[Federal Register: May 22, 2006 (Volume 71, Number 98)]
[Proposed Rules]
[Page 29395-29462]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr22my06-15]
[[Page 29395]]
-----------------------------------------------------------------------
Part II
Department of Homeland Security
-----------------------------------------------------------------------
Coast Guard
-----------------------------------------------------------------------
Transportation Security Administration
-----------------------------------------------------------------------
33 CFR Parts 1, 20 et al.; 46 CFR Parts 10, 12, and 15
49 CFR Parts 1515, 1570, and 1572
Transportation Worker Identification Credential (TWIC) Implementation
in the Maritime Sector; Proposed Rules
[[Page 29396]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
49 CFR Parts 1515, 1570, 1572
Coast Guard
33 CFR Parts 101, 103, 104, 105, 106, 125; 46 CFR Parts 10, 12, 15
[Docket Nos. TSA-2006-24191; USCG-2006-24196]
RIN 1652-AA41
Transportation Worker Identification Credential (TWIC)
Implementation in the Maritime Sector; Hazardous Materials Endorsement
for a Commercial Driver's License
AGENCY: Transportation Security Administration; United States Coast
Guard, DHS.
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: This is a notice of proposed rulemaking by the Department of
Homeland Security, specifically by the Transportation Security
Administration and the United States Coast Guard. If promulgated, this
rule would implement the Transportation Worker Identification
Credential program in the maritime sector. Under this program, merchant
mariners holding an active License, Merchant Mariner Document, or
Certificate of Registry and workers who require unescorted access to
secure areas at maritime facilities or on vessels must undergo a
security threat assessment, and, if found to not pose a security
threat, obtain a Transportation Worker Identification Credential.
Persons without Transportation Worker Identification Credentials will
not be granted unescorted access to secure areas at affected maritime
facilities or on vessels.
Under this proposed rule, the Coast Guard seeks to amend its
regulations on vessel and facility security to require the use of the
Transportation Worker Identification Credential as an access control
measure. It is also proposing to amend its regulations covering
merchant mariners to incorporate the requirement to obtain a
Transportation Worker Identification Credential. In a separate
rulemaking action published elsewhere in this edition of the Federal
Register, the Coast Guard also is proposing to consolidate existing
licensing and documentation regulations to minimize duplicative or
redundant identification or background check requirements.
The Transportation Security Administration proposes amending its
security threat assessment standards that currently apply to commercial
drivers authorized to transport hazardous materials in commerce to also
apply to merchant mariners and workers who require unescorted access to
secure areas on vessels and at port facilities. These proposed
amendments also relate to the notification an employer receives when an
employee who holds a hazardous materials endorsement or a
Transportation Worker Identification Credential is determined to pose a
security threat. The Transportation Security Administration also is
proposing regulations dealing with the enrollment of port workers into
the Transportation Worker Identification Credential program.
In addition, the Transportation Security Administration is
proposing a fee, as authorized under the Department of Homeland
Security Appropriations Act of 2004, to pay for the costs related to
the issuance of the Transportation Worker Identification Credentials
under this rule.
This rulemaking would enhance the security of ports by requiring
background checks on persons and establishing a biometric access
control system to prevent those who pose a security threat from gaining
unescorted access to secure areas of ports. This rulemaking implements
the Maritime Transportation Security Act of 2002, which requires that
credentialed merchant mariners and workers with unescorted access to
secured areas of vessels and facilities be subject to a security threat
assessment and receive a biometric credential needed to access secured
areas.
DATES: Comments and related material must reach the Docket Management
Facility on or before July 6, 2006. Comments sent to the Office of
Management and Budget (OMB) on collection of information must reach OMB
on or before July 6, 2006.
Public Meetings: TSA and the Coast Guard will hold four public
meetings as follows: Wednesday, May 31, 2006 in Newark, NJ; Thursday,
June 1 in Tampa, FL; Wednesday, June 6 in St. Louis, MO; and Thursday,
June 7 in Long Beach, CA. Interested individuals are invited to attend,
provide comments and ask questions about the proposed rule. TSA and
Coast Guard will provide exact locations and other additional
information about the meetings in another document to be published in
the Federal Register.
ADDRESSES: You may submit comments identified by TSA docket number TSA-
2006-24191 or Coast Guard docket number USCG-2006-24196 to the Docket
Management Facility at the U.S. Department of Transportation. To avoid
duplication, please use only one of the following methods:
(1) Web site: http://dms.dot.gov.
(2) Mail: Docket Management Facility, U.S. Department of
Transportation, Room Plaza 401, 400 Seventh Street SW., Washington, DC
20590-0001.
(3) Fax: 202-493-2251.
(4) Delivery: Room PL-401 on the Plaza level of the Nassif
Building, 400 Seventh Street SW., Washington, DC, between 9 a.m. and 5
p.m., Monday through Friday, except Federal holidays. The telephone
number is 202-366-9329.
(5) Federal eRulemaking Portal: http://www.regulations.gov.
You must mail comments on collection of information to the Office
of Information and Regulatory Affairs, Office of Management and Budget,
725 17th Street NW, Washington, DC 20503, ATTN: Desk Officer, United
States Coast Guard.
See SUPPLEMENTARY INFORMATION for format and other information
about comment submissions.
FOR FURTHER INFORMATION CONTACT: For questions related to TSA's
proposed standards: Rick Collins, Transportation Security
Administration, 601 South 12th Street, Arlington, VA 22202-4220, TWIC
Program, 571-227-3515; e-mail: credentialing@dhs.gov.
For legal questions: Christine Beyer, TSA-2, Transportation
Security Administration, 601 South 12th Street, Arlington, VA 22202-
4220; telephone (571) 227-2657; facsimile (571) 571 1380; e-mail
Christine.Beyer@dhs.gov.
For questions concerning the Coast Guard provisions of this
proposed rule: LCDR Jonathan Maiorine, Commandant (G-PCP-2), United
States Coast Guard, 2100 Second Street, SW., Washington, DC 20593;
telephone 1-877-687-2243.
For questions concerning viewing or submitting material to the
docket: Renee V. Wright, Program Manager, Docket Management System,
U.S. Department of Transportation, Room Plaza 401, 400 Seventh Street,
SW., Washington, DC 20590-0001; telephone (202) 493-0402.
SUPPLEMENTARY INFORMATION:
Public Participation and Request for Comments
We encourage you to participate in this rulemaking by submitting
comments and related materials. All comments received will be posted,
without change, to http://dms.dot.gov
[[Page 29397]]
and will include any personal information you have provided. We have an
agreement with the Department of Transportation (DOT) to use the Docket
Management Facility. Please see DOT's ``Privacy Act'' paragraph below.
Submitting comments: If you submit a comment, please include your
name and address, identify the docket number for this rulemaking (TSA-
2006-24191 or USCG-2006-24196), indicate the specific section of this
document to which each comment applies, and give the reason for each
comment. Please send comments on the TSA portions of the proposed rule
to the TSA docket (TSA-2006-24191), and send comments on the Coast
Guard portions of the proposed rule to the Coast Guard docket (USCG-
2006-24196). You may submit your comments and material by electronic
means, mail, fax, or delivery to the Docket Management Facility at the
address under ADDRESSES; but please submit your comments and material
by only one means. If you submit them by mail or delivery, submit them
in an unbound format, no larger than 8\1/2\ by 11 inches, suitable for
copying and electronic filing. If you submit them by mail and would
like us to acknowledge receipt, please enclose a stamped, self-
addressed postcard or envelope. We will consider all comments and
material received during the comment period. We may change this
proposed rule in view of them.
Handling of Confidential or Proprietary Information and Sensitive
Security Information (SSI) Submitted in Public Comments: Do not submit
comments that include trade secrets, confidential commercial or
financial information, or sensitive security information (SSI) \1\ to
the public regulatory docket. Please submit such comments separately
from other comments on the rulemaking. Comments containing this type of
information should be appropriately marked as containing such
information and submitted by mail to the TSA legal point of contact
listed in the FOR FURTHER INFORMATION CONTACT section.
---------------------------------------------------------------------------
\1\ ``Sensitive Security Information'' or ``SSI'' is informaton
obtained or developed int he conduct of security activities, the
disclosure of which would constitute an unwarranted invasion of
privacy, reveal trade secrets or privileged or confidential
information, or be detrimental tot he security of transportation.
The protection of SSI is governed by 49 CFR part 1520.
---------------------------------------------------------------------------
Upon receipt of such comments, TSA will not place the comments in
the public docket and will handle them in accordance with applicable
safeguards and restrictions on access. TSA will hold them in a separate
file to which the public does not have access, and place a note in the
public docket that TSA has received such materials from the commenter.
If TSA receives a request to examine or copy this information, TSA will
treat it as any other request under the Freedom of Information Act
(FOIA) (5 U.S.C. 552) and the Department of Homeland Security's FOIA
regulation found in 6 CFR part 5.
Viewing comments and documents: To view comments, as well as
documents mentioned in this preamble as being available in the docket,
go to http://dms.dot.gov at any time, click on ``Simple Search,'' enter
the last five digits of the docket number for this rulemaking, and
click on ``Search.'' You may also visit the Docket Management Facility
in Room PL-401 on the Plaza level of the Nassif Building, 400 Seventh
Street, SW., Washington, DC, between 9 a.m. and 5 p.m., Monday through
Friday, except Federal holidays.
Privacy Act: Anyone can search the electronic form of all comments
received into any of our dockets by the name of the individual
submitting the comment (or signing the comment, if submitted on behalf
of an association, business, labor union, etc.). You may review the
Department of Transportation's Privacy Act Statement in the Federal
Register published on April 11, 2000 (65 FR 19477), or you may visit
http://dms.dot.gov.
Abbreviations and Terms Used in This Document
AMS--Area Maritime Security
ASP--Alternative Security Program
ATSA--Aviation and Transportation Security Act
ATF--Bureau of Alcohol, Tobacco, Firearms, and Explosives
CDC--Certain Dangerous Cargo
CDL--Commercial drivers license
CDLIS--Commercial drivers license information system
CHRC--Criminal history records check
CJIS--Criminal Justice Information Services Division
COR--Certificate of Registry
COTP--Captain of the Port
DHS--Department of Homeland Security
DOJ--Department of Justice
DMV--Department of Motor Vehicles
DOT--Department of Transportation
FBI--Federal Bureau of Investigation
FIPS 201--Federal Information Processing Standards Publication 201
FMCSA--Federal Motor Carrier Safety Administration
FMSC--Federal Maritime Security Coordinator
FSP--Facility Security Plan
HME--Hazardous materials endorsement
HSA--Homeland Security Act
HSPD 12--Homeland Security Presidential Directive 12
ICC--Integrated Circuit Chip
MARSEC--Maritime Security
MMD--Merchant Mariner Document
MSC--Marine Safety Center
MTSA--Maritime Transportation Security Act
OCS--Outer Continental Shelf
REC--Regional Exam Center
SAFETEA-LU--Safe, Accountable, Flexible, Efficient Transportation
Equity Act--A Legacy for Users
STCW--International Convention on Standards of Training, Certification,
and Watchkeeping for Seafarers, 1978, as amended
TSA--Transportation Security Administration
TWIC--Transportation Worker Identification Credential
USA PATRIOT Act--Uniting and Strengthening America by Providing
AppropriateTools Required to Intercept and Obstruct Terrorism Act
VSP--Vessel Security Plan
Table of Contents
I. Background and Purpose
II. Development of TWIC Process
III. Proposed Rule
A. Coast Guard
B. TSA
1. TWIC Process
a. Pre-Enrollment and Enrollment
b. Adjudication of Security Threat Assessment
c. Credential Production
d. Credential Activation
e. Using TWIC in an Access Control System
f. Lost, Damaged or Stolen TWICs
g. Renewal
h. Call Center
i. Notifying Employers of Threat Determination
2. Fee
3. TWIC in Other Modes of Transportation
IV. Advisory Committee Participation
V. Section-by-Section Analysis of United States Coast Guard Proposed
Rule
General Introduction
33 CFR Part 101
33 CFR 101.105 Definitions.
33 CFR 101.121 Alternative Security Programs--TWIC Addendum.
33 CFR 101.514 TWIC Requirement.
33 CFR 101.515 Personal identification.
33 CFR Part 103
33 CFR 103.305 Composition of an Area Maritime Security (AMS)
Committee.
