TWIC Program Overview for the Smart Cards in Government Conference March 10, 2004

Transcription

1 Transportation Worker Identification Credential (TWIC) TWIC Program Overview for the Smart Cards in Government Conference March 10, 2004

2 TWIC Program Vision Improve security by establishing a system-wide common credential, used across all transportation modes, for all personnel requiring unescorted physical and/or logical access to secure areas of the transportation system. Goals Improve security Enhance commerce Protect personal privacy 2

3 Related Legislation USA PATRIOT Act of 2001 Requires states to conduct background checks through the Attorney General and TSA before issuing licenses to individuals to transport hazardous materials in commerce. Aviation and Transportation Security Act of 2001 (ATSA) Grants the TSA Administrator broad authority for transportation security; requires TSA to ensure the adequacy of security measures at airports; directs strengthened access control points in airport secured areas; and, requires TSA to consider the use of biometric, or similar technologies, to identify individuals employed at airports. Maritime Transportation Security Act of 2002 (MTSA) Requires the issuance of biometric transportation security cards and the completion of background checks for entry to any secure area of a vessel or facility. 3

4 Threat Terrorists Gain Access to Secure Areas of the Transportation System by Compromising Current Identity Management and Access Control Systems Potential Methods Employed Falsifying identity to obtain valid credential Obtaining valid credential issued without background check Stealing, or otherwise obtaining, a valid credential that allows access without secondary protection (i.e., biometric) Tampering with, or creating, a credential Using a properly issued credential subsequent to being identified as a terrorist threat 4

5 Threat Response Requirements Uniformly and consistently ascertain identities The claimed identity of persons accessing secure areas are not currently uniformly and consistently verified. Preventing persons claiming false identities from accessing secure areas is critical. Uniformly and consistently match an individual to a valid credential and background check using biometric technology Lack of biometric features on credentials allows use by unauthorized individuals. Uniformly and consistently conduct access threat assessment using name based checks through the Threat Screening Center and National Threat List The revocation of access privileges is not, and cannot, be consistently accomplished without a uniform process. Provide a tamper-resistant credential Currently, the tamper-resistance of identity credentials varies widely. Credentials may be compromised to permit access by unauthorized individuals. 5

6 Scope of TWIC The TWIC is a tool to be used for identity authentication. Possession of a valid TWIC allows the holder access into areas to which they are granted privileges. Only facilities grant access. Facilities have complete control over who is granted access to secure areas, and what level of access is granted. The TWIC program allows individual facilities to control access to the areas they define as secure and will allow individual facilities to specify additional access requirements. The TWIC program will provide a revocation alert to facilities for holders who should no longer be granted access to secure areas. 6

7 TWIC Program Benefits Enhances Commerce Improves Security Increases process speed Reduced risk of and efficiency fraudulent or altered T Enables improved credentials management and Biometrics used for utilization of resources secure, positive match W Expanded e-government of individual to potential authorized access level Public private and clearances I partnership Ability to interface and Economies of scale communicate with other purchasing federal, local, and state C agencies Eliminates need for redundant credentials and Ability to disseminate background threat alerts investigations Leverages current security investment and legacy systems Protects Individual Privacy Collection of minimum data elements Secure record control system and network Employs advanced information technology to protect personal information System-wide encryption implementation 7

8 Stakeholder Engagement Actively engaged with Key Stakeholders at federal, national, regional, and local levels 800+ National level transportation-related stakeholder organizations Active participants on international and federal standards organizations Three regional TWIC-based organizations tested different organizational models during pilot phases TWIC field teams engaged at 40+ local facilities TWIC message resonates with our Stakeholders TWIC s key goals of improved security, enhanced commerce and protection of privacy were derived from stakeholder input TWIC architectural model approaches security and cost from the national perspective Accelerating support from diverse stakeholder groups to participate in TWIC prototypes and implementation Key industry stakeholders have identified their strong desire to accelerate TWIC implementation to help local facility and transportation modes avoid duplicative costs for security improvements Final DHS decision process with regard to TWIC will include results from upcoming TWIC prototype 8

