Chemical Facility Anti-Terrorism Standards; Personnel Surety Program Implementation Notice, 32768-32777 [2019-14591]

Federal Register / Vol. 84, No. 131 / Tuesday, July 9, 2019 / Notices
DEPARTMENT OF HOMELAND SECURITY

Chemical Facility Anti-Terrorism Standards; Personnel Surety Program Implementation Notice

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).

ACTION: Notice Implementing the CFATS Personnel Surety Program at All High-risk Chemical Facilities.

SUMMARY: CISA is providing notice to the public and chemical facilities regulated under the Chemical Facility Anti-Terrorism Standards (CFATS) that it is commencing full implementation of the CFATS Personnel Surety Program at all high-risk chemical facilities. CFATS requires regulated chemical facilities to implement security measures designed to ensure that certain individuals with or seeking access to the restricted areas or critical assets at those chemical facilities are screened for terrorist ties. The CFATS Personnel Surety Program enables regulated chemical facilities to meet this requirement.

DATES: This notice is applicable July 9, 2019.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Notice of Full Implementation
II. Statutory and Regulatory History of the CFATS Personnel Surety Program
III. Contents and Requirements of the CFATS Personnel Surety Program
   A. Who must be Checked for Terrorist Ties?
   B. Checking for Terrorist Ties during an Emergency or Exigent Situation
   C. High-Risk Chemical Facilities have Flexibility when Implementing the CFATS Personnel Surety Program
   D. Options Available to High-Risk Chemical Facilities to Comply with RBPS 12(iv)
   E. High-Risk Chemical Facilities may Use More Than One Option
   F. High-Risk Chemical Facilities may Propose Additional Options
   G. Security Considerations for High-risk Chemical Facilities to Weigh in Selecting Options
   H. When the Check for Terrorist Ties must be Completed
IV. Additional Details about Option 1 and Option 2 (Which Involve the Submission of Information to CISA)
   A. Submission of a New Affected Individual’s Information under Option 1 or Option 2
   B. Updates & Corrections to Information about Affected Individuals under Option 1 or Option 2
   C. Notification that an Affected Individual No Longer Has Access under Option 1 or Option 2
   D. What/Who is the Source of the Information under Option 1 and Option 2
V. CSAT User Roles and Responsibilities
VI. Privacy Considerations
   A. Privacy Act Requirements to Enable Option 1 and Option 2
   B. Redress
   C. Additional Privacy Considerations Related to Option 1 and Option 2
   D. Additional Privacy Considerations for Option 3 and Option 4
VII. Information a High-Risk Chemical Facility may Wish to Consider Including in its SSP

I. Notice of Full Implementation

CISA is publishing this notice to inform high-risk chemical facilities, in particular Tier 3 and Tier 4 facilities, regulated under CFATS of the full implementation of the CFATS Personnel Surety Program at all high-risk chemical facilities. CISA has previously implemented the Personnel Surety Program at Tier 1 and 2 facilities.1 CISA will now implement the program in a phased manner at all high-risk chemical facilities, to include Tier 3 and 4 facilities.2 High-risk chemical facilities will be individually notified when to begin implementing risk-based performance standard (RBPS) 12(iv) in accordance with its Site Security Plan (SSP).3 High-risk chemical facilities at which the CFATS Personnel Surety Program is already implemented are unaffected by this notice.

1 On December 18, 2015 at 80 FR 79058, the Department published the initial implementation notice for the CFATS Personnel Surety Program. The initial implementation was limited to Tier 1 and Tier 2 high-risk chemical facilities. The initial implementation notice may be viewed at https://www.federalregister.gov/d/2015-31625.

2 CISA is implementing in a phased manner based upon its experience implementing the CFATS Personnel Surety Program at Tier 1 and Tier 2 facilities, requests by commenters to the 60-day PRA notice and 30-day notice, and the terms of clearance within the Notice of Action issued by OMB when it approved the CFATS Personnel Surety Program Information Collection Request in May of 2019.

3 Throughout this notice any reference to SSPs also refers to Alternative Security Programs submitted by high-risk chemical facilities as described in 6 CFR 27.235.

II. Statutory and Regulatory History of the CFATS Personnel Surety Program

Section 550 of the Department of Homeland Security Appropriations Act of 2007, Public Law 109–295 (2006) (“Section 550”), provided the Department with the authority to identify and regulate the security of high-risk chemical facilities using a risk-based approach. On April 9, 2007, the Department issued the CFATS Interim Final Rule (IFR) implementing this statutory mandate. 72 FR 17688.

Section 550 required that the Department establish risk-based performance standards for high-risk chemical facilities, and through the CFATS regulations the Department promulgated 18 RBPSs, including RBPS 12—Personnel Surety. Under RBPS 12, high-risk chemical facilities regulated under CFATS are required to account for the conduct of certain types of background checks in their Site Security Plans. Specifically, RBPS 12 requires high-risk chemical facilities to:

Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including, (i) Measures designed to verify and validate identity; (ii) Measures designed to check criminal history; (iii) Measures designed to verify and validate legal authorization to work; and (iv) Measures designed to identify people with terrorist ties[.]

6 CFR 27.230(a)(12).

The first three aspects of RBPS 12 (checks for identity, criminal history, and legal authorization to work) have already been implemented, and all high-risk chemical facilities have addressed these aspects of RBPS 12 in their Site Security Plans. This notice announces to the public and chemical facilities that it is commencing full implementation of the CFATS Personnel Surety Program at all high-risk chemical facilities, which requires high-risk chemical facilities to implement security measures designed to ensure that certain individuals with or seeking access to the restricted areas or critical assets at those chemical facilities are screened for terrorist ties.

Identifying affected individuals who have terrorist ties is an inherently governmental function and requires the use of information held in government-maintained databases that are unavailable to high-risk chemical facilities. 72 FR 17688, 17709 (April 9, 2007). Thus, under RBPS 12(iv), CISA and high-risk chemical facilities must work together to satisfy the “terrorist ties” aspect of the Personnel Surety performance standard. To implement the provisions of RBPS 12(iv), and in accordance with Title XXI of the Homeland Security Act of 2002, as amended,4 the following options will be available to enable high-risk chemical facilities to facilitate terrorist-ties vetting of affected individuals.

4 6 U.S.C. 621 et seq.

Option 1. High-risk chemical facilities may submit certain information about affected individuals that CISA will use to vet those individuals for terrorist ties. Specifically, the identifying information about affected individuals will be compared against identifying information of known or suspected terrorists contained in the federal government’s consolidated and integrated terrorist watchlist, the Terrorist Screening Database (TSDB), which is maintained by the Department of Justice (DOJ) Federal Bureau of Investigation (FBI) in the Terrorist Screening Center (TSC).5

5 For more information about the TSDB, see DOJ/FBI–019 Terrorist Screening Records System, 72 FR 47073 (August 22, 2007).

Option 2. High-risk chemical facilities may submit information about affected individuals who already possess certain credentials that rely on security threat assessments conducted by the Department. See 72 FR 17688, 17709 (April 9, 2007). This will enable CISA to verify the continuing validity of these credentials.

Option 3. High-risk chemical facilities may comply with RBPS 12(iv) without submitting to CISA information about affected individuals who possess Transportation Worker Identification Credentials (TWICs), if a high-risk chemical facility electronically verifies and validates the affected individual’s TWICs through the use of TWIC readers (or other technology that is periodically updated using the Canceled Card List).

Option 4. High-risk chemical facilities may visually verify certain credentials or documents that are issued by a Federal screening program that periodically vets enrolled individuals against the Terrorist Screening Database (TSDB). CISA continues to believe that visual verification has significant security limitations and, accordingly, encourages high-risk chemical facilities choosing this option to identify in their Site Security Plans the means by which they plan to address these limitations.

Each of these options is described in further detail below in Section III.D.

III. Contents and Requirements of the CFATS Personnel Surety Program

The CFATS Personnel Surety Program enables CISA and high-risk chemical facilities to mitigate the risk that certain individuals with or seeking access to restricted areas or critical assets at high-risk chemical facilities may have terrorist ties.

A. Who must be checked for terrorist ties?

RBPS 12(iv) requires that certain individuals with or seeking access to restricted areas or critical assets at high-risk chemical facilities be checked for terrorist ties. These individuals are referred to as “affected individuals.” Specifically, affected individuals are facility personnel or unescorted visitors with or seeking access to restricted areas or critical assets at high-risk chemical facilities. High-risk facilities may classify particular contractors or categories of contractors either as “facility personnel” or as “visitors.” This determination should be a facility-specific determination, and should be based on facility-security considerations, operational requirements, and business practices.

There are also certain groups of persons, which CISA does not consider to be affected individuals, such as (1) federal officials who gain unescorted access to restricted areas or critical assets as part of their official duties; (2) state and local law enforcement officials who gain unescorted access to restricted areas or critical assets as part of their official duties; and (3) emergency responders at the state or local level who gain unescorted access to restricted areas or critical assets during emergency situations.

B. Checking for Terrorist Ties During an Emergency or Exigent Situation

In some emergency or exigent situations, access to restricted areas or critical assets by other individuals who have not had appropriate background checks under RBPS 12 may be necessary.
For example, emergency responders who are not emergency responders at the state or local level may require such access as part of their official duties under appropriate circumstances. If high-risk chemical facilities anticipate that an individual will require access to restricted areas or critical assets without visitor escorts or without the background checks listed in RBPS 12 under exceptional circumstances (e.g., foreseeable but unpredictable circumstances), high-risk chemical facilities may describe such situations and the types of individuals who might require access in those situations in their SSPs. CISA will assess the situations described, and any security measures the high-risk chemical facility plans to take to mitigate vulnerabilities presented by these situations, as it reviews each high-risk chemical facility’s SSP.

C. High-Risk Chemical Facilities Have Flexibility When Implementing the CFATS Personnel Surety Program

A high-risk chemical facility will have flexibility to tailor its implementation of the CFATS Personnel Surety Program to fit its individual circumstances and, in this regard, to best balance who qualifies as an affected individual, unique security issues, costs, and burden. For example, a high-risk chemical facility may, in its Site Security Plan:

• Restrict the numbers and types of persons allowed to access its restricted areas and critical assets, thus limiting the number of persons who will need to be checked for terrorist ties.
• Define its restricted areas and critical assets, thus potentially limiting the number of persons who will need to be checked for terrorist ties.
• Choose to escort visitors accessing restricted areas and critical assets in lieu of performing terrorist ties background checks under the CFATS Personnel Surety Program. The high-risk chemical facility may propose in its SSP traditional escorting solutions and/or innovative escorting alternatives such as video monitoring (which may reduce facility security costs), as appropriate, to address the unique security risks present at the facility.

D. Options Available to High-Risk Chemical Facilities To Comply With RBPS 12(iv)

CISA has developed a CFATS Personnel Surety Program that provides high-risk chemical facilities several options to comply with RBPS 12(iv). In addition to the alternatives expressly described in this notice, CISA will also permit high-risk chemical facilities to propose alternative measures for terrorist ties identification in their SSPs, which CISA will consider on a case-by-case basis in evaluating high-risk chemical facilities’ SSPs.

Of note, and as discussed further below, a high-risk chemical facility may choose one option or a combination of options to comply with RBPS 12(iv).

Overview of Option 1

The first option allows high-risk chemical facilities (or designee(s)) 6 to submit certain information about affected individuals to CISA through a Personnel Surety Program application in an online technology system developed under CFATS called the Chemical Security Assessment Tool (CSAT). Access to and the use of CSAT is provided free of charge to high-risk chemical facilities (or their designee(s)).

6 A designee is a third party that submits information about affected individuals to CISA on behalf of a high-risk chemical facility.

Under this option, information about affected individuals submitted by, or on behalf of, high-risk chemical facilities will be compared against identifying information of known or suspected terrorists contained in the TSDB.7

7 Detailed information about the submission of information about affected individuals under Option 1 to the Department for vetting purposes via CSAT can be found in the CSAT Personnel Surety Program User Manual available on www.dhs.gov/chemicalsecurity.

If Option 1 is selected by a high-risk chemical facility in its SSP, the facility (or its designee(s)) must submit the following information about an affected individual to satisfy RBPS 12(iv):

• For U.S. Persons (U.S. citizens and nationals as well as U.S. lawful permanent residents):
  ◦ Full Name
  ◦ Date of Birth
  ◦ Citizenship or Gender
• For Non-U.S. Persons:
  ◦ Full Name
  ◦ Date of Birth
  ◦ Citizenship
  ◦ Passport information and/or alien registration number

To reduce the likelihood of false positives in matching against records in the Federal Government’s consolidated and integrated terrorist watchlist, high-risk chemical facilities (or their designee(s)) are encouraged, but not required, to submit the following optional information about each affected individual:

• Aliases
• Gender (for Non-U.S. Persons)
• Place of Birth
• Redress Number 8

8 For more information about Redress Numbers, please go to https://www.dhs.gov/one-stop-travelers-redress-process#1.

If a high-risk chemical facility chooses to submit information about an affected individual under Option 1, the following table summarizes the biographic data that would be submitted to CISA.

