See notes below:
TWIC Round Table
Steve Lord, GAO: Their goal is try to make TWIC work better over time. This is the guy responsible for the TWIC GAO report, GAO-11-657. The goals of TWIC includes the positively identification of people for unescorted access to secure areas. That people continue to maintain their eligibility.
Bottom line in weaknesses:
Enrollment and background checking and use could have contributed to the breach of MTSA regulated facilities
- The potential to use counterfeit identity documents at enrollment. GAO also manufactured their own “fake TWIC” which was used to gain entrance to ports.
- 27% of TWIC holders have a criminal record. Who should be getting a TWIC?
- Investigators were successful at gaining unescorted access using
- Counterfeit TWICs
- Authentic TWICs acquired through fraudulent means
- False business purposes to be in a secure area
- There were internal control weaknesses. Need a broader internal control study.
- DHS concurred with the GAO report and all the recommendations. DHS has established a working group to develop and implement solutions to GAO’s recommendations
TWIC has not been assessed to see if it is measurably addressing the effectiveness in enhancing security. They also looked at how the USCG uses TWIC to assess the compliance of ports in using the identification system.
John Schwartz, TSA, TWIC Program Manager: Approaching 2M applicants. 38K applications have been denied. The basis for denying a TWIC is, “Does this person pose a threat?”
Some benefits already from the program. There has been an identification of the ID of personnel. They work closely with law enforcement to investigate applications that don’t look right. TWIC is a common credential that establishes a single standard.
Reference the GAO Audit. They are in agreement and looking at their internal controls. [Certainly the contractor process for issuing TWIC.] They want to benchmark against what other credentialing systems are doing. The cost of the individual cards is something that comes up a great deal. TSA is looking to have a more secure program. The Secretary DHS has a personal staff member working with the TSA on TWIC.
Some changes being made already. Nothing specific was provided. TSA will need to make periodic reports to GAO and Congress.
LCDR Greg Callaghan, TWIC Implementation Branch, gregory.a.callaghan@uscg.mil, 202-372-1168: There is a focus on more of a visual inspection of the credential. Home Port has guidance instructions, more on the secure side of the site.
USCG has rolled out their own handheld readers. They are using these in all port areas. Looking at credentials on the seas and portside. 250 mobile readers are in the field.
Vigilance message of TWIC is the visual identification check. TWIC Reader NPRM is still being worked. No date for the release. Expect it to come after the report to Congress. [It was expected in December, but they are not sure that date will hold firm due to more stringent processes for rule making.]
There were 13 TWIC Provisions in the CG Authorization Act.
What about the renewal of expiring cards? There are tens of thousands to be reenrolled. “Workers will need to reenroll to keep their credentials current. The contractors will need to ramp up to meet the demand. As they move forward TSA will be putting out another contract for Universal Enrollment Services that will cover hazmat, etc. This is supposed to be in place by next summer.” [I can’t believe this will be a smooth operation if past history is any indication of future success.]
TWIC Implementation – Issues and Challenges
Port of Los Angeles TWIC Field Test. Unisys presentation on their work there in LA. Objectives were to:
- Conduct field test
- Facilitate and ease the participation by the terminals
- Use sustainable solutions that will last beyond the Field Test
Approach:
- Analysis and design activities
- Solutions were designed to be comprehensive, covering all entry points at terminals
Results:
- 200K TWIC cards read and counting
- Terminal operators using TWIC readers on a fulltime basis. 2-3 terminals continuing to use
- Some negative impacts—not specified.
Challenges:
- Facility management of project scope and prioritization.
- Acceptance/buy-in and participation at facilities by all stakeholders including truckers, union labor, and others
- Communicating the policy, process and technology complexities of TWIC to both stakeholders and facility personnel
- Training and learning cure required for both guards and users
- Some poorly performing or broken TWIC cards
- Immaturity of TWIC technologies and the PACS mindset of installers
Successes:
- Facilities both large and small and various types can successfully operate using TWIC technology
- There are potential benefits to operations:
- Replaced existing access control system
Recommendations:
- Structure TWIC compliance and implementation as a Program, not just a project for the FSO or IT Department
- Implication for Security , Operations, IT, Labor Relations and others
- Identify responsibilities of each organization for both implementation and the steady-state operation
- Balance people, technology policy and processes
- Design with flexibility in mind so that your solution supports how you operate
- Leverage TWIC as a component of your overall security and safety program, video, etc.
- Communication internally and externally
- Do not underestimate the learning curve for users
- Use signage with pictures and secondary languages in advance
- Plan training to cover TWIC policies, processes and technology with security guards and others
- Understand the ongoing needs and responsibilities of operating under TWIC
- Simply hanging the TWIC reader up is not the end of the process
Keith O. Palmer, L-3:
Is TWIC a card or a system? It is credentials as part of the access control system. The person holding the card has been vetted. TWIC is being implemented, good, bad or otherwise.
Are ports required to wait until the TWIC pilots are completed to design and implement a PACS? No, voluntary use of TWIC readers is possible
Is the TSA list of TWIC readers (ICE) been finalized? Not yet, maybe never. Readers and reader software will come and go.
Will access control hardware and software manufacturer guarantee TWIC compliance?
Define and understand the operational requirements for the TWIC PACS. Write, verify and validate the Access Control Concept of Operations for each entry point. E.g. if the TWIC is valid, is the worker enrolled in the system, if not enrolled then what? The system only does the electronic part of the access. The entire process needs to be documented.
Other questions:
Fixed or portable readers, or both?
If both, how do they confirm entry request against canceled card list?
How does the TWIC PACS handle visitors?
Terry Hayes, Project Management, Stockton, CA: Presented a Big Picture view of TWIC Implementation and Systems Integration. The TWIC card is only a piece of the process. Sustainability is key. Systems integration is the important part of the equation.
Installation of the TWIC readers and the connectivity needed is only one element. Get the operational aspects in place. Training was emphasized again. TWIC is a one way street, if it doesn’t work, then what? No entry! Keeping commerce flowing is an important aspect.
Best approach is a portfolio approach:
- End to end
- Holistic
- Vendor agnostic
- Integrated
Objectives:
- Optimal mix and sequencing
- Relationship integration
- Standardization
- Process improvement
- Operational efficiencies
- Acceptance
Port of Stockton:
Six months and five Contracts awarded worth $9.5M Their goal is to be a Tier 1 Security Status and a proved track record as a good steward of the public’s dollars.
Q&A:
Remote access with a TWIC Reader means you have a camera and intercom. Only previously authenticated people are being allowed.
Will TWIC readers hold up the truck line? Even with the most stringent authentication checks it should be able to happen in less than a minute. Readers now support either contact or contactless interfaces, or both.
What about maintenance issues with a contact reader? There are benefits and limitations. Vandalism can be an issue.
What about multi-passenger issues? This is where your operational procedures come into play.
[I think the development of procedures will need to be done in close cooperation with your local USCG Sector. Don’t wait and submit them when they are done. Have the USCG participate with you.]
What about regional databases for pre-registration of truckers? There are a lot of complexities with regional data bases. The issue is not the technology, but a process. The issue of having truckers register at each terminal becomes complex. In Canada some trucking companies went out of business because they could not meet the security requirements from the government.
