DHS wants PII on persons at all ‘high-risk’ chemical facilities; but where’s the biometrics?
The Department of Homeland Security’s National Protection and Programs Directorate’s (NPPD) Office of Infrastructure Protection, Infrastructure Security Compliance Division is seeking an information collection request program revision to the Chemical Facility Anti-Terrorism Standards (CFATS) to obtain approval to collect information about affected individuals from all high-risk chemical facilities rather than only Tier 1 and Tier 2 high-risk chemical facilities, and to update the estimated number of annual respondents from 195,000 to 72,607 based on historical information collected since DHS implemented the CFATS Personnel Surety Program (PSP) in December 2015 as mandated by the Securing Chemical Facilities from Terrorist Attacks Act of 2014.
NPPD previously published this information collection request (ICR) in the Federal Register on December 27, 2017, for a 60-day public comment period.
However, the new ICR notice NPPD published in the Federal Register is in “responding to seven commenters that submitted comments in response to the 60-day notice previously published for this ICR and soliciting public comment concerning this ICR for an additional 30 days.”
Additional comments will be accepted until July 18, 2018.
According to DHS, the department received approximately $911 million for the CFATS program for the period beginning fiscal year 2007 through fiscal year 2018, a recent Government Accountability Office (GAO) audit report disclosed.
NPPD said, “Identifying affected individuals who have terrorist ties is an inherently governmental function and requires the use of information held in government-maintained databases that are unavailable to high-risk chemical facilities. See 72 FR 17688, 17709 (April 9, 2007). Thus, under RBPS 12(iv), [DHS] and high-risk chemical facilities must work together to satisfy the ‘terrorist ties’ aspect of the Personnel Surety performance standard.”
Critics are puzzled by the lack of specific references to use of, and access to, biometric databases.
“Other than authorizing the use of the Coast Guard’s Transportation Worker Identification Credentials [TWIC], which is only indirectly addressing biometrics, the PSP program does not specifically address biometrics. I cannot even find mention of ‘biometrics’ in the Risk Based Performance Standards guidance documents that provides the limited guidance on what types of security measures that a facility should consider,” Biometric Update was told by Patrick Coyle, who after 15 years in the US Army began working in the chemical industry, getting his BSc Chemistry degree while working as a technician. He then spent 12 years working as a process chemist in a specialty chemical company, and most recently worked as a QA/R&D Manager in a specialty chemical manufacturing facility.
Section 550 of the Department of Homeland Security Appropriations Act of 2007, Section 550, provided (and the CFATS Act of 2014 continues to provide) DHS with the authority to identify and regulate the security of high-risk chemical facilities using a risk-based approach. On April 9, 2007, DHS issued the CFATS Interim Final Rule (IFR), implementing this statutory mandate.
Section 550 required, and the CFATS Act of 2014 continues to require, DHS to establish risk-based performance standards (RBPS) for high-risk chemical facilities. Through the CFATS regulations, DHS promulgated 18 RBPS. Each chemical facility that has been finally determined by DHS to be high-risk must submit, for DHS approval, a Site Security Plan (SSP), or an Alternative Security Program (ASP), whichever the high-risk chemical facility chooses, that satisfies each applicable RBPS.
RBPS 12 requires high-risk chemical facilities to perform appropriate background checks on and ensure appropriate credentials for facility personnel, and, as appropriate, unescorted visitors with access to restricted areas or critical assets. RBPS 12(iv) specifically requires high-risk chemical facility to implement measures designed to identify people with terrorist ties. For the purposes of the CFATS PSP, “people” in RBPS 12(iv) is in reference to affected individuals (i.e., facility personnel or unescorted visitors with or seeking access to restricted areas or critical assets at high-risk chemical facilities).
“In response to multiple comments on the current ICR,” DHS said it “agreed to a ‘phased implementation’ of the CFATS PSP to Tier 1 and Tier 2 high-risk chemical facilities,” but that, “based on lessons learned and the near completion of the implementation at Tier 1 and Tier 2 high-risk chemical facilities,” DHS “now seeks to close a security gap by implementing CFATS PSP at all high-risk chemical facilities.”
“As implemented at Tier 1 and Tier 2 high-risk chemical facilities,” DHS said it “will roll out the CFATS PSP in a ‘phased implementation’ to Tier 3 and Tier 4 high-risk chemical facilities.”