33 CFR 103.505 Elements of the Area Maritime Security (AMS) Plan
and 103.510 Area Maritime Security (AMS) Plan review and approval.
33 CFR Part 104
33 CFR 104.105 Applicability.
33 CFR 104.106 Passenger Access Area.
33 CFR 104.115 Compliance dates.
33 CFR 104.120 Compliance documentation.
33 CFR 104.200 Owner or Operator/104.210 Company Security
Officer
[[Page 29398]]
(CSO)/104.215 Vessel Security Officer (VSO)/104.220 Company or
vessel personnel with security duties/104.225 Security training for
all other personnel.
33 CFR 104.235 Vessel recordkeeping requirements.
33 CFR 104.265 Security measures for access control.
33 CFR 104.290 Security incident procedures.
33 CFR 104.295 Additional requirements--cruise ships.
33 CFR 104.405 Format of the Vessel Security Plan (VSP).
New Subpart E (33 CFR 104.500-104.510).
33 CFR Part 105
33 CFR 105.115 Compliance dates.
33 CFR 105.120 Compliance documentation.
33 CFR 105.200 Owner or operator/105.205 Facility Security
Officer (FSO)/105.210 Facility personnel with security duties/
105.215 Security training for all other facility personnel.
33 CFR 105.225 Facility recordkeeping requirements.
33 CFR 105.255 Security measures for access control.
33 CFR 105.280 Security incident procedures.
33 CFR 105.285 Additional requirements-passenger and ferry
facilities.
33 CFR 105.290 Additional requirements-cruise ship terminals.
33 CFR 105.295 Additional requirements-Certain Dangerous Cargo
(CDC) facilities.
33 CFR 105.296 Additional requirements-barge fleeting
facilities.
33 CFR 105.405 Format and content of the Facility Security Plan
(FSP).
New Subpart E (33 CFR 105.500-105.510).
33 CFR Part 106
33 CFR 106.110 Compliance dates.
33 CFR 106.115 Compliance documentation.
33 CFR 106.200 Owner or operator/106.205 Company Security
Officer (CSO)/106.210 OCS Facility Security Officer (FSO)/106.215
Company or OCS Facility personnel with security duties/106.220
Security training for all other OCS facility personnel.
33 CFR 106.230 OCS facility recordkeeping requirements.
33 CFR 106.260 Security measures for access control.
33 CFR 106.280 Security incident procedures.
33 CFR 106.405 Format and content of the Facility Security Plan
(FSP).
New Subpart E (33 CFR 106.500-106.510).
Miscellaneous Items
33 CFR 101.305 (Reporting requirements).
33 CFR 101.400 (Enforcement)
33 CFR 104.130, 105.130, and 106.125 (Waivers).
33 CFR Subpart C Parts 104, 105, and 106 (Security Assessments).
46 CFR Parts 10, 12, and 15.
VI. Section-by-Section Analysis of TSA Proposed Rule
49 CFR Part 1515 Appeal and Waiver Procedures for Security
Threat Assessments for Individuals.
49 CFR 1515.1 Scope.
49 CFR 1515.3 Terms used in this part.
49 CFR 1515.5 Appeal procedures.
49 CFR 1515.7 Waiver Procedures.
49 CFR Part 1570 Land Transportation Security: General Rules.
49 CFR 1570.3 Terms used in this part.
49 CFR Part 1572 Credentialing and Background Checks for Land
Transportation Security.
49 CFR 1572.5 Scope and standards for hazardous materials.
49 CFR 1572.7 Waivers of security threat assessment standards.
49 CFR 1572.9 Applicant information required for security threat
assessment for a hazardous materials endorsement.
49 CFR 1572.11 Applicant responsibilities for a security threat
assessment for a hazardous materials endorsement.
49 CFR 1572.13 State responsibilities for issuance of hazardous
materials endorsement.
49 CFR 1572.15 Procedures for security threat assessment for an
HME.
49 CFR 1572.17 Applicant information required for the security
threat assessment for TWIC.
49 CFR 1572.19 Applicant responsibilities for a security threat
assessment for TWIC.
49 CFR 1572.21 Procedures for security threat assessment for a
TWIC.
49 CFR 1572.23 Conforming Equipment; Incorporation by reference.
49 CFR 1572.24-40 [Reserved]
49 CFR 1572.41 Compliance, inspection and enforcement.
49 CFR 1572.101 Scope.
49 CFR 1572.103 Disqualifying Criminal Offenses.
49 CFR 1572.105 Immigration status.
49 CFR 1572.107 Other analyses.
49 CFR 1572.109 Mental capacity.
Subpart E--Fees for Transportation Worker Identification Credential
A. TWIC Maritime Population Estimation Methodology
1. Recurring population
2. Five-year population
B. Proposed Fee
1. Information Collection/Credential Issuance
2. Threat Assessment/Credential Production
3. FBI Fee
4. Total Fees
C. Section 1572.501 Fee Collection
VII. Rulemaking Analyses and Notices
A. Executive Order 12866 (Regulatory Planning and Review)
B. Small Entities
C. Assistance for Small Entities
D. Collection of Information
E. Federalism
F. Unfunded Mandates Reform Act
G. Taking of Private Property
H. Civil Justice Reform
I. Protection of Children
J. Indian Tribal Governments
K. Energy Effects
L. Technical Standards
M. Environment
I. Background and Purpose
Under this rule, the Department of Homeland Security (DHS), through
the United States Coast Guard (Coast Guard) and the Transportation
Security Administration (TSA), proposes to require that all merchant
mariners holding an active License, Mechant Mariner Document, or
Certificate of Registry and all persons who need unescorted access to
secure areas of a regulated facility or vessel must obtain a
Transportation Worker Identification Credential (TWIC). In order to
obtain a TWIC, individuals will be required to undergo a security
threat assessment conducted by TSA. TSA, in conducting those security
threat assessments, will use the procedures and standards established
by TSA for commercial motor vehicle drivers licensed to transport
hazardous materials within the United States.
The implementation of the TWIC program in the maritime sector
builds upon existing Coast Guard credentialing requirements and
security programs for port facilities and vessels. In a separate
rulemaking action published in this issue of the Federal Register,
Coast Guard also proposes consolidating existing merchant mariner
licensing and documentation requirements to avoid duplicative
credentials and background checks and to avoid interruption in commerce
and reduce the burden on mariners.
The TWIC program is a DHS initiative, with joint participation of
the Coast Guard and TSA. The program is supported by several statutory
and regulatory authorities and presidential directives. The principal
statutory authority is the Maritime Transportation Security Act (MTSA),
Pub. L. 107-295, 116 Stat. 2064 (November 25, 2002) (46 U.S.C. 70105).
Section 102 of MTSA requires the Secretary of Homeland Security to
issue a biometric transportation security credential to merchant
mariners ``issued a license, certificate of registry, or merchant
mariners document'' and individuals who require unescorted access to
secure areas of vessels and facilities.\2\ These individuals also must
undergo a security threat assessment to determine that they do not pose
a security threat prior to receiving the biometric credential and
authority to access the secure areas without escort. Id. The security
threat assessment must include a review of criminal, immigration, and
[[Page 29399]]
pertinent intelligence records in determining whether the individual
poses a threat, and individuals must have the opportunity to appeal an
adverse determination or apply for a waiver of the standards.
Specifically, an individual cannot be denied the transportation
security credential required under MTSA unless the individual--
---------------------------------------------------------------------------
\2\ 46 U.S.C. 70105. Section 102 of MTSA defines ``Secretary''
to mean ``the Secretary of the department in which the Coast Guard
is operating.'' Under the Homeland Security Act of 2002, the Coast
Guard became part of DHS, thus the Secretary of Homeland Security is
authorized to implement the credential requirements for mariners and
persons seeking access to secure port facilities under MTSA.
---------------------------------------------------------------------------
(A) Has been convicted within the preceding 7-year period of a
felony or found not guilty by reason of insanity of a felony--
(i) that the Secretary believes could cause the individual to be a
terrorism security risk to the United States; or
(ii) for causing a severe transportation security incident;
(B) Has been released from incarceration within the preceding 5-
year period for committing a felony described in subparagraph (A);
(C) May be denied admission to the United States or removed from
the United States under the Immigration and Nationality Act (8 U.S.C.
1101 et seq.); or
(D) Otherwise poses a terrorism security risk to the United
States.46 U.S.C. 70105(c).
Following the enactment of MTSA in November 2002, the Coast Guard
issued a series of general regulations for maritime security. See, 33
CFR parts 101-106. The MTSA regulations set out specific requirements
for owners and operators (henceforth ``owners/operators'') of vessels,
facilities, and Outer Continental Shelf (OCS) facilities that had been
identified by the Secretary of Homeland Security as posing a high risk
of being involved in a transportation security incident.
Under MTSA and the Coast Guard's MTSA regulations, owners/operators
of these vessels and facilities were required to conduct security
assessments of their respective vessels and facilities, create security
plans specific to their needs, and submit the plans for approval to the
Coast Guard by December 31, 2003. All affected vessels and facilities
are required to have been operating in accordance with their respective
plans since July 1, 2004, and are required to resubmit plans every 5
years.
Each plan requires owners/operators to address specific
vulnerabilities identified pursuant to their individual security
assessments, including controlling access to their respective vessels
and facilities. The MTSA regulations require owners/operators to
implement security measures to ensure that an identification system was
established for checking the identification of vessel and facility
personnel or other persons seeking access to the vessel or facility.
In establishing the system, owners/operators were directed to
accept identification only if it: (1) Was laminated or otherwise secure
against tampering; (2) contained the individual's full name; (3)
contained a photo that accurately depicted that individual's current
facial appearance; and (4) bore the name of the issuing authority. See,
33 CFR 101.515. The issuing authority must be a government authority or
organization authorized to act on behalf of the government authority,
or the individual's employer, union, or trade association. There was no
requirement that the identification be issued pursuant to a security
threat assessment because there was no existing credential and
supporting structure that could fulfill the needs specific to the
maritime environment.
In addition to the regulation of ports and facilities, the Coast
Guard has a long history of regulating the merchant marine. Under the
current Coast Guard regulatory scheme, the Coast Guard may issue a
mariner any combination of 4 credentials: (1) Merchant Mariner Document
(MMD); (2) License; (3) Certificate of Registry (COR); or (4)
International Convention on Standards of Training, Certification, and
Watchkeeping (STCW) Endorsement. An MMD serves as a mariner's
identification credential and is issued to mariners who are employed on
merchant vessels of 100 gross register tons or more, except for those
vessels employed exclusively in trade on the navigable waters of the
U.S. Licenses are qualification certificates that are issued to
officers. CORs are qualification certificates that are issued to
medical personnel and pursers. STCW Endorsements are qualification
certificates issued to mariners who meet international standards and
serve aboard vessels to which STCW applies. The License, COR, and STCW
Endorsement are qualification credentials only. Only the MMD is an
identity document, and none of the current mariner credentials contain
the biometric information required under MTSA.
TSA currently administers several programs involving security
threat assessments of individuals engaged in the transportation
industry, including certain airport and aircraft operator employees,
and alien flight school students. Section 1012 of the Uniting and
Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) Pub. L.
107-56, 115 Stat. 272 (October 25, 2001) provides that a State cannot
issue a hazardous materials endorsement (HME) to a commercial driver
who poses a security threat. TSA implemented its security threat
assessment processes under this provision.
TSA first issued regulations to implement security threat
assessment standards for HME applicants (TSA's hazmat rule) in May 2003
and subsequently amended those regulations based on comments received
from the States, employers and affected drivers. (A more detailed
discussion and regulatory history of the hazmat regulations can be
found at 68 FR 23852 (May 5, 2003); 68 FR 63033 (November 7, 2003); 69
FR 17696 (April 6, 2004); and 69 FR 68720 (November 24, 2004). These
standards are codified at 49 CFR part 1572, where many of the standards
we propose for TWIC under this rule also will reside.
