June 17, The NPRM does not satisfy Congressional intent

Transcription

1 Comments of the Smart Card Alliance to the U.S. Coast Guard: Transportation Worker Identification Credential (TWIC) Reader Requirements Notice of Proposed Rulemaking (NPRM) Docket ID: USCG June 17, 2013 The Smart Card Alliance is respectfully submitting comments in response to the U.S. Coast Guard s Transportation Worker Identification Credential (TWIC) Reader Requirements Notice of Proposed Rulemaking (NPRM). The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart card technology, leading industry discussion on the impact and value of smart cards in the U.S. We appreciate the opportunity to comment on the Coast Guard s Notice of Proposed Rulemaking (NPRM) relating to the use of TWIC readers. The NPRM does not satisfy Congressional intent The Smart Card Alliance believes that Congress passed the Maritime Transportation Security Act of 2002 (MTSA) with the intent of implementing minimum security procedures that would limit unescorted access to secure areas of maritime facilities and vessels to only those workers that were properly vetted and cleared by the U.S. government and whose identity and status can be electronically verified through the presentation of a biometric transportation security card to a reader. Over 2.4 million cleared maritime workers have been issued a Transportation Worker Identification Credential (TWIC) which is a tamper-resistant, biometrically-enabled smart card that can be used in conjunction with an electronic reader to establish (i) that it is a valid card issued by TSA and not a forgery, (ii) that the card has not expired, (iii) that the card has not been revoked by TSA for cause, and (iv) that the person presenting the card is the same person to whom the card was issued. Use of TWIC cards in conjunction with TWIC readers will prevent potential terrorists or other adversaries from obtaining unescorted access to secure areas of maritime facilities and vessels. We believe that the NPRM s risk-based approach that waives the requirement for TWIC readers for the vast majority of TWIC access transactions falls far short of the Congressional intent and does not achieve the enhanced security objectives that were anticipated. We do not believe that Congress intended for the TWIC card to be used primarily as a flash pass when they enacted the Maritime Transportation Security Act of 2002 (MTSA). In that legislation, Congress

2 recognized that U.S. ports are particularly vulnerable to breaches in security and found that biometric identification procedures for individuals having access to secure areas in port facilities are important tools to deter and prevent port cargo crimes, smuggling, and terrorist actions" 1. Visual inspection does not provide adequate security The proposed rulemaking would limit mandatory TWIC reader requirement to only 532 of 3,270 facilities; 38 of 13,825 vessels and 5% of the issued TWIC cardholders. For the remaining 2,738 facilities, 13,727 vessels and 95 % of the TWIC holders, authorization decisions would rely on visual inspection by security staff that would be responsible for validating each TWIC card and confirming that the TWIC card is indeed in the hands of the authorized individual for each access transaction. We do not believe that visual inspection meets the security objectives intended by Congress. As competent as the facility and vessel security staff may be, we do not believe that visual inspection is an effective method of controlling access to our critical maritime infrastructure. The National Institute of Standards and Technology (NIST) concurs with this view in their guidance for eauthentication, and has stated that visual inspection of an ID card offers little or no assurance in the claimed identity of a federal employee or contractor seeking unescorted access to government facilities. The TWIC card is derived from the same technical specification, and uses the same card stock as the Personal Identity Verification (PIV) card used by millions of Federal workers for access to government facilities and information systems. Accordingly, these two credentials should share the same concerns regarding level of identity assurance. NIST has published guidance in this regard in their Special Publication SP which states the following: The PIV Card mitigates the risk of visual counterfeiting through its capability for rapid electronic authentication, and to a lesser degree, by the presence of one or more security features on the surface of the card. Given the ready availability of high-quality scanners, graphic editing software, card stock, and smart card printers, electronic verification is strongly recommended, either in place of the VIS authentication mechanism or in combination with it. The Smart Card Alliance believes that it is ineffective to rely on visual inspection of TWIC cards as a primary security protocol for 95% of the maritime user population as proposed in this NPRM. Visual inspection alone is a weak authentication mechanism and does not provide the level of identity assurance that an electronic reader can provide. Therefore, we strongly recommend that the Coast Guard expand the scope of the proposed regulation to make the use of readers mandatory for a majority of the facilities and vessels currently identified in Risk Group B. The TWIC card has specific security features that are designed only for use by reader devices. A reader can check that the TWIC card was issued by TSA and is not a forgery or copy. A reader can also verify that the card holder is the same person that was originally issued the card by 1 See PUBLIC LAW Nov. 25, 2002, Title 1, Section 101

