[Federal Register Volume 76, Number 114 (Tuesday, June 14, 2011)]
[Notices]
[Pages 34720-34732]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-14382]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
[Docket No. DHS-2009-0026]
Chemical Facility Anti-Terrorism Standards Personnel Surety
Program
AGENCY: National Protection and Programs Directorate, DHS.
ACTION: Response to comments received during 30-day comment period: New
information collection request 1670-NEW.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security (DHS or the Department),
National Protection and Programs Directorate (NPPD), Office of
Infrastructure Protection (IP), Infrastructure Security Compliance
[[Page 34721]]
Division (ISCD) has submitted an information collection request (ICR)
to the Office of Management and Budget (OMB) for review and clearance
in accordance with the Paperwork Reduction Act of 1995 (PRA). The
information collection is a new information collection. A 60-day public
notice for comments was previously published in the Federal Register on
June 10, 2009, at 74 FR 27555. A 30-day public notice for comments was
published in the Federal Register on April 13, 2010, at 75 FR 18850. In
the 30-day notice the Department responded to comments received during
the 60-day comment period. This notice responds to comments received
during the 30-day notice. This process is conducted in accordance with
5 CFR 1320.8.
FOR FURTHER INFORMATION: A copy of the ICR, with applicable supporting
documentation, may be obtained through the Federal Rulemaking Portal at
http://www.regulations.gov.
SUPPLEMENTARY INFORMATION
Program Description
The Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part
27, require high-risk chemical facilities to submit information to the
Federal government about facility personnel and, as appropriate,
unescorted visitors with access to restricted areas or critical assets
at those facilities. As part of the CFATS Personnel Surety Program this
information will be vetted by the Federal government against the
Terrorist Screening Database (TSDB) to identify known or suspected
terrorists (KSTs). The TSDB is the Federal government's consolidated
and integrated terrorist watchlist of known and suspected terrorists,
maintained by the Department of Justice (DOJ) Federal Bureau of
Investigation's (FBI) Terrorist Screening Center (TSC). For more
information on the TSDB, see DOJ/FBI--019 Terrorist Screening Records
System, 72 FR 47073 (August 22, 2007).
High-risk chemical facilities must also perform three other types
of background checks in order to comply with CFATS' Personnel Surety
Risk-Based Performance Standard 12 (RBPS-12). See 6 CFR
27.230(a)(12)(i)-(iii): High-risk chemical facilities must ``perform
appropriate background checks * * * including (i) Measures designed to
verify and validate identity; (ii) Measures designed to check criminal
history; [and] (iii) Measures designed to verify and validate legal
authorization to work.'' These three other types of background checks
are not the subjects of this notice, nor are they subjects of the
underlying ICR or of the 30- or 60-day notices preceding this notice.
The CFATS Personnel Surety Program is not intended to halt, hinder, or
replace these three other types of background checks, nor is it
intended to halt, hinder, or replace high-risk chemical facilities'
performance of background checks which are currently required for
employment or access to secure areas of those facilities.
Background
On October 4, 2006, the President signed the DHS Appropriations Act
of 2007 (the Act), Public Law 109-295. Section 550 of the Act (Section
550) provides DHS with the authority to regulate the security of high-
risk chemical facilities. DHS has promulgated regulations implementing
Section 550, the Chemical Facility Anti-Terrorism Standards, 6 CFR Part
27.
Section 550 requires that DHS establish Risk Based Performance
Standards (RBPS) as part of CFATS. RBPS-12 (6 CFR 27.230(a)(12)(iv))
requires that regulated chemical facilities implement ``measures
designed to identify people with terrorist ties.'' The ability to
identify individuals with terrorist ties is an inherently governmental
function and requires the use of information held in government-
maintained databases, which are unavailable to high-risk chemical
facilities. Therefore, DHS is implementing the CFATS Personnel Surety
Program, which will allow chemical facilities to comply with RBPS-12 by
implementing ``measures designed to identify people with terrorist
ties.''
DHS has submitted the proposed information collection for the CFATS
Personnel Surety Program to OMB for review and clearance in accordance
with the Paperwork Reduction Act of 1995.
Overview of CFATS Personnel Surety Process
The CFATS Personnel Surety Program will work with the DHS
Transportation Security Administration (TSA) to identify individuals
who have terrorist ties by vetting information submitted by each high-
risk chemical facility against the TSDB.
High-risk chemical facilities or their designees will submit the
information of: (1) Facility personnel who have or are seeking access,
either unescorted or otherwise, to restricted areas or critical assets;
and (2) unescorted visitors who have or are seeking access to
restricted areas or critical assets. These persons, about whom high-
risk chemical facilities and facilities' designees will submit
information to DHS, are referred to in this notice as ``affected
individuals.'' \1\
---------------------------------------------------------------------------
\1\ Individual high-risk facilities may classify particular
contractors or categories of contractors either as ``facility
personnel'' or as ``visitors.'' This determination should be a
facility-specific determination, and should be based on facility
security, operational requirements, and business practices.
---------------------------------------------------------------------------
Information will be submitted to NPPD through the Chemical Security
Assessment Tool (CSAT), the online data collection portal for CFATS.
The high-risk chemical facility or its designees will submit the
information of affected individuals to DHS through CSAT. The submitters
of this information (``Submitters'') for each high-risk chemical
facility will also affirm, to the best of their knowledge, that the
information is: (1) True, correct, and complete; and (2) collected and
submitted in compliance with the facility's Site Security Plan (SSP) or
Alternative Security Program (ASP), as reviewed and authorized and/or
approved in accordance with 6 CFR 27.245. The Submitter(s) of each
high-risk chemical facility will also affirm that, in accordance with
their Site Security Plans, notice required by the Privacy Act of 1974,
5 U.S.C. 552a, has been given to affected individuals before their
information is submitted to DHS.
DHS will send a verification of receipt (previously referred to as
a ``verification of submission'' in the 60-day and 30-day notices) to
the submitter(s) of each high-risk chemical facility when a high-risk
chemical facility: (1) Submits information about an affected individual
for the first time; (2) submits additional, updated, or corrected
information about an affected individual; and/or (3) notifies DHS that
an affected individual no longer has or is seeking access to that
facility's restricted areas or critical assets.
Upon receipt of each affected individual's information in CSAT,
NPPD will send a copy of the information to TSA. Within TSA, the Office
of Transportation Threat Assessment and Credentialing (TTAC) conducts
vetting against the TSDB for several DHS programs. TTAC will compare
the information of affected individuals collected by DHS (via CSAT) to
information in the TSDB. TTAC will forward potential matches to the
TSC, which will make a final determination of whether an individual's
information is identified as a match to a record in the TSDB.
In the event that an affected individual's information is confirmed
to match a record in the TSDB (which DHS refers to as a ``match to the
TSDB,'' or
[[Page 34722]]
simply as a ``match''), the TSC will notify NPPD and the appropriate
Federal law enforcement agency for coordination, investigative action,
and/or response, as appropriate. NPPD will not routinely provide
vetting results to high-risk chemical facilities nor will it provide
results to an affected individual whose information has been submitted
by a high-risk chemical facility. As warranted, high-risk chemical
facilities may be contacted by DHS or Federal law enforcement agencies
as part of law enforcement investigation activity.
Information Collected
DHS may collect the following information about affected
individuals:
Full name;
Aliases;
Date of birth;
Place of birth;
Gender;
Citizenship;
Passport information;
Visa information;
Alien registration number;
DHS Redress Number (if available).
For purposes of clarifying the exact data points which will be
routinely collected as part of the CFATS Personnel Surety Program, the
Department offers the following data clarification to the public. Under
this information collection, the Department will require that high-risk
chemical facilities submit the following information about affected
individuals that are U.S. Citizens and Lawful Permanent Residents, for
vetting against the TSDB:
a. Full name;
b. Date of birth; and
c. Citizenship or Gender.
The Department will require that high-risk chemical facilities
submit the following information about affected individuals that are
Non-U.S. Persons, for vetting against the TSDB:
a. Full name;
b. Date of birth;
c. Citizenship; and
d. Passport information and/or alien registration number.
To reduce the likelihood of false positives in matching against the
TSDB, high-risk chemical facilities may also (optionally) submit the
following information about affected individuals:
a. Aliases;
b. Gender (for Non-U.S. persons);
c. Place of birth; and
d. DHS Redress Number.
