On March 22, 2013, the Coast Guard will publish the Notice
of Proposed Rulemaking for the TWIC Reader in the Federal Register. To
summarize, facilities and vessels are divided into risk groups and only the
highest risk group (A) will need to use a reader. Lower risk groups will (for
the time being) continue under the present regulatory requirements for TWIC
visual inspection.
For vessels, Risk Group A consists of vessels are
certificated to carry more than 1,000 passengers, carrying CDC in bulk, or
towing CDC in bulk. For facilities, Risk Group A consist of facilities that
handle CDC in bulk, receive vessels that are certificated to carry more than
1,000 passengers, and barge fleeting facilities that receive barges carrying
CDC in bulk. The Coast Guard is considering allowing multiple risk group
designations within one facility. In addition:
- ·
The NPRM does not propose to require owners and
operators to specifically use contact TWIC readers, nor does the NPRM propose
any PIN requirement.
- ·
The compliance deadline for operation is
proposed to be two years after the publication of the final rule. Within 2
years after publication of the TWIC reader final rule, owners and operators
would have to amend their security plans to indicate how they implement the
TWIC reader requirements contained in the applicable sections of 33 CFR parts
101, 104, and 105.
- ·
Exempts from TWIC reader requirements all
vessels with 14 or fewer TWIC-holding crewmembers,
- ·
NPRM withdraws the ANPRM’s proposal to include
noncredentialed individuals engaged on towing vessels not regulated under 33
CFR part 104 among the list of mariners required to possess a TWIC.
- · Owners and operators of vessels or facilities in
Risk Groups B and C would not be required to check TWICs against the CCL.
- ·
Owners and operators would have the discretion
to impose access control measures that are stricter than the minimum regulatory
requirements.
- ·
If a TWIC reader malfunctions, an owner or
operator would still be permitted to grant the individual unescorted access to secure
areas, provided the individual was known to have a valid TWIC and the TWIC was
inspected visually.
- ·
Owners and operators would be required to update
CCL information within 12 hours of any increase in MARSEC Level, regardless of
when the CCL information was last updated. Owners and operators would be required
to use the most recently obtained CCL information when conducting card validity
checks.
- ·
The COTP is authorized to temporarily suspend
TWIC reader requirements at a facility if the COTP determines that such requirements
are causing delays resulting in excessive vehicle build-up or other unintended
consequence. During the period of any such suspension, the owner or operator would
be required to perform visual TWIC inspections for identity verification, card
authentication, and card validation.
- ·
The Coast Guard will continue to analyze risk
data and consider whether additional or modified TWIC reader requirements would
be warranted in the future.
- ·
Considering the several rulemakings that are
going to be issued in the near future, the Coast Guard is currently examining several options to coordinate the rulemakings and
manage the plan submission and re-approval process to ensure that plan changes
occur only as often as necessary to incorporate any new regulatory requirements.
- ·
Amend 33 CFR 104.235 and 105.225 to set forth TWIC
reader recordkeeping requirements. Owners and operators using TWIC readers,
with or without a Physical Access Control System, would be required to maintain
certain records for at least 2 years. During that time, owners and operators would
be required to make those records available to the Coast Guard upon request.
Those records include, with respect to each individual granted unescorted
access to a secure area: (1) FASCN;(2) date that access was granted; (3) time
that access was granted; and (4) if captured, the name of the individual to
whom access was granted. If a TWIC reader or PACS captures the required data when
the TWIC is scanned, and can retain and reproduce that data, the recordkeeping
requirement would be met. Owners and operators would be required to also
maintain records to demonstrate that they have performed the required card validity
check using the CCL on each individual. TWIC reader records are SSI, and would
be required to be protected in accordance with 49 CFR part 1520.
- ·
Physical placement of readers - For facilities, TWIC readers will be required at
the access points to each secure area. If the entire facility is designated as
a secure area, then TWIC readers would only be required at the access points to
the facility itself. If the secure area does not encompass the entire facility,
then TWIC readers would be required at the access points to each secure area.
For vessels, the NPRM proposes to require TWIC readers at the access points to
the vessel itself, regardless of whether the secure area encompasses the entire
vessel.
Below are more provisions of the NPRM. This is just a bare-bones summary. In this NPRM, the Coast Guard goes into great
detail to give information about the processes that affected the
decision-making about this rule, and the rule should be read in its entirety by
the MTSA community. There are also several other related documents available
for viewing in the public docket.
NPRM:
This rulemaking action, once final, would build upon existing
Coast Guard regulations designed to ensure that only individuals who hold a
TWIC are granted unescorted access to secure areas at those locations…..This
rulemaking would also implement the Security and Accountability For Every Port
Act of 2006 electronic TWIC reader requirements.
Comments –
Public Comments will be accepted via http://www.regulations.gov, Docket number USCG-2007-28915. I did not see an ending date for comment
acceptance.
Public
Meetings - USCG intends to hold one or more public meetings regarding the proposals
in this NPRM.A notice with the specific date and location of each meeting will
be published in the Federal Register as soon as this information is known.
