FY13 Port Security Grant Program Solicitation posted

On May 22, 2013 FEMA posted the details of this year’s (FY13) Port Security grant program. The file is available at http://www.fema.gov/library/viewRecord.do?id=7471. Below are some important points:

 Key Dates and Times:

Application Start Date: 05/21/2013

Application Submission Deadline Date: 06/24/2013 at 11:59:59 p.m. EST

Anticipated Funding Selection Date: 08/02/2013

Anticipated Award Date: 09/01/2013

Award Amounts, Important Dates, and Extensions

Available Funding for this FOA: $93,207,313

Projected Number of Awards: 210

Projected Award Start Date(s): 09/01/2013

Projected Award End Date(s): 08/31/2015

Period of Performance: 24 months

Cost Match:

Public Sector. Public sector applicants must provide a non-Federal match (cash or in-kind) supporting at least 25 percent (25%) of the total project cost for each proposed project.

Private Sector. Private sector applicants must provide a non-Federal match (cash or in-kind) supporting at least 50 percent (50%) of the total project cost for each proposed project.

Cash and in-kind matches must consist of eligible costs (i.e., purchase price of allowable contracts, equipment). A cash match includes cash spent for project-related costs while an in-kind match includes the valuation of in-kind services. The cost-match requirement for the PSGP award may not be met by costs borne by another Federal grant or assistance program. Likewise, in-kind matches used to meet the matching requirement for the PSGP award may not be used to meet matching requirements for any other Federal grant program (e.g., FY 2013 funds are used to purchase a mobile command center from a vendor, the vendor contributes or donates communications equipment associated with the mobile command center, the value of the donated equipment may be considered as an in-kind match for the PSGP award only).

Program Objectives

The FY 2013 PSGP plays an important role in the implementation of the National Preparedness System (NPS) by supporting the building, sustainment, and delivery of core capabilities essential to achieving the National Preparedness Goal (NPG) of a secure and resilient Nation. Delivering core capabilities requires the combined effort of the whole community, rather than the exclusive effort of any single organization or level of government. The FY 2013 PSGP’s allowable costs support efforts to build and sustain core capabilities across Prevention, Protection, Mitigation, Response, and Recovery mission areas.

Grantees under the FY 2013 PSGP are encouraged to build and sustain core capabilities through activities such as:

• Strengthening governance integration;

• Enhancing Maritime Domain Awareness (MDA)

• Enhancing IED and Chemical, Biological, Radiological, Nuclear, Explosive (CBRNE) prevention, protection, response and supporting recovery capabilities within the maritime domain

• Enhancing cybersecurity capabilities

• Maritime security risk mitigation projects that support port resilience and recovery capabilities

• Training and exercises

• Transportation Worker Identification Credential (TWIC) implementation

Application Review Information

The four core PSGP funding priorities for applications are:

• Funding Priority #1. Projects that support development and sustainment of the core capabilities in the NPG and align to PSGP funding priorities identified in Appendix B –PSGP Priorities. These include:

• Enhancing MDA

• Enhancing IED and CBRNE prevention, protection, response and recovery capabilities within the maritime domain

• Enhancing cybersecurity capabilities

• Maritime security risk mitigation projects that support port resilience and recovery capabilities

• Training and exercises

• TWIC implementation

• Funding Priority #2. Projects that address priorities outlined in the applicable AMSP, FSP, and Vessel Security Plan (VSP), as mandated under the MTSA and/or the Port-Wide Risk Mitigation Plans (PRMP)

• Funding Priority #3. Projects that address additional maritime security priorities based on the COTP’s expertise and experience of the COTP within the specific Port Area

• Funding Priority #4. Projects that are eligible and feasible based on program priorities, Port Area plans and priorities, and available period of performance 

Port Area Group Designations

For FY 2013, there will be two Port Area Group Designations, rather than the traditional four groupings in prior years. Table 2 lists the specific Port Areas by Group that are eligible for funding through the FY 2013 PSGP and the competitive funding amount available within each Group. This change helps ensure funding is made available to the highest risk ports and funding is awarded to projects that are rated most effective in addressing program priorities and mitigating port security risks. DHS/FEMA reserves the right to re-allocate funding from one group to the other should the applications within a particular group prove insufficient in terms of quality, number, and/or total project costs.

