CFATS Personnel Surety
The following content was provided by:
Chemical Security Group LLC / Roberts Law Group PLLC
This information is offered only as a courtesy and is not intended as legal advice and cannot be relied on as such. Please consult Chemical Security Group LLC / Roberts Law Group PLCC or your legal counsel regarding applicable legal obligations.
Chemical Facility Anti-Terrorism Standards (CFATS) Program Update
In December 2014, Congress passed the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (the CFATS Act of 2014). The CFATS Act of 2014, which comes after more than 6 years of congressional debate regarding reauthorization periods and the general scope of CFATS program, provides independent CFATS authorization (and funding) through 2018.
The Department of Homeland Security (DHS) continues to make significant progress in authorizing and approving Site Security Plans (SSPs) and Alternate Security Programs (ASPs). As of August 2015, DHS has authorized 3,139 SSPs/ASPs and fully approved 2,021 SSPs/ASPs following an on-site Authorization Inspection. DHS is currently conducting approximately 100 Authorization Inspections per month and anticipates that it will complete the approval process for all facilities by Summer 2016.
DHS has also begun conducting Compliance Inspections at facilities with approved SSPs/ASPs. The primary purpose of a Compliance Inspection is to determine whether facilities are, in fact, following their approved SSP or ASP. In most instances, however, DHS’s focus at the Compliance Inspection has been reviewing implementation of Planned Security Measures. For example, if a facility indicated that it would implement specific security measures “no later than one year after ASP or SSP approval,” then DHS now seeks to verify completion (and thus compliance).
CFATS Personnel Surety Requirements
DHS’s CFATS regulation and Risk-Based Performance Standard (RBPS) 12 require facilities to perform appropriate background checks on and ensure appropriate credentials for facility personnel and, as appropriate, for unescorted visitors with access to restricted areas or critical assets, including:
- Measures Designed to Verify and Validate Identity – This typically involves a social security/name trace search, which reveals names associated with a social security number, past and present addresses, and fraudulent use of social security numbers.
- Measures Designed to Check Criminal History – This typically involves a search of commercially available databases, such as county, state and/or federal criminal record repositories for jurisdictions in which the individual has worked or resided. The search should uncover any criminal charges, outstanding warrants, dates, sentencing, and disposition for felonies and/or misdemeanors.
- Measures Designed to Verify and Validate Legal Authorization to Work – This typically involves the filing of U.S. Citizenship and Immigration Services (USCIS) Form I-9: Employment Eligibility Verification or through DHS’s E-Verify program. Note that this option is not available for existing employees who were hired on or before November 6, 1986.
- Measures Designed to Identify People With Terrorist Ties – This is an inherently governmental function that requires a check of the Terrorist Screening Database (TSDB), which is not commercially available.
DHS’s RBPS Guidance document provides a Metric Table with a narrative summary of the personnel surety measures a hypothetical facility may choose to implement at each risk-tier for the purposes of RBPS 12. Learn more.
CFATS Act of 2014 and Personnel Surety
The CFATS Act of 2014 allows facilities to satisfy the requirement to identify individuals with terrorist ties by using any federal screening program that periodically vets individuals against the TSDB. Such federal programs include the Transportation Security Administration’s (TSA’s) Transportation Worker Identification Credential (TWIC), Hazardous Materials Endorsement (HME), and TSA Pre-check programs as well as Customs and Border Protection’s (CBP’s) Free and Secure Trade (FAST), Secure Electronic Network for Travelers Rapid Inspection (SENTRI), Global Entry, and NEXUS programs. Each of the federal programs listed above require individuals to undergo a Security Threat Assessment (STA) that includes vetting against the TSDB as a condition of enrollment. Therefore, individuals who are enrolled in one of these programs are subject to recurrent TSDB vetting. Importantly however, the CFATS Act of 2014 states that visual inspection of the federal credential or documentation is sufficient to verify that an affected individual’s enrollment in the program is current.
The CFATS Act of 2014 also clarifies that DHS may not require facilities that voluntarily participate in the PSP to submit information about affected individual’s more than one time. In other words, DHS cannot require facilities to submit information about individuals who have already submitted information under another federal screening program (e.g., TWIC, Global Entry, etc.).