TSA's hazmat regulations establish standards concerning criminal
history, immigration status, mental capacity, and terrorist activity to
determine whether a driver poses a security threat and is qualified to
hold an HME.\3\ Drivers who have been convicted or found not guilty by
reason of insanity for certain crimes in the preceding 7 years, or have
been released from incarceration for those crimes in the preceding 5
years, are deemed to pose a security threat and are not authorized to
hold an HME. 49 CFR 1572.103. Drivers convicted of certain particularly
heinous crimes, such as espionage, treason, terrorist-related offenses,
or severe transportation security incidents, are permanently banned
from holding an HME. Id. In addition, drivers who have been
involuntarily committed to a mental institution or adjudicated as
mentally incapacitated are considered to pose a security threat that
warrants disqualification from holding an HME. 49 CFR 1572.109.
---------------------------------------------------------------------------
\3\ In developing the hazmat regulations, TSA sought to
harmonize, to the extent possible, the background check and
eligibility criteria requirements of both MTSA and the USA PATRIOT
Act and thus adopts privisions from both statutes where appropriate.
See 68 FR at 23853.
---------------------------------------------------------------------------
Aliens are not prohibited from obtaining an HME. The hazmat rule
permits individuals who are in the United States lawfully and are
authorized under applicable immigration laws to work in the United
States to hold an HME upon completion of a satisfactory TSA security
threat assessment. 49 CFR 1572.105. TSA reviews a driver's immigration
status to determine if the applicant for an HME is authorized to be
present and work in the United States under applicable
[[Page 29400]]
immigration laws. In addition, as set forth in the hazmat rules, TSA
conducts a security check of international databases through Interpol
or other appropriate means. 49 CFR 1572.107.
TSA's hazmat regulations also include appeal and waiver procedures
to ensure that no driver is wrongfully determined to pose a threat, to
provide individuals who are disqualified from holding an HME the
opportunity to show rehabilitation, where applicable, and to maintain
consistency with other credentialing or background check requirements
among transportation workers, such as those in the maritime industry
covered by MTSA and this TWIC rulemaking. See e.g., 49 CFR parts
1572.141 and 143.
II. Development of TWIC Process
In 2002, TSA established the TWIC program in response to identity
management shortcomings and vulnerabilities identified in the
transportation system. In some segments of the transportation system,
it is not possible to positively identify individuals entering secure
areas or assess the threat they may pose due to a lack of pertinent
background information. Also, existing identity credentials are often
vulnerable to fraud. To mitigate these weaknesses, TSA determined that
an integrated, credential-based, identity management system for all
transportation workers who need unescorted access to secure areas of
the nation's transportation system would be necessary.
Homeland Security Presidential Directive 12 (HSPD 12) requires
Federal agencies to improve secure identification processes for Federal
employees and contractors. The objectives of the directive are to
ensure that the credentialing processes are administered by accredited
providers; are based on sound criteria for verifying an individual's
identity; include a credential that is resistant to fraud, tampering,
counterfeiting and terrorist exploitation, and can be authenticated
quickly and electronically. As designed and proposed in this rule, TWIC
does not contradict the control objectives of HSPD 12.
The U.S. Department of Commerce published guidance on the standards
and methods by which Agencies could reach compliance with HSPD 12. In
February 2005, the Department of Commerce issued the Federal
Information Processing Standards Publication 201 (FIPS 201), Personal
Identification Verification of Federal Employees and Contractors in
response to HSPD 12. FIPS 201 is divided into Personal Identification
Verification (PIV) Parts I and II. Part I addresses the control and
security objectives, particularly the personal identity proofing
process. Part II provides detailed technical specifications that must
be met to ensure interoperability of PIV-compliant credentials in
personal authentication, access control, and credential management
systems throughout the Federal government.
The development of FIPS 201 occurred concurrently with the design
of TWIC. TSA and its contractors closely monitored the development of
FIPS 201 and individuals working on FIPS 201 followed the design of
TWIC. TSA recognized that there are many benefits to designing TWIC in
alignment with FIPS 201: Leveraging the TWIC infrastructure to support
other DHS or government credentialing programs; avoiding obsolescence
by using the latest technology; securing critical facilities with the
same process used by Federal agencies; having interoperability during
an emergency; and demonstrating the functionality of FIPS 201. All of
the significant components of the TWIC system align with FIPS 201.
As tested in the maritime environment and planned in this NPRM,
TWIC is an identification credential containing numerous technologies
to make it secure and tamper-proof. TWIC is a ``smart'' credential
containing two electronic chips on which encoded data is stored to
allow all subsequent TWIC functions to be performed. TWIC is designed
to ensure that the identity of each TWIC holder has been verified; that
a threat assessment has been completed on that identity; and that each
credential issued is positively linked to the rightful holder through
the use of biometric technology. Facility and vessel owners/operators
subject to this rule will then determine which TWIC holders will be
granted unescorted access to secure areas of their facility.
Prototype
The TWIC program has been developed in three phases. Phases I,
Planning, and II, Technology Evaluation, were completed in 2003, and
Phase III, Prototype, was completed in 2005. In the technology
evaluation, TSA tested and evaluated a range of credential-based
systems in use at transportation facilities. In Prototype, TSA tested a
comprehensive credentialing system, which included enrollment, threat
assessments, biometric security, credential production, and credential
issuance.
Prototype was conducted at twenty-eight facilities beginning
November 4, 2004 in various modes of the transportation system,
including air, rail, and maritime. The Prototype Phase came to an end
in the summer of 2005. During Prototype, the participating facilities
and associated transportation workers voluntarily provided biographical
and biometric identifiers. Participants provided appropriate identity
verification documentation, such as a birth certificate, driver's
license, government photo identification, or similar document. TSA
conducted a name-based threat assessment using the biographic
information provided, and utilized the biometric information to verify
identity and determine whether an applicant had previously enrolled in
the program. TSA did not use biometric information to complete a
security threat assessment.\4\ TSA will be using both biographic and
biometric information to conduct the security threat assessment once
TSA implements the full program. To verify an individual's identity
during Prototype, TSA followed the U.S. Citizenship and Immigration
Services Employment Eligibility Verification (Form I-9) process,
commonly used by the federal government and industry in the hiring
process. TSA tested the TWIC as positive identification for access to
secure areas of participating transportation facilities.
---------------------------------------------------------------------------
\4\ Florida law requires persons seeking access to certain port
facilities within that State to submit fingerprints and other
information to obtain a State-issued credential. During Prototype
conducted in Florida, therefore, participants submitted fingerprints
as required under State law and the State completed a fingerprint-
based criminal history records check. TSA did not use biometric
information collected from Florida participants to conduct a
security threat assessment.
---------------------------------------------------------------------------
By testing the integration of these components, TSA was able to
assess the system's performance prior to deciding how the program
should be implemented. Consequently, some processes that were tested in
Prototype, such as ``employer sponsorship,'' are not being proposed in
this rule based on TSA's determination that the process did not add
sufficient value or created operational difficulties that could not be
resolved.
III. Proposed Rule
A. Coast Guard
In order to integrate TWIC into already existing security programs
in the maritime environment, the Coast Guard must amend its maritime
security regulations, found in 33 CFR Subchapter H. These changes will
set performance standards for owners/operators of vessels, facilities,
and Outer Continental Shelf facilities to meet
[[Page 29401]]
when incorporating TWIC into their existing security programs.
The Coast Guard also must amend its regulations governing merchant
mariners, found in 46 CFR parts 10, 12, and 15, in order to add the
statutory mandate that they hold a TWIC. In a separate rulemaking,
published in today's Federal Register, the Coast Guard is proposing to
consolidate qualifications credentials and streamline its mariner
regulations, which would ensure that no mariner is required to undergo
(or pay for) more than one security threat assessment and identity
verification.
Coast Guard emphasizes that possession of the TWIC credential is
not intended to constitute an automatic access right to any facility.
The owner/operator continues to have the ultimate authority as to
access control decisions, and although holding a duly-issued TWIC is
required before an individual is eligible to be granted unescorted
access, the individual must also have a need for access in accordance
with the approved security plan. The owner/operator's right to refuse
admittance to any individual, regardless of whether he or she holds an
authenticated TWIC, remains unchanged.
B. TSA
TSA's role in implementing the TWIC program in the maritime sector
will be to conduct security threat assessments of credentialed merchant
mariners and individuals with unescorted access to secure areas,
providing an appeal and waiver process for applicants who receive an
adverse determination, and performing related functions in the
enrollment and credential issuance process. In this rule, TSA proposes
changes to its regulations to extend the current processes for
conducting security threat assessments for HMEs to persons seeking to
obtain TWICs.
On August 10, 2005, the Safe, Accountable, Flexible, Efficient
Transportation Equity Act--A Legacy for Users (SAFETEA-LU), Pub. L.
109-59, 119 Stat. 1144 (August 10, 2005) was enacted. Section 7105 of
SAFETEA-LU (49 U.S.C. 5103a(g)(1)(B)(i)) requires TSA to initiate a
rulemaking to determine which background checks required by Federal law
and applicable to transportation workers are equivalent to or less
stringent than the security threat assessment TSA requires for HME
drivers. In addition, SAFETEA-LU requires TSA to develop a process for
notifying employers of the results of a threat assessment conducted on
an HME applicant.
Under this rule, TSA is proposing a fee to cover the cost of the
TWIC threat assessment, appeals of TSA decisions during the process,
and the issuance of the credential as required under Section 520 of the
Homeland Security Appropriations Act of 2004 (2004 DHS Appropriations
Act), Pub. L. 108-90 (October 2003). TSA also is inviting comments from
the transportation industry at large on the processes proposed under
this rule as TSA and DHS are considering extending the TWIC program to
other areas in the transportation industry outside of the maritime
sector.
1. TWIC Process
As proposed in this rule, the purpose of the TWIC program is to
ensure that only authorized personnel who have successfully completed a
security threat assessment have unescorted access to secure areas of
maritime facilities and vessels. The credential will include a
reference biometric--fingerprints--that positively links the credential
holder to the identity of the individual who was issued the credential.
TWIC holders may be asked to confirm, by providing a fingerprint, that
they are the rightful owner of the credential at any time. Access
control procedures and systems at facilities and vessels will recognize
the credential and the information encrypted on it, so that the overall
maritime network will be interoperable. In addition, an individual's
credential can be deactivated or revoked by TSA if disqualifying
information is discovered by or presented to TSA or other DHS entity,
or the credential is lost or stolen, so that the credential can no
longer be used to obtain unescorted access to secure areas.
TSA has designed the TWIC process to maintain strict privacy
controls so that a holder's biographic and biometric information cannot
be compromised. The TWIC process proposed in this rule is described
below from the perspective of an applicant.
a. Pre-Enrollment and Enrollment
TWIC enrollment will be conducted by TSA (or TSA's agent operating
under TSA's direction). All enrollment personnel must successfully
complete a TSA security threat assessment and receive a TWIC before
they will be authorized to access documents, systems, or secure areas.
Facility and vessel owners/operators must notify workers of their
responsibility to enroll, as well as the deadline for doing so. (The
proposed implementation plan for enrollment is discussed in greater
detail below.) Owners/operators must provide applicants enough lead
time to enroll so that TSA has sufficient time to complete the security
threat assessment and issue the credential before the access control
procedures go into effect. Generally, owners/operators should give
individuals at least 60 days notice to begin the process. TSA cannot
guarantee that any threat assessment can be completed in less than 30
days, and therefore, owners/operators and applicants should make every
effort to initiate enrollment in a timely fashion to prevent workers
being denied access for non-compliance. TSA will provide owners/
operators with locations for enrollment that they can then pass on to
the workers (hereinafter referred to as applicants). For purposes of
the NPRM, a list of potential enrollment center locations is provided
on the TSA Web site (http://www.tsa.gov) to provide prospective owner/
operators and applicants a general idea of the enrollment plan. This
list is subject to change and TSA invites comment from affected parties
on the potential enrollment locations.
Applicants will be able to ``pre-enroll'' online to reduce the time
needed to complete the entire enrollment process at an enrollment
center. For pre-enrollment, applicants need a computer with internet
access. The applicant can access the TWIC Web site to provide personal
information required for enrollment and select an enrollment center at
which to complete enrollment. Data submitted by applicants via the
Internet will be sent using Internet security protocols (i.e., SSL).
All information provided is then stored in the TSA system, which
encrypts and protects the data from unauthorized access. Applicants may
schedule an appointment while on-line to complete the enrollment
process, although appointments are not required at enrollment centers.
