PIA_DHS-NPPD-PIA-018(c)

Privacy Impact Assessment Update
for the

Chemical Facility Anti-Terrorism
Standards (CFATS) Personnel Surety
Program
DHS/NPPD/PIA-018(c)
May 11, 2017
Contact Point
Amy Graydon
Acting Director, Infrastructure Security Compliance Division
Office of Infrastructure Protection, National Protection and
Programs Directorate
(703) 603-4662
Reviewing Official
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update
DHS/NPPD/PIA-018(c) CFATS Personnel Surety Program Update
Page 1

Abstract
The Department of Homeland Security (DHS) National Protection and Programs
Directorate (NPPD) is updating the Chemical Facility Anti-Terrorism Standards (CFATS)
Personnel Surety Program’s Privacy Impact Assessment (PIA) in order to maintain the utmost
transparency to the public when it comes to the data collected under the program. This PIA Update
examines the potential privacy risk resulting from the Department’s implementation of an
enhanced risk-based tiering methodology under the CFATS program.

Overview
This PIA Update is being conducted to examine potential privacy risks associated with the
implementation of an enhanced risk-based tiering methodology under the Chemical Facility AntiTerrorism Standards (CFATS) program.
CFATS Program Overview
Under the CFATS program, chemical facilities of interest are required to complete and
submit a Top-Screen questionnaire 1 if the chemical facility of interest maintains and/or possesses
any chemicals of interest 2 at or above a screening threshold quantity. If it is determined, based
upon the Top-Screen information, that a chemical facility of interest presents a high level of
security risk, DHS will notify the covered chemical facility of the determination and advise the
covered chemical facility of its placement in a risk-based tiering system (i.e., Tier 1, 2, 3, or 4). 3
Covered chemical facilities determined to be high-risk must submit a Security Vulnerability
Assessment (SVA), as well as a Site Security Plan (SSP) or Alternative Security Program (ASP)
for DHS approval. In addition, high-risk chemical facilities are obligated to resubmit Top-Screen
information on a recurring basis. The Top-Screen information resubmission intervals vary and are
dependent upon the risk level at which the facility has been categorized (among other factors). 4
CFATS Personnel Surety Program Overview
To be approved by the Department, a covered chemical facility’s SSP/ASP must include
security measures designed to satisfy 18 Risk Based Performance Standards (RBPS), including
RBPS-12(iv), which mandates the implementation of “measures designed to identify people with
1

The Top-Screen is an on-line questionnaire, available through the Chemical Security Assessment Tool (CSAT),
and is completed by any facility that possesses chemicals identified on the CFATS Appendix A: DHS Chemical of
Interest List. Further information can be found in the Chemical Security Assessment Tool (CSAT) 2.0 Top-Screen
Instructions, available at https://www.dhs.gov/sites/default/files/publications/csat-top-screen-instructions508v2.0.12.pdf.
2
See CFATS Appendix A: DHS Chemicals of Interest List available at,
https://www.dhs.gov/sites/default/files/publications/appendix-a-to-part-27-508.pdf.
3
There are four risk-based tiers, ranging from highest risk at Tier 1 to lowest risk at Tier 4.
4
See Implementation of Exemptions; DHS/NPPD-002 Chemical Facility Anti-Terrorism Standards Personnel
Surety Program System of Records, 79 FR 29072 (May 21, 2014), available at https://www.gpo.gov/fdsys/pkg/FR2014-05-21/html/2014-11433.htm.

Privacy Impact Assessment Update
DHS/NPPD/PIA-018(c) CFATS Personnel Surety Program Update
Page 2

terrorist ties.” 5 As described in the program’s implementation notice (80 FR 79058), the
Department is implementing the CFATS Personnel Surety Program in phases and is currently
limiting the program to only high-risk chemical facilities designated at the two highest risk tiers
(Tier 1 and Tier 2).
For Tier 1 and Tier 2 covered chemical facilities, DHS has implemented the CFATS
Personnel Surety Program to permit covered chemical facilities to comply with RBPS-12(iv) by
employing one or more of four suggested methods: (1) Comparison of affected individuals’6
personally identifiable information (PII) against the Terrorist Screening Database (TSDB); (2)
Confirmation of affected individuals’ participation in another DHS vetting program; (3) Use of an
electronic Transportation Worker Identification Credential reader by the covered chemical facility;
and (4) Visual verification of affected individuals’ documents or credentials issued by a federal
screening program. Because the CFATS Personnel Surety Program is non-prescriptive, chemical
facilities may propose alternative methods to comply with RBPS-12(iv). If a facility opts to use
Option 1 or Option 2, the facility submits information about the affected individual to the
Department electronically via the Chemical Security Assessment Tool (CSAT) Personnel Surety
Program Application. The Department then uses the information submitted under Option 1 to
recurrently vet the affected individuals against the TSDB. The Department uses the information
submitted under Option 2 to verify that the affected individual is currently enrolled in another DHS
program that conducts equivalent TSDB vetting.
The CFATS Act of 2014
The Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014,
commonly referred to as the CFATS Act of 2014, prohibits the Department from requiring a
covered chemical facility to notify the Department when an affected individual no longer has
access to the restricted areas or critical assets of a high-risk chemical facility. 7 Though the
Department strongly encourages high-risk chemical facilities to provide notification when an
affected individual no longer has access to a covered facility’s restricted areas or critical assets,
under Option 1 and Option 2 such notification is not required. If a high-risk chemical facility is
either unable or unwilling to notify the Department when an affected individual no longer has

