On June 14, 2011, the Department of Homeland Security (DHS or the Department) announced the submission to the Office of Management and Budget (OMB) of a new Information Collection Request (ICR) related to the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program (PSP). DHS seeks OMB review and clearance of the ICR under the Paperwork Reduction Act (PRA). 76 Fed. Reg. 34720 (2011). The Federal Register notice also responds to extensive stakeholder comments submitted to DHS in response to an earlier notice related to the PSP. DHS anticipates launching the final PSP in the fall of 2011.

Background on CFATS Personnel Surety Program:

The DHS Appropriations Act of 2007 provides the Department with authority to regulate, and establish risk-based performance standards (RBPS) for, the security of “high-risk” chemical facilities. In general, facilities possessing chemicals of interest (defined in CFATS Appendix A) are considered “high-risk” and must perform a Security Vulnerability Assessment and develop a Site Security Plan (SSP). DHS has established RBPS for incorporation by a facility into each of its facility-specific SSPs. RBPS #12 addresses personnel sureties and requires covered facilities to “[p]erform appropriate background checks on and ensure appropriate credentials for facility personnel and, as appropriate, for unescorted visitors with access to restricted areas or critical assets” including measures designed to verify and validate identity, check criminal history, verify and validate legal authorization to work, and “identify people with terrorist ties.”

New CFATS Personnel Surety Program:

The new PSP is intended by DHS to serve as the mechanism to implement RBPS #12 and, specifically, to ensure that certain individuals are screened for ties to terrorism. DHS has concluded that the ability to identify individuals with terrorist ties is an inherently governmental function and requires the use of information held in government-maintained databases, which are not publicly available.

Under the PSP process, each high-risk chemical facility is required to submit for review by DHS certain personal information of every “affected individual” it employs. Generally, for U.S. citizens or lawful permanent residents, the information collected will include the individual’s full name, date of birth and either gender or citizenship. If an affected individual is not a U.S. citizen, the facility also will be required to submit the individual’s passport information or alien registration number. Facilities will have to affirm that they provided affected individuals with notice as required by the Privacy Act of 1974 prior to submitting their information to DHS.

As used in the Federal Register notice, the term “affected individuals” refers to “facility personnel who have or are seeking access, either unescorted or otherwise, to a facility’s restricted areas or critical assets” and “unescorted visitors who have or are seeking access to a facility’s restricted areas or critical assets.” “Restricted areas” and “critical assets” are not defined. Covered facilities have discretion to classify contractors either as “facility personnel” or as “visitors” based on facility security, operational requirements and business practices. Facility personnel and visitors without access to restricted areas or critical assets are not included in the program.

Upon receipt of the affected individual’s personal information from the facility, DHS will send a copy to the Transportation Security Administration (TSA) for comparison by TSA against the Terrorist Screening Database (TSDB). TSA will determine whether the individual’s information is a “match” to a record in the TSDB.

Under the program, facilities are required to submit additional, updated or corrected information to DHS as appropriate, and to notify DHS when an individual whose information has been submitted for screening no longer has access to restricted areas or critical assets. DHS indicates that it will not share the results of the TSDB screening with facilities or with the individuals screened. In the case of a verified match by TSA, DHS will coordinate with appropriate law enforcement entities. DHS states that providing a vetting result back to the facility or the individual being vetted would conflict with the U.S. government policy to neither confirm nor deny an individual’s status in the TSDB.

Several industry stakeholders had commented to DHS that the PSP should not duplicate other equivalent vetting programs and that evidence of vetting under the DHS Transportation Worker Identification Credential (TWIC™) program, hazardous materials endorsement (HME) program, NEXUS program, Secure Electronic Network for Travelers Rapid Inspection (SENTRI) program, or Free and Secure Trade (FAST) program should be adequate for checking for terrorist ties under CFATS. In response, DHS concludes that it must collect information to verify that the affected individual is currently enrolled in the DHS program, and to enable DHS to access both the original enrollment data and the TSDB vetting results already in the possession of the Department, when necessary.

Companies operating multiple CFATS facilities will need to identify each specific facility to which each affected individual has access. In response to industry comments that the DHS is placing undue burdens and costs on businesses that operate multiple regulated facilities, DHS states that:

[f]acilities can restrict the numbers and types of persons whom they allow to access their restricted areas and critical assets, thus limiting the number of persons who will need to be vetted against the TSDB. Facilities additionally have wide latitude in how they define their restricted areas and critical assets in their SSPs, and thus are able to limit or control the numbers and types of persons requiring TSDB screening. Facilities can choose to escort visitors to restricted areas and critical assets in lieu of performing the background checks required by RBPS–12 on them. Facilities can also submit different biographic information to DHS through CSAT for affected individuals holding TWIC, HME, NEXUS, SENTRI, or FAST credentials than for affected individuals not holding such credentials.

DHS states its intent to publish a schedule for requiring high-risk chemical facilities to submit the information of new affected individuals prior to access to restricted areas or critical assets and is considering whether to establish that high-risk chemical facilities be required to submit the information at least 48 hours prior to access to restricted areas or critical assets. The Department states that it “may, on a case by case basis, allow for variances from the schedule.”

Concurrent with the June 14, 2011, PRA notice, DHS also published a system of records notice proposing the establishment of a DHS system of records and a notice of proposed rulemaking (NPRM) seeking comments for 30 days from the public about DHS’s intention to exempt portions of the CFATS Personnel Surety Program System of Records from certain provisions of the Privacy Act.  

Outlook:

Facilities subject to CFATS requirements should be prepared to address the requirements contained in the PSP as they develop their Site Security Plans and submit them to DHS for approval. Among other things, high-risk chemical facilities should review their characterization of restricted areas and critical assets and determine which personnel and unescorted visitors will have access to these areas and assets. In addition, covered facilities should review their internal policies on managing and handling affected individuals’ information that will be provided to DHS.