- Email: [email protected]
TWIC enrolment continues
FEATURE
TWIC enrolment continues Enrolment in the US Transportation Worker Identification Credential (TWIC) is moving up a gear. This article looks at how TWIC works and examines the progress and the problems so far. TWIC was established by the US Congress through the Maritime Transportation Security Act (MTSA) and is administered by the Transportation Security Administration (TSA) and US Coast Guard. The creation of TWIC certainly hasn’t been plain sailing, and there have been many twists and turns along the way. In 2006, it was decided that the TWIC card should conform to the Federal Information Processing Standard (FIPS) 201 for government employees. However, FIPS 201-1 allows for biometric authentication only through a contact interface with a PIN while the maritime industry needed a system where: • •
• •
The readers would work in all weathers in an exposed outdoor marine environment; There was a contactless transfer of user ID and biometric data from the TWIC card to the reader; No PIN entry was required; Maritime operators did not have to manage encryption keys.
To resolve these conflicting requirements, the TSA created a specification which complements Personal Identity Verification (PIV) applications to support physical access and does not require key management. It is similar in approach to the Basic Access Control (BAC) mechanism used in ePassports, in that a TWIC privacy key is issued which is unique to each card and stored on it. It is treated as a public key and is therefore not a secret. The key is accessible from the magnetic stripe or contact interface, or it can be stored in a local physical access control system to eliminate the need for a magnetic swipe or contact reader.
First enrolment After much delay, enrolment and issuance began at the Port of Wilmington, Delaware,
What are TWICs? TWICs are tamper-resistant biometric credentials issued to workers who require unescorted access to secure areas of ports, vessels, outer continental shelf facilities and all credentialled merchant mariners. Lockheed Martin is the prime contractor. Enforcement of the card will start in April 2009. on 16 October, 2007. Since enrolment began, almost 150 registration centres have now opened, with one of the most recent – Guam – opening on 4 September, 2008. By early September, 2008, 513 000 people had pre-enrolled, 476 000 had enrolled and 296 000 cards had been issued. The largest volume of enrolments – more than 42 000 – has been handled by the centre in Houston, Texas. Statistics from the US Department of Homeland Security have revealed the number of security threats so far identified by the programme. By 24 August, 2008, almost 15 000 individuals had received an initial disqualification letter. However, of this number only 31 had received final disqualification letters preventing them from obtaining a TWIC (see Table 1).
Hurdles There have been a number of hurdles to overcome in the introduction of the TWIC credential. In July 2008, a wide-ranging 17page report by the National Maritime Security Advisory Committee’s TWIC Working Group detailed the issues being faced by port operators. Inevitably, some of its concerns related to the fingerprint biometric used with the credential. It revealed that there have been problems with capturing some individuals’ biometric, and
Table 1. Security threat assessment and statistics on action taken for the TWIC. Security threat assessment
Measurement (as of 24 August, 08)
Initial disqualification letters
14,907
Appeals requested
6,339
Appeals granted
4,377
Waivers requested
796
Waivers granted
532
Final disqualification letters
31
October 2008
recommended: “a software patch to enhance the ability to capture a damaged or otherwise unreadable biometric must be applied to the TWIC enrolment stations”. The report cited the example of Port of Long Beach, California, which hosted an onsite mobile enrolment centre involving more than 200 port employees. Of its attempted enrolments, 3.7% were unsuccessful. The report also revealed that other port operators have had difficulty enrolling up to 8% of their workers because of problems capturing fingerprints. It also raised concerns that encryption of fingerprints on certain cards was not performed properly, causing decryption to fail.
Deadlines The US Coast Guard and the TSA have said that 30 December, 2008, is the TWIC compliance date for owners and operators of facilities located within the US Coast Guard Captain of the Port Zones of Baltimore, Delaware Bay, Mobile, Lower Mississippi River, Ohio Valley, Pittsburgh and San Diego. Ports affected by the deadline include, Annapolis, Philadelphia, Camden, Gulfport, Memphis, Cincinnati and Ohio. The US Coast Guard says it plans to announce the additional ports scheduled for the compliance phase in the next few weeks. Compliance will be phased in by Captain of the Port Zones between 15 October, 2008, and 15 April, 2009, after which all ports must comply and all credentialled mariners must possess a TWIC card.
The enrolment process • Stage 1 – Applicants can save time by preenrolling online or over the telephone. During this optional phase, they provide the biographical information required for a security threat assessment. • Stage 2 – Applicants must bring identity documents, such as a certificate of citizenship, passport or permanent resident card to the enrolment centre. During enrolment, they complete a TWIC Application Disclosure Form, pay a fee, provide biographic information (if they didn’t pre-enrol) and a complete set of fingerprints. They must also sit for a digital photograph. • Stage 3 – TWICs are available within 3-4 weeks of enrolment and are collected from the enrolment centre.
