Federal Register, Volume 74 Issue 58 (Friday, March 27, 2009)

[Federal Register Volume 74, Number 58 (Friday, March 27, 2009)]
[Proposed Rules]
[Pages 13360-13370]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-6852]

========================================================================
Proposed Rules
Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.

========================================================================

Federal Register / Vol. 74, No. 58 / Friday, March 27, 2009 /
Proposed Rules

[[Page 13360]]

DEPARTMENT OF HOMELAND SECURITY

Coast Guard

33 CFR Parts 101, 104, 105, and 106

[Docket No. USCG-2007-28915]
RIN 1625-AB21

Transportation Worker Identification Credential (TWIC)--Reader
Requirements

AGENCY: Coast Guard, DHS.

ACTION: Advanced notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This advanced notice of proposed rulemaking discusses the
United States Coast Guard's preliminary thoughts on potential
requirements for owners and operators of certain vessels and facilities
regulated by the Coast Guard under 33 CFR chapter I, subchapter H, for
use of electronic readers designed to work with Transportation Worker
Identification Credentials (TWIC) as an access control measure. It
discusses additional potential requirements associated with TWIC
readers, such as recordkeeping requirements for those owners or
operators required to use an electronic reader, and amendments to
security plans previously approved by the Coast Guard to incorporate
TWIC requirements.
This rulemaking action, once final, would enhance the security of
ports and vessels by ensuring that only persons who hold valid TWICs
are granted unescorted access to secure areas on vessels and port
facilities. It would also complete the implementation of the Maritime
Transportation Security Act of 2002 transportation security card
requirement, as well as the requirements of the Security and
Accountability for Every Port Act of 2006, for regulations on
electronic readers for use with Transportation Worker Identification
Credentials.

DATES: Comments and related material must reach the Docket Management
Facility on or before May 26, 2009.

ADDRESSES: You may submit comments identified by Coast Guard docket
number USCG-2007-28915 to the Docket Management Facility at the U.S.
Department of Transportation. Please note the new address. See 72 FR
28092, May 18, 2007. To avoid duplication, please use only one of the
following methods:
(1) Online: http://www.regulations.gov.
(2) Mail: Docket Management Facility (M-30), U.S. Department of
Transportation, West Building Ground Floor, Room W12-140, 1200 New
Jersey Avenue, SE., Washington, DC 20590-0001.
(3) Hand delivery: Same as mail address above, between 9 a.m. and 5
p.m., Monday through Friday, except Federal holidays. The telephone
number is 202-366-9329.
(4) Fax: 202-493-2251.
(5) For comments containing confidential information, business
information or sensitive security information, please mail
appropriately marked comments to LCDR Jonathan Maiorine, Commandant
(CG-544) (RM 5222), U.S. Coast Guard, 2100 2nd Street, SW., Washington,
DC 20593.

FOR FURTHER INFORMATION CONTACT: If you have questions on this advanced
notice of proposed rulemaking, call LCDR Jonathan Maiorine, Coast
Guard, telephone 1-877-687-2243.
If you have questions on viewing or submitting material to the
docket, call Renee V. Wright, Program Manager, Docket Operations,
telephone 202-366-9826.

SUPPLEMENTARY INFORMATION:

Table of Acronyms

AHP Analytical Hierarchy Process
ANPRM Advanced Notice of Proposed Rulemaking
ASPs Alternative Security Programs
TWIC Transportation Worker Identification Credential
CDC Certain Dangerous Cargoes
CI/KR Critical Infrastructure/Key Resource
CRL Certificate Revocation List
DHS Department of Homeland Security
DOT Department of Transportation
EOA Early Operational Assessment
FASC-N Federal Agency Smart Credential--Number
FOIA Freedom of Information Act
FR Final Rule
FSP Facility Security Plan
HSI Homeland Security Institute
ITEP Integrated Test and Evaluation Program
ITT Initial Technical Test
MARSEC Maritime Security
MERPAC Merchant Marine Personnel Advisory Committee
MODU Mobile Offshore Drilling Unit
MSRAM Maritime Security Risk Analysis Model
MTSA Maritime Transportation Security Act
NMSAC National Maritime Security Advisory Committee
NPRM Notice of Proposed Rulemaking
OCS Outer Continental Shelf
OMB Office of Management and Budget
OSVs Offshore Supply Vessels
PACS Personnel Access Control System
PIN Personal Identification Number
PIV Personal Identity Verification
RA Regulatory Analysis
RKB Responder Knowledge Base
SSI Sensitive Security Information
ST&E System Test & Evaluation
TEMP Test and Evaluation Master Plan
TSA Transportation Security Administration
TSAC Towing Safety Advisory Committee
TSI Transportation Security Incident
TWIC Transportation Worker Identification Credential
VSP Vessel Security Plan