TABLE 01—AFFECTED INDIVIDUAL REQUIRED AND OPTIONAL DATA UNDER OPTION 1

| Data elements submitted to CISA | For a U.S. person | For a Non-U.S. person |
|---|---|---|
| Full Name | Required. | Required. |
| Date of Birth | Required. | Required. |
| Gender | Must provide Citizenship or Gender | Optional. |
| Citizenship | Must provide Citizenship or Gender | Required. |
| Passport Information and/or Alien Registration Number | N/A | Required. |
| Aliases | Optional. | Optional. |
| Place of Birth | Optional. | Optional. |
| Redress Number | Optional. | Optional. |

Overview of Option 2

The second option also allows high-risk chemical facilities (or designee(s)) to submit certain information about affected individuals to CISA through a Personnel Surety Program application.9 This option allows high-risk chemical facilities and CISA to take advantage of the vetting for terrorist ties already being conducted on affected individuals enrolled in the TWIC Program, Hazardous Materials Endorsement (HME) Program, as well as the NEXUS, Secure Electronic Network for Travelers Rapid Inspection (SENTRI), Free and Secure Trade (FAST), and Global Entry Trusted Traveler Programs.

9 Detailed information about the submission of information about affected individuals under Option 2 to the Department via CSAT can be found in the CSAT Personnel Surety Program User Manual available on www.dhs.gov/chemicalsecurity.

Under Option 2, high-risk chemical facilities (or designee(s)) may submit information to CISA about affected individuals possessing the appropriate credentials to enable CISA to electronically verify the affected individuals’ enrollments in these other programs. CISA will subsequently notify the Submitter 10 of the high-risk chemical facility whether or not an affected individual’s enrollment in one of these other DHS programs was electronically verified. CISA will also periodically re-verify each affected individual’s continued enrollment in one of these other programs, and notify the high-risk chemical facility and/or designee(s) of significant changes in the status of an affected individual’s enrollment (e.g., if an affected individual who has been enrolled in the HME Program ceases to be enrolled, then CISA would change the status of the affected individual in the CSAT Personnel Surety Program application and notify the Submitter).11 Electronic verification and re-verification ensure that both CISA and the high-risk chemical facility can rely upon the continuing validity of an affected individual’s credential or endorsement. As a condition of choosing Option 2, a high-risk chemical facility must describe in its SSP what action(s) it, or its designee(s), will take in the event CISA is unable to verify, or no longer able to verify, an affected individual’s enrollment in the other DHS program. The high-risk facility must take some action and not leave the situation unresolved.

10 A Submitter is a person who is responsible for the submission of information through the CSAT system as required in 6 CFR 27.200(b)(3).

11 When the Department notifies the Submitter of the high-risk chemical facility of significant changes in the status of an affected individual’s enrollment, such a notification should not be construed to indicate that an individual has terrorist ties or be treated as derogatory information.

If Option 2 is selected by a high-risk chemical facility in its SSP, the high-risk chemical facility (or designee(s)) must submit the following information about an affected individual to satisfy RBPS 12(iv):

• Full Name;
• Date of Birth; and
• Program-specific information or credential information, such as unique number, or issuing entity (e.g., State for Commercial Driver’s License (CDL) associated with an HME).

To further reduce the potential for misidentification, high-risk chemical facilities (or designee(s)) are encouraged, but not required, to submit the following optional information about affected individuals to CISA:

• Aliases
• Gender
• Place of Birth
• Citizenship

If a high-risk chemical facility chooses to submit information about an affected individual under Option 2, the following table summarizes the biographic data that would be submitted to CISA.

TABLE 02—AFFECTED INDIVIDUAL REQUIRED AND OPTIONAL DATA UNDER OPTION 2

| Data elements submitted to CISA | For affected individual with a TWIC | For affected individual with an HME | For affected individual enrolled in a trusted traveler program (NEXUS, SENTRI, FAST, or Global Entry) |
|---|---|---|---|
| Full Name | Required. | Required. | Required. |
| Date of Birth | Required. | Required. | Required. |
| Expiration Date | Required. | Required. | Required. |
| Unique Identifying Number | TWIC Serial Number: Required | CDL Number: Required | PASS ID Number: Required. |
| Issuing State of CDL | N/A | Required* | N/A. |
| Aliases | Optional. | Optional. | Optional. |
| Gender | Optional. | Optional. | Optional. |
| Place of Birth | Optional. | Optional. | Optional. |
| Citizenship | Optional. | Optional. | Optional. |

Overview of Option 3

Under Option 3—Electronic Verification of TWIC, a high-risk chemical facility (or its designee(s)) will not submit to CISA information about affected individuals in possession of TWICs, but rather will electronically verify and validate the affected individuals’ TWICs 12 through the use of TWIC readers (or other technology that is periodically updated with revoked card information). Any high-risk chemical facility that chooses this option must describe in its SSP the process and procedures it will follow if it chooses to use TWIC readers, including what action(s) it, or its designee(s), will take in the event the high-risk chemical facility is unable to verify the TWIC, or subsequently unable to verify an affected individual’s TWIC. For example, if a TWIC cannot be verified through the use of a TWIC Reader, the high-risk chemical facility may choose to verify the affected individual’s enrollment in TWIC under Option 2, or submit information about the affected individual under Option 1.

12 Electronic verification and validation of an affected individual’s TWIC requires authentication that the affected individual’s TWIC (1) is a valid credential issued by TSA, and (2) has not been cancelled by the TSA, and (3) the biometric live sample matches the biometric template on the TWIC.

Overview of Option 4

Option 4—Visual Verification Of Credentials Conducting Periodic Vetting complies with section 2102(d)(2) of the Homeland Security Act and allows a high-risk chemical facility to satisfy its obligation under 6 CFR 27.230(a)(12)(iv) to identify individuals with terrorist ties using any Federal screening program that periodically vets individuals against the TSDB if:

• The Federal screening program issues a credential or document,13
• The high-risk chemical facility is presented 14 a credential or document by the affected individual,15 and
• The high-risk chemical facility verifies the credential or document is current in accordance with its SSP.16

13 This requirement is derived from section 2102(d)(2)(B)(i) of the Homeland Security Act.

14 The Department considers records of credentials or documents maintained by the high-risk chemical facility, or designee, as having been presented by the affected individual. For example, if high-risk chemical facility (or designee) has in its personnel or access control files a photocopy of an affected individual’s CDL with an HME, the high-risk chemical facility may consider the copy in its files as having been presented by the affected individual.

15 Section 2102(d)(2)(B)(i)(II)(aa) of the Homeland Security Act requires high-risk chemical facilities to accept the credential or document from any federal screening program that conducts periodic vetting against the TSDB. Under Option 4, a high-risk chemical facility may contact the Department when drafting its SSP to determine if a specific credential or document is from a federal screening program that conducts periodic vetting against the TSDB.

16 This requirement is derived from section 2102(d)(2)(B)(i)(II)(bb) of the Homeland Security Act.

As a result, a high-risk chemical facility may verify that a credential or document is current based upon visual inspection, if the processes for conducting such visual inspections are described in its SSP. When developing such processes, CISA encourages high-risk chemical facilities to consider any rules, processes, and procedures prescribed by the entity issuing the credential or document. CISA believes that visual verification has inherent limitations and provides less security value than the other options available under the CFATS Personnel Surety Program.
CISA encourages every high-risk chemical facility to consider a means of verification that is consistent with its specific circumstances and its assessment of the threat posed by the acceptance of such credentials. If a facility chooses to use Option 4, in whole or in part, it should also identify in its Site Security Plan the means by which it plans to address these limitations.

An example of Option 4 that could be implemented by a high-risk chemical facility is to leverage the vetting conducted by the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) on affected individuals who are employee possessors of a Federal explosives licensee/permittee. For example, a high-risk chemical facility may rely on a “letter of clearance” issued by ATF when presented by an affected individual who is also an employee-possessor of explosives. The high-risk chemical facility should describe in its SSP the procedures it will use to verify the letter of clearance is current. CISA will consider high-risk chemical facilities’ proposals in the course of evaluating individual SSPs.

E. High-Risk Chemical Facilities May Use More Than One Option

High-risk chemical facilities have discretion as to which option(s) to use for an affected individual. For example, if an affected individual possesses a TWIC or some other credential or document, a high-risk chemical facility could choose to use Option 1 for that individual. Similarly, a high-risk chemical facility, at its discretion, may choose to use Option 1 or Option 2 rather than Option 3 or Option 4 for affected individuals who have TWICs or some other credential or document. High-risk chemical facilities also may choose to combine Option 1 with Option 2, Option 3, and/or Option 4, as appropriate, to ensure that adequate terrorist ties checks are performed on different types of affected individuals (e.g., employees, contractors, unescorted visitors).
Each high-risk chemical facility must describe how it will comply with RBPS 12(iv) in its SSP.

F. High-Risk Chemical Facilities May Propose Additional Options

In addition to the options described above for satisfying RBPS 12(iv), a high-risk chemical facility is welcome to propose alternative or supplemental options not described in this document in its SSPs. CISA will assess the adequacy of such alternative or supplemental options on a facility-by-facility basis, in the course of evaluating each facility’s SSP.

G. Security Considerations for High-Risk Chemical Facilities To Weigh in Selecting Options

CISA believes the greatest security benefit is achieved when a high-risk chemical facility selects either Option 1 and/or Option 2. Option 3 also provides significant security benefit. Option 4 provides some security benefit but less than Option 1, Option 2, or Option 3.

Option 1 and Option 2 provide the greatest security benefit because the information submitted about each affected individual will be recurrently vetted against the TSDB. Recurrent vetting is a Department best practice and compares an affected individual’s information against new and/or updated TSDB records as such records become available. Further, in the event that an affected individual with terrorist ties has or is seeking access to restricted areas or critical assets, if information about that affected individual is submitted to CISA under Option 1 or Option 2, CISA will be able to ensure that an appropriate Federal law enforcement agency is notified and that, as appropriate and consistent with law-enforcement and intelligence requirements, the facility receives notification as well.

Option 3 also provides significant security benefit because information about affected individuals with TWICs is recurrently vetted against the TSDB.
However, since CISA does not receive information about these affected individuals from high-risk chemical facilities under Option 3, CISA cannot ensure that the appropriate Federal law enforcement agency is provided information about the high-risk chemical facility at which any such affected individual with terrorist ties has or is seeking access.

Finally, Option 4 provides a more-limited security benefit, as some Federal screening programs do not conduct recurrent vetting. Recurrent vetting compares an affected individual’s information against new and/or updated TSDB records as those new and/or updated records become available. Recurrent vetting is a Department best practice because often records about terrorists are either created or updated in the TSDB after the initial vetting has already occurred. Consequently, recurrent vetting results in additional matches and provides substantial security value.

In addition, relying on a visual inspection of a credential or document is not as secure as electronic verification because visual inspection may make it more difficult to ascertain whether a credential or document has expired, been revoked, or is fraudulent. For example, the visual verification of a TWIC will not reveal whether the TWIC has been revoked by the Transportation Security Administration. Similarly, visual verification of a Hazardous Material Endorsement on a commercial driver’s license will not reveal if the endorsement has expired or been revoked.

Finally, since CISA will not receive from high-risk chemical facilities information about affected individuals whose credentials are visually verified, CISA will be unable to ensure the appropriate Federal law enforcement agency is provided information regarding the risks posed to a high-risk chemical facility by any such affected individual with terrorist ties, nor will it be able to ensure that the facility receives appropriate notification of the risk.
For the reasons described above, Option 4 provides less security value than the other options available to high-risk chemical facilities under the CFATS Personnel Surety Program.

H. When the Check for Terrorist Ties Must Be Completed

CISA will notify high-risk chemical facilities, individually, when it will require each to address RBPS 12(iv) in its SSP. After that notification, a facility must update or draft its SSP to address RBPS 12(iv), as appropriate, prior to authorization or approval by CISA. After authorization or approval, a high-risk chemical facility (as described in its authorized or approved SSP) must complete the terrorist ties check required to be conducted on a particular affected individual by 6 CFR 27.230(a)(iv) prior to the affected individual being granted access to any restricted area or critical asset. For affected individuals with existing access, CISA will expect, unless otherwise noted in an authorized or approved SSP or ASP, that the terrorist ties check will be completed within 60 days after receiving authorization or approval of an SSP requiring the facility to implement measures to comply with RBPS 12(iv). A high-risk chemical facility may suggest an alternative schedule based on its unique circumstances in its SSP.

Table 03 below outlines the four primary options, and the expected time a high-risk chemical facility will have to complete the required activity(ies) outlined in the authorized or approved SSP to comply with RBPS 12(iv) for new affected individuals as well as affected individuals with existing access.

TABLE 03—SUMMARY OF OPTIONS TO CHECK FOR TERRORIST TIES

Option for compliance and facility activity description:
• OPTION 1—Direct Vetting: Facility submits information to CISA.
• OPTION 2—Use of Vetting Conducted Under Other DHS Programs: Facility submits information to CISA.
• OPTION 3—Electronic Verification of TWIC: Facility uses a TWIC Reader.
• OPTION 4—Visual Verification of Credentials Conducting Periodic Vetting: Facility conducts visual verifications by examining affected individuals’ credentials or documents.
• Facility-Proposed Alternative: Details about facility-proposed alternatives could vary significantly from facility to facility.