3 comparing their fingerprint against the fingerprint record stored on the card. In addition to checking that a card has not expired, only a reader can determine if the TWIC card appears on the TSA Cancelled Card List (CCL). There is currently no way to check the card s presence on the CCL using visual inspection procedures -- only a TWIC reader can perform this function. Further, we believe that incorporating additional information to the CCL, such as the card serial number (to make it usable in a visual inspection protocol) will not be in the best interests of the government or maritime stakeholders. The addition of information that would tie the CCL entries to printed information on the surface of the TWIC card may itself present a security risk and cause the CCL to be designated as Security Sensitive Information (SSI). This designation would require additional security measures such as limiting the distribution of the CCL to only those with SSI access privileges and would likely result in a significant administrative burden for maritime operators. We believe that reliance on visual inspection will create significant security vulnerabilities by making it relatively easy to breach the perimeter of a facility or vessel by presenting a fake, stolen or borrowed TWIC card. Reliance on a repetitive human process is problematic as even well-intended staff will become distracted, less attentive, or vulnerable to someone talking their way onto a facility or vessel. In addition, posting security personnel at vehicle gates creates a safety issue where personnel could be injured or killed by vehicles approaching the gate area. As previously stated, the Federal government has determined that visual inspection procedures provide little or no assurance in the identity of the card holder when used for physical access and such procedures have been deprecated to reflect this finding in the most recent PIV standard issued by NIST 2. Record keeping should be extended to visual inspection The Smart Card Alliance agrees with the requirement for record keeping of TWIC reader transactions and supports the proposal to treat retained transaction records as SSI if it contains personally identifiable information such as cardholder name. If transaction logs contain only anonymous data such as FASC-N, date, and time, we see no reason that it should be treated as SSI. We also recommend that the transaction log records include entry point location. Further, if transaction logs are useful for auditing and enforcement purposes, then only requiring the keeping of such records when it is convenient (e.g., through the use of automated readers) limits the usefulness of keeping transaction logs at all. Therefore, we recommend that the Coast Guard consider also requiring transaction logs when visual inspection is used and when any nonautomated exception situation is encountered (e.g., escorted visitors, recurring unescorted access). Reader cost estimates should be offset by personnel savings In its economic analysis, it does not appear that the Coast Guard included the avoided personnel cost that maritime operators will realize by not requiring security personnel to perform visual inspection procedures at every entry point as would be the requirement if readers were not implemented. 2 See Section Physical Access Federal Information Processing Standard (FIPS 201-2) - Personal Identity Verification of Federal Employees and Contractors (draft) which can be accessed at