Table of Contents

I. Public Participation and Request for Comments
A. Submitting Comments
B. Handling Confidential Information, Proprietary Information,
and Sensitive Security Information (SSI) Submitted in Public
Comments
C. Viewing Comments and Documents
D. Privacy Act
E. Public Meeting
F. Future Opportunities for Comment
II. Summary of ANPRM
III. Background
A. Statutory History
B. Regulatory History
IV. Discussion of Process
A. Risk-Based Approach to Reader Requirements
B. Maritime Security Risk Analysis Model (MSRAM) and the
Analytic Hierarchy Process (AHP)
C. Requirement Options Considered
D. Reader Requirements
E. Facility and Vessel Risk Groups
F. Recurring Unescorted Access
G. Additional Topics and Requirements
V. Advisory Committee Input
VI. Discussion of Pilot Programs
VII. Regulatory Analyses

I. Public Participation and Request for Comments

We encourage you to participate in this rulemaking by submitting

[[Page 13361]]

comments and related materials. All comments received will be posted,
without change, to http://www.regulations.gov and will include any
personal information you have provided. We have an agreement with the
Department of Transportation (DOT) to use the Docket Management
Facility.

A. Submitting Comments

If you submit a comment, please include your name and address,
identify the docket number for this rulemaking (USCG-2007-28915),
indicate the specific section of this document to which each comment
applies, and give the reason for each comment. You may submit your
comments and material by electronic means, mail, fax, or delivery to
the Docket Management Facility at the address under ADDRESSES; but
please submit your comments and material by only one means. If you
submit them by mail or delivery, submit them in an unbound format, no
larger than 8\1/2\ by 11 inches, suitable for copying and electronic
filing. If you submit them by mail and would like to know that they
reached the Facility, please enclose a stamped, self-addressed postcard
or envelope. We will consider all comments and material received during
the comment period. We may change the proposed rule in view of them.

B. Handling Confidential Information, Proprietary Information and
Sensitive Security Information (SSI) Submitted in Public Comments

Do not submit comments that include trade secrets, confidential
commercial or financial information, or sensitive security information
(SSI) \1\ to the public regulatory docket. Please submit such comments
separately from other comments on the rulemaking. Comments containing
this type of information should be appropriately marked as containing
such information and submitted by mail to the Coast Guard point of
contact listed in the FOR FURTHER INFORMATION CONTACT section.
---------------------------------------------------------------------------

\1\ ``Sensitive Security Information'' or ``SSI'' is information
obtained or developed in the conduct of security activities, the
disclosure of which would constitute an unwarranted invasion of
privacy, reveal trade secrets or privileged or confidential
information, or be detrimental to the security of transportation.
The protection of SSI is governed by 49 CFR part 1520.
---------------------------------------------------------------------------

Upon receipt of such comments, the Coast Guard will not place the
comments in the public docket and will handle them in accordance with
applicable safeguards and restrictions on access. The Coast Guard will
hold them in a separate file to which the public does not have access,
and place a note in the public docket that Coast Guard has received
such materials from the commenter. If the Coast Guard receives a
request to examine or copy this information, we will treat it as any
other request under the Freedom of Information Act (FOIA) (5 U.S.C.
552).

C. Viewing Comments and Documents

To view comments, as well as documents mentioned in this preamble
as being available in the docket, go to http://dms.dot.gov at any time,
enter the docket number for this rulemaking (USCG-2007-28915) in the
Search box, and click ``Go >>.'' If you do not have access to the
internet, you may view the docket online by visiting the Docket
Management Facility in Room W12-140 on the ground floor of the
Department of Transportation West Building, 1200 New Jersey Avenue,
SE., Washington, DC 20590, between 9 a.m. and 5 p.m., Monday through
Friday, except Federal holidays.

D. Privacy Act

Anyone can search the electronic form of all comments received into
any of our dockets by the name of the individual submitting the comment
(or signing the comment, if submitted on behalf of an association,
business, labor union, etc.). You may review a Privacy Act, system of
records notice regarding our public dockets in the January 17, 2008
issue of the Federal Register (73 FR 3316).

E. Public Meeting

Because the Coast Guard intends to hold additional public meetings
(see Paragraph F ``Future Opportunities for Comment''), we plan to hold
only one public meeting in the Washington, DC area at this time. A
notice with the specific date and location of the meeting will be
published in the Federal Register as soon as this information is known.
In addition, known interested parties will be contacted via mail, e-
mail, or telephone. If you wish to be contacted regarding the public
meeting, contact LCDR Jonathan Maiorine, listed under FOR FURTHER
INFORMATION CONTACT.

