Sunday, March 20, 2011

PAC 01-11, Voluntary Use of TWIC Readers

On March 15, 2001, the U. S. Coast Guard issued Policy Advisory Council (PAC) Decision 01-11, ``Voluntary Use of TWIC Readers.'' Because the readers are still in the pilot stage, facility owner/operators who received grant funding have been reluctant to move forward with purchasing readers. This PAC was issued to give more guidance in purchasing and installing TWIC readers and systems. Below are some points to consider from the PAC.

In discussing the three-pronged card verification, the PAC states:

(1) Regarding Identity verification, the current requirement for identify verification is to compare the photo on the TWIC to the person at the access point (33 CFR 104.265(c)(1)(i), 105.255(c)(1)(i)), or 106.260(c)(1)(i)).

In accordance with 33 CFR §101.130, the Coast Guard determines that a biometric match using a TWIC reader from the TSA list of readers that have passed the Initial Capability Evaluation (ICE) Test (available at: http://www.tsa.gov/assets/pdf/twic_ice_list.pdf ) to confirm that the biometric template stored on the TWIC matches the fingerprint of the individual presenting the TWIC meets or exceeds the effectiveness of the identity verification check.

2. Regarding card validity, the current requirement for card validity is visual inspection to check that the TWIC has not expired (33 CFR 104.265(c)(1)(ii), 105.255(c)(1)(ii), or 106.260(c)(1)(ii)).

In accordance with 33 CFR §101.130, the Coast Guard determines that using a TWIC reader to check for card validity by either

(a) comparing the card’s internal Federal Agency Smart Card Number (FASC–N) to the TSA Cancelled Card List or

(b) using a Certificate Revocation List (CRL)

3. Regarding card authentication, the current requirement for card authentication is visual and/or physical inspection of various security features present on the card (33 CFR 104.265(c)(1)(iii), 105.255(c)(1)(iii), or 106.260(c)(1)(iii)).

In accordance with 33 CFR §101.130, the Coast Guard determines that card authentication with a TWIC reader to perform the CHALLENGE/RESPONSE protocol using the Card Authentication Certificate and the card authentication private key on the TWIC meets or exceeds the effectiveness of the card authentication.

Further:

4. Readers must be operated and maintained in accordance with manufacturer’s instructions, and operated by personnel trained in the use of the reader.

5. The plan must be amended to reflect the use of the reader.

6. PAC Decision 08-09, Incorporating TWIC into Existing Physical Access Control Systems - Change 1, remains valid for vessels or facilities with existing electronic physical access control systems as long as the systems can support a match between the local access card and the individual’s valid TWIC upon each entry.

7. Please note: this PAC is studded with warnings that any readers used that satisfy this PAC may not satisfy a subsequent rulemaking. And: “Any grandfathering or phase-in period considerations will be addressed in the rulemaking process, providing adequate opportunity for comment, but should in no way be inferred from this interim guidance. “ (My emphasis.)

No comments:

Post a Comment