Friday, May 20, 2011

FY 2011 PSGP Solicitation Issued

Yesterday DHS/FEMA issued the solicitations for the FY 2011 Preparedness Grants. The port security grant guidelines can be found at http://www.fema.gov/pdf/government/grant/2011/fy11_psgp_kit.pdf.The total amount of funds distributed under the FY 2011 PSGP will be $235,029,000.Because FEMA will need to conduct an initial review of the application prior to the submission deadline of June 20, 2011, grantees are encouraged to initiate and complete the Standard Form 424 submission within Grants.gov by no later than June 13, 2011. There is once again no cost match for this grant, it is deemed waived. Priorities for this grant are:

· Enhancing Maritime Domain Awareness (MDA)

· Enhancing Improvised Explosive Device (IED) and Chemical, Biological, Radiological, Nuclear, Explosive (CBRNE) prevention, protection, response and supporting recovery capabilities

· Port Resilience and Recovery Capabilities

· Training and Exercises

· Efforts supporting implementation of the Transportation Worker Identification Credential (TWIC)

Regarding training and exercises, it is noted that MARAD-approved training is not eligible to be funded under this grant. Regarding using PSGP funds for TWIC issues, applicants need to read the fine print in the FEMA guidance documents cited in the solicitation. Fees associated with the application for and issuance of the TWIC cards themselves are ineligible for award consideration. Allowable costs under this section include those projects that will ensure the safe and secure transit of foreign seafarers and shore staff/support [who are not eligible for TWIC] to and from the vessel while at MTSA regulated facilities. PSGP TWIC funding recipients may be required to provide data and lessons learned from the application of card readers and associated systems. Systems implemented with grant funding may be used by recipients to comply with all TWIC rulemaking requirements once established.

Tuesday, May 17, 2011

MUST READ: Houston/Galveston AMSC Facility Security Work Group TWIC Reader Task Group (TRTG) Meeting Minutes for March 31.

I was contacted by Don Bruce of the Houston/Galveston AMSC. He sent me the transcript of the AMSC Facility Security Work Group TWIC Reader Task Group (TRTG) meeting minutes for March 31. The subject of the meeting was a TSA TWIC Program Office presentation. The Facility Security Work Group is a subgroup of the AMSC, tasked with focusing on all aspects of facility security, monitoring pending regulatory requirements; identifying security-related issues; identifying best practices and mutually agreeable solutions; communicating lessons learned and/or recommendations, and implementing outreach.

In his email to me, Mr. Bruce describes the meeting minutes as the most forthcoming explanation of the current status of the TWIC Pilot Test, TWIC Reader Rule, TWIC ICE List, TWIC Lessons Learned, TWIC Alternate Biometric Process, etc. that exists. I agree wholeheartedly. The text is available at http://www.fswg.org/files/DDF/4%20TRTG%20Meeting%20Minutes%20%203-31-11%20%20%28TSA-Transcript%29.pdf

Major contributors to this meeting were Don Bruce, Chairman of two AMSC Facility Security Work Group (FSWG) Subcommittees, the Access and Regulatory Subcommittees; Walter Hamilton, senior consultant for Identification Technology Partners out of Gaithersburg, Maryland. This company is the TWIC contractor for TSA TWIC program office. He is also chairman and president of the International Biometrics and Identification Association (IBIA) which is a nonprofit trade organization based in Washington, DC; John Martin of JTAC Consulting, who was employed by BearingPoint as Operations Manager of the TWIC program and was responsible for all of the initial TWIC pilot deployments and the Independent Verification & Validation (IV &V) testing; John Schwartz, Program Manager for the TWIC program for TSA; Michael Plostock, TWIC Pilot and ICE (Initial Capability Evaluation) List Project Manager; and Don Bruce

If you are affected by the TWIC program, or affected by MTSA regulations, you need to read these meeting minutes. The transcript has been annotated/highlighted by topics, which is very helpful. Among the many, many useful bits of information in these notes is a reinforcement of the news on PIN usage: neither TSA nor the USCG will be requiring PIN usage. p. 12.

