Friday, March 22, 2013

More from TWIC Reader Notice of Proposed Rulemaking



Will there be a different requirement for TWIC reader use at elevated MARSEC Levels for Risk Group A?

The Coast Guard recognizes that the system of MARSEC Levels creates a useful mechanism for the Coast Guard to elevate security requirements at times of heightened risk. Nonetheless, the Coast Guard uses this mechanism in a targeted manner, and at this time, the Coast Guard does not believe that elevated TWIC reader requirements at higher MARSEC Levels are generally practical or appropriate. In considering the comments above, the Coast Guard notes the change that it has made from the ANPRM to this NPRM with respect to TWIC reader requirements. In the NPRM, the Coast Guard proposed TWIC reader requirements for Risk Groups A and B, with stricter TWIC reader requirements for both risk groups at higher MARSEC Levels. The ANPRM’s stricter TWIC reader requirements would have primarily affected Risk Group B because the ANPRM proposed routine biometric scanning with a TWIC reader for Risk Group A at all MARSEC Levels. For example, the ANPRM would have required Risk Group B to use TWIC readers at MARSEC Level 1 for card authentication (i.e., no routine biometric scan) and once-monthly biometric identity verification. The ANPRM, however, would have only required Risk Group B to regularly use TWIC readers for biometric identity verification at higher MARSEC Levels. In this NPRM, the Coast Guard has eliminated the proposed TWIC reader requirements for Risk Group B. The requirements for routine biometric scanning with a TWIC reader for Risk Group A remain the same as in the ANPRM. Note that the Coast Guard proposes increased requirements at higher MARSEC Levels to the extent that the NPRM would require Risk Group A to perform daily updates of CCL information at higher MARSEC Levels, instead of the weekly updates required at MARSEC Level 1.

What types of readers may be utilized?

The Department of Commerce’s National Institute of Standards and Technology (NIST) and TSA are developing TWIC reader specifications. TSA will establish a process to qualify TWIC readers, and will maintain a Qualified Technology List (QTL) of acceptable TWIC readers. The Coast Guard anticipates that there may be changes from the ICE Test list to the QTL list, based on final TWIC reader specifications resulting from the QTL process.

A list of TWIC readers that have passed the Initial Capability Evaluation (ICE) Test is available at http://www.tsa.gov/assets/pdf/twic_ice_list.pdf. As stated in PAC–D 01–11, however, TWIC readers allowed pursuant to PAC–D 01–11 may no longer be valid after promulgation of a TWIC reader final rule, and DHS will not fund replacement TWIC readers.

TSA is developing the QTL so that approved readers meet durability standards. Additionally, in this NPRM, we’re proposing requirements that provide owners and operators the flexibility to choose the TWIC reader that best suits their operational needs.

Section 101.105, Definitions.TWIC reader means an electronic device listed on TSA’s Qualified Technology List (QTL) and used to verify and validate: the authenticity of a TWIC; the identity of the TWIC-holder as the legitimate bearer of the credential; that the TWIC is not expired; and that the TWIC is not on the CCL. TSA’s QTL of acceptable TWIC readers may be accessed online at http://(TBD).

Thursday, March 21, 2013

TWIC Card Reader NPRM in Federal Register 03/22/2013



On March 22, 2013, the Coast Guard will publish the Notice of Proposed Rulemaking for the TWIC Reader in the Federal Register. To summarize, facilities and vessels are divided into risk groups and only the highest risk group (A) will need to use a reader. Lower risk groups will (for the time being) continue under the present regulatory requirements for TWIC visual inspection.

For vessels, Risk Group A consists of vessels are certificated to carry more than 1,000 passengers, carrying CDC in bulk, or towing CDC in bulk. For facilities, Risk Group A consist of facilities that handle CDC in bulk, receive vessels that are certificated to carry more than 1,000 passengers, and barge fleeting facilities that receive barges carrying CDC in bulk. The Coast Guard is considering allowing multiple risk group designations within one facility. In addition:

  • ·         The NPRM does not propose to require owners and operators to specifically use contact TWIC readers, nor does the NPRM propose any PIN requirement.

  • ·         The compliance deadline for operation is proposed to be two years after the publication of the final rule. Within 2 years after publication of the TWIC reader final rule, owners and operators would have to amend their security plans to indicate how they implement the TWIC reader requirements contained in the applicable sections of 33 CFR parts 101, 104, and 105.

