Thursday, December 17, 2015

MTSA Secure and Restricted Areas

More Thoughts on the Secure Area Concept

From October 2015 Waves on the Waterfront.

 This was a good short general discussion of the definitions of restricted and secure areas. However, one of the sources of confusion about secure areas is repeated in this discussion. It appears because it exists in the regulation, i.e., secure area as that area over which the owner has implemented security measures for access control.[1] Because many facilities have areas over which the owner has implemented security measures for access control where a TWIC is not required, this definition is puzzling. For example, the facility has a main office immediately inside the single fence that encircles the entire facility. TWIC cards are not required to access the office, according to the approved FSP, yet the office is within that area over which the owner has implemented security measures for access control. This seems to be in contradiction to the definition of secure area.

Even at this late date, years after TWIC implementation, there is still widespread misunderstanding about these two terms, secure and restricted areas. The idea of “secure area” has several concepts embedded within it. 
  • Designating areas as restricted, secure, or both adds additional layers of security.
  • The secure area must have a maritime nexus, because the secure area is the area where persons need a TWIC for unescorted access and the purpose of the card itself is to ensure that only persons who have undergone the TWIC background checks have unescorted access to these high-risk, TSI-prone areas in facilities and vessels.
  • Secure areas are a security measure described in the FSP, so to a certain extent they can be fluid across the system, and are subject to the judgement of the individual Coast Guard unit that approves the FSP. The only secure area that will be guaranteed to be designated as such across the system, from the largest facility in the country to Laurie’s Sand & Gravel Dock, is the area immediately adjacent to the vessel (that triggers the FSP) when the vessel is at the dock.[2]

For purposes of clarification, it might be useful if 33 CFR 101.105 were amended to read “Secure area means the area on board a vessel or at a facility or outer continental shelf facility over which the owner/operator has implemented security measures for access control where a TWIC card is required for unescorted access, in accordance with a Coast Guard approved security plan.” In all secure areas, TWIC cards are required for unescorted access. It seems odd therefore to exclude this important concept from the definition.

To keep the two concepts clear in the mind, it is less helpful to contrast them than to simply remember the following:
  • Restricted areas require limited access and a higher degree of security protection[3]; a list of areas that must be designated as restricted, as appropriate for the facility, is given in 33 CFR 105.260(b).
  • Secure areas are those areas where persons need a TWIC for unescorted access. There can be no secure area that is not connected with TWIC card use.

[1] 33 CFR 101.105, definition of secure area.
[2]  Navigation and Inspection Circular 03-07, enc. 3.
[3] 33 CFR 101.105, definition of restricted area.

Wednesday, December 16, 2015

On December 15, 2015, the Department of Homeland Security issued its Semiannual Regulatory Agenda. As Dennis Bryant so aptly puts it, “this agenda is aspirational in nature.” This means DHS hopes that the given timetables will be met. Below is MTSA-related information from the Agenda, with my comments. The full agenda can be found at

Updates to Maritime Security
Abstract: The Coast Guard proposes certain additions, changes, and amendments to 33 CFR, subchapter H. Subchapter H is comprised of parts 101 through 106. Subchapter H implements the major provisions of the Maritime Transportation Security Act of 2002 (MTSA). This rulemaking is the first major revision to subchapter H. The proposed changes would further the goals of domestic compliance and international cooperation by incorporating requirements from legislation implemented since the original publication of these regulations, such as the Security and Accountability for Every (SAFE) Port Act of 2006, and including international standards such as Standards of Training, Certification & Watchkeeping security training. This rulemaking has international interest because of the close relationship between subchapter H and the International Ship and Port Security Code (ISPS).

NPRM .................. 07/00/16

Comments: At this point, I can’t speculate when this update will be issued, or how outdated it will be when it finally comes out. It’s obvious to MTSA practitioners that an update needs to be made. Absent this update, industry and regulators end up operating from NVICs and PACs and policy letters and other documents, not an ideal situation from either an industry or a regulator’s point of view. PACs and letters under CG-FAC signature aren’t regulations. They lack the industry comment that is an integral part of the regulatory process. The regulatory process seems to have evolved into a process too cumbersome for today’s fast moving workplace.

