TWIC Card Reader NPRM in Federal Register 03/22/2013

On March 22, 2013, the Coast Guard will publish the Notice of Proposed Rulemaking for the TWIC Reader in the Federal Register. To summarize, facilities and vessels are divided into risk groups and only the highest risk group (A) will need to use a reader. Lower risk groups will (for the time being) continue under the present regulatory requirements for TWIC visual inspection.

For vessels, Risk Group A consists of vessels are certificated to carry more than 1,000 passengers, carrying CDC in bulk, or towing CDC in bulk. For facilities, Risk Group A consist of facilities that handle CDC in bulk, receive vessels that are certificated to carry more than 1,000 passengers, and barge fleeting facilities that receive barges carrying CDC in bulk. The Coast Guard is considering allowing multiple risk group designations within one facility. In addition:

• ·         The NPRM does not propose to require owners and operators to specifically use contact TWIC readers, nor does the NPRM propose any PIN requirement.

• ·         The compliance deadline for operation is proposed to be two years after the publication of the final rule. Within 2 years after publication of the TWIC reader final rule, owners and operators would have to amend their security plans to indicate how they implement the TWIC reader requirements contained in the applicable sections of 33 CFR parts 101, 104, and 105.

• ·         Exempts from TWIC reader requirements all vessels with 14 or fewer TWIC-holding crewmembers,

• ·         NPRM withdraws the ANPRM’s proposal to include noncredentialed individuals engaged on towing vessels not regulated under 33 CFR part 104 among the list of mariners required to possess a TWIC.

• ·        Owners and operators of vessels or facilities in Risk Groups B and C would not be required to check TWICs against the CCL.

• ·         Owners and operators would have the discretion to impose access control measures that are stricter than the minimum regulatory requirements.

• ·         If a TWIC reader malfunctions, an owner or operator would still be permitted to grant the individual unescorted access to secure areas, provided the individual was known to have a valid TWIC and the TWIC was inspected visually.

• ·         Owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks.

• ·         The COTP is authorized to temporarily suspend TWIC reader requirements at a facility if the COTP determines that such requirements are causing delays resulting in excessive vehicle build-up or other unintended consequence. During the period of any such suspension, the owner or operator would be required to perform visual TWIC inspections for identity verification, card authentication, and card validation.

• ·         The Coast Guard will continue to analyze risk data and consider whether additional or modified TWIC reader requirements would be warranted in the future.

• ·         Considering the several rulemakings that are going to be issued in the near future, the Coast Guard  is currently examining several options to coordinate the rulemakings and manage the plan submission and re-approval process to ensure that plan changes occur only as often as necessary to incorporate any new regulatory requirements.

• ·         Amend 33 CFR 104.235 and 105.225 to set forth TWIC reader recordkeeping requirements. Owners and operators using TWIC readers, with or without a Physical Access Control System, would be required to maintain certain records for at least 2 years. During that time, owners and operators would be required to make those records available to the Coast Guard upon request. Those records include, with respect to each individual granted unescorted access to a secure area: (1) FASCN;(2) date that access was granted; (3) time that access was granted; and (4) if captured, the name of the individual to whom access was granted. If a TWIC reader or PACS captures the required data when the TWIC is scanned, and can retain and reproduce that data, the recordkeeping requirement would be met. Owners and operators would be required to also maintain records to demonstrate that they have performed the required card validity check using the CCL on each individual. TWIC reader records are SSI, and would be required to be protected in accordance with 49 CFR part 1520.

• ·         Physical placement of readers -  For facilities, TWIC readers will be required at the access points to each secure area. If the entire facility is designated as a secure area, then TWIC readers would only be required at the access points to the facility itself. If the secure area does not encompass the entire facility, then TWIC readers would be required at the access points to each secure area. For vessels, the NPRM proposes to require TWIC readers at the access points to the vessel itself, regardless of whether the secure area encompasses the entire vessel.

Below are more provisions of the NPRM.  This is just a bare-bones summary.  In this NPRM, the Coast Guard goes into great detail to give information about the processes that affected the decision-making about this rule, and the rule should be read in its entirety by the MTSA community. There are also several other related documents available for viewing in the public docket.

NPRM:

This rulemaking action, once final, would build upon existing Coast Guard regulations designed to ensure that only individuals who hold a TWIC are granted unescorted access to secure areas at those locations…..This rulemaking would also implement the Security and Accountability For Every Port Act of 2006 electronic TWIC reader requirements.

Comments – Public Comments will be accepted via http://www.regulations.gov, Docket number USCG-2007-28915.  I did not see an ending date for comment acceptance.

Public Meetings - USCG intends to hold one or more public meetings regarding the proposals in this NPRM.A notice with the specific date and location of each meeting will be published in the Federal Register as soon as this information is known.