The Web site will list the documents the applicant must bring to the
enrollment center to verify identity. The convenience of pre-enrollment
is a significant benefit for applicants and reduces strain on the
enrollment centers. Applicants who pre-enroll must appear at enrollment
centers to verify their identity, confirm that the information provided
during pre-enrollment is correct, provide biometrics, and sign the
enrollment documents.
At the enrollment center, applicants will receive a privacy notice
and consent form, by which they agree to provide personal information
for the security threat assessment and credential. (For applicants who
pre-enroll, the privacy notice is provided with the application online,
but the applicants must acknowledge receipt of the notice in writing at
the enrollment
[[Page 29402]]
center.) If an applicant fails to sign the consent form or does not
have the required documents to authenticate identity, enrollment will
not proceed. During Prototype, 96 percent of applicants appeared for
enrollment with suitable identity verification documents. As TWIC is
implemented, TSA and Coast Guard will make information available to
affected workers in advance of enrollment so that all are aware of what
to bring to the enrollment center. This information will also be posted
on the TSA/TWIC Web site at http://www.tsa.gov. All information collected at
the enrollment center or during the pre-enrollment process, including
the signed privacy consent form and identity documents are scanned into
the TSA system for storage. All information is encrypted or stored
using methods that protect the information from unauthorized retrieval
or use.
At the enrollment centers, applicants must provide ten fingerprints
and sit for a digital photograph. The fingerprints and photograph will
be electronically captured at the enrollment center for use on the
credential. Individuals must provide ten fingerprint images for use in
completing the security threats assessment process. The credential
itself will store two fingerprint templates, one of which is used as a
reference biometric to verify identity. The entire enrollment record
(including the 10 fingerprints) will be stored in the TSA system,
encrypted and segmented to prevent unauthorized use. TSA will provide
alternative procedures for enrollment centers to use for situations in
which an applicant is unable to provide fingerprints.
The TWIC fee, which covers the complete cost of enrollment, threat
assessment, and credential production and delivery, must be collected
from the applicant at the enrollment center prior to the enrollment
record being transmitted to the TSA system. The TWIC enrollment fee
will be non-refundable, even if the threat assessment results in a TWIC
not being issued.
Once all data and the fee are collected, the enrollment record is
encrypted and electronically transmitted to the TSA system. The TSA
system acknowledges receipt of the enrollment record, at which time all
enrollment data is automatically deleted from the enrollment
workstation. Once the enrollment record is transmitted to the TSA
system, personal information is stored only in the TSA system, and
personal data is encrypted to very high standards before it is
transferred or stored. If an enrollment center temporarily loses its
internet connection, the enrollment data is encrypted and stored on the
enrollment workstation, but only until an internet connection is
restored.
During Prototype, the average time needed for an applicant who pre-
enrolled to complete enrollment was 10 minutes, 21 seconds. It is
expected that it will take approximately fifteen minutes to complete
enrollment of applicants who do not pre-enroll.
TSA and Coast Guard currently envision a phased enrollment process
based on risk assessment and cost/benefit analysis. Locations that are
considered critical and provide the greatest number of individual
applicants will be among the earliest enrollment sites. There are
approximately 125 locations covering approximately 300 ports where TSA
plans to enroll applicants, and we are in the process of rating each
location against a variety of factors to assess criticality,
population, and infrastructure. TSA and Coast Guard will work closely
with the maritime industry to ensure that owners/operators and workers
are given as much notice as is possible when a definitive enrollment
schedule is selected. TSA and Coast Guard also are contemplating
implementing a more flexible rollout, with anticipated dates to be
announced by notices published in the Federal Register. (See the
discussion of Sec. 1572.19 below for additional information on timing
of enrollment.) TSA plans to use a combination of fixed and mobile
enrollment stations to make the enrollment process as efficient as
possible for applicants and owners/operators.
b. Adjudication of Security Threat Assessment
Following enrollment, the TSA system sends pertinent parts of the
record to various sources so that appropriate terrorist threat,
criminal history, and immigration checks can be performed. When the
checks are completed, TSA makes a determination on whether or not to
issue a TWIC to the applicant and notifies the applicant.
If disqualifying information is discovered, TSA issues an Initial
Determination of Security Threat to the applicant with information on
how the applicant can appeal an adverse decision or apply for a waiver
of the standards. If the applicant does not respond to the Initial
Determination within a specified period, it converts to a Final
Determination of Security Threat and the applicant does not receive a
TWIC. If the applicant proceeds with an appeal or application for
waiver and is successful, the applicant is notified accordingly and the
credential production process begins. (The appeal and waiver processes
are discussed in greater detail below in the section-by-section
analysis.)
TSA may provide some of the notifications to applicants via email,
if an applicant provides an email address on the application for the
TWIC. We invite comment from prospective applicants about the
substitution of email notification for a paper process.
c. Credential Production
If the applicant is qualified to receive a TWIC, the TSA system
generates an order to produce a credential. It is produced at a
government credential production facility and securely shipped to the
center at which the applicant enrolled. The applicant will be notified
that the TWIC is ready to be retrieved and activated for use. The face
of the TWIC credential contains the applicant's photograph, name, TWIC
expiration date, and a unique credential number. In addition, the
credential will store finger minutia templates of 2 fingers, finger
pattern templates of 2 fingers, a personal identification number, and a
Federal Agency Smart Credential number. The data is securely stored and
protected in accordance with FIPS 201 in the various technologies used
in the credential, such as magnetic stripe, contact chip, and
contactless chip. The fingerprint data, the reference biometric, is
used to match the credential to the person who enrolled.
The TWIC system contains many feedback mechanisms to validate the
transmission and receipt of data at key points in the process. The
status of each transmission is recorded within the system.
Credentials are electronically locked prior to shipment to the
enrollment center so that the data cannot be accessed. Once the
credentials are electronically locked, they cannot be used for access
to any vessel or facility until they are activated by the TWIC
enrollment station.
d. Credential Activation
The applicant is notified when the enrollment center has received
the credential. The applicant then returns to the enrollment site at
his or her convenience to activate the credential.
At the enrollment center, the applicant's credential is retrieved
from secure storage and the photograph and name on it are compared to
the applicant and the identity documents the applicant uses to
authenticate identity. The applicant places a designated finger on a
reader to generate a biometric match against the biometric stored on
the credential and in the TSA
[[Page 29403]]
system. Upon successful biometric match, the TWIC is activated and the
applicant selects a Personal Identification Number (PIN) that also is
stored on the credential. The PIN can subsequently be used as an
additional factor in proving one's identity and authorized use of the
credential, or as the primary verification tool if the biometric is
inoperative for some reason. The TWIC security threat assessment and
credential are valid for five years, unless derogatory information is
discovered and TSA revokes the credential.
The process outlined above for credential activation is the same
process TSA tested in Prototype, which worked well for owner/operators
and employees who enroll. However, implementation of the program
nationwide involving employees that are not stationary at one facility
or port may impact applicants and owner/operators differently. TSA is
concerned that requiring an applicant to return to the enrollment
center to activate the credential may be onerous for workers who travel
a great deal and may not know where they will be when the credential is
ready for pick-up. TSA is considering the security and operational
impacts of alternative procedures, on which we invite comment.
TSA is considering an amendment to the process that would allow a
worker to designate a specific enrollment center for credential pick up
and activation. The card production facility would send the credential
to that location rather than the location where the applicant enrolled.
This is a change that can be accomplished, but this was not tested in
Prototype and a variety of software changes may be needed, which could
increase costs and affect the timing of implementation. Moreover,
applicants will not know the exact date on which their credential will
be ready and so those who work at a variety of ports across the country
may not be able to designate a specific activation location on the
enrollment application.
During Prototype, the entire process from enrollment to card
production was complete in fewer than 10 days. However, that process
differed from the full program we plan to implement with this rule in a
few significant ways. First, nearly all of the employees who
volunteered for Prototype worked at the same location every day and the
enrollment center was located on that site. Second, TSA did not
complete fingerprint-based criminal history records checks, and so
there was no time needed to adjudicate and provide redress for criminal
activity. For threat assessment programs that are currently in place
nationally in which applicants are not stationary and TSA conducts a
fingerprint-based CHRC, the threat assessment is generally completed in
less than 30 days. The time needed to complete the threat assessment
varies depending on whether the database searches produce adverse
information that must be investigated, and whether the applicant files
an appeal or requests a waiver. These conditions will exist for the
TWIC program and therefore, TSA will not be able to predict or
establish a specific date on which the threat assessment and card
production process will be complete.
DHS invites comment on this option, and any other proposals that
would make it easier logistically, without sacrificing security, for
the public to receive and activate TWIC cards.
e. Using TWIC in an Access Control System
Once the enrollment process is complete and the credential is
activated, the credential is ready to be used as an access control
tool. Possession of a TWIC does not guarantee access to secure areas
because the owner/operator controls the individuals who are given
unescorted access to the facility or vessel. Rather, TWIC is a secure,
verified credential that can be used in conjunction with the owner/
operator's risk-based security plan and as required by the Coast Guard
security regulations.
As envisioned in this NPRM, owners/operators will determine an
individual's need for unescorted access to secure areas and then grant
access using a TWIC program. The access control administrator of the
vessel or facility verifies that the individual holding the TWIC
matches the biometric stored on the TWIC by conducting a 1-to-1 match
with the individual's finger and the fingerprint template stored on the
chip in the TWIC.
The owner/operator verifies that an individual's TWIC is valid,
either by directly interfacing with the TSA system or by using a list
of invalid credentials downloaded from TSA. Either method provides
owners/operators pertinent information concerning the validity of the
credential. TSA will invalidate credentials that are reported as lost,
stolen, damaged, retired, or issued to an applicant that TSA
subsequently determines may pose a security threat. When the
invalidation is for cause, that is, due to a security threat, TSA will
revoke the credential. Invalidated credentials cannot be used or
honored for unescorted access to secure areas. Cardholders who report
the credential as lost, stolen, or damaged must go to the enrollment
center for resolution, and/or re-issuance of a new credential.
After the individual has been granted access to the facility, the
owner/operator may opt to notify the TSA system that access privileges
have been granted to this worker at that facility. If the owner/
operator invokes this option, the owner/operator also assumes
responsibility for informing the TSA system if the owner/operator
subsequently denies the individual access privileges.
f. Lost, Damaged, or Stolen TWICs
Replacement TWICs are available if a credential is lost, stolen, or
damaged. As soon as the applicant is aware that the credential is
missing or damaged, he or she calls the Call Center and the Center
follows a standard process to invalidate the credential. The applicant
then travels to an enrollment center to receive a new credential.
During Prototype, the card production facility printed and shipped the
new credentials within 24 hours of receiving the information.
Applicants must pay a fee of $36 to cover the cost of lost/damage/
stolen credential invalidation, new credential production, reissuance,
shipping, and other appropriate program costs. No new TSA threat
assessment-specific or enrollment costs are factored into this
replacement fee.
g. Renewal
TWICs issued under this rule will expire after five years unless
renewed. TSA does not plan to notify TWIC holders when their credential
is about to expire because the expiration date will be displayed on the
face of the credential. To renew a TWIC, the holder must appear at any
enrollment center, starting up to 90 days before the expiration date of
the credential, to initiate the renewal process. However, mariners are
allowed and encouraged to initiate renewal 180 days prior to expiration
to allow sufficient time for TSA to conduct the security threat
assessment and the Coast Guard to complete any review necessary to
renew any required mariner credentials. During renewal, applicants must
provide the same biographic and biometric information required in the
initial enrollment and pay the associated fees. A new credential is
issued upon renewal.
h. Call Center
Upon publication of the final rule, TSA will refer the public to a
Call Center to assist with questions about the TWIC program. An
automated telephone line, listing options for the caller to select,
will direct the caller to the TWIC Help Desk or the TSA/TWIC Web site.
[[Page 29404]]
Callers will be able to discuss questions about the program and final
standard, the status of their security threat assessment, the location
and time of operation of enrollment centers, and online applications
and educational materials. TSA has used the Call Center when
implementing other new programs and believes it will be very useful to
owners/operators and applicants.
i. Notifying Employers of Threat Determinations
TSA is proposing to modify the rule text applicable to HME
applicants concerning employer notification and apply the proposed
changes to the TWIC applicants.