Seafarers’ Access to Maritime Facilities
Abstract: This regulatory action will implement section 811 of the Coast Guard Authorization Act of 2010 (Pub. L. 111–281), which requires the owner/operator of a facility regulated by the Coast Guard under the Maritime Transportation Security Act of 2002 (Pub. L. 107–295) (MTSA) to provide a system that enables seafarers and certain other individuals to transit between vessels moored at the facility and the facility gate in a timely manner at no cost to the seafarer or other individual. Ensuring that such access through a facility is consistent with the security requirements in MTSA is part of the Coast Guard’s Ports, Waterways, and Coastal Security (PWCS) mission.
The timetable on this rule is:
NPRM .................. 12/29/14
NPRM Comment Period Reopened .................. 05/27/15
NPRM Comment Period End .................. 07/01/15
Final Rule ............ 02/00/16
Comments:  I would not be surprised to see this final rule issued in first quarter 2016. This regulation will (almost certainly) require action on the part of all MTSA facilities, including a new FSP section. Interesting example of a narrowly-focused regulation that sped through the process, despite an extended comment period. We need to keep in mind, however, the many Coast Guard actions that preceded this reg.

Transportation Worker Identification Credential (TWIC); Card Reader Requirement

Concerning the TWIC Reader rule (Transportation Worker Identification Credential (TWIC); Card Reader Requirement) the Agenda states: Regulatory Plan: This entry is Seq. No. 62 in part II of this issue of the Federal Register.

Comment: There is no Part II to this issue of the FR, so I am assuming that this is just one more puzzling aspect of the TWIC program.

Monday, November 30, 2015

Big Changes Coming Soon to Coast Guard's Homeport Website

On November 27, 2015, the Coast Guard made an announcement concerning its Homeport website via Maritime Commons. The information is also posted on the Homeport website.
We have been hearing for quite a while about upcoming changes to Homeport – these changes are happening and happening soon. Below is the text of the announcement from the Homeport/CG-FAC website:
The United States Coast Guard (USCG) Homeport Internet Portal (HIP) was established in 2005 to facilitate compliance with the requirements set forth in the Maritime Transportation Security Act (MTSA) of 2002, by providing secure information dissemination, advanced collaboration, electronic submission and approval for vessel and facility security plans, and complex electronic and telecommunication notification capabilities.
Since its inception, HIP has been expanded to provide additional support such as Transportation Worker Identification Card New Hire; Electronic Vessel Response Plan; Marine Event Permit Process; Port Status Indicator; Merchant Mariner Licensing and Documentation; Marine Training and Assessment Data (training documentation); Merchant Mariner Certificate; Sea Service Calculator; Merchant Mariner Verification of Certificates; and Merchant Mariner Credential Survey.
The Coast Guard will launch Homeport 2.0 Jan. 29, 2016 in order to provide a better user experience and improve the security of user information. Upgrades will include fewer site navigation menus and more efficient and secure search functions.
Although most features will be available as soon as the new site launches, user access to a few conveniences may be interrupted. Review the Homeport 2.0 Deployment Schedule for details. Functions that are essential to maintaining port security or that are critical to continuing the flow of commerce will remain available during the transition period.
Alternative solutions are available for most features taken offline during the transition. Anyone who needs access to a service normally obtained through HIP should contact the appropriate subject matter expert listed in the Homeport 2.0 Deployment Schedule.
From the Deployment Schedule:
Uninterrupted services:
• TWIC new hire procedures
• Port status query
• Merchant Mariner Application Status
• VRP Express
• Vessels & facilities search
• Merchant Mariner Credential Verification
• Merchant Mariner Sea Service Calculator
• Most core CG accessible-only functions

Services unavailable Jan. 29 - March 31, 2016:
• Mariner Training & Assessment Database
• Security Plans Temporary
• Merchant Mariner Credential Survey

Services unavailable Jan. 29 - April 30, 2016:
• Merchant Mariner Certificate
• Marine Event Application Temporary

The FAQ document lists work-arounds for most unavailable services in a Deployment Schedule. There is a separate FAQ document for community owners, who need to pay careful attention to deadlines. The deadline for migrating community content is January 29, 2016. This is a hard deadline. “Legacy Homeport will be taken offline as of Jan. 29, 2016, and community owners should make all efforts to meet this deadline. Any content that is not transferred will be auto-archived and will not be easily accessible.”