In lieu of conducting new TSDB vetting of an affected individual,
DHS may collect information to verify that an affected individual is
currently enrolled in a DHS program that also requires a TSDB check
equivalent to the TSDB vetting performed as part of the CFATS Personnel
Surety Program. For purposes of clarifying the exact data points which
will be routinely collected as part of the CFATS Personnel Surety
Program, the Department offers the following data clarification to the
public. To verify enrollment in a DHS screening program, the high-risk
chemical facility must submit the affected individual's:
a. Full Name;
b. Date of Birth; and
c. Program-specific information or credential information, such as
unique number, or issuing entity (e.g., State for Commercial Driver's
License with an Hazardous Materials Endorsement).
When verifying enrollment in a DHS screening program, the high-risk
chemical facility may also (optionally) submit the affected
individual's:
a. Aliases;
b. Place of birth;
c. Gender;
d. Citizenship; and
e. DHS Redress Number.
If high-risk chemical facilities find it administratively easier to
submit to DHS the routine vetting information of an affected
individual, even if the affected individual has been previously vetted,
facilities may do so. In that case, DHS will vet affected individuals
against the TSDB, and will not seek to verify an affected individual's
enrollment in TWIC, HME, NEXUS, SENTRI or FAST.
DHS will collect information that identifies the high-risk chemical
facility or facilities, to which the affected individual has or is
seeking access to restricted areas or critical assets.
DHS may contact a high-risk chemical facility to request additional
information (e.g., visa information) pertaining to particular
individuals in order to clarify suspected data errors or resolve
potential matches (e.g., in situations where an affected individual has
a common name). Such requests will not imply, and should not be
construed to indicate, that an individual's information has been
confirmed as a match to a TSDB record.
In the event that a confirmed match is identified as part of the
CFATS Personnel Surety Program, DHS may obtain references to and/or
information from other government law enforcement and intelligence
databases, or other relevant databases that may contain terrorism
information.
DHS may collect information necessary to assist in tracking
submissions and transmission of records, including electronic
verification that DHS has received a particular record.
DHS may also collect information about points of contact at each
high-risk chemical facility, and which points of contact the Department
or Federal law enforcement personnel may contact with follow-up
questions. A request for additional information from DHS does not
imply, and should not be construed to indicate, that an individual is
known or suspected to be associated with terrorism.
DHS may also collect information provided by individuals or high-
risk chemical facilities in support of any redress requests or any
adjudications initiated under CFATS.
DHS may request information pertaining to affected individuals,
previously provided to DHS by high-risk chemical facilities, in order
to confirm the accuracy of that information, or to conduct data
accuracy reviews and audits as part of the CFATS Personnel Surety
Program.
DHS will also collect administrative or programmatic information
(e.g., affirmations or certifications of compliance, extension
requests, brief surveys for process improvement, etc.) necessary to
manage the CFATS Personnel Surety Program.
The Department will also collect information that will allow high-
risk chemical facilities to manage their data submissions.
Specifically, the Department will make available to high-risk chemical
facilities two blank data fields. These blank data fields may be used
by a high-risk chemical facility to assign each record of an affected
individual a unique designation or number that is meaningful to the
high-risk chemical facility. Collecting this information will enable a
high-risk chemical facility to manage the electronic records it submits
into CSAT. Entering this information into CSAT will be completely
voluntary, and is intended solely to enable high-risk chemical
facilities to search through, sort, and manage the electronic records
they submit into.
Responses to Comments Received During the CFATS Personnel Surety
Program ICR 30-Day Comment Period
The Department received 20 comments in response to the 30-day
notice for comment. Comments were received from eight private sector
companies; nine associations; one training council; one union; and one
council composed of chemical industry trade associations. Many of the
comments were in response to the questions posed by the Department in
the 30-day notice for comments. The Department first addresses comments
responding to questions posed in the 30-day notice, and then responds
to
[[Page 34723]]
unsolicited comments received in response to the 30-day notice.
(A) On Behalf of OMB, DHS Solicited Comments That Evaluate Whether the
Proposed Collection of Information Is Necessary for the Proper
Performance of the Functions of the Agency, Including Whether the
Information Will Have Practical Utility
Comment: The Department received several comments addressing
whether the proposed collection of information had any practical
utility. One commenter suggested that the CFATS Personnel Surety
Program does not provide owners or operators of regulated facilities
with a value-added tool to screen potential personnel, contractors, and
visitors or to identify potential security risks. Another commenter
suggested that the proposed program is a one-way process that provides
information to the Department on personnel with access to restricted
areas, without any feedback provided to the owners or operators of
regulated facilities on their personnel. In contrast, one commenter
stated that, ``[i]n the context of CFATS requirements for personal
surety and protecting the nation's chemical infrastructure, the
consolidated and integrated terrorist watchlist, even with [its]
limitations * * * is likely the best check for potential terrorists by
DHS compared to other methods and information.''
Response: The CFATS Personnel Surety Program is necessary for the
proper performance of the functions of the Department, including
protecting chemical facilities and the nation from terrorist attacks.
DHS will perform this responsibility by identifying individuals with
terrorist ties that have or are seeking access to restricted areas or
critical assets at high-risk chemical facilities. The CFATS Personnel
Surety Program also has practical utility--enabling the Federal
government to take appropriate follow-up action if it determines that
known or suspected terrorists have or seek access to restricted areas
or critical assets at high-risk chemical facilities.
Comment: One commenter stated that the information collection and
vetting processes described in the 30-day notice appeared to be an
attempt to shift responsibility from the government to the private
sector. The commenter suggested that the 30-day notice read as though
facilities will assist the Federal government in the performance of
anti-terrorism duties.
Response: High-risk chemical facilities will submit information
pertaining to affected individuals to DHS as part of the CFATS
Personnel Surety Program. In the preamble to the CFATS Interim Final
Rule (IFR), DHS stated that background checks identifying individuals
with terrorist ties, required by 6 CFR 27.230(a)(12)(iv), can only be
achieved by conducting vetting against the TSDB. See 72 FR 17709 (Apr.
9, 2007). Determining whether individuals' information matches a record
in the TSDB necessarily includes checks of data sets that are not
commercially available. The design of the CFATS Personnel Surety
Program will allow high-risk chemical facilities to comply with 6 CFR
27.230(a)(12)(iv) by submitting information necessary for DHS to
conduct vetting against the TSDB.
Comment: DHS received comments regarding individuals who have
previously undergone TSDB vetting equivalent to CFATS Personnel Surety
Program TSDB vetting, and who have been subsequently issued and
currently maintain active, valid credentials or endorsements (e.g.,
Transportation Worker Identification Credentials) as a result of that
previous vetting. Commenters stated that the Department's collection of
information from facilities about these affected individuals: (1)
Serves no security purpose; (2) means that the Department is not
granting TSDB vetting reciprocity between its own programs; and (3) is
redundant, particularly in situations where commenters believe that
other DHS credentialing programs have more stringent vetting criteria
than CFATS. Several commenters requested clarification on which Federal
credentialing programs the Department will recognize as conducting TSDB
checks equivalent to CFATS Personnel Surety Program TSDB checks.
Response: The 30-day notice reiterated the Department's position,
first outlined in the preamble to the IFR, that DHS supports the
sharing and reuse of vetting results. See 72 FR 17709 (Apr. 9, 2007).
An affected individual will not need to undergo additional vetting as
part of the CFATS Personnel Surety Program if he/she has successfully
undergone TSDB vetting, and possesses a valid credential or
endorsement, as part of the Department's Transportation Worker
Identification Credential (TWIC) program, Hazardous Materials
Endorsement (HME) program, NEXUS program, Secure Electronic Network for
Travelers Rapid Inspection (SENTRI) program, or Free and Secure Trade
(FAST) program. DHS must collect a limited amount of information for
that affected individual, however, to determine that the affected
individual is currently enrolled in an above-listed DHS program. This
information is necessary (1) To verify that the affected individual is
currently enrolled in the DHS program, and (2) to enable DHS to access
both the original enrollment data and the TSDB vetting results already
in the possession of the Department, when necessary. The following
information is necessary to verify an affected individual's enrollment
in a DHS program:
--------------------------------------------------------------------------------------------------------------------------------------------------------
TWIC HME NEXUS SENTRI FAST
--------------------------------------------------------------------------------------------------------------------------------------------------------
Name............................... Required.............. Required.............. Required............. Required............. Required.
Date of Birth...................... Required.............. Required.............. Required............. Required............. Required.
Unique Credential Information...... --TWIC Serial Number: --Commercial Driver's --PASS Number: --PASS Number: --PASS Number:
Required. License (CDL) Issuing Required. Required. Required.
--Expiration Date: State(s): Required. --Expiration Date: --Expiration Date: --Expiration Date:
Required.. --CDL Number: Required.. Required.. Required.
Required..
--Expiration Date:
Required..