As discussed above, SAFETEA-LU established several mandates
concerning the threat assessment process. One of the provisions
requires TSA to invite comment on and develop a process to notify
employers of HME applicants of the results of the threat assessment.
Specifically, section 7105 states that--
Within 90 days of enactment, TSA, after receiving comments from
interested parties, must develop and implement a process for
notifying employers designated by applicants for a HAZMAT license of
the results of the applicant's background check if (1) such
notification is appropriate considering the potential security
implications and (2) the Director determines in a final notification
of threat assessment served on the applicant that he or she does not
meet the standards for granting a license.
In the November 24, 2004 hazmat rule, TSA discussed employer
notification, noting that actual criminal history or other dispositive
records must be maintained confidentially by TSA. See 69 FR at 68726.
TSA may inform an employer that an employee is disqualified from
holding an HME, or has had an HME revoked, so that the employer knows
that the employee is not authorized to transport hazardous materials.
TSA, however, generally cannot disclose the basis for the determination
result of the threat assessment due to prohibitions on disclosure of
such information under the Privacy Act, or other pertinent privacy laws
or law enforcement or security regulations. See e.g., 5 U.S.C. 552a (as
amended); 46 U.S.C. 70105(e); 28 CFR 50.12. In the hazmat rule, TSA
noted that if it believes an immediate threat exists, TSA may provide
additional information to the employer to help prevent a security
incident.
In the November hazmat rule, TSA requested comment on methods to
notify an employer that a particular driver's HME is revoked or the
application for an HME is denied. TSA anticipated that it would be
difficult to locate a driver's employer because drivers tend to change
employers frequently and may work for several employers at one time.
Also, many drivers are self-employed as owners/operators and
notification in these cases would be unnecessary. TSA proposed
requiring each employer to maintain a current list of hazmat-endorsed
driver employees on a secure Web site that TSA could access for
notification purposes and employers could amend as employees change
jobs. This list would minimize the chance that TSA would erroneously
notify a previous employer of a disqualification. Also, the list would
prevent the loss of time and resources needed to locate an employer for
notification. Similar procedures are in place with respect to aviation
workers who have airport security identification display area
authority. 49 CFR 1542.211. TSA received no comments on this proposal
or suggestions for an alternative plan, although some employers stated
that they would like notification of all employee disqualifications.
Currently, when TSA determines that a driver is not qualified to
hold an HME, TSA applies the following policy:
(1) TSA notifies the employer only in cases where TSA determines
that an imminent security threat may exist.
(2) TSA notifies the employer listed in the driver's HME
application.
(3) TSA limits the information provided to the employer to the fact
that the driver's HME is being revoked or denied, but does not provide
the reason for the action.
TSA developed this process to address two primary concerns. First,
TSA is concerned about sharing disqualification information with
incorrect employers and that the likelihood of such notifications would
rise if TSA made notifications in all disqualification cases. For the
many drivers who change employers frequently or are self-employed, TSA
would expend considerable resources trying to determine with certainty
an applicant's current employer(s).
Second, for actions in which there is not an imminent threat,
employers of hazmat drivers have other procedures in place to verify
whether a driver has an HME. Carriers currently are required to
determine if a driver employee has been issued an HME, by checking
State driver records. The Federal Motor Carrier Safety Administration
(FMCSA) requires carriers to check the driver's status in the first 30
days of employment by contacting the licensing State. After that, the
carrier must make an inquiry with the State at least once annually to
ensure that the driver is authorized to transport hazardous materials.
49 CFR 391.25. Additionally, FMCSA requires carriers to review an
employee's driving record during the three years preceding employment
with the carrier, in every State in which the driver was licensed. The
carriers also must investigate the driver's employment record during
the preceding three years. 49 CFR 391.23. These investigations reveal
whether the driver's HME has been revoked.
In light of the employer notification requirement in SAFETEA-LU,
and upon further analysis, TSA proposes to amend the rule text
concerning employer notification generally and apply the following
proposed changes to HME and TWIC applicants. First, TSA proposes to add
a statement to the application for an HME or TWIC acknowledging that
TSA may notify the applicant's employer if TSA determines that the
applicant poses a security threat. The applicant must acknowledge
receipt of this statement. Second, TSA proposes to amend the rule text
to state that TSA will notify an applicant's employer, where
appropriate, when issuing final determinations of threat assessment or
immediate revocations.
Aside from the employer notification issue, with TWIC applicants,
TSA also proposes to notify the Federal Maritime Security Coordinator
(FMSC), the chief governmental security official at the port, of
revocations. The FMSC also is the Captain of the Port (COTP). 33 CFR
101.105. TSA will notify the Coast Guard concerning the outcome of
threat assessments of merchant mariners because a mariner credential
may not be issued by Coast Guard if TSA denies or revokes a TWIC for
the mariner.
TSA invites comment on these proposed requirements for notifying
employers of employee disqualifications. TSA also invites suggestions
for improving this system and methods by which a current employer/
employee list can be available to TSA when employer notification is
necessary. TSA may change its requirements based on these comments.
2. Fee
Section 520 of the 2004 DHS Appropriations Act requires TSA to
collect reasonable fees for providing credentialing and background
investigations in the field of transportation. Fees may be collected to
pay for the costs of the: (1) Conducting or obtaining a criminal
history records check (CHRC); (2) reviewing available law enforcement
databases, commercial databases, and records of other
[[Page 29405]]
governmental and international agencies; (3) reviewing and adjudicating
requests for waivers and appeals of TSA decisions; and (4) other costs
related to performing the security threat assessment or providing the
credential or performing the background records check. Section 520
requires that any fee collected must be available only to pay for the
costs incurred in providing services in connection with performing the
security threat assessment or providing the credential or performing
the background records check. The fee may remain available until
expended. TSA establishes these fees in accordance with the criteria in
31 U.S.C. 9701 (General User Fee Statute), which requires fees to be
fair and based on: (1) Costs to the government, (2) the value of the
service or thing to the recipient, (3) public policy or interest
served, and (4) other relevant facts.
In this rule, TSA proposes to establish new user fees: (1) The
Information Collection and Credential Issuance fee, estimated to range
from $45-$65; (2) the Threat Assessment and Credential Production fee,
which will be $62, or $50 for applicants who have already received a
comparable threat assessment from DHS, including those for a Merchant
Mariner License (MML), Merchant Mariners Document (MMD), Hazardous
Materials Endorsement (HME), and Free and Secure Trade (FAST) card
holders; and (3) the fee for replacement of a lost, damaged, or stolen
TWIC, which will be $36 for all TWIC holders. In addition, TSA will
collect the FBI Fee for the criminal history records checks in the TWIC
threat assessment process and forward the fee to the FBI. The current
FBI Fee is $22.00. If the FBI increases that fee in the future, TSA
will collect the increased fee. Therefore, total TWIC fees are expected
to range from $95 (MML, HME, and FAST card holders already vetted by
DHS) to $149 for all other applicants.
3. TWIC in Other Modes of Transportation
This rule proposes standards for the maritime environment and
consequently the security threat assessment standards primarily impact
merchant mariners and port workers. However, there are a variety of
individuals who work in other modes of transportation that may be
subject to the security threat assessment requirement proposed here.
For instance, many ports include railroad operations. Rail employees
may be required to obtain a TWIC depending on whether the railroad
operations are situated in the secure areas. Commercial truck drivers
delivering or retrieving goods at the port typically have unescorted
access to secure areas and so they would be required to have a TWIC. As
envisioned and currently proposed in this rule, commercial drivers that
hold an HME and have completed TSA's security threat assessment under
49 CFR part 1572 would not be required to undergo a new threat
assessment for TWIC until their HME threat assessment expires. These
drivers would be required to provide a biometric for use on the TWIC
and pay for enrollment services, credential costs, and appropriate
program support costs.
TSA is considering whether to incorporate the TWIC system into all
modes of transportation. Therefore, TSA requests comments from all of
the transportation industry--rail, mass transit, pipeline, and
aviation--not just those affected immediately by these specific
proposed maritime rules. TSA invites ideas on how this security threat
assessment and credentialing system can be used to its full potential
in each of these areas. Each mode of transportation brings its own set
of challenges to the philosophy of creating secure areas and access
control procedures that provide a high level of security, protect
privacy, and do not interfere with commerce. TSA welcomes the views of
all interested parties as we continue to improve transportation
security with TWIC and other programs.
IV. Advisory Committee Participation
In drafting the TWIC regulations, the Coast Guard drew upon the
expertise of the National Maritime Security Advisory Committee (NMSAC),
which is composed of a cross-section of maritime industries and port
and waterway stakeholders; including, but not limited to: Shippers,
carriers, port authorities, and facility operators. NMSAC advises,
consults with, and makes recommendations to, the Secretary of Homeland
Security via the Commandant of the Coast Guard on matters affecting
maritime security.
In response, NMSAC formed a Credentialing Work Group (CWG), which
was comprised of a significant number of NMSAC members and
approximately 25 other members from the public who represented various
geographic cross-sections and different elements of the maritime
industry. NMSAC provided the Coast Guard and TSA with specific industry
sponsored comments and recommendations for consideration in developing
this proposed rule. TSA and Coast Guard summarized these comments and
provide their joint responses below.
A. Access Control
Comment: NMSAC recommended that ``secure area'' be defined to
coincide with the access control area determined by the facility
operator in its security plan.
Response: We agree with this recommendation and, for all of the
reasons discussed in this NPRM, are including it in the Coast Guard's
proposed definition of secure area.
Comment: NMSAC also recommended that when vessels are moored at
MTSA regulated facilities, they should be allowed to rely on the
facility's TWIC procedures and not be required to read an individual's
TWIC again when he or she required unescorted access to the vessel from
the facility.
Response: We agree with this recommendation in part. Nothing in the
proposed rule prohibits vessels and facilities from agreeing to share
the management of access control on a case-by-case or recurring basis
to facilitate operations, subject to approval by the cognizant COTP. In
keeping with the intent of MTSA, facilities and vessels will still
retain ultimate responsibility for their own access control measures.
In the interest of preserving layered security, we also anticipate
there will be situations where persons seeking unescorted access should
be required to follow access control procedures again--when moving from
a vessel to a facility and vice versa--even if this requires repeating
access control procedures.
Comment: NMSAC believes that TWIC should serve as the baseline
requirement for unescorted access to a facility or vessel, allowing
owners or operators to adopt additional measures.
Response: We agree with this recommendation. Nothing in this NPRM
prevents an owner/operator from instituting additional requirements
before granting access.
Comment: NMSAC also felt that possession of a TWIC should not
guarantee access to a facility or vessel, or to a specific location
within the site.
Response: We agree. Owners and operators decide who, among the TWIC
holders, may have unescorted access to the facility or vessel.
Comment: NMSAC also recommended that access to Outer Continental
Shelf facilities as defined in part 106, where access is limited and
can be controlled by having the TWIC credential read at the point of
embarkation.
Response: This arrangement is currently allowed under the existing
regulations and could continue under the provisions of this NPRM.
[[Page 29406]]
B. Location of Reader Points
Comment: NMSAC recommends that the regulation not stipulate
specific reader locations.
Response: We agree. Reader locations are not specified in the
proposed rule. Owners/operators determine where readers are located,
based on the security plan and the performance standards established in
the NPRM.
Comment: NMSAC recommends that screening points should be placed
far from critical areas and placement should be determined by owners/
operators.
Response: Screening locations are not specified in the proposed
rule. Owners/operators determine where screening points are located,
based on the security plan and the performance standards established in
the NPRM.
C. Sponsorship
Comment: A majority of NMSAC opposed employer sponsorship as a
requirement of the TWIC application process. Many members believe
sponsorship introduced several complex components, including privacy
concerns, increased bureaucracy associated with approving and
monitoring sponsors, and employer liability issues.
Response: After careful consideration, we agree that sponsorship,
as originally conceived, is a challenge for the maritime TWIC program.
Many of the individuals who will require a TWIC, such as truck drivers
and casual laborers entering the port, would not be able to list or
obtain a sponsor. Making accommodations to the sponsorship process for
these workers would greatly reduce its value. Under the NPRM,
applicants are asked to provide information on their employer if
applicable, and to certify that they have a need to obtain a TWIC.