F. Future Opportunities for Comment

The Coast Guard intends to publish a Notice of Proposed Rulemaking
(NPRM) after reviewing the comments on this Advanced Notice of Proposed
Rulemaking (ANPRM), and after receiving data from the TWIC pilot
programs (discussed in Section IV ``Discussion of Pilot Programs''). We
intend to have an open comment period with sufficient time to allow
interested parties to submit comments following publication of an NPRM.
We also intend to hold several public meetings during that comment
period, at various locations across the country.

II. Summary of ANPRM

This ANPRM presents preliminary thoughts of the Department of
Homeland Security, through the U.S. Coast Guard and the Transportation
Security Administration, on potential requirements for electronic TWIC
readers for certain vessels and facilities that are regulated by the
Coast Guard under 33 CFR chapter I, subchapter H, commonly known as
``MTSA-regulated'' vessels and facilities. The purpose of this ANPRM is
to open the public dialogue on implementing TWIC reader requirements
using a risk-based decision model, as well as to seek input on other
requirements that we are considering proposing at the same time as the
reader requirements. We are not proposing any specific changes to the
Code of Federal Regulations at this time. Specific changes would be
proposed in an NPRM at a future date.
This ANPRM discusses separating individual MTSA-regulated vessels,
facilities, and Outer Continental Shelf (OCS) facilities into one of
three risk groups. Each risk group would have its own associated
electronic TWIC reader requirements.
We are considering that those vessels and facilities in the lowest
risk group continue to use TWICs primarily as a visual identity badge
only, at all Maritime Security (MARSEC) Levels, and subject to
electronic verification during inspections and spot checks, as
currently required in the joint Coast Guard and TSA final rule on TWIC,
issued on January 25, 2007. 72 FR 3492.
At MARSEC Level 1, those in the middle risk group would perform an
electronic read of the TWIC to verify its authenticity and to verify
the validity of the card (i.e., ensure that it has not been revoked).
Owners or operators of these vessels and facilities would match the
TWIC-holder's fingerprint to the biometric template stored within the
TWIC (i.e., perform a biometric match) at MARSEC Level 1 on dates
chosen randomly within a frequency of at least once a month. They would
perform the biometric match at each entry at the higher MARSEC Levels.
Those vessels and facilities falling into the highest risk group
would perform the biometric match and verify the authenticity and
validity of the card at each entry at all MARSEC Levels.
These requirements are summarized in a table, found in Section IV.
D. ``Reader Requirements'' and are subject to change based on public
comment and

[[Page 13362]]

additional data collection from the TWIC reader testing pilot program
(``pilot program''), which is currently underway as required by the
Safety and Accountability for Every Port Act of 2006 (SAFE Port Act),
Public Law No. 109-347, 120 Stat. 1884, 1889 (Oct. 13, 2006). For
example, we may propose, in an NPRM, to require reader usage at a
facility or vessel in Risk Group C, or require more frequent reader
usage for those facilities and vessels in Risk Group B. We request
comments from the public regarding this process and, in particular, the
Risk Group divisions and application of MARSEC Levels to reader
requirement frequency.
We are also considering that each risk group have the option of
using recurring unescorted access for up to 14 TWIC holders, per vessel
or facility, if that provision is included in their amended security
plan and approved by the Coast Guard. In order to take advantage of
recurring unescorted access, the owner or operator of the vessel or
facility would conduct an initial biometric match of the individual
against his/her TWIC, either at hiring or upon the effective date of a
final rule, whichever occurs later. This biometric match would include
a verification of the authenticity and validity of the TWIC. Once this
check is done, the TWIC need only be used as a visual identity badge,
at a frequency to be approved by the Coast Guard in the amended
security plan, so long as the validity of the TWIC is verified
periodically, ranging from monthly to daily, depending upon risk group
and MARSEC Level. We are specifically seeking comment in this ANPRM as
to whether 14 persons is the appropriate number of persons eligible for
recurring unescorted access and whether the public believes this
process is appropriate for facilitating industry operations while
maintaining an appropriate level of port security.
This ANPRM also discusses recordkeeping requirements for those risk
groups required to use readers, and for those owners or operators
choosing to use recurring unescorted access. It discusses and seeks
comment on a requirement for all owners and operators to amend their
security plans to incorporate TWIC requirements.

III. Background

A. Statutory History

The principal statutory authority for the TWIC program, the
Maritime Transportation Security Act of 2002 (MTSA), Public Law No.
107-295, 116 Stat. 2064 (Nov. 2, 2002), requires the issuance of
biometric transportation security cards to Coast Guard credentialed
merchant mariners and other workers requiring unescorted access to
secure areas of vessels and port facilities. 46 U.S.C. 70105(a)-(f)
(2002). The SAFE Port Act, Public Law No. 109-347, 120 Stat. 1884 (Oct.
13, 2006) supplemented various MTSA credentialing requirements. These
additional provisions included establishing a port implementation
deadline; requiring implementation of a pilot program to test TWIC
readers; and setting a deadline for promulgation of final regulations
requiring the deployment of TWIC readers that are consistent with the
findings of the pilot program. 46 U.S.C. 70105(g)-(m) (2006).

