Earlier this year, the Department of Homeland Security (DHS), in conjunction with its components the Transportation Security Administration (TSA) and the U.S. Coast Guard (Coast Guard), published in the Federal Register a Final Rule that codifies the Transportation Worker Information Credential (TWIC) program originally proposed in a 2006 Notice of Proposed Rule Making (NPRM). The Final Rule (1) requires all workers seeking unescorted access to secure areas of port facilities and vessels to acquire a biometric identification card, called a TWIC, which they obtain by passing a DHS Security Threat Assessment (STA), and (2) places obligations on owners/operators of port facilities and maritime vessels (the “covered entities”) to improve security. The Final Rule represents a significant development and evolution in maritime port and facility security and in standardizing transportation worker security credentials.
More broadly, the TWIC program could serve as an important catalyst for the expansion of standardized biometric credentialing programs to all aspects of the transportation industry. Recently thwarted potential security incidents at Heathrow and John F. Kennedy Airports involved conspirators employed by airports and granted full access credentials, while Orlando Airport officials recently uncovered a gun and drug smuggling ring anchored by a credentialed employee. These events demonstrate the potential need for uniform biometric credentials across the transportation industry, and the TWIC program could represent the first step in that direction. Monitoring the development of TWIC regulations could save companies time and money if and when the regulations extend to their own industries.
The Final Rule took effect on March 26, 2007, but workers affected by the requirements have until September 25, 2008, to complete their registration and receive a TWIC. The provisions in the Final Rule differ substantially from the original regulations presented for comment in the NPRM. Most notably, the requirement that covered entities install and maintain TWIC readers does not appear in the Final Rule. Instead, the Coast Guard will conduct periodic, unannounced on-site inspections of TWIC holders’ identity and biometrics while DHS weighs its options with respect to codifying a biometric card reader requirement. Covered entities will want to monitor the developments of the TWIC reader specifications, as they represent the largest potential expense for companies that must comply with TWIC regulations.
DHS issued the Final Rule pursuant to the Maritime Transportation Security Act of 2002 (MTSA) and the Security and Accountability for Every Port Act of 2006 (SAFE Port Act). Companies affected by the TWIC regulations should closely monitor their implementation and development to ensure compliance and to avoid civil and criminal penalties.
This advisory also provides a brief synopsis of the TWIC requirements contained in the Final Rule and how they affect covered entities. This advisory introduces key issues left unanswered by the Final Rule and discusses the challenges the regulations present as port facilities and vessels attempt to comply with the TWIC program.
The TWIC program exists to ensure that only authorized personnel who have successfully completed a Security Threat Assessment can gain unescorted access to secure areas of maritime vessels and facilities. A TWIC contains a worker’s biometric and biographical information and reflects the successful completion of an STA. Because DHS has yet to issue regulations concerning biometric TWIC readers, the Coast Guard plans to inspect the validity of TWICs through unannounced, periodic checks of secure areas of ports and maritime vessels.
To obtain a TWIC, workers must complete an application, pay fees and successfully complete a TSA-performed STA. In most cases, a TWIC remains valid for five years. Prior to the expiration date, workers must renew the TWIC and undergo a new STA.
Covered entities must oversee the workers’ application process and may under special circumstances allow an applicant who has passed an initial name-based check to work in secure areas before acquiring a TWIC. Covered entities must reconsider their current access control arrangements to ensure that only TWIC-holders can access secure areas. They must also closely monitor the immigration and residency status of their employees to ensure that workers do not continue to possess a TWIC after their legal status in the United States expires. DHS has yet to determine the contours of its regulations concerning TWIC readers. Future regulations will require covered entities to install biometric card readers at all access control points leading to secure areas. While DHS recently requested comments concerning the technical specifications and requirements of TWIC readers, it has not provided firm guidance about how it intends to structure its TWIC reader regulations.
The Contents of a TWIC
The Final Rule describes the required contents of a TWIC. Each credential will include:
- the individual’s full name;
- a photograph that depicts the individual’s current appearance;
- the name of the issuing authority; and
- lamination or other security against tampering.