The CFATS Act of 2014 notes that nothing required under the CFATS Personnel Surety Program (PSP) will affect a facility’s right to maintain its own background check policies, including defining its own parameters for permitting access to restricted areas or critical assets that may be more or less thorough than the background check conducted under federal screening programs. Accordingly, for many reasons, companies may want to consider conducting more in-depth background checks on employees – even if leveraging federal screening programs to manage their CFATS PSPs.
Personnel Surety Program (PSP) Update
As part of the CFATS PSP under Risk-Based Performance Standard (RBPS) 12, facilities are required to identify individuals with terrorist ties. DHS has long recognized that this ability is an inherently governmental function that requires the use of information held in government-maintained databases (i.e., Terrorism Screening Database (TSDB)) that are unavailable to the public. On February 3, 2014, DHS published its most recent Information Collection Request (ICR) describing the different options to submit information about “affected individuals” to DHS for vetting against the TSDB.
Importantly, DHS is proposing to initially limit the requirements of the PSP to Tier 1 and Tier 2 facilities, but notes that it will publish and submit a subsequent ICR that incorporates any lessons learned and improvements before collecting information from Tier 3 and Tier 4 facilities. It remains unclear when DHS will begin to require Tier 1 and Tier 2 facilities to submit information for TSDB vetting, but it is likely to be in late 2015 or early 2016.
Affected Individuals Under the PSP
Affected individuals include (1) facility personnel who have access, either unescorted or otherwise, to restricted areas or critical assets; and (2) unescorted visitors who have access to restricted areas or critical assets. The following groups are not considered affected individuals under the PSP: (1) federal officials acting in the scope of their officials duties; (2) state and local law enforcement officials acting in the scope of their official duties; and (3) emergency responders at the state and local level who gain unescorted access to restricted areas or critical assets during emergency situations. Importantly, DHS understands that in some emergency situations access by individuals (not described above), who have not had appropriate background checks, may be necessary. DHS urges facilities to describe such circumstances in their SSPs/ASPs.
Submission Options
The CFATS PSP ICR proposes three (3) different options to vet affected individuals:
- Option 1: Direct Vetting – Facilities may directly submit information to DHS about an affected individual.
- Option 2: Use of Vetting – Facilities may submit information to DHS about an affected individual’s enrollment in another DHS program so that DHS can electronically verify and validate that the individual is enrolled in the other program.
- Option 3: Electronic Verification of Transportation Worker Identification Credential (TWIC) – Facilities may electronically verify and validate an affected individual’s TWIC through the use of TWIC readers instead of submitting information about the affected individual to DHS.
However, as a result of the personnel surety provisions in the CFATS Act of 2014, it is expected that DHS will significantly adjust or even altogether remove some of its proposed submission options:
- Option 1: Direct Vetting – Submitting information about affected individuals directly to DHS will likely remain a viable option for some facilities under the PSP. For example, a facility with a small number of affected individuals may choose to simply submit information to DHS rather than require those persons to enroll in a federal screening program. Other facilities may choose this option to avoid the cost of enrolling their affected individuals in a federal screening program, which can vary from $85 (for TSA Pre-Check) to $128 (for TWIC). Accordingly, we expect DHS to keep Option 1 available under the PSP, likely via submissions in the Chemical Security Assessment Tool (CSAT).
- Option 2: Use of Vetting – Because the CFATS Act of 2014 allows facilities to use visual inspection to verify that an individual’s federal screening program credential or documentation is current, there will be no need to submit information to DHS about an affected individual’s enrollment in another federal screening program. Further, the CFATS Act of 2014 explicitly prohibits DHS from requiring facilities to submit information about individuals who have already submitted information under another federal screening program (e.g., TWIC, Global Entry, etc.). As a result, we expect DHS to remove Option 2 from the PSP.
- Option 3: Electronic Verification of TWIC – Because the CFATS Act of 2014 allows facilities to use visual inspection to verify that an individual’s federal screening program credential or documentation is current (including TWIC), there will be no need to use TWIC readers to electronically verify an individual’s TWIC. Although DHS would presumably still accept this approach, purchasing and installing TWIC readers would not make sense for a facility from a time and cost perspective given the option to utilize visual inspection. It is currently unknown at this time whether DHS will keep Option 3 available.