--------------------------------------------------------------------------------------------------------------------------------------------------------
If DHS cannot confirm an affected individual's current enrollment
in one of the previously mentioned programs, or if previous vetting
results cannot be verified, DHS will either: (1) Notify the high-risk
chemical facility that the Department could not verify that the
affected individual is currently enrolled in a DHS program; and/or (2)
vet the affected individual against the TSDB. When a high-risk chemical
facility is notified that the Department could not
[[Page 34724]]
verify that the affected individual is currently enrolled in a DHS
program, the high-risk chemical facility must either: (1) Submit
additional information, which corrects or updates the previous
information to verify enrollment; or (2) provide sufficient information
for the Department to conduct vetting of the affected individual
against the TSDB. Such notifications from DHS will not imply, and
should not be construed to indicate, that an individual has been
confirmed as a match to the TSDB.
If high-risk chemical facilities find it administratively easier to
submit information about affected individuals for vetting against the
TSDB (rather than leveraging previous vetting against the TSDB), high-
risk chemical facilities may do so. In that case, DHS will vet affected
individuals against the TSDB, and will not seek to verify an affected
individual's enrollment in TWIC, HME, NEXUS, SENTRI, or FAST.
Comment: Several commenters suggested that the Department was not
following recently-issued White House recommendations to promote
comparability and reciprocity across credentialing and screening
programs. One commenter specifically referred to Recommendation 16 of
the Surface Transportation Security Priority Assessment, which
recommends that the Federal government ``Create a more efficient
Federal credentialing system by reducing credentialing redundancy,
leveraging existing investments, and implementing the principle of
`enroll once, use many' to reuse the information of individuals
applying for multiple access privileges.'' See The White House (March
2010), http://www.whitehouse.gov/sites/default/files/rss_viewer/
STSA.pdf.
Response: The design of the CFATS Personnel Surety Program aligns
with the recommendations of the Surface Transportation Security
Priority Assessment.
In discussions with high-risk chemical facilities, DHS has
discovered that the concept of ``enroll once, use many'' may have been
misinterpreted by commenters as meaning that an individual should only
need to submit information to DHS once, and that DHS should never
collect information from that individual again. DHS, however, defines
the ``enroll once, use many'' concept as the ability to reuse
previously-submitted program enrollment information and/or vetting
results, upon collection of sufficient information to confirm an
individual's prior enrollment in a DHS program or prior vetting
results. High-risk chemical facilities will have to submit affected
individuals' personal data to DHS as part of the CFATS Personnel Surety
Program in order for DHS to reuse previously-submitted enrollment
information and previous vetting results. The CFATS Personnel Surety
Program will require only the minimum information necessary to verify
affected individuals' enrollments in the TWIC, HME, NEXUS, SENTRI, and
FAST programs.
Comment: Several commenters suggested that it may be reasonable for
DHS to require chemical facilities to perform visual inspections of
TWICs and other existing credentials, but that requiring chemical
facilities to submit data pertaining to affected individuals possessing
such other credentials would not serve any legitimate security purpose.
Further, one commenter stated that facilities not regulated under the
Maritime Transportation Security Act (MTSA) should not be expected to
obtain ``readers'' for TWIC credentials.
Response: As previously discussed, DHS will collect information
about affected individuals who are currently enrolled in certain DHS
programs with equivalent TSDB vetting to verify that each affected
individual is currently enrolled in the TWIC, HME, NEXUS, SENTRI, and/
or FAST programs.
DHS agrees that there is no expectation or requirement that non-
MTSA facilities be equipped with TWIC readers. DHS also emphasizes that
TWICs are not required for persons accessing facilities regulated by
CFATS. High-risk chemical facilities may, however, choose to leverage
TWIC credentials as part of the identity, legal authorization to work,
and criminal history background checks they perform as part of 6 CFR
27.230(a)(12)(i)-(iii). The precise manners in which high-risk chemical
facilities could leverage TWIC credentials as part of identity, legal
authorization to work, and criminal history background checks could
vary from facility to facility, and should be described in individual
facilities' SSPs. The precise manners in which facilities could
leverage TWIC credentials as part of these other background checks are
beyond the scope of this Paperwork Reduction Act response to comments.
Comment: Several commenters suggested that the Department should
accept vetting results from other Federal agencies, namely the Bureau
of Alcohol, Tobacco, Firearms, and Explosives (ATF), which conduct
vetting against the TSDB. Commenters suggested that without this
accommodation, the Department would impose unreasonable burdens on a
segment of the community regulated by more than one Federal agency
without any corollary enhancement to security.
Response: ATF conducts point-in-time vetting against the TSDB,
which means that ATF's checks are conducted at only specified times,
not on a recurrent basis. Recurrent vetting is a DHS best practice, and
compares an affected individual's information against new and/or
updated TSDB records as new and/or updated records become available.
(B) On Behalf of OMB, DHS Solicited Comments Which Evaluate the
Accuracy of the Department's Estimate of the Burden of the Proposed
Collection of Information, Including the Validity of the Methodology
and Assumptions Used
Comment: The Department received comments which supported the
proposed CFATS Personnel Surety Program information submission
schedule, published in the Federal Register on April 13, 2010, at 75 FR
18853, as part of the Department's 30-day notice. The Department also
received comments raising the point that the proposed schedule would
create situations in which an affected individual's name will be
submitted to DHS after he/she no longer has access to a high-risk
chemical facility. Several commenters highlighted this issue by
pointing out that commercial delivery companies may not always send the
same driver to a high-risk chemical facility.
Response: Based in part on commenters' concerns, DHS will revise
the proposed information submission schedule previously published in
the 30-day notice. The revised schedule will be published in the
Federal Register and/or disseminated to high-risk chemical facilities
individually, and will align with the RBPS Metric 12.1 for ``new/
prospective employees [facility personnel] & unescorted visitors.''
(See Table 17 in the May 2009 Risk Based Performance Standards
Guidance, http://www.dhs.gov/xlibrary/assets/chemsec_cfats_riskbased_performance_standards.pdf.) Specifically, the revised
schedule will require high-risk chemical facilities to submit the
information of new affected individuals prior to access to restricted
areas or critical assets. The Department is considering whether to
establish that high-risk chemical facilities be required to submit the
information at least 48 hours prior to access to restricted areas or
critical assets. The Department may, on a case by case basis, allow for
variances from the schedule.
In response to the comments received about commercial delivery
drivers, DHS reminds the public that RBPS-12
[[Page 34725]]
applies only to facility personnel with access to a high-risk chemical
facility's restricted areas or critical assets, and to unescorted
visitors with access to a high-risk chemical facility's restricted
areas or critical assets. Situations that require visitors to generally
access a high-risk chemical facility will not result in submission of
information for vetting under the CFATS Personnel Surety Program if the
visitors do not have access to restricted areas or critical assets, or
if the visitors are escorted through restricted areas and critical
assets. If commercial delivery drivers visiting high-risk chemical
facilities are escorted, or if they do not have access to restricted
areas or critical assets in the first place, then they will not be
affected individuals and will not be vetted under the CFATS Personnel
Surety Program.
If a high-risk chemical facility opts to allow visitors (e.g.,
commercial truck drivers) unescorted access to its restricted areas or
critical assets, the visitors will be considered affected individuals
and the facility will be required to both (1) Perform background checks
on the unescorted visitors as required under 6 CFR 27.230(a)(12)(i)-
(iii), and (2) submit information pertaining to those visitors to the
Department to identify individuals with terrorist ties. The Department
recognizes that this may, or may not, necessitate changes in business
operations of high-risk chemical facilities.
Comment: Many commenters suggested the Department did not
accurately estimate the burden to high-risk chemical facilities because
it underestimated the affected population. The commenters suggested a
total population of 10,000,000 affected individuals, rather than the
Department's estimate of 1,063,200 affected individuals. Using the
Department's estimated time per respondent of 0.59 hours, commenters
estimated 6,000,000 burden hours. The majority of commenters used an
average hourly rate of $20.00. Commenters estimated that total annual
cost of the CFATS Personnel Surety Program would be $120,000,000.
