Wednesday, February 29, 2012

TWIC Reader Pilot Program Final Report from DHS

On February 27, 2012, DHS issued the SAFEPort Act Final Report on the TWIC Reader Pilot Program. Below are selected quotes from the summary of findings of the report. The purpose of this report is to convey the findings of the Reader Pilot as per the SAFE Port Act.


“The TWIC Reader Pilot was conducted through the combined efforts of a number of DHS offices and components. The Transportation Security Administration (TSA) conducted the pilot and was responsible for overall execution of the TWIC Pilot Test and Evaluation Master Plan (TEMP) developed by the DHS Science & Technology (S&T) Directorate. The DHS Screening Coordination Office (SCO) provided policy guidance regarding the use of biometric credentials. The Federal Emergency Management Administration (FEMA) awarded and administered the Port Security Grants that provided funding to ports and individual facility operators to procure and install the readers and reader infrastructure used in the Reader Pilot….The U.S. Coast Guard (USCG), which is the agency responsible for promulgating the future regulation specifying the use of TWIC readers, participated in all aspects of the Reader Pilot. The USCG will consider the results of the pilot in preparing a Notice of Proposed Rulemaking and subsequent Final TWIC Reader Rule.


To provide independent verification of test procedures and data gathering, DHS S&T arranged for the U.S. Navy Space and Naval Warfare Systems Center Atlantic in Charleston, SC to serve as the Independent Test Agent (ITA) for the Reader Pilot....”


"Key Findings

Despite a number of challenges, the TWIC Reader Pilot obtained sufficient data to evaluate reader performance and assess the impact of using readers at ports and maritime facilities. The lessons learned during the Reader Pilot will provide valuable information regarding readers and access control systems to maritime users.

It was determined that TWIC reader systems function properly when they are designed, installed, and operated in a manner consistent with the characteristics and business needs of the facility or vessel operation.

It also found that reader systems can make access decisions efficiently and effectively.

A number of operational and technological difficulties were documented that affected overall success at many pilot locations….(including) challenges such as complex complexity of biometric credential and reader technology, equipment performance and reliability, operator and user training, card stock durability, and the reluctance of some workers and facilities to use the readers..."


"Business Impact, Throughput without Biometric Identity Verification - …despite having slower throughput times, contact readers proved to have fewer incomplete reader transactions than contactless readers as long as they were protected from debris and moisture and not subjected to excessive wear from use in high-volume situations.


Business Impact, Throughput with Biometric Identity Verification-…the extent of the delay for processing an individual at an access point was sometimes compounded by user unfamiliarity with the TWIC authentication process. It is important to note that when a user is properly trained and acclimated to interface with the card reader, transaction times decrease considerably. TSA plans to issue future documentation of lessons learned to address these and other findings.


“Training -In general, training requirements were underestimated by the pilot participants. Workers who reported to the same facility daily learned to use the readers quickly. However, when workers were required to access multiple facilities, individuals had to become familiar with site-specific business processes and requirements. Acclimation was further compounded by various reader ergonomics found at different port access points. Readers placed at heights ordistances awkward for drivers to reach slowed access and, in some cases, created a danger to drivers trying to reach misplaced readers. There was also difficulty reading messages on the screens of readers not shielded from direct sunlight, which prevented users from determining the cause of access denial.

In addition to proper training for worker populations, facilities and security personnel required training on how to use the TWIC system. Successful reader and access control system operations require an understanding of the reader and system operation appropriate to the role of the user. Some access control system operators and their security personnel were unfamiliar with the messaging provided by their readers and access control systems, resulting in incorrect assumptions as to the cause of an incomplete read of a card or access denial. In some cases, workers were told there was a problem with their TWIC card when it was actually functioning properly. In addition, many of these access denial problems were traced to individuals not being registered in the access control system.

This unfamiliarity with reader technology also extended to portable TWIC readers. Without sufficient training, security personnel encountered problems operating portable readers-shifting from one reader mode to another or rebooting readers if they "freeze" or "lock up". At facilities where workers are required to enter and exit secure areas multiple times over short periods, biometric identity verification upon every entry is difficult to maintain, especially using portable readers. In some cases portable readers malfunctioned when used carelessly in wet conditions not aligned with vendor guidance.”