  • ·         Exempts from TWIC reader requirements all vessels with 14 or fewer TWIC-holding crewmembers,

  • ·         NPRM withdraws the ANPRM’s proposal to include noncredentialed individuals engaged on towing vessels not regulated under 33 CFR part 104 among the list of mariners required to possess a TWIC.

  • ·        Owners and operators of vessels or facilities in Risk Groups B and C would not be required to check TWICs against the CCL.

  • ·         Owners and operators would have the discretion to impose access control measures that are stricter than the minimum regulatory requirements.

  • ·         If a TWIC reader malfunctions, an owner or operator would still be permitted to grant the individual unescorted access to secure areas, provided the individual was known to have a valid TWIC and the TWIC was inspected visually.

  • ·         Owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks.

  • ·         The COTP is authorized to temporarily suspend TWIC reader requirements at a facility if the COTP determines that such requirements are causing delays resulting in excessive vehicle build-up or other unintended consequence. During the period of any such suspension, the owner or operator would be required to perform visual TWIC inspections for identity verification, card authentication, and card validation.

  • ·         The Coast Guard will continue to analyze risk data and consider whether additional or modified TWIC reader requirements would be warranted in the future.

  • ·         Considering the several rulemakings that are going to be issued in the near future, the Coast Guard  is currently examining several options to coordinate the rulemakings and manage the plan submission and re-approval process to ensure that plan changes occur only as often as necessary to incorporate any new regulatory requirements.

  • ·         Amend 33 CFR 104.235 and 105.225 to set forth TWIC reader recordkeeping requirements. Owners and operators using TWIC readers, with or without a Physical Access Control System, would be required to maintain certain records for at least 2 years. During that time, owners and operators would be required to make those records available to the Coast Guard upon request. Those records include, with respect to each individual granted unescorted access to a secure area: (1) FASCN;(2) date that access was granted; (3) time that access was granted; and (4) if captured, the name of the individual to whom access was granted. If a TWIC reader or PACS captures the required data when the TWIC is scanned, and can retain and reproduce that data, the recordkeeping requirement would be met. Owners and operators would be required to also maintain records to demonstrate that they have performed the required card validity check using the CCL on each individual. TWIC reader records are SSI, and would be required to be protected in accordance with 49 CFR part 1520.

  • ·         Physical placement of readers -  For facilities, TWIC readers will be required at the access points to each secure area. If the entire facility is designated as a secure area, then TWIC readers would only be required at the access points to the facility itself. If the secure area does not encompass the entire facility, then TWIC readers would be required at the access points to each secure area. For vessels, the NPRM proposes to require TWIC readers at the access points to the vessel itself, regardless of whether the secure area encompasses the entire vessel.

Below are more provisions of the NPRM.  This is just a bare-bones summary.  In this NPRM, the Coast Guard goes into great detail to give information about the processes that affected the decision-making about this rule, and the rule should be read in its entirety by the MTSA community. There are also several other related documents available for viewing in the public docket.

NPRM:

This rulemaking action, once final, would build upon existing Coast Guard regulations designed to ensure that only individuals who hold a TWIC are granted unescorted access to secure areas at those locations…..This rulemaking would also implement the Security and Accountability For Every Port Act of 2006 electronic TWIC reader requirements.

Comments – Public Comments will be accepted via http://www.regulations.gov, Docket number USCG-2007-28915.  I did not see an ending date for comment acceptance.

Public Meetings - USCG intends to hold one or more public meetings regarding the proposals in this NPRM.A notice with the specific date and location of each meeting will be published in the Federal Register as soon as this information is known.

Purpose of the Regulatory Action - This rulemaking, which would require owners and operators of certain types of vessels and facilities to use electronic TWIC readers, is necessary to advance the goals of the TWIC program. The Coast Guard conducted a riskbased analysis of MTSA-regulated vessels and facilities to categorize them into one of three risk groups. Risk Group A is comprised of vessels and facilities that present the highest risk of being involved in a transportation security incident (TSI).Vessels and facilities in Risk Group A would have new TWIC reader requirements under this rule. Vessels and facilities in Risk Groups B and C present progressively lower risks, and would continue to follow existing regulatory requirements for visual TWIC inspection.

Despite the enhanced reliability that TWIC readers would offer, not all vessels and facilities face security risks that justify the costs and other burdens that would result from a universal TWIC reader requirement for all vessels and facilities. Therefore, in this rulemaking, the USCG is considering a phased approach to implementing TWIC reader requirements by proposing such requirements first for vessels and facilities where the risk of harm is expected to be the greatest. The USCG will continue to analyze risk data on MTSA-regulated vessels and facilities and consider whether additional or modified TWIC reader requirements are warranted in future rulemakings.