4 Reader implementation cost estimates should not be extrapolated from pilot cost data The Coast Guard is using data on FY06 and FY07 grants, as captured in the TWIC Pilot Study, to project the costs of TWIC reader implementation in a nationwide deployment. It was noted in the Coast Guard s analysis that these funds were not funds that facilities decided to spend out of their own resources. Further, the analysis reveals that these grant funds were not used to comply with specific regulatory requirements since none existed. In addition, the analysis stated that pilot participants used these grant funds to make discretionary investments that were not directly related to TWIC reader implementation. Examples included guard stations, lift gates, and fencing. However, the Coast Guard included these costs in its estimate of TWIC reader installation costs. The TWIC Pilot was quite productive in generating data and lessons learned but should not be treated as the main source for cost data associated with the national deployment of TWIC readers. As second generation readers have been deployed since the TWIC Pilot, reader cost has been reduced and integration with physical access control systems (PACS) has been simplified as a result of enhanced integration tools and more experienced installation staff. These as well as other factors result in less cost for product procurement, installation, and maintenance and improved usability. Reader cost does not necessarily need to be a major expense for those affected ports and operators. In the case where a PACS is already present to support perimeter access points, it is possible to add a reader to the existing system. While this will likely require a PACS software upgrade to add the ability to check the Canceled Card List, it would not be necessary to purchase an entirely new PACS software system. Thus for those terminals that have PACS at their existing gates, the incremental expense of adding approved TWIC readers would compare favorably to the cost of staffing a security person for visual inspection. For those maritime operators that do not have a pre-existing PACS system, there are costeffective stand-alone solutions which can be implemented. These systems provide readers and the necessary software to read and validate TWIC cards and verify the identity of the cardholder. For these installations, an all-encompassing PACS (and its associated expense) is not required to electronically validate TWIC credentials. These stand-alone system readers can be used at more remote gates where the PACS does not extend or for a backup system in the event that a port must go to an elevated threat level. The Smart Card Alliance believes that the cost of TWIC reader implementation has fallen since the TWIC Pilot and continues to drop as products and markets mature. Therefore, we believe that the cost data used in the economic analysis is not representative of the current cost for TWIC reader deployment because it is either outdated or inflated with TWIC Pilot costs that were unnecessary to facilitate TWIC reader use. We recommend that the Coast Guard conduct a new reader cost analysis using more current information that is representative of today s TWIC reader products.

5 Average TWIC reader acquisition costs are overstated The Preliminary Regulatory Analysis and Initial Regulatory Flexibility Analysis (RA) document that was included on the NPRM docket provides the supporting cost detail for the NPRM. On page 36 of the RA document, the average cost for fixed and portable reader hardware and software is provided as follows: Fixed Portable Hardware Cost $2,271 $5,384 Software Cost $10,228 $8,652 Total Average Cost $12,499 $14,036 The Smart Card Alliance believes that the total average cost for fixed and portable readers is significantly overstated by the Coast Guard in its cost analysis. After further review, we conclude that the Coast Guard s analysis included software cost estimates from a single vendor that does not provide reader hardware. We believe that the reason that the Coast Guard was unable to find other prices for reader software on the GSA Schedule is that many reader manufacturers include the cost of the on-board reader software in the cost of their hardware. Also, a study conducted by the International Biometrics & Identification Association (IBIA) in June, 2011, provided an estimate of the total average cost for TWIC readers of $4,250. This analysis included software, but excluded installation and integration cost and is summarized below 3. Fixed (Outdoor) Portable Hardware Cost $3,250 $2,750 Software Cost $1,000 $1,500 Total Average Cost $4,250 $4,250 We believe that the IBIA estimate is a more accurate representation of typical acquisition cost of TWIC readers. However, we recommend that the Coast Guard conduct a new reader cost analysis using current information that is representative of today s TWIC reader products. 3 The IBIA TWIC Reader Acquisition Cost Estimates can be downloaded from the IBIA Web site at

