Tuesday, February 12, 2019

DHS Science and Technology Directorate (S&T) has Issued a New Request for Comment, Assessing the Risk-Mitigation Value of TWIC® at Maritime Facilities.


On Feb. 07, 2019, the Science and Technology Directorate (S&T) of the Department of Homeland Security (DHS) issued a new request for comment, Assessing the Risk-Mitigation Value of TWIC® at Maritime Facilities. The notice is published in the Federal Register at https://www.govinfo.gov/content/pkg/FR-2019-02-07/pdf/2019-01377.pdf.

Please note that this notice requests comments on two items: number one, how effective the TWIC program is at enhancing security and reducing security risks for regulated maritime facilities and vessels, and number two, specific issues concerning an annual information collection about assessing the risk mitigation value of TWIC® at maritime facilities.

From the notice:
By law, the Secretary of Homeland Security is required to commission an assessment of how effective the transportation security card program is at enhancing security and reducing security risks for regulated maritime facilities and vessels. Through the transportation security card program, the Department issues the Transportation Worker Identification Credential (TWIC®). Legislation passed August 2, 2018 restricts the U.S. Coast Guard (USCG) from implementing any rule requiring the use of biometric readers for TWIC® until after submission to Congress of the results of this effectiveness assessment.

The Homeland Security Operational Analysis Center (HSOAC), a federally funded research and development center operated by the RAND Corporation, will collect information from those involved in maritime security on behalf of the DHS S&T Research and Development Partnerships (RDP) Federally Funded Research and Development Center (FFRDC) Program Management Office. HSOAC will visit regulated maritime facilities and terminals and conduct interviews using a semi-structured interview method to collect information. HSOAC will analyze this information and use it to produce a public report with its research findings.

DATES: Comments are encouraged and accepted until April 8, 2019.

ADDRESSES: You may submit comments, identified by docket number DHS–2018–0052, at:
• Federal eRulemaking Portal: http://www.regulations.gov. Please follow the instructions for submitting comments.
• Mail and hand delivery or commercial delivery: Science and Technology Directorate, ATTN: Chief Information Office—Mary Cantey, 245 Murray Drive, Mail Stop 0202, Washington, DC 20528.

Instructions: All submissions received must include the agency name and docket number DHS–2018–0052.

SUPPLEMENTARY INFORMATION: The Secretary of Homeland Security, according to Public Law 114–278, is required to commission an assessment of how effective the transportation security card program is at enhancing security and reducing security risks for regulated maritime facilities and vessels. Through the transportation security card program, the Department issues the Transportation Worker Identification Credential (TWIC®). In addition, Public Law 115–230 restricts the USCG from implementing any rule requiring the use of biometric readers for TWIC® until submitting the results of this assessment to Congress. DHS, in accordance with the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq., provides the general public and Federal agencies with an opportunity to comment on proposed, revised, and continuing collections of information. DHS is soliciting comments on the proposed information collection request (ICR) that is described below. DHS is especially interested in public comment addressing the following issues: (1) Is this collection necessary to the proper functions of the Department; (2) will this information be processed and used in a timely manner; (3) is the estimate of burden accurate; (4) how might the Department enhance the quality, utility, and clarity of the information to be collected; and (5) how might the Department minimize the burden of this collection on the respondents, including through the use of information technology? Please note that written comments received in response to this notice will be considered public records.

Title of Collection: Assessing the Risk Mitigation Value of TWIC® at Maritime Facilities.

Type of Review: New.

Affected Public: Port security subject matter experts such as Port Authority Security Managers, Facility Security Managers, Industry Security Managers, and local law enforcement; Labor, Other Industry Operation and Technology Managers.

Frequency of Collection: Once, Annually.

Average Burden per Response: 60 minutes.

Estimated Number of Annual Responses: 400.

Total Annual Burden Hours: 400.


Discussion: There is an effective and an ineffective way to comment on a regulation. From “Tips for Submitting Effective Comments”, found at https://www.regulations.gov/docs/Tips_For_Submitting_Effective_Comments.pdf:
• "Read and understand the regulatory document you are commenting on
• Feel free to reach out to the agency with questions
• Be concise but support your claims
• Base your justification on sound reasoning, scientific evidence, and/or how you will be impacted
• Address trade-offs and opposing views in your comment
• There is no minimum or maximum length for an effective comment
• The comment process is not a vote – one well supported comment is often more influential than a thousand form letters."

Comments submitted to address the first issue need to mention how the program does or does not enhance security and reduce security risks for regulated maritime facilities and vessels. That you are personally inconvenienced during the enrollment process, or that the cards are not accepted at airports, probably does not address the question of risk reduction in the maritime environment. A comment that is submitted without the word “risk” or “security” in it seems to me to be flawed at the outset. DHS is required to consider these comments, so this is one more chance for us to get our hands on the TWIC program and influence its path. Let’s make sure we don’t waste this opportunity.

I am still gathering information on the details of number two, the information collection. I want to know how DHS arrived at the figure of 400 persons who will submit information, and how it determined that the collection will take one hour. Until I know these details, I can’t sensibly comment on the second issue.



Friday, January 18, 2019

Status of TWIC Enrollment Services During Shutdown

I am getting a lot of questions from my fellow FSOs about the status of TWIC enrollment centers during the shutdown. Here's the word from TSA: "This message is a notice to stakeholders about the lapse in Federal funding. The Transportation Security Administration’s (TSA) TWIC® enrollment services are still open and operating and in-person appointments are available.* If you require assistance with enrollment services, please call 855-DHS-UES1 (855-347-8371) between 8:00am - 10:00pm Eastern, Mon. - Fri. Additionally, the issuance/delivery of the TWIC® card is not impacted. With the exception to applicants subject to redress, eligible TWIC® applicants should expect to receive a TWIC® card in approximately 4 to 14 days, pending delivery times. For additional information on the TSCC or TWIC®, please contact: TWIC.issue@tsa.dhs.gov."

Tuesday, January 15, 2019


A Summary of Department of Homeland Security Office of Inspector General (OIG) Report OIG-19-16, DHS’ and TSA’s Compliance with Public Law 114-278


Please note: The opinions in this post are solely the author’s and do not reflect the opinion of the University of Findlay or anyone’s opinion but the author’s.

On Dec. 14, 2018 the Department of Homeland Security Office of Inspector General (OIG) published OIG-19-16, DHS’ and TSA’s Compliance with Public Law 114-278[1], Transportation Security Card Program Assessment. This audit was performed to determine DHS’ and TSA’s conformity with the public law’s requirements. P.L. 114-278 required the two agencies to undertake actions to improve the TWIC vetting process, and to conduct an overall assessment of the TWIC program effectiveness. The words “audit” and “report” are used interchangeably and designate the findings related in 19-16.

The law has four sections:
(a) Credential Improvements
(b) Comprehensive Security Assessment of the Transportation Security Card Program
(c) Corrective Action Plan; Program Reforms
(d) Inspector General Review

Actions that TSA was required to undertake to improve the vetting process/credential improvements (section a) include: a risk analysis of the TWIC security threat assessment; implementing additional internal controls and best practices; improving fraud detection techniques; updating the guidance provided to Trusted Agents (TAs) regarding the vetting process and related regulations; finalizing a manual for Trusted Agents and adjudicators on the vetting process; and establishing quality controls for consistency in adjudication decisions.

The overall effectiveness review (section b) includes an evaluation of both the credentialing and the renewal process. It also includes a detailed analysis of the security value of the program: evaluating the extent to which the program addresses security risks in the maritime environment; evaluating the possibility of non-biometric credential alternatives; identifying the technology, business process, and operational impacts of the use of the TWIC card and readers; assessing the costs and benefits of the program; and evaluating the extent to which DHS has addressed the deficiencies in the Program identified by the Government Accountability Office (GAO) and the OIG before the date of enactment of the law. The risk analysis of the security threat assessment and the overall effectiveness review were awarded to the Homeland Security Operational Analysis Center (HSOAC), operated by the RAND Corporation.

The assessment mandated under the law was to have begun in February 2017 and be completed in a year, with the results submitted to Congress in April 2018.

Two months after the date on which the assessment was completed, DHS was supposed to submit to Congress a corrective action plan addressing any deficiencies. The law required the DHS OIG to evaluate TSA’s implementation of the actions required by the law and submit a report to Congress no later than December 16, 2018. Please note: a complete text of P.L. 114-278 is included in this post under footnote 1.

The OIG’s report 19-16 evaluates DHS’ compliance with the requirements of P.L. 114-278. The report contains some very alarming (and sometimes hard to believe) language. Persons who are affected by the TWIC program should read the entire report. Below are highlights.

There were six actions that TSA was required to perform to improve the vetting process, (a)(2) A – F. Although the OIG describes TSA as partly complying with A and B and complying with C – E, the report also states “We were not able to fully address Congress’ requirement to evaluate TSA’s implementation of the required actions identified in the public law because TSA is still in the process of implementing elements of the required actions in the TWIC program. However, we have concerns with aspects of TSA’s responses to all of the required actions.”[2] The report then describes TSA’s compliance with each individual required action.

In action B, implementing additional internal controls, the report states “Until TSA addresses all 19 recommendations, it may be overlooking vulnerabilities in the STA [security threat assessment] process and opportunities to improve the TWIC program. This may result in individuals obtaining TWIC cards who may pose a security risk to our Nation’s maritime facilities and vessels.” The language under Action C, improve fraud detection techniques, is especially troubling. There is a subset of recommendations under this required action. Under improving fraud detection techniques by establishing benchmarks and a process for electronic document verification, TSA implemented the birth verification service as one of the fraud detection techniques; however, TSA uses it in a “limited capacity.”[3] Under the requirement that Trusted Agents (TAs) receive annual training in fraud detection, the OIG “was provided a copy of the contract for enrollment services that requires annual training to enhance the knowledge of TAs in identifying potentially fraudulent identity documents.”[4] A copy of a contract does not verify that training is being performed; it merely indicates that someone has drawn up a contract and that someone else has signed it. (Throughout this document, there is language that indicates that the OIG conducted this audit through high-level interviews and limited (if any) auditing in the field. There is nothing in the methodology that indicates that the OIG went into the field to confirm the HSOAC findings.)

The final comment on fraud detection needs to be reproduced in its entirety:
Lastly, TSA also complied with the requirement to review relevant security threat information provided by the TAs. According to TSA, if TAs suspect a fraudulent document, they note their concerns in the system for TSA’s Program Management Office to review. Even though TAs may include comments about potential fraudulent documents, the application process continues. If, following a review of the TA comments, TSA confirms that fraudulent documents were used, it can take one of four actions depending on the status of the applicant’s adjudication: stop the enrollment, stop the credential’s production, pull the credential from the Enrollment Center card batch, or cancel the TWIC card after production.[5]

This seems to indicate that no matter how sloppily fraudulent the document offered up by an enrollee to obtain a credential, the enrollment process must go on.

In reviewing Action E, finalize a manual for trusted agents and adjudicators, the audit states, “We still found the manual disorganized and some guidance was duplicative, contradictory, and outdated. A disorganized training manual with outdated policies, procedures, and guidance may hinder adjudicators’ ability to make appropriate, timely, and consistent decisions.”[7]

In reviewing Action F, establish quality controls to ensure consistent procedures to review adjudication decisions and terrorism vetting decisions, the OIG stated,
Although TSA has QA SOPs [quality assurance standard operating procedures] for both adjudication decisions and terrorism vetting decisions, we could not test to verify whether TSA consistently applied these quality assurance procedures in its reviews. We found the QA SOPs did not contain sufficient details on all procedures, such as a random sampling methodology for adjudication cases… Without consistent procedures and quality controls in QA reviews, TSA may be missing errors made by the adjudicators and terrorism vetting analysts. As a result, TSA may inadvertently issue TWIC cards to individuals who might pose security risks to our maritime transportation sector.[8]

TSA was a year late submitting the required report on the overall effectiveness of the program required in section (b) of the law. The reason for this delay: DHS “experienced challenges identifying an office responsible for the effort.” The assessment’s estimated completion date is April 27, 2019. [9] Per the law, if the results of this assessment indicate deficiencies, a corrective action plan needs to be implemented, but DHS has not designated a point of contact to oversee preparation of this plan.

Discussion. I approach any document related to the TWIC program from the perspective of a supporter of the program and of a security services provider and Facility Security Officer for smaller facilities. Before TWIC, we did not have a nationwide check, albeit a snapshot at the time of enrollment, of the background of persons being granted unescorted access to secure areas of regulated facilities and vessels. Larger ports and facilities have a much wider array of tools in their toolkit to provide personnel security. Many smaller facilities use the credential as a key layer of defense, especially for threats involving non-employees.

So, as a supporter of the program, I am disturbed that the OIG described the training manual for TAs as containing material that is contradictory and outdated. I am disturbed by the possibility that DHS and TSA seem to have difficulty designating a person responsible for the corrective action plan mandated by the law. And I was very disturbed by the language stating that individuals who may pose a risk to the nation’s marine terminals and vessels are being granted credentials because of the identified shortcomings of the program; this language appears in several places in the document.

I am also disturbed by the apparent lack of consequences for the problems identified in this document. Because it contains no recommendations, DHS and TSA did not provide any responses. DHS did not award a work order for the assessment for more than a year after the deadline. As an FSO, if I am late for many regulatory requirements – drills, exercises, security inspections, annual Facility Security Plan (FSP) audits, TWIC renewals, five-year FSP approvals, to name just a few – there are immediate and unpleasant consequences from the regulators. The FSP language must be clear and concise – if it is contradictory or outdated, as the OIG found the TSA manuals to be, the USCG petty officers will let me know. Regulatory agencies like TSA and the wider DHS, however, seem to be held to a different, sloppier standard.

The problems identified in the OIG report are described as having the capability of allowing individuals to obtain TWIC cards who may pose a security risk to our Nation’s maritime facilities and vessels. That’s the bad news. The good news is that P.L. 114-278 is in place to provide fixes/improvements for the TWIC program, and contains the oversight provision that generated OIG 19-16. TSA is required to perform actions immediately to improve the program (section a), and the OIG looks over their shoulder to report compliance. The RAND Corporation is reporting on the security effectiveness of the program as required in section b. (DHS will eventually overcome its challenges in identifying who is responsible for what.) Section c requires a corrective action plan, which the OIG will also review. The mission of the OIG is to “provide independent oversight and promote excellence, integrity, and accountability within DHS.”[10] Sometimes accountability is achieved by revealing unpleasant truths, as OIG 19-16 does.

As a final thought, some other wider issues need to be considered when reflecting on the problems raised by the OIG report. TSA has a major role in the TWIC program, but the agency’s main focus is on the aviation sector. Personnel distribution within the agency confirms this. More than 43,000 transportation security officers and more than 600 aviation transportation security inspectors ensure security at the 440 federalized airports.[11] Describing its multimodal security efforts, TSA states that it utilizes approximately 250 surface transportation inspectors to conduct annual inspections in support of risk-based security of more than 4 million miles of roadways, nearly 140,000 miles of railroad track, approximately 612,000 bridges and more than 470 tunnels, approximately 360 maritime ports, and approximately 2.75 million miles of pipeline.[12] “TSA has an annual surface security operating budget of around $111 million, which represents approximately 3 percent of TSA’s total budget, while the remainder of the budget is dedicated primarily to aviation operations”, according to the Government Accountability Office.[13]

More critically, key people may not be in place at DHS or TSA to make decisions, sign off on important documents, and generally oversee the progress of important programs like TWIC. In August 2018, approximately 30% of the top positions in DHS remained unfilled.[14] Furthermore, the administration has chosen not to staff an essential White House office responsible for personnel decisions. The White House Office of Presidential Personnel
…oversees the selection process for Presidential appointments and works to recruit candidates to serve the President in departments and agencies throughout the Executive Branch. Presidential Personnel staff present candidates for PAS [Presidential Appointment needing Senate confirmation] positions to the Senate for confirmation after they have been approved by the President and have gone through Personnel’s selection and clearance process. Additionally, the office is responsible for thousands of lower level appointees. [15]

In March 2018, National Review described the White House personnel office: “Compared with President Bill Clinton’s administration at a similar point in his presidency, Trump’s personnel office has fewer than a fourth the number of staffers to process paperwork and interview applicants. Several of the offices at the personnel department are empty most of the day.”[16] There is no evidence that this short-staffing has been remedied; there is evidence that it is continuing to affect the maritime security of the United States.

[1] Congress.gov. Public Law 114-278, Dec. 16, 2016. To require the Secretary of Homeland Security to prepare a comprehensive security assessment of the transportation security card program, and for other purposes. https://www.congress.gov/114/plaws/publ278/PLAW-114publ278.pdf

Public Law 114–278
114th Congress
An Act
To require the Secretary of Homeland Security to prepare a comprehensive security assessment of the transportation security card program, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. TRANSPORTATION WORKER IDENTIFICATION CREDENTIAL SECURITY CARD PROGRAM IMPROVEMENTS AND ASSESSMENT.
(a) CREDENTIAL IMPROVEMENTS.—
(1) IN GENERAL.—Not later than 60 days after the date of enactment of this Act, the Administrator of the Transportation Security Administration shall commence actions, consistent with section 70105 of title 46, United States Code, to improve the Transportation Security Administration’s process for vetting individuals with access to secure areas of vessels and maritime facilities.
(2) REQUIRED ACTIONS.—The actions described under paragraph (1) shall include—
(A) conducting a comprehensive risk analysis of security threat assessment procedures, including—
(i) identifying those procedures that need additional internal controls; and
(ii) identifying best practices for quality assurance at every stage of the security threat assessment;
(B) implementing the additional internal controls and best practices identified under subparagraph (A);
(C) improving fraud detection techniques, such as—
(i) by establishing benchmarks and a process for electronic document validation;
(ii) by requiring annual training for Trusted Agents; and
(iii) by reviewing any security threat assessment related information provided by Trusted Agents and incorporating any new threat information into updated guidance under subparagraph (D);
(D) updating the guidance provided to Trusted Agents regarding the vetting process and related regulations;
(E) finalizing a manual for Trusted Agents and adjudicators on the vetting process; and
(F) establishing quality controls to ensure consistent procedures to review adjudication decisions and terrorism vetting decisions.
(3) REPORT.—Not later than 2 years after the date of enactment of this Act, the Inspector General of the Department  of Homeland Security shall submit a report to Congress that evaluates the implementation of the actions described in paragraph (1).
(b) COMPREHENSIVE SECURITY ASSESSMENT OF THE TRANSPORTATION SECURITY CARD PROGRAM.—
(1) IN GENERAL.—Not later than 60 days after the date of enactment of this Act, the Secretary of Homeland Security shall commission an assessment of the effectiveness of the transportation security card program (referred to in this section as ‘‘Program’’) required under section 70105 of title 46, United States Code, at enhancing security and reducing security risks for facilities and vessels regulated under chapter 701 of that title.
(2) LOCATION.—The assessment commissioned under paragraph (1) shall be conducted by a research organization with significant experience in port or maritime security, such as—
(A) a national laboratory;
(B) a university-based center within the Science and Technology Directorate’s centers of excellence network; or
(C) a qualified federally-funded research and development center.
(3) CONTENTS.—The assessment commissioned under paragraph (1) shall—
(A) review the credentialing process by determining—
(i) the appropriateness of vetting standards;
(ii) whether the fee structure adequately reflects the current costs of vetting;
(iii) whether there is unnecessary redundancy or duplication with other Federal- or State-issued transportation security credentials; and
(iv) the appropriateness of having varied Federal and State threat assessments and access controls;
(B) review the process for renewing applications for Transportation Worker Identification Credentials, including the number of days it takes to review application, appeal, and waiver requests for additional information; and
(C) review the security value of the Program by—
(i) evaluating the extent to which the Program, as implemented, addresses known or likely security risks in the maritime and port environments;
(ii) evaluating the potential for a non-biometric credential alternative;
(iii) identifying the technology, business process, and operational impacts of the use of the transportation security card and transportation security card readers in the maritime and port environments;
(iv) assessing the costs and benefits of the Program, as implemented; and
(v) evaluating the extent to which the Secretary of Homeland Security has addressed the deficiencies in the Program identified by the Government Accountability Office and the Inspector General of the Department of Homeland Security before the date of enactment of this Act.

(4) DEADLINES.—The assessment commissioned under paragraph (1) shall be completed not later than 1 year after the date on which the assessment is commissioned.
(5) SUBMISSION TO CONGRESS.—Not later than 60 days after the date that the assessment is completed, the Secretary of Homeland Security shall submit to the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Transportation and Infrastructure of the House of Representatives the results of the assessment commissioned under this subsection.
(c) CORRECTIVE ACTION PLAN; PROGRAM REFORMS.—If the assessment commissioned under subsection (b) identifies a deficiency in the effectiveness of the Program, the Secretary of Homeland Security, not later than 60 days after the date on which the assessment is completed, shall submit a corrective action plan to the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Homeland Security and the Committee on Transportation and Infrastructure of the House of Representatives that—
(1) responds to findings of the assessment;
(2) includes an implementation plan with benchmarks;
(3) may include programmatic reforms, revisions to regulations, or proposals for legislation; and
(4) shall be considered in any rulemaking by the Department of Homeland Security relating to the Program.
(d) INSPECTOR GENERAL REVIEW.—If a corrective action plan is submitted under subsection (c), the Inspector General of the Department of Homeland Security shall—
(1) not later than 120 days after the date of such submission, review the extent to which such plan implements the requirements under subsection (c); and
(2) not later than 18 months after the date of such submission, and annually thereafter for 3 years, submit a report to the congressional committees set forth in subsection (c) that describes the progress of the implementation of such plan.
Approved December 16, 2016.
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] Ibid.
[7] Ibid.
[8] Ibid.
[9] Ibid.
[10] U.S. Department of Homeland Security. Office of the Inspector General. 2018. https://www.oig.dhs.gov/about
[11] U.S. Department of Homeland Security. Transportation Security Administration. Factsheet: TSA by the Numbers. 2019. https://www.tsa.gov/sites/default/files/resources/tsabythenumbers_factsheet.pdf
[12] Ibid.
[13] United States Government Accountability Office. Transportation Security Administration: Surface Transportation Inspector Activities Should Align More Closely With Identified Risks. GAO-18-180. December 2017. https://www.gao.gov/assets/690/689031.pdf
[14] Clark, Charles S. Vacancy Rate for Top Agency Jobs Continues to Set Records. Government Executive. August 1, 2018. https://www.govexec.com/management/2018/08/vacancy-rate-top-agency-jobs-continues-set-records/150224/
[15] The White House. White House Internship Program. Presidential Departments. 2018.  https://www.whitehouse.gov/get-involved/internships/presidential-departments/
[16] Fund, John. Trump Is Running a ‘Home Alone’ Administration. National Review. March 25, 2018. https://www.nationalreview.com/2018/03/trump-administration-staff-vacancies-leave-career-civil-servants-in-place/

Monday, August 6, 2018

Latest Developments that will Affect Implementation of the TWIC Reader Final Rule


On August 02, 2018, HR 5729 was signed into law, becoming Public Law No: 115-230, The Transportation Worker Identification Credential Accountability Act of 2018. The law is so brief that it is quoted in its entirety at the end of this post. It prohibits the Coast Guard from implementing the TWIC Reader Final Rule and from proposing or issuing a notice of proposed rulemaking for any revision to that rule except to extend its effective date, or for any other rule requiring the use of biometric readers for biometric transportation security cards. The Coast Guard may not do any of this before the end of the 60-day period after submission to Congress of the results of an assessment of the effectiveness of the TWIC program, required under a 2016 law mandating a comprehensive security assessment of the program. TSA was supposed to have commenced and completed this assessment of the TWIC program in 2017, but I can find no evidence on the relevant congressional committee websites of testimony on the assessment.

On August 03 the Coast Guard published a post on Maritime Commons, Latest Developments Regarding the TWIC Reader Final Rule, at http://mariners.coastguard.dodlive.mil/2018/08/03/8-3-2018-latest-developments-regarding-twic-reader-final-rule/, advising about HR 5729.
The Maritime Commons post gives some information from International Liquid Terminals Association et al. v. DHS, the industry groups’ lawsuit against the TWIC reader rule, that also impacts implementation of the rule: “Additionally, the United States District Court for the Eastern District of Virginia issued a court order July 24, 2018, delaying the TWIC Reader Final Rule implementation at Certain Dangerous Cargo transfer and non-transfer facilities until further order of the Court, in response to a lawsuit brought by industry groups.”

What this will probably mean for us is that the clock has been stopped on the TWIC reader final rule – not just for certain classes of facilities, but for all facilities subject to the rule. Maritime Commons states in the August 03 post that “The Office of Port and Facility Compliance will provide additional information regarding the impacts of this law, the current lawsuit, and the Notice of Proposed Rulemaking in the near future.”
______________________________________________________

Public Law No: 115-230
An Act, To restrict the department in which the Coast Guard is operating from implementing any rule requiring the use of biometric readers for biometric transportation security cards until after submission to Congress of the results of an assessment of the effectiveness of the transportation security card program.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the “Transportation Worker Identification Credential Accountability Act of 2018”.
SEC. 2. RESTRICTION ON IMPLEMENTATION OF TRANSPORTATION WORKER IDENTIFICATION CREDENTIAL BIOMETRIC READER RULE.
The department in which the Coast Guard is operating may not implement the rule entitled “Transportation Worker Identification Credential (TWIC)–Reader Requirements” (81 Fed. Reg. 57651), and may not propose or issue a notice of proposed rulemaking for any revision to such rule except to extend its effective date, or for any other rule requiring the use of biometric readers for biometric transportation security cards under section 70105(k)(3) of title 46, United States Code, before the end of the 60-day period beginning on the date of the submission under paragraph (5) of section 1(b) of Public Law 114–278 (130 Stat. 1411 to 1412) of the results of the assessment required by that section.
SEC. 3. PROGRESS UPDATES.
Not later than 30 days after the date of the enactment of this Act, and every 90 days thereafter until the submission under paragraph (5) of section 1(b) of Public Law 114–278 (130 Stat. 1411 et seq.) of the results of the assessment required by that section, the Secretary of Homeland Security shall report to the Committee on Homeland Security and the Committee on Transportation and Infrastructure of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate regarding the implementation of that section.

Wednesday, July 11, 2018

TSA Begins Issuing New TWIC Design


From TSA, 07/10/2018:  "The Transportation Security Administration (TSA) began issuing a new, more secure Transportation Worker Identification Credential (TWIC®) on July 10, 2018. Incorporating enhanced security features, the new TWIC® design aims to deter counterfeiting efforts and mitigate the fraudulent use of the credential at regulated facilities and vessels. Below are some key details about the new card:

• Current TWIC® card holders do not need to replace a valid TWIC® card with the new TWIC® card design.
• Regulated entities that require TWIC® for access will accept and recognize both the current and new TWIC® designs until the card’s expiration.
• The new card design is compatible with qualified TWIC® readers.
• To deter alteration of the card’s expiration date, the new card includes a color-coded expiration date box that will update on an annual basis.
• The fee for the newly re-designed TWIC® card remains unchanged ($125.25) and the credential is valid for five years."

A “TWIC Authentication Guide” document focused on the overt security features of the new TWIC® card design has been cleared for public release.

Please note, TSA did not approve, disapprove, or endorse this blog post.  

Friday, June 29, 2018

USCG Maritime Commons Announces New Form for Documenting Facilities Inspection

In the 06/28/2018 posting in Maritime Commons, the Coast Guard Blog for Maritime Professionals, the Coast Guard announced a change in documentation for facility inspections. The CG-835 form is being replaced by the CG-835F. There are no major differences between the two forms but facilities may notice the following:

1. The 835 is a combined vessel and facility inspection form. The 835F is specifically designed for facility inspections, and contains a space for the MISLE activity number. MISLE is the Coast Guard’s Marine Information for Safety and Law Enforcement data information system. For more information on MISLE, see https://www.dhs.gov/publication/dhsuscgpia-008-marine-information-safety-and-law-enforcement-misle.
2. Directions are different on the two forms. The 835 directs, “You must inform the inspecting officer when the following have been corrected.” The 835F emphasizes compliance and states, “Contact the inspecting officer when the following item(s) have been corrected.”
3. Size matters: the 835 is a smaller form, harder to file and easier to misplace. The 835F is an 8.5 x 11 form which can be 3-hole punched for easier filing in paper copy.
4. The 835F has a second page that details the rights of appeal for facilities that want to request consideration.
The Maritime Commons post states that “Regulated facilities should note that Coast Guard facility inspectors may begin using the CG-835F to document facility inspections, but in some instances may continue to use the CG-835 during this transition.”
Maritime Commons, the Coast Guard Blog for Maritime Professionals, is an excellent source of information concerning MTSA issues, facility compliance, and general Coast Guard news. You can subscribe to Maritime Commons at http://mariners.coastguard.dodlive.mil/. 

Wednesday, July 12, 2017

Draft Navigation and Vessel Inspection Circular No. 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Facilities

In the July 12, 2017 Federal Register, the Coast Guard posted the notice of the publication of Draft Navigation and Vessel Inspection Circular (NVIC) No. 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Facilities.  The NVIC is available at  https://www.regulations.gov/document?D=USCG-2016-1084-0002. Comments must be submitted to the online docket via http://www.regulations.gov, or reach the Docket Management Facility, on or before September 11, 2017.

Facility Security Officers (FSOs) are advised that this is a draft NVIC, posted for review, to allow industry an opportunity to give feedback and commentary which the Coast Guard will evaluate and incorporate in the final version of the NVIC. This is a richly detailed performance standard on implementation of security measures to ward off the worst threat looming over us.

It is possible that Facility Security Plan sections 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, and 16 as well as the Facility Security Assessment may be affected by this NVIC. This is not a lengthy document (37 pages) so FSOs are encouraged to read it in its entirety. The amount of detail was difficult to summarize, especially Enclosure 2, and only the organization and main points are described below.
__________________________________________________________

SUMMARY OF THE NVIC (largely taken from the text. My words are in italics) The NVIC has two enclosures.
(1) Cyber Security and MTSA
(2) Cyber Governance and Cyber Risk Management Program Implementation Guidance

Purpose:  MTSA-regulated facilities are instructed to analyze vulnerabilities with computer systems and networks in their Facility Security Assessments. This NVIC will assist FSOs in completing this requirement. Additionally, this NVIC provides guidance and recommended practices for MTSA regulated facilities to address cyber related vulnerabilities. Until specific cyber risk management regulations are promulgated, facility operators may use this document as guidance to develop and implement measures and activities for effective self governance of cyber vulnerabilities.

Background: The Coast Guard currently has the regulatory authority to instruct facilities and Outer Continental Shelf (OCS) facilities regulated under MTSA to analyze computer systems and networks for potential vulnerabilities within their required FSA and, if necessary, FSP.

DISCLAIMER. This guidance is not a substitute for applicable legal requirements, nor is it itself a rule. It is not intended to nor does it impose legally binding requirements on any party. It represents the Coast Guard’s current thinking on this topic and may assist industry, mariners, the general public, and the Coast Guard, as well as other federal and state regulators, in applying statutory and regulatory requirements.

Enc. 1 Cyber Security and MTSA:  33 CFR Parts 105 and 106.

The Coast Guard interprets (threats) to specifically include threats to computer systems and attacks in the electronic (cyber) domain.

In this draft document, the Coast Guard is laying out its interpretation of regulatory provisions in parts 105 and 106 as applicable to electronic and cybersecurity systems. This enclosure discusses the specific regulatory provisions that instruct owners/operators of a Maritime Transportation Security Act (MTSA) regulated facility to address cyber/computer system security in the Facility Security Assessment (FSA) and, if applicable, provide guidance within their FSPs to address any vulnerabilities identified in the Facility Security Assessment (FSA). This document intends to assist the owner/operator in identifying cyber systems that are related to MTSA regulatory functions, or whose failure or exploitation could cause or contribute to a Transportation Security Incident. If there are electronic or cybersecurity-related vulnerabilities identified in an FSA, an owner/operator may choose to provide this information in a variety of formats, such as a stand-alone cyber annex to their FSP, or by incorporating cybersecurity procedures alongside the physical security measures of their FSP.

For facilities with strong cyber programs - In many cases, companies have established cybersecurity and risk management programs that provide for strong cyber defense. For those situations, the owner/operator may demonstrate that those policies meet or exceed the requirements of 33 CFR parts 105 and 106. Owners/operators that already employ a comprehensive cybersecurity plan for their organization, or who wish to apply a standard security program that incorporates cybersecurity to multiple facilities, may wish to submit a security plan under the Alternative Security Program, 33 CFR 101.120.

How detailed does the FSA or FSP need to be? Owners/operators do not need to indicate specific or technical controls, but should provide general documentation on how they are addressing their cyber risks.

Cyber components for 33 CFR:
Recommended Cyber Analysis as part of the FSA:  The NVIC gives information on how to provide the cyber component for 105.305 (d)(2)(v).

Under “Recommendation to Address Identified Cyber Vulnerabilities (as applicable)”, the NVIC gives general, recommended guidance on how to mitigate cyber vulnerabilities identified during the FSA, organized by regulation/FSP section. I can see most facilities describing cyber measures for most of the sections, which will require FSP amendments. There is guidance here on what the Coast Guard wants to see in the FSP sections as relating to cyber.

Enc. 2 Cyber Governance and Cyber Risk Management Program Implementation Guidance. The Coast Guard details how the NIST Cybersecurity Framework (CSF) can be implemented in the maritime environment. Sections 1 – 4 of this enclosure utilize the NIST CSF as the recommended foundation for development of a cyber risk management program. Facility owner/operators should consider these guidelines in conjunction with their own risk management policies to help ensure they account for cyber risks. The four sections of this enclosure are:
1. Establishing Cyber Risk Management: Forming a Cyber Risk Management Team (CRMT), Defining Cyber Risk Management Policy, and Establishing a Cyber Risk Management Program
2. Enterprise-Wide Inventory and Analysis
3. Consequence Analysis, Vulnerability Analysis, and Prioritization
4. Protect, Detect, Respond, and Recover.

These are the nuts and bolts of the cyber security measures, so to speak: how the USCG suggests that the NIST Framework can be translated over into the MTS. Each section is detailed and written in plain understandable English, unlike many cyber publications. Throughout these sections, where appropriate, the NVIC gives examples of suggested procedures to follow. There’s a lot of what-to-do and why-we-do-it. The 4.1 Protect Section is particularly rich with bulleted lists.


Appendix A contains tables and metrics - methods for measuring and scoring cyber vulnerability. Table 1 is a Consequence Evaluation Guide for vulnerability assessments, linking how bad it is to a number. Table 2 is a Consequence Score Action (document/consider/mitigate as relates to cyber, using the score from Table 1) matrix, for scoring scenarios for Facility Security Assessments. Table 3 is a Connective Vector Assessment and will assist operators in determining which systems perform or are related to these critical security and safety functions by examining the purposes and connections of each system. “Yes” responses from Table 3 are then evaluated using Table 4, the Cyber Infrastructure Vulnerability Assessment. Each system that receives a “no” in Table 4 should be evaluated through Table 5, the Vulnerability Severity Assessment, where it will receive a vulnerability score. Systems with the highest TOTAL score (at the bottom of Table 5) should be considered the most vulnerable.
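To make the Appendix A chain concrete, here is an added example (my own illustration, not code or values from the NVIC or the Coast Guard) that models the flow the post describes: a Table 1 consequence score feeds a Table 2 action, a Table 3 “yes” sends a system to Table 4, a Table 4 “no” sends it to Table 5, and the Table 5 totals rank the systems. Every table's contents, the score thresholds, the control questions, the severity weights and the sample terminal inventory are constructed placeholders; the real NVIC tables must be read from the document itself.

```python
"""
Constructed model of the NVIC Appendix A triage chain (Tables 1-5) as the
post describes it. Table contents, thresholds, weights and the sample inventory
below are placeholders invented for illustration, not values from the NVIC.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Table 1 stand-in (constructed): consequence level -> consequence score.
CONSEQUENCE_SCORE: Dict[str, int] = {
    "negligible": 1, "minor": 2, "moderate": 3, "severe": 4, "catastrophic": 5,
}

# Table 5 stand-in (constructed): how much each missing control adds to the
# vulnerability total. A higher total means a more vulnerable system.
SEVERITY_WEIGHT: Dict[str, int] = {
    "network_segmented": 3,
    "patched": 2,
    "mfa_on_remote_access": 2,
    "logging_enabled": 1,
    "offline_backup": 1,
}


def consequence_action(score: int) -> str:
    """Table 2 stand-in (constructed thresholds): map a consequence score to
    the document / consider / mitigate action the post mentions."""
    if score <= 1:
        return "document"
    if score <= 3:
        return "consider"
    return "mitigate"


@dataclass
class System:
    name: str
    consequence: str            # Table 1 input: worst credible consequence level
    security_function: bool     # Table 3 answer: performs or connects to a security/safety function?
    controls: Dict[str, bool]   # Table 4 answers: one yes/no per (constructed) control question


@dataclass
class Result:
    name: str
    consequence_score: int
    action: str
    missing_controls: List[str] = field(default_factory=list)
    vulnerability_total: Optional[int] = None   # None when Table 5 was never reached


def assess_system(system: System) -> Result:
    """Walk one system through Tables 1-5 in the order the post describes."""
    score = CONSEQUENCE_SCORE[system.consequence]
    result = Result(system.name, score, consequence_action(score))
    # Table 3: only a "yes" (security/safety-related) system proceeds to Table 4.
    if not system.security_function:
        return result
    # Table 4: any "no" answer sends the system on to Table 5.
    result.missing_controls = [c for c, ok in system.controls.items() if not ok]
    if result.missing_controls:
        # Table 5: vulnerability score is the sum of the weights of the missing controls.
        result.vulnerability_total = sum(SEVERITY_WEIGHT[c] for c in result.missing_controls)
    return result


def prioritize(systems: List[System]) -> List[Result]:
    """Assess every system and rank those that reached Table 5 by their total,
    most vulnerable first (systems that never reached Table 5 are left out)."""
    results = [assess_system(s) for s in systems]
    scored = [r for r in results if r.vulnerability_total is not None]
    return sorted(scored, key=lambda r: r.vulnerability_total, reverse=True)


# Constructed sample inventory for a hypothetical terminal (not a real facility).
SAMPLE_INVENTORY: List[System] = [
    System("access control server", "severe", True,
           {"network_segmented": False, "patched": True, "mfa_on_remote_access": False,
            "logging_enabled": True, "offline_backup": True}),
    System("CCTV recorder", "moderate", True,
           {"network_segmented": True, "patched": False, "mfa_on_remote_access": True,
            "logging_enabled": False, "offline_backup": True}),
    System("cargo transfer PLC", "catastrophic", True,
           {"network_segmented": True, "patched": True, "mfa_on_remote_access": True,
            "logging_enabled": True, "offline_backup": True}),
    System("cafeteria point-of-sale", "negligible", False,
           {"network_segmented": False, "patched": False, "mfa_on_remote_access": False,
            "logging_enabled": False, "offline_backup": False}),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_INVENTORY):
        print(f"{r.name:24} consequence={r.consequence_score} ({r.action}) "
              f"missing={r.missing_controls} total={r.vulnerability_total}")
```

With the constructed inventory, the access control server ranks first (two missing controls, total 5, action “mitigate”), the CCTV recorder second (total 3, “consider”); the PLC answers “yes” to every Table 4 question and so never receives a Table 5 score, and the point-of-sale system drops out at Table 3 despite its poor controls because it is not tied to a security or safety function, which is exactly the screening effect the Table 3 step is meant to have.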

Friday, June 2, 2017

New Information from MARAD About Maritime Security Communications with Industry

At the April meeting of the National Maritime Security Advisory Committee, MARAD presented new information about maritime security communications with industry. Information about the new program can be found at https://www.marad.dot.gov/environment-and-safety/office-of-security/msci/

From this website: The U.S. Maritime Administration has established a new interagency approach to communicating with U.S. maritime industry stakeholders regarding identified maritime security threats. The new system, U.S. Maritime Advisory System, replaces Special Warnings to Mariners (previously generated by the U.S. Department of State’s Office of Transportation Policy), MARAD Advisories (previously generated by the Department of Transportation’s Maritime Administration), and global maritime security focused Marine Safety Information Bulletins (previously generated by the Department of Homeland Security’s U.S. Coast Guard), to more effectively and efficiently communicate with U.S. maritime industry stakeholders and U.S. mariners regarding identified threats in the maritime domain.

Two new instruments will be issued through the System, U.S. Maritime Alerts and U.S. Maritime Advisories. The U.S. Maritime Alert is a new tool that has been developed to expeditiously provide basic information (location, incident type, and date/time) on reported maritime security threats to U.S. maritime industry interests.  In some situations, a U.S. Maritime Alert may be issued to refute unsubstantiated claims. U.S. Maritime Alerts do not contain policy or recommendations for specific courses of action (this type of information is reserved for U.S. Maritime Advisories). A U.S. Maritime Advisory may follow the issuance of a U.S. Maritime Alert and is intended to provide more detailed information, when appropriate, through a “whole-of-government” response to an identified maritime threat.

Both instruments will normally be transmitted by the National Geospatial-Intelligence Agency, will be emailed to U.S. maritime industry stakeholders, and will be posted to this web portal to inform mariners of identified maritime security threats. Vessel Masters, Company Security Officers, ship operators, U.S. mariners, maritime industry associations, U.S. maritime unions and professional associations, and U.S. mariner related non-governmental organizations are the intended recipients of these messages. Maritime industry stakeholders wishing to be added to the email distribution list for U.S. Maritime Alerts and U.S. Maritime Advisories should email their request to MaradSecurity@dot.gov.

______________________________________________________________________


Please note: This blog always quotes heavily from the sources identified in the opening paragraph. I acknowledge that I should probably be using quotation marks and block indentation. Readers should assume that text is from the source and not original with the blog author unless otherwise stated.

Tuesday, May 2, 2017

Draft NVIC on Cybersecurity Coming Soon

During the April 25-26 2017 meeting of the National Maritime Security Advisory Committee (NMSAC), the Committee was given a regulatory update by U.S. Coast Guard personnel. During this update, the Committee was advised that the draft Navigation and Vessel Inspection Circular (NVIC) on cybersecurity would soon be published. Below are some thoughts on this NVIC and what the Coast Guard has said about the need for a proactive approach to cybersecurity.

During the Maritime Cyber Security Standards Public Meeting on January 15, 2015, discussing the need for voluntary cyber standards, Rear Admiral Paul Thomas, Assistant Commandant for Prevention Policy, stated, “The Coast Guard just recently conducted a study about the cost burden to industry of all the regulations that we have published since 1973. We found that 88% of the entire cost burdens of all regulations, over all those years, were due to two regulations, OPA 90 and MTSA. Both of these regulations followed predictable disasters.  The lesson learned should be that we should not wait for an incident to occur that will make us move forward on reactive, more expensive, regulations; we need to be proactive in approaching this. We are here to have a discussion with industry so we can develop a standard together, one that works and is reasonable in terms of the cost benefit.  If we wait until an incident occurs, that opportunity goes away.” (as quoted in Cyber Risk Management, by LCDR Josh Rose & LT Josie Long, http://aapa.files.cms-plus.com/SeminarPresentations/2015Seminars/2015Cybersecurity/Rose%20USCG%20CYBER.pdf)

In the Rose/Long AAPA presentation, there was a slide concerning the cybersecurity NVIC. Bullet points about this NVIC content include:
• How do we incorporate cyber into risk assessments?
• What tools are available for industry to use for risk assessments?
• MTS standard terms (definitions)
• What are examples of industrial control systems in the maritime environment (what is the scope of NVIC)?

I think one issue that may be addressed in the NVIC is the link between the NIST framework and the Facility Security Plan (FSP) – incorporation of cyber into facility security assessments; guidance for construction of a possible voluntary cyber annex or new FSP section that directly addresses the Framework elements of identify, protect, detect, respond, and recover; guidance for inspectors who encounter these new sections or annexes in annual compliance inspections or during incident post-review. (We'll see how well my crystal ball is functioning.)


This will be a draft NVIC, probably titled “For review and comment only. Not to be used as final guidance.” As a draft NVIC, it will probably be numbered 17-XX, rather than receiving two numbers as the terminal designation. In the Federal Register notice of its publication, there will probably be a section titled Public Participation and Request for Comments.  In this section, there will probably be sub-sections explaining how to submit comments and how to view comments and documents. (Lots of probably’s!)