Comments of the Smart Card Alliance to the U.S. Coast Guard: Transportation Worker Identification Credential (TWIC) Reader Requirements Notice of Proposed Rulemaking (NPRM)
Docket ID: USCG
June 17, 2013

The Smart Card Alliance is respectfully submitting comments in response to the U.S. Coast Guard's Transportation Worker Identification Credential (TWIC) Reader Requirements Notice of Proposed Rulemaking (NPRM). The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart card technology, leading industry discussion on the impact and value of smart cards in the U.S. We appreciate the opportunity to comment on the Coast Guard's Notice of Proposed Rulemaking (NPRM) relating to the use of TWIC readers.

The NPRM does not satisfy Congressional intent

The Smart Card Alliance believes that Congress passed the Maritime Transportation Security Act of 2002 (MTSA) with the intent of implementing minimum security procedures that would limit unescorted access to secure areas of maritime facilities and vessels to only those workers who were properly vetted and cleared by the U.S. government and whose identity and status can be electronically verified through the presentation of a biometric transportation security card to a reader. Over 2.4 million cleared maritime workers have been issued a Transportation Worker Identification Credential (TWIC), which is a tamper-resistant, biometrically-enabled smart card that can be used in conjunction with an electronic reader to establish (i) that it is a valid card issued by TSA and not a forgery, (ii) that the card has not expired, (iii) that the card has not been revoked by TSA for cause, and (iv) that the person presenting the card is the same person to whom the card was issued.

Use of TWIC cards in conjunction with TWIC readers will prevent potential terrorists or other adversaries from obtaining unescorted access to secure areas of maritime facilities and vessels. We believe that the NPRM's risk-based approach, which waives the requirement for TWIC readers for the vast majority of TWIC access transactions, falls far short of the Congressional intent and does not achieve the enhanced security objectives that were anticipated. We do not believe that Congress intended for the TWIC card to be used primarily as a flash pass when it enacted the Maritime Transportation Security Act of 2002 (MTSA). In that legislation, Congress recognized that U.S. ports are particularly vulnerable to breaches in security and found that "biometric identification procedures for individuals having access to secure areas in port facilities are important tools to deter and prevent port cargo crimes, smuggling, and terrorist actions" [1].

Visual inspection does not provide adequate security

The proposed rulemaking would limit the mandatory TWIC reader requirement to only 532 of 3,270 facilities, 38 of 13,825 vessels, and 5% of the issued TWIC cardholders. For the remaining 2,738 facilities, 13,727 vessels and 95% of the TWIC holders, authorization decisions would rely on visual inspection by security staff, who would be responsible for validating each TWIC card and confirming that the TWIC card is indeed in the hands of the authorized individual for each access transaction. We do not believe that visual inspection meets the security objectives intended by Congress. As competent as the facility and vessel security staff may be, we do not believe that visual inspection is an effective method of controlling access to our critical maritime infrastructure. The National Institute of Standards and Technology (NIST) concurs with this view in its guidance for e-authentication, and has stated that visual inspection of an ID card offers little or no assurance in the claimed identity of a federal employee or contractor seeking unescorted access to government facilities. The TWIC card is derived from the same technical specification, and uses the same card stock, as the Personal Identity Verification (PIV) card used by millions of Federal workers for access to government facilities and information systems. Accordingly, these two credentials should share the same concerns regarding level of identity assurance.

NIST has published guidance in this regard in its Special Publication SP, which states the following: "The PIV Card mitigates the risk of visual counterfeiting through its capability for rapid electronic authentication, and to a lesser degree, by the presence of one or more security features on the surface of the card. Given the ready availability of high-quality scanners, graphic editing software, card stock, and smart card printers, electronic verification is strongly recommended, either in place of the VIS authentication mechanism or in combination with it."

The Smart Card Alliance believes that it is ineffective to rely on visual inspection of TWIC cards as a primary security protocol for 95% of the maritime user population as proposed in this NPRM. Visual inspection alone is a weak authentication mechanism and does not provide the level of identity assurance that an electronic reader can provide. Therefore, we strongly recommend that the Coast Guard expand the scope of the proposed regulation to make the use of readers mandatory for a majority of the facilities and vessels currently identified in Risk Group B.

The TWIC card has specific security features that are designed only for use by reader devices. A reader can check that the TWIC card was issued by TSA and is not a forgery or copy. A reader can also verify that the card holder is the same person who was originally issued the card by comparing their fingerprint against the fingerprint record stored on the card. In addition to checking that a card has not expired, only a reader can determine if the TWIC card appears on the TSA Cancelled Card List (CCL). There is currently no way to check the card's presence on the CCL using visual inspection procedures; only a TWIC reader can perform this function. Further, we believe that incorporating additional information into the CCL, such as the card serial number (to make it usable in a visual inspection protocol), will not be in the best interests of the government or maritime stakeholders. The addition of information that would tie the CCL entries to printed information on the surface of the TWIC card may itself present a security risk and cause the CCL to be designated as Security Sensitive Information (SSI). This designation would require additional security measures, such as limiting the distribution of the CCL to only those with SSI access privileges, and would likely result in a significant administrative burden for maritime operators.

We believe that reliance on visual inspection will create significant security vulnerabilities by making it relatively easy to breach the perimeter of a facility or vessel by presenting a fake, stolen or borrowed TWIC card. Reliance on a repetitive human process is problematic, as even well-intended staff will become distracted, less attentive, or vulnerable to someone talking their way onto a facility or vessel. In addition, posting security personnel at vehicle gates creates a safety issue where personnel could be injured or killed by vehicles approaching the gate area. As previously stated, the Federal government has determined that visual inspection procedures provide little or no assurance in the identity of the card holder when used for physical access, and such procedures have been deprecated to reflect this finding in the most recent PIV standard issued by NIST [2].

[1] See PUBLIC LAW, Nov. 25, 2002, Title 1, Section 101.
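The four reader checks described above, worked through as an added example; this is constructed illustration code, not code from the Smart Card Alliance, TSA or any TWIC reader product. It assumes the card data has already been read from the chip, uses an HMAC as a stand-in for the issuer signature a real reader verifies, stands in exact template comparison for a fingerprint matcher, and treats the FASC-N values, templates and Cancelled Card List contents as made-up sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stand-in for the issuer's signing key: a real reader verifies TSA's
# asymmetric signature over the card data, which HMAC only approximates here.
ISSUER_KEY = b"constructed-demo-issuer-key"
# Refresh interval for the Cancelled Card List (CCL) recommended in the comments.
CCL_MAX_AGE = timedelta(hours=12)


@dataclass(frozen=True)
class Card:
    fascn: str                  # Federal Agency Smart Credential Number from the chip
    expires: datetime
    fingerprint_template: bytes
    signature: bytes            # issuer signature binding the three fields above


def sign_card(fascn: str, expires: datetime, template: bytes, key: bytes = ISSUER_KEY) -> bytes:
    message = f"{fascn}|{expires.isoformat()}|".encode() + template
    return hmac.new(key, message, hashlib.sha256).digest()


def issue_card(fascn: str, expires: datetime, template: bytes) -> Card:
    return Card(fascn, expires, template, sign_card(fascn, expires, template))


@dataclass(frozen=True)
class CancelledCardList:
    entries: frozenset
    downloaded_at: datetime


def parse_ccl(text: str, downloaded_at: datetime) -> CancelledCardList:
    """One FASC-N per line; blank lines and '#' comments are ignored."""
    entries = {
        line.strip() for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return CancelledCardList(frozenset(entries), downloaded_at)


def ccl_is_current(ccl: CancelledCardList, now: datetime) -> bool:
    return now - ccl.downloaded_at <= CCL_MAX_AGE


def validate(card: Card, live_template: bytes, ccl: CancelledCardList,
             now: datetime, entry_point: str) -> dict:
    """Run the four reader checks in order, stopping at the first failure.

    Returns an anonymous transaction record (FASC-N, time, entry point,
    outcome) that carries no cardholder name.
    """
    expected = sign_card(card.fascn, card.expires, card.fingerprint_template)
    if not hmac.compare_digest(card.signature, expected):
        reason = "issuer signature invalid (forged or altered card)"
    elif card.expires <= now:
        reason = "card expired"
    elif card.fascn in ccl.entries:
        reason = "card on Cancelled Card List"
    elif not hmac.compare_digest(live_template, card.fingerprint_template):
        # A real matcher scores similarity; exact comparison stands in for it here.
        reason = "fingerprint does not match on-card template"
    else:
        reason = "all checks passed"
    return {
        "fascn": card.fascn,
        "time": now.isoformat(),
        "entry_point": entry_point,
        "granted": reason == "all checks passed",
        "reason": reason,
        "ccl_current": ccl_is_current(ccl, now),
    }


# Constructed sample data: every FASC-N, template and list entry below is made up.
NOW = datetime(2013, 6, 17, 8, 0, tzinfo=timezone.utc)
SAMPLE_CCL = parse_ccl("# constructed list\n7000-0001-000007\n7000-0001-000042\n",
                       downloaded_at=NOW - timedelta(hours=2))
STALE_CCL = parse_ccl("7000-0001-000007\n", downloaded_at=NOW - timedelta(hours=13))
GOOD_CARD = issue_card("7000-0001-000001", NOW + timedelta(days=365), b"template-A")
REVOKED_CARD = issue_card("7000-0001-000007", NOW + timedelta(days=365), b"template-B")
EXPIRED_CARD = issue_card("7000-0001-000003", NOW - timedelta(days=1), b"template-C")
FORGED_CARD = Card("7000-0001-000009", NOW + timedelta(days=365), b"template-D", b"\x00" * 32)


def demo() -> list:
    """Five access transactions plus one against an out-of-date CCL."""
    return [
        validate(GOOD_CARD, b"template-A", SAMPLE_CCL, NOW, "truck gate 3"),
        validate(REVOKED_CARD, b"template-B", SAMPLE_CCL, NOW, "truck gate 3"),
        validate(EXPIRED_CARD, b"template-C", SAMPLE_CCL, NOW, "pedestrian gate 1"),
        validate(FORGED_CARD, b"template-D", SAMPLE_CCL, NOW, "pedestrian gate 1"),
        validate(GOOD_CARD, b"template-X", SAMPLE_CCL, NOW, "pedestrian gate 1"),  # borrowed card
        validate(GOOD_CARD, b"template-A", STALE_CCL, NOW, "truck gate 3"),
    ]


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The last record is granted but flagged `ccl_current: False`, which is the condition an operator would see if the 12-hour CCL refresh had been missed.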
Record keeping should be extended to visual inspection

The Smart Card Alliance agrees with the requirement for record keeping of TWIC reader transactions and supports the proposal to treat retained transaction records as SSI if they contain personally identifiable information such as cardholder name. If transaction logs contain only anonymous data such as FASC-N, date, and time, we see no reason that they should be treated as SSI. We also recommend that the transaction log records include entry point location. Further, if transaction logs are useful for auditing and enforcement purposes, then requiring such records to be kept only when it is convenient (e.g., through the use of automated readers) limits the usefulness of keeping transaction logs at all. Therefore, we recommend that the Coast Guard consider also requiring transaction logs when visual inspection is used and when any non-automated exception situation is encountered (e.g., escorted visitors, recurring unescorted access).

Reader cost estimates should be offset by personnel savings

In its economic analysis, it does not appear that the Coast Guard included the avoided personnel cost that maritime operators will realize by not requiring security personnel to perform visual inspection procedures at every entry point, as would be the requirement if readers were not implemented.

[2] See the Physical Access section of Federal Information Processing Standard (FIPS 201-2), Personal Identity Verification of Federal Employees and Contractors (draft), which can be accessed at

Reader implementation cost estimates should not be extrapolated from pilot cost data

The Coast Guard is using data on FY06 and FY07 grants, as captured in the TWIC Pilot Study, to project the costs of TWIC reader implementation in a nationwide deployment. It was noted in the Coast Guard's analysis that these funds were not funds that facilities decided to spend out of their own resources. Further, the analysis reveals that these grant funds were not used to comply with specific regulatory requirements, since none existed. In addition, the analysis stated that pilot participants used these grant funds to make discretionary investments that were not directly related to TWIC reader implementation. Examples included guard stations, lift gates, and fencing. However, the Coast Guard included these costs in its estimate of TWIC reader installation costs. The TWIC Pilot was quite productive in generating data and lessons learned, but should not be treated as the main source for cost data associated with the national deployment of TWIC readers. As second generation readers have been deployed since the TWIC Pilot, reader cost has been reduced and integration with physical access control systems (PACS) has been simplified as a result of enhanced integration tools and more experienced installation staff. These as well as other factors result in less cost for product procurement, installation, and maintenance, and improved usability.

Reader cost does not necessarily need to be a major expense for those affected ports and operators. In the case where a PACS is already present to support perimeter access points, it is possible to add a reader to the existing system. While this will likely require a PACS software upgrade to add the ability to check the Cancelled Card List, it would not be necessary to purchase an entirely new PACS software system. Thus, for those terminals that have PACS at their existing gates, the incremental expense of adding approved TWIC readers would compare favorably to the cost of staffing a security person for visual inspection. For those maritime operators that do not have a pre-existing PACS system, there are cost-effective stand-alone solutions which can be implemented. These systems provide readers and the necessary software to read and validate TWIC cards and verify the identity of the cardholder. For these installations, an all-encompassing PACS (and its associated expense) is not required to electronically validate TWIC credentials. These stand-alone system readers can be used at more remote gates where the PACS does not extend, or as a backup system in the event that a port must go to an elevated threat level.

The Smart Card Alliance believes that the cost of TWIC reader implementation has fallen since the TWIC Pilot and continues to drop as products and markets mature. Therefore, we believe that the cost data used in the economic analysis is not representative of the current cost for TWIC reader deployment, because it is either outdated or inflated with TWIC Pilot costs that were unnecessary to facilitate TWIC reader use. We recommend that the Coast Guard conduct a new reader cost analysis using more current information that is representative of today's TWIC reader products.

Average TWIC reader acquisition costs are overstated

The Preliminary Regulatory Analysis and Initial Regulatory Flexibility Analysis (RA) document that was included on the NPRM docket provides the supporting cost detail for the NPRM. On page 36 of the RA document, the average cost for fixed and portable reader hardware and software is provided as follows:

                      Fixed      Portable
Hardware Cost         $2,271     $5,384
Software Cost         $10,228    $8,652
Total Average Cost    $12,499    $14,036

The Smart Card Alliance believes that the total average cost for fixed and portable readers is significantly overstated by the Coast Guard in its cost analysis. After further review, we conclude that the Coast Guard's analysis included software cost estimates from a single vendor that does not provide reader hardware. We believe that the reason the Coast Guard was unable to find other prices for reader software on the GSA Schedule is that many reader manufacturers include the cost of the on-board reader software in the cost of their hardware. Also, a study conducted by the International Biometrics & Identification Association (IBIA) in June 2011 provided an estimate of the total average cost for TWIC readers of $4,250. This analysis included software, but excluded installation and integration cost, and is summarized below [3].

                      Fixed (Outdoor)   Portable
Hardware Cost         $3,250            $2,750
Software Cost         $1,000            $1,500
Total Average Cost    $4,250            $4,250

We believe that the IBIA estimate is a more accurate representation of the typical acquisition cost of TWIC readers. However, we recommend that the Coast Guard conduct a new reader cost analysis using current information that is representative of today's TWIC reader products.

[3] The IBIA TWIC Reader Acquisition Cost Estimates can be downloaded from the IBIA Web site at

Delays associated with reader transaction failures are overstated

In its economic analysis for the NPRM, the Coast Guard included opportunity cost estimates associated with time delays resulting from failed TWIC reader transactions, which were estimated at 17.1% of all reader transactions during the TWIC Pilot. We believe that this failure rate, and the corresponding estimated delays in access throughput, are not representative of what would be experienced in a national deployment of TWIC readers for the following reasons:

- At the time of the pilot (from August 2008 through May 2011), there was a high percentage of TWIC cards that exhibited internal radio frequency (RF) antenna failure that made it impractical to use the TWIC cards in the contactless mode. Card manufacturers have implemented significant changes to the design and manufacturing process of the card body that mitigated the contactless antenna problem. The newer design TWIC cards have been in production since the fall of 2009 and are far more durable than earlier versions. All of the older design TWIC cards will be completely flushed out of the active TWIC card inventory by the time that readers are required by Coast Guard regulation.
- Users participating in the pilot were largely unfamiliar with the use of readers, and this lack of habituation may have contributed to improper card presentation or improper use of the biometric feature.

The TWIC Pilot was very important in that it contributed significantly to TWIC reader performance improvement and lessons learned. However, the TWIC reader transaction failure rate experienced during the pilot should not be treated as representative of the experience that maritime operators will have in the future.

Current TWIC reader implementations provide more realistic throughput data

The data generated and collected during the TWIC Pilot was important, as suppliers of both cards and readers learned what worked and what didn't work. As a result, the technology industry was able to identify areas for improvement and develop solutions to problems encountered. Technology suppliers who participated in the Pilot became aware of technology-related challenges and made product improvements. The result is a second generation of cards and TWIC readers. For example, one of the largest high-volume container terminal operators in the U.S., SSA Marine in California, has deployed second-generation TWIC readers at its pedestrian and truck gates [4]. They are currently using the contact interface on their readers because of the early problem with TWIC card contactless antenna failure. Over a period of about a year, this operator has recorded over 1 million TWIC reader transactions by 25,000 registered users and has an average transaction time of 3.5 seconds, including fingerprint verification, expiration checking, card validity checking and revocation checking. Readers have significantly enhanced access throughput for trucks at this operator's busiest terminal. In terms of security benefits, at one of their facilities they have interdicted over 2,400 entry attempts where a TWIC card was presented that was found to be on the TSA list of revoked cards. As previously stated, none of these unauthorized transactions would have been detected using visual inspection protocols. This operator has enhanced facility throughput and facility security by deploying second-generation TWIC readers.

[4] The performance metrics above were obtained from an AIA CES professional education course presentation posted to the TWIC Reader NPRM Docket (USCG ).

Cancelled Card List download does not take 30 minutes

The analysis that supports the NPRM estimates that download of the CCL from the TSA TWIC Web site will take 30 minutes and factors this into the cost for each facility to deploy TWIC readers. However, there is virtually no overhead or effort associated with CCL download by electronic means. In fact, this download takes about 5 seconds using a typical broadband network connection and should not be included in the NPRM reader cost calculation at all. We recommend that maritime operators be required to download the latest version of the CCL every 12 hours regardless of MARSEC level.

TWIC readers can help identify cards that were obtained through unreported theft

Page of the NPRM states that TWIC readers will not help identify valid cards that were obtained via fraudulent means, e.g., through unreported theft or the use of fraudulent IDs. However, TWIC readers can identify cards that were obtained through unreported theft of the TWIC card by performing biometric verification of the cardholder. This statement in the NPRM should be corrected.

General cargo container terminals should be required to use TWIC readers

We are also concerned that the highest risk category excludes large general cargo container terminals. There are only three container terminals in Risk Group A, and none of these are in the top ten ranking in terms of container traffic tonnage. We assume that most of the large container terminals are classified in Risk Group B, yet they account for 85% of the nation's container cargo. These facilities are crucial components of the U.S. National Critical Infrastructure, where a disruption of operations at any of these facilities could have a significant negative impact on the nation's economy. Further, these facilities process a high volume of access transactions and represent a substantial portion of the TWIC cardholder population. We believe that the Coast Guard's risk analysis should have given more weight to the secondary economic consequences that would result from disruption of these facilities because of a terrorist security incident. It would seem more appropriate to require the use of readers at large general cargo container terminals in both Risk Groups A and B, or to re-classify them into Risk Group A.

A vessel at sea should be required to update the CCL under certain circumstances

The NPRM states that a vessel at sea for extended periods of time will not be required to update the CCL when there are no new individuals seeking access to secure areas and card validity was properly confirmed when the TWIC holders boarded the vessel. However, if a vessel has separate and distinct secure areas, and TWIC readers are placed at these entry points to secure crew access, then updates of the CCL should be performed at the normal interval. Of course, this assumes that an Internet connection is available on the vessel. Such a procedure would ensure that an existing crew member identified as a security threat subsequent to boarding would have access privileges revoked pending further investigation about the reason for the CCL entry. A vessel's security plan should provide full utilization of TWIC security measures where the capability exists to do so.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit

Contact: Randy Vanderhoof, Smart Card Alliance Executive Director, rvanderhoof@smartcardalliance.org
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationCybersecurity Risk and Options Considered by IMO
Cybersecurity Risk and Options Considered by IMO John Jorgensen October 18, 2017 INTERTANKO North American Panel, Houston, TX 2017 American Bureau of Shipping. All rights reserved Agenda for Today s Discussion
More informationCIP Cyber Security Personnel & Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric
More informationDEFINITIONS AND REFERENCES
DEFINITIONS AND REFERENCES Definitions: Insider. Cleared contractor personnel with authorized access to any Government or contractor resource, including personnel, facilities, information, equipment, networks,
More informationTrust Services for Electronic Transactions
Trust Services for Electronic Transactions ROUMEN TRIFONOV Faculty of Computer Systems and Control Technical University of Sofia 8 st. Kliment Ohridski bul., 1000 Sofia BULGARIA r_trifonov@tu-sofia.bg
More informationSmart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012
Smart Card Alliance Update Update to the Interagency Advisor Board (IAB) June 27, 2012 Industry s Access Control Payments (NEW) Mobile & NFC Identity Industry s Healthcare Transportation Access Control
More informationHeavy Vehicle Cyber Security Bulletin
Heavy Vehicle Cyber Security Update National Motor Freight Traffic Association, Inc. 1001 North Fairfax Street, Suite 600 Alexandria, VA 22314 (703) 838-1810 Heavy Vehicle Cyber Security Bulletin Bulletin
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationASSESSMENT LAYERED SECURITY
FFIEC BUSINESS ACCOUNT GUIDANCE RISK & ASSESSMENT LAYERED SECURITY FOR ONLINE BUSINESS TRANSACTIONS New financial standards will assist banks and business account holders to make online banking safer and
More informationHow Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner
How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda Rise in Data Breaches Effects of Increase in Cybersecurity Threats Cybersecurity Framework
More informationMapping to the National Broadband Plan
The National Telecommunications and Information Administration Mapping to the National Broadband Plan 37 th Annual PURC Conference Smart Technology vs. Smart Policy February 3, 2010 1 About NTIA The National
More informationInteragency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008
Interagency Advisory Board HSPD-12 Insights: Past, Present and Future Carol Bales Office of Management and Budget December 2, 2008 Importance of Identity, Credential and Access Management within the Federal
More informationSecurity in a Converging IT/OT World
Security in a Converging IT/OT World Introduction Around the winter solstice, darkness comes early to the citizens of Ukraine. On December 23, 2015, it came a little earlier than normal. In mid-afternoon,
More informationKentucky IT Consolidation
2007 NASCIO Recognition Awards Nomination Category: Enterprise IT Management Initiatives Kentucky IT Consolidation Commonwealth Office of Technology The Commonwealth of Kentucky is nearing completion of
More informationStandard CIP 004 3a Cyber Security Personnel and Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-3a 3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access
More informationMarine Security Overview
Marine Security Overview November 2017 Fred Myer Senior Manager, Marine Security & Waterways fred.myer@portofportland.com 503.415.6542 Port of Portland Facilities Three airports, four marine terminals,
More informationCIP Cyber Security Personnel & Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationBEFORE THE PENNSYLVANIA PUBLIC UTILITY COMMISSION PETITION OF PECO ENERGY COMPANY FOR APPROVAL OF ITS SMART METER UNIVERSAL DEPLOYMENT PLAN
PECO ENERGY COMPANY STATEMENT NO. 2 BEFORE THE PENNSYLVANIA PUBLIC UTILITY COMMISSION PETITION OF PECO ENERGY COMPANY FOR APPROVAL OF ITS SMART METER UNIVERSAL DEPLOYMENT PLAN DOCKET NO. M-2009-2123944
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationIdentity Theft Prevention Policy
Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening
More informationUsing the Prototype TWIC for Access A System Integrator Perspective
Using the Prototype TWIC for Access A System Integrator Perspective AAPA Port Security Seminar and Exhibition, Seattle, WA July 19, 2006 Management and Technology Consultants The Challenge How do I manage
More informationState of Colorado Cyber Security Policies
TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief
More informationRecommendations for Implementing an Information Security Framework for Life Science Organizations
Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationMark Your Calendars: NY Cybersecurity Regulations to Go into Effect
Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect CLIENT ALERT January 25, 2017 Angelo A. Stio III stioa@pepperlaw.com Sharon R. Klein kleins@pepperlaw.com Christopher P. Soper soperc@pepperlaw.com
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationData Protection. Plugging the gap. Gary Comiskey 26 February 2010
Data Protection. Plugging the gap Gary Comiskey 26 February 2010 Data Protection Trends in Financial Services Financial services firms are deploying data protection solutions across their enterprise at
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationRequest for Information Strategies to Improve Maritime Supply Chain Security and Achieve 100% Overseas Scanning
Request for Information Strategies to Improve Maritime Supply Chain Security and Achieve 100% Overseas Scanning May 2, 2016 1 STRATEGIES TO IMPROVE MARITIME SUPPLY CHAIN SECURITY AND ACHIEVE 100% OVERSEAS
More informationEmergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery
Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery A Smart Card Alliance White Paper Publication Date:
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationI. PURPOSE III. PROCEDURE
A.R. Number: 2.11 Effective Date: 2/1/2009 Page: 1 of 5 I. PURPOSE This policy outlines the procedures that third party organizations must follow when connecting to the City of Richmond (COR) networks
More informationWritten Statement of. Timothy J. Scott Chief Security Officer The Dow Chemical Company
Written Statement of Timothy J. Scott Chief Security Officer The Dow Chemical Company Representing The Dow Chemical Company and the American Chemistry Council To the United States Senate Committee on Homeland
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Revised Critical Infrastructure Protection Reliability Standards ) ) Docket No. RM15-14-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC
More informationCOMPTIA CLO-001 EXAM QUESTIONS & ANSWERS
COMPTIA CLO-001 EXAM QUESTIONS & ANSWERS Number: CLO-001 Passing Score: 800 Time Limit: 120 min File Version: 39.7 http://www.gratisexam.com/ COMPTIA CLO-001 EXAM QUESTIONS & ANSWERS Exam Name: CompTIA
More informationAlternative Fuel Vehicles in State Energy Assurance Planning
+ Alternative Fuel Vehicles in State Energy Assurance Planning July 17, 2014 Webinar hosted by the National Association of State Energy Officials (NASEO), with support from the U.S. Department of Energy
More informationBefore the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C
Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C. 20554 In the Matters of Video Device Competition Implementation of Section 304 of the Telecommunications Act of 1996 Commercial Availability
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationState of the Industry and Councils Reports. Access Control Council
State of the Industry and Councils Reports Access Control Council Chairman: Lars R. Suneborn, Sr. Manager, Technical Marketing, Government ID, Oberthur Technologies Property of the Smart Card Alliance
More informationPort Facility Cyber Security
International Port Security Program Port Facility Cyber Security Cyber Security Assessment MAR'01 1 Lesson Topics ISPS Code Requirement The Assessment Process ISPS Code Requirements What is the purpose
More informationROADMAP TO DFARS COMPLIANCE
ROADMAP TO DFARS COMPLIANCE ARE YOU READY FOR THE 12/31/17 DEADLINE? In our ebook, we have answered the most common questions we receive from companies preparing for DFARS compliance. Don t risk terminated
More informationScience & Technology Directorate: R&D Overview
Science & Technology Directorate: R&D Overview August 6 th, 2012 UNCLASSIFIED//FOUO DHS S&T Mission Strengthen America s security and resiliency by providing knowledge products and innovative technology
More informationPolicy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More informationPublished Privacy Impact Assessments on the Web. ACTION: Notice of Publication of Privacy Impact Assessments (PIA).
This document is scheduled to be published in the Federal Register on 03/22/2012 and available online at http://federalregister.gov/a/2012-06847, and on FDsys.gov 9110-9L DEPARTMENT OF HOMELAND SECURITY
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationCyber Security Requirements for Supply Chain. June 17, 2015
Cyber Security Requirements for Supply Chain June 17, 2015 Topics Cyber Threat Legislation and Regulation Nuts and Bolts of NEI 08-09 Nuclear Procurement EPRI Methodology for Procurement Something to think
More informationRobert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group
Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group Presentation Objectives Introductions Cyber security context Cyber security in the maritime sector Developing cybersecurity
More informationTSA/FTA Security and Emergency Management Action Items for Transit Agencies
TSA/FTA Security and Emergency Management Action Items for Transit Agencies AACTION ITEM LIST Management and Accountability 1. Establish Written System Security Programs and Emergency Management Plans:
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationCertiPath TrustVisitor and TrustManager. The need for visitor management in FICAM Compliant PACS
CertiPath TrustVisitor and TrustManager The need for visitor management in FICAM Compliant PACS CertiPath TrustMonitor CertiPath TrustVisitor and TrustManager The need for visitor management in FICAM Compliant
More informationIncentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO
White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationApex Information Security Policy
Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationThe U.S. Government s Role in Standards and Conformity Assessment
The U.S. Government s Role in Standards and Conformity Assessment ASTM International-Russian Federation on Technical Regulating and Metrology Coordinated Program Mary Saunders Chief, Standards Services
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More information