D. Waiver Process/Alternative Security Arrangements
Comment: NMSAC recommended that we use the list of disqualifying
offenses currently used for hazmat drivers for establishing
disqualifying offenses, with some qualifications and concerns. The
primary concern centered on the waiver requirements found in MTSA,
which require employer involvement. NMSAC believes that employer
involvement in the waiver process is inconsistent with MTSA's
prohibition against disclosure of details of why an applicant is denied
a TWIC. NMSAC recommended that the TWIC regulations rely upon the
existing waiver procedures that apply to hazmat drivers.
Response: We agree. We have proposed using the same list of crimes
currently in place under the hazmat regulations when making
determinations regarding TWIC eligibility. Additionally, the NPRM
contains the waiver procedures that currently apply to hazmat drivers.
Comment: NMSAC also expressed concerns about individuals currently
employed in the maritime industry who might be denied a TWIC due to
previous criminal activity. NMSAC believes existing employees should
not be denied a TWIC and possibly lose their jobs unless TSA determines
the individual to pose a risk based on the entire threat assessment.
NMSAC recommended a ``limited term waiver'' that would allow an
individual who is employed on the date of TWIC implementation, and is
not otherwise determined to be a security threat, to obtain a TWIC.
Response: A ``limited term waiver'' is not being proposed. As in
the hazmat rule, language in the waiver provisions of the NPRM allow
individuals to request a waiver of all but four disqualifying offenses.
These pertain to espionage, sedition, treason, and terrorism. In
accordance with MTSA and the NPRM, individuals with immigration
violations would also be ineligible for the TWIC. Under the hazmat
program, the majority of workers with disqualifying offenses, other
than those listed above, who have applied for a waiver have been
successful in obtaining their endorsement through the existing waiver
process. In addition, the time between publication of the final rule
and the date an individual is required to obtain a TWIC will provide
existing employees ample time to apply for a waiver.
Comment: NMSAC believes that the fingerprint data provided by
applicants should be used to search all relevant federal databases. In
addition, NMSAC suggested that TSA check against criminal databases in
the applicant's State of residence. NMSAC also recommended that a nolo
contendere plea be treated as a conviction.
Response: We intend to use an applicant's fingerprints to search
the criminal databases that require fingerprints to gain access.
However, there are some databases pertinent to security that are
accessed by name and therefore, we must use name and other biographic
information to use these databases. Currently, we do not plan to check
each State criminal database in addition to the FBI criminal databases.
The administrative cost and time associated with such an undertaking
would greatly increase the user fee and make adjudication of all
applicant records overwhelming. Under this proposal, a nolo contendere
plea constitutes a conviction.
Comment: NMSAC proposed that the regulations be consistent
nationwide. NMSAC was concerned that if individual states are allowed
to enact legislation that established standards different than the
federal standard, it would result in additional costs and delays to the
industry. NMSAC also believed that varied state background checks could
result in venue shopping by applicants.
Response: We agree that the TWIC should be nationally consistent
and that states do not have the authority to modify the federal TWIC
program. However, States, when acting in their capacity as an owner or
operator, retain the right of any owner or operator to impose
additional security measures at their ports and facilities, as they see
fit, including additional measures for access control beyond the TWIC
requirements. In addition, States retain their sovereign police powers
to impose statutes and regulations to protect their citizens from all
manner of threats, and ensure public welfare. In that capacity, a State
may impose additional measures at ports, facilities and vessels within
its jurisdiction that are directed against reducing all types of crime,
so long as those measures do not conflict with any existing Federal
regulatory program or frustrate a Federal purpose, including the TWIC.
Therefore, while the process for obtaining and maintaining a TWIC will
be uniform across the country, access control measures may vary across
States, and even from facility to facility, which is in keeping with
the recommendations of the NMSAC and the intent of this rulemaking.
E. Type of Biometric To Be Used, Other Than Fingerprints
Comment: NMSAC recommended that the applicant's digital photograph
be stored on the integrated circuit chip (ICC) on the TWIC. Its format
and technological standards should conform to other national and
international programs, such as US-VISIT and FAST. NMSAC recommended
that we reevaluate the use of fingerprint biometrics for access control
after completion of Prototype to address procedures for individuals who
cannot provide fingerprints.
Response: Regarding the first comment, we agree and are proposing
that the applicant's digital photograph be stored within the TWIC's
ICC. We agree with the second comment and are proposing a credential
that meets or exceeds HSPD 12 and FIPS 201 technical standards, which
are the baseline for all federal identification
[[Page 29407]]
credentials. We also agree with the third comment and are proposing
that the digital photograph be used as the alternate biometric for
individuals who are unable to provide fingerprints at the time of
issuance.
F. Federally-Managed vs. Federally-Regulated
Comment: NMSAC strongly supports a federally-managed approach to
TWIC implementation, as opposed to a federally-regulated approach.
NMSAC believes that a federally managed program would protect
collective bargaining agreements, promote uniformity of process and
technology, ensure appropriate auditing and oversight, protect the
sensitivity of the biographic and biometric information required for
application, and limit the potential for security compromises or other
integrity issues. It also states that there would be significant cost
savings if TWIC is implemented in a centralized, federally managed
program.
Response: We agree and the NPRM reflects this approach.
G. Enrollment
Comment: In the interest of time, NMSAC recommended that TSA
provide as many enrollment centers as practical during the initial
enrollment period, staffed either by DHS personnel or trained trusted
agents. NMSAC believes that enrollment personnel should be subject to a
higher level of scrutiny than TWIC applicants, including financial and
credit screening. NMSAC recommended that TSA streamline the enrollment
process by allowing pre-enrollment through secure Internet connections,
dedicated kiosks, or existing facilities. NMSAC had reservations about
allowing non-safety related agencies or organizations becoming involved
in this process. They also recommend DHS first look to its own
agencies, such as Coast Guard License Issuing Centers, or other
federal, state or local public safety offices to process enrollments
before seeking partnerships with agencies with non-security missions.
Response: We agree with most of the NMSAC recommendations. The
current rollout strategy is phased enrollment over a period of time to
accommodate the majority of the maritime population centers and then
geographically expands to cover all ports/facilities with mobile
enrollment centers. All enrollment centers will be staffed by trained
trusted agents who will be subject to a thorough threat assessment. The
NPRM allows for pre-enrollment through secure Internet connections and
dedicated kiosks.
H. Costs
Comment: NMSAC stated that the fee should be collected at the time
of application from the applicant. Any potential employer
reimbursements or other business relationships should not be defined in
the regulation. Individuals who have already been screened to an equal
or higher standard than the TWIC, such as the assessment done for a
hazmat endorsement, should not have to pay for duplicate applications,
credential issuance, and background records check. TSA should collect
only the costs of the program, and the cost for TWIC should be
standardized at all enrollment centers.
Response: We agree. The NPRM states that the fee is collected from
the applicant at the time of enrollment and does not require any
reimbursement arrangements. Also, we propose comparability standards so
that agencies with similar checks can apply to TSA for a comparability
determination. As for hazmat drivers, the check they must complete to
get a hazmat endorsement is the same as the standard for TWIC.
Therefore, drivers are not required to complete both checks, but must
pay a reduced fee for TWIC enrollment and credential production because
it was not included in the hazmat fee or process.
I. Term of Validity
Comment: The TWIC should be valid for a period of five years,
unless revoked for cause. This recommendation assumes there is
continual check on applicants.
Response: We agree and propose a 5-year period of validity for the
TWIC unless revoked for cause. TSA repeats portions of the check
throughout the 5-year term.
J. Roll-Out Strategy
Comment: NMSAC supported a phased in regional implementation. A
timeline and deadline should be identified by TSA, and the final
implementation/compliance date should be consistent across the country
and provide sufficient advance lead time to allow stakeholders to
prepare. To accommodate U.S. mariners, NMSAC proposed that DHS allow
enrollment centers be set up at foreign facilities with a Coast Guard
presence.
Response: We agree and Sec. 1572.19 proposes the implementation
timeline for applicants to enroll for a TWIC. Regarding oversees
enrollment of U.S. mariners, we recognize that is an issue in need of
resolution. As credentialed U.S. mariners pose less of a security risk
due to the successful completion of security and safety background
checks, they have been identified as a population who could potentially
be lower on the priority list for receipt of the TWIC. In the meantime,
options such as setting up TWIC enrollment stations within existing
Coast Guard overseas facilities is being explored.
K. TWIC Requirement for Access to Sensitive Security Information
Comment: NMSAC recommended that TWIC be used as identification
credential alone, and not affect access to SSI.
Response: The statute requires ``individuals with access to
security sensitive information as determined by the Secretary'' to hold
a TWIC. We agree that requiring all individuals with access to SSI to
also hold a TWIC may be impractical. We have interpreted the language
of the statute to allow that only certain individuals who will require
access to SSI hold a TWIC, if they have not already been subject to an
equivalent check. These individuals are clearly identified by position
in the NPRM.
L. Miscellaneous Issues
Comment: NMSAC strongly urges TSA and Coast Guard to gather
industry input in the TWIC rulemaking.
Response: In developing the TWIC program, we have benefited from
the expertise and assistance of industry and government stakeholders.
Our work with the NMSAC has produced several outstanding
recommendations and solutions to potential challenges. Additionally, we
are planning four public meetings on this NPRM, in order to engage
industry and gather comments before a final rule is in place.
Comment: NMSAC urged TSA and Coast Guard to coordinate TWIC with
other federal programs to avoid duplication and conflicts. It also
urged that Merchant Mariner Licenses and Documents be merged with TWIC
to the greatest extent possible to minimize the number of credentials
mariners are required to carry.
Response: The Coast Guard National Maritime Center has expressed
similar concerns over adding yet another credential to the list of
those required for mariners. In a separate rulemaking published in
today's Federal Register, the Coast Guard has proposed combining all
merchant mariner credentials into a single form, in order to minimize
the number of credentials a mariner must carry. That proposal would
merge the existing mariner documents, consisting of the License,
Merchant Mariner Document, STCW Endorsement, and Certificate of
Registry, into one. The TWIC would
[[Page 29408]]
remain the identification credential and separate from these other
credentials, at least for the time being. The consolidated mariner form
would document the mariner's professional skills and capabilities and
the TWIC would document the mariner's identity.
M. Procedures for Replacement of Lost or Stolen Credentials, and
Penalties for Persons Who Fraudulently Obtain or Use/Attempt to Use a
TWIC
Comment: NMSAC expressed concerns about the procedures to address
lost or stolen credentials, and the penalty for persons who
fraudulently obtain or use/attempt to use a TWIC.
Response: We agree that procedures for lost or stolen credentials
are essential services. Applicants will be given an 800-number to call
in the event they lose the TWIC or it is stolen. The applicant must
return to an enrollment center to activate a new TWIC. This will not
require a full enrollment process unless the biometric or biographic
information has changed since the time of the initial enrollment and
the period of validity of the TWIC will be the same as the lost or
stolen credential it is replacing. As the NPRM states, applicants who
fraudulently obtain or attempt to use a TWIC may be prosecuted
criminally and/or through administrative action.
N. On-Site TWIC Implementation
Comment: NMSAC expressed concern about the possibility for delay at
points of entry due to implementation of theTWIC program.
Response: During TSA's Prototype, possession of a TWIC ultimately
accelerated access for individuals when they were entered into the
local access control system. We anticipate similar results when TWIC is
fully operational. As proposed, this rule would permit owners/operators
to determine the details of the access control system, and so resolving
access problems would largely be managed at the facility or vessel.
However, we welcome industry feedback and insight on ways that we may
be able to improve the proposed requirements without compromising
either security or function.
V. Section-by-Section Analysis of United States Coast Guard Proposed
Rule
General Introduction
The following discussion highlights the changes being made to the
Coast Guard regulations and address some miscellaneous effects that
these changes will have on unamended sections of the regulations. The
discussion is divided into parts and sections within those parts, which
will enable the reader to skip to those regulations that affect him/
her. In order to allow for this, some explanations are repeated from
part to part (for example, the explanation for proposed amendments to
the recordkeeping requirement sections in parts 104, 105, and 106, are
identical).
