CFATS: Personnel Surety Program
Posted: April 22nd, 2020Authors: Lizzie S.
This article is part of ALL4’s 4 The Record: Quarantine Series.
The U.S. Department of Homeland Security (DHS) administers the Chemical Facility Anti-Terrorism Standards (CFATS) program, intended to set standards and monitor the security of listed hazardous chemicals stored at certain locations. Each “high risk” facility covered by the CFATS program is required to submit and maintain an Alternative Security Program (ASP) or Site Security Program (SSP), which contains security measures that sufficiently meet all Risk-Based Performance Standards (RBPS). The vetting of facility personnel and unescorted visitors who have access to critical assets is one such standard. RBPS 12 – Personnel Surety requires facilities to account for four types of background checks on facility personnel and unescorted visitors who have or seek access to restricted areas and critical assets at high-risk facilities. These checks include measures designed to:
- Verify and validate identity
- Check criminal history
- Verify and validate legal authorization to work
- Identify people with terrorist ties
CFATS Personnel Surety Program (PSP) Process
Part iv., screening people for terrorist ties, is implemented through the Personnel Surety Program (PSP). The Cybersecurity and Infrastructure Security Agency (CISA) has previously implemented the PSP at Tier 1 and 2 facilities; however, the Agency published a notice in the Federal Register (84 FR 32768) on July 9, 2019, that announced the full implementation of the PSP at all covered chemical facilities—including Tier 3 and Tier 4 facilities. Therefore, all facilities subject to CFATS that have not yet been required to implement RBPS 12(iv) will be required to do so in the near future. These high-risk chemical facilities will be individually notified by DHS in a phased manner when to begin implementing RBPS 12(iv). Each Tier 3 or 4 facility, when notified by DHS, will have 60 days to incorporate RBPS 12(iv) into their ASP or SSP by adopting measures to identify individuals with terrorist ties. Once the updated ASP or SSP is approved, facilities will have 60 days to implement RBPS 12(iv) and be actively identifying individuals. Figure 1 provides a visual representation of the PSP process.
There are two options for implementing RBPS 12(iv); both involve submitting certain information about affected individuals through a PSP Application located in the Chemical Security Assessment Tool (CSAT):
- Option 1 – allows impacted chemical facilities to submit certain information about affected individuals, and the Department will use that information to vet the individuals for terrorist ties, or
- Option 2 – allows DHS to verify affected individuals’ enrollments in other programs, including the Transportation Worker Identification Credential (TWIC) program, Hazardous Materials Endorsement (HME) program, and the Trusted Traveler Program. If Option 2 is selected, the facility can opt for DHS to automatically revert to Option 1 when DHS is unable to verify an affected individual.
An Authorizer, Administrator, or PSP Submitter can access the CSAT PSP Application through the PSP tab in the CSAT Portal after their facility has been approved to implement RBPS 12(iv). Facilities will have 60 days from approval of their updated ASP or SSP to submit all affected personnel with access to the Chemical of Interest (COI) area, including:
- Facility personnel
- Unescorted visitors
- Unescorted contractors
Note that any facility personnel who accesses the critical asset, regardless of whether he or she is accompanied by a screened employee, must also be screened for terrorist ties. All individuals should be notified prior to screening.
An Authorizer or an Administrator can assign facility employees or third-party contractors to a PSP Submitter role. Facilities can have multiple PSP Submitters to share responsibilities for different personnel. Multiple groups can be created for different sections of affected individuals, and a PSP Submitter can be assigned for each group. Facilities may wish to assign an HR official as a PSP Submitter in order to incorporate the CSAT submission for an affected employee into the normal hiring process. They may also wish to designate an employee of a contracted company to handle the PSP Submissions of their contractors. Regardless of how the responsibility is shared, the Authorizer is encouraged to establish user roles and groups in CSAT to implement reasonable privacy limitations. The information submitted to DHS through the PSP process is considered Personally Identifiable Information (PII) and must be safeguarded. More information about user and group management can be found in their manual.
Submission of affected personnel information into CSAT can be done individually; however, those with a large number of affected personnel should take advantage of the bulk upload feature, which can process up to 10,000 individuals at a time. The Sample Bulk Upload template is an XLS file that can be accessed through the PSP tab in the CSAT Portal. The PII required for PSP screening varies between Options 1 and 2, but the minimum information required includes the affected individual’s full name, date of birth, and gender OR country of citizenship. Option 2 requires specific information pertaining to the program the individual is enrolled in. Additional information such as alias name, passport number, redress number and location of birth is optional.
Once the PSP Submission is uploaded through CSAT, the status of submittals will be “Submitted”. There is no more immediate action required by the facility or employee, and the Submission should be considered complete.
Ongoing PSP Requirements
Once the facility has completed the initial implementation of PSP, any new personnel or contracted employees must be submitted to DHS prior to being granted access to CFATS-restricted areas. Likewise, if an individual’s access to the CFATS-restricted area is removed (i.e. in the event of an employee leaving the facility or moving to a different area of the facility), DHS must be notified by removing the individual in the PSP tab of the CSAT portal. If an individual has temporary access to the CFATS-restricted area, you can enter the date that the individual’s access will expire in the optional field dated “Date Affected Individual Will No Longer Have Access.”
DHS encourages high-risk chemical facilities to submit updates and corrections to PSP data as needed in order to ensure that DHS’s checks for terrorist ties, which are done on a recurrent basis, are accurate.
Facilities should complete an annual review of the PSP database to ensure the list of individuals is accurate. More information can be found in the CSAT PSP Instructions.
If you have questions regarding CFATS or the PSP process, please contact me at firstname.lastname@example.org or at (770) 999-0269. ALL4 has assisted clients with completing top-screens, ASP/SSP development, implementation of planned measures, compliance documentation, and compliance inspections. Look for more CFATS content from ALL4!