Limiting the use of Transportation Worker Identification Credential (TWIC) smart cards and readers will create significant security vulnerabilities in our maritime infrastructure, the Smart Card Alliance Access Control Council said in comments submitted this week to the U.S. Coast Guard.
The Smart Card Alliance’s comments referred to the Coast Guard’s Transportation Worker Identification Credential (TWIC) Reader Requirements Notice of Proposed Rulemaking (NPRM). The rulemaking proposes limiting the use of tamper-resistant, biometrically-enabled TWIC smart cards and readers, and proposes relying on visual inspection of TWIC cards as the primary security protocol for 95% of the maritime user population.
Today, more than 2.4 million cleared maritime workers have a TWIC card, which was issued in response to the Maritime Transportation Security Act of 2002 (MTSA). When used in conjunction with an electronic reader, the TWIC smart card can establish: that it is a valid card issued by TSA and not a forgery; that the card has not expired; that the card has not been revoked by TSA for cause; and that the person presenting the card is the same person to whom the card was issued.
“The use of TWIC cards in conjunction with TWIC readers can prevent potential terrorists or other adversaries from obtaining unescorted access to secure areas of maritime facilities and vessels,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “We do not believe that visual inspection meets the security objectives intended by Congress in the MTSA and think that a reliance on visual inspection will make it relatively easy to breach the perimeter of a facility or vessel by presenting a fake, stolen or borrowed TWIC card. Therefore, we strongly recommend that the Coast Guard expand the scope of the proposed regulation.”
The Smart Card Alliance Access Control Council made the following recommendations to the U.S. Coast Guard in its comments:
• Expand the scope of the proposed regulation to make the use of TWIC card readers mandatory for a majority of the facilities and vessels currently identified in Risk Group B.
• Require transaction logs when visual inspection is used and when any non-automated exception situation is encountered (such as escorted visitors, recurring unescorted access).
• Conduct a new reader cost analysis using more current information that is representative of today’s TWIC reader products.
• Require maritime operators to download the latest version of the CCL every 12 hours regardless of MARSEC (maritime security) level.
• Correct the statement on Page 17787 of the NPRM: “TWIC readers will not help identify valid cards that were obtained via fraudulent means, e.g., through unreported theft or the use of fraudulent IDs.” TWIC readers can identify cards that were obtained through unreported theft of the TWIC card by performing biometric verification of the cardholder.
• Require the use of readers at large general cargo container terminals in both Risk Groups A and B or reclassify them into Risk Group A.
• Require vessels at sea to update the CCL under certain circumstances for security.