How Did the Coast Guard Determine the Risk Tiering?

The Coast Guard assembled a panel of maritime security subject matter experts from the Coast Guard and TSA to conduct a risk-based analysis of MTSA-regulated vessels and facilities. The panel assessed the distinct types of vessels and facilities using three factors: (1) maximum consequences to that vessel or facility resulting from a terrorist attack; (2) criticality to the nation’s health, economy, and national security; and (3) utility of the TWIC in reducing risk.

For the first factor (maximum consequence resulting from a terrorist attack), they used the Coast Guard’s Maritime Security Risk Analysis Model (MSRAM).

For the second factor (criticality to the nation’s health, economy, and national security), they considered the impact of the total loss of a vessel or facility beyond the immediate local consequences, taking into account the regional or national impacts on human health, the economy, and national security.

For the third factor (TWIC utility), they considered the utility of the TWIC program in reducing a vessel’s or facility’s vulnerability to a terrorist attack.

The Coast Guard combined the above three factors and developed an overall risk ranking of vessels and facilities by type. The panel then assigned numerical valued weights to the three
factors. In determining the final weights, the panel chose the approach that best reflected its understanding of the maritime environment and TWIC program implementation, the importance of consequences in representing target attractiveness to terrorists, and the panel’s expert perspective of risk. The actual numerical valued weights finalized by the panel are Sensitive Security Information (SSI). Finally, the panel calculated the priority scores for each vessel and facility type. At the end of this process, types of vessels and facilities with similar scores were combined into one of three risk groups.

Vessels and facilities that present a heightened risk for being involved in a TSI, Risk Group A, would have new TWIC reader requirements under this rule. For now, vessels and facilities that do not present this heightened risk would either continue to visually inspect TWICs or voluntarily deploy TWIC readers.

Comparison between the ANPRM and the NPRM:

Based on the public comments received in response to the ANPRM, the findings of the DHS pilot program, and further analysis of the relevant issues, this NPRM reiterates many of the ANPRM’s proposals, including retaining the ANPRM’s riskbased framework for classifying vessels and facilities into the same three risk groups. As in the ANPRM, vessels and facilities are generally placed in higher risk groups based on the hazardous nature of the cargo handled or carried, or an increase in the number of passengers present…The main change in approach from the ANPRM to this NPRM is regarding the TWIC reader requirements for the different risk groups. Specifically, this NPRM proposes TWIC reader requirements for Risk Group A only….Proposing TWIC reader requirements for Risk Group A only in this NPRM is indicative of our desire to minimize highest risks first, but should not be read to foreclose revised TWIC reader requirements in the future. The Coast Guard will continue to gather and analyze data to determine how the use of TWIC readers might be appropriate for each risk group.


Summary of Costs and Benefits: Under MTSA, the Coast Guard regulates approximately 13,825 vessels, 3,270 facilities, and 56 Outer Continental Shelf (OCS) facilities. Of those MTSA-regulated facilities that could have potentially been regulated, 38 vessels and 532 facilities are affected by this proposed rule. The Coast Guard estimates the annualized cost of this proposed rule on the affected population of 38 vessels and 532 facilities to be about $26.5 million, while the 10-year cost is $186.1 million, discounted at 7 percent. The main cost drivers of this proposal are the acquisition, installation, and integration of TWIC readers into access control systems.

Specifics for Reader Requirements: new 33 CFR 101.520, for Risk Group A
At MARSEC Level 1, all persons seeking unescorted access to secure areas would be required to present a TWIC and fingerprint for biometric identity verification, card authentication, and card validity check. The owner or operator would be required to
perform the card validity check based on CCL information no more than 7 days old. At MARSEC Level 2, the same procedures would apply as those at MARSEC Level 1, except that the owner or operator would be required to perform the card validity check based on CCL information no more than 1 day old. Two additional provisions - First, owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Second, owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks. The COTP is authorized to temporarily suspend TWIC reader requirements at a facility if the COTP determines that such requirements are causing delays resulting in excessive vehicle build-up or other unintended consequence. A facility owner or operator could contact the COTP seeking such a determination. During the period of any such suspension, the owner or operator would be required to perform visual TWIC inspections for
identity verification, card authentication, and card validation.