Purpose of the Regulatory Action - This rulemaking, which would require owners and operators of certain types of vessels and facilities to use electronic TWIC readers, is necessary to advance the goals of the TWIC program. The Coast Guard conducted a riskbased analysis of MTSA-regulated vessels and facilities to categorize them into one of three risk groups. Risk Group A is comprised of vessels and facilities that present the highest risk of being involved in a transportation security incident (TSI).Vessels and facilities in Risk Group A would have new TWIC reader requirements under this rule. Vessels and facilities in Risk Groups B and C present progressively lower risks, and would continue to follow existing regulatory requirements for visual TWIC inspection.

Despite the enhanced reliability that TWIC readers would offer, not all vessels and facilities face security risks that justify the costs and other burdens that would result from a universal TWIC reader requirement for all vessels and facilities. Therefore, in this rulemaking, the USCG is considering a phased approach to implementing TWIC reader requirements by proposing such requirements first for vessels and facilities where the risk of harm is expected to be the greatest. The USCG will continue to analyze risk data on MTSA-regulated vessels and facilities and consider whether additional or modified TWIC reader requirements are warranted in future rulemakings.

How Did the Coast Guard Determine the Risk Tiering?

The Coast Guard assembled a panel of maritime security subject matter experts from the Coast Guard and TSA to conduct a risk-based analysis of MTSA-regulated vessels and facilities. The panel assessed the distinct types of vessels and facilities using three factors: (1) maximum consequences to that vessel or facility resulting from a terrorist attack; (2) criticality to the nation’s health, economy, and national security; and (3) utility of the TWIC in reducing risk.

For the first factor (maximum consequence resulting from a terrorist attack), they used the Coast Guard’s Maritime Security Risk Analysis Model (MSRAM).

For the second factor (criticality to the nation’s health, economy, and national security), they considered the impact of the total loss of a vessel or facility beyond the immediate local consequences, taking into account the regional or national impacts on human health, the economy, and national security.

For the third factor (TWIC utility), they considered the utility of the TWIC program in reducing a vessel’s or facility’s vulnerability to a terrorist attack.

The Coast Guard combined the above three factors and developed an overall risk ranking of vessels and facilities by type. The panel then assigned numerical valued weights to the three

factors. In determining the final weights, the panel chose the approach that best reflected its understanding of the maritime environment and TWIC program implementation, the importance of consequences in representing target attractiveness to terrorists, and the panel’s expert perspective of risk. The actual numerical valued weights finalized by the panel are Sensitive Security Information (SSI). Finally, the panel calculated the priority scores for each vessel and facility type. At the end of this process, types of vessels and facilities with similar scores were combined into one of three risk groups.

Vessels and facilities that present a heightened risk for being involved in a TSI, Risk Group A, would have new TWIC reader requirements under this rule. For now, vessels and facilities that do not present this heightened risk would either continue to visually inspect TWICs or voluntarily deploy TWIC readers.

Comparison between the ANPRM and the NPRM:

Based on the public comments received in response to the ANPRM, the findings of the DHS pilot program, and further analysis of the relevant issues, this NPRM reiterates many of the ANPRM’s proposals, including retaining the ANPRM’s riskbased framework for classifying vessels and facilities into the same three risk groups. As in the ANPRM, vessels and facilities are generally placed in higher risk groups based on the hazardous nature of the cargo handled or carried, or an increase in the number of passengers present…The main change in approach from the ANPRM to this NPRM is regarding the TWIC reader requirements for the different risk groups. Specifically, this NPRM proposes TWIC reader requirements for Risk Group A only….Proposing TWIC reader requirements for Risk Group A only in this NPRM is indicative of our desire to minimize highest risks first, but should not be read to foreclose revised TWIC reader requirements in the future. The Coast Guard will continue to gather and analyze data to determine how the use of TWIC readers might be appropriate for each risk group.

Summary of Costs and Benefits: Under MTSA, the Coast Guard regulates approximately 13,825 vessels, 3,270 facilities, and 56 Outer Continental Shelf (OCS) facilities. Of those MTSA-regulated facilities that could have potentially been regulated, 38 vessels and 532 facilities are affected by this proposed rule. The Coast Guard estimates the annualized cost of this proposed rule on the affected population of 38 vessels and 532 facilities to be about $26.5 million, while the 10-year cost is $186.1 million, discounted at 7 percent. The main cost drivers of this proposal are the acquisition, installation, and integration of TWIC readers into access control systems.