Since DHS implemented the CFATS PSP in December 2015, the department said “it has evaluated many of the assumptions it used when estimating the burden estimate of [the ICR] collection. As a result, several of the assumptions can be revised using actual data rather than assumptions. The burden methodology and revised estimates are described in” DHS’s Methodology in Estimating the Burden for CFATS PSP Information Collection.
Pursuant to the Homeland Security Act of 2002, as amended by the CFATS Act of 2014, the following options are available to enable high-risk chemical facilities to facilitate the vetting of affected individuals for terrorist ties:
• Option 1. High-risk chemical facilities may submit certain information about affected individuals, which DHS will use to vet those individuals for terrorist ties. Specifically, the identifying information about affected individuals will be compared against identifying information of known or suspected terrorists contained in the federal government’s consolidated and integrated terrorist watch list, the Terrorist Screening Database (TSDB), which is maintained by the FBI in the Terrorist Screening Center (TSC).
TSDB data, which includes personally identifiable information (PII), is necessary for DHS to effectively and efficiently assess the risk and/or threat posed by a person or their related goods and cargo entering or exiting the country, but the degree of biometric PII it contains is unclear. DHS has said the Electronic System for Travel Authorization (ESTA) continuously vets applicants’ biographic – including biometric — information against TSDB, the biometric PII of which are argued to be incomplete and fractured, partly due to information-sharing gaps.
• Option 2. High-risk chemical facilities may submit information about affected individuals who already possess certain credentials or documentation that rely on security threat assessments conducted by DHS that will enable the department to verify the continuing validity of these credentials or documentation.
• Option 3. High-risk chemical facilities may comply with RBPS 12(iv) without submitting to DHS information about affected individuals who possess TWIC identification if a high-risk chemical facility electronically verifies and validates the affected individual’s TWICs through the use of TWIC readers (or other technology that is periodically updated using the Canceled Card List).
• Option 4. High-risk chemical facilities may visually verify certain credentials or documents that are issued by a federal screening program that periodically vets enrolled individuals against the TSDB. However, DHS said, it “continues to believe that visual verification has significant security limitations and, accordingly, encourages high-risk chemical facilities choosing this option to identify in their SSPs the means by which they plan to address these limitations.”
In addition to the options described above for satisfying RBPS 12(iv), a high-risk chemical facility can propose alternative or supplemental options in its SSP that are not described in the new ICR options on a facility-by-facility basis in the course of evaluating each facility’s SSP.
“Under Option 3 and Option 4,” DHS said, “a high-risk chemical facility would not need to submit information about an affected individual to [DHS]. These Options are only mentioned in this notice for informational purposes, and there will be no analysis of Option 3 and Option 4 in this information collection request.”
DHS emphasized that, “This information collection request does not propose changes to who qualifies as an affected individual. There are certain groups of persons that the department does not consider to be affected individuals, such as: Federal officials that gain unescorted access to restricted areas or critical assets as part of their official duties; state and local law enforcement officials that gain unescorted access to restricted areas or critical assets as part of their official duties; and emergency responders at the state or local level that gain unescorted access to restricted areas or critical assets during emergency situations.”
Other than seeming to imply biometrics as part of the vetting process using federal databases that include biometric identifiers, critics believe it would be easy enough to give facilities’security departments access to DHS’s TSDB and others, containing know persons of threats.
“Ignoring for the moment concerns about the efficacy and accuracy of data in the TSDB, it is currently the only centralized government database of information identifying persons with ‘known or suspected ties to terrorists.’ Vetting personnel with unaccompanied access to critical infrastructure against that list would seem to be a no brainer,” Coyle said, noting, though, that “it would certainly be helpful if the TSDB had a strong biometric component, but it does not seem to have that at this point.”
So, what about incorporating the Defense Department’s Biometrics Enabled Watch List (BEWL), which contains the fingerprints of “high-threat persons of interest” and is linked to other national terrorist watch lists, like Customs and Border Protection’s Automated Biometric Fingerprint Identification System?
Coyle explained that, “The big problem with biometric identification in the CFATS PSP is that all data submissions by the facility to DHS go through the CSAT website. Collecting the biometric data at the facility site would be a high-cost, high-time activity that would be vigorously opposed by the CFATS regulated community,” and, “DHS would have a hard time justifying the cost when the TSDB is the current standard for DHS,” never mind TSDB is part of a jumbled intelligence collection system with equally as convoluted biometric data.
Walter Haydock, a former staff member for the House Committee on Homeland Security and a targeting officer at the National Counterterrorism Center, last year made a compelling case for consolidating the terrorist watchlisting bureaucracy.