B. Regulatory History

On May 22, 2006, the Coast Guard and TSA issued a joint notice of
proposed rulemaking (TWIC 1 NPRM) entitled ``Transportation Worker
Identification Credential Implementation in the Maritime Sector;
Hazardous Materials Endorsement for a Commercial Driver's License,''
setting forth proposed requirements and processes required by MTSA. 71
FR 29396. The TWIC 1 NPRM proposed amending Coast Guard regulations on
vessel and facility security, found in 33 CFR chapter I, subchapter H,
to require the use of the TWIC as an access control measure, as well as
amendments to TSA regulations on security threat assessment standards.
The TWIC 1 NPRM also proposed requiring the use of TWIC in a biometric
access control system and user fees for TWIC issued under this rule.
The joint final rule (TWIC 1 FR), issued January 25, 2007, under the
same title, established the biometric credential requirements, amended
knowledge requirements, expanded appeal and waiver provisions, and set
the user fee for the TWIC. 72 FR 3492. The TWIC 1 FR did not require
card readers. A full discussion of the provisions for the TWIC 1 NPRM
and TWIC 1 FR can be found in the preambles of those documents, at the
Federal Register cites provided in this paragraph.
After publication of the TWIC 1 FR, the Coast Guard issued a Notice
of Availability and requested comments on draft TWIC biometric reader
specifications and draft TWIC contactless smart card applications,
which were both developed by the National Maritime Security Advisory
Committee (NMSAC). The Coast Guard and TSA reviewed the comments
received and issued a Notice on September 20, 2007, announcing the
working technical specification selected for use in the TWIC pilot
programs and discussing the comments received in response to the Notice
of Availability. 72 FR 53784.
On July 13, 2007, the Coast Guard issued a final rule to delay the
compliance date for facility owners and operators wishing to redefine
their secure areas, to limit application of the TWIC requirement to
those portions of their facility directly connected to maritime
transportation. 72 FR 38486. This provision was included in the TWIC 1
FR, and the delay in the compliance date was necessary to allow owners
and operators to consider Coast Guard guidance, issued as Navigation
and Vessel Inspection Circular 03-07 on July 2, 2007.
On September 28, 2007, the Coast Guard and TSA issued another joint
Final Rule to amend provisions of the TWIC 1 FR. 72 FR 55043. This
final rule amended the definition of secure areas to address facilities
in the Commonwealth of the Northern Mariana Islands; allowed
flexibility for additional non-resident aliens to apply for a TWIC;
clarified who may obtain a TWIC at a reduced fee; and amended the
replacement fee originally announced in TWIC 1 FR.
On May 7, 2008, the Coast Guard and TSA issued a joint final rule
to extend the compliance date set forth in the TWIC 1 FR. 73 FR 25562.
Under the new final compliance date, mariners must obtain a TWIC no
later than April 15, 2009. That date also marks the final date by which
owners and operators of vessels, facilities, and OCS facilities, who
have not otherwise been required to implement access control procedures
utilizing TWIC on an earlier date, must implement those procedures.
Owners and operators of vessels, facilities, and OCS facilities should
note, however, that in accordance with the TWIC 1 FR the Coast Guard
has announced rolling COTP Zone compliance dates in the Federal
Register.

IV. Discussion of Process

A. Risk-Based Approach to Reader Requirements

This ANPRM discusses three levels of requirements, with vessels and
facilities ``assigned'' into a particular level based on risk. We used
the Maritime Security Risk Analysis Model (discussed in B. ``Maritime
Security Risk Analysis Model (MSRAM) and the Analytic Hierarchy Process
(AHP)'') and other factors to rank facilities and vessels as lower
versus higher risk. We are considering proposing that those facilities
and vessels with the higher risk be required to fully utilize the
security features and achieve the full risk reduction benefit of the
TWIC, whereas facilities and vessels

[[Page 13363]]

at the lower risk level should be required to implement only some of
the security features. We have presented the resulting matrix of
potential requirements in this document. We are seeking comment not
only on these requirements, but also on the risk groups themselves and
the method we used to reach those groups, which is discussed in the
next section.