Group I Port Areas

Eight Port Areas have been selected as Group I (highest risk) and will be allocated 60 percent (60%) of funding available. Each Group I Port Area will compete for the target funding allocation assigned to the group. The amount of available funding for the group is based on the FY 2013 DHS risk analysis. This will allow applicants to submit IJs for projects without being confined to a set dollar amount, providing DHS the opportunity to conduct field and national reviews of each project and make awards based on the two overarching priorities of PSGP, risk-based funding and regional security cooperation, as well as evaluating the extent to which each IJ decreases risk for the Port Area.

Group II Port Areas

The legacy Group II, III, and All Other Port Areas are combined into a single Port Grouping known as Group II, which will receive the remaining 40 percent (40%) of funds available. These Port Areas will compete for the target funding allocation assigned to Group II. As is the case with the Group I Port Areas, available funding is based on results of the FY 2013 DHS risk analysis. The number of legacy Group II and III ports will be adjusted to, 47 and 35, respectively; thus the total number of Group II ports under the new grouping methodology is 82. Note: The total number of Group II ports does not include All Other Port Areas. 

Ineligible Entities

The PSGP will not accept applications or IJs from an applicant or sub-applicant for the purpose of providing a service or product to an otherwise eligible entity

Port-Wide Risk Management Planning for legacy Group I and Group II Port Areas

Legacy Group I and II Port Areas are encouraged to maintain their PRMPs and to use them to identify projects that will serve to address remaining maritime security vulnerabilities. These ports are also highly encouraged to develop a Business Continuity/Resumption of Trade Plan (BCRTP). For purposes of regional strategic and tactical planning, these plans must take into consideration all other Port Areas covered by their AMSP.

Depending on the number of highly rated IJs received within each Port Grouping, funding may adjusted between groups to ensure the most highly effective, risk based maritime security projects are funded.

More from TWIC Reader Notice of Proposed Rulemaking

Will there be a different requirement for TWIC reader use at elevated MARSEC Levels for Risk Group A?

The Coast Guard recognizes that the system of MARSEC Levels creates a useful mechanism for the Coast Guard to elevate security requirements at times of heightened risk. Nonetheless, the Coast Guard uses this mechanism in a targeted manner, and at this time, the Coast Guard does not believe that elevated TWIC reader requirements at higher MARSEC Levels are generally practical or appropriate. In considering the comments above, the Coast Guard notes the change that it has made from the ANPRM to this NPRM with respect to TWIC reader requirements. In the NPRM, the Coast Guard proposed TWIC reader requirements for Risk Groups A and B, with stricter TWIC reader requirements for both risk groups at higher MARSEC Levels. The ANPRM’s stricter TWIC reader requirements would have primarily affected Risk Group B because the ANPRM proposed routine biometric scanning with a TWIC reader for Risk Group A at all MARSEC Levels. For example, the ANPRM would have required Risk Group B to use TWIC readers at MARSEC Level 1 for card authentication (i.e., no routine biometric scan) and once-monthly biometric identity verification. The ANPRM, however, would have only required Risk Group B to regularly use TWIC readers for biometric identity verification at higher MARSEC Levels. In this NPRM, the Coast Guard has eliminated the proposed TWIC reader requirements for Risk Group B. The requirements for routine biometric scanning with a TWIC reader for Risk Group A remain the same as in the ANPRM. Note that the Coast Guard proposes increased requirements at higher MARSEC Levels to the extent that the NPRM would require Risk Group A to perform daily updates of CCL information at higher MARSEC Levels, instead of the weekly updates required at MARSEC Level 1.