Thursday, June 18, 2015

Coast Guard Releases Cyber Strategy

On June 16, 2015, the U.S. Coast Guard issued its Cyber Strategy.  The document may be found at  

The document opens with a sobering statement of the problem: “Cybersecurity* is one of the most serious economic and national security challenges we face as a Nation. Government systems—including Coast Guard systems—face a mounting array of emerging cyber threats that could severely compromise and limit our Service’s ability to perform our essential missions.” “In the digital age…there is no strategic objective the Coast Guard can adequately meet—or operational mission the Coast Guard can fully perform—without a robust and comprehensive cyber program.*”

The asterisks link to definitions, and this document gives us a good range of definitions of cyber-related terms. Definitions, so important to the MTSA community, are found in Appendix I; they are drawn from a variety of source documents and explain many cyber-related terms, including:
Cybersecurity breach – Unauthorized access to data, applications, services, networks and/or devices, by-passing their underlying security mechanisms. A cybersecurity breach that may rise to the level of a reportable Maritime Transportation Security Act (MTSA) security breach occurs when an individual, an entity, or an application illegitimately enters a private or confidential Information Technology perimeter of a MTSA-regulated facility or vessel, Maritime Critical Infrastructure/Key Resources, or industrial control system such as Supervisory Control and Data Acquisition systems, including but not limited to terminal operating systems, global positioning systems, and cargo management systems.

Reproduced in its entirety below is the Executive Summary. Port security stakeholders are encouraged to read the entire document.

The Coast Guard is committed to ensuring the safety, security, and stewardship of our Nation’s waters. This commitment requires a comprehensive cyber strategy that provides a clear framework for our overall mission success.

Cyber technology has fueled great progress and efficiency in our modern world. Coast Guard operations are more effective because of the rapid evolution in cyber technology, and advanced technologies have also led to an unprecedented era of efficiency of the Maritime Transportation System (MTS). However, with these benefits come serious risks. Information and its supporting systems are continually attacked and exploited by hostile actors. Foreign governments, criminal organizations, and other illicit actors attempt to infiltrate critical government and private sector information systems, representing one of the most serious threats we face as a nation.

As the Coast Guard relies on modern digital information and communications systems to execute its missions, the Service must defend against those who threaten them. The Coast Guard must also build and sustain an operational advantage in cyberspace to ensure optimal integration of information and intelligence with our operations. Moreover, the Coast Guard must lead the effort to protect maritime critical infrastructure from a broadening array of cyber threats.

To fully ensure the Coast Guard is able to perform its essential missions in the 21st Century, it must fully embrace cyberspace as an operational domain. To this end, the Coast Guard will focus on three specific strategic priorities in the cyber domain over the next ten years:
• Defending Cyberspace
• Enabling Operations
• Protecting Infrastructure

Defending Cyberspace: Secure and resilient Coast Guard IT systems and networks are essential for overall mission success. To ensure the full scope of Coast Guard capabilities are as effective and efficient as possible, the Coast Guard must serve as a model agency in protecting information infrastructure and building a more resilient Coast Guard network.

Enabling Operations: To operate effectively within the cyber domain, the Coast Guard must develop and leverage a diverse set of cyber capabilities and authorities. Cyberspace operations, inside and outside Coast Guard information and communications networks and systems, can help detect, deter, disable, and defeat adversaries. Robust intelligence, law enforcement, and maritime and military cyber programs are essential to enhancing the effectiveness of Coast Guard operations, and deterring, preventing, and responding to malicious activity targeting critical maritime infrastructure. Coast Guard leaders must recognize that cyber capabilities are a critical enabler of success across all missions, and ensure that these capabilities are leveraged by commanders and decision-makers at all levels.