New 33 CFR 101.520(e), exempting all vessels with 14 or fewer TWIC-holding crewmembers from TWIC reader requirements.

New 33 CFR 101.525 and 101.530 – set forth the TWIC visual inspection requirements for Risk Groups B and C, respectively. At all MARSEC Levels, all persons seeking unescorted access to secure areas of vessels or facilities in Risk Groups B or C would be required to present a TWIC for visual identity verification, card authentication, and card validity check, prior to each entry. An owner or operator would perform identity verification by visually matching the photograph on the TWIC to the individual presenting it. An owner or operator would verify TWIC authenticity by visually checking its security features to determine whether it has been tampered with or forged. An owner or operator would validate the TWIC by visually checking the expiration date on the face of the TWIC to determine whether it has expired. Owners and operators of vessels or facilities in Risk Groups B and C would not be required to check TWICs against the CCL.

New 33 CFR 101.535 – TWIC inspection requirements in special circumstances. These
provisions are designed to provide an appropriate level of flexibility in the TWIC reader and inspection requirements when special circumstances arise. If an individual is unable to present a TWIC because it has been lost, damaged, or stolen, and the individual has previously been granted unescorted access to secure areas and is known to have previously possessed a TWIC, an owner or operator would be permitted to grant the individual unescorted access to secure areas for a period of no longer than 7 consecutive days, provided that certain conditions are met. Owners and operators will need to describe the process to be used to handle exceptions to using readers – such as an when individual has poor quality fingerprints, or no fingerprint minutiae – in their security plans.

If a TWIC reader malfunctions, an owner or operator would still be permitted to grant the individual unescorted access to secure areas, provided that certain conditions are met. First, the individual would be required to have previously been granted unescorted access to secure areas in the past, and the individual would be required to be known to have a TWIC. Second, the owner or operator would be required to perform identity verification, card validation and card authentication by visual inspection. An owner or operator may rely on this alternative for a period of 7 calendar days while the TWIC reader malfunction is corrected.

To ensure that CCL information is updated and used appropriately - Owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Second, owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks.

Compliance Deadlines - Within 2 years after publication of the TWIC reader final rule, owners and operators would be required to be operating in accordance with the requirements contained in that final rule. Also, within 2 years after publication of the TWIC reader final rule, owners and operators would have to amend their security plans to indicate how they implement the TWIC reader requirements contained in the applicable sections of 33 CFR parts 101, 104, and 105.

Recordkeeping – the Coast Guard proposes to amend 33 CFR 104.235 and 105.225 to set forth TWIC reader recordkeeping requirements. Owners and operators using TWIC readers, with or without a PACS, would be required to maintain certain records for at least 2 years. During that time, owners and operators would be required to make those records available to the Coast Guard upon request. Those records include, with respect to each individual granted unescorted access to a secure area: (1) FASCN;(2) date that access was granted; (3) time that access was granted; and (4) if captured, the name of the individual to whom access was granted. If a TWIC reader or PACS captures the required data when the TWIC is scanned, and can retain and reproduce that data, the recordkeeping requirement would be met. Owners and operators would be required to also maintain records to demonstrate that they have performed the required card validity check using the CCL on each individual. Finally, we propose to include a regulatory provision indicating that TWIC reader records are SSI, and would be required to be protected in accordance with 49 CFR part 1520.

Movement Between Risk Groups - based on the materials they are carrying or handling, or the types of vessels they are receiving at any given time, designed to provide flexibility to owners and operators of vessels and facilities that only meet the Risk Group A criteria on a periodic basis. An owner or operator wishing to take advantage of one of these provisions would be required to explain how the vessel or facility would move between risk groups in an amended security plan.

Physical placement of readers -  For facilities, this NPRM proposes to require TWIC readers at the access points to each secure area. If the entire facility is designated as a secure area, then TWIC readers would only be required at the access points to the facility itself. If the secure area does not encompass the entire facility, then TWIC readers would be required at the access points to each secure area. For vessels, this NPRM proposes to require TWIC readers at the access points to the vessel itself, regardless of whether the secure area encompasses the entire vessel.

Sunday, March 17, 2013

Meeting Notice for National Maritime Security Advisory Committee posted in Federal Register




The following notice will be posted in the Federal Register, vol. 78, no. 52, on Monday March 18, 2013:

The National Maritime Security Advisory Committee (NMSAC) will meet on April 2-3, 2013 in Washington, DC to discuss various issues relating to national maritime security. This meeting will be open to the public.