5

See 6 CFR § 27.230(a)(12)(iv).
Affected individuals are individuals that are subject to screening for terrorist ties under the CFATS program. These
individuals are: (1) facility personnel who have or are seeking access, either unescorted or otherwise, to restricted
areas or critical assets; or (2) unescorted visitors who have or are seeking access to restricted areas or critical assets.
Individual high-risk facilities may choose to classify contractors as either “facility personnel” or “visitors.” This is a
facility-specific determination and is based on individual facility security protocols, operational requirements, and
business practices.
7
See DHS/NPPD/PIA-018(b) Chemical Facilities and Anti-Terrorism Standards Personnel Surety Program,
available at https://www.dhs.gov/sites/default/files/publications/privacy-pia-nppd-cfatsps-november2015.pdf, for
more information on how the CFATS Act of 2014 impacts the CFATS Personnel Surety Program.
6

Privacy Impact Assessment Update
DHS/NPPD/PIA-018(c) CFATS Personnel Surety Program Update
Page 3

access to restricted areas or critical assets, the affected individual may contact the Department
directly as described in the CFATS Personnel Surety Program Privacy Impact Assessment. 8

Reason for the PIA Update
The Department recently launched an enhanced risk assessment and tiering methodology
under the CFATS program. As part of this enhancement, DHS is requiring certain chemical
facilities of interest, tiered and un-tiered, to submit updated Top-Screen questionnaires (81 FR
47001). The Department will then re-tier facilities under the enhanced methodology using the
updated information provided by the facilities. This could result in a currently covered chemical
facility being: (1) re-affirmed in its existing tier, (2) designated into a different tier, or (3)
designated as no longer high-risk.
For the purposes of clarity and transparency, the Department will be taking the following
actions with regard to records pertaining to affected individuals that have been properly collected
from Tier 1 or Tier 2 covered chemical facilities:
1) When a Tier 1 or Tier 2 covered chemical facility continues to be a Tier 1 or Tier 2 covered
chemical facility, the submitted records about affected individuals will be unaffected. The
Tier 1 or Tier 2 covered chemical facility will continue to be required to submit records
about affected individuals in accordance with their approved or authorized SSP or ASP.
2) When a Tier 1 or Tier 2 covered chemical facility is re-tiered as a Tier 3 or Tier 4 covered
chemical facility, the submitted records about affected individuals will continue to be
vetted by the Department until the covered chemical facility updates the record to indicate
the affected individuals no longer have access. If a CFATS covered chemical facility is
unable or unwilling to update their records and affected individuals no longer have access
to a CFATS Tier 1 or Tier 2 covered chemical facility, the affected individuals may contact
the Department for assistance in updating their record to indicate that they no longer have
access. Once the Department confirms that the individuals no longer have are seeking
access to a CFATS Tier 1 or Tier 2 covered facility, the individuals’ information will be
removed in accordance with the CFATS Personnel Surety records retention schedule.
3) When a Tier 1 or Tier 2 covered chemical facility is tiered out of the CFATS program, the
submitted records about affected individuals will be processed for removal in accordance
with the records retention schedule described in the CFATS Personnel Surety Program
System of Records Notice (SORN). 9 A Tier 1 or Tier 2 covered chemical facility re-tiered
to a Tier 3 or Tier 4 covered chemical facility may no longer submit records about affected
individuals.
8

See DHS/NPPD/PIA-018 Chemical Facilities and Anti-Terrorism Standards Personnel Surety Program, available
at https://www.dhs.gov/sites/default/files/publications/privacy-pia-nppd-cfats-2011.pdf.
9
See DHS/NPPD-002 – Chemical Facility Anti-Terrorism Standards Personnel Surety Program System of Records,
79 FR 28752 (May 19, 2014), available at https://www.gpo.gov/fdsys/pkg/FR-2014-05-19/html/2014-11431.htm.