Response: DHS disagrees with several of the commenters' assumptions
that resulted in the $120,000,000 estimate. First, commenters suggested
that the ICR estimate of 1,063,200 total respondents (i.e., affected
individuals) did not account for agricultural retail or distribution
facilities that cannot isolate restricted areas or critical assets to a
limited number of employees or visitors. In the CFATS Regulatory
Assessment the Department approximated compliance costs through the use
of model facility categories. See CFATS Regulatory Assessment, section
5.1 (Apr. 1, 2007), http://www.regulations.gov/#!documentDetail;D=DHS-
2006-0073-0116. Model facility categories were created using four
variables: (1) To which of the four risk-based tiers a covered facility
is assigned; (2) whether a covered facility is ``enclosed'' (inside a
building) or ``open'' (not inside a building); (3) the size of a
covered facility (large or small); and (4) whether the chemicals at a
covered facility are at risk of theft or diversion for subsequent use
as weapons or weapons components. These variables provided the
Department with 16 variations for which different estimates could be
approximated. See CFATS Regulatory Assessment at 23, table 15 (Apr. 1,
2007). Several of the variations of these model facility categories,
notably Tier 4 Groups A, B, and C, do account for agricultural retail
or distribution facilities that cannot isolate restricted areas or
critical assets to a limited number of employees or visitors.
Therefore, the Department believes that the information collection does
reasonably account for agricultural retail or distribution facilities
that cannot isolate restricted areas or critical assets to a limited
number of facility personnel or unescorted visitors.
Second, some commenters assumed that the Department failed to
account for respondents at facilities that would be required to submit
Top-Screen consequence assessments to DHS if the ``indefinite time
extension'' issued by the Department on January 9, 2008 is lifted. The
Department disagrees with the commenters because the total respondent
estimate used by the Department was derived from the CFATS Regulatory
Assessment, which was published (on April 1, 2007) prior to the
``indefinite time extension'' (issued on January 9, 2008). The CFATS
Regulatory Assessment assumed the inclusion of these facilities when
estimating the population of individuals affected by Personnel Surety
costs.
The third assumption that commenters used to support an estimated
total number of 10,000,000 affected individuals was that the Department
should include the population of individuals working at approximately
3,200 MTSA-regulated facilities in its estimate of the population of
affected individuals. The Department is precluded from including any
population in the total number of respondents explicitly excluded from
regulation under CFATS. MTSA facilities are excluded from regulation
under CFATS by Section 550.
Commenters also suggested that many high-risk facilities in the
retail segment could see large numbers of visitors (i.e., customers)
entering facilities during peak retail times of the year. The
commenters suggested that depending on how the Department defines
``unescorted visitor,'' the total annual number of respondents could be
an order of magnitude greater than the 354,400 figure estimated by the
agency. Commenters did not specify any order of magnitude, so the
Department assumed that commenters were suggesting that during peak
times of the year the Department should estimate an increase of one
order of magnitude (i.e., 3,189,600 affected individuals) above the
Department's current annual population estimate.\2\ The Department does
not believe that high-risk chemical facilities in the retail segment
will opt to conduct the other background checks required under 6 CFR
27.230(a)12(i)-(iii) on these individuals due to the cost and burden
that would place on the high-risk chemical facility. Hence, high-risk
chemical facilities in the retail segment will likely ensure, through
their access controls, that customers will not become affected
individuals. Therefore, the Department has chosen not to modify the
total number of respondents based upon peak retail times of the year.
---------------------------------------------------------------------------
\2\ The estimate of 3,189,600 affected individuals is derived
from [(354,000 affected individuals x 10)--354,400 affected
individuals]
---------------------------------------------------------------------------
The Department has concluded that the comments which estimated that
the total annual cost on the regulated community of the CFATS Personnel
Surety Program would be $120,000,000 were based on inaccurate
assumptions.
Comment: One commenter stated that it conducted a study of twelve
industry members and subsequently concluded the Department had
significantly underestimated the burden on the industry.
Response: The Department requested from the commenter, and was
subsequently provided, the survey data underlying the study referenced
in the commenter's response. The survey requested information and
specific numeric data from 34 facilities (owned and operated by 12
industry members). The facilities ranged from a small research facility
to several large facilities. The Department concluded that an increase
in the estimated number of respondents was justified, based on the
survey data received.
The Department has concluded that the type of facilities surveyed
generally aligned with Group A facilities (described in section 5.1 of
the CFATS
[[Page 34726]]
Regulatory Assessment). Based on the survey, and based on a brief
description of facilities responding to the survey, the Department
increased, for the purposes of this ICR, the estimate of Group A
facilities by an order of magnitude thus matching the results of the
survey.
In reviewing the comments, as well as the survey data provided, the
Department identified a minor computational error when calculating the
total annual number of respondents in the 60-day and 30-day notices.
Specifically, the Department in the 30-day and 60-day notices
improperly assumed that total number of respondents as 1,063,200
affected individuals over a three-year period. Rather in the CFATS
Regulatory Assessment the Department had assumed the total population
of individuals to be screened at 1,063,200 with an additional annual
turnover that resulted in an additional 177,290 respondents during the
second and third years. Therefore, in the 60-day and 30-day notices the
Department should have estimated a total number of respondents over
three years as 1,417,780 resulting in 472,593 annual number of
respondents.
In accounting for this minor computational error, and for the
increase of Group A facilities by an order of magnitude, the Department
has revised its average total annual number of respondents from 354,400
to 1,303,700. As a consequence, the estimated time per respondent
(i.e., total burden hours/number of respondents) was revised from 0.59
hours to 0.54 hours.
Comment: Three of the four commenters that analyzed the estimated
costs outlined in the 30-day notice suggested an appropriate wage rate
of $20 per hour while the fourth commenter suggested the wage rate
would range between $20 and $40 per hour.
Response: Based upon the commenters' suggestions, the Department
has modified the wage rate. Since comments on the appropriate wage rate
ranged from $20 to $40 per hour, we picked the midpoint of $30 for our
hourly wage rate. To account for the cost of employee benefits such as
paid leave, insurance, retirement, etc., we multiplied the base wage
rate of $30 by 1.4 to arrive at a fully loaded wage rate of $42 per
hour.\3\ The updated analysis and costs submitted to OMB as part of the
CFATS Personnel Surety Program ICR are reflected at the conclusion of
this notice.
---------------------------------------------------------------------------
\3\ The average hourly wage rate previously used by the
Department in the 30-day and 60-day notices was $84. This average
hourly wage rate was based upon the hourly wage rate estimate for
Site Security Officers (SSO) contained in section 6.3.1 of the CFATS
Regulatory Assessment, adjusted to account for passage of time since
publication of the Regulatory Assessment. See CFATS Regulatory
Assessment (Apr. 1, 2007), http://www.regulations.gov/#!documentDetail;D=DHS-2006-0073-0116.
---------------------------------------------------------------------------
Comment: Many commenters suggested that the Department did not
accurately estimate the burden because the estimate was limited to
those activities listed in 5 CFR 1320.3(b)(1). Commenters suggested
that such a limit does not account for unnecessary investigations, or
for justified or unjustified adverse employment decisions that could
result from a person's possibly unjustified presence on the TSDB. One
commenter expressed concern that the Department's estimate did not
account for the burden on affected individuals whose information
matches that of records in the TSDB, but who are not in fact
terrorists.
Response: The activities which the Department must account for when
estimating the burden of an ICR are limited in scope to those
activities listed in 5 CFR 1320.3(b)(1). Specifically, 5 CFR
1320.3(b)(1) requires the Department to estimate the total time,
effort, or financial resources expended by persons to generate,
maintain, retain, disclose, or provide information to or for a Federal
agency. The potential burden described by the commenters is not related
to the burden high-risk chemical facilities incur in collecting and
submitting the information of affected individuals to DHS, nor is it
within the scope of the activities listed in 5 CFR 1320.3(b)(1).
(C) On Behalf of OMB, DHS Solicited Comments To Enhance the Quality,
Utility, and Clarity of the Information To Be Collected
Comment: One commenter suggested that requiring covered facilities
to collect, submit and maintain affected individuals' information
creates a situation subject to data entry errors and presents a
significant challenge to maintain current information.
Response: The Department has made an effort to create a user-
friendly Web tool (in CSAT) that will reduce data entry errors. Hence,
the Department believes that Submitters of high-risk chemical
facilities will be able to affirm that, to the best of their knowledge,
information submitted to DHS as part of the CFATS Personnel Surety
Program is true, correct, and complete.
Comment: One commenter suggested that it would be inappropriate to
require facilities to submit affected individuals' information to DHS.
The commenter suggested that requiring covered facilities to collect,
verify, submit, and maintain this information creates an increased
legal liability for covered facilities that have to accurately and
timely collect, verify, submit, maintain and protect this sensitive
information.
Response: DHS presumes that chemical facilities, as employers, have
access to basic biographical information (such as names, dates of
birth, genders, and citizenships) of many facility personnel and
visitors.
As part of RBPS-12, each high-risk chemical facility is also
required to conduct background checks to verify the identity, legal
authorization to work, and criminal history of affected individuals.