6 Delays associated with reader transaction failures are overstated In its economic analysis for the NPRM, the Coast Guard included opportunity cost estimates associated with time delays resulting from failed TWIC reader transactions which were estimated at 17.1% of all reader transactions during the TWIC Pilot. We believe that this failure rate, and corresponding estimated delays in access throughput, are not representative of what would be experienced in a national deployment of TWIC readers for the following reasons: At the time of the pilot (from August 2008 through May 2011), there was a high percentage of TWIC cards that exhibited internal radio frequency (RF) antenna failure that made it impractical to use the TWIC cards in the contactless mode. Card manufacturers have implemented significant changes to the design and manufacturing process of the card body that mitigated the contactless antenna problem. The newer design TWIC cards have been in production since the fall of 2009 and are far more durable than earlier versions. All of the older design TWIC cards will be completely flushed out of the active TWIC card inventory by the time that readers are required by Coast Guard regulation. Users participating in the pilot were largely unfamiliar with the use of readers and this lack of habituation may have contributed to improper card presentation or improper use of the biometric feature. The TWIC Pilot was very important in that it contributed significantly to TWIC reader performance improvement and lessons learned. However, the TWIC reader transaction failure rate experienced during the pilot should not be treated as representative of the experience that maritime operators will have in the future. Current TWIC reader implementations provide more realistic throughput data The data generated and collected during the TWIC Pilot was important as suppliers of both cards and readers learned what worked and what didn t work. As a result, the technology industry was able to identify areas for improvement and develop solutions to problems encountered. Technology suppliers who participated in the Pilot became aware of technology-related challenges and made product improvements. The result is a second generation of cards and TWIC readers. For example, one of the largest high-volume container terminal operators in the U.S., SSA Marine in California, has deployed second-generation TWIC readers at their pedestrian and truck gates 4. They are currently using the contact interface on their readers because of the early problem with TWIC card contactless antenna failure. Over a period of about a year, this operator has recorded over 1 million TWIC reader transactions by 25,000 registered users and have an average transaction time of 3.5 seconds including fingerprint verification, expiration checking, card validity checking and revocation checking. Readers have significantly enhanced access throughput for trucks at this operator s busiest terminal. In terms of security benefits, at one of their facilities they have interdicted over 2,400 entry attempts where a TWIC card was presented that was found to be on the TSA list of revoked cards. As previously stated, none of these unauthorized transactions would have been detected using visual 4 The following performance metrics were obtained from AIA CES professional education course presentation posted to TWIC Reader NPRM Docket (USCG )

7 inspection protocols. This operator has enhanced facility throughput and facility security by deploying TWIC second-generation TWIC readers. Cancelled Card List download does not take 30 minutes The analysis that supports the NPRM estimates that download of the CCL from the TSA TWIC Web site will take 30 minutes and factors this into the cost for each facility to deploy TWIC readers. However, there is virtually no overhead or effort associated with CCL download by electronic means. In fact, this download takes about 5 seconds using a typical broadband network connection and should not be included in the NPRM reader cost calculation at all. We recommend that maritime operators be required to download the latest version of the CCL every 12 hours regardless of MARSEC level. TWIC readers can help identify cards that were obtained through unreported theft Page of the NPRM states that TWIC readers will not help identify valid cards that were obtained via fraudulent means, e.g., through unreported theft or the use of fraudulent IDs. However, TWIC readers can identify cards that were obtained through unreported theft of the TWIC card by performing biometric verification of the cardholder. This statement in the NPRM should be corrected. General cargo container terminals should be required to use TWIC readers We also are concerned that the highest risk category excludes large general cargo container terminals. There are only three container terminals in Risk Group A, and none of these are in the top ten ranking in terms of container traffic tonnage. We assume that most of the large container terminals are classified in Risk Group B, yet they account for 85% of the nation s container cargo. These facilities are crucial components of the U.S. National Critical Infrastructure where a disruption of operations to any of these facilities could have a significant negative impact on the nation s economy. Further, these facilities process a high volume of access transactions and represent a substantial portion of the TWIC cardholder population. We believe that the Coast Guard s risk analysis should have given more weight to the secondary economic consequences that would result from disruption of these facilities because of a terrorist security incident. It would seem more appropriate to require the use of readers at large general cargo container terminals in both Risk Groups A and B or re-classify them into Risk Group A. A vessel at sea should be required to update the CCL under certain circumstances The NPRM states that a vessel at sea for extended periods of time will not be required to update the CCL when there are no new individuals seeking access to secure areas and card validity was properly confirmed when the TWIC holders boarded the vessel. However, if a vessel has separate and distinct secure areas, and TWIC readers are placed at these entry points to secure crew access, then updates of the CCL should be performed at the normal interval. Of course, this assumes that an Internet connection is available on the vessel. Such a procedure would ensure that an existing crew member identified as a security threat subsequent to boarding would have access privileges revoked pending further investigation about the reason for the CCL entry. A vessel s security plan should provide full utilization of TWIC security measures where the capability exists to do so.

8 About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit Contact Randy Vanderhoof, Smart Card Alliance Executive Director rvanderhoof@smartcardalliance.org,