Protecting Infrastructure: Maritime critical infrastructure and the MTS are vital to our economy, national security, and national defense. The MTS includes ocean carriers, coastwise shipping along our shores, the Western Rivers and Great Lakes, and the Nation’s ports and terminals. Cyber systems enable the MTS to operate with unprecedented speed and efficiency. Those same cyber systems also create potential vulnerabilities. As the maritime transportation Sector Specific Agency (as defined by the National Infrastructure Protection Plan), the Coast Guard must lead the unity of effort required to protect maritime critical infrastructure from attacks, accidents, and disasters.

Ensuring Long-term Success: In support of the three strategic priorities, this Strategy identifies a number of cross-cutting support factors that will ensure the Coast Guard’s long-term success in meeting the Service's strategic goals in the cyber domain. These include:
(1) recognition of cyberspace as an operational domain,
(2) developing cyber guidance and defining mission space,
(3) leveraging partnerships to build knowledge, resource capacity, and an understanding of MTS cyber vulnerabilities,
(4) sharing of real-time information,
(5) organizing for success,
(6) building a well-trained cyber workforce, and
(7) making thoughtful future cyber investments.

Friday, June 12, 2015

TSA Posts Notice Regarding Resolution of Delays in Processing TWIC Cards, with Caveat

On June 12, 2015, the Transportation Security Administration posted the following notice at

1) UPDATED! TWIC Processing Delays: The previously announced delay in processing some TWIC applications has been resolved.  Most applicants will receive a TWIC within a month of enrolling, and often in about two weeks.  However, despite progress in reducing processing delays for the small number of applicants whose criminal or immigration records indicate that they may not be eligible for a TWIC, those applicants may still experience a two-and-a-half month wait before receiving a TWIC or notification from TSA.
To ensure all eligible applicants receive a new or renewal TWIC before it is needed for work we continue to strongly encourage all applicants to apply for their TWIC at least 10 to 12 weeks prior to when the card will be required to avoid inconvenience or interruption in access to maritime facilities.


Takeaways from this notice: applicants with anything in their background that might result in an application refusal on criminal history or immigration grounds may still experience a lengthy delay. It remains to be seen if persons with clean backgrounds continue to experience lengthy delays. Employers would be well-served to take TSA’s advice and assume that the application process will take 10 – 12 weeks.

The only way to find out if anything new has been posted on the TSA TWIC website is to check it daily.  At the bottom of the site is a revision date.  If this date has changed, new material has been added.  Do not rely on the NEW!  verbiage on notices because TSA does not remove this on a timely basis.

Friday, May 29, 2015

MTSA Training Course Update from Maritime Commons

Maritime transportation security act training course update -

On May 28, 2015, the following was posted on the Coast Guard’s Maritime Commons blog, at

“The Coast Guard is pleased to see the large number of maritime industry employees who choose to take part in the voluntary Maritime Transportation Security Act Training Course Program, choosing to attend courses reviewed and approved via a Coast Guard accepted Quality Standard System, or QSS.

The Coast Guard was informed that one of the accepted QSSs, Det Norske Veritas – Germanischer Lloyd, has withdrawn from certifying FSO, CSO, MSLEP and FPSSD courses. The American Bureau of Shipping is a QSS organization accepted by the Coast Guard and continues to participate in the certification process of these courses.
Additional information can be found on the Coast Guard’s facilities webpage.

Effective security training for maritime industry professionals is critical to the success of the nation’s security efforts. As the Coast Guard continues to develop regulations to establish comprehensive FSO training requirements, maritime industry employees with security duties are strongly encouraged to take approved courses.”