Privacy Impact Assessment Update
DHS/NPPD/PIA-018(c) CFATS Personnel Surety Program Update
Page 4

Privacy Impact Analysis
Authorities and Other Requirements
There have been no changes to the program’s authorities since the previous PIA Update,
published on November 10, 2015. The Protecting and Securing Chemical Facilities from Terrorist
Attacks Act of 2014 (December 18, 2014), amends the Homeland Security Act of 2002 to
reauthorize the CFATS program and authorizes the program for four years.
Characterization of the Information
There have been no changes to the characterization of the information since the previous
PIA Update, published on November 10, 2015. The program collects biographic information, such
as name, date of birth, citizenship, and gender or unique credential information (required); and
optional information such as aliases, place of birth, or Redress Number.
Uses of the Information
There have been no changes to the uses of the information since the previous PIA Update,
published on November 10, 2015. DHS will use the PII collected to identify individuals with
terrorist ties by comparing affected individuals against information maintained in the TSDB. The
PII collected by DHS may be used to facilitate operational, law enforcement, or intelligence
responses, if appropriate, when affected individuals’ identities match identities contained in the
TSDB.
Notice
There have been no changes to the methods by which the Department notifies facilities or
individuals about information being collected under the CFATS Personnel Surety Program. This
PIA Update is being published only to maintain the utmost transparency as the Department
implements the updated re-tiering methodology.
Privacy Risk: The Department recognizes that an affected individual’s awareness about
how his or her information is managed, largely because the Department regulates facilities and
not affected individuals, continues to pose risk to transparency. While this risk is not new, the
Department is now confronted with the challenge of communicating to affected individuals how
it will manage their records as a result of the re-tiering process.
Mitigation: This risk is partially mitigated. The CFATS Act of 2014 precludes the
Department from requiring that high-risk chemical facilities update records about affected
individuals in the CSAT Personnel Surety Application. As a result, notice and transparency
continue to be the Department’s most valuable tools for encouraging the maintenance of accurate
and relevant information under the Personnel Surety Program. Included below are some past and
present actions taken by the Department in an effort to mitigate risk using notice and transparency.

Privacy Impact Assessment Update
DHS/NPPD/PIA-018(c) CFATS Personnel Surety Program Update
Page 5

The Department has worked in the past to mitigate the potential privacy risks by
encouraging owners and operators of covered chemical facilities to update records in CSAT.
Additionally, the Department has employed publicly available program documentation,
particularly the Privacy Impact Assessment and subsequent updates, to provide notice to the public
of the potential privacy risks associated with the Personnel Surety Program.
As the re-tiering process for facilities begins under the enhanced methodology, the
Department is issuing communications to facilities that have been re-tiered, advising them that
they may voluntarily update their records in CSAT. Updated and accurate records in CSAT may
help to alleviate privacy concerns as well as limit costs incurred by the Department by reducing
the number of individuals being unnecessarily vetted against the TSDB.
Additionally, the Department is issuing this update to DHS/NPPD/PIA-018 Chemical
Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program (May 4, 2011), to provide
transparency to the Department’s intentions on how to handle records about affected individuals
collected under the CFATS Personnel Surety Program.
Data Retention by the project
There have been no changes to data retention practices since the original PIA, published
on May 4, 2011. NPPD will retain the biographic information, as well as the results of TSDB
vetting. NPPD may also retain records or information collected from other sources in the event
that an individual is determined to be a positive match to a TSDB record.
Information Sharing
There have been no changes to information sharing practices since the previous PIA
Update, published on November 10, 2015. PII will be shared internally with authorized individuals
within DHS who have a need to know the information to perform their official duties, as well as
externally in accordance with the routine uses listed in the CFATS Personnel Surety Program
System of Records Notice (SORN).
Redress
The procedures for accessing and/or correcting information have not changed and can be
found in the original CFATS Personnel Surety Program PIA, published on May 4, 2011, or in
DHS/NPPD-002 CFATS Personnel Surety Program System of Records.

Privacy Impact Assessment Update
DHS/NPPD/PIA-018(c) CFATS Personnel Surety Program Update
Page 6

Auditing and Accountability
There have been no changes to auditing or accountability procedures since the previous
PIA Update, published on November 10, 2015. Established security controls are in place to limit
access based on user roles and responsibilities, need to know, least privilege, and separation of duties.

Responsible Official
Amy Graydon
Acting Director, Infrastructure Security Compliance Division
Office of Infrastructure Protection, National Protection and Programs Directorate
Department of Homeland Security

Approval Signature
Original signed and on file with the DHS Privacy Office.
________________________________
Jonathan R. Cantor,
Acting Chief Privacy Officer,
Department of Homeland Security.