What types of readers may be utilized?

The Department of Commerce’s National Institute of Standards and Technology (NIST) and TSA are developing TWIC reader specifications. TSA will establish a process to qualify TWIC readers, and will maintain a Qualified Technology List (QTL) of acceptable TWIC readers. The Coast Guard anticipates that there may be changes from the ICE Test list to the QTL list, based on final TWIC reader specifications resulting from the QTL process.

A list of TWIC readers that have passed the Initial Capability Evaluation (ICE) Test is available at http://www.tsa.gov/assets/pdf/twic_ice_list.pdf. As stated in PAC–D 01–11, however, TWIC readers allowed pursuant to PAC–D 01–11 may no longer be valid after promulgation of a TWIC reader final rule, and DHS will not fund replacement TWIC readers.

TSA is developing the QTL so that approved readers meet durability standards. Additionally, in this NPRM, we’re proposing requirements that provide owners and operators the flexibility to choose the TWIC reader that best suits their operational needs.

Section 101.105, Definitions.TWIC reader means an electronic device listed on TSA’s Qualified Technology List (QTL) and used to verify and validate: the authenticity of a TWIC; the identity of the TWIC-holder as the legitimate bearer of the credential; that the TWIC is not expired; and that the TWIC is not on the CCL. TSA’s QTL of acceptable TWIC readers may be accessed online at http://(TBD).

TWIC Card Reader NPRM in Federal Register 03/22/2013

On March 22, 2013, the Coast Guard will publish the Notice of Proposed Rulemaking for the TWIC Reader in the Federal Register. To summarize, facilities and vessels are divided into risk groups and only the highest risk group (A) will need to use a reader. Lower risk groups will (for the time being) continue under the present regulatory requirements for TWIC visual inspection.

For vessels, Risk Group A consists of vessels are certificated to carry more than 1,000 passengers, carrying CDC in bulk, or towing CDC in bulk. For facilities, Risk Group A consist of facilities that handle CDC in bulk, receive vessels that are certificated to carry more than 1,000 passengers, and barge fleeting facilities that receive barges carrying CDC in bulk. The Coast Guard is considering allowing multiple risk group designations within one facility. In addition:

• ·         The NPRM does not propose to require owners and operators to specifically use contact TWIC readers, nor does the NPRM propose any PIN requirement.

• ·         The compliance deadline for operation is proposed to be two years after the publication of the final rule. Within 2 years after publication of the TWIC reader final rule, owners and operators would have to amend their security plans to indicate how they implement the TWIC reader requirements contained in the applicable sections of 33 CFR parts 101, 104, and 105.

• ·         Exempts from TWIC reader requirements all vessels with 14 or fewer TWIC-holding crewmembers,

• ·         NPRM withdraws the ANPRM’s proposal to include noncredentialed individuals engaged on towing vessels not regulated under 33 CFR part 104 among the list of mariners required to possess a TWIC.

• ·        Owners and operators of vessels or facilities in Risk Groups B and C would not be required to check TWICs against the CCL.

• ·         Owners and operators would have the discretion to impose access control measures that are stricter than the minimum regulatory requirements.

• ·         If a TWIC reader malfunctions, an owner or operator would still be permitted to grant the individual unescorted access to secure areas, provided the individual was known to have a valid TWIC and the TWIC was inspected visually.

• ·         Owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks.

• ·         The COTP is authorized to temporarily suspend TWIC reader requirements at a facility if the COTP determines that such requirements are causing delays resulting in excessive vehicle build-up or other unintended consequence. During the period of any such suspension, the owner or operator would be required to perform visual TWIC inspections for identity verification, card authentication, and card validation.

• ·         The Coast Guard will continue to analyze risk data and consider whether additional or modified TWIC reader requirements would be warranted in the future.