33 CFR Part 101
33 CFR 101.105
Coast Guard proposes amending Sec. 101.105 by adding new
definitions for escorting, personal identification number (PIN),
recurring unescorted access, secure area, TWIC, TWIC program, and
unescorted access. These terms would be introduced by the amendments
discussed below, and their definitions are self-explanatory.
33 CFR 101.121
Coast Guard proposes adding Sec. 101.121 to require those
organizations that have approved Alternative Security Programs (ASPs)
to submit a TWIC Addendum to their ASP. This TWIC Addendum should
explain how the TWIC requirements proposed in parts 104, 105, and 106
(as applicable) would be implemented in the ASP. The TWIC Addendum
would be submitted to the Coast Guard for approval and, once approved,
would be given the same expiration date as the overall ASP. When it is
time for the overall ASP to be reapproved, the TWIC Addendum would be
incorporated into the overall ASP, resulting in a single document. Any
organization not submitting the TWIC Addendum by the given deadline
would have their ASP declared invalid.
33 CFR 101.514
Coast Guard proposes adding Sec. 101.514. This new section
contains the requirement that all persons requiring unescorted access
to secure areas of vessels, facilities, and OCS facilities regulated by
parts 104, 105, or 106 of subchapter H possess a TWIC before such
access is granted. Federal officials would not be required to use a
TWIC, but rather would be required to use their HSPD 12-compliant
agency credential. These HSPD 12-compliant, biometrically-enabled
credentials will be built according to the same technical standards as
the TWIC, ensuring comparable levels of security. Coast Guard has also
included a provision allowing for State and local officials to
voluntarily obtain a TWIC when their office or duty station falls
within, or where they require recurring unescorted access to, a secure
area of a vessel, facility, or an OCS facility. Coast Guard would not,
at this time, require these officials to obtain a TWIC, but we may
revisit this in the future.
Coast Guard also would allow for voluntary compliance with TWIC for
those maritime facilities and vessels that would otherwise not be
required to comply. Any owner or operator who would like to voluntarily
comply with TWIC requirements would first be required to contact their
cognizent COTP, who will forward the request, along with the COTP's
recommendation, to TSA. Once the Coast Guard and TSA determine that use
of the TWIC by the facility or vessel would benefit and improve overall
maritime security, the owner/operator would receive authorization to
have employees enroll at TSA enrollment centers and establish a TWIC
program at their facility. Coast Guard requests that those owner/
operators who would like to voluntarily comply under this provision
please submit a comment.
33 CFR 101.515
Coast Guard proposes amending Sec. 101.515 to limit its
application only to those persons seeking escorted access to a secure
area. This amendment would require that anyone, other than law
enforcement officers in performance of their official duties, seeking
access to a vessel, facility, or OCS facility provide personal
identification meeting the standards listed in this section. It also
would require that these individuals be escorted at all times in a
secure area.
33 CFR Part 103
33 CFR 103.305
Coast Guard proposes amending Sec. 103.305 to require that all
Area Maritime Security (AMS) Committee members hold a TWIC or have
passed a comparable security background investigation, as determined by
the FMSC, with the exception of credentialed Federal, state and local
officials. Coast Guard would omit credentialed Federal, state, and
local officials from the requirement to hold a TWIC because the
majority of these individuals undergo a security threat assessment
prior to beginning their job, and because (as explained above) the
Federal officials will all be issued HSPD 12-compliant, biometric
identification credentials, and it is hoped that states and local
entities will follow suit.
33 CFR 103.505 and 103.510
Coast Guard proposes amending Sec. Sec. 103.505 and 103.510 to
require that all AMS plans address biometric access programs within the
port, and to require
[[Page 29409]]
that all AMS plans be updated to reflect this consideration.
33 CFR Part 104
33 CFR 104.105
Coast Guard proposes amending Sec. 104.105 to exempt foreign
vessels from the TWIC requirements. Currently foreign vessels entering
U.S. ports that carry a valid International Ship and Port Facility
(ISPS) certificate are deemed to be in compliance with part 104, except
for Sec. Sec. 104.240, 104.255, 104.292, and 104.295. However, there
are a small number of foreign vessels who are not required to comply
with the International Convention for Safety of Life at Sea (SOLAS) or
with the ISPS Code, and therefore must submit security plans in
accordance with this part. Without the proposed language, these vessels
would be required to comply with the TWIC provisions. The crew of these
vessels would primarily consist of foreign mariners. While not
explicitly exempt from the TWIC requirements by the language of 46
U.S.C. 70105, the particular situation of foreign mariners makes it
impractical to issue this population TWICs, and it has been determined
that it is inappropriate to this rulemaking. Thus, the small number of
foreign vessels who would otherwise be required to comply with part
104, as well as all other foreign vessels, have been exempted from
complying with the TWIC provisions of this part since none of their
crew would hold a TWIC. Nothing in this proposed exemption should
affect the existing requirements that owners or operators have
procedures in place for allowing seafarers to traverse facilities for
the purpose of completing crew changes or taking shore leave.
33 CFR 104.106
Coast Guard proposes adding Sec. 104.106 to provide for passenger
access areas on board passenger vessels, ferries, and cruise ships.
Implementation of the TWIC credential would have a significant impact
on the way that owners and operators make access control decisions. The
proposed rule would introduce the concept of a ``secure area,'' defined
as the area over which an owner or operator chooses to exercise access
control as set forth in Sec. 104.265, essentially making the entire
vessel a secure area. In non-passenger vessels, this is not
problematic; for those that carry passengers, however, it presents
difficulties. Since the law requires that no one be allowed unescorted
access to secure areas unless they carry a TWIC, passenger vessels,
ferries, and cruise ships would have had to either require passengers
to obtain TWICs or ensure that passengers were ``escorted'' at all
times while on the vessel. To avoid either outcome, Coast Guard
proposes creating the ``passenger access area,'' which will allow
vessel owners/operators to carve out areas within the secure areas
aboard their vessels where passengers are free to move about
unescorted. These passenger access areas would work in a manner similar
to the already existing ``public access areas'' in part 105.
33 CFR 104.115
In Sec. 104.115, Coast Guard proposes using the same roll-out and
implementation model for TWIC as was used for vessel security plans.
Vessels would have six (6) months from the date that the final rule is
published to submit a TWIC addendum to the Marine Safety Center. They
would be required to be operating according to the addendum between
twelve (12) and eighteen (18) months following the date that the final
rule is published, depending on whether enrollment for the port in
which the vessel is operating has been completed.
33 CFR 104.120
The proposed amendment to Sec. 104.120 would require that a copy
of the approved TWIC addendum be kept on board the vessel, along with
the already approved Vessel Security Plan (VSP) (already required to be
on board). Coast Guard has included provisions for scenarios in which
the TWIC addendum has been submitted to the Marine Safety Center (MSC)
but not yet approved, and for vessels operating under an approved
alternative security program.
33 CFR 104.200, 104.210, 104.215, 104.220, and 104.225
Coast Guard proposes amending these sections to require that all
individuals with security duties, including the company security
officer (CSO), acquire and maintain a TWIC. Coast Guard requests
comment on whether owners/operators should also be required to obtain a
TWIC, based on their access to sensitive security information (SSI).
Coast Guard also proposes amending these sections to add knowledge
requirements and responsibilities pertaining to TWIC to those already
assigned to owners/operators, company security officers, vessel
security officers, vessel employees with security duties, and all
vessel employees. At this time, there are no formal training
requirements proposed in order to meet the TWIC knowledge requirements.
It is important that owners/operators and those with security duties be
familiar with the technologies on the credential that make it resistant
to tampering and forgery. Persons who will be examining TWICs at access
control points should be familiar enough with its physical appearance
such that variations or alterations are easily recognized.
It is important that security personnel at the access points to the
vessel be familiar with alternate ways to reliably verify an
individual's identity and his or her credential should the individual
be unsuccessful using the primary means of verification (e.g.,
fingerprint match). Personnel who will be required to resolve an
individual's failure to electronically verify his or her identity
should be familiar with all the possible reasons for the failure. For
example, an individual may not be able to verify his identity against
the biometric stored on the credential due to wear on the integrated
circuit chip (ICC) itself, problems with the reader, wear on the
individual's fingerprints, or because the individual is an imposter.
Alternate procedures for addressing failures of an individual to verify
his fingerprint against the information stored on the credential should
be reasonably designed to discern between a legitimate user and an
imposter. All other employees should be familiar with the TWIC
topology, as well as the steps to take should their own TWIC become
lost or stolen.
The heaviest burden has been placed on the owner/operator, who
would be required to ensure that the TWIC program is implemented on
board the vessel in accordance with the proposed regulations. This
would include a new requirement that the owner/operator ensure that
someone on the vessel know who is on the vessel at all times. It would
also include a requirement that the owner/operator ensure that computer
and access control systems and hardware are secure. The Coast Guard has
placed a sample document in its docket (located at the places listed in
the ADDRESSES section above) for this NPRM that outlines the proper
standard of care to be used to protect these systems and hardware. We
request comment on this standard of care, as well as on any associated
costs to implement it.
33 CFR 104.235
Coast Guard proposes adding a new record-keeping requirement,
mandating that owners/operators maintain records for two years of all
persons who are granted access to secure areas of the vessel, including
when they disembark the vessel. The requirement does not distinguish
between those who were granted unescorted access because they
[[Page 29410]]
carried a TWIC and those who were granted escorted access. For those
who are granted recurring unescorted access, such as permanently
attached crew or other employees, owners/operators would be required to
record the span over which the individual's access privileges endured.
For individuals who were granted escorted access, the owners/operators
would be required to record each date that the individual is escorted,
and identify his escort.
33 CFR 104.265
Coast Guard proposes amending this section to require the use of
TWIC in the vessel's access control measures. This section would show
the greatest changes as a result of TWIC implementation, and reflects a
difficult compromise of many competing concerns, including our desire
to preserve as much of the performance-based standard as possible so
that vessels could tailor implementation to suit their individual
operational needs while preserving the security enhancements provided
by the TWIC credential.
TWIC provides for implementing graduated security measures by
relying upon the three factor authentication process for establishing a
person's identity. This process consists of identifying: (1) Something
the person has--a TWIC credential; (2) something the person knows--a
PIN, stored securely on the ICC in the credential; and (3) something
the person is--in the case of the TWIC, that will be the individual's
fingerprint, which also is stored on the ICC of the credential. By
requiring one or all of these factors before allowing access, owners/
operators can make increasingly more secure decisions regarding
individuals who are requesting to board the vessel.
Currently, most access control decisions are made relying on a
``flash pass.'' Individuals requesting entry are required to show
identification that conforms to Sec. 101.515 of subchapter H, which
currently encompasses a broad spectrum of credentials, including
driver's licenses from all 50 states. Many of these credentials are
easily forged or altered, and the sheer diversity of appearances
hampers security personnel's ability to recognize a forged or altered
credential when it is presented.
Even when used as a flash pass, the TWIC provides greater
reliability than the existing system because it presents a uniform
appearance with embedded features on the face of the credential that
make it difficult to forge or alter. When presented with a TWIC,
security personnel familiar with its security features are immediately
able to notice any absence or destruction of these features.
Nevertheless, our intent was to discourage the use of the TWIC as a
flash pass for several reasons. While security personnel can reliably
detect changes to the appearance of the credential or missing features,
he or she cannot know whether or not the credential has been revoked by
TSA, or other competent authority, merely by examining the surface of
the credential. Furthermore, comparing the individual to the photo on
the credential requires focused examination that is likely to suffer
when security personnel are distracted or during particularly busy
periods. This is the time that an unauthorized individual is most
likely to attempt entry, and is most likely to breach a system that
relies solely on the flash pass system. Finally, allowing owners/
operators to rely solely on the flash pass system is unreasonable in
light of the additional cost of the credential, and the available
security enhancements that the increased cost represents.
Thus, Coast Guard proposes to require owners/operators to use at
least one of the technical enhancements on the credential to
electronically verify a person's identity and also requires
verification that the credential remains valid, and has not been
altered or counterfeited.
Implementation of the TWIC program will require that the owner/
operator use different processes for identifying persons, depending on
whether or not the individual is requesting unescorted access. If the
individual is requesting, or will require, unescorted access as part of
his or her job responsibilities, the individual must have and maintain
a TWIC.