Timeline for new affected individuals:
• Options 1 through 4: Unless otherwise noted in an authorized or approved SSP, CISA expects that this activity will be completed prior to the affected individual being granted access to any restricted area or critical asset.
• Facility-Proposed Alternative: Details about facility-proposed alternatives could vary significantly from facility to facility.

Timeline for affected individuals with existing access:
• Options 1 through 4: Unless otherwise noted in an authorized or approved SSP, CISA expects that this activity will be completed within 60 days after receiving authorization or approval of an SSP requiring the facility to implement measures to comply with RBPS 12(iv).
• Facility-Proposed Alternative: Details about facility-proposed alternatives could vary significantly from facility to facility.

IV. Additional Details About Option 1 and Option 2 (Which Involve the Submission of Information to CISA)

A. Submission of a New Affected Individual’s Information Under Option 1 or Option 2

Under Option 1 or Option 2, a high-risk chemical facility may submit information about new affected individuals in accordance with its SSP. CISA encourages high-risk chemical facilities to submit information about affected individuals as soon as possible after an individual has been determined to be an affected individual. As described earlier in this notice, the high-risk chemical facilities must submit information prior to a new affected individual obtaining access to any restricted area or critical asset.

B. Updates & Corrections to Information About Affected Individuals Under Option 1 or Option 2

Section 2102(d)(2)(A)(i) of the Homeland Security Act prohibits CISA from requiring a high-risk chemical facility to submit information about an individual more than one time under Option 1 or Option 2. Therefore, under Option 1 or Option 2, a high-risk chemical facility may choose whether to submit data updates or corrections about affected individuals. CISA believes that there are substantial privacy risks if a high-risk chemical facility opts not to provide updates and corrections (e.g., updating or correcting a name or date of birth) about affected individuals. Specifically, the accuracy of an affected individual’s personal data being vetted against the TSDB for terrorist ties may be affected. Accurate information both (1) increases the likelihood of correct matches against information about known or suspected terrorists, and (2) decreases the likelihood of incorrect matches that associate affected individuals without terrorist ties with known and suspected terrorist identities. As a result, CISA encourages high-risk chemical facilities to submit updates and corrections as they become known so that the Department’s checks for terrorist ties, which are done on a recurrent basis, are accurate.

A lesson learned from the implementation of the CFATS Personnel Surety Program since December of 2015 was that high-risk chemical facilities could reduce the burden of continuous updates or corrections by reducing the frequency of updates or corrections. For example, a high-risk chemical facility could conduct audits of submitted information on a regular basis such as quarterly or annually and then subsequently update or correct the information.
If a high-risk chemical facility is either unable or unwilling to update or correct an affected individual’s information, the affected individual may seek redress as described in the CFATS Personnel Surety Program Privacy Impact Assessment.

C. Notification That an Affected Individual No Longer Has Access Under Option 1 or Option 2

Section 2102(d)(2)(A)(i) of the Homeland Security Act also prohibits CISA from requiring a high-risk chemical facility to notify CISA when an affected individual no longer has access to the restricted areas or critical assets of a high-risk chemical facility. Therefore, under Option 1 or Option 2, a high-risk chemical facility has the option to notify CISA when the affected individual no longer has access to any restricted areas or critical assets, but such notification is not required. CISA strongly encourages high-risk chemical facilities to notify CISA when an affected individual no longer has access to restricted areas or critical assets to ensure the accuracy of CISA’s data and to stop the recurrent vetting on the person who is no longer an affected individual.

A lesson learned from the implementation of the CFATS Personnel Surety Program since December of 2015 was that high-risk chemical facilities could reduce the burden of immediately updating the affected individual’s record within CSAT to reflect they no longer have access by reducing the frequency of these updates. For example, a high-risk chemical facility could conduct audits of submitted information on a regular basis such as quarterly or annually and then subsequently update the affected individual’s information. Alternatively, a high-risk chemical facility could submit the date an individual will no longer have access (e.g., a badge expiration date of an employee or contractor, or the date a contract expires for contractors).
If a high-risk chemical facility is either unable or unwilling to notify CISA when an affected individual no longer has access to restricted areas or critical assets, the affected individual may seek redress as described in the CFATS Personnel Surety Program Privacy Impact Assessment.

D. What/Who Is the Source of the Information Under Option 1 and Option 2

High-risk chemical facilities are responsible for complying with RBPS 12(iv). However, companies operating multiple high-risk chemical facilities, as well as companies operating only one high-risk chemical facility, may comply with RBPS 12(iv) in a variety of ways. A high-risk chemical facility, or its parent company, may choose to comply with RBPS 12(iv) by identifying and directly submitting to CISA the information about affected individuals. Alternatively, a high-risk chemical facility, or its parent company, may choose to comply with RBPS 12(iv) by outsourcing the information-submission process to third parties.

CISA also anticipates that many high-risk chemical facilities will rely on businesses that provide them with contract services (e.g., complex turn-arounds, freight delivery services, landscaping) to identify and submit the appropriate information about affected individuals the contract services employ to CISA under Option 1 and Option 2.

Both third parties that submit information on behalf of high-risk chemical facilities and businesses that provide services to high-risk chemical facilities must be designated by the high-risk chemical facility within CSAT in order to submit appropriate information about affected individuals to CISA on behalf of the high-risk chemical facility.[17]

[17] Information about how to designate a third party within CSAT is explained in the CFATS Personnel Surety Program User Manual available on www.dhs.gov/chemicalsecurity.

V. CSAT User Roles and Responsibilities

Under Options 1 and 2 (as described above), high-risk chemical facilities have wide latitude in assigning CSAT user roles to align with their business operations and/or the business operations of third parties that provide contracted services to them. CISA has structured the CSAT Personnel Surety Program application to allow designee(s) of high-risk chemical facilities to submit information about affected individuals directly to CISA on behalf of high-risk chemical facilities.

High-risk chemical facilities and designee(s) will be able to structure CSAT user roles to submit information about affected individuals to CISA in several ways, including but not limited to the following:

• A high-risk chemical facility may directly submit information about affected individuals, and designate one or more officers or employees of the facility with appropriate CSAT user roles; and/or
• A high-risk chemical facility may ensure the submission of information about affected individuals by designating one or more persons affiliated with a third party (or with multiple third parties); and/or
• A company owning several high-risk chemical facilities could consolidate its submission process for affected individuals. Specifically, the company could designate one or more persons to submit information about affected individuals on behalf of all or some of the high-risk chemical facilities within the company on a company-wide basis.

Third parties interested in providing information about affected individuals to CISA on behalf of high-risk chemical facilities may request a CSAT user account from the high-risk chemical facility or company for which the third party will be working.
Third parties will not be able to submit information about affected individuals until a high-risk chemical facility designates the third party within CSAT to submit information on its behalf.

CSAT Authorizers will receive access to the Personnel Surety application after the facility’s SSP has been approved or authorized by CISA for RBPS 12(iv). The CSAT Authorizer user role creates and manages all other CSAT user roles on behalf of the high-risk chemical facility. A high-risk chemical facility (or designee(s)) may then submit information under Option 1 or Option 2.

One lesson learned since the implementation of the CFATS Personnel Surety Program in December of 2015 was that high-risk chemical facilities can benefit from organizing records about affected individuals within the Personnel Surety application. Organizing the records of affected individuals can be particularly useful when a CSAT Authorizer needs to transfer responsibility of some, or all, records about affected individuals to another CSAT Authorizer (e.g., a company sells one or more high-risk chemical facilities to another company).

High-risk chemical facilities may organize submitted records about affected individuals through the use of "groups". Records about affected individuals within groups can be easily transferred. Groups also have the benefit of protecting against the unauthorized disclosure of records. For example, if a company uses a third party or a contractor to submit records about affected individuals, a company can limit a third party’s or contractor’s access to certain groups (e.g., a contractor could only access the group of records for the affected individuals who are employees of the contractor) and prevent the third party or contractor designee from accessing the records of affected individuals from another contractor or employees of the facility.
Additional information about groups and scenarios about how facilities may choose to implement groups may be found within the CSAT 2.0 User Manual.[18]

CSAT Authorizers can also organize submitted records about affected individuals through the use of "user defined fields". CSAT Authorizers may add one or more "user defined fields" (e.g., facility location, badge number, employee type, employee status, or contract name/designation) that allow a record about an affected individual to be labeled in a manner that best aligns with the high-risk chemical facility’s business practices.

CSAT Authorizers may use either or both methods (i.e., groups and "user defined fields") when considering how to organize submitted records of affected individuals.

Finally, CISA can provide assistance to CSAT Authorizers who must transfer responsibility for one or more facilities to another CSAT Authorizer, in which one or more of the facilities have affected individuals that have been submitted under Option 1 or Option 2. CSAT Authorizers may request assistance by contacting the CSAT Helpdesk.[19]

[18] The CSAT 2.0 User Manual may be found at https://www.dhs.gov/publication/csat-portal-user-manual.
[19] The CSAT Helpdesk may be contacted at 866–323–2957 (toll free) between 8:30 a.m. and 5 p.m. (ET), Monday through Friday. The CSAT Help Desk is closed for Federal holidays.

VI. Privacy Considerations

High-risk chemical facilities (or designee(s)) may maintain information about an affected individual, for the purpose of complying with CFATS, which is not submitted to CISA as part of the CFATS Personnel Surety Program (e.g., for compliance with RBPS 12(i)–(iii), or for recordkeeping pertaining to Option 3 or Option 4). Information not in the possession of and not submitted to CISA is not covered under the Privacy Act of 1974.
Nevertheless, CISA expects that high-risk chemical facilities and designee(s) will protect and safeguard any such information as outlined in their SSPs and in accordance with any other Federal, State, or local privacy laws that are applicable to the collection of the information, just as the high-risk chemical facilities would for other similar information collected under their normal business practices for activities unrelated to CFATS.

A. Privacy Act Requirements To Enable Option 1 and Option 2

CISA complies with all applicable federal privacy requirements including those contained in the Privacy Act, the E-Government Act, the Homeland Security Act, and Departmental policy. The United States also follows international instruments on privacy, all of which are consistent with the Fair Information Practice Principles (FIPPs).[20] The Department:

• Published a System of Records Notice (SORN) for the CFATS Personnel Surety Program on June 14, 2011 as well as a SORN Update on May 19, 2014.[21]
• Issued a Final Rule [22] to exempt portions of the Chemical Facility Anti-Terrorism Standards Personnel Surety Program SORN from certain provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements on May 21, 2014.
• Published a CFATS Personnel Surety Program Privacy Impact Assessment (PIA) in May 2011, and CFATS Personnel Surety Program PIA Updates in May of 2014, November of 2015, and May of 2017. The PIA and the updates are available at https://www.dhs.gov/publication/dhs-nppd-pia-018a-chemical-facilities-anti-terrorism-standards-personnel-surety.

With the publication of these privacy documents, CISA has ensured that the CFATS Personnel Surety Program complies with the appropriate privacy laws and Department of Homeland Security privacy policies.

[20] See Privacy Policy Guidance Memorandum, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security, available at https://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf (December 29, 2008).
[21] See DHS/NPPD–002—Chemical Facility Anti-Terrorism Standards Personnel Surety Program System of Records, published on May 19, 2014 at 79 FR 28752. DHS/NPPD–002 may be viewed at https://www.federalregister.gov/d/2014-11431.
[22] See Implementation of Exemptions; Department of Homeland Security/National Protection and Programs Directorate—002 Chemical Facility Anti-Terrorism Standards Personnel Surety Program System of Records, published on May 21, 2014 at 79 FR 29072. The final rule may be viewed at https://www.federalregister.gov/d/2014-11433.

B. Redress

The CFATS Personnel Surety Program complies with the requirement of section 2102(d)(2)(A)(iii) of the Homeland Security Act to provide redress to an individual: (1) Whose information was vetted against the TSDB under the program; and (2) who believes that the personally identifiable information submitted to the Department for such vetting by a covered chemical facility, or its designated representative, was inaccurate. The Department has described how to seek redress in the CFATS Personnel Surety Program Privacy Impact Assessment.

C. Additional Privacy Considerations Related To Option 1 and Option 2

The Submitter(s) of each high-risk chemical facility (or designee(s)) will be required to affirm that, in accordance with its SSP, notice required by the Privacy Act of 1974 has been given to affected individuals before their information is submitted to CISA. The Department has made available a sample Privacy Act notice that complies with subsection (e)(3) of the Privacy Act (5 U.S.C. 552a(e)(3)) in the CFATS Personnel Surety Program PIA Update published on November 10, 2015.[23] The sample notice, or a different satisfactory notice, must be provided by a high-risk chemical facility to affected individuals prior to the submission of Personally Identifiable Information (PII) to CISA under Option 1 and Option 2. This notice must: (1) Notify those individuals that their information is being submitted to CISA for vetting against the TSDB, and that in some cases additional information may be requested and submitted in order to resolve a potential match; (2) instruct those individuals how to access their information; (3) instruct those individuals how to correct their information; and (4) instruct those individuals on procedures available to them for redress if they believe their information has been improperly matched by the Department to information contained in the TSDB. Individuals have the opportunity and the right to decline to provide information; however, if an individual declines to provide information, he or she may impact a high-risk chemical facility’s compliance with CFATS.