Purpose of the
Regulatory Action - This rulemaking, which would require owners and
operators of certain types of vessels and facilities to use electronic TWIC
readers, is necessary to advance the goals of the TWIC program. The Coast Guard
conducted a riskbased analysis of MTSA-regulated vessels and facilities to categorize
them into one of three risk groups. Risk Group A is comprised of vessels and
facilities that present the highest risk of being involved in a transportation
security incident (TSI).Vessels and facilities in Risk Group A would have new TWIC
reader requirements under this rule. Vessels and facilities in Risk Groups B
and C present progressively lower risks, and would continue to follow existing
regulatory requirements for visual TWIC inspection.
Despite the enhanced reliability that TWIC readers
would offer, not all vessels and facilities face security risks that justify
the costs and other burdens that would result from a universal TWIC reader
requirement for all vessels and facilities. Therefore, in this rulemaking, the USCG is considering a phased approach to implementing TWIC reader requirements by proposing
such requirements first for vessels and facilities where the risk of harm is expected to be the
greatest. The USCG will continue to analyze risk data on MTSA-regulated vessels and facilities
and consider whether additional or modified TWIC reader requirements are
warranted in future rulemakings.
How Did the
Coast Guard Determine the Risk Tiering?
The Coast Guard assembled a panel of maritime security
subject matter experts from the Coast Guard and TSA to conduct a risk-based
analysis of MTSA-regulated vessels and facilities. The panel assessed the
distinct types of vessels and facilities using three factors: (1) maximum
consequences to that vessel or facility resulting from a terrorist attack; (2) criticality
to the nation’s health, economy, and national security; and (3) utility of the
TWIC in reducing risk.
For the first factor (maximum consequence resulting from
a terrorist attack), they used the Coast Guard’s Maritime Security Risk Analysis
Model (MSRAM).
For the second factor (criticality to the nation’s
health, economy, and national security), they considered the impact of the total
loss of a vessel or facility beyond the immediate local consequences, taking
into account the regional or national impacts on human health, the economy, and
national security.
For the third factor (TWIC utility), they considered
the utility of the TWIC program in reducing a vessel’s or facility’s vulnerability
to a terrorist attack.
The Coast Guard combined the above three factors and developed an overall
risk ranking of vessels and facilities by type. The panel then assigned
numerical valued weights to the three
factors. In determining the final weights, the panel
chose the approach that best reflected its understanding of the maritime environment
and TWIC program implementation, the importance of consequences in representing
target attractiveness to terrorists, and the panel’s expert perspective of
risk. The actual numerical valued weights finalized by the panel are Sensitive
Security Information (SSI). Finally, the panel calculated the priority scores for each vessel and
facility type. At the end of this process, types of vessels and facilities with
similar scores were combined into one of three risk groups.
Vessels and facilities that present a heightened risk
for being involved in a TSI, Risk Group A, would have new TWIC reader
requirements under this rule. For now, vessels and facilities that do not
present this heightened risk would either continue to visually inspect TWICs or
voluntarily deploy TWIC readers.
Comparison
between the ANPRM and the NPRM:
Based on the public comments received in response to
the ANPRM, the findings of the DHS pilot program, and further analysis of the
relevant issues, this NPRM reiterates many of the ANPRM’s proposals, including
retaining the ANPRM’s riskbased framework for classifying vessels and facilities into
the same three risk groups. As in the ANPRM, vessels and facilities are
generally placed in higher risk groups based on the hazardous nature of the cargo handled or carried, or
an increase in the number of passengers present…The main change in approach
from the ANPRM to this NPRM is regarding the TWIC reader requirements for the
different risk groups. Specifically, this NPRM proposes TWIC reader requirements
for Risk Group A only….Proposing TWIC reader requirements for Risk Group A only
in this NPRM is indicative of our desire to minimize highest risks first, but
should not be read to foreclose revised TWIC reader requirements in the future.
The Coast Guard will continue to gather and analyze data to determine how the use of TWIC
readers might be appropriate for each risk group.
Summary of
Costs and Benefits: Under MTSA, the Coast Guard regulates approximately
13,825 vessels, 3,270 facilities, and 56 Outer Continental Shelf (OCS) facilities. Of those MTSA-regulated facilities that
could have potentially been regulated, 38 vessels and 532 facilities are affected
by this proposed rule. The Coast Guard estimates the annualized cost of this proposed rule on
the affected population of 38 vessels and 532 facilities to be about $26.5 million, while
the 10-year cost is $186.1 million, discounted at 7 percent. The main cost drivers
of this proposal are the acquisition, installation, and integration of TWIC
readers into access control systems.
Specifics for
Reader Requirements: new 33 CFR 101.520, for Risk Group A
At MARSEC Level 1, all persons seeking unescorted
access to secure areas would be required to present a TWIC and fingerprint for
biometric identity verification, card authentication, and card validity check.