Here are some take-aways from this post:
1.  At this point, ABS is the sole course certifier for FSO, CSO, MSLEP and FPSSD.
2.  The Coast Guard continues to “strongly encourage” maritime industry employees with security duties to take approved courses. Because the new regulation mandating training is not yet in effect, strongly encourage is all they can do, but a word to the wise ought to be sufficient.

Persons who are hoping that the Coast Guard may grandfather any FSO currently serving or who has received any sort of FSO training (4 hours? 2 hours?), and only require new FSOs to become certified under the new regulations, should probably take a look at the communications that have come out from CG-FAC supporting approved courses.

Monday, March 23, 2015

TSA Notice Concerning Reporting Non-Receipt of Mailed TWICs

Today the Transportation Security Administration posted a notice concerning persons who have enrolled for a TWIC card, received notification that the card has been mailed, and then fail to receive the card through the mail. The notice is at This is the "down side" of the TSA one-visit program. It remains to be seen how many of the cards will fail to reach the end receiver.  Persons who have received the card through the mail tell me that the envelope is clearly marked "Transportation Security Administration".

The notice is printed in its entirety below.

NEW! Reporting Non-Receipt of Mailed TWICs: TWIC applicants who request to receive their TWIC card by mail will receive a phone or email notification that the card has been mailed.  After notification that the card has been mailed, applicants have 60 days to report non-receipt of the card by contacting the Universal Enrollment Services (UES) Call Center at: (855) 347-8371. Failure to report non-receipt of the card within 60 days will result in a $60 fee to replace the lost card.

Monday, February 9, 2015

From Coast Guard Maritime Commons blog today, a reminder that USCG has not yet made final decision on transportation of fracking water (Shale Gas Extraction Waste Water, or SGEWW, in bulk) by barge

From Coast Guard Maritime Commons today, a reminder that USCG has not yet made final decision on transportation of fracking water (Shale Gas Extraction Waste Water, or SGEWW, in bulk) by barge, at

This blog, Coast Guard Maritime Commons, is a wonderful source of information on many maritime topics, including security.  It should be required reading for FSOs. FSOs can sign up at the blog site to be notified of new postings. The posting on fracking water is reproduced below:

The Coast Guard reiterated Thursday that it has not taken final agency action or approved requests for the carriage of Shale Gas Extraction Waste Water, or SGEWW, in bulk.

“The Coast Guard has not taken final agency action on the June 2012 request to carry Shale Gas Extraction Waste Water,” stated CAPT John Mauger, Chief of the Office of Design Engineering Standards at Coast Guard Headquarters. “Our action on this request is still pending our analysis of the comments received during the public review of our proposed policy.”

In June 2012, the Coast Guard received a request to classify and carry SGEWW for bulk transportation via barge. The regulations in 46 CFR 153, require the Coast Guard’s Office of Design and Engineering Standards to assess the hazards and classify a cargo before it can be carried in bulk.

In October 2013, the Coast Guard published a draft policy that proposed conditions for carriage of this cargo. No decision regarding the carriage of this cargo has been made.

As described in the draft policy, the proposed standards would not supersede existing allowances for oil field wastes to be shipped as hazardous wastes under long-standing Coast Guard policy in Navigation and Vessel Inspection Circular 7-87, Guidance on Waterborne Transport of Oil Field Wastes. This policy describes the oil field wastes and provides several examples. Under this policy, vessels carrying hazardous waste are subject to inspection. Further, waterfront facilities involved in the handling, storage or transfer of hazardous waste are regulated by the Coast Guard under 33 CFR, Part 126.