B. Maritime Security Risk Analysis Model (MSRAM) and the Analytic
Hierarchy Process (AHP)

Three factors were applied to develop a risk-based ranking of all
MTSA-regulated facilities and vessels by type. These factors were: The
maximum consequence resulting from a terrorist attack, the criticality
to the nation's health, economy and national security, and the utility
of TWIC in reducing risk. These factors were applied in an AHP
(discussed later in this section) to develop an overall ranking of
vessel and facility types for which TWIC requirements are assigned.\2\
---------------------------------------------------------------------------

\2\ The ranking from each factor, as well as the overall
rankings, are SSI per 49 CFR 1520.5(b)(5) and (b)(12). In accordance
with 49 CFR 1520.9, SSI may only be released to covered persons with
a need to know the information.
---------------------------------------------------------------------------

The first factor applied was the maximum potential consequence
resulting from the total destruction of the vessel or facility. We
developed this factor by using the Coast Guard's MSRAM application.
MSRAM is a terrorism risk analysis tool used to perform risk
assessments on critical infrastructure and key resources in the
maritime domain given a range of terrorist attack scenarios. The tool's
purpose is to capture and rank the security risk facing different types
of potential terrorist targets (e.g., waterfront facilities, vessels,
bridges and other infrastructure) spanning all Critical Infrastructure/
Key Resource (CI/KR) sectors in our nation's ports and on our
waterways. An initial step in the MSRAM process is to calculate the
maximum potential consequence of total loss of a target, factoring in
injury and loss of life, economic and environmental impact, symbolic
effect, and national security impact. MSRAM then assesses risk for a
range of scenarios--each involving a combination of target and method
of attack--in terms of threat, vulnerability, and consequence. MSRAM
also considers the response capability of the owner/operator, local
first responders, and Federal agencies to mitigate the consequences of
an attack. The Coast Guard in consultation with representatives from
Area Maritime Security Committees throughout the country has compiled
this MSRAM risk information from Coast Guard Sectors and Captains of
the Port into a database which provides an overall national view of
terrorist risk to maritime assets.
We extracted information specific to MTSA regulated vessels and
facilities from this database and used it to address the maximum
consequence that would occur if the facility or vessel was completely
debilitated by a transportation security incident (TSI) resulting from
a terrorist attack. These MSRAM consequence scores were averaged across
similar types of MTSA regulated vessels and facilities to develop a
standard risk score for each type of vessel and facility.
The second factor scored was the criticality of vessel or facility
type. The term ``criticality'' describes the impact of the total loss
of a vessel or facility beyond the immediate local consequences and
addresses regional or national impacts to human health, the economy and
national security.
Finally, we scored the utility of TWIC in reducing vulnerability to
terrorist attack for each vessel and facility type.
We used the AHP to combine these three factors and developed an
overall risk ranking by vessel and facility type. AHP is a technique
for decision making which uses a limited number of variables, each of
which has a number of different attributes. This enables the
combination of subjective and objective input from a group to produce
consistent results.
Applying this technique, each of the three factors was weighted
based on their importance to the policy decision process, and an
analysis was conducted to check the consistency of the evaluation
measures. At the end of this process, vessel and facility types with
similar scores were combined into ``risk groups'' to determine TWIC
verification and validation requirements.
In determining the cut offs between risk groups, risk rankings were
graphed to identify any natural breaks that occurred in the data. For
vessels, these breaks generally occurred where there was a change in
the hazardous nature of the cargo or where the number of passengers
carried aboard a vessel increased. The breaks were similar for
facilities where these vessels called. These breaks were used in
defining risk groups A, B, and C. These groups are spelled out in E.
``Facility and Vessel Risk Groups.''
We then turned to the Homeland Security Institute (HSI) to provide
an independent peer review of our analysis.\3\ Specifically, HSI is
evaluating the validity of the risk assessment methodology and its
appropriateness for the identified TWIC risk issues, the extent to
which the conclusions follow from the analysis, and the overall
strengths and weaknesses of the risk analysis. The main objective is to
review how the MSRAM methodology has been applied to the development of
the proposed TWIC reader requirements; the MSRAM methodology itself is
not a part of the peer review. HSI's final report is expected this
fall, and will be placed on the docket for this rulemaking, where
indicated under ADDRESSES, as appropriate.
---------------------------------------------------------------------------

\3\ The Homeland Security Institute (HSI) is a Studies and
Analysis Federally Funded Research and Development Center
established pursuant to section 312 of the Homeland Security Act of
2002 (6 U.S.C. 192). HSI delivers independent and objective analyses
and advises in core areas important to its sponsor in support of
policy development, decision-making, analysis of alternative
approaches, and evaluation of new ideas on issues of significance.
---------------------------------------------------------------------------

