National Transportation Worker ID Card (TWIC) Credentialing Direct Action Group Functional Requirements DRAFT

Transcription

1 Purpose: National Transportation Worker ID Card (TWIC) Credentialing Direct Action Group Functional Requirements DRAFT 1. The primary goal of the CDAG is to fashion a nationwide transportation worker identity solution that: Precepts: verifies the identity of transportation workers, validates their background information, assists transportation facilities with managing their security risks, and accounts for personnel access to transportation facilities and activities of authorized personnel 1. The CDAG sought a solution that: Applicability: would be fully intermodal, would build on existing technology, and existing agency business processes and infrastructure as much as possible, would minimize the need for redundant credentials, would minimize risk of unauthorized release of personal information, would be compatible with the intent and provisions of the Hollings Bill (S.1214; The Port and Maritime Security Act of 2001), and would be both scalable and expandable to address future access enabling technologies 1. The focus of the CDAG s solution was on workers in the transportation system, while achieving sufficient flexibility to accommodate future needs to address identification of users of the transportation system. 2. The identification card system developed would apply to any person who has unescorted access to a transportation facility or who has access to control of a transportation conveyance. Page 1 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/

2 Intended conveyances include: ships/vessels that carry freight or passengers for hire; aircraft that carry freight or passengers for hire; rail conveyances that carry freight or passengers for hire; trucks and buses whose operation requires a commercial drivers license (CDL), and pipelines. Intended transportation facilities include those locations where passengers or freight are boarded/loaded onto a transportation conveyance or where freight is received, stored, and staged attendant with being loaded onto a transportation conveyance. This definition is intended to include pipeline facilities. General Concepts: 1. The Card: SmartCard technology would be used to manage the information on the card as a means of controlling access to that information and as a means of ensuring the integrity of the information. The SmartCard architecture will incorporate, to the maximum extent practicable standards, which allow maximum interoperability across hardware and software platforms. 1 This will facilitate use of the card both domestically and for international enforcement regimes. The TWIC would incorporate a reliable and standard biometric (to be determined by the Transportation Security Administration) that would ensure that the holder of the card was the individual whose information is recorded on the card. The TWIC would incorporate GSA Smart Card Interoperability Branding as a means to authenticate the card (i.e., to verify that the card is not a forgery and was actually produced within the TWIC system).2 1 The General Services Administration (GSA) published the Government Smart Card Interoperability Specification (GSC-IS) Version 1 in August This specification describes the criteria and mechanisms for making smart cards interoperable through a standard application-level API, a common data set, and a common interpretation for card-level commands. Solutions acquired under the GSA Smart Card Contract are required to meet this standard and are thus assured of being interoperable with all other GSA supplied solutions. 2 In the secure environments that smart cards operate, it is important to be certain that the card being used is the genuine article. In principal, authentication works through the verification of a shared secret. Members of a club to restrict access to a clubhouse, for example, use a password. Entities that know this secret will be part of a select group, and only bona fide entities will have this knowledge. If an entity can prove that it knows the secret, then it is considered genuine. Revealing the secret, however, exposes it to possible scrutiny by untrustworthy entities and could spoil its use. To avoid revealing the secret, a challengeresponse technique is used. With a challenge-response, the entity, a smart card for example, is required to demonstrate that it can correctly encrypt a random number using a secret key. The GSA Smart Card Interoperability Branding is the only specification developed to give US government agencies the ability to identify and authenticate smart cards. Page 2 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/

3 DRAFT The TWIC would incorporate a standard architecture (i.e., design) that would be usable by all necessary agencies and facilities. (See Architecture below) The TWIC would have a 5-year period of validity and would require renewal thereafter. The card itself would not necessarily be physically replaced, but its renewed period of validity would be recorded on the card s microprocessor. The SmartCard The TWIC system would, by incorporating necessary interagency connectivity, permit authorized sharing and updating of information. The Smart Card should have a standard data model set. 2. Controlling Facility Access: A physical access security requirement, as adopted by local management, will establish a regime of security levels that would be used to manage access to various identified spaces aboard facilities or conveyances. A system of four (4) levels (1 through 4) is envisioned. Level 1 would indicate an escort was required; level 4 would indicate full access to the facility or conveyance. This standard would be incorporated into a system of approved vessel or facility security plans such that spaces applicable to each level would be identified in the plan. This would allow facilities and conveyances substantial flexibility in identifying physical security regimes that meet the broad spectrum of industry needs. Cardholders would be required to submit to a standard security check as a condition of card issuance. The standard would include FBI criminal records check as a minimum, and some level of National Agency Check as a maximum. Compatibility with S.1214 would be incorporated. Based on the results of the security check, the standard would establish one of the four security levels and this would be recorded on the card. The specific results of the security check would not be placed on the card but would be retained by the entity evaluating the results against the standard. Security checks would be initiated by the organization from which the worker is seeking the TWIC. The cost of the check would be borne by the worker or the employing organization in accordance with local custom. Disputes regarding the security level assigned would be subject to an appeal process adjudicated by the TSA. This would ensure consistent application of the standard security checks and standard security levels across all modes. DRAFT Page 3 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/