This working group has also developed a TWIC Access Control Questionnaire. From this questionnaire, they are developing a Lessons Learned report that should be published shortly. p. 15. Concerning alternate technologies to fingerprints for verifying identity, “The FIPS 201 standard is being modified to incorporate Iris technology as an alternative biometric to fingerprint which can also be stored on the chip in addition to fingerprint templates or in lieu of fingerprint templates in the event that an individual can’t present a high enough quality fingerprint image. “ Walter Hamilton, p. 15.

Congratulations to this active AMSC working group, for furnishing this high-quality information in an extremely readable format. These meeting minutes are just one example of the excellent work product of this committee. The site at http://www.fswg.org is a wealth of information for the MTSA community in general.

Wednesday, May 11, 2011

GAO-11-657, Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives.

On May 10, 2011, the Government Accountability Office issued GAO-11-657, Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives. This is an important report for owners and operators of regulated facilities and vessels to consider.

To boil it down to essentials, the report addresses the vexing question, does the TWIC program do what it is supposed to do, does it produce reasonable assurance that unescorted access to secure areas of MTSA-regulated facilities and vessels is limited to qualified individuals? To come to an answer, GAO studies the TWIC program from from November 2009 through March 2011 and used the following data and procedures to come to their conclusions:

  • · reviewed applicable laws, regulations, and policies.
  • · reviewed documentation provided by TSA on the TWIC program systems and processes, such as the TWIC User Manual for Trusted Agents, Statement of Objectives, and Concept of Operations.
  • · reviewed the processes and data sources with TWIC program management from TSA and Lockheed Martin (the contractor responsible for implementing the program).
  • ·met with (1) the Director of Vetting Operations at TSA’s Colorado Springs Operations Center (CSOC), where background checks for links to terrorism and continual vetting of TWIC holders is to take place;
  • met with the Operations Manager for the Adjudication Center, where secondary background checks are to be conducted for applicants with identified criminal or immigration issues;
  • met with the Director at DHS’s Screening Coordination Office responsible for overseeing credentialing programs across DHS.
  • met with the Criminal Justice Information Services Division at the Federal Bureau of Investigation (FBI) to discuss criminal vetting processes and policies
  • evaluated the processes against the TWIC program’s mission needs and Standards for Internal Control in the Federal Government.
  • visited four TWIC enrollment and activation centers located in areas with high population density and near ports participating in the TWIC pilot to observe how TWIC enrollments are conducted.
  • had GAO investigators conduct covert testing at enrollment center(s) operating at the time to identify whether individuals providing fraudulent information could acquire an authentic TWIC.
  • visited or met with officials at each of the seven original pilot sites being used to test TWIC card readers, interviewed port security officials at two additional ports responsible for implementing TWIC at their port, and met with nine maritime or transportation industry associations to obtain information on (1) the use of TWIC as a flashpass and with biometric readers where they are in use, (2) experiences with TWIC card performance, and (3) any suspected or reported cases of TWIC card fraud.
  • met with TWIC program officials from TSA and the Coast Guard, as well as Coast Guard officials responsible for assessing maritime security risk, and reviewed related documents, to identify how TWIC is to enhance maritime security.
  • met with Coast Guard TWIC program officials, data management staff, and Coast Guard officials stationed at four port areas across the United States with enforcement responsibilities to assess the agency’s approach to enforcing compliance with TWIC regulations and measuring program effectiveness.
  • reviewed the type and substance of management information available to the Coast Guard for assessing compliance with TWIC.
  • evaluated the Coast Guard’s practices against TWIC program mission needs and Standards for Internal Control in the Federal Government. (pp. 4-7.)

GAO notes that the information they gained at the port visits cannot be generalized across the system as a whole but that “the ports we visited accounted for 56 percent of maritime container trade in the United States, and the ports our investigators visited as part of our covert testing efforts accounted for 54 percent of maritime container trade in the United States in 2009.” p.6.

Within the broad regulatory requirement of the provision of a common credential for all transportation workers across the United States who require unescorted access to secure areas at MTSA-regulated maritime facilities and vessels, the TWIC program also seeks to:

1. Positively identify authorized individuals who require unescorted access to secure areas of the nation’s transportation system.

2. Determine the eligibility of individuals to be authorized unescorted access to secure areas of the transportation system by conducting a security threat assessment.

3. Ensure that unauthorized individuals are not able to defeat or otherwise compromise the access system in order to be granted permissions that have been assigned to an authorized individual.