[23] The November 20, 2015 CFATS Personnel Surety Program PIA Update, as well as other privacy related documents, are available on the Department’s website at https://www.dhs.gov/publication/dhs-nppd-pia-018a-chemical-facilities-anti-terrorism-standards-personnel-surety.

D. Additional Privacy Considerations for Option 3 and Option 4

A high-risk chemical facility will not submit information to CISA if the facility opts to electronically verify and validate affected individuals’ TWICs through the use of TWIC readers (or other technology that is periodically updated with revoked card information) under Option 3. High-risk chemical facilities that opt to implement Option 3 are encouraged, but are not required, to provide notice to each affected individual whose TWIC is being verified and validated.
Although Option 3 allows high-risk chemical facilities to comply with RBPS 12(iv) without submitting information to CISA, CISA feels that appropriate notice should still be given to those individuals so that they know their TWICs are now being used to comply with 6 CFR 27.230(a)(12)(iv). The Department has provided a sample privacy notice for high-risk chemical facilities to use in the CFATS Personnel Surety Program PIA Update, published on November 10, 2015.

In addition, a high-risk chemical facility will not submit information to CISA if the facility opts to utilize Option 4 and to visually inspect a credential or document for any Federal screening program that periodically vets individuals against the TSDB. High-risk chemical facilities that opt to implement Option 4 are encouraged, but are not required, to provide notice to each affected individual whose Federal screening program credential or document is being visually inspected in order to comply with 6 CFR 27.230(a)(12)(iv).

VII. Information a High-Risk Chemical Facility May Wish To Consider Including in Its SSP

When writing, revising, or updating their SSPs, high-risk chemical facilities may wish to consider including information about the following topics to assist CISA in evaluating the adequacy of the security measures outlined in the SSP for RBPS 12(iv):

1. General

• Who does the facility consider an affected individual and how does the facility identify affected individuals?
  ◦ Who does the facility consider facility personnel and how does the facility identify them?
  ◦ Who does the facility consider unescorted visitors and how does the facility identify them?
• If the facility escorts any visitors, how does it escort them and does the facility have an escort policy?
• How does the facility define its restricted areas and/or critical assets for the purposes of RBPS 12?
• Does the facility include computer systems or remote access as either a restricted area or critical asset?
• Which Option(s), or alternative approaches not described in this notice, will the facility or its designee(s) use to check for terrorist ties?
• Does the facility intend to use one or more Options for some affected individuals that it will not use for other affected individuals? If so, which Option(s) apply to which groups of affected individuals?
• Will the facility opt to have a designee(s) (e.g., third party company, contractor, co-located company) submit information about affected individuals? If so, what guidance will the high-risk chemical facility establish for designee(s) when it submits information (e.g., when are affected individuals considered to be "facility personnel" or "unescorted visitors", how will submitted records by the designee about affected individuals be organized within the CSAT Personnel Surety application, how will the facility verify that notice has been provided to an affected individual before information about him/her is provided to CISA)?
• Does the high-risk chemical facility anticipate that any individuals will require access to restricted areas or critical assets without visitor escorts or without the background checks listed in RBPS 12 under exceptional circumstances (e.g., foreseeable but unpredictable circumstances)? If so, who? If so, which exceptional circumstances would warrant access without visitor escorts or without the background checks listed in RBPS 12?
• Will the facility be capable of implementing the options within the timeframes specified? If not, what timeframe does the facility propose for submission and what justification has been provided to CISA to allow for an extended timeframe?

2. With Regard to Option 1

• How will notice be provided to affected individuals that information is being provided to CISA? Does the facility plan to use the DHS sample privacy notice?
• Does the facility plan to organize submitted records about affected individuals using groups?
• Does the facility plan to organize submitted records about affected individuals using "user defined fields"? If so, what "user defined fields" will be added?
• Does the facility intend to notify CISA when the affected individual no longer has access to any restricted areas or critical assets? If so, how and when?

3. With Regard to Option 2

• How will notice be provided to affected individuals that information is being provided to CISA? Does the facility plan to use the DHS sample privacy notice?
• What credentials does the facility plan to use under Option 2? Are there credentials the facility has decided not to accept under Option 2?
• What will the facility do if CISA is unable to verify an affected individual’s enrollment in another Department TSDB vetting program?
• What will be the timeframe for this follow-on action?
• What will the facility do if CISA does verify the credential, but later during a periodic re-verification, is unable to verify the credential?
• What will be the timeframe for this follow-on action?
• Does the facility describe how it will comply with RBPS 12(iv) for affected individuals without credentials capable of being verified under Option 2?
• Does the facility plan to organize submitted records about affected individuals using groups?
• Does the facility plan to organize submitted records about affected individuals using "user defined fields"? If so, what "user defined fields" will be added?
• Does the facility intend to notify CISA when the affected individual no longer has access to any restricted areas or critical assets? If so, how and when?

4. With Regard to Option 3

• How will the facility identify those affected individuals who possess TWICs?
• How will the facility comply with RBPS 12(iv) for affected individuals without TWICs?
• How will the facility electronically verify and validate TWICs of affected individuals?
• Which reader(s) or Physical Access Control System (PACS) will the facility be using? Or, if it is not using readers, how it will use the CCL or CRL?
• Where will the reader(s) or PAC(s) be located?
• What mode or modes (i.e., which setting on the TWIC Reader) will be used when verifying and validating the TWIC of an affected individual?[24]
• Will the TWIC of an affected individual be re-verified and re-validated with TWIC readers, and, if so, how often?
• What will the facility (or designee(s)) do if an affected individual’s TWIC cannot be verified or if the TWIC reader is not functioning properly?

[24] See table 4.1 on page 18 of the TSA reader specification at https://www.tsa.gov/sites/default/files/publications/pdf/twic/twic_reader_card_app_spec.pdf.

5. With Regard to Option 4

• Upon which Federal screening program(s) does the facility or designee intend to rely?
• What document(s) or credential(s) issued by the Federal screening program(s) will the facility visually verify?
• What procedures will the facility use to allow affected individuals to present document(s) or credential(s)?
• How will the facility verify that the credential or document presented by affected individuals is not fraudulent?
• What procedures will the facility follow to visually verify that a credential or document is current and valid (i.e., not expired)?
• How frequently will the facility visually verify the credentials (e.g., upon each entry or on a recurring cycle)?
• Will the visual verification include the following?
  ◦ Comparing any picture on a document or credential to the bearer of the credential or document;
  ◦ Comparing any physical characteristics listed on the credential or document (e.g., height, hair color, eye color) with the bearer’s physical appearance;
  ◦ Checking for tampering;
  ◦ Reviewing both sides of the credential or document and checking for the appropriate stock/credential material;
  ◦ Checking for an expiration date; and
  ◦ Checking for any insignia, watermark, hologram, signature or other unique feature.
• What will the facility do if it is unable to visually verify an affected individual’s credential or document, if the credential or document fails visual verification, or if the credential or document appears invalid, expired, or fraudulent?

6. With Regard to Other Options

• A facility that chooses to propose an option not listed above in its SSP should provide as much detail as possible to allow CISA to consider the potential option and evaluate whether or not it meets the RBPS 12(iv) standard.

David Wulf,
Director, Infrastructure Security Compliance Division, Infrastructure Security Division, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security.

[FR Doc. 2019–14591 Filed 7–8–19; 8:45 am]
BILLING CODE 9110–9P–P

DEPARTMENT OF THE INTERIOR

Fish and Wildlife Service

[FWS–R2–ES–2019–N076; FXES11140200000–190–FF02ENEH00]

Incidental Take Permit Application To Participate in American Burying Beetle Amended Oil and Gas Industry Conservation Plan in Oklahoma

AGENCY: Fish and Wildlife Service, Interior.

ACTION: Notice of availability; request for public comments.

SUMMARY: Under the Endangered Species Act, we, the U.S. Fish and Wildlife Service, invite the public to comment on a federally listed American burying beetle incidental take permit (ITP) application. The applicant anticipates American burying beetle take as a result of impacts to Oklahoma habitat the species uses for breeding, feeding, and sheltering. The take would be incidental to the applicant’s activities associated with oil and gas well field and pipeline infrastructure (gathering, transmission, and distribution), including geophysical exploration (seismic), construction, maintenance, operation, repair, decommissioning, and reclamation. If approved, the permit would be issued under the approved American Burying Beetle Amended Oil and Gas Industry Conservation Plan (ICP) Endangered Species Act Section 10(a)(1)(B) Permit Issuance in Oklahoma.

DATES: To ensure consideration, we must receive written comments on or before August 8, 2019.

ADDRESSES: You may obtain copies of all documents and submit comments on the applicant’s ITP application by one of the following methods. Please refer to the proposed permit number when requesting documents or submitting comments.
• Email: fw2_hcp_permits@fws.gov.
• U.S. Mail: U.S. Fish and Wildlife Service, Endangered Species—HCP Permits, P.O. Box 1306, Room 6093, Albuquerque, NM 87103.

FOR FURTHER INFORMATION CONTACT: Marty Tuegel, Branch Chief, by U.S. mail at U.S. Fish and Wildlife Service, Environmental Review Division, P.O. Box 1306, Room 6078, Albuquerque, NM 87103; by telephone at 505–248–6651; or via the Federal Relay Service at 800–877–8339.

SUPPLEMENTARY INFORMATION:

Introduction

Under the Endangered Species Act, as amended (ESA; 16 U.S.C. 1531 et seq.), we, the U.S. Fish and Wildlife Service, invite the public to comment on an incidental take permit (ITP) application to take the federally listed American burying beetle (Nicrophorus americanus) during oil and gas well field infrastructure geophysical exploration (seismic) and construction, maintenance, operation, repair, and decommissioning, as well as oil and gas gathering, transmission, and distribution pipeline infrastructure construction, maintenance, operation, repair, decommissioning, and reclamation in Oklahoma.

If approved, the permit would be issued to the applicant under the American Burying Beetle Amended Oil and Gas Industry Conservation Plan (ICP) Endangered Species Act Section 10(a)(1)(B) Permit Issuance in Oklahoma. The original ICP was approved on May 21, 2014, and the "no significant impact" finding notice was published in the Federal Register on July 25, 2014 (79 FR 43504). The second draft amendment to the ICP was made available for public comment via publication in the Federal Register on March 14, 2019 (84 FR 9371), with a comment period end of April 15, 2019. It was approved on May 24, 2019. The original ICP of 2014 and the associated environmental assessment/finding of no significant impact and the amended ICP of 2019 are available on our website at https://www.fws.gov/southwest/es/oklahoma/ABBICP. However, we are no longer taking comments on these finalized, approved documents.

Application Available for Review and Comment

We invite local, state, Tribal, and Federal agencies, and the public to comment on the following application under the ICP for incidentally taking the federally listed American burying beetle. Please refer to the proposed permit number (TE41861D–0) when requesting application documents and when submitting comments. Documents and other information the applicant submitted are available for review, subject to Privacy Act (5 U.S.C. 552a) and Freedom of Information Act (5 U.S.C.
552) requirements. Permit No. T41861D–0 Applicant: Tallgrass MLP Operations, LLC—Seahorse LLC, Lakewood, KS. Applicant requests a permit for oil and gas upstream and midstream production, including oil and gas well field infrastructure geophysical exploration (seismic) and construction, maintenance, operation, repair, and decommissioning, as well as oil and gas gathering, transmission, and distribution pipeline infrastructure construction, maintenance, operation, repair, decommissioning, and reclamation in Oklahoma. Permit No. T45547D–0 Applicant: Navigator Energy Services, Oklahoma City, OK. Applicant requests a permit for oil and gas upstream and midstream production, including oil and gas well field infrastructure geophysical exploration (seismic) and construction, maintenance, operation, repair, and decommissioning, as well as oil and gas gathering, transmission, and distribution pipeline infrastructure construction, maintenance, operation, repair, decommissioning, and reclamation in Oklahoma. Public Availability of Comments Written comments we receive become part of the public record associated with this action. Before including your address, phone number, email address, or other personal identifying information in your comment, you should be aware your entire comment— including your personal identifying information—may be made publicly available at any time. While you can request in your comment that we withhold your personal identifying information from public review, we cannot guarantee that we will be able to do so. All submissions from organizations or businesses, and from individuals identifying themselves as representatives or officials of organizations or businesses, will be made available for public disclosure in their entirety. Authority We provide this notice under section 10(c) of the ESA (16 U.S.C. 1531 et seq.), its implementing regulations (50 CFR 17.22), and the National Environmental Policy Act (42 U.S.C. 4321 et seq.) 
and E:\FR\FM\09JYN1.SGM 09JYN1


[Federal Register Volume 84, Number 131 (Tuesday, July 9, 2019)]
[Notices]
[Pages 32768-32777]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-14591]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


Chemical Facility Anti-Terrorism Standards; Personnel Surety 
Program Implementation Notice

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: Notice Implementing the CFATS Personnel Surety Program at All 
High-risk Chemical Facilities.