4 Interim checks of criminal record or other relevant databases would be made periodically to ensure that a TWIC s qualification for the assigned security level remained valid. DRAFT 3. Credential Redundancy By using an interoperable SmartCard architecture, the TWIC will provide a single, standard mechanism for confirming the validity of the card and the identity of the holder. Card reading hardware is relatively inexpensive. Government grants could be used to offset initial costs to private industry. The establishment of a standard security level system, based on standard security checks, in conjunction with a system of approved facility/conveyance security plans, will allow the TWIC to serve as a single secure-space access card. Facilities or conveyances that wish to adopt additional security regimes will be free to do so, but would not be required to. By reserving a segment of the SmartCard architecture for each modal operating agency and for appropriate state motor vehicle agencies, the TWIC can incorporate secure verification of specific qualifications to which the holder is entitled. The TWIC architecture would support incorporation of the driver s license (including CDL), HAZMAT carrier permits, merchant mariner qualifications (license, ratings, and STCW), pilot licenses, rail operating permits, etc. 4. Management of Personal Information Personal information would be held, as it is now, by the organization(s) who generate(s) it. Information recorded on the card would be kept to a minimum. Identity information (i.e., name, biometric, DOB, address, security level, cargo authorization, unique ID#) would be held by the organization last updating it. Using the security key structure developed by GSA, access to information on the card would be compartmentalized so that organizations could access (either for read-only or update) only their respective relevant segment of the TWIC. Normally, no access would be available without the cardholder s authorization. Identification information would be updateable only by qualified agencies (see Additional Considerations below). 5. Additional Considerations Page 4 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/

5 Transportation Security Administration to define data encryption and data exchange requirements for system citing appropriate standards. This approach would minimize concerns over sharing of personal information. DRAFT Standards will be developed for 4 security levels plus HAZMAT endorsement. They would apply to the various transportation modes across the board. Facility and vessel/conveyance security plans would identify specific spaces to which each security level applied (i.e., spaces accessible by persons with each security level). A worker s security level would be an aspect of his/her identification and would be based on a standard security check. (Note: We should be careful when using the term background check because its broad spectrum of meanings depending on context. We have used the term in the Coast Guard to refer to the criminal records check that we perform with the FBI and NDR. These are relatively inexpensive and quick to perform. In the intelligence community, the term background check connotes a prohibitively slow and costly examination of a candidate s behavior.) The facility/conveyance security plan would specify which areas were accessible to a TWIC holder and specify any additional measures deemed appropriate for local conditions. The concept of Qualified Agency is used to identify those organizations that would have update authority for any part of the card s information. At the national level, this would include the federal transportation agencies, state driver s license bureaus and state/local business units. The specific information that could be updated would be limited to information relevant only to that agency. Any qualified agency would be able to update the identity information. This provides the most convenience to the ID holder. This would require that all qualified agencies have connection to the identity database held by the Transportation Security Administration, on a need to know basis, so that the information on the holder s card is, at all times, identical to the information in the central ID database. The concept described in the table above envisions the states issuing SmartCard driver s licenses which would carry the necessary architecture to be used by any of the modes, should the individual require a Transportation Worker ID Card (TWIC). An alternative would be for the state s to issue conventional (i.e., non-smartcard) drivers licenses to those persons who do not require a TWIC (undoubtedly the vast majority). In the event the person subsequently required a TWIC, they would have to obtain one from the relevant qualified agency. Page 5 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/

6 The concept would require development/adoption of a variety of standards (ID documentation, biometric(s), security check, security levels, card architecture, etc.). Concept will also require very wide availability of card reading equipment throughout the transportation industry. Exception and appeal processes to be defined by TSA in a public rulemaking. DRAFT DOT/Customs/INS are established as the major keyholders that authorize keys to issuing officials. All keys have a unique ID, which is branded to the cards. There can be multiple levels e.g.ost-fmcsa-states or OST-USCGports. The reporting and exchange of information to endorse other keys for the holders (such as training credentials and security clearances, drivers licenses) on top of the basic ID would be permitted. Each issuer and endorser maintains its own database. Appropriate linkages are established to enable verification of credentials when presented for additional keys or to grant first time access to a facility or asset. Operating protocols or standards need to be developed for appropriate response times, including any pre-notifications to a key holder to permit online or offline verifications of existing credentials. Recommend that we start with a 48-hour parameter for issuance of new credential or to obtain endorsements. This will allow more offline processing and also help limit how much information leakage or exposure may accumulate. A standard for establishing an individual s identity is required prior to issuing a TWIC. Once this identity has been established, the rights or privileges of the individual are further determined by the specific application or use for which the TWIC is issued. Presently, among the credentials that are generally accepted, the state driver s license is the most ubiquitous documentary evidence linking a specific identity to a specific individual. Others include employee ID cards and passports. A determination must also be made if presentation of these credentials requires in-person appearance before a qualified agency representative. A need is recognized to incorporate the categories of credentials presently in use to the architecture of the TWIC and the security definitions. To the extent resources are appropriated by Congress, the Department of Transportation could pay software development and maintenance costs required for SmartCard architecture development. In addition, DOT will expect to share the costs of establishing necessary linkages among participating organizations. In recognition of the need for a transition from Page 6 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/

7 existing systems, DOT expects that data linkages accomplished within 5 years of first implementation will also be eligible for some DOT funding. DRAFT Page 7 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/

8 Page 8 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/ :13 AM

9 DRAFT 6. GSA Proposed Key Structure Page 9 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/ :13 AM

10 Page 10 of 109Last Saved: 1/23/2002 9:00 AM1/23/2002 8:31 AM1/18/ :13 AM