C. Requirement Options Considered

We considered three separate categories of TWIC verification that
could, potentially, be checked at each entry: (1) Identity
verification, (2) card authentication, and (3) card validity.
(1) Identity verification ensures that the individual presenting
the TWIC is the same person to whom the TWIC was issued. In its most
reliable form, this is done by matching the biometric template stored
in the TWIC to the TWIC-holder's live sample biometric (e.g., a
fingerprint). However it can also be done to a less reliable degree by
visually comparing the photo on the TWIC to the TWIC-holder or by
requiring the TWIC-holder to place their card into a contact smart card
reader and then entering his/her 6-digit Personal Identity Number
(PIN), selected by the TWIC-holder at card issuance.
In some instances, a biometric match will not be possible. A small
number of TWICs will be issued that contain either poor quality
fingerprint templates, mostly due to badly damaged fingers, or no
fingerprint minutiae in the case of amputations. In these cases, the
reader will display a prompt indicating that this TWIC holder will
require exception handling. We expect that the facility or vessel owner
or operator will describe the exception process to be used in these
cases in their security plan. The exception processes may include
visual inspection of the TWIC including visual comparison of the photo
printed on the card to the presented; visual comparison of the digital
photo stored on the TWIC to the presenter by using a portable

[[Page 13364]]

reader with a contact interface and releasing the photo to the reader
screen by entering the six-digit PIN; or an alternative process
proposed by the owner or operator and approved by the Coast Guard.
Biometrics, other than the fingerprint templates stored in the
Integrated Circuit Chip of the TWIC, may be used to biometrically
verify the identity of individuals being granted unescorted access to
secure areas of MTSA regulated facilities and vessels provided that a
``chain-of-trust'' is maintained to link the individual, their TWIC,
and the alternative biometric. The process for maintaining these links
would need to be described in an FSP or VSP, approved by the Coast
Guard. In addition to linking the alternate biometric to the individual
and heir TWIC, the process would need to include ascertaining the
validity of the individual's TWIC.
Before obtaining an alternate biometric the TWIC holder must first
be linked to their credential by matching the holder's fingerprint to
the fingerprint template on the TWIC using a reader capable of reading
and matching the TWIC biometric. During this process, the validity of
the TWIC would also need to be ascertained. If the fingerprint template
match is successful and the TWIC is valid the credential would, in most
cases, be registered with the personnel access control system (PACS).
While the TWIC holder is present, the alternate biometric would be
captured and linked to the TWIC, thus establishing a ``chain-of-trust''
between the individual, their TWIC, and the alternate biometric.
Variations on the usual process of registering the TWIC and alternate
biometrics in a PACS, such as storing the alternate biometric on a
separately issued card, or storing the alternate biometric on a local
reader, may be proposed as part of the FSP or VSP. However, in all
cases the linkage between the individual, the TWIC, and the alternate
biometric would need to be proven and approved by the Coast Guard.
(2) Card authentication ensures that the card being used is an
authentic TWIC, i.e., not a counterfeit. As designed, the primary
method of card authentication involves engaging the TWIC with a reader
to perform a CHALLENGE/RESPONSE protocol using the Card Authentication
Certificate and the associated card authentication private key resident
on the TWIC.\4\ The card can also be visually inspected for various
security features that are embedded into the front and back of the
card, although this is a less reliable form of card authentication.
---------------------------------------------------------------------------

\4\ The TWIC reader will read the Card Authentication
Certificate from the TWIC card and then send a challenge to the card
requesting the card authentication key be used to sign a random
block of data (created and known to the TWIC reader). The TWIC
reader will use the public key embedded in the Card Authentication
Certificate to verify the signature of the random data block is
valid. If the signature is valid the TWIC reader will trust the TWIC
card submitted and will proceed to pulling the Federal Agency Smart
Credential--Number (FASC-N) and other information from the card for
further processing. The Card Authentication Certificate contains the
FASC-N and a certificate expiration date harmonized to the TWIC card
expiration date. This minimizes the need for the TWIC reader to pull
more information from the card (unless required for additional
checking).
---------------------------------------------------------------------------

(3) Card validity involves the determination that a TWIC is still
valid, i.e., that it has not expired; been reported as lost, stolen, or
damaged; or been revoked for cause by TSA. A TWIC that is invalid is
placed on the ``hotlist,'' which is updated daily.\5\ As designed,
checking for card validity is accomplished by comparing the expiration
date of the TWIC to the current date and additionally comparing the
card's internal Federal Agency Smart Card--Number (FASC-N), retrievable
from several locations within the TWIC, to the hotlist FASC-Ns that TSA
makes available to owners and operators.
---------------------------------------------------------------------------

\5\ The hotlist is online at: https://twicprogram.tsa.dhs.gov/TWICWebApp/SDownloadHotlist.do.
---------------------------------------------------------------------------