4. Identify individuals who fail to maintain their eligibility requirements subsequent to being permitted unescorted access to secure areas of the nation’s transportation system and immediately revoke the individual’s permissions. (p.9.)

According to the GAO, how well is the program meeting these goals? The agency identified the following major weaknesses:

  • Internal controls in the enrollment and background checking processes are not designed to provide reasonable assurance that (1) only qualified individuals can acquire TWICs; (2) adjudicators follow a process with clear criteria for applying discretionary authority when applicants are found to have extensive criminal convictions; or (3) once issued a TWIC, TWIC holders have maintained their eligibility. An example of this weakness is the admission by TSA that if a worker obtains a valid TWIC by fraudulent means, that person is deemed not to be a security threat to the maritime environment because a holder of a valid TWIC is presumed to have met TWIC-related qualifications during a background check. The report contains the following startling statement: “TWIC program officials told us that control weaknesses were not addressed prior to initiating the TWIC program because they had not previously identified them, or because they would be too costly to address. “ p.17. GAO investigators went to TWIC enrollment centers, declared themselves US citizens who needed a TWIC, passed the process, and received their cards. During this enrollment, the GAO investigators provided counterfeit or fraudulently acquired documents, but they were not detected. The trusted agents performing the enrollment are given rudimentary training in detecting fraudulent documents. Proof of citizenship is also an issue. As of December 1, 2010, nearly 86 percent of approved TWIC enrollments were by self-identified United States citizens or nationals asserting that they were born in the United States or a United States territory. p. 19. The TWIC program does not require that applicants claiming to be U.S.-born citizens or nationals provide identity documents that demonstrate proof of citizenship, or lawful status in the United States. p.19 49 CFR require the applicant to disclose the reason that he needs the card, and the locations where it will be used, but this provision is not enforced in the enrollment process. There is no way to tell if persons being issued TWICS really need them.
  • “In determining whether an applicant poses a security threat, TSA officials stated that adjudicators have the discretion to consider the totality of an individual’s criminal record, including criminal offenses not defined as a permanent or interim disqualifying criminal offenses, such as theft or larceny…TSA may determine that an applicant poses a security threat if the search conducted reveals extensive foreign or domestic criminal convictions.” p.24-25. TSA has not developed guidance for adjudicators to apply consistently across the system when dealing with the totality of an individual’s criminal record. This is especially important when viewed in the light of the fact, that, at the time of enrollment, approximately 27 percent of individuals approved for a TWIC had a criminal record based on results obtained from the FBI. p.25. Difficult as it is to believe, out of the universe of 460,786 applications with criminal records, 1 application was denied because of an offense not designed as a permanent or interim offense. p.26.
  • In order to determine if a cardholder has committed a prohibited offense after obtaining a TWIC, TSA conducts name-based checks against federal wants and warrants. TSA is unable to run a more accurate fingerprint-based FBI check if the prints are more than a year old because the FBI would charge TSA $17.25 per check. p.. 27. GAO states that TSA has not explored other less costly means of verification, such as tapping into means already available to maritime stakeholders.
  • If a person obtains a TWIC card on the strength of a visa that is about to expire, TSA does not require that person to show proof that they have legal status in the U. S.
  • GAO investigators used counterfeit TWIC’s, valid TWIC’s acquired through fraudulent means, and fraudulent reasons for needing unescorted access to access secure areas of MTSA facilities. In cases where a secondary port identity card was needed, they were not able to obtain unescorted access. P. 30.
  • GAO states that “DHS has not demonstrated that TWIC, as currently implemented and planned with readers, is more effective than prior approaches used to limit access to ports and facilities, such as using facility specific identity credentials with business cases.“ p.32. GAO suggests that DHS conduct a risk-informed cost-benefit analysis as part of the regulatory analysis required by the next rulemaking on TWIC. The Coast Guard also needs to revise its MISLE data collection system in order to “identify and assess TWIC-related compliance and enforcement trends, and to obtain management information needed to assess and understand existing vulnerabilities with the use of TWIC.” P.38.

Overall, this is a discouraging review of a program that many good people have worked long and hard to implement. It is worth reading in its entirety, both for the wealth of details about the TWIC program as well as for the bad news bombs delivered on nearly every page.