-----------------------------------------------------------------------

SUMMARY: CISA is providing notice to the public and chemical facilities 
regulated under the Chemical Facility Anti-Terrorism Standards (CFATS) 
that it is commencing full implementation of the CFATS Personnel Surety 
Program at all high-risk chemical facilities. CFATS requires regulated 
chemical facilities to implement security measures designed to ensure 
that certain individuals with or seeking access to the restricted areas 
or critical assets at those chemical facilities are screened for 
terrorist ties. The CFATS Personnel Surety Program enables regulated 
chemical facilities to meet this requirement.

DATES: This notice is applicable July 9, 2019.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Notice of Full Implementation
II. Statutory and Regulatory History of the CFATS Personnel Surety 
Program
III. Contents and Requirements of the CFATS Personnel Surety Program
    A. Who must be Checked for Terrorist Ties?
    B. Checking for Terrorist Ties during an Emergency or Exigent 
Situation
    C. High-Risk Chemical Facilities have Flexibility when 
Implementing the CFATS Personnel Surety Program
    D. Options Available to High-Risk Chemical Facilities to Comply 
with RBPS 12(iv)
    E. High-Risk Chemical Facilities may Use More Than One Option
    F. High-Risk Chemical Facilities may Propose Additional Options
    G. Security Considerations for High-risk Chemical Facilities to 
Weigh in Selecting Options
    H. When the Check for Terrorist Ties must be Completed
IV. Additional Details about Option 1 and Option 2 (Which Involve 
the Submission of Information to CISA)
    A. Submission of a New Affected Individual's Information under 
Option 1 or Option 2
    B. Updates & Corrections to Information about Affected 
Individuals under Option 1 or Option 2
    C. Notification that an Affected Individual No Longer Has Access 
under Option 1 or Option 2
    D. What/Who is the Source of the Information under Option 1 and 
Option 2
V. CSAT User Roles and Responsibilities
VI. Privacy Considerations
    A. Privacy Act Requirements to Enable Option 1 and Option 2
    B. Redress
    C. Additional Privacy Considerations Related to Option 1 and 
Option 2
    D. Additional Privacy Considerations for Option 3 and Option 4
VII. Information a High-Risk Chemical Facility may Wish to Consider 
Including in its SSP

I. Notice of Full Implementation

    CISA is publishing this notice to inform high-risk chemical 
facilities, in particular Tier 3 and Tier 4 facilities, regulated under 
CFATS of the full implementation of the CFATS Personnel Surety Program 
at all high-risk chemical facilities. CISA has previously implemented 
the Personnel Surety Program at Tier 1 and 2 facilities.\1\ CISA will 
now implement the program in a phased manner at all high-risk chemical 
facilities, to include Tier 3 and 4 facilities.\2\ Each high-risk 
chemical facility will be individually notified when to begin 
implementing risk-based performance standard (RBPS) 12(iv) in accordance 
with its Site Security Plan (SSP).\3\ High-risk chemical facilities at which the 
CFATS Personnel Surety Program is already implemented are unaffected by 
this notice.
---------------------------------------------------------------------------

    \1\ On December 18, 2015 at 80 FR 79058, the Department 
published the initial implementation notice for the CFATS Personnel 
Surety Program. The initial implementation was limited to Tier 1 and 
Tier 2 high-risk chemical facilities. The initial implementation 
notice may be viewed at https://www.federalregister.gov/d/2015-31625.
    \2\ CISA is implementing in a phased manner based upon its 
experience implementing the CFATS Personnel Surety Program at Tier 1 
and Tier 2 facilities, requests by commenters to the 60-day PRA 
notice and 30-day notice, and the terms of clearance within the 
Notice of Action issued by OMB when it approved the CFATS Personnel 
Surety Program Information Collection Request in May of 2019.
    \3\ Throughout this notice any reference to SSPs also refers to 
Alternative Security Programs submitted by high-risk chemical 
facilities as described in 6 CFR 27.235.
---------------------------------------------------------------------------

II. Statutory and Regulatory History of the CFATS Personnel Surety 
Program

    Section 550 of the Department of Homeland Security Appropriations 
Act of 2007, Public Law 109-295 (2006) (``Section 550''), provided the 
Department with the authority to identify and regulate the security of 
high-risk chemical facilities using a risk-based approach. On April 9, 
2007, the Department issued the CFATS Interim Final Rule (IFR) 
implementing this statutory mandate. 72 FR 17688.
    Section 550 required that the Department establish risk-based 
performance standards for high-risk chemical facilities, and through 
the CFATS regulations the Department promulgated 18 RBPSs, including 
RBPS 12--Personnel Surety. Under RBPS 12, high-risk chemical facilities 
regulated under CFATS are required to account for the conduct of 
certain types of background checks in their Site Security Plans. 
Specifically, RBPS 12 requires high-risk chemical facilities to:
    Perform appropriate background checks on and ensure appropriate 
credentials for facility personnel, and as appropriate, for unescorted 
visitors with access to restricted areas or critical

[[Page 32769]]

assets, including, (i) Measures designed to verify and validate 
identity; (ii) Measures designed to check criminal history; (iii) 
Measures designed to verify and validate legal authorization to work; 
and (iv) Measures designed to identify people with terrorist ties[.] 
6 CFR 27.230(a)(12).
    The first three aspects of RBPS 12 (checks for identity, criminal 
history, and legal authorization to work) have already been 
implemented, and all high-risk chemical facilities have addressed these 
aspects of RBPS 12 in their Site Security Plans. This notice announces 
to the public and chemical facilities that CISA is commencing full 
implementation of the CFATS Personnel Surety Program at all high-risk 
chemical facilities, which requires high-risk chemical facilities to 
implement security measures designed to ensure that certain individuals 
with or seeking access to the restricted areas or critical assets at 
those chemical facilities are screened for terrorist ties.
    Identifying affected individuals who have terrorist ties is an 
inherently governmental function and requires the use of information 
held in government-maintained databases that are unavailable to high-
risk chemical facilities. 72 FR 17688, 17709 (April 9, 2007). Thus, 
under RBPS 12(iv), CISA and high-risk chemical facilities must work 
together to satisfy the ``terrorist ties'' aspect of the Personnel 
Surety performance standard. To implement the provisions of RBPS 
12(iv), and in accordance with Title XXI of the Homeland Security Act 
of 2002, as amended,\4\ the following options will be available to 
enable high-risk chemical facilities to facilitate terrorist-ties 
vetting of affected individuals.
---------------------------------------------------------------------------

    \4\ 6 U.S.C. 621 et seq.
---------------------------------------------------------------------------

    Option 1. High-risk chemical facilities may submit certain 
information about affected individuals that CISA will use to vet those 
individuals for terrorist ties. Specifically, the identifying 
information about affected individuals will be compared against 
identifying information of known or suspected terrorists contained in 
the federal government's consolidated and integrated terrorist 
watchlist, the Terrorist Screening Database (TSDB), which is maintained 
by the Department of Justice (DOJ) Federal Bureau of Investigation 
(FBI) in the Terrorist Screening Center (TSC).\5\
---------------------------------------------------------------------------

    \5\ For more information about the TSDB, see DOJ/FBI-019 
Terrorist Screening Records System, 72 FR 47073 (August 22, 2007).
---------------------------------------------------------------------------

    Option 2. High-risk chemical facilities may submit information 
about affected individuals who already possess certain credentials that 
rely on security threat assessments conducted by the Department. See 72 
FR 17688, 17709 (April 9, 2007). This will enable CISA to verify the 
continuing validity of these credentials.
    Option 3. High-risk chemical facilities may comply with RBPS 12(iv) 
without submitting to CISA information about affected individuals who 
possess Transportation Worker Identification Credentials (TWICs), if a 
high-risk chemical facility electronically verifies and validates the 
affected individual's TWICs through the use of TWIC readers (or other 
technology that is periodically updated using the Canceled Card List).
    Option 4. High-risk chemical facilities may visually verify certain 
credentials or documents that are issued by a Federal screening program 
that periodically vets enrolled individuals against the Terrorist 
Screening Database (TSDB). CISA continues to believe that visual 
verification has significant security limitations and, accordingly, 
encourages high-risk chemical facilities choosing this option to 
identify in their Site Security Plans the means by which they plan to 
address these limitations.
    Each of these options is described in further detail below in 
Section III.D.

III. Contents and Requirements of the CFATS Personnel Surety Program

    The CFATS Personnel Surety Program enables CISA and high-risk 
chemical facilities to mitigate the risk that certain individuals with 
or seeking access to restricted areas or critical assets at high-risk 
chemical facilities may have terrorist ties.

A. Who must be checked for terrorist ties?

    RBPS 12(iv) requires that certain individuals with or seeking 
access to restricted areas or critical assets at high-risk chemical 
facilities be checked for terrorist ties. These individuals are 
referred to as ``affected individuals.'' Specifically, affected 
individuals are facility personnel or unescorted visitors with or 
seeking access to restricted areas or critical assets at high-risk 
chemical facilities. High-risk facilities may classify particular 
contractors or categories of contractors either as ``facility 
personnel'' or as ``visitors.'' This determination should be a 
facility-specific determination, and should be based on facility-
security considerations, operational requirements, and business 
practices.
    There are also certain groups of persons that CISA does not 
consider to be affected individuals, such as (1) federal officials who 
gain unescorted access to restricted areas or critical assets as part 
of their official duties; (2) state and local law enforcement officials 
who gain unescorted access to restricted areas or critical assets as 
part of their official duties; and (3) emergency responders at the 
state or local level who gain unescorted access to restricted areas or 
critical assets during emergency situations.

B. Checking for Terrorist Ties During an Emergency or Exigent Situation

    In some emergency or exigent situations, access to restricted areas 
or critical assets by other individuals who have not had appropriate 
background checks under RBPS 12 may be necessary. For example, 
emergency responders who are not emergency responders at the state or 
local level may require such access as part of their official duties 
under appropriate circumstances. If high-risk chemical facilities 
anticipate that an individual will require access to restricted areas 
or critical assets without visitor escorts or without the background 
checks listed in RBPS 12 under exceptional circumstances (e.g., 
foreseeable but unpredictable circumstances), high-risk chemical 
facilities may describe such situations and the types of individuals 
who might require access in those situations in their SSPs. CISA will 
assess the situations described, and any security measures the high-
risk chemical facility plans to take to mitigate vulnerabilities 
presented by these situations, as it reviews each high-risk chemical 
facility's SSP.

C. High-Risk Chemical Facilities Have Flexibility When Implementing the 
CFATS Personnel Surety Program

    A high-risk chemical facility will have flexibility to tailor its 
implementation of the CFATS Personnel Surety Program to fit its 
individual circumstances and, in this regard, to best balance who 
qualifies as an affected individual, unique security issues, costs, and 
burden. For example, a high-risk chemical facility may, in its Site 
Security Plan:
     Restrict the numbers and types of persons allowed to 
access its restricted areas and critical assets, thus limiting the 
number of persons who will need to be checked for terrorist ties.
     Define its restricted areas and critical assets, thus 
potentially limiting the number of persons who will need to be checked 
for terrorist ties.
     Choose to escort visitors accessing restricted areas and 
critical assets in lieu of performing terrorist ties background checks 
under the CFATS Personnel Surety Program. The high-risk chemical 
facility may propose in its SSP traditional escorting solutions and/or

[[Page 32770]]

innovative escorting alternatives such as video monitoring (which may 
reduce facility security costs), as appropriate, to address the unique 
security risks present at the facility.

D. Options Available to High-Risk Chemical Facilities To Comply With 
RBPS 12(iv)

    CISA has developed a CFATS Personnel Surety Program that provides 
high-risk chemical facilities several options to comply with RBPS 
12(iv). In addition to the alternatives expressly described in this 
notice, CISA will also permit high-risk chemical facilities to propose 
alternative measures for terrorist ties identification in their SSPs, 
which CISA will consider on a case-by-case basis in evaluating high-
risk chemical facilities' SSPs. Of note, and as discussed further 
below, a high-risk chemical facility may choose one option or a 
combination of options to comply with RBPS 12(iv).
Overview of Option 1
    The first option allows high-risk chemical facilities (or 
designee(s)) \6\ to submit certain information about affected 
individuals to CISA through a Personnel Surety Program application in 
an online technology system developed under CFATS called the Chemical 
Security Assessment Tool (CSAT). Access to and the use of CSAT is 
provided free of charge to high-risk chemical facilities (or their 
designee(s)).
---------------------------------------------------------------------------

    \6\ A designee is a third party that submits information about 
affected individuals to CISA on behalf of a high-risk chemical 
facility.
---------------------------------------------------------------------------

    Under this option, information about affected individuals submitted 
by, or on behalf of, high-risk chemical facilities will be compared 
against identifying information of known or suspected terrorists 
contained in the TSDB.\7\
---------------------------------------------------------------------------

    \7\ Detailed information about the submission of information 
about affected individuals under Option 1 to the Department for 
vetting purposes via CSAT can be found in the CSAT Personnel Surety 
Program User Manual available on www.dhs.gov/chemicalsecurity.
---------------------------------------------------------------------------

    If Option 1 is selected by a high-risk chemical facility in its 
SSP, the facility (or its designee(s)) must submit the following 
information about an affected individual to satisfy RBPS 12(iv):
     For U.S. Persons (U.S. citizens and nationals as well as 
U.S. lawful permanent residents):
          ◦ Full Name
          ◦ Date of Birth
          ◦ Citizenship or Gender
     For Non-U.S. Persons:
          ◦ Full Name
          ◦ Date of Birth
          ◦ Citizenship
          ◦ Passport information and/or alien registration number

    To reduce the likelihood of false positives in matching against 
records in the Federal Government's consolidated and integrated 
terrorist watchlist, high-risk chemical facilities (or their 
designee(s)) are encouraged, but not required, to submit the following 
optional information about each affected individual:
     Aliases
     Gender (for Non-U.S. Persons)
     Place of Birth
     Redress Number \8\
---------------------------------------------------------------------------

    \8\ For more information about Redress Numbers, please go to 
https://www.dhs.gov/one-stop-travelers-redress-process#1.