First generation TWICs will not contain the contactless biometric operations contemplated in the NPRM. The Final Rule does not make clear either when DHS plans to phase in biometric operations or what biometrics a TWIC will contain.10 After the issuance of the Final Rule, DHS awarded a $70 million contract to Lockheed Martin, in which Lockheed Martin agreed to collect the biographical and biometric data of workers and issue the TWICs. As part of its successful bid, Lockheed Martin guaranteed to enroll the 750,000 affected port workers within 16 months.1111 Covered entities should remain up-to-date on the development of TWIC technology and the final biometric contents of a TWIC as DHS and Lockheed Martin finalize its contents.
How Workers Obtain a TWIC
The Final Rule places the responsibility of applying for and procuring a TWIC on the workers themselves, including the cost of producing the credential and conducting the STA. However, as a practical matter, to avoid adverse impacts on ongoing operations, covered entities would be well-advised to facilitate employee compliance with the requirements of the Final Rule. To obtain a TWIC and keep it current, workers must:
- Pre-enroll. DHS has created a Web site for workers to begin the enrollment process before they report to an official enrollment center. Workers must provide biographical and biometric information at an enrollment center.12
- Pay TWIC fees. While the Final Rule does not specify fees, a subsequent notice published in the Federal Register clarifies that a TWIC will cost between $107 and $159, depending on whether or not workers have already successfully completed an STA.
Complete a Security Threat Assessment. The Final Rule unifies the STA standards for maritime workers and the STA standards for truck drivers transporting hazardous materials.1313 Generally, the STA attempts to determine whether an applicant has any connection to terrorist activity. An applicant will fail an STA if he or she: (1) committed certain crimes that DHS views as indicative of present or future terrorist involvement; (2) lacks legal immigration status or the authorization to work in the United States;1414 (3) has a direct connection to terrorist activity; or (4) lacks requisite mental capacity.15 Applicants disqualified from obtaining a TWIC may apply for a waiver of the disqualification; if DHS denies an applicant’s waiver, that applicant may take advantage of a special appeals process and seek review by an administrative law judge (ALJ).16
Renew the TWIC. In most cases, both the applicant’s STA and TWIC remain valid for five years. Applicants wishing to renew their TWICs must initiate a renewal application at least 30 days prior to the expiration date, pay new fees and undergo a new STA.17
Compliance by Covered Entities
The Final Rule places significant obligations on covered entities, but postpones the codification of TWIC reader specifications and requirements. Covered entities have obligations to comply with the Final Rule in the following areas:
- Access Control Procedures – Secure Areas. The Final Rule carefully distinguishes the commonly used DHS definition of “restricted areas” – individual rooms and areas with unique access control points – from its newly formed definition of “secure areas,” which more broadly encompasses the outer boundary of all access controlled areas.18 Under the Final Rule, any individual requiring access to spaces within an outer access-controlled boundary (including hallways between restricted areas) will need a TWIC. DHS hopes that a broad definition of secure areas will minimize the eventual cost of installing TWIC readers, since a broad perimeter of access-control should result in fewer TWIC readers than more narrowly defined restricted areas. DHS cautions, however, that many port facilities and vessels currently do not have access control points only for maritime workers, noting that many facilities have one access control point for warehouses, transportation facilities and maritime employee workspaces alike. To avoid requiring warehouse and transportation workers who would not otherwise need a TWIC to obtain one, DHS advises port facilities to redefine their access control points so that only maritime workers require access to secure areas. The Final Rule gives facilities until July 25, 2007, to submit an amended Facility Security Plan (FSP) with new access control arrangements to the appropriate Captain of the Port (COTP).19
- Current Workers’ Enrollment. DHS advises covered entities to keep their affected workers apprised of key deadlines for TWIC enrollment and to encourage workers to begin the application process as soon as possible. Covered entities must ensure that all affected workers complete their STA and receive a TWIC before September 25, 2008, which represents the deadline for the full implementation of the TWIC program.