Many high-risk chemical facilities are collecting, verifying, and
properly maintaining information necessary for these other
verifications already. This already-collected information should
include many, if not most of the necessary data elements required for
submission to DHS to complete the check for an individual's ties to
terrorism.
Comment: A few commenters stated that high risk chemical facilities
are rarely in a legal position to guarantee the truth, correctness or
completeness of information related to contractors, vendors, truck
drivers or any other non-employees. Requiring signed documents by
company officials will not ensure that information from parties outside
of their legal control is true, correct, and complete. One commenter
expressed concern that company or facility representatives are not
experts in determining the validity of identification, and the
affirmation statements the Department will require each Submitter to
affirm should be modified to be ``the same information presented by the
affected individual.''
Response: Each Submitter will be expected to affirm, to the best of
his/her knowledge, that the information he/she submits to DHS on behalf
of a high-risk chemical facility for vetting against the TSDB is true,
correct, and complete. In the event that a high-risk chemical facility
submits incorrect information through no fault of its own, the
Department will expect the high-risk chemical facility to update the
information in accordance with the proposed submission schedule. Steps
that high-risk chemical facilities might take to validate personal
information collected as part of identity, legal authorization to work,
or criminal history checks are beyond the scope of this notice and are
beyond the scope of the CFATS Personnel Surety Program ICR.
[[Page 34727]]
Comment: The Department received comments requesting clarity as to
whether covered facilities should submit names of emergency personnel
who would qualify as affected individuals. One commenter noted a CFATS
Frequently Asked Question (FAQ) which indicated that fire department
personnel would not be required to undergo background checks.
Response: The Department expects high-risk chemical facilities to
submit the information of affected individuals in accordance with the
submission schedule to be published or disseminated by the Department.
For purposes of RBPS-12, the Department affirms that certain
populations are not affected individuals. Specifically: (1) Federal
officials that gain unescorted access to restricted areas or critical
assets as part of the performance of their official duties are not
affected individuals; (2) law enforcement officials at the state or
local level that gain unescorted access to restricted areas or critical
assets as part of the performance of their official duties are not
affected individuals; and (3) emergency responders at the state or
local level that gain unescorted access to restricted areas or critical
assets during emergency situations are not affected individuals. This
aligns with the population assumptions for the CFATS Personnel Surety
Program embedded within the Regulatory Assessment.
The Department has updated FAQ 1368 (see http://csat-help.dhs.gov),
and appreciates the comment which brought the FAQ to the Department's
attention.
Comment: One commenter suggested that the Department is requesting
information beyond what is required to identify people with terrorist
ties when collecting work phone numbers and work email addresses. The
commenter also suggested that collecting additional information for
auditing purposes is beyond the scope of CFATS.
Response: DHS no longer plans to routinely collect affected
individuals' work phone numbers and work email addresses. The
Department disagrees, however, that collection of information for
auditing purposes is beyond the scope of CFATS.
Comment: Several commenters suggested that the burden would be
difficult to estimate unless the Department provided definitions for
such terms as ``contractor'' and ``vendor.''
Response: Individual high-risk facilities may classify particular
contractors or vendors, or categories of contractors or vendors, either
as ``facility personnel'' or as ``visitors.'' This determination should
be a facility-specific determination, and should be based on facility
security, operational requirements, and business practices. The
Department's estimates regarding the information collection burden of
the Personnel Surety Program reflect this approach.
Comment: One commenter was not aware of any facility that currently
maintains, in an easily accessible or transferrable format, the
information required for submission discussed in the ICR.
Response: The Department believes that the information necessary to
identify individuals with terrorist ties is already in the possession
of many high-risk chemical facilities, due to the other background
checks already performed by those facilities. The burden outlined in
this ICR accounts for the fact that some facilities do not possess this
information, and that others do not possess this information in easily
accessible or transferrable formats.
Comment: One commenter suggested that various flaws in the TSDB and
various flaws in the Federal government's watchlisting protocols need
to be addressed in order to make the CFATS Personnel Surety Program
viable and fair.
Response: As indicated in the CFATS IFR, the Department has
determined that a TSDB check is necessary for the purpose of protecting
restricted areas and critical assets of high-risk chemical facilities
from persons who may have ties to terrorism. See 72 FR 17708 (Apr. 9,
2007). The TSDB is the Federal government's integrated and consolidated
terrorist watchlist and is the appropriate database to use to identify
individuals with terrorist ties. Discussions regarding TSDB flaws and
the Federal government's watchlisting protocols are beyond the scope of
this notice.
Comment: One commenter requested clarity about the Department's
reference that it may ``collect information on affected individuals as
necessary to enable it to provide redress.'' Another commenter
expressed concern that the CFATS Personnel Surety Program design does
not set up a uniform, thorough system that gives workers full appeals
or waiver procedures. Several commenters expressed concern about how
the Department would provide meaningful redress under the design of the
CFATS Personnel Surety Program.
Response: An ICR is not the appropriate vehicle for the Department
to use to address privacy and redress issues related to the CFATS
Personnel Surety Program. The Department will publish a Privacy Impact
Assessment (PIA) about the CFATS Personnel Surety Program, to be made
available on the Department's Web page at http://www.dhs.gov/privacy
and http://www.dhs.gov/chemicalsecurity. The Department will also
publish a System of Records Notice (SORN) for the CFATS Personnel
Surety Program, and a Notice of Proposed Rulemaking proposing to take
certain Privacy Act exemptions for the CFATS Personnel Surety Program
System of Records.
(D) On Behalf of OMB, DHS Solicited Comments Regarding the Minimization
of the Burden of Information Collection on Those Who Are To Respond,
Including Tthrough the Use of Aappropriate Automated, Electronic,
Mechanical, or Other Technological Collection Techniques or Other Forms
of Information Technology (e.g., Permitting Electronic Submissions of
Responses)
Comment: Three commenters suggested that the Department should
allow private third parties to submit information of individuals to DHS
on behalf of chemical facilities. Specifically, these commenters
suggested that if private third parties could directly submit
information, substantial burden could be eliminated for high-risk
chemical facilities. Another commenter suggested that the Department
should provide a means through which non-employees would be able to
directly provide their information to the Department.
Response: As part of the Personnel Surety Program, DHS will also
allow facilities to designate third party individuals as Submitters.
Designated individuals will be able to submit TSDB screening
information to DHS on behalf of the facilities that designate them as
Submitters.
Comment: Commenters suggested that the ICR places undue burdens and
costs on businesses that operate multiple regulated facilities where
redundant information submissions would be required for a given
individual who visits multiple sites.
Response: The Department has taken steps to minimize the potential
for an affected individual's information to be submitted multiple
times. Further, in the event that an affected individual's information
is submitted to the Department multiple times, only one record will be
transmitted to TSA to be vetted against the TSDB.
The primary step the Department has taken to minimize the potential
for an affected individual's information to be submitted multiple times
is ensuring that companies with many high-risk chemical facilities have
flexibility to consolidate CSAT user roles. Specifically, CSAT will
provide
[[Page 34728]]
companies the flexibility either to consolidate their user roles to
allow a single Submitter for many facilities, or to elect for each
facility to independently submit information to the Department. Each
company may implement the best strategy for itself.
Comment: Several commenters suggested that requiring facilities to
update and correct information about affected individuals will neither
``increase the accuracy of data collected,'' nor ``decrease the
probability of incorrect matches'' against the TSDB. The commenters
further suggested that updating and correcting information will
significantly increase the administrative burden on companies required
to provide the information and will also increase the likelihood that
data may be incomplete and/or inaccurate.
Response: The Department is confident that matching correct and
accurate information against records in the TSDB increases the accuracy
of the vetting process. The use of inaccurate or false data prevents
DHS from accurately screening individuals with or seeking access to
high-risk chemical facilities for ties to terrorism.
Comment: Several commenters requested that the Department eliminate
the requirement that facilities notify the Department when an affected
individual no longer has access to a facility's restricted areas or
critical assets.
Response: For the duration that an affected individual has or is
seeking access to restricted areas or critical assets at high-risk
chemical facilities, DHS will compare the affected individual's
information against new and/or updated TSDB records. When the
Department is made aware that an individual no longer has or is seeking
access, that individual's information will no longer be vetted against
the TSDB. Therefore, the Department will not eliminate the requirement
that facilities must notify the Department when an affected individual
no longer has or is seeking access to a facility's restricted areas or
critical assets.