9 Prototype Overview 2 Enrollment Centers 6 Card Production Facility 7 1 Transportation Workers Local Facilities / Employers 8 4 Identity Management System (IDMS) Database Queries Name-Based Name-Based Terrorist-Focused Terrorist-Focused Risk Risk Assessment Assessment Office Office of of National National Risk Risk Assessment Assessment (ONRA) (ONRA) 3 5 Numbers Indicate Workflow Order 9

10 Privacy Protection Measures Minimum Data: Collect and retain only data that is absolutely necessary Limit Use: Use the data only for the purpose for which it was collected Data Quality: Ensure data maintained is accurate, complete, current, and relevant Data Security: Secure and protect data from unauthorized use (physical and cyber) Accountability: Use internal controls to protect the privacy of individual information Procedural Safeguards: Use logical access authentication for those who have access to any part of data. Data will be filtered to preclude access by unauthorized individuals. 10

11 Technology Evaluation Accomplishments 3 Months Planning To-Be Analysis Requirements Baseline 5 Months Technology Evaluation Evaluate Range of Potential Technologies for Core Business Process and Requirements Today Prototype Planning 7 Months Prototype Proof of Concept Evaluate Access Technologies for Full Range of Business Processes, Policies, and Requirements Tested five card-based technologies at 12 transportation facilities in two regions: Integrated Circuit Chip 2-D Barcode Magnetic Stripe Optical Memory Stripe Linear Bar Code Issued cards to a broad range of transportation workers: Union workers (ILWU, AFL-CIO, etc.) Independent truck drivers Crane operators Non-union workers, managers, owners Security guards Airline mechanics Pipeline workers Railroad employees Tug boat crews Evaluated each technology in a variety of physical and logical access transactions: Vehicle gates Staffed guard stations IT system sign-on Truck multi-lanes Unattended building entrances Internal building doors Unattended gates High volume pedestrian turnstile Parking garage exit points Evaluated central card production feasibility: Produced the final increment of cards for the West Coast region at the DHS facility in Corbin KY Operated enrollment centers, local issuance, help desk, and card management systems. 11

12 Prototype Goals Confirm Performance of Conceptual TWIC Identity Management Business Processes and Determination of Implementation Strategy Verifying Claimed Identity Capturing Biometric Information Conducting Terrorist Threat Assessment Integrating Assessment Results with Issuance System Producing in Volume High Quality, Tamper Resistant Cards Confirming Operation of Database Infrastructures Conducting Initial Testing of Contactless Card Providing for Multiple Approaches Confirm Performance of TWIC as an Access Control Tool Using Selected Credential Technologies with Biometric as Access Control Tool Confirming Operation of Facility / TWIC Interfaces Confirming hot list and Revocation Capability Ensure Readiness of TWIC System for Implementation Phase Using a comprehensive Prototype evaluation plan including a detailed cost benefit analysis 12

13 Potential Prototype Participants and Processes Pipeline Air Rail Oth Port of Wilmington, DE Packer Avenue Terminal, PA Penns Terminal, PA Beckett Street Terminal, NJ APL Terminal, CA Maersk Terminal, CA LBCT Terminal, CA Crowley Marine, CA 14 Florida Sea Ports Delaware River & Bay Maritime Exch, PA Port HQ Long Beach, CA Port HQ Los Angeles, CA BP Refinery, CA Conoco Phillips Oil Refinery, PA Purpose: Broaden evaluation using multiple technologies over the full range of business processes and requirements. Maritime PHL Airport, PA LAX Airport, CA Union Pacific Rail ITCF, CA Customs House, PA East Coast Sites West Coast Sites Florida Seaports HQ TWIC Multi-Application / Multi-Technology Solution X X X X X X X X X X X X X X X X X X Contactless X X X X X Biometrics X X X X X X X X 13

14 Prototype Timeline Release RFP Award Contract FY-04 FY05 Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan FY-05 Feb Conduct System Demonstration Plan Test/Evaluation at East; West; and FL Sites Confirm Prototype Concept; Begin Full Prototype Test Conduct Florida Prototype Operations Conduct East / West Coast Prototype Operations Begin TWIC Issuance Begin TWIC Issuance Report Preliminary Prototype Results Begin IRB Review DHS Decision Milestone *Begin Transition to Implementation *based on DHS decision 14

15 15