An alternative method for checking card validity is to use a
Certificate Revocation List (CRL). The link to the CRL is embedded in
the Issuer Signing Certificate present on every card.\6\ Each entry of
the CRL is comprised of the certificate number and its date of
revocation. Note there are four certificates for every TWIC Card (Card
Authentication Certificate, Digital Signature Certificate, Key
Management Certificate, and Personal Identity Verification (PIV)
Authentication Certificate). The CRL is updated daily. Both of these
processes (hotlist or CRL check) require a card/reader interface. A
partial card validity check can be accomplished by reviewing the
expiration date on the face of the TWIC, but such a check would not
capture information relating to cardholders who TSA determines pose a
security threat and/or hold revoked TWICs.
---------------------------------------------------------------------------

\6\ The CRL is located at http://twic-crl.orc.com/CRLs/TWICCA1.crl.
---------------------------------------------------------------------------

We anticipate that the Hotlist match (or the CRL match) can be done
in one of two ways: Electronically (either in real time or by
downloading the Hotlist into the reader or a separate access control
system), or by printing out the Hotlist and manually entering it into a
separate access control system.
The TWIC 1 NPRM discussed the potential for a process called
``privilege granting,'' in which an owner or operator could contact TSA
and register those persons granted unescorted access privileges at the
vessel or facility. Owners or operators would provide TSA with the
FASC-Ns for every person who was being considered for unescorted access
privileges. TSA would then contact the owner or operator directly if
any of those FASC-Ns were placed on the Hotlist. This option requires
access to a TWIC reader in order to discern the FASC-Ns associated with
the individuals given unescorted access. This capability was tested
during TSA's TWIC prototype but is not part of the current TWIC system.
We would like to hear comments on whether such an option would be
preferred, and if so, whether owners and operators would be willing to
pay a fee for the option of using privilege granting (instead of
downloading the Hotlist at regular intervals). If users would be
willing to pay a fee, we also request a range of what would be
appropriate (e.g., one time fee to use the system, annual fees, or a
combination of both, plus limits on what fees owners and operators
would be willing to pay).

D. Reader Requirements

When we considered electronic reader requirements for facilities
and vessels, we began with a baseline approach that all three
categories of TWIC verification--identity verification, card
authentication, and card validity--in its most reliable and complete
form should be required of all risk groups.
TWIC provides a universally recognized, tamper-resistant credential
backed up by a TSA security threat assessment that, when used as an
access control tool, reduces the risk of a transportation security
incident at vessels and maritime facilities. TWIC is a dual interface
smart card which was developed using national and international
standards to ensure security, interoperability and performance. The
card has physical and logical security features which, when used
properly, can provide a secure method of determining, with a high level
of assurance, that the TWIC-holder is the same individual to whom the
TWIC was issued, and that they do not present a security threat.
The benefit of using existing industry recognized standards in
developing the TWIC is the flexibility of use the card provides. It can
be integrated into existing access control systems by using the TWIC as
a secure means of

[[Page 13365]]

authenticating an individual when first registering an individual into
an existing access control system. Alternatively, either the contact or
contactless interface can be used with existing smart card readers to
authenticate the individual and the credential when making access
control decisions, by securely accessing and using the data stored on
the TWIC.
A design principle of the TWIC system is to establish and maintain
a chain of trust. A chain of trust is a security architecture that
ensures that a uniform level of security and integrity is applied to
the components or agents where information is stored or passes through.
TWIC accomplishes this by the use of secure communication between
components of the TWIC system, identity verification and authentication
issuance requirements, and centralized personalization.
The following tables briefly summarize the requirements the Coast
Guard is considering for each risk group. It indicates what would need
to occur, at each MARSEC Level, to complete identity verification, card
authentication, and a card validity check.