(E) DHS Solicited Comments That Respond to the Department's
Interpretation of the Population Affected by RBPS-12's Background Check
Requirement
Comment: Some commenters acknowledged the plain reading of CFATS,
describing what categories of individuals are affected individuals for
purposes of the CFATS Personnel Surety Program, while expressing their
dissatisfaction that the Department was not pursuing rulemaking to
modify the text of 6 CFR 27.230(a)(12). The majority of commenters,
however, reiterated comments submitted during the 60-day comment period
expressing disagreement with the definition of affected individuals.
Commenters described the definition as a ``new'' CFATS requirement for
escorted facility personnel and inconsistent with congressional intent,
regulatory language contained in CFATS, guidance DHS has issued on RBPS
satisfaction (available at http://www.dhs.gov/xlibrary/assets/chemsec_cfats_riskbased_performance_standards.pdf), and with other
regulatory programs designed to enhance the security of the nation's
critical infrastructure. For example, some commenters mentioned that
the U.S. Coast Guard permits individuals without TWICs to access the
secure areas of MTSA-regulated facilities so long as those individuals
are escorted. Commenters requested additional information as to why the
Department has seemingly crafted new categories of affected individuals
in the context of CFATS.
Response: The text of 6 CFR 27.230(a)(12) identifies who should
appropriately undergo background checks as part of CFATS. The
population of individuals who must be vetted under 6 CFR 27.230(a)(12)
is the same as described in both the 60-day and 30-day notices: (1)
Facility personnel who have or are seeking access (unescorted or
otherwise) to restricted areas or critical assets, and (2) unescorted
visitors who have or are seeking access to restricted areas or critical
assets.\4\ In this response to comments, however, the Department has
clarified that certain populations are not affected individuals.
Specifically: (1) Federal officials that gain unescorted access to
restricted areas or critical assets as part of the performance of their
official duties are not affected individuals; (2) law enforcement
officials at the State or local level that gain unescorted access to
restricted areas or critical assets as part of the performance of their
official duties are not affected individuals; and (3) emergency
responders at the state or local level that gain unescorted access to
restricted areas or critical assets during emergency situations are not
affected individuals.
---------------------------------------------------------------------------
\4\ See footnote 1.
---------------------------------------------------------------------------
Comment: Some commenters suggested that the Department is selecting
only one possible interpretation of 6 CFR 27.230(a)(12). Specifically,
commenters suggested that a plain English interpretation of the text,
``* * * appropriate background checks on and ensure appropriate
credentials * * *'' could mean that sometimes it is appropriate not to
conduct background checks on individuals with access to restricted
areas or critical assets at high-risk chemical facilities.
Response: DHS disagrees with the commenters' interpretation of 6
CFR 27.230(a)(12). That section of CFATS requires that high-risk
chemical facilities perform identity checks, criminal history checks,
legal authorization to work checks, and terrorist ties checks on both
(1) Facility personnel with access (unescorted or otherwise) to
restricted areas or critical assets, and (2) unescorted visitors with
access to restricted areas or critical assets.\5\
---------------------------------------------------------------------------
\5\ See footnote 1.
---------------------------------------------------------------------------
Comment: One commenter representing farmer-owned cooperatives
explained that it is common for farmers to be unescorted in or near
critical assets or restricted areas of high-risk chemical facilities
when picking up products sold by or available from those facilities.
The commenter stated that such a farmer would be seen at various times
by various people throughout such facilities. The commenter requested
clarity as to whether or not such a farmer would be an affected
individual.
Response: The Department emphasizes that each high-risk chemical
facility has the ability to tailor its SSP to meet its unique business
and security needs, including the ability to tailor access control
procedures for restricted areas and critical assets. Each high-risk
chemical facility will need to consider its unique security concerns
when determining which individuals will be afforded access to
restricted areas or critical assets. If a farmer-owned cooperative,
determined by the Department to be a high-risk chemical facility,
decided to establish access controls such that an unescorted individual
had access to restricted areas and critical assets within the high-risk
chemical facility, then that unescorted individual's information would
need to be submitted to the Department.
Comment: A few commenters requested clarity from the Department as
to whether or not the scope of RBPS-12 extended beyond the physical
perimeter of the high-risk chemical facility and potentially impacted
individuals with access to networked computer systems.
Response: If a networked computer system is listed as a restricted
area or critical asset in an approved SSP, then individuals with access
to that networked computer system would be
[[Page 34729]]
affected individuals for purposes of RBPS-12.
(F) DHS Solicited Comments Which Respond to the Statement That a
Federal Law Enforcement Agency May, if Appropriate, Contact the High-
Risk Chemical Facility as a Part of a Law Enforcement Investigation
Into Terrorist Ties of Facility Personnel
Comment: The Department received several comments suggesting that
Federal law enforcement agencies should not be hindered in their
investigatory or anti-terrorism responsibilities. Most commenters
believe, however, that both high-risk chemical facilities and
individuals being vetted against the TSDB should, on a routine basis,
be notified of TSDB vetting results.
Response: It is the policy of the U.S. Government to neither
confirm nor deny an individual's status in the TSDB.
Comment: Several commenters suggested that the policy of not
routinely notifying high-risk chemical facilities of vetting results is
inconsistent with other Federal security vetting programs. One
commenter stated that another Federal background check program provides
notice to the facility and the individual when an individual has or has
not cleared a background check. The commenter further stated that,
``[t]his notice does not reveal to the employer facts that led the
agency to disqualify the employee, but it does allow the employer the
opportunity to immediately, if appropriate, remove the employee from
work functions that would allow the individual to [perform sensitive
work functions].''
Response: Providing a vetting result back to the facility or the
individual being vetted would conflict with the U.S. Government policy
to neither confirm nor deny an individual's status in the TSDB.
Comment: Several commenters requested additional information about
the process and procedures the Federal Government would follow in the
event that a known or suspected terrorist is identified who has or
seeks access to restricted areas or critical assets at a high-risk
chemical facility.
Response: DHS will not routinely notify high-risk chemical
facilities of CFATS Personnel Surety Program vetting results. DHS will
coordinate with Federal law enforcement entities to monitor and/or
prevent situations in which known or suspected terrorists have access
to high-risk chemical facilities. The precise manners in which DHS or
Federal law enforcement entities could contact high-risk chemical
facilities following vetting are beyond the scope of this notice.
Comment: One commenter recommended that the Department collect
information on all employees who have CFATS-related adverse employment
decisions, and make this information (not including personal
identifiers) publically available.
Response: DHS will not collect information on employment decisions
as part of the CFATS Personnel Surety Program.
(G) Respond to the Department's Intention To Collect Information That
Identifies the High-risk Chemical Facilities, Restricted Areas and
Critical Assets to Which Each Affected Individual Has Access
Comment: One commenter supported the Department's intention to
collect information that identifies the high-risk chemical facilities
to which each affected individual has access. Most commenters generally
objected, however, to the Department's intention to collect information
that identifies the high-risk chemical facilities to which each
affected individual has access. One commenter expressed concern that
the ICR indicated that the Department was collecting information about
specific restricted areas or critical assets within each facility.
Response: As part of the Personnel Surety Program the Department
does not intend to collect information that identifies the specific
restricted areas and critical assets within high-risk chemical
facilities to which each affected individual has or is seeking access.
Comment: A common objection made by commenters was that the
Department was creating a tool to track individuals' movement from site
to site, resulting in a program which far exceeds the Department's
stated goal of identifying individuals that have ties to terrorism.
Response: DHS has no intention to and will not track the movement
of affected individuals between and among high-risk chemical
facilities. The Department will only require a high-risk chemical
facility to submit information about an affected individual to the
Department (through CSAT) for the purpose of identifying individuals
with terrorist ties once. A high-risk chemical facility will not need
to submit to DHS information about a single affected individual each
time that affected individual accesses restricted areas or critical
assets.
As mentioned previously in this notice, in accordance with the
proposed submission schedule, high-risk chemical facilities will also
be required to submit updated or corrected information about each
affected individual, and to notify DHS when an affected individual no
longer has or is seeking access to that facility's restricted areas or
critical assets.
Although the Department will not track the movement of affected
individuals between and among high-risk chemical facilities, the
Department will associate an affected individual with the high-risk
chemical facility (or facilities) for which the high-risk chemical
facility Submitter providing that affected individual's information
into CSAT is responsible. In the event that a Submitter enters
information into CSAT on behalf of more than one facility, by default
the Department will associate the affected individual with all of the
facilities for which the Submitter is responsible. A Submitter may,
however, modify the lists of facilities with which particular affected
individuals are associated. The Department may contact the designated
points of contact for particular high-risk chemical facilities for
several reasons, including to identify exactly at which high-risk
chemical facilities particular affected individuals have access to
restricted areas or critical assets.
Comment: Commenters objected to the Department's intention to
collect information that identifies high-risk chemical facilities
because commenters claimed that this would cause the Department to run
the risk of amassing so much information that the information collected
will be meaningless.