    If a high-risk chemical facility chooses to submit information 
about an affected individual under Option 1, the following table 
summarizes the biographic data that would be submitted to CISA.

 Table 01--Affected Individual Required and Optional Data Under Option 1
------------------------------------------------------------------------
                                                        For a Non-U.S.
 Data elements submitted to CISA   For a U.S. person        person
------------------------------------------------------------------------
Full Name.......................                 Required.
                                 ---------------------------------------
Date of Birth...................                 Required.
                                 ---------------------------------------
Gender..........................  Must provide        Optional.
                                   Citizenship or
                                   Gender.
Citizenship.....................  ..................  Required.
Passport Information and/or       N/A...............  Required.
 Alien Registration Number.
                                 ---------------------------------------
Aliases.........................                 Optional.
                                 ---------------------------------------
Place of Birth..................                 Optional.
                                 ---------------------------------------
Redress Number..................                 Optional.
------------------------------------------------------------------------

Overview of Option 2
    The second option also allows high-risk chemical facilities (or 
designee(s)) to submit certain information about affected individuals 
to CISA through a Personnel Surety Program application.\9\ This option 
allows high-risk chemical facilities and CISA to take advantage of the 
vetting for terrorist ties already being conducted on affected 
individuals enrolled in the TWIC Program, Hazardous Materials 
Endorsement (HME) Program, as well as the NEXUS, Secure Electronic 
Network for Travelers Rapid Inspection (SENTRI), Free and Secure Trade 
(FAST), and Global Entry Trusted Traveler Programs.
---------------------------------------------------------------------------

    \9\ Detailed information about the submission of information 
about affected individuals under Option 2 to the Department via CSAT 
can be found in the CSAT Personnel Surety Program User Manual 
available on www.dhs.gov/chemicalsecurity.
---------------------------------------------------------------------------

    Under Option 2, high-risk chemical facilities (or designee(s)) may 
submit information to CISA about affected individuals possessing the 
appropriate credentials to enable CISA to electronically verify the 
affected individuals' enrollments in these other programs. CISA will 
subsequently notify the Submitter \10\ of the high-risk chemical 
facility whether or not an affected individual's enrollment in one of 
these other DHS programs was electronically verified. CISA will also 
periodically re-verify each affected individual's continued enrollment 
in one of these other programs, and notify the high-risk chemical 
facility and/or designee(s) of significant changes in the status of an 
affected individual's enrollment (e.g., if an affected individual who 
has been enrolled in the HME Program ceases to be enrolled,

[[Page 32771]]

then CISA would change the status of the affected individual in the 
CSAT Personnel Surety Program application and notify the 
Submitter).\11\ Electronic verification and re-verification ensure that 
both CISA and the high-risk chemical facility can rely upon the 
continuing validity of an affected individual's credential or 
endorsement. As a condition of choosing Option 2, a high-risk chemical 
facility must describe in its SSP what action(s) it, or its 
designee(s), will take in the event CISA is unable to verify, or no 
longer able to verify, an affected individual's enrollment in the other 
DHS program. The high-risk facility must take some action and not leave 
the situation unresolved.
---------------------------------------------------------------------------

    \10\ A Submitter is a person who is responsible for the 
submission of information through the CSAT system as required in 6 
CFR 27.200(b)(3).
    \11\ When the Department notifies the Submitter of the high-risk 
chemical facility of significant changes in the status of an 
affected individual's enrollment, such a notification should not be 
construed to indicate that an individual has terrorist ties or be 
treated as derogatory information.
---------------------------------------------------------------------------

    If Option 2 is selected by a high-risk chemical facility in its SSP, 
the high-risk chemical facility (or designee(s)) must submit the 
following information about an affected individual to satisfy RBPS 
12(iv):
     Full Name;
     Date of Birth; and
     Program-specific information or credential information, 
such as unique number, or issuing entity (e.g., State for Commercial 
Driver's License (CDL) associated with an HME).
    To further reduce the potential for misidentification, high-risk 
chemical facilities (or designee(s)) are encouraged, but not required, 
to submit the following optional information about affected individuals 
to CISA:
     Aliases
     Gender
     Place of Birth
     Citizenship
    If a high-risk chemical facility chooses to submit information 
about an affected individual under Option 2, the following table 
summarizes the biographic data that would be submitted to CISA.

                     Table 02--Affected Individual Required and Optional Data Under Option 2
----------------------------------------------------------------------------------------------------------------
                                                                                         For affected individual
                                                                                          enrolled in a trusted
   Data elements submitted to CISA     For affected individual  For affected individual      traveler program
                                             with a TWIC              with an HME         (NEXUS, SENTRI, FAST,
                                                                                             or Global Entry)
----------------------------------------------------------------------------------------------------------------
Full Name............................                                  Required.
                                      --------------------------------------------------------------------------
Date of Birth........................                                  Required.
                                      --------------------------------------------------------------------------
Expiration Date......................                                  Required.
                                      --------------------------------------------------------------------------
Unique Identifying Number............  TWIC Serial Number:      CDL Number: Required...  PASS ID Number:
                                        Required.                                         Required.
Issuing State of CDL.................  N/A....................  Required*..............  N/A.
                                      --------------------------------------------------------------------------
Aliases..............................                                  Optional.
                                      --------------------------------------------------------------------------
Gender...............................                                  Optional.
                                      --------------------------------------------------------------------------
Place of Birth.......................                                  Optional.
                                      --------------------------------------------------------------------------
Citizenship..........................                                  Optional.
                                      --------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------

Overview of Option 3
    Under Option 3--Electronic Verification of TWIC, a high-risk 
chemical facility (or its designee(s)) will not submit to CISA 
information about affected individuals in possession of TWICs, but 
rather will electronically verify and validate the affected 
individuals' TWICs \12\ through the use of TWIC readers (or other 
technology that is periodically updated with revoked card information). 
Any high-risk chemical facility that chooses this option must describe 
in its SSP the process and procedures it will follow if it chooses to 
use TWIC readers, including what action(s) it, or its designee(s), will 
take in the event the high-risk chemical facility is unable to verify 
the TWIC, or subsequently unable to verify an affected individual's 
TWIC. For example, if a TWIC cannot be verified through the use of a 
TWIC Reader, the high-risk chemical facility may choose to verify the 
affected individual's enrollment in TWIC under Option 2, or submit 
information about the affected individual under Option 1.
---------------------------------------------------------------------------

    \12\ Electronic verification and validation of an affected 
individual's TWIC requires authentication that the affected 
individual's TWIC (1) is a valid credential issued by TSA, and (2) 
has not been cancelled by the TSA, and (3) the biometric live sample 
matches the biometric template on the TWIC.
---------------------------------------------------------------------------

Overview of Option 4
    Option 4--Visual Verification Of Credentials Conducting Periodic 
Vetting complies with section 2102(d)(2) of the Homeland Security Act 
and allows a high-risk chemical facility to satisfy its obligation 
under 6 CFR 27.230(a)(12)(iv) to identify individuals with terrorist 
ties using any Federal screening program that periodically vets 
individuals against the TSDB if:
     The Federal screening program issues a credential or 
document,\13\
---------------------------------------------------------------------------

    \13\ This requirement is derived from section 2102(d)(2)(B)(i) 
of the Homeland Security Act.
---------------------------------------------------------------------------

     The high-risk chemical facility is presented \14\ a 
credential or document by the affected individual,\15\ and
---------------------------------------------------------------------------

    \14\ The Department considers records of credentials or 
documents maintained by the high-risk chemical facility, or 
designee, as having been presented by the affected individual. For 
example, if a high-risk chemical facility (or designee) has in its 
personnel or access control files a photocopy of an affected 
individual's CDL with an HME, the high-risk chemical facility may 
consider the copy in its files as having been presented by the 
affected individual.
    \15\ Section 2102(d)(2)(B)(i)(II)(aa) of the Homeland Security 
Act requires high-risk chemical facilities to accept the credential 
or document from any federal screening program that conducts 
periodic vetting against the TSDB. Under Option 4, a high-risk 
chemical facility may contact the Department when drafting its SSP 
to determine if a specific credential or document is from a federal 
screening program that conducts periodic vetting against the TSDB.
---------------------------------------------------------------------------

     The high-risk chemical facility verifies the credential or 
document is current in accordance with its SSP.\16\
---------------------------------------------------------------------------

    \16\ This requirement is derived from section 
2102(d)(2)(B)(i)(II)(bb) of the Homeland Security Act.
---------------------------------------------------------------------------

    As a result, a high-risk chemical facility may verify that a 
credential or 
document is current based upon visual inspection, if the processes for 
conducting such visual inspections are described in its SSP. When 
developing such processes, CISA encourages high-risk chemical 
facilities to consider any rules, processes, and procedures prescribed 
by the entity issuing the credential or document. CISA believes that 
visual verification has inherent limitations and provides less security 
value than the other options available under the CFATS Personnel Surety 
Program. CISA encourages every high-risk chemical facility to consider 
a means of verification that is consistent with its specific 
circumstances and its assessment of the threat posed by the acceptance 
of such credentials. If a facility chooses to use Option 4, in whole or 
in part, it should also identify in its Site Security Plan the means by 
which it plans to address these limitations.
    An example of Option 4 that could be implemented by a high-risk 
chemical facility is to leverage the vetting conducted by the Bureau of 
Alcohol, Tobacco, Firearms, and Explosives (ATF) on affected 
individuals who are employee possessors of a Federal explosives 
licensee/permittee. For example, a high-risk chemical facility may rely 
on a ``letter of clearance'' issued by ATF when presented by an 
affected individual who is also an employee-possessor of explosives. 
The high-risk chemical facility should describe in its SSP the 
procedures it will use to verify the letter of clearance is current. 
CISA will consider high-risk chemical facilities' proposals in the 
course of evaluating individual SSPs.

E. High-Risk Chemical Facilities May Use More Than One Option

    High-risk chemical facilities have discretion as to which option(s) 
to use for an affected individual. For example, if an affected 
individual possesses a TWIC or some other credential or document, a 
high-risk chemical facility could choose to use Option 1 for that 
individual. Similarly, a high-risk chemical facility, at its 
discretion, may choose to use Option 1 or Option 2 rather than Option 3 
or Option 4 for affected individuals who have TWICs or some other 
credential or document. High-risk chemical facilities also may choose 
to combine Option 1 with Option 2, Option 3, and/or Option 4, as 
appropriate, to ensure that adequate terrorist ties checks are 
performed on different types of affected individuals (e.g., employees, 
contractors, unescorted visitors). Each high-risk chemical facility 
must describe how it will comply with RBPS 12(iv) in its SSP.

F. High-Risk Chemical Facilities May Propose Additional Options

    In addition to the options described above for satisfying RBPS 
12(iv), a high-risk chemical facility is welcome to propose alternative 
or supplemental options not described in this document in its SSPs. 
CISA will assess the adequacy of such alternative or supplemental 
options on a facility-by-facility basis, in the course of evaluating 
each facility's SSP.

G. Security Considerations for High-Risk Chemical Facilities To Weigh 
in Selecting Options

    CISA believes the greatest security benefit is achieved when a 
high-risk chemical facility selects Option 1 and/or Option 2. 
Option 3 also provides significant security benefit. Option 4 provides 
some security benefit but less than Option 1, Option 2, or Option 3.
    Option 1 and Option 2 provide the greatest security benefit because 
the information submitted about each affected individual will be 
recurrently vetted against the TSDB. Recurrent vetting is a Department 
best practice and compares an affected individual's information against 
new and/or updated TSDB records as such records become available. 
Further, in the event that an affected individual with terrorist ties 
has or is seeking access to restricted areas or critical assets, if 
information about that affected individual is submitted to CISA under 
Option 1 or Option 2, CISA will be able to ensure that an appropriate 
Federal law enforcement agency is notified and that, as appropriate and 
consistent with law-enforcement and intelligence requirements, the 
facility receives notification as well.
    Option 3 also provides significant security benefit because 
information about affected individuals with TWICs is recurrently vetted 
against the TSDB. However, since CISA does not receive information 
about these affected individuals from high-risk chemical facilities 
under Option 3, CISA cannot ensure that the appropriate Federal law 
enforcement agency is provided information about the high-risk chemical 
facility at which any such affected individual with terrorist ties has 
or is seeking access.
    Finally, Option 4 provides a more-limited security benefit, as some 
Federal screening programs do not conduct recurrent vetting. Recurrent 
vetting compares an affected individual's information against new 
and/or updated TSDB records as those new and/or updated records become 
available. Recurrent vetting is a Department best practice because 
often records about terrorists are either created or updated in the 
TSDB after the initial vetting has already occurred. Consequently, 
recurrent vetting results in additional matches and provides 
substantial security value.
    In addition, relying on a visual inspection of a credential or 
document is not as secure as electronic verification because visual 
inspection may make it more difficult to ascertain whether a credential 
or document has expired, been revoked, or is fraudulent. For example, 
the visual verification of a TWIC will not reveal whether the TWIC has 
been revoked by the Transportation Security Administration. Similarly, 
visual verification of a Hazardous Material Endorsement on a commercial 
driver's license will not reveal if the endorsement has expired or been 
revoked.
    Finally, since CISA will not receive from high-risk chemical 
facilities information about affected individuals whose credentials are 
visually verified, CISA will be unable to ensure the appropriate 
Federal law enforcement agency is provided information regarding the 
risks posed to a high-risk chemical facility by any such affected 
individual with terrorist ties, nor will it be able to ensure that the 
facility receives appropriate notification of the risk.
    For the reasons described above, Option 4 provides less security 
value than the other options available to high-risk chemical facilities 
under the CFATS Personnel Surety Program.