• ·         Considering the several rulemakings that are going to be issued in the near future, the Coast Guard  is currently examining several options to coordinate the rulemakings and manage the plan submission and re-approval process to ensure that plan changes occur only as often as necessary to incorporate any new regulatory requirements.

• ·         Amend 33 CFR 104.235 and 105.225 to set forth TWIC reader recordkeeping requirements. Owners and operators using TWIC readers, with or without a Physical Access Control System, would be required to maintain certain records for at least 2 years. During that time, owners and operators would be required to make those records available to the Coast Guard upon request. Those records include, with respect to each individual granted unescorted access to a secure area: (1) FASCN;(2) date that access was granted; (3) time that access was granted; and (4) if captured, the name of the individual to whom access was granted. If a TWIC reader or PACS captures the required data when the TWIC is scanned, and can retain and reproduce that data, the recordkeeping requirement would be met. Owners and operators would be required to also maintain records to demonstrate that they have performed the required card validity check using the CCL on each individual. TWIC reader records are SSI, and would be required to be protected in accordance with 49 CFR part 1520.

• ·         Physical placement of readers -  For facilities, TWIC readers will be required at the access points to each secure area. If the entire facility is designated as a secure area, then TWIC readers would only be required at the access points to the facility itself. If the secure area does not encompass the entire facility, then TWIC readers would be required at the access points to each secure area. For vessels, the NPRM proposes to require TWIC readers at the access points to the vessel itself, regardless of whether the secure area encompasses the entire vessel.

Below are more provisions of the NPRM.  This is just a bare-bones summary.  In this NPRM, the Coast Guard goes into great detail to give information about the processes that affected the decision-making about this rule, and the rule should be read in its entirety by the MTSA community. There are also several other related documents available for viewing in the public docket.

NPRM:

This rulemaking action, once final, would build upon existing Coast Guard regulations designed to ensure that only individuals who hold a TWIC are granted unescorted access to secure areas at those locations…..This rulemaking would also implement the Security and Accountability For Every Port Act of 2006 electronic TWIC reader requirements.

Comments – Public Comments will be accepted via http://www.regulations.gov, Docket number USCG-2007-28915.  I did not see an ending date for comment acceptance.

Public Meetings - USCG intends to hold one or more public meetings regarding the proposals in this NPRM.A notice with the specific date and location of each meeting will be published in the Federal Register as soon as this information is known.

Purpose of the Regulatory Action - This rulemaking, which would require owners and operators of certain types of vessels and facilities to use electronic TWIC readers, is necessary to advance the goals of the TWIC program. The Coast Guard conducted a riskbased analysis of MTSA-regulated vessels and facilities to categorize them into one of three risk groups. Risk Group A is comprised of vessels and facilities that present the highest risk of being involved in a transportation security incident (TSI).Vessels and facilities in Risk Group A would have new TWIC reader requirements under this rule. Vessels and facilities in Risk Groups B and C present progressively lower risks, and would continue to follow existing regulatory requirements for visual TWIC inspection.

Despite the enhanced reliability that TWIC readers would offer, not all vessels and facilities face security risks that justify the costs and other burdens that would result from a universal TWIC reader requirement for all vessels and facilities. Therefore, in this rulemaking, the USCG is considering a phased approach to implementing TWIC reader requirements by proposing such requirements first for vessels and facilities where the risk of harm is expected to be the greatest. The USCG will continue to analyze risk data on MTSA-regulated vessels and facilities and consider whether additional or modified TWIC reader requirements are warranted in future rulemakings.

How Did the Coast Guard Determine the Risk Tiering?

The Coast Guard assembled a panel of maritime security subject matter experts from the Coast Guard and TSA to conduct a risk-based analysis of MTSA-regulated vessels and facilities. The panel assessed the distinct types of vessels and facilities using three factors: (1) maximum consequences to that vessel or facility resulting from a terrorist attack; (2) criticality to the nation’s health, economy, and national security; and (3) utility of the TWIC in reducing risk.