Biometric Technology Today
7
TWIC enrolment continues Enrolment in the US Transportation Worker Identification Credential (TWIC) is moving up a gear. This article looks at how TWIC works and examines the progress and the problems so far. TWIC was established by the US Congress through the Maritime Transportation Security Act (MTSA) and is administered by the Transportation Security Administration (TSA) and US Coast Guard. The creation of TWIC certainly hasn’t been plain sailing, and there have been many twists and turns along the way. In 2006, it was decided that the TWIC card should conform to the Federal Information Processing Standard (FIPS) 201 for government employees. However, FIPS 201-1 allows for biometric authentication only through a contact interface with a PIN while the maritime industry needed a system where: • •
• •
The readers would work in all weathers in an exposed outdoor marine environment; There was a contactless transfer of user ID and biometric data from the TWIC card to the reader; No PIN entry was required; Maritime operators did not have to manage encryption keys.
To resolve these conflicting requirements, the TSA created a specification which complements Personal Identity Verification (PIV) applications to support physical access and does not require key management. It is similar in approach to the Basic Access Control (BAC) mechanism used in ePassports, in that a TWIC privacy key is issued which is unique to each card and stored on it. It is treated as a public key and is therefore not a secret. The key is accessible from the magnetic stripe or contact interface, or it can be stored in a local physical access control system to eliminate the need for a magnetic swipe or contact reader.
First enrolment After much delay, enrolment and issuance began at the Port of Wilmington, Delaware,
What are TWICs? TWICs are tamper-resistant biometric credentials issued to workers who require unescorted access to secure areas of ports, vessels, outer continental shelf facilities and all credentialled merchant mariners. Lockheed Martin is the prime contractor. Enforcement of the card will start in April 2009. on 16 October, 2007. Since enrolment began, almost 150 registration centres have now opened, with one of the most recent – Guam – opening on 4 September, 2008. By early September, 2008, 513 000 people had pre-enrolled, 476 000 had enrolled and 296 000 cards had been issued. The largest volume of enrolments – more than 42 000 – has been handled by the centre in Houston, Texas. Statistics from the US Department of Homeland Security have revealed the number of security threats so far identified by the programme. By 24 August, 2008, almost 15 000 individuals had received an initial disqualification letter. However, of this number only 31 had received final disqualification letters preventing them from obtaining a TWIC (see Table 1).
Hurdles There have been a number of hurdles to overcome in the introduction of the TWIC credential. In July 2008, a wide-ranging 17page report by the National Maritime Security Advisory Committee’s TWIC Working Group detailed the issues being faced by port operators. Inevitably, some of its concerns related to the fingerprint biometric used with the credential. It revealed that there have been problems with capturing some individuals’ biometric, and
Table 1. Security threat assessment and statistics on action taken for the TWIC. Security threat assessment
Measurement (as of 24 August, 08)
Initial disqualification letters
14,907
Appeals requested
6,339
Appeals granted
4,377
Waivers requested
796
Waivers granted
532
Final disqualification letters
31
October 2008
recommended: “a software patch to enhance the ability to capture a damaged or otherwise unreadable biometric must be applied to the TWIC enrolment stations”. The report cited the example of Port of Long Beach, California, which hosted an onsite mobile enrolment centre involving more than 200 port employees. Of its attempted enrolments, 3.7% were unsuccessful. The report also revealed that other port operators have had difficulty enrolling up to 8% of their workers because of problems capturing fingerprints. It also raised concerns that encryption of fingerprints on certain cards was not performed properly, causing decryption to fail.
Deadlines The US Coast Guard and the TSA have said that 30 December, 2008, is the TWIC compliance date for owners and operators of facilities located within the US Coast Guard Captain of the Port Zones of Baltimore, Delaware Bay, Mobile, Lower Mississippi River, Ohio Valley, Pittsburgh and San Diego. Ports affected by the deadline include, Annapolis, Philadelphia, Camden, Gulfport, Memphis, Cincinnati and Ohio. The US Coast Guard says it plans to announce the additional ports scheduled for the compliance phase in the next few weeks. Compliance will be phased in by Captain of the Port Zones between 15 October, 2008, and 15 April, 2009, after which all ports must comply and all credentialled mariners must possess a TWIC card.
The enrolment process • Stage 1 – Applicants can save time by preenrolling online or over the telephone. During this optional phase, they provide the biographical information required for a security threat assessment. • Stage 2 – Applicants must bring identity documents, such as a certificate of citizenship, passport or permanent resident card to the enrolment centre. During enrolment, they complete a TWIC Application Disclosure Form, pay a fee, provide biographic information (if they didn’t pre-enrol) and a complete set of fingerprints. They must also sit for a digital photograph. • Stage 3 – TWICs are available within 3-4 weeks of enrolment and are collected from the enrolment centre.
Biometric Technology Today
7