Specifics for Reader Requirements: new 33 CFR 101.520, for Risk Group A

At MARSEC Level 1, all persons seeking unescorted access to secure areas would be required to present a TWIC and fingerprint for biometric identity verification, card authentication, and card validity check. The owner or operator would be required to

perform the card validity check based on CCL information no more than 7 days old. At MARSEC Level 2, the same procedures would apply as those at MARSEC Level 1, except that the owner or operator would be required to perform the card validity check based on CCL information no more than 1 day old. Two additional provisions - First, owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Second, owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks. The COTP is authorized to temporarily suspend TWIC reader requirements at a facility if the COTP determines that such requirements are causing delays resulting in excessive vehicle build-up or other unintended consequence. A facility owner or operator could contact the COTP seeking such a determination. During the period of any such suspension, the owner or operator would be required to perform visual TWIC inspections for

identity verification, card authentication, and card validation.

New 33 CFR 101.520(e), exempting all vessels with 14 or fewer TWIC-holding crewmembers from TWIC reader requirements.

New 33 CFR 101.525 and 101.530 – set forth the TWIC visual inspection requirements for Risk Groups B and C, respectively. At all MARSEC Levels, all persons seeking unescorted access to secure areas of vessels or facilities in Risk Groups B or C would be required to present a TWIC for visual identity verification, card authentication, and card validity check, prior to each entry. An owner or operator would perform identity verification by visually matching the photograph on the TWIC to the individual presenting it. An owner or operator would verify TWIC authenticity by visually checking its security features to determine whether it has been tampered with or forged. An owner or operator would validate the TWIC by visually checking the expiration date on the face of the TWIC to determine whether it has expired. Owners and operators of vessels or facilities in Risk Groups B and C would not be required to check TWICs against the CCL.

New 33 CFR 101.535 – TWIC inspection requirements in special circumstances. These

provisions are designed to provide an appropriate level of flexibility in the TWIC reader and inspection requirements when special circumstances arise. If an individual is unable to present a TWIC because it has been lost, damaged, or stolen, and the individual has previously been granted unescorted access to secure areas and is known to have previously possessed a TWIC, an owner or operator would be permitted to grant the individual unescorted access to secure areas for a period of no longer than 7 consecutive days, provided that certain conditions are met. Owners and operators will need to describe the process to be used to handle exceptions to using readers – such as an when individual has poor quality fingerprints, or no fingerprint minutiae – in their security plans.

If a TWIC reader malfunctions, an owner or operator would still be permitted to grant the individual unescorted access to secure areas, provided that certain conditions are met. First, the individual would be required to have previously been granted unescorted access to secure areas in the past, and the individual would be required to be known to have a TWIC. Second, the owner or operator would be required to perform identity verification, card validation and card authentication by visual inspection. An owner or operator may rely on this alternative for a period of 7 calendar days while the TWIC reader malfunction is corrected.

To ensure that CCL information is updated and used appropriately - Owners and operators would be required to update CCL information within 12 hours of any increase in MARSEC Level, regardless of when the CCL information was last updated. Second, owners and operators would be required to use the most recently obtained CCL information when conducting card validity checks.

Compliance Deadlines - Within 2 years after publication of the TWIC reader final rule, owners and operators would be required to be operating in accordance with the requirements contained in that final rule. Also, within 2 years after publication of the TWIC reader final rule, owners and operators would have to amend their security plans to indicate how they implement the TWIC reader requirements contained in the applicable sections of 33 CFR parts 101, 104, and 105.

Recordkeeping – the Coast Guard proposes to amend 33 CFR 104.235 and 105.225 to set forth TWIC reader recordkeeping requirements. Owners and operators using TWIC readers, with or without a PACS, would be required to maintain certain records for at least 2 years. During that time, owners and operators would be required to make those records available to the Coast Guard upon request. Those records include, with respect to each individual granted unescorted access to a secure area: (1) FASCN;(2) date that access was granted; (3) time that access was granted; and (4) if captured, the name of the individual to whom access was granted. If a TWIC reader or PACS captures the required data when the TWIC is scanned, and can retain and reproduce that data, the recordkeeping requirement would be met. Owners and operators would be required to also maintain records to demonstrate that they have performed the required card validity check using the CCL on each individual. Finally, we propose to include a regulatory provision indicating that TWIC reader records are SSI, and would be required to be protected in accordance with 49 CFR part 1520.

Movement Between Risk Groups - based on the materials they are carrying or handling, or the types of vessels they are receiving at any given time, designed to provide flexibility to owners and operators of vessels and facilities that only meet the Risk Group A criteria on a periodic basis. An owner or operator wishing to take advantage of one of these provisions would be required to explain how the vessel or facility would move between risk groups in an amended security plan.

Physical placement of readers -  For facilities, this NPRM proposes to require TWIC readers at the access points to each secure area. If the entire facility is designated as a secure area, then TWIC readers would only be required at the access points to the facility itself. If the secure area does not encompass the entire facility, then TWIC readers would be required at the access points to each secure area. For vessels, this NPRM proposes to require TWIC readers at the access points to the vessel itself, regardless of whether the secure area encompasses the entire vessel.