Update to TSA TWIC NEWS Posting on Truncated Last Name on TWIC Card

TSA has posted an update to the issue concerning persons with last names of more than 14 characters who have enrolled for a TWIC.  The take-away for FSOs is, "TSA is exploring ways to print the full last name on the card regardless of the number of characters.  Security personnel should be aware that some TWIC holders will have authentic cards although their full last name, as printed on the card, may be truncated." 
(Off topic: I made a request to John Schwartz that updated and new items on this website be posted with a date so we can figure out what was posted when.  He advised that that was already being considered.  I see that they are still considering it.) 
Truncated Last Name on TWIC Card: TWIC cards issued since May 2014 truncated the number of characters printed on cards for individuals with long last names.  Version 2.3 TWIC® cards printed prior to 12/12/2014 printed only the first 14 characters of a person’s last name.  The number of characters includes spaces, hyphens, and apostrophes in the person’s last name.  The printed last name is always followed by a comma. If a person’s last name exceeds 14 characters, all characters after the 14th are not printed.  A comma follows immediately after the 14th character.
Version 2.3 TWIC cards printed on or later than 12/12/2014 are printed with a maximum of 19 last name characters, followed by a comma.
Despite the limited space available on the card, TSA is exploring ways to print the full last name on the card regardless of the number of characters.  Security personnel should be aware that some TWIC holders will have authentic cards although their full last name, as printed on the card, may be truncated.

Tuesday, January 27, 2015

TSA Notice Concerning TWIC Card Delay

Today, January 27, 2015, the Transportation Security Administration posted the following notice on its website at

NEW!  TWIC Processing Delays: Currently, some TWIC applicants are experiencing delays of more than 75 days to receive their TWIC.  We regret any inconvenience or difficulty this may be causing, and are working diligently to reduce the time it takes to process all TWIC applications.  The delay mentioned above applies to applications that involve criminal history records or immigration status that must be verified, although others may also experience a delay.  We strongly encourage all applicants to apply for their TWIC at least 10 to 12 weeks prior to when the card will be required to avoid inconvenience or interruption in access to maritime facilities.

Monday, January 5, 2015

New TWIC Enrollment Requirements for U.S.-Born TWIC Applicants

Sometime over the holidays, TSA posted the following on the TSA TWIC website:


Starting on July 1, 2015 Transportation Worker Identification Credential (TWIC®) applicants who were born in the United States, and who claim U.S. citizenship, must provide documents to prove their citizenship.  Applicants need to bring one document from List A, or two documents from List B as shown below.

Until July 1, 2015 TWIC applicants who were born in the U.S. may continue to certify that they are U.S. citizens by checking the box on the electronically signed TWIC application and bring documents as listed on the UES website here.

TSA is making this change to align TWIC proof-of-citizenship requirements with those of other TSA programs such as the Hazardous Material Endorsement and TSA Pre✓ programs.  Requiring proof of citizenship at the time of enrollment will ensure that all TWIC applicants meet eligibility requirements for the credential.

Acceptable Documentation Providing Proof of U.S. Citizenship

List A:  Bring one of the following:
• Unexpired U.S. Passport (book or card) – demonstrates U.S. Citizenship
• Unexpired U.S. Enhanced Driver’s License (EDL) – demonstrates U.S. Citizenship if indicated on card
• Unexpired Enhanced Tribal Card (ETC) – demonstrates U.S. Citizenship
• Unexpired Free and Secure Trade (FAST) Card – demonstrates U.S. Citizenship if indicated on the card
• Unexpired NEXUS Card – demonstrates U.S. Citizenship if indicated on the card
• Unexpired Secure Electronic Network for Travelers Rapid Inspection (SENTRI) Card -- demonstrates U.S. Citizenship if indicated on the card
• Unexpired Global Entry Card -- demonstrates U.S. Citizenship if indicated on the card

List B:  Or, bring one of the following plus a government-issued photo ID:
• Original or certified copy of birth certificate issued by a State, county, municipal authority, or outlying possession of the U.S. bearing an official seal
• U.S. Certificate of Citizenship (N-560 or 561)
• U.S. Certificate of Naturalization (N-550 or 570)
• U.S. Citizen Identification Card (I-179 or I-197)
• Consular Report of Birth Abroad (FS-240)
• Certification of Report of Birth (DS-1350)
• Certification of Birth Abroad (FS-545)
• Expired U.S. passport within 12 months of expiration*

*An expired U.S. passport may not be presented by itself. It must be presented with at least one other document (and a name change document if needed).