The owner or operator would be required to
perform the card validity check based on CCL
information no more than 7 days old. At MARSEC Level 2, the same procedures
would apply as those at MARSEC Level 1, except that the owner or operator would
be required to perform the card validity check based on CCL information no more
than 1 day old. Two additional provisions - First, owners and operators would
be required to update CCL information within 12 hours of any increase in MARSEC
Level, regardless of when the CCL information was last updated. Second, owners
and operators would be required to use the most recently obtained CCL information when conducting
card validity checks. The COTP is authorized to temporarily suspend TWIC reader
requirements at a facility if the COTP determines that such requirements are
causing delays resulting in excessive vehicle build-up or other unintended consequence. A facility
owner or operator could contact the COTP seeking such a determination. During
the period of any such suspension, the owner or operator would be required to
perform visual TWIC inspections for
identity verification, card authentication, and card
validation.
New 33 CFR
101.520(e), exempting all vessels with 14 or fewer TWIC-holding crewmembers
from TWIC reader requirements.
New 33 CFR
101.525 and 101.530 – set forth the TWIC visual inspection requirements for
Risk Groups B and C, respectively. At all MARSEC Levels, all persons seeking
unescorted access to secure areas of vessels or facilities in Risk Groups B or
C would be required to present a TWIC for visual
identity verification, card authentication, and card validity check, prior to
each entry. An owner or operator would perform identity verification by visually matching the
photograph on the TWIC to the individual presenting it. An owner or operator would
verify TWIC authenticity by visually checking its security features to
determine whether it has been tampered with or forged. An owner or operator
would validate the TWIC by visually checking the expiration date on the face of
the TWIC to determine whether it has expired. Owners and operators of vessels or facilities in Risk Groups B and C would
not be required to check TWICs against the CCL.
New 33 CFR
101.535 – TWIC inspection requirements in special circumstances. These
provisions are designed to provide an appropriate
level of flexibility in the TWIC reader and inspection requirements when special
circumstances arise. If an individual is unable to present a TWIC because it
has been lost, damaged, or stolen, and the individual has previously been
granted unescorted access to secure areas and is known to have previously possessed a TWIC, an owner or operator
would be permitted to grant the individual unescorted access to secure areas
for a period of no longer than 7 consecutive days, provided that certain
conditions are met. Owners and operators will need to describe the process to
be used to handle exceptions to using readers – such as an when individual has
poor quality fingerprints, or no fingerprint minutiae – in their security plans.
If a TWIC reader malfunctions, an owner or operator
would still be permitted to grant the individual unescorted access to secure
areas, provided that certain conditions are met. First, the individual would be
required to have previously been granted unescorted access to secure areas in
the past, and the individual would be required to be known to have a TWIC. Second,
the owner or operator would be required to perform identity verification, card
validation and card authentication by visual inspection. An owner or operator
may rely on this alternative for a period of 7 calendar days while the TWIC reader malfunction is corrected.
To ensure that
CCL information is updated and used appropriately - Owners and operators
would be required to update CCL information within 12 hours of any increase in
MARSEC Level, regardless of when the CCL information was last updated. Second,
owners and operators would be required to use the most recently obtained CCL
information when conducting card validity checks.
Compliance
Deadlines - Within 2 years after publication of the TWIC reader final rule,
owners and operators would be required to be operating in accordance with the
requirements contained in that final rule. Also, within 2 years after
publication of the TWIC reader final rule, owners and operators would have to
amend their security plans to indicate how they implement the TWIC reader
requirements contained in the applicable sections of 33 CFR parts 101, 104, and
105.
Recordkeeping –
the Coast Guard proposes to amend 33 CFR 104.235 and 105.225 to set forth TWIC
reader recordkeeping requirements. Owners and operators using TWIC readers,
with or without a PACS, would be required to maintain certain records for at
least 2 years. During that time, owners and operators would be required to make
those records available to the Coast Guard upon request. Those records include,
with respect to each individual granted unescorted access to a secure area: (1)
FASCN;(2) date that access was granted; (3) time that access was granted; and
(4) if captured, the name of the individual to whom access was granted. If a
TWIC reader or PACS captures the required data when the TWIC is scanned, and
can retain and reproduce that data, the recordkeeping requirement would be met.
Owners and operators would be required to also maintain records to demonstrate
that they have performed the required card validity check using the CCL on each
individual. Finally, we propose to include a regulatory provision indicating
that TWIC reader records are SSI, and would be required to be protected in accordance
with 49 CFR part 1520.
Movement
Between Risk Groups - based on the materials they are carrying or handling,
or the types of vessels they are receiving at any given time, designed to
provide flexibility to owners and operators of vessels and facilities that only
meet the Risk Group A criteria on a periodic basis. An owner or operator
wishing to take advantage of one of these provisions would be required to explain
how the vessel or facility would move between risk groups in an amended
security plan.
Physical
placement of readers - For facilities,
this NPRM proposes to require TWIC readers at the access points to each secure
area. If the entire facility is designated as a secure area, then TWIC readers
would only be required at the access points to the facility itself. If the secure
area does not encompass the entire facility, then TWIC readers would be
required at the access points to each secure area. For vessels, this NPRM
proposes to require TWIC readers at the access points to the vessel itself,
regardless of whether the secure area encompasses the entire vessel.