For the first factor (maximum consequence resulting from a terrorist attack), they used the Coast Guard’s Maritime Security Risk Analysis Model (MSRAM).

For the second factor (criticality to the nation’s health, economy, and national security), they considered the impact of the total loss of a vessel or facility beyond the immediate local consequences, taking into account the regional or national impacts on human health, the economy, and national security.

For the third factor (TWIC utility), they considered the utility of the TWIC program in reducing a vessel’s or facility’s vulnerability to a terrorist attack.

The Coast Guard combined the above three factors and developed an overall risk ranking of vessels and facilities by type. The panel then assigned numerical valued weights to the three

factors. In determining the final weights, the panel chose the approach that best reflected its understanding of the maritime environment and TWIC program implementation, the importance of consequences in representing target attractiveness to terrorists, and the panel’s expert perspective of risk. The actual numerical valued weights finalized by the panel are Sensitive Security Information (SSI). Finally, the panel calculated the priority scores for each vessel and facility type. At the end of this process, types of vessels and facilities with similar scores were combined into one of three risk groups.

Vessels and facilities that present a heightened risk for being involved in a TSI, Risk Group A, would have new TWIC reader requirements under this rule. For now, vessels and facilities that do not present this heightened risk would either continue to visually inspect TWICs or voluntarily deploy TWIC readers.

Comparison between the ANPRM and the NPRM:

Based on the public comments received in response to the ANPRM, the findings of the DHS pilot program, and further analysis of the relevant issues, this NPRM reiterates many of the ANPRM’s proposals, including retaining the ANPRM’s riskbased framework for classifying vessels and facilities into the same three risk groups. As in the ANPRM, vessels and facilities are generally placed in higher risk groups based on the hazardous nature of the cargo handled or carried, or an increase in the number of passengers present…The main change in approach from the ANPRM to this NPRM is regarding the TWIC reader requirements for the different risk groups. Specifically, this NPRM proposes TWIC reader requirements for Risk Group A only….Proposing TWIC reader requirements for Risk Group A only in this NPRM is indicative of our desire to minimize highest risks first, but should not be read to foreclose revised TWIC reader requirements in the future. The Coast Guard will continue to gather and analyze data to determine how the use of TWIC readers might be appropriate for each risk group.

Summary of Costs and Benefits: Under MTSA, the Coast Guard regulates approximately 13,825 vessels, 3,270 facilities, and 56 Outer Continental Shelf (OCS) facilities. Of those MTSA-regulated facilities that could have potentially been regulated, 38 vessels and 532 facilities are affected by this proposed rule. The Coast Guard estimates the annualized cost of this proposed rule on the affected population of 38 vessels and 532 facilities to be about $26.5 million, while the 10-year cost is $186.1 million, discounted at 7 percent. The main cost drivers of this proposal are the acquisition, installation, and integration of TWIC readers into access control systems.

Specifics for Reader Requirements: new 33 CFR 101.520, for Risk Group A

At MARSEC Level 1, all persons seeking unescorted access to secure areas would be required to present a TWIC and fingerprint for biometric identity verification, card authentication, and card validity check. The owner or operator would be required to

perform the card validity check based on CCL information no more than 7 days old. At MARSEC Level 2, the same procedures would apply as those at MARSEC Level 1, except that the owner or operator would be required to perform the card validity check based on CCL information no more than 1 day old. Two additional provisions - First, owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Second, owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks. The COTP is authorized to temporarily suspend TWIC reader requirements at a facility if the COTP determines that such requirements are causing delays resulting in excessive vehicle build-up or other unintended consequence. A facility owner or operator could contact the COTP seeking such a determination. During the period of any such suspension, the owner or operator would be required to perform visual TWIC inspections for

identity verification, card authentication, and card validation.

New 33 CFR 101.520(e), exempting all vessels with 14 or fewer TWIC-holding crewmembers from TWIC reader requirements.