Information Collection Under Option 1
The following table identifies the information that facilities would be required to submit to DHS for affected individuals under Option 1:
Requirement | Required Information (US Persons) | Required Information (Non-US Persons) | Optional Information |
Option 1 (Direct Vetting) | Full Name Date of Birth Citizenship or Gender | Full Name Date of Birth Citizenship Passport Information and/or Alien Registration Number | Aliases Gender (for Non-US Persons) Place of Birth Redress Number |
Submission Schedule
DHS expects each facility to begin submitting information about affected individuals after (1) the facility has received a Letter of Authorization or Approval for its SSP/ASP that directs it to comply; and (2) the facility has been notified that DHS has implemented the CFATS PSP in the CSAT portal:
Requirement | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
Initial Submission | 60 days after letter of approval directing facility to comply and notification that DHS has implemented the PSP in the CSAT | 60 days after letter of approval directing facility to comply and notification that DHS has implemented the PSP in the CSAT | 90 days after letter of approval directing facility to comply and notification that DHS has implemented the PSP in the CSAT | 90 days after letter of approval directing facility to comply and notification that DHS has implemented the PSP in the CSAT |
Submission of New Affected Individual Information | 48 hours prior to access to restricted area | 48 hours prior to access to restricted area | 48 hours prior to access to restricted area | 48 hours prior to access to restricted area |
Submissions of Updates and Corrections | Within 90 days of becoming aware of the need for an update or correction | Within 90 days of becoming aware of the need for an update or correction | Within 90 days of becoming aware of the need for an update or correction | Within 90 days of becoming aware of the need for an update or correction |
Submission of Notification That Affected Individual No Longer Has Access | Within 90 days of access being removed | Within 90 days of access being removed | Within 90 days of access being removed | Within 90 days of access being removed |
All facilities would be expected to submit information regarding new affected individuals at least 48 hours prior to the individual being granted unescorted access to a restricted area or critical asset, and within 90 days of an individual’s access to a restricted area or critical asset being removed. In the ICR, DHS clarifies that facilities will not be required to re-submit information about affected individuals 48 hours prior to each instance of access to a restricted area or critical asset. Rather, facilities will be able to structure CSAT data submissions in order to indicate that the affected individual will have access to a restricted area or critical asset on an ongoing basis.
Scope of CFATS Personnel Surety Requirements
The scope of individuals affected by the regulation is broad. For instance, individuals may require screening under CFATS despite the fact that they have, by virtue of the length of their employment, been “grandfathered in” by the company. DHS has specifically indicated that “[m]erely because an individual has worked in a chemical facility for a period of time without incident does not automatically mean that they do not pose a terrorism risk and should be given free access to restricted areas and critical assets without a background check.” 72 Fed. Reg. 17,708. Further, the regulation does not limit application in any manner to a specific type of “covered person.” This, in turn, raises contract considerations for certain classes of third-parties, such as security guards and security integrators.
The number and type of personnel requiring background checks pursuant to CFATS often may depend on how the facility defines its assets and/or restricted areas in its CFATS SSP. Conceptually, only individuals with access to CFATS-Designated Restricted Areas at a facility would be subject to the CFATS personnel surety requirements. This may involve identifying (or creating) assets under RBPS 2 – Secure Site Assets.
Additional Resources:
Protecting and Securing Chemical Facilities From Terrorist Attack Act of 2014
CFATS Advanced Notice of Proposed Rulemaking (ANPRM) (2014)
CFATS Final Rule – 6 CFR Part 27
Appendix A to CFATS
RBPS Guidance (Full)
RBPS Guidance (RBPS 12)
Personnel Surety ICR June 2009
First Advantage Comments to June 2009 ICR
DHS Responses to First Advantage Comments June 2009 ICR
First Advantage Comments to RBPS Guidance Document
DHS CFATS Homepage
DHS CFATS Knowledge Center
Top-Screen Questions
Top-Screen Instructions
SVA Questions
SVA Instructions
SSP Questions
SSP Instructions