DATES: The Committee will meet on Tuesday, April 2, 2013 from 9:00 a.m.to 4:00 p.m. and Wednesday, April 3, 2013 from 8:00 a.m. to 11:00 a.m.This meeting may close early if all business is finished. All written material and requests to make oral presentations should reach the CoastGuard on or before March 29, 2012.

ADDRESSES: The Committee will meet in the Oklahoma Room at the Department of Transportation, 1200 New Jersey Ave SE., Washington, DC 20590. Seating is very limited. Members of the public wishing to attend should register with Mr. Ryan Owens, Alternate Designated Federal Official (ADFO) of NMSAC, telephone 202-372-1108 or
ryan.f.owens@uscg.mil no later than March 25, 2013. Additionally, this meeting will be broadcasted via a web enabled interactive online format and teleconference line.
    To participate via teleconference, dial 866-810-4853, the pass code to join is 9760138. Additionally, if you would like to participate in this meeting via the online web format, please log onto
https://connect.hsin.gov/r11254182 and follow the online instructions to register for this meeting.
    For information on facilities or services for individuals with disabilities or to request special assistance at the meeting, contact the person listed in the FOR FURTHER INFORMATION CONTACT section as soon as possible.
    To facilitate public participation, we are inviting public comment on the issues to be considered by the Committee as listed in the ``Agenda'' section below. You may submit written comments no later than March 29, 2013. Identify your comments by docket number [USCG-2012-0797] using one of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
     Mail: Docket Management Facility (M-30), U.S. Department of Transportation, West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue SE., Washington, DC 20590-0001. We encourage use of electronic submissions because security screening may delay delivery of
mail.
     Fax: (202) 493-2251.
     Hand Delivery: Same as mail address above, between 9:00 a.m. and 5:00 p.m., Monday through Friday, except Federal Holidays. The telephone number is 202-366-9329.
    Instructions: All submissions received must include the words``Department of Homeland Security'' and docket number [USCG-2012-0797].
All submissions received will be posted without alteration at www.regulations.gov, including any personal information provided. You may review a Privacy Act notice regarding our public dockets in the January 17, 2008 issue of the Federal Register (73 FR 3316)
Day 1 
    The agenda for the Committee meeting is as follows:
    (1) Cyber Security Executive Order. On February 12, 2013, President  Barack Obama signed 
an Executive Order \1\ to strengthen the cybersecurity of critical infrastructure by increasing 
information sharing and by jointly developing and implementing a framework of cybersecurity 
practices with our industry partners. NMSAC will be engaged to discuss and hear public 
comment on the Executive Order and begin initial work in developing a framework for the 
maritime community.
--------------------------------------------------------------------------- 
    \1\ The Executive Order (not numbered) is available for viewing online at the White House's 
Web site:
 http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-
infrastructure-cybersecurity.
--------------------------------------------------------------------------- 
    (2) Presidential Policy Directive-21.\2\ On February 12, 2013, the White House Office of the 
Press Secretary published a Presidential Policy Directive (PPD) on critical infrastructure 
security and resilience. PPD-21 updates the national approach from Homeland Security 
Presidential Directive-7 (issued in 2003) to adjust to the new risk environment, understand
 key lessons learned, and drive toward enhanced capabilities. NMSAC will be engaged to 
discuss and hear public comment on PPD-21 and its impacts on the maritime community.
--------------------------------------------------------------------------- 
    \2\ Presidential Policy Directive-21 is available for viewing online at the White House's 
Web site: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-
critical-infrastructure-security-and-resil.
--------------------------------------------------------------------------- 
    (3) Maritime Domain Awareness and Information Sharing. NMSAC will receive a brief on, 
and will engage in a discussion on, the efforts of the Coast Guard and DHS to implement 
Maritime Domain Awareness and Information Sharing.
    (4) National Suspicious Activity Reporting Initiative (NSI). NMSAC will receive a brief, 
hear public comments and provide recommendations, on the NSI program.
    (5) Public Comment Period. 
Day 2 
    (1) Radiation Portal Monitoring. NMSAC will continue its discussion of the Radiation Portal 
Monitoring Program.
    (2) Port Security Grant Program. NMSAC will discuss the Port Security Grant Program, 
hear public comments and provide recommendations to the Coast Guard on the future 
implementation of the program.
    (3) Public comment period. 
Dated: March 11, 2013.
R.F. Owens,
U.S. Coast Guard, Office of Port and Facility Compliance, Deputy 
Designated Federal Official.