H. When the Check for Terrorist Ties Must Be Completed

    CISA will notify high-risk chemical facilities, individually, when 
it will require each to address RBPS 12(iv) in its SSP. After that 
notification, a facility must update or draft its SSP to address RBPS 
12(iv), as appropriate, prior to authorization or approval by CISA. 
After authorization or approval, a high-risk chemical facility (as 
described in its authorized or approved SSP) must complete the 
terrorist ties check required to be conducted on a particular affected 
individual by 6 CFR 27.230(a)(iv) prior to the affected individual 
being granted access to any restricted area or critical asset. For 
affected individuals with existing access, CISA will expect, unless 
otherwise noted in an authorized or approved SSP or ASP, that the 
terrorist ties check will be completed within 60 days after receiving 
authorization or approval of an SSP requiring the facility to implement 
measures to comply with RBPS 12(iv). A high-risk chemical 
facility may suggest an alternative schedule based on its unique 
circumstances in its SSP. Table 03 below outlines the four primary 
options, and the expected time a high-risk chemical facility will have 
to complete the required activity(ies) outlined in the authorized or 
approved SSP to comply with RBPS 12(iv) for new affected individuals as 
well as affected individuals with existing access.

                            Table 03--Summary of Options To Check for Terrorist Ties.
----------------------------------------------------------------------------------------------------------------
                                                                                          Timeline for affected
        Option for compliance             Facility activity         Timeline for new         individuals with
                                             description          affected individuals       existing access
----------------------------------------------------------------------------------------------------------------
OPTION 1--Direct Vetting.............  Facility submits         Unless otherwise noted   Unless otherwise noted
                                        information to CISA.     in an authorized or      in an authorized or
                                                                 approved SSP, CISA       approved SSP, CISA
                                                                 expects that this        expects that this
                                                                 activity will be         activity will be
                                                                 completed prior to the   completed within 60
                                                                 affected individual      days after receiving
                                                                 being granted access     authorization or
                                                                 to any restricted area   approval of an SSP
                                                                 or critical asset.       requiring the facility
                                                                                          to implement measures
                                                                                          to comply with RBPS
                                                                                          12(iv).
OPTION 2--Use of Vetting Conducted     Facility submits
 Under Other DHS Programs.              information to CISA.
OPTION 3--Electronic Verification of   Facility uses a TWIC
 TWIC.                                  Reader.
OPTION 4--Visual Verification of       Facility conducts
 Credentials Conducting Periodic        visual verifications
 Vetting.                               by examining affected
                                        individuals'
                                        credentials or
                                        documents.
Facility-Proposed Alternative........  Details about facility-  Details about facility-  Details about facility-
                                        proposed alternatives    proposed alternatives    proposed alternatives
                                        could vary               could vary               could vary
                                        significantly from       significantly from       significantly from
                                        facility to facility.    facility to facility.    facility to facility
----------------------------------------------------------------------------------------------------------------

IV. Additional Details About Option 1 and Option 2 (Which Involve the 
Submission of Information to CISA)

A. Submission of a New Affected Individual's Information Under Option 1 
or Option 2

    Under Option 1 or Option 2, a high-risk chemical facility may 
submit information about new affected individuals in accordance with 
its SSP. CISA encourages high-risk chemical facilities to submit 
information about affected individuals as soon as possible after an 
individual has been determined to be an affected individual. As 
described earlier in this notice, the high-risk chemical facilities 
must submit information prior to a new affected individual obtaining 
access to any restricted area or critical asset.

B. Updates & Corrections to Information About Affected Individuals 
Under Option 1 or Option 2

    Section 2102(d)(2)(A)(i) of the Homeland Security Act prohibits 
CISA from requiring a high-risk chemical facility to submit information 
about an individual more than one time under Option 1 or Option 2. 
Therefore, under Option 1 or Option 2, a high-risk chemical facility 
may choose whether to submit data updates or corrections about affected 
individuals.
    CISA believes that there are substantial privacy risks if a 
high-risk chemical facility opts not to provide updates and corrections 
(e.g., updating or correcting a name or date of birth) about affected 
individuals. Specifically, the accuracy of an affected individual's 
personal data being vetted against the TSDB for terrorist ties may be 
affected. Accurate information both (1) increases the likelihood of 
correct matches against information about known or suspected 
terrorists, and (2) decreases the likelihood of incorrect matches that 
associate affected individuals without terrorist ties with known and 
suspected terrorist identities. As a result, CISA encourages high-risk 
chemical facilities to submit updates and corrections as they become 
known so that the Department's checks for terrorist ties, which are 
done on a recurrent basis, are accurate. A lesson learned from the 
implementation of the CFATS Personnel Surety Program since December of 
2015 was that high-risk chemical facilities could reduce the burden of 
continuous updates or corrections by reducing the frequency of updates 
or corrections. For example, a high-risk chemical facility could conduct 
audits of submitted information on a regular basis such as quarterly or 
annually and then subsequently update or correct the information. If a 
high-risk chemical facility is either unable or unwilling to update or 
correct an affected individual's information, the affected individual 
may seek redress as described in the CFATS Personnel Surety Program 
Privacy Impact Assessment.

C. Notification That an Affected Individual No Longer Has Access Under 
Option 1 or Option 2

    Section 2102(d)(2)(A)(i) of the Homeland Security Act also 
prohibits CISA from requiring a high-risk chemical facility to notify 
CISA when an affected individual no longer has access to the restricted 
areas or critical assets of a high-risk chemical facility. Therefore, 
under Option 1 or Option 2, a high-risk chemical facility has the 
option to notify CISA when the affected individual no longer has access 
to any restricted areas or critical assets, but such notification is 
not required. CISA strongly encourages high-risk chemical facilities to 
notify CISA when an affected individual no longer has access to 
restricted areas or critical assets to ensure the accuracy of CISA's 
data and to stop the recurrent vetting on the person who is no longer 
an affected individual. A lesson learned from the implementation of the 
CFATS Personnel Surety Program since December of 2015 was that 
high-risk chemical facilities could reduce the burden of immediately 
updating the affected individual's record within CSAT to reflect they 
no longer have access by reducing the frequency of these updates. For 
example, a high-risk chemical facility could conduct audits of 
submitted information on a regular basis such as 
quarterly or annually and then subsequently update the affected 
individual's information. Alternatively, a high-risk chemical facility 
could submit the date an individual will no longer have access (e.g., a 
badge expiration date of an employee or contractor, or the date a 
contract expires for contractors). If a high-risk chemical facility is 
either unable or unwilling to notify CISA when an affected individual 
no longer has access to restricted areas or critical assets, the 
affected individual may seek redress as described in the CFATS 
Personnel Surety Program Privacy Impact Assessment.

D. What/Who Is the Source of the Information Under Option 1 and Option 
2

    High-risk chemical facilities are responsible for complying with 
RBPS 12(iv). However, companies operating multiple high-risk chemical 
facilities, as well as companies operating only one high-risk chemical 
facility, may comply with RBPS 12(iv) in a variety of ways. A high-risk 
chemical facility, or its parent company, may choose to comply with 
RBPS 12(iv) by identifying and directly submitting to CISA the 
information about affected individuals. Alternatively, a high-risk 
chemical facility, or its parent company, may choose to comply with 
RBPS 12(iv) by outsourcing the information-submission process to third 
parties.
    CISA also anticipates that many high-risk chemical facilities will 
rely on businesses that provide them with contract services (e.g., 
complex turn-arounds, freight delivery services, landscaping) to 
identify and submit the appropriate information about affected 
individuals the contract services employ to CISA under Option 1 and 
Option 2.
    Both third parties that submit information on behalf of high-risk 
chemical facilities and businesses that provide services to high-risk 
chemical facilities must be designated by the high-risk chemical 
facility within CSAT in order to submit appropriate information about 
affected individuals to CISA on behalf of the high-risk chemical 
facility.\17\
---------------------------------------------------------------------------

    \17\ Information about how to designate a third party within 
CSAT is explained in the CFATS Personnel Surety Program User Manual 
available on www.dhs.gov/chemicalsecurity.
---------------------------------------------------------------------------

V. CSAT User Roles and Responsibilities

    Under Options 1 and 2 (as described above), high-risk chemical 
facilities have wide latitude in assigning CSAT user roles to align 
with their business operations and/or the business operations of third 
parties that provide contracted services to them. CISA has structured 
the CSAT Personnel Surety Program application to allow designee(s) of 
high-risk chemical facilities to submit information about affected 
individuals directly to CISA on behalf of high-risk chemical 
facilities.
    High-risk chemical facilities and designee(s) will be able to 
structure CSAT user roles to submit information about affected 
individuals to CISA in several ways, including but not limited to the 
following:
     A high-risk chemical facility may directly submit 
information about affected individuals, and designate one or more 
officers or employees of the facility with appropriate CSAT user roles; 
and/or
     A high-risk chemical facility may ensure the submission of 
information about affected individuals by designating one or more 
persons affiliated with a third party (or with multiple third parties); 
and/or
     A company owning several high-risk chemical facilities 
could consolidate its submission process for affected individuals. 
Specifically, the company could designate one or more persons to submit 
information about affected individuals on behalf of all or some of the 
high-risk chemical facilities within the company on a company-wide 
basis.
    Third parties interested in providing information about affected 
individuals to CISA on behalf of high-risk chemical facilities may 
request a CSAT user account from the high-risk chemical facility or 
company for which the third party will be working. Third parties will 
not be able to submit information about affected individuals until a 
high-risk chemical facility designates the third party within CSAT to 
submit information on its behalf.
    CSAT Authorizers will receive access to the Personnel Surety 
application after the facility's SSP has been approved or authorized by 
CISA for RBPS 12(iv). The CSAT Authorizer user role creates and manages 
all other CSAT user roles on behalf of the high-risk chemical facility. 
A high-risk chemical facility (or designee(s)) may then submit 
information under Option 1 or Option 2.
    One lesson learned since the implementation of the CFATS Personnel 
Surety Program in December of 2015 was that high-risk chemical 
facilities can benefit from organizing records about affected 
individuals within the Personnel Surety application. Organizing the 
records of affected individuals can be particularly useful when a CSAT 
Authorizer needs to transfer responsibility for some or all records 
about affected individuals to another CSAT Authorizer (e.g., a company 
sells one or more high-risk chemical facilities to another company).
    High-risk chemical facilities may organize submitted records about 
affected individuals through the use of ``groups''. Records about 
affected individuals within groups can be easily transferred. Groups 
also have the benefit of protecting against the unauthorized disclosure 
of records. For example, if a company uses a third party or a contractor 
to submit records about affected individuals, a company can limit a 
third party's or contractor's access to certain groups (e.g., a contractor 
could only access the group of records for the affected individuals who 
are employees of the contractor) and prevent the third party or 
contractor designee from accessing the records of affected individuals 
from another contractor or employees of the facility. Additional 
information about groups and scenarios about how facilities may choose 
to implement groups may be found within the CSAT 2.0 User Manual.\18\
---------------------------------------------------------------------------

    \18\ The CSAT 2.0 User Manual may be found at https://www.dhs.gov/publication/csat-portal-user-manual.
---------------------------------------------------------------------------

    CSAT Authorizers can also organize submitted records about affected 
individuals through the use of ``user defined fields''. CSAT Authorizers 
may add one or more ``user defined fields'' (e.g., facility location, 
badge number, employee type, employee status, or contract 
name/designation) that allow a record about an affected individual to be 
labeled in a manner that best aligns with the high-risk chemical 
facility's business practices. CSAT Authorizers may use either or both 
methods (i.e., groups and ``user defined fields'') when considering how 
to organize submitted records of affected individuals.
    Finally, CISA can provide assistance to CSAT Authorizers who must 
transfer responsibility for one or more facilities to another CSAT 
Authorizer, in which one or more of the facilities have affected 
individuals that have been submitted under Option 1 or Option 2. CSAT 
Authorizers may request assistance by contacting the CSAT Helpdesk.\19\
---------------------------------------------------------------------------

    \19\ The CSAT Helpdesk may be contacted at 866-323-2957 (toll 
free) between 8:30 a.m. and 5 p.m. (ET), Monday through Friday. The 
CSAT Helpdesk is closed for Federal holidays.
---------------------------------------------------------------------------

VI. Privacy Considerations

    High-risk chemical facilities (or designee(s)) may maintain 
information about an affected individual, for the purpose of complying 
with CFATS, which is not submitted to CISA as part of the CFATS 
Personnel Surety Program (e.g., for compliance with RBPS 12(i)-(iii), 
or for recordkeeping pertaining to Option 3 or Option 4). 
Information not in the possession of and not submitted to CISA is not 
covered under the Privacy Act of 1974. Nevertheless, CISA expects that 
high-risk chemical facilities and designee(s) will protect and 
safeguard any such information as outlined in their SSPs and in 
accordance with any other Federal, State, or local privacy laws that 
are applicable to the collection of the information, just as the 
high-risk chemical facilities would for other similar information collected 
under their normal business practices for activities unrelated to 
CFATS.