Response: The Department disagrees. DHS requires a minimum amount
of information to perform checks to determine if affected individuals
have ties to terrorism, and to identify the facilities to which
affected individuals have access. DHS requires this information in
order to carry out the terrorist ties checks required by CFATS. DHS is
confident that that it can effectively collect and maintain this
information, as appropriate.
Comment: A few commenters reported that during a meeting between
DHS and the Chemical Sector Coordinating Council on April 28, 2010, the
Department stated its intention to collect information that identifies
the high-risk chemical facilities, restricted areas, and critical
assets to which each affected individual has access, and that it would
use this information to conduct analysis and investigations.
Response: DHS met with the Chemical Sector Coordinating Council on
April 28, 2010, and reiterated the Department's intention to collect
information that identifies the high-risk
[[Page 34730]]
chemical facilities to which each affected individual has access. The
Department clarified that in the event that a match to a record in the
TSDB is identified, the Department would be able to quickly identify
the specific chemicals of interest (COI) the match may have access to
and the contact information of the appropriate person at the chemical
facility. This information may prove useful in determining an
appropriate Federal, state, or local response in the event that one is
necessary. The Department emphasizes that there will be no ``tracking''
of affected individuals, nor will DHS collect information on specific
restricted areas or critical assets to which an affected individual has
or is seeking access, as part of the CFATS Personnel Surety Program.
Comment: Several commenters suggested that the Department should
reach out to the facility contact that submitted an individual's
information to determine specifics about the individual's site access
when circumstances warrant.
Response: DHS will collect information about facility points of
contact in case follow-up is necessary.
(H) DHS Solicited Comments Which Respond to the Department's Intention
to Seek an Exception to the Notice Requirement Under 5 CFR
1320.8(b)(3).
Comment: The Department received only a few comments in response to
this question. None of these comments supported the Department's
intention to seek an exception to the notice requirement under 5 CFR
1320.8(b)(3).
Response: The Department carefully reviewed the comments, but
disagrees that an exception to the Paperwork Reduction Act (PRA)
requirement, as contained in 5 CFR 1320.8(b)(3), that requires
information collections to provide certain reasonable notices, will
pose a risk to privacy. Therefore, the Department will request from OMB
an exception for the CFATS Personnel Surety Program to the PRA
requirement, as contained in 5 CFR 1320.8(b)(3), which requires Federal
agencies to confirm that their information collections provide certain
reasonable notices to affected individuals. If this exception is
granted, DHS will be relieved of the potential obligation to require
high-risk chemical facilities to collect signatures or other positive
affirmations of these notices from affected individuals. Whether or not
this exception is granted, DHS will still require high-risk facilities
to affirm that, in accordance with their Site Security Plans, notice
required by the Privacy Act of 1974, 5 U.S.C. 552a, has been given to
affected individuals before their information is submitted to DHS.
The Department's request for an exception to the requirement under
5 CFR 1320.8(b)(3) would not exempt high-risk chemical facilities from
having to adhere to applicable Federal, state, local, or tribal laws,
or to regulations or policies pertaining to the privacy of facility
personnel and the privacy of unescorted visitors.
(I) DHS Also Received Unsolicited Comments in Response to the 30-day
Notice Related to the CFATS Personnel Surety Program
Comment: Several commenters suggested that the CFATS Personnel
Surety Program outlined in the ICR exceeds the Department's statutory
authority, because the proposed CFATS Personnel Surety Program design
conflicts with Section 550. Commenters suggested that the CFATS
Personnel Surety Program's design eliminates a high-risk facility's
flexibility to achieve compliance with RBPS-12. Specifically, the
commenters suggested that the CFATS Personnel Surety Program design
precludes a facility from satisfying RBPS-12 by leveraging measures
other than the CFATS Personnel Surety Program to identify ties to
terrorism, which commenters assert is a possible violation of Section
550.
Response: The CFATS Personnel Surety Program will not exceed the
Department's statutory authority, nor will it violate or conflict with
Section 550. DHS will provide and approve sufficient alternative
methods for facility satisfaction of the terrorism ties background
check portion of RBPS-12. Specifically, the CFATS Personnel Surety
Program will provide several options to high-risk chemical facilities,
including the following options:
Facilities can restrict the numbers and types of persons whom they
allow to access their restricted areas and critical assets, thus
limiting the number of persons who will need to be vetted against the
TSDB. Facilities additionally have wide latitude in how they define
their restricted areas and critical assets in their SSPs, and thus are
able to limit or control the numbers and types of persons requiring
TSDB screening. Facilities can choose to escort visitors to restricted
areas and critical assets in lieu of performing the background checks
required by RBPS-12 on them. Facilities can also submit different
biographic information to DHS through CSAT for affected individuals
holding TWIC, HME, NEXUS, SENTRI, or FAST credentials than for affected
individuals not holding such credentials.
Comment: Many commenters suggested that this ICR is improper
because it makes changes to CFATS and results in de facto rulemaking.
Specifically, commenters suggested that four elements of the CFATS
Personnel Surety Program are changes to CFATS prescribing specific
protocols for administering background checks that take a categorically
different approach than all other TSDB background check programs
currently administered in the United States. Those elements were: (1)
The Department's plan to conduct ``recurrent vetting'' of affected
individuals, thus requiring facilities to notify the Department when a
person no longer has access to restricted areas or critical assets; (2)
the Department's intention to require facilities to submit updates on
an approved schedule whenever an affected individual's information has
changed; (3) the possibility that the Department would not recognize
TSDB vetting results completed by other Federal programs as satisfying
RBPS-12's terrorist ties check requirement; and (4) the Department's
intention to link each affected individual to particular high-risk
chemical facilities.
Response: The ICR, and the associated 60-day and 30-day notices, do
not make changes to CFATS. The ICR and associated notices provide
descriptions of the nature of the CFATS Personnel Surety Program's
information collection, categories of respondents, estimated burden,
and costs. The PRA requires the Department to provide sufficient detail
about how the Department would collect information under the CFATS
Personnel Surety Program to enable the public to provide comment on
that information collection.
Comment: Many commenters suggested that the Department did not
properly account for Executive Order 12866 in issuing the 60- and 30-
day notices preceding this notice. Among other things, Executive Order
12866 directs agencies to assess the effects of Federal regulatory
actions on state, local, and tribal governments, and the private
sector, and to provide qualitative and quantitative assessments of the
anticipated costs and benefits of Federal mandates resulting in annual
expenditures of $100,000,000 or more, including the costs and benefits
to state, local, and tribal governments, and the private sector.
Commenters suggested that the Department carefully consider whether the
CFATS Personnel Surety Program ICR qualifies as a significant
rulemaking such that it is subject to various requirements of Executive
Order 12866.
[[Page 34731]]
Response: The Department disagrees that this information collection
alone will generate expenditures in excess of $100,000,000. The
Department also disagrees that this information collection constitutes
rulemaking. When the Department published CFATS, however, it did
consider CFATS to be a significant rulemaking. Therefore, in compliance
with the requirements of Executive Order 12866, the Department outlined
in the CFATS Regulatory Assessment the assumptions it used to estimate
the costs of CFATS, which included the Department's estimates related
to Personnel Surety in section 6.3.10 of the CFATS Regulatory
Assessment.
Comment: A few commenters suggested that this information
collection will have a significant economic impact on a substantial
number of small entities, which requires the Department to conduct a
Regulatory Flexibility Analysis in accordance with the Regulatory
Flexibility Act (RFA).
Response: The RFA mandates that an agency conduct an analysis when
an agency is required to publish a notice of proposed rulemaking, not
when soliciting comments in preparation of submitting an ICR to OMB for
review and clearance in accordance with the PRA. See 5 U.S.C. 603(a).
The Department concluded in the preamble to the IFR that because
Congress authorized DHS to proceed in promulgating CFATS without the
traditional notice-and-comment required by the Administrative Procedure
Act, the Department was not required to prepare an Initial Regulatory
Flexibility Analysis (IRFA) under the Regulatory Flexibility Act. See
72 FR 17722 (Apr. 9, 2007). Even so, the Department did consider the
impacts of CFATS on small entities. Specifically, the CFATS Regulatory
Assessment contains the Department's analysis of the impacts of CFATS
on small entities. After consideration of the percentage of small
entities that may have to comply with the risk-based performance
standards (which include background checks under the CFATS Personnel
Surety Program) required by CFATS and the compliance costs explained in
the CFATS Regulatory Assessment, the Department determined that CFATS
may have a significant economic impact on a substantial number of small
entities.