“Technology

Reader Performance- The Reader Pilot provided one of the first opportunities to gain knowledge regarding the performance of cards and readers in an actual long-term application. Reader performance in this pilot varied widely. Some readers performed well throughout the TWIC Reader Pilot; some readers were not as mature technologically; others required adjustments; and in one case, the readers initially installed at a facility repeatedly failed and were replaced by readers from another vendor.

Card Stock Durability and Electronic Maturity - TWIC card stock is the same as that used for Personal Identity Verification (PIV) cards issued to all federal employees and contractors as well as members of the military. However, through the Reader Pilot, TSA discovered that an unexpectedly high number of TWIC cards had malfunctioned electronically and could not be read with readers.4 Most TWIC cards that failed could not transmit information to a contactless reader despite the fact that the integrated circuit chip (ICC) could be read by a contact reader.”


More to come…Thanks to my friend Don Bruce for sending this report to me. The Houston-Galveston AMSC Facility Security Working Group (http://www.fswg.org) is the best place to go for the best and latest on TWIC.

Friday, February 17, 2012

Preliminary Review of FY 2012 PSGP Solicitation

On February 17, 2012, DHS published the Funding Opportunity Announcement (grant solicitation) for the FY2012 Port Security Grant Program (PSGP.) It can be found at http://www.fema.gov/pdf/government/grant/2012/fy12_psgp_foa.pdf. Below is some information gleaned from an initial scan of the solicitation.

424’s into Grants.gov April 27, 2012

Application deadline is May 4, 2012.

Anticipated Funding Selection Date: 06/29/2012

Anticipated Award Date: 09/30/2012

Cost match is back.

The following match requirements apply for the FY 2012 PSGP (including ferry systems):

Public Sector. Public sector applicants must provide a non-Federal match (cash or in-kind) supporting at least 25 percent of the total project cost for each proposed project.

Private Sector. Private sector applicants must provide a non-Federal match (cash or in-kind) supporting at least 50 percent of the total project cost for each proposed project.

Exceptions. There is no matching requirement for grant awards where the total award is $25,000 or less (with the exception of national and/or regional corporations submitting 11 or more projects throughout their system[s]). If the Secretary of Homeland Security determines that a proposed project merits support and cannot be undertaken without a higher rate of Federal support, the Secretary may approve grants with a matching requirement other than that specified above in accordance with Title 46, Section 70107 of the United States Code of Federal Regulations (46 U.S.C. 70107[c][2][B]).

Field level review will be managed at the COTP level.

Review criteria will be:

Criteria #1. Projects that support development and sustainment of the core capabilities in the NPG and align to PSGP funding priorities identified in Appendix B – FY 2012 PSGP Priorities. These include:

Enhancing Maritime Domain Awareness (MDA)

Enhancing Improvised Explosive Device (IED) and Chemical, Biological, Radiological, Nuclear, Explosive (CBRNE) prevention, protection, response and supporting recovery capabilities

Port Resilience and Recovery Capabilities

Training and Exercises

Equipment Associated with Transportation Worker Identification Credential (TWIC) Implementation

Criteria #2. Projects that address priorities outlined in the applicable AMSP, as mandated under the MTSA and/or the Port-Wide Risk Mitigation Plans (PRMP)

Criteria #3. Projects that address additional security priorities based on the COTP’s expertise and experience of the COTP within the specific port area

Criteria #4. Projects that offer the highest potential for risk reduction for the least cost

Ineligible Entities

The PSGP will not accept applications or IJs from an applicant or sub-applicant for the purpose of providing a service or product to an otherwise eligible entity.

NO FA’s

The Fiduciary Agent process will not be utilized in the FY 2012 PSGP. Eligible applicants will apply directly to FEMA for funding under this program.

PRMP - Port-Wide Risk Management Planning for Group I and Group II Port Areas

In order to receive FY 2012 PSGP funds, Group I and Group II port areas are required to have in place an approved PRMP.

Key language from Funding Guidelines:

First, DHS will focus the bulk of its available port security grant dollars on the highest risk port systems. This determination is based on ongoing intelligence analysis, extensive security reviews, and consultations with port industry partners.

Second, DHS places a very high priority on ensuring that all PSGP applications reflect robust regional coordination and an investment strategy that institutionalizes and integrates a regional maritime security risk strategy.