- New Hires. Covered entities may allow new employees requiring immediate access to secure areas to work for 30 consecutive days once they have successfully completed a preliminary name-based background check and applied for a TWIC.20 The Final Rule obligates covered entities to have new hires sign a declaration affirming compliance with TSA regulations and enter new hires’ biographical information on a designated Coast Guard Web site. If the new hire’s application is denied during the 30 day period, the covered entity must immediately revoke the new hire’s access to secure areas.
- Escorting. In most cases, covered entities must provide an escort for any individuals requiring access to secure areas who have not obtained a TWIC. In restricted areas, covered entities must provide a live escort to accompany non-credentialed individuals at all times; in secure areas that do not also constitute restricted areas, escorting can mean video monitoring, but covered entities must be able to respond immediately if non-credentialed individuals behave suspiciously or act beyond the scope of their authorized entry.21 The Coast Guard plans to issue a navigation and vessel inspection circular to clarify the contours of the restricted areas escorting requirement.
- Emergency Responders. In emergency situations, state and local response workers must have access to secure areas even if they do not possess a TWIC for the purpose of responding to the emergency.22 While the emergency responders remain in the secure areas, however, covered entities must monitor them to ensure that they do not exceed the scope of their authorized access.
- Immigrant and Nonresident Workers. Covered entities must closely monitor the status of immigrant and nonresident workers who possess or will require a TWIC. Workers’ TWIC eligibility depends in part on their immigration status and, if applicable, the nature of their nonresident visa. If the employment relationship between a covered entity and an immigrant or nonresident worker holding a TWIC comes to an end, the covered entity has five days to notify TSA of the worker’s departure and return the TWIC.23
- Compliance Deadlines. The last possible date for all workers, facilities and vessels to achieve compliance with the Final Rule remains September 25, 2008, but the Final Rule specifies that vessels have 20 months from the effective date (March 26, 2007) to reach full compliance; compliance dates for facilities will vary depending on their COPT zone.24 Port facilities have until July 25, 2007, to submit an updated FSP reflecting new access control arrangements to the appropriate COTP.
- TWIC Reader Specifications. The Final Rule notably decided not to decide the specifications for TWIC readers and any requirements for covered entities to install and/or maintain them.25 DHS created a working group, the National Maritime Security Advisory Committee (NMSAC), to study the available technologies and recommend TWIC reader specifications. In February, the NMSAC released a report discussing the implementation issues confronting the installation and maintenance of TWIC readers and issued recommendations for the reader requirements. In general, the NMSAC concluded that a cost/benefit analysis did not favor designing encrypted biometric readers and recommended that the DHS should: (1) assess the value of an encrypted card reader and determine the security risk of non-encrypted readers; (2) engage the maritime security industry in a pilot program to test readers before requiring a full-scale implementation; and (3) resolve its policy objectives before it evaluates available technology.26 In March, DHS sought comments on the NMSAC report.27 DHS has not yet offered additional guidance concerning their plan to implement TWIC reader requirements.
The TWIC Final Rule jointly issued by TSA and the Coast Guard represents a significant step forward in the effort by DHS to standardize the biometric credentialing process for workers in the transportation industry. The Final Rule requires all workers requiring access to secure areas of facilities and vessels to successfully complete a TSA-conducted STA and present biographical and biometric information for inclusion on the TWIC. The Final Rule places significant obligations on covered entities to assist in security efforts, including:
- redefining the access control points of facilities and vessels;
- assisting employees’ efforts to obtain TWICs and informing them of key deadlines;
- tracking workers’ immigration status and the status’ effect on TWIC eligibility;
- providing personnel to accompany new employees during their interim work period; and
- monitoring the development of TWIC reader requirements and specifications.
Covered entities must ensure their full compliance with TWIC regulations to avoid civil and criminal penalties. Companies not immediately affected by the TWIC program should watch the implementation and operation of the Final Rule in order to potentially save time and money if the TWIC program expands beyond the maritime industry.