Friday, February 21, 2014

30 Day CFATS PSP ICR – Background Check Agency

This is part of an ongoing series of blog posts about the recently published 30-day information collection request (ICR) published in the Federal Register by DHS. This ICR would support the long overdue personnel surety program requirements for the Chemical Facility Anti-Terrorism Standards (CFATS) program. Earlier posts in the series include:


In the previous post in the series I briefly discussed the roll of background check agencies in the PSP process as described (in passing) in the ICR. A reader asked me to expand on the idea so in this post I’ll take a more detailed look at how BGCAs will fit into the PSP processes.

Visitors

One of the major problems that many commenters have had with the PSP process outlined in the ICR is the issue of visitor’s being vetted 48 hours before they are given unescorted access to the facility. There are a wide number of folks that periodically visit chemical facilities to provide a wide variety of services. Some of these personnel are asked in on extremely short notice to provide high value services.

While the facility could get around the PSP vetting rules by providing vetted escorts for these visitors, this is frequently not a realistic option given the limited number of personnel working at many of these facilities. Relying on the escort provisions of the vetting rules would end up in many cases where there is escort in name only and facility managers are smart enough to realize this in advance of the situation arising.

Organizations that routinely provide these types of services could register with the folks at DHS as a sort of BGCA. The PII for their field support personnel would be entered into the PSP tool and would be linked with all of the covered chemical facilities that they had support contracts with. When the vendor linked an employee’s information to a covered facility, that facility would be notified by ISCD that the vetting information had been provided to DHS.

In the event that one of the employees at one of these vendors had to be assigned to a new facility on short notice, it would not be problem as long as their PII had already been submitted to ISCD. As long as there was enough time for ISCD to notify the facility that the person’s information had been submitted, the visitor would be properly vetted.

Facilities would have to have some way to identify these individuals when they arrived at the facility gate. This process could easily be established by the vendor emailing a copy of their employee’s corporate ID to the facility security manager in advance of visitor’s arrival. This information could be provided to the gate personnel as part of a daily expected visitors list. Checking the identification against that list would provide the means for closing the loop on the vetting process.

Truck Drivers

Most chemical facilities see a daily parade of local and long haul truck drivers picking up and delivering materials at the facility. In many cases it is not possible to keep those trucks away from critical areas of the facility and it is typically going to be difficult to provide an escort for a truck moving through the facility.

A large number of truck drivers already have already been vetted for their Hazardous Materials Endorsement (HME) or a Transportation Workers Identification Credential (TWIC). For reasons that I discussed in the ‘Three Options’ blog in this series ISCD is still requiring a PII submission on these folks to ensure that credential vetting is up-to-date. An alternative method is provided for the TWIC folks; no data submission is required if their TWIC is periodically validated by a TWIC Reader or checked against the Canceled Card List (CCL) and the Certificate Revocation List (CRL).

Plants fully realize that they will not be able to do the required PII submissions when a truck driver shows up at their gate. The facilities will get around this by requiring all delivery companies to ensure that their drivers have been vetted against the CFATS PSP before they will be allowed to deliver or pick-up loads at the facility. Maritime Transportation Security Act (MTSA) covered facilities are already using that tactic with requiring drivers to have TWICs for similar reasons.

Trucking companies that routinely service MTSA covered facilities are going to have little problem certifying that their drivers’ TWICs are periodically validated by TWIC Readers. For companies located further from port facilities that certification will be harder to do.

Again, the trucking company could set itself up in the CFATS PSP tool as a BGCA and register their drivers. HME and TWIC holders would be entered in one portion of the tool and the remainder of the drivers in the other portion. Those registered drivers would be linked to the facilities to which they would be expected to deliver. For driver changes, all that would be necessary would be for there to be enough time for ISCD to notify the facility that the driver’s PII had been submitted.

And again, there would have to be some way to close the loop by adequately identifying the driver to the facility. This would be accomplished in the same way that I described in the Visitor’s Section above.

Contractors

Contractor is kind of an undefined term used in the ICR and the CFATS regulations. Generally speaking there are two groups of people that fit into this category. One is a large company that provides a variety of direct services to the facility under a blanket contract. These folks will almost certainly want to avail themselves of the BGCA provisions to get their people vetted. Many of these people will be moved from facility to facility as needs change so it would provide a lot more versatility to the organization if they would not have to go through a new vetting process every time they were moved.

The second kind of contractor is usually a professional that is hired individually on a contract basis for providing a specific service for a specific amount of time. The longer the expected period of the service the more likely it will be that the individual facility will handle the vetting process. For those individuals that move between facilities more frequently, it may be worthwhile to find a BGCA that provides CFATS PSP vetting services and pay them to submit his PII. In other cases it may be more appropriate for the individual contractor to handle those BGCA activities on their own.

Site Security Plan

ISCD has made clear in the ICR discussions that they intend to provide a certain amount of creative leeway for facilities to tailor the PSP program to their situation. This means that if a facility intends to allow the use of a BGCA to vet the various non-employees that periodically show up at the facility gates to work then there will have to be a decent description of how that second-party vetting process would be conducted.

ISCD also reminds folks fairly frequently in the ICR discussion that the DHS vetting against the TSDB is only one portion of the background check requirements outlined in the personnel surety Risk-Based Performance Standard. The CFATS regulations (6 CFR §27.230(12)) outline three additional types of background checks that need to be done as part of the facility PSP. Those are:

• Measures designed to verify and validate identity;
• Measures designed to check criminal history;
• Measures designed to verify and validate legal authorization to work;

The first and last of those requirements are fairly straight forward and are outlined in more general labor regulations. The second provides the facility management with a lot more leeway in what is determined to be acceptable findings in the individuals criminal history. What criminal offenses and/or times since completion of the jail time for those offenses is deemed to be disqualifying is up to the facility management.


When a facility uses a BGCA to vet some or all of their employees there needs to be clear rules spelled out for that BGCA to make those criminal history assessments. This is particularly true when non-employee vetting is being done by someone different than does the employee vetting. It would seem to be prudent to have a standard Memorandum of Understanding with each vendor, contractor or trucking company that will be serving as its own BGCA that outlines the acceptable criminal background that the facility will allow as part of its Site Security Plan.

No comments:

 
/* Use this with templates/template-twocol.html */