PSGP Priorities

1. Enhancing Maritime Domain Awareness (MDA)

MDA is the critical enabler that allows leaders at all levels to make effective decisions and act early against threats to the security of the Nation’s seaports. In support of the National Strategy for Maritime Security and the Prevention and Protection mission areas of the NPG, port areas should seek to enhance their MDA through projects that address knowledge capabilities within the maritime domain.

This effort could include access control/standardized credentialing, command and control, communications, and enhanced intelligence sharing and analysis. This effort may also include construction or infrastructure improvement projects that are identified in the PRMP and/or FSPs and/or Vessel Security Plans (VSPs). Construction and enhancement of Interagency Operations Centers for port security should be considered a priority for promoting MDA and unity of effort. MDA requires a coordinated unity of effort within and among public and private sector organizations and international partners. The need for security is a mutual interest requiring the greatest cooperation between industry and government. MDA depends upon unparalleled information sharing. MDA must have protocols to protect private sector proprietary information. Bi-lateral or multi-lateral information sharing agreements and international conventions and treaties will greatly assist enabling MDA.

2. Enhancing Improvised Explosive Device (IED) and Chemical, Biological, Radiological, Nuclear, Explosive (CBRNE) prevention, protection, response and supporting recovery capabilities

Port areas should continue to enhance their capabilities to prevent, detect, respond to and recover from terrorist attacks employing IEDs, CBRNE devices and other non-conventional weapons. Of particular concern in the port environment are attacks that employ IEDs delivered via small craft (similar to the attack on the USS Cole), by underwater swimmers (such as underwater mines), or on ferries (both passenger and vehicle). Please refer to the DHS Small Vessel Security Strategy April 2008 document, which can be found at http://www.dhs.gov/files/publications/gc_1209408805402.shtm.

3. Port Resilience and Recovery Capabilities

The Nation’s ability to withstand threats and hazards requires an understanding of risks and robust efforts to reduce vulnerabilities. Mitigating vulnerabilities reduces both the direct consequences and the response and recovery requirements of disasters. One of the core missions of DHS, as outlined in the Quadrennial Homeland Security Review (QHSR) Report, is “ensuring resilience to disasters”. A major goal in support of this mission is to “improve the Nation’s ability to adapt and rapidly recover.” A main objective of this goal is to sustain critical capabilities and restore essential services in a timely manner.

Those responsible for the security and resilience of our Nation’s ports must take appropriate action to reduce risk related vulnerabilities. Resilience spans the full spectrum of activities by exploring options and identifying processes that reduce the magnitude and duration of disruptions. PSGP funds are intended to assist “risk owners” in addressing port security vulnerabilities. Port resilience and recovery should be viewed as a critical component of this overarching effort. During the FY 2007 Supplemental round of port security grants, port stakeholders, through their Area Maritime Security Committees, were encouraged to develop BCRTPs. Those ports that already have completed plans should pursue PSGP funds to address their identified risks and vulnerabilities, including any worthwhile projects that would help enable continuity of port operations and/or rapid recovery of the port following a major incident. Ports that have not completed plans are highly encouraged to complete them and may apply for PSGP funding to facilitate that effort.

4. Training and Exercises

Port areas should assess their training and qualification requirements, coordinate training and qualification of incident response personnel, and regularly test these capabilities through emergency exercises and drills. Exercises must follow the Area Maritime Security Training Exercise Program (AMSTEP) or the Transportation Security Administration (TSA) Intermodal Security Training Exercise Program (ISTEP) guidelines that test operational protocols that would be implemented in the event of a terrorist attack. The efforts include live situational exercises involving various threat and disaster scenarios, table-top exercises, and methods forimplementing lessons learned.

5. Equipment Associated with Transportation Worker Identification Credential (TWIC) Implementation

TWIC is a congressionally-mandated security program through which DHS will conduct appropriate background investigations and issue biometrically enabled and secure identification cards for individuals requiring unescorted access to U.S. port facilities. Regulations outlining the initial phase of this program (card issuance) were issued by TSA in cooperation with the Coast Guard in volume 72 of the Federal Register on page 3492, dated January 25, 2007. See FEMA GPD IB 343, dated June 21, 2010 for further information on the TWIC program and guidance forexecuting PSGP-funded TWIC projects. For FY 2012, infrastructure and installation projects that support TWIC implementation (e.g. cabling, Information Technology [IT], limited construction, etc.) will be given a higher priority than the purchase of TWIC card readers.