for those facilities presenting the highest risk while not imposing a burden on all CFATS-regulated facilities. DHS proposed incorporating any lessons learned and potential improvements to the PSP prior to collecting information from Tier 3 and 4 high-risk facilities.
CFATS regulations currently cover 4,000 facilities nationwide.
Data Privacy Considerations
DHS indicated that there are various privacy requirements for high-risk facilities, their designees, and DHS related to the exchange of personally-identifiable information for the CFATS PSP. Facilities are responsible for complying with the government privacy laws applicable to the jurisdictions in which they do business.
Facilities subject to CFATS requirements should be prepared to address the requirements contained in the PSP as they develop their Site Security Plans and submit them to DHS for approval. Among other items, high-risk facilities should review their characterization of restricted areas and critical assets and determine which personnel and unescorted visitors will have access to these areas and assets. Facilities also may consider innovative escorting methods. In addition, covered facilities should review their internal policies on managing and handling affected individuals’ information that will be provided to DHS.