Wednesday, April 20, 2011

GAO Report on TWIC Mail Delivery

Thanks to John C.W. Bennett over at the Maritime Transportation and Security News and Views for pointing out that the GAO had prepared a report to Congress regarding their evaluation of the various delivery options for getting Transportation Workers Identification Credentials (TWIC) into the hands of the registered transportation workers. This report was mandated by §818(b)(1) of the Coast Guard Authorization Act of 2010 in response to concerns about the cost to workers to travel to a limited number of TWIC issuance facilities to pick-up and activate their cards.

This report will have some potential bearing on possible consideration of HR 1143, the TWIC Delivery Act of 2011, which would mandate the establishment of a program for TWIC delivery by U.S. Mail to any applicant that resided more than 100 miles from a transportation security card enrollment center.

Currently a TWIC applicant must go to one of a limited number of enrollment centers to apply for a TWIC because part of the application process is providing fingerprints and a photo that would be electronically imbedded in the card. Once the background check is successfully completed and the individual’s card is produced the individual must come back to an enrollment center to pick-up and activate the card. As part of this process the individual’s finger prints are verified and a pin number is selected allowing the TWIC to be used as part of a two-factor identification process.

If the TWIC was an integral part of an electronic identification verification system, mailing the card to the individual would not be a problem as long as the individual had to go to an approved location to activate the card. Unfortunately, there is not yet a program in place to require the use of an electronic reader with the TWIC due to delays in the testing program for TWIC Readers. The draft rule for this requirement is expected this fall.

Without the use of a TWIC Reader as part of the identification process the TWIC is just another picture ID to be flashed at a guard as part of an entry procedure at a secure MTSA facility. The concern is that the mailing of the TWIC to the authorized user could allow for the interception or diversion of these cards which could then be used to gain unauthorized access to these facilities.

The GAO report is a good summary of the issues of the current debate, but it provides no data useful for resolving the debate. It does not even provide a suggested methodology for evaluating the information provided. So we are left with a political debate about making things easier for workers vs the maintenance of strict security standards.

Future Debate

Once TWIC Readers become part of the identification process, this debate will shift as a mail-delivered would still need to be activated before it could be used to gain access to a secure facility. The debate will then be about the use of alternative activation methods other than going to one of the limited number of enrollment centers.

A further complicating factor in this debate could arise when the folks at ISCD release their personnel surety program for CFATS facilities. Many people have suggested that the use of a TWIC would be a preferable method of allowing access to CFATS facilities. This could greatly increase the number of TWIC applications that are processed, with a large number of these new applicants living far from the current enrollment facilities.

1 comment:

John C.W. Bennett said...

PJ,

Regarding your next-to-last paragraph, I’m not so sure that the debate would shift to alternate means of TWIC activation. I don’t think the Congressional types who advocate mailing TWICs are knowledgeable about the distinction between delivery and activation. I suspect they think that a TWIC is ready to go as soon as it’s delivered. If they were to realize TWICs need to be activated, the debate would still be over worker convenience versus security. Those still in favor of convenience for their constituents would simply want to see activated TWICs delivered by mail. Secondly, if the main points of the Coast Guard ANPRM on TWIC readers make it into the Final Rule, a lot of facilities (although probably not most chemical facilities) will still be using TWICs as flash passes most of the time. In this situation, mailing even unactivated TWICs will continue to present a significant security risk. Ironically, mailing TWICs might not be that great a convenience. The GAO Report identifies a problem involving mail sent to people who have moved (and I suspect that the maritime population is more prone to frequent moves than most). Think of the inconvenience of not having a TWIC because it was bouncing around in the mail system, trying to catch up with you (assuming you left a forwarding address).

As to use of TWICs in non-maritime CFATS facilities (your last paragraph), TSA’s TWIC Program Manager briefed the National Maritime Security Advisory Committee last Tuesday on the status of the TWIC Pilot Program. In response to a question about allowing non-maritime employees of cross-modal operators to obtain TWICs so that the cross-modal operators could have a single identification system, he was less than enthusiastic. His lack of enthusiasm for issuing TWICs to these transportation workers seemed to me to involve more than just his specific answer that it would require a regulatory change. If that’s the attitude of TSA generally, they’d likely be even less in favor of providing TWICs to non-transportation workers. Not to say that the higher ups in DHS couldn’t impose it on TSA.

Regards,
JCWB

 
/* Use this with templates/template-twocol.html */