TWIC and DOD

Rich Roth at LinkedIn’s ASIS Supply Chain & Transportation Group pointed me (well, all group members) at an interesting article over at WND.com about the military announcement that it will no longer accept the use of Transportation Workers Identification Credentials (TWIC) for access to DOD systems. The article by Steve Elwart actually refers back to a December 10^th, Federal Register notice (77 FR 73455).

The Background

The summary for that notice states:

“To implement DoD Instruction 8520.2, dated April 1, 2004, SDDC required all commercial accounts accessing transportation systems and applications to use a commercial PKI certificate or Transportation Workers Identification Credential (TWIC). TWIC does not meet DOD security standards and cannot be used as of January 29, 2013.”

In an earlier blog post I noted that the Surface Deployment and Distribution Command (SDDC) would require either a commercial PKI certificate or a TWIC to access SDDC ‘transportation systems and applications’. This notice would revoke the TWIC portion of that earlier Federal Register notice (76 FR 126-127).

The Security Standard

The December notice explains that:

“The DoD PKI office has determined that the Transportation Workers Identification Card [Credential] (TWIC) PKI certificate cannot be used to authenticate users for access to DoD systems. The DoD PKI office has not established a trust relationship with Homeland Security/TSA.”

So apparently DOD has not been able to verify the certificate issued by TSA for the TWIC program (actually four separate certificates)

What is the Real Problem?

Now I don’t think this is the type thing we see in the competition between say Microsoft® and Google®. One would like to think that two different departments in the Federal government that are working hand-in-hand on so many issues could get their IT-Security folks together on sharing PKI certificate information. No, as I wrote in the LinkedIn discussion on this topic, I think there is a more basic problem:

“It sounds like maybe someone found out that there are TWICs out there with fake DHS credentials. Those would be worth good money to truck drivers with some 'bad' convictions on their records who would be ineligeble to receive a legitimate TWIC. Or worth a whole lot more to a terrorist or criminal wanting access to an MTSA facility for some nefarious deed.”

Even this type of issue should be more of a communication issue between the two Departments rather than a real security issue. Unless, of course, someone in DHS refused to accept the DOD complaints about forged PKI certificates. Or, if someone in DHS were trying to cover up the problem and the DOD investigators just got tired of trying to work the issue. Whichever, I doubt that we will ever get the true story behind this.

The Consequences

Of course, the people getting stuck with this whole thing are the ‘unimportant’ people in and around SDDC who come to work every day trying to make sure that the DOD’s material gets to where it is supposed to go. The ones that already had TWICs for other parts of their job (physical access to MTSA covered facilities) so they did not have to pay for their own separate PKI certificate. Now they are going to have to go out and spend their money (before the January 29^th DOD deadline) so that they can continue to access the software and hardware systems they need to do their jobs.

Congressional Action?

With various House committee chairs pushing ISCD to adopt the TWIC as part of the credentialing program for the CFATS program, maybe it is time for them to start asking DOD and TSA program people what the problem is with this PKI certificate problem between TWIC and DOD. If DOD doesn’t trust the security of TWIC information, why should a chemical plant owner or even the operator of an MTSA covered facility where TWIC use is mandated by DHS.

Will it happen? Not soon; too much financial stuff going on and not enough interest in security. Congress won’t pay attention until there is a significant security event that is directly and clearly linked to the PKC certificate issues. Then there will be a clarion call for action by DOD and DHS and a demand for heads to roll.