Chemical Security Group

MTSA

Transportation Worker Identification Credential (TWIC)

TWIC Reader Requirements

 

After reviewing public comments received in response to the March 2013 TWIC Reader Notice of Proposed Rulemaking (NPRM) and other relevant issues, the U.S. Coast Guard issued the TWIC Reader Final Rule on August 23, 2016. The Final Rule requires certain Maritime Transportation Security Act (MTSA)-regulated facilities, which have been determined to present a heightened risk of a Transportation Security Incident (TSI), to conduct electronic TWIC inspections. The effective date of the Final Rule is August 23, 2018, providing facilities two (2) years to comply with the electronic TWIC inspection requirements.

 

Applicability

 

In order to determine those MTSA-regulated facilities which present a heightened risk of a TSI, the Coast Guard conducted a risk-based analysis using the following three factors: (1) maximum consequences to the facility resulting from a terrorist attack; (2) criticality to national health, economy, and national security; and (3) utility of the TWIC in reducing risk. Combining the three factors, the Coast Guard developed an overall risk-ranking and identified the following categories of “Risk Group A” facilities as those with a heightened risk of a TSI:
  • Facilities that handle Certain Dangerous Cargo (CDC) in bulk; and
  • Facilities that receive vessels certificated to carry more than 1,000 passengers.
Electronic TWIC inspections will only be required at facilities classified in Risk Group A. Importantly, the Coast Guard indicates in the preamble discussion to the Final Rule that Risk Group A facilities are not limited to those that transfer CDC in bulk over the dock – but also include those that transfer CDC in bulk through rail or other non-maritime means. This is a departure from previous Coast Guard guidance which defined “CDC Facilities” as only those which transferred CDC over the dock.

 

Electronic TWIC Inspection Requirements

 

At Risk Group A facilities, all persons must pass an electronic TWIC inspection before being granted unescorted access to a secure area prior to each entry. The electronic TWIC inspection must include the following elements:
  1. Card Authentication – The TWIC must be authenticated using the card authentication private key stored in the TWIC.
  2. Card Validity Check – The TWIC must be checked against TSA’s list of cancelled TWICs to ensure that the TWIC has not expired.
  3. Identity Verification – The biometric template stored on the TWIC (i.e., fingerprint) must be matched to the TWIC holder’s scanned fingerprint.

Electronic TWIC Reader Options

 

The Final Rule provides additional flexibility with regard to the use of electronic readers. Instead of requiring the use of a TWIC reader on the Transportation Security Administration’s (TSA’s) Qualified Technology List (QTL), facilities can choose to fully integrate electronic TWIC inspection and biometric (i.e., fingerprint) matching into a new or existing Physical Access Control System (PACS). The table below outlines the different equipment options a facility may use to perform electronic TWIC inspections:

 

Options
Description
TWIC Reader (QTL)
Facility uses a TWIC reader listed on TSA’s QTL. To gain entry to a secure area, the individual presents TWIC and biometric for electronic inspection.
TWIC Reader (Non-QTL)
Facility uses a TWIC reader that adequately performs the three required electronic checks (card authentication, card validity check, identity verification). To gain entry to a secure area, the individual presents TWIC and biometric for electronic inspection.
Transparent Reader
Similar to non-QTL TWIC reader, except the Transparent Reader does not independently perform card validation, card authentication, and identity verification. Instead, the Transparent Reader transmits information from the individual’s TWIC and biometric to a back end system containing software that performs the TWIC check. Once the TWIC check is complete, the back end system performs the processes required to either grant or deny access.
PACS
(With Facility Access Card)
Individual is issued a facility access card after initially registering his or her TWIC and biometric into the facility’s access control database. To gain entry to a secure area, the individual presents facility access card and biometric for electronic inspection to match against his or her record in the facility’s database.
PACS
(With Biometric Only)
Individual’s TWIC and biometric are initially registered into the facility’s access control database. To gain entry to a secure area, the individual presents biometric (e.g., fingerprint) for electronic inspection to match against his or her record in the facility’s database.

 

Recordkeeping

 

Facilities in Risk Group A will be required to maintain records of each individual who is granted unescorted access to a secure area for at least two (2) years – and make those records available to the Coast Guard upon request. Each record must include the following: (1) Federal Agency Smart Credential-Number (FASC-N); (2) date and time the unescorted access was granted; (3) and, if captured, the name of the individual to whom access was granted. Facilities must also maintain documentation to demonstrate that they have updated the CCL associated with their TWIC reader or PACS at the required frequency (i.e., at least every 7 days at MARSEC Level 1). These records are considered Sensitive Security Information (SSI) and must be protected accordingly.