On an owner/operator's first encounter with an individual seeking
or requiring unescorted access to the vessel, we would require that all
of TWIC's security features be used to verify both the individual's
claimed identity and that the credential remained valid. Thus, when
presented with an individual's TWIC for the first time, an owner or
operator would be required to electronically verify that the
individual's fingerprint matches the data stored on the ICC, and that
the individual can correctly enter the PIN that is also stored on the
ICC. Both of these processes will require that the individual have the
TWIC in his/her possession, thus satisfying all three factors of the
authentication process. In addition, the owner or operator would have
to confirm that the TWIC remains valid. In order to know that the TWIC
has not been revoked, some regular contact with TSA will be necessary.
Coast Guard has not specified how this contact should be made so as to
provide as much flexibility as possible.
These steps performed together will detect to the highest degree of
certainty whether the individual is the rightful bearer of the TWIC he
or she holds, and whether or not it was duly issued and remains valid.
After the initial encounter, there is as much flexibility as possible
for the owner/operator so that the TWIC would provide a valuable
security enhancement without unnecessarily burdening daily operations.
Coast Guard recognized that, particularly for smaller vessels such as
towing vessels, the value by the daily validation of an individual's
personal identity is less than for facilities, which generally interact
with greater numbers of vendors, visitors, and facility employees. We
assumed that the crew of most vessels, excluding cruise ships, would be
a relatively small number of people who would quickly become familiar
enough with one another so as to be able to readily identify fellow
crew members and notice strangers. Thus, there is more emphasis on
ensuring that the credential remains valid. Accordingly, Coast Guard
has identified specific intervals, according to the Maritime Security
(MARSEC) level, when a vessel owner/operator must routinely check that
the credential remains valid.
As a result of this desire to provide flexibility, we propose the
concept of ``recurring unescorted access,'' which is intended to allow
an individual to enter on a continual basis, without repeating the
personal identity verification piece. The decision to grant recurring
access privileges should be based on two considerations: (1) The
relationship of the individual to the vessel, or how well ``known'' he
or she is; and (2) the individual's need to have frequent and unimpeded
access to the vessel.
No vessel is required to grant any individual recurring unescorted
access; it is intended as a tool by which owners/operators can allow
persons who are well known to them to move in and out of secure areas
on a repetitive basis without having to electronically verify the
individual's identity each time. The credential verification
requirement would remain, and owners/operators would be responsible to
check the validity of the TWIC belonging to any person to whom is
granted recurring unescorted access according to the identified
specific interval, based on the MARSEC level.
Frequent vendors and other visitors, such as union and seafarer
representatives, could seek and, at the
[[Page 29411]]
owner/operator's discretion, be granted recurring unescorted access. If
granted, it would allow these individuals, identified by the vessel
security officer, or other qualified personnel, to be entered onto the
vessel's rolls of TWIC holders whose TWIC must be checked on a regular
basis to ensure it remains unrevoked by TSA.
The infrequent visitor or vendor who bears a TWIC and seeks
unescorted access, would be required to electronically verify his or
her identity by matching the biometric information stored on the ICC.
The credential's validity would also have to be verified to ensure that
it has not been revoked since issuance by TSA. Coast Guard acknowledges
that maintaining this connectivity with TSA will be a challenge for
vessel owners and operators. However, TSA has indicated that it will be
able to maintain an updated list of all invalid credentials which can
be downloaded over a secure connection with the TSA Web site, and
vessel owners/operators would be able to verify the validity of
credentials from infrequent visitors against this list. Furthermore,
Coast Guard has assumed that vessels which could not establish access
to TSA via a secure Web site from time to time could obtain updated
versions of the list from its agent or home office.
Persons presenting for entry who do not hold a TWIC would still be
required to show an acceptable form of identification, as set forth in
Sec. 101.515 and 104.265(e)(3), and would be required to be escorted
if they are granted access to secure areas. Owners/operators are not
required by the proposed changes to use the TWIC as their primary
badging system. As much as practical, Coast Guard has retained the
performance-based standards from the existing regulations that allows
owners/operators to establish identification systems that best suits
their individual operational needs. If, however, owners/operators
choose to rely solely on the TWIC as their badging system, the system
should include a means for identifying non-TWIC holders. If owners/
operators choose to use a separate badging system, it must be
coordinated with the TWIC requirements in this part such that
notification to the owner/operator of changes in the individual's TWIC
status are also reflected in the separate badging system.
Other existing regulatory requirements that we thought were
important to preserve related to coordinating access control measures
and the TWIC implementation with facilities whenever possible,
particularly as that would facilitate the ready access of frequent
vendors, and union and seafarer representatives to the vessel, as
appropriate. Coast Guard anticipates that these individuals will also
obtain a TWIC. Any coordination must be outlined in the TWIC addendum.
In keeping with the longstanding tradition that seafarers keep
their mariner credentials and other important documents on the bridge,
or stored in a secure place, this rule does not propose that vessel
crew be required to display or maintain their TWIC on their person at
all times. Instead, anyone granted unescorted access to the secure
areas of the vessel under this proposed rule is expected to produce his
or her TWIC for inspection if so required by a competent authority.
Thus, persons assigned to the vessel can keep the credential stored
securely on the vessel with their other important documents. However,
mariners will have to take the TWIC with them when they leave the
vessel in order to gain unescorted access through the facility.
Owners/operators are required to devise backup processes for making
access control decisions when any part of the TWIC system fails, with
particular attention paid to not creating greater vulnerabilities that
can be leveraged by a failure of the system due to deliberate efforts.
Of particular concern is the occasion when an individual may not be
able to match his or her biometric against the information stored on
the ICC. While this could mean the person is not who he says he is, it
is also possible that wear and tear on the reader, the ICC, or the
person's fingerprint itself have caused the failure. In resolving these
kinds of failures, security personnel should be well informed as to
other reliable means of verifying identity, such as comparing the image
of the individual that is electronically stored on the ICC to the
person him or herself, or by having other authorized personnel vouch
for his identity.
In keeping with the graduated scheme of the MTSA regulations, this
rule proposes requiring increased use of TWIC security features at
higher MARSEC levels. At MARSEC level 1, the owner/operator would be
required to ensure that the validity of TWIC credentials is verified
against the latest information available from TSA on a weekly basis. At
MARSEC level 2, the owner/operator would be required to ensure that the
validity of TWIC credentials is verified against the latest information
available from TSA on a daily basis. At MARSEC level 3, all personnel
seeking unescorted access would be required to verify their identity
biometrically and using their PIN at each entry to a secure area of the
vessel.
The requirements at each MARSEC level are laid out in the table
that follows.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Vessels
------------------------------------------------ U.S. flagged cruise
Recurring unescorted Non-recurring Facilities OCS facilities ships
access unescorted access
--------------------------------------------------------------------------------------------------------------------------------------------------------
MARSEC 1........................... Facial recognition 1 to 1 biometric match 1 to 1 biometric 1 to 1 biometric 1 to 1 biometric
minimum each entry; at each entry; card match at each entry; match at each entry; match at each entry;
card validity checked validity checked at card validity card validity card validity
weekly with each entry with checked at each checked at each checked at each
information < =1 week information < = 1 week entry with entry with entry with most
old. old. information < =1 week information < =1 week current information
old. old; recheck those available from TSA.
continuously aboard
weekly with most
current information
available from TSA.
--------------------------------------------------------------------------------------------------------------------------------------------------------
[[Page 29412]]
MARSEC 2........................... Facial recognition 1 to 1 biometric match 1 to 1 biometric 1 to 1 biometric 1 to 1 biometric
minimum each entry; at each entry; card match at each entry; match at each entry; match + PIN at each
card validity checked validity checked at card validity card validity entry; card validity
daily with the most each entry with checked at each checked at each checked at each
current information information < =1 day entry with entry with entry with most
available from TSA. old. information < =1 day information < =1 day current information
old. old; recheck those available from TSA.
continuously aboard
daily with most
current information
available from TSA.
--------------------------------------------------------------------------------------------------------------------------------------------------------
MARSEC 3........................... 1 to 1 biometric match + PIN at each entry; 1 to 1 biometric 1 to 1 biometric 1 to 1 biometric
card validity checked at each entry with match + PIN at each match + PIN at each match + PIN at each
information < =1 day old. entry; card validity entry; card validity entry; card validity
checked at each checked at each checked at each
entry with entry with entry with most
information < =1 day information < =1 day current information
old. old; recheck those available from TSA.
aboard continuously
daily.
--------------------------------------------------------------------------------------------------------------------------------------------------------
33 CFR 104.290
Coast Guard proposes amending this section to require owners/
operators to have the records of persons who have been granted access
to the vessel (See, Sec. 104.235, discussed above) available after a
security incident.
33 CFR 104.295
Coast Guard proposes amending Sec. 104.295 to impose higher
burdens on U.S. cruise ships. The same assumptions regarding crew size
and connectivity (discussed in the proposed changes to Sec. 104.265
above) do not apply to these large, sophisticated vessels whose
potential to be the impetus of a transportation security incident (TSI)
is much greater than other vessels. As a result, TWIC requirements more
closely resemble those for facilities. Coast Guard proposes requiring
that an individual's identity be checked against their TWIC at each
entry to the vessel, and that the validity of the TWIC be verified with
TSA at a higher rate than for other vessels.
33 CFR 104.405
Coast Guard proposes amending this section to require that when
each vessel security plan is reviewed and resubmitted for approval upon
its 5 year anniversary date, it incorporates the TWIC Addendum into all
appropriate sections of the VSP. Most of these changes should be
reflected in the plan's section on access control.
New Subpart E (33 CFR 104.500-104.510)
Proposed Sec. 104.500-104.510 are new and are intended to be
temporary measures that will be phased out as existing plans are
renewed according to their expiration date. Rather than require owners/
operators to resubmit their entire plan with the TWIC measures
incorporated within, Coast Guard proposes requiring a temporary TWIC
addendum to be submitted. The addendum should be drafted in conjunction
with the existing plan, reflecting all modifications that the TWIC
rules require. Once approved, it should be attached to and maintained
as part of the entire plan, and will be given the same expiration date
as the existing plan. Upon expiration, the TWIC addendum should be
seamlessly incorporated into the full plan when it is renewed in
accordance with the regulations in place at the time of renewal.
Owners/operators may opt to resubmit their entire plan, with a list of
sections amended, as their TWIC Addendum, but once approved it will
carry the same expiration date as it had prior to amendment. Owners/
operators are encouraged to submit the addendum via Homeport (http://homeport.uscg.mil
).
33 CFR Part 105
33 CFR 105.115
In Sec. 105.115, Coast Guard proposes using the same roll-out and
implementation model for TWIC as was used for MTSA security plans.
Facilities would have six (6) months from the date that the final rule
is effective to submit a TWIC addendum to their cognizant Captain of
the Port (COTP) and would be required to be operating according to the
addendum between twelve (12) and eighteen (18) months following the
effective date, depending on whether enrollment has been completed at
the port where the facility is located.
33 CFR 105.120
In the proposed amendment to Sec. 105.120, Coast Guard would
require that the facility keep a copy of the approved TWIC addendum on-
site, along with the already approved facility security plan (FSP)
(already required to be on site). Coast Guard has included provisions
for scenarios in which the TWIC addendum has been submitted to the COTP
but not yet approved, and for facilities operating under an approved
alternative security program.
33 CFR 105.200, 105.205, 105.210, and 105.215
Coast Guard proposes amending these sections to require that all
individuals with security duties acquire and maintain a TWIC. Coast
Guard requests comment on whether owners/operators should also be
required to obtain a TWIC, based on their access to sensitive security
information (SSI). Coast Guard also proposes adding knowledge
requirements and responsibilities pertaining to TWIC to those already
assigned to owners/operators, facility security officers, facility
employees with security duties, and all facility employees. There are
no formal training requirements in order to meet the TWIC knowledge
requirements proposed at this time. It is important that owners/
operators and those with security duties be familiar with the
technologies on the credential, particularly the imbedded features that
make the credential resistant to tampering and forgery. Persons who
will be examining TWICs at access control points should be familiar
enough with its physical
[[Page 29413]]
appearance such that variations or alterations are easily recognized.
It is important that security personnel at the access points to the
facility be familiar with altern