A. Privacy Act Requirements To Enable Option 1 and Option 2

    CISA complies with all applicable federal privacy requirements 
including those contained in the Privacy Act, the E-Government Act, the 
Homeland Security Act, and Departmental policy. The United States also 
follows international instruments on privacy, all of which are 
consistent with the Fair Information Practice Principles (FIPPs).\20\ 
The Department:
---------------------------------------------------------------------------

    \20\ See Privacy Policy Guidance Memorandum, The Fair 
Information Practice Principles: Framework for Privacy Policy at the 
Department of Homeland Security, available at https://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf (December 
29, 2008).
---------------------------------------------------------------------------

     Published a System of Records Notice (SORN) for the CFATS 
Personnel Surety Program on June 14, 2011 as well as a SORN Update on 
May 19, 2014.\21\
---------------------------------------------------------------------------

    \21\ See DHS/NPPD-002--Chemical Facility Anti-Terrorism 
Standards Personnel Surety Program System of Records, published on 
May 19, 2014 at 79 FR 28752. DHS/NPPD-002 may be viewed at https://www.federalregister.gov/d/2014-11431.
---------------------------------------------------------------------------

     Issued a Final Rule \22\ to exempt portions of the 
Chemical Facility Anti-Terrorism Standards Personnel Surety Program 
SORN from certain provisions of the Privacy Act because of criminal, 
civil, and administrative enforcement requirements on May 21, 2014.
---------------------------------------------------------------------------

    \22\ See Implementation of Exemptions; Department of Homeland 
Security/National Protection and Programs Directorate--002 Chemical 
Facility Anti-Terrorism Standards Personnel Surety Program System of 
Records, published on May 21, 2014 at 79 FR 29072. The final rule 
may be viewed at https://www.federalregister.gov/d/2014-11433.
---------------------------------------------------------------------------

     Published a CFATS Personnel Surety Program Privacy Impact 
Assessment (PIA) in May 2011, and CFATS Personnel Surety Program PIA 
Updates in May of 2014, November of 2015, and May of 2017. The PIA and 
the updates are available at https://www.dhs.gov/publication/dhs-nppd-pia-018a-chemical-facilities-anti-terrorism-standards-personnel-surety.
    With the publication of these privacy documents, CISA has ensured 
that the CFATS Personnel Surety Program complies with the appropriate 
privacy laws and Department of Homeland Security privacy policies.

B. Redress

    The CFATS Personnel Surety Program complies with the requirement of 
section 2102(d)(2)(A)(iii) of the Homeland Security Act to provide 
redress to an individual: (1) Whose information was vetted against the 
TSDB under the program; and (2) who believes that the personally 
identifiable information submitted to the Department for such vetting 
by a covered chemical facility, or its designated representative, was 
inaccurate. The Department has described how to seek redress in the 
CFATS Personnel Surety Program Privacy Impact Assessment.

C. Additional Privacy Considerations Related To Option 1 and Option 2

    The Submitter(s) of each high-risk chemical facility (or 
designee(s)) will be required to affirm that, in accordance with its 
SSP, notice required by the Privacy Act of 1974 has been given to 
affected individuals before their information is submitted to CISA. The 
Department has made available a sample Privacy Act notice that complies 
with subsection (e)(3) of the Privacy Act (5 U.S.C. 552a(e)(3)) in the 
CFATS Personnel Surety Program PIA Update published on November 10, 
2015.\23\ The sample notice, or a different satisfactory notice, must 
be provided by a high-risk chemical facility to affected individuals 
prior to the submission of Personally Identifiable Information (PII) to 
CISA under Option 1 and Option 2. This notice must: (1) Notify those 
individuals that their information is being submitted to CISA for 
vetting against the TSDB, and that in some cases additional information 
may be requested and submitted in order to resolve a potential match; 
(2) instruct those individuals how to access their information; (3) 
instruct those individuals how to correct their information; and (4) 
instruct those individuals on procedures available to them for redress 
if they believe their information has been improperly matched by the 
Department to information contained in the TSDB. Individuals have the 
opportunity and the right to decline to provide information; however, 
if an individual declines to provide information, he or she may impact 
a high-risk chemical facility's compliance with CFATS.
---------------------------------------------------------------------------

    \23\ The November 20, 2015 CFATS Personnel Surety Program PIA 
Update, as well as other privacy related documents, are available 
on the Department's website at https://www.dhs.gov/publication/dhs-nppd-pia-018a-chemical-facilities-anti-terrorism-standards-personnel-surety.
---------------------------------------------------------------------------

D. Additional Privacy Considerations for Option 3 and Option 4

    A high-risk chemical facility will not submit information to CISA 
if the facility opts to electronically verify and validate affected 
individuals' TWICs through the use of TWIC readers (or other technology 
that is periodically updated with revoked card information) under 
Option 3. High-risk chemical facilities that opt to implement Option 3 
are encouraged, but are not required, to provide notice to each 
affected individual whose TWIC is being verified and validated. 
Although Option 3 allows high-risk chemical facilities to comply with 
RBPS 12(iv) without submitting information to CISA, CISA feels that 
appropriate notice should still be given to those individuals so that 
they know their TWICs are now being used to comply with 6 CFR 
27.230(a)(12)(iv). The Department has provided a sample privacy notice 
for high-risk chemical facilities to use in the CFATS Personnel Surety 
Program PIA Update, published on November 10, 2015.
    In addition, a high-risk chemical facility will not submit 
information to CISA if the facility opts to utilize Option 4 and to 
visually inspect a credential or document for any Federal screening 
program that periodically vets individuals against the TSDB. High-risk 
chemical facilities that opt to implement Option 4 are encouraged, but 
are not required, to provide notice to each affected individual whose 
Federal screening program credential or document is being visually 
inspected in order to comply with 6 CFR 27.230(a)(12)(iv).

VII. Information a High-Risk Chemical Facility May Wish To Consider 
Including in Its SSP

    When writing, revising, or updating their SSPs, high-risk chemical 
facilities may wish to consider including information about the 
following topics to assist CISA in evaluating the adequacy of the 
security measures outlined in the SSP for RBPS 12(iv):
1. General
     Who does the facility consider an affected individual and 
how does the facility identify affected individuals?

        - Who does the facility consider facility personnel and how does 
          the facility identify them?
        - Who does the facility consider unescorted visitors and how does 
          the facility identify them?


     If the facility escorts any visitors, how does it escort 
them and does the facility have an escort policy?
     How does the facility define its restricted areas and/or 
critical assets for the purposes of RBPS 12?
     Does the facility include computer systems or remote 
access as either a restricted area or critical asset?
     Which Option(s), or alternative approaches not described 
in this notice, will the facility or its designee(s) use to check for 
terrorist ties?
     Does the facility intend to use one or more Options for 
some affected individuals that it will not use for other affected 
individuals? If so, which Option(s) apply to which groups of affected 
individuals?
     Will the facility opt to have a designee(s) (e.g., third 
party company, contractor, co-located company) submit information about 
affected individuals? If so, what guidance will the high-risk chemical 
facility establish for designee(s) when it submits information (e.g., 
when are affected individuals considered to be ``facility personnel'' 
or ``unescorted visitors'', how will submitted records by the designee 
about affected individuals be organized within the CSAT Personnel 
Surety application, how will the facility verify that notice has been 
provided to an affected individual before information about him/her is 
provided to CISA)?
     Does the high-risk chemical facility anticipate that any 
individuals will require access to restricted areas or critical assets 
without visitor escorts or without the background checks listed in RBPS 
12 under exceptional circumstances (e.g., foreseeable but unpredictable 
circumstances)? If so, who? If so, which exceptional circumstances 
would warrant access without visitor escorts or without the background 
checks listed in RBPS 12?
     Will the facility be capable of implementing the options 
within the timeframes specified? If not, what timeframe does the 
facility propose for submission and what justification has been 
provided to CISA to allow for an extended timeframe?
2. With Regard to Option 1
     How will notice be provided to affected individuals that 
information is being provided to CISA? Does the facility plan to use 
the DHS sample privacy notice?
     Does the facility plan to organize submitted records about 
affected individuals using groups?
     Does the facility plan to organize submitted records about 
affected individuals using ``user defined fields''? If so, what ``user 
defined fields'' will be added?
     Does the facility intend to notify CISA when the affected 
individual no longer has access to any restricted areas or critical 
assets? If so, how and when?
3. With Regard to Option 2
     How will notice be provided to affected individuals that 
information is being provided to CISA? Does the facility plan to use 
the DHS sample privacy notice?
     What credentials does the facility plan to use under 
Option 2? Are there credentials the facility has decided not to accept 
under Option 2?
     What will the facility do if CISA is unable to verify an 
affected individual's enrollment in another Department TSDB vetting 
program?
     What will be the timeframe for this follow-on action?
     What will the facility do if CISA does verify the 
credential, but later, during a periodic re-verification, is unable 
to verify the credential?
     What will be the timeframe for this follow-on action?
     Does the facility describe how it will comply with RBPS 
12(iv) for affected individuals without credentials capable of being 
verified under Option 2?
     Does the facility plan to organize submitted records about 
affected individuals using groups?
     Does the facility plan to organize submitted records about 
affected individuals using ``user defined fields''? If so, what ``user 
defined fields'' will be added?
     Does the facility intend to notify CISA when the affected 
individual no longer has access to any restricted areas or critical 
assets? If so, how and when?
4. With Regard to Option 3
     How will the facility identify those affected individuals 
who possess TWICs?
     How will the facility comply with RBPS 12(iv) for affected 
individuals without TWICs?
     How will the facility electronically verify and validate 
TWICs of affected individuals?
     Which reader(s) or Physical Access Control System (PACS) 
will the facility be using? Or, if it is not using readers, how will it 
use the CCL or CRL?
     Where will the reader(s) or PAC(s) be located?
     What mode or modes (i.e., which setting on the TWIC 
Reader) will be used when verifying and validating the TWIC of an 
affected individual?\24\
---------------------------------------------------------------------------

    \24\ See table 4.1 on page 18 of the TSA reader specification at 
https://www.tsa.gov/sites/default/files/publications/pdf/twic/twic_reader_card_app_spec.pdf.
---------------------------------------------------------------------------

     Will the TWIC of an affected individual be re-verified and 
re-validated with TWIC readers, and, if so, how often?
     What will the facility (or designee(s)) do if an affected 
individual's TWIC cannot be verified or if the TWIC reader is not 
functioning properly?
5. With Regard to Option 4
     Upon which Federal screening program(s) does the facility 
or designee intend to rely?
     What document(s) or credential(s) issued by the Federal 
screening program(s) will the facility visually verify?
     What procedures will the facility use to allow affected 
individuals to present document(s) or credential(s)?
     How will the facility verify that the credential or 
document presented by affected individuals is not fraudulent?
     What procedures will the facility follow to visually 
verify that a credential or document is current and valid (i.e., not 
expired)?
     How frequently will the facility visually verify the 
credentials (e.g., upon each entry or on a recurring cycle)?
     Will the visual verification include the following?

        - Comparing any picture on a document or credential to the bearer 
          of the credential or document;
        - Comparing any physical characteristics listed on the credential 
          or document (e.g., height, hair color, eye color) with the bearer's 
          physical appearance;
        - Checking for tampering;
        - Reviewing both sides of the credential or document and checking 
          for the appropriate stock/credential material;
        - Checking for an expiration date; and
        - Checking for any insignia, watermark, hologram, signature or 
          other unique feature.

     What will the facility do if it is unable to visually 
verify an affected individual's credential or document, if the 
credential or document fails visual verification, or if the credential 
or document appears invalid, expired, or fraudulent?
6. With Regard to Other Options
     A facility that chooses to propose an option not listed 
above in its SSP should provide as much detail as possible to allow 
CISA to consider the potential option and evaluate whether or not it 
meets the RBPS 12(iv) standard.

David Wulf
Director, Infrastructure Security Compliance Division, Infrastructure 
Security Division, Cybersecurity and Infrastructure Security Agency, 
U.S. Department of Homeland Security.
[FR Doc. 2019-14591 Filed 7-8-19; 8:45 am]
 BILLING CODE 9110-9P-P