News

Risk-Informed Analysis of Transportation Worker Identification Credential Reader Requirements

The RAND Corporation published its long-awaited assessment of the Transportation Worker Identification Credential (TWIC) Reader Rule. The purpose of the assessment is to further consider the costs versus benefits of the TWIC Reader Rule, including the scope of affected facilities.

As an initial matter, RAND has concluded:

  • Between 471 and 711 Maritime Transportation Security Act–regulated facilities handle Certain Dangerous Cargo (CDC) in bulk and are therefore likely to be subject to the reader rule delay.
  • Among the facilities observed to handle CDCs, anhydrous ammonia was the most common CDC, although many facilities handle more than one type of CDC.
  • The consequence distribution of facilities that handle CDCs in bulk was highly skewed (i.e., many facilities with relatively low consequences and few facilities with extremely high consequences).
  • The TWIC reader rule would have to avert a Transportation Security Incident (TSI) approximately every 60 to 90 years, at a minimum, to be cost-effective.
  • Although the final reader rule is potentially cost-effective even in its current form, reasons exist to consider a more-targeted approach that excludes low-quantity or low–population density facilities, or both. Under hypothetical regulatory options, a more-targeted approach affecting only higher-consequence facilities would need to avert only one TSI approximately every 200 to 600 years to be cost-effective.
  • The decision to use a wide net or a more-targeted approach could depend largely on policymakers’ preferences and relative risk tolerance considering trade-offs among several competing factors.

https://www.rand.org/pubs/research_reports/RRA1687-1.html

Reduced Cost for Online TWIC Renewal

In August 2022, the Transportation Security Administration (TSA) implemented an online renewal process for Transportation Worker Identification Credential (TWIC) applicants. This new capability permits eligible applicants to renew their TWIC online without visiting a TSA enrollment center. With the implementation of this capability, TSA reduced the cost for TWIC renewals completed through the new online process.

Effective November 3, 2022, the fee for an online TWIC renewal was reduced to $117.25. The fee for new enrollments and in-person renewals will remain $125.25.

Online TWIC Renewal Program

On August 11, 2022, the Transportation Security Administration (TSA) began allowing most current TWIC holders to renew their credentials online without needing to visit an enrollment center. TSA believes that this change will make renewal faster and more convenient for most TWIC holders, since nearly 60% of TWIC holders renew their card every five years. Current TWIC card holders may renew their TWIC card online up to one year prior to the expiration date printed on their card and up to one year after their card expires. To be eligible for online renewal, the TWIC card holder must be a U.S. citizen, U.S. national, or a lawful permanent resident.

For more information regarding the TWIC renewal process or to renew your TWIC online, visit the TSA Universal Enroll website.

New TSA Pipeline Security Directive

On Friday, July 23, 2022, the Transportation Security Administration (TSA) issued Security Directive Pipeline 2021-02C (SD-02C). SD-02C has three main components and takes effect on July 27, 2022.

SD-02C focuses on performance-based – rather than prescriptive – measures to achieve TSA’s identified cybersecurity outcomes (i.e., TSA does not mandate the specific mechanisms to achieve the outcomes). SD-02C’s key elements are summarized below:

  • Affected pipeline operators are those notified by TSA that their pipeline system or facility is critical. In other words, the same pipeline operators that have been implementing TSA’s previous Security Directives since mid-2021 must now implement SD-02C.

  • In pertinent part, SD-02C requires affected operators to: (1) develop and implement a TSA-approved Cybersecurity Implementation Plan; (2) establish a Cybersecurity Incident Response Plan; and (3) implement a Cybersecurity Assessment Program.

  • Affected operators must submit a Cybersecurity Implementation Plan to TSA for approval no later than October 25, 2022 (i.e., 90 days from the July 27, 2022 effective date). Once TSA approves an affected operator’s Cybersecurity Implementation Plan, TSA will inspect against it to determine compliance.

  • Affected operators must develop and submit a Cybersecurity Assessment Program to TSA no later than 60 days from the date that TSA approves the operator’s Cybersecurity Implementation Plan.

  • SD-02C supersedes previously issued Security Directives, but affected operators must continue to implement Security Directive 2021-02B until a Cybersecurity Implementation Plan is submitted to, and approved by, TSA.

MTSA Cyber FAQs

The Coast Guard previously published Navigation and Vessel Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities as guidance for complying with Maritime Transportation Security Act (MTSA) cybersecurity requirements. As part of that initiative, the Coast Guard has published a Frequently Asked Questions (FAQ) document supporting NVIC 01-20 and cyber inclusion in Facility Security Plans (FSPs).

As the Coast Guard continues to work with its Facility Inspectors in the field and maritime industry stakeholders, it will continue to update the FAQs based on feedback.

MSIB: Cybersecurity Awareness and Action

The Coast Guard Assistant Commandant for Prevention Policy has published Marine Safety Information Bulletin (MSIB) 02-22: Cybersecurity Awareness and Action.

In MSIB 02-22, the Coast Guard states that, in accordance with the Cybersecurity and Infrastructure Security Agency’s “Shields Up” guidance, every organization should have documented thresholds for reporting potential cyber incidents to senior management and the U.S. Government. In this heightened threat environment, the Coast Guard states that these thresholds should be significantly lower than normal.

MSIB 02-22 reminds Maritime Transportation Security Act (MTSA)-regulated facilities that they are required to report breaches of security and suspicious activity to the National Response Center (NRC) at 1-800-424-8802.

The Coast Guard also recommends contacting its Cyber Command for technical support that may help MTSA-regulated facilities prepare for or respond to a cyber incident. Cyber Command’s 24×7 watch can be reached at 202-372-2904 or [email protected].