New 33 CFR 101.525 and 101.530 – set forth the TWIC visual inspection requirements for Risk Groups B and C, respectively. At all MARSEC Levels, all persons seeking unescorted access to secure areas of vessels or facilities in Risk Groups B or C would be required to present a TWIC for visual identity verification, card authentication, and card validity check, prior to each entry. An owner or operator would perform identity verification by visually matching the photograph on the TWIC to the individual presenting it. An owner or operator would verify TWIC authenticity by visually checking its security features to determine whether it has been tampered with or forged. An owner or operator would validate the TWIC by visually checking the expiration date on the face of the TWIC to determine whether it has expired. Owners and operators of vessels or facilities in Risk Groups B and C would not be required to check TWICs against the CCL.

New 33 CFR 101.535 – TWIC inspection requirements in special circumstances. These

provisions are designed to provide an appropriate level of flexibility in the TWIC reader and inspection requirements when special circumstances arise. If an individual is unable to present a TWIC because it has been lost, damaged, or stolen, and the individual has previously been granted unescorted access to secure areas and is known to have previously possessed a TWIC, an owner or operator would be permitted to grant the individual unescorted access to secure areas for a period of no longer than 7 consecutive days, provided that certain conditions are met. Owners and operators will need to describe the process to be used to handle exceptions to using readers – such as an when individual has poor quality fingerprints, or no fingerprint minutiae – in their security plans.

If a TWIC reader malfunctions, an owner or operator would still be permitted to grant the individual unescorted access to secure areas, provided that certain conditions are met. First, the individual would be required to have previously been granted unescorted access to secure areas in the past, and the individual would be required to be known to have a TWIC. Second, the owner or operator would be required to perform identity verification, card validation and card authentication by visual inspection. An owner or operator may rely on this alternative for a period of 7 calendar days while the TWIC reader malfunction is corrected.

To ensure that CCL information is updated and used appropriately - Owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Second, owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks.

Compliance Deadlines - Within 2 years after publication of the TWIC reader final rule, owners and operators would be required to be operating in accordance with the requirements contained in that final rule. Also, within 2 years after publication of the TWIC reader final rule, owners and operators would have to amend their security plans to indicate how they implement the TWIC reader requirements contained in the applicable sections of 33 CFR parts 101, 104, and 105.

Recordkeeping – the Coast Guard proposes to amend 33 CFR 104.235 and 105.225 to set forth TWIC reader recordkeeping requirements. Owners and operators using TWIC readers, with or without a PACS, would be required to maintain certain records for at least 2 years. During that time, owners and operators would be required to make those records available to the Coast Guard upon request. Those records include, with respect to each individual granted unescorted access to a secure area: (1) FASCN;(2) date that access was granted; (3) time that access was granted; and (4) if captured, the name of the individual to whom access was granted. If a TWIC reader or PACS captures the required data when the TWIC is scanned, and can retain and reproduce that data, the recordkeeping requirement would be met. Owners and operators would be required to also maintain records to demonstrate that they have performed the required card validity check using the CCL on each individual. Finally, we propose to include a regulatory provision indicating that TWIC reader records are SSI, and would be required to be protected in accordance with 49 CFR part 1520.

Movement Between Risk Groups - based on the materials they are carrying or handling, or the types of vessels they are receiving at any given time, designed to provide flexibility to owners and operators of vessels and facilities that only meet the Risk Group A criteria on a periodic basis. An owner or operator wishing to take advantage of one of these provisions would be required to explain how the vessel or facility would move between risk groups in an amended security plan.

Physical placement of readers -  For facilities, this NPRM proposes to require TWIC readers at the access points to each secure area. If the entire facility is designated as a secure area, then TWIC readers would only be required at the access points to the facility itself. If the secure area does not encompass the entire facility, then TWIC readers would be required at the access points to each secure area. For vessels, this NPRM proposes to require TWIC readers at the access points to the vessel itself, regardless of whether the secure area encompasses the entire vessel.