Table of Potential Reader Requirements
----------------------------------------------------------------------------------------------------------------
MARSEC Level 1 MARSEC Level 2 MARSEC Level 3
----------------------------------------------------------------------------------------------------------------
Risk Group A, Bulk CDCs, >1,000 IDENTITY VERIFICATION: IDENTITY VERIFICATION: IDENTITY VERIFICATION:
passengers Biometric match of Biometric match of Biometric match of
fingerprint to fingerprint to fingerprint to
template stored in template stored in template stored in
TWIC at each entry. TWIC at each entry. TWIC at each entry.
CARD AUTHENTICATION: CARD AUTHENTICATION: CARD AUTHENTICATION:
Electronic Electronic Electronic
communication to communication to communication to
achieve a successful achieve a successful achieve a successful
CHALLENGE/RESPONSE CHALLENGE/RESPONSE CHALLENGE/RESPONSE
result at each entry. result at each entry. result at each entry.
CARD VALIDITY CHECK: CARD VALIDITY CHECK: CARD VALIDITY CHECK:
Compare FASC-N against Compare FASC-N against Compare FASC-N against
Hotlist at each entry; Hotlist at each entry; Hotlist at each entry;
update Hotlist weekly. update Hotlist daily. update Hotlist daily.
Risk Group B, HAZ MAT, Crude Oil, 500- IDENTITY VERIFICATION: IDENTITY VERIFICATION: IDENTITY VERIFICATION:
1,000 passengers. Random biometric match Biometric match of Biometric match of
of fingerprint to fingerprint to fingerprint to
template stored in template stored in template stored in
TWIC, at least one day TWIC at each entry. TWIC at each entry.
a month; all other
times as visual
identity badge.
CARD AUTHENTICATION: CARD AUTHENTICATION: CARD AUTHENTICATION:
Electronic Electronic Electronic
communication to communication to communication to
achieve a successful achieve a successful achieve a successful
CHALLENGE/RESPONSE CHALLENGE/RESPONSE CHALLENGE/RESPONSE
result at each entry. result at each entry. result at each entry.
CARD VALIDITY CHECK: CARD VALIDITY CHECK: CARD VALIDITY CHECK:
Compare FASC-N against Compare FASC-N against Compare FASC-N against
Hotlist at each entry; Hotlist at each entry; Hotlist at each entry;
update Hotlist weekly. update Hotlist daily. update Hotlist daily.
Risk Group C, Non-HAZ................ IDENTITY VERIFICATION: IDENTITY VERIFICATION: IDENTITY VERIFICATION:
MAT, <500 passengers MODU OSV........ Visual identity badge Visual identity badge Visual identity badge
at each entry. at each entry. at each entry.
CARD AUTHENTICATION: CARD AUTHENTICATION: CARD AUTHENTICATION:
Check security Check security Check security
features on card at features on card at features on card at
each entry and each entry and each entry and
electronic electronic electronic
verification during verification during verification during
annual inspections and annual inspections and annual inspections and
random spot checks. random spot checks. random spot checks.
CARD VALIDITY CHECK: CARD VALIDITY CHECK: CARD VALIDITY CHECK:
Check expiration date Check expiration date Check expiration date
at each entry; CG each entry; CG perform at each entry; CG
perform spot checks. spot checks. perform spot checks.
----------------------------------------------------------------------------------------------------------------

Risk Group A
To provide the maximum security benefit, we determined that those
assets presenting the highest risk should be required to implement the
most protective measures. Thus, we are considering requiring facilities
and vessels that fall into risk group A to either match the TWIC-
holder's biometric (fingerprint) to the template stored in the card or
to match the TWIC-holder's biometric to one held in the owner/
operator's own access control system. This match will need to occur at
each entry. For the latter option, the owner or operator may choose to
apply a different biometric than the fingerprint, such as an iris scan
or hand geometry, stored in the local access control system and matched
to the individual seeking access. Also, for the latter option, the
owner/operator's system must be linked to the TWIC in such a manner
that the access control system forbids access to someone who does not
have a valid TWIC, or to someone other than to whom the TWIC has been
issued. This means that the TWIC will need to be read and the stored
biometric identifier matched against the TWIC-holder's fingerprint at
least once, when the individual is entered into the local access
control system.
We are re-considering whether to require a TWIC-holder to verify
his/her PIN as a part of the identity verification process. This added
element, making the TWIC-holder provide ``something he/she knows,''
would complete three-factor authentication: (1) Something the person
has--a TWIC credential; (2)

[[Page 13366]]

Something the person knows--a PIN, stored securely on * * * the
credential; and (3) Something the person is--biometric. PIN
verification would require the TWIC to be inserted into a card reader,
as the PIN only operates in the contact-chip mode. Comments received on
the TWIC 1 NPRM made it clear that requiring insertion of a TWIC into
an open-slot card reader was not favored among the maritime community.
This was echoed in the recommendations made by NMSAC in its
recommendations for specifications for a contactless TWIC. There were
concerns over whether the readers would be able to withstand harsh
environmental and operational conditions and how long they would last
if they were operated continually in the maritime environment. Industry
partners also voiced concerns over whether maritime workers would be
able to remember a PIN, especially if a PIN was only required at higher
MARSEC Levels, and over the operational delays that may be caused by
requirements for TWIC-holders to pass through access control points,
insert the card, enter a PIN (which could take several tries), and then
remove the card. After considering these comments, the relative risk
presented by the vessels and facilities, and the security already being
provided through the remaining requirements, we have tentatively
determined that a requirement for use of the PIN would have a negative
impact on large scale throughput during access control evolutions. As a
result, we have not included a requirement for regular use of the PIN
at any MARSEC Level for any risk group in this ANPRM. We would like
public comments on this decision and whether the Coast Guard should
reconsider using PIN requirements. We note, however, that PINs may be
required by owners and operators who wish to implement an additional
level of security or during the spot checks and annual inspections
conducted by the Coast Guard.
We are