Comment: One commenter requested that the Department remove
administrative roadblocks that either complicate the CFATS Personnel
Surety Program or prohibit measures that would simplify and enhance the
CFATS Personnel Surety Program. Specifically, the commenter requested
that the Department allow employees to apply for TWICs, if their
individual jobs require them to have access to restricted areas or
critical assets at high-risk chemical facilities. The commentor
suggested that there is no language in MTSA that expressly prohibits
the use of TWICs at non-maritime facilities.
Response: TWIC's authorizing statute, the Maritime Transportation
Security Act of 2002 (MTSA), as amended, 46 U.S.C. 70101 et seq.,
explicitly applies ``transportation security card'' requirements to:
``individual[s] allowed unescorted access to secure area[s] designated
in * * * [maritime] vessel or [maritime] facility security plan[s]''
(70105(b)(2)(A)); certain MTSA license and permit holders
(70105(b)(2)(B)); maritime vessel pilots (70105(b)(2)(C)); maritime
towing vessel personnel (70105(b)(2)(D)); individuals with access to
certain protected maritime security information (70105(b)(2)(E)); and
certain other individuals (70105(b)(2)(F)-(G)). Further, individuals
are eligible to receive a TWIC unless, among other criteria, they have
committed certain ``disqualifying criminal offense[s],'' or do not meet
certain ``immigration status requirements.'' 49 CFR 1572.5(a)(1)-(2).
The CFATS authorizing statute, however, applies to ``chemical
facilities that * * * present high levels of security risk.''
Department of Homeland Security Appropriations Act of 2007, Pub. L.
109-295, 550 (Oct. 4, 2006). CFATS ``does not apply to facilities
regulated pursuant to the Maritime Transportation Security Act of
2002.'' 6 CFR 27.110(b). CFATS Personnel Surety Program screening
requirements apply only to high-risk chemical facilities' ``personnel,
and as appropriate * * * unescorted visitors with access to restricted
areas or critical assets.'' 6 CFR 27.230(a)(12). Individuals are not
eligible for TWICs solely because they have access to high-risk
chemical facilities covered by CFATS. Accordingly, the CFATS Personnel
Surety Program is not duplicative with the TWIC program in terms of
type of facilities covered or program objectives.
High-risk chemical facilities may, however, choose to leverage TWIC
credentials as part of the identity, legal authorization to work, and
criminal history background checks they perform under CFATS. See 6 CFR
27.230(a)(12)(i)-(iii). The precise manners in which high-risk chemical
facilities could leverage TWIC credentials as part of identity, legal
authorization to work, and criminal history background checks could
vary from facility to facility, and should be described in individual
facilities' SSPs.
Comment: Several commenters suggested that collecting sufficient
information to conduct the background checks required by RBPS-12 might
cause high-risk chemical facilities to violate State privacy laws and/
or the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.
Response: The Department does not agree that participation in the
CFATS Personnel Surety Program will cause high-risk chemical facilities
to violate the Fair Credit Reporting Act. Similarly, the Department
does not agree that participation in the CFATS Personnel Surety Program
will cause high-risk chemical facilities to violate State law.
High-risk chemical facilities may conduct the identity, legal
authorization to work, and criminal history background checks required
by 6 CFR 27.230(a)(12)(i)-(iii) in a variety of ways. Although
identity, legal authorization to work, and criminal history background
checks are not the subject of this notice, the Department believes that
high-risk chemical facilities can structure and carry out these
background checks in compliance with all applicable Federal and state
laws, including the Fair Credit Reporting Act and state privacy laws.
Comment: One commenter stated that screening databases and
watchlists should be publicly accessible to allow for efficient and
consistent background checks. The commenter stated that other U.S. and
partner nation agencies share this information in the public domain,
which allows for regulated entities to engage third-party vendors to
facilitate background screening. The commenter cited specifically
Office of Foreign Assets Control watch lists, which are available to
the public.
Response: The Department does not agree that the TSDB should be
publicly available. The TSDB is the U.S. government's consolidated and
integrated terrorist watchlist, used to identify known or suspected
terrorists, containing sensitive information not appropriate for public
consumption.
The TSDB remains an effective tool in the government's
counterterrorism efforts because its contents are not disclosed. For
example, if it was revealed who was in the TSDB, terrorist
organizations would be able to circumvent the purpose of the terrorist
watchlist by determining in advance which of their members are likely
to be questioned or detained.
Comment: One commenter stated that there is no central database
that covered entities could query to validate that an already-existing
background screening may be on file with the Department.
[[Page 34732]]
Response: DHS agrees that there is currently no central database
that allows the public to determine that an individual has already
undergone screening by the Department.
Comment: One commenter was troubled by the information pertaining
to RBPS-12 contained in Appendix C of the May 2009 Risk-Based
Performance Standards Guidance (http://www.dhs.gov/xlibrary/assets/chemsec_cfats_riskbased_performance_standards.pdf), because the
commenter believes that certain types of measures, procedures,
policies, and plans mentioned in Appendix C are not appropriate for
determining if chemical facility personnel are terrorist threats.
Response: The Department expects high-risk chemical facilities to
implement appropriate security measures to conduct identity, criminal
history, and legal authorization to work background checks. These
security measures can vary from facility to facility commensurate with
facility-specific risks, security issues, and business practices. The
guidance referenced by the commenter (see pages 180 to 186 of the Risk-
Based Performance Standards Guidance), and other guidance addressing
identity, criminal history, and legal authorization to work background
checks, however, is not guidance addressing compliance with 6 CFR
27.230(a)(12)(iv), and as such is not the subject of this notice, nor
is it the subject of the underlying ICR or of the 30- or 60-day notices
preceding this notice.
Comment: One commenter requested that the Department clarify what
appeal or waiver options an affected individual has if his/her employer
takes an adverse employment action against him/her based on RBPS-12
background checks or based on information received or obtained under
the CFATS Personnel Surety Program. The commenter also requested that
the Department prevent high-risk chemical facilities from using
personal information collected from affected individuals as part of
RBPS-12 for purposes other than conducting the background checks
required by RBPS-12.
Response: High risk chemical facilities' employment actions are not
regulated by CFATS.
The ICR the Department will submit to OMB, this notice, the 60-day
notice, and the 30-day notice address the CFATS Personnel Surety
Program, not the identity, legal authorization to work, and criminal
history background checks required by 6 CFR 230(a)(12)(i)-(iii).
Discussion of information collected as part of those other three
background checks, or employment decisions based on them, is beyond the
scope of this notice.
Conclusion
As mentioned in the summary section of this notice, DHS has
submitted an ICR to OMB for review and clearance in accordance with the
Paperwork Reduction Act of 1995. This notice responds to comments
received during the 30-day notice.
Prior to implementation of the CFATS Personnel Surety Program, the
Department will also publish a Privacy Impact Assessment (PIA) about
the CFATS Personnel Surety Program, available on the Department's Web
page at http://www.dhs.gov/privacy and http://www.dhs.gov/chemicalsecurity. The Department will also publish a System of Records
Notice (SORN) for the CFATS Personnel Surety Program, and a Notice of
Proposed Rulemaking proposing to take certain Privacy Act exemptions
for the CFATS Personnel Surety Program System of Records.
The Department will also publish a notice, and/or send notice to
high-risk chemical facilities individually, stating that the CFATS
Personnel Surety Program has been implemented. In that notice, the
Department will include description of how the CFATS Personnel Surety
Program will be implemented, as well as the information submission
schedule high-risk chemical facilities will be required to follow. The
notice will also describe how a high-risk chemical facility can request
a variance from the submission schedule.
Analysis
Agency: Department of Homeland Security, National Protection and
Programs Directorate, Office of Infrastructure Protection,
Infrastructure Security Compliance Division.
Title: CFATS Personnel Surety Program.
Form: DHS Form 11000-29.
OMB Number: 1670-NEW.
Frequency: As required by a DHS-approved schedule.
Affected Public: High-risk chemical facilities as defined in 6 CFR
Part 27, high-risk chemical facility personnel, and as appropriate,
unescorted visitors with access to restricted areas or critical assets.
Number of Respondents: 1,303,700 individuals.
Estimated Time per Respondent: 0.54 hours (32.4 minutes).
Total Burden Hours: 707,200 annual burden hours.
Total Burden Cost (capital/startup): $0.00.
Total Burden Cost (operating/maintaining): $29,704,000.
Signed: June 6, 2011.
David Epperson,
Chief Information Officer, National Protection and Programs
Directorate, Department of Homeland Security.
[FR Doc. 2011-14382 Filed 6-13-11; 8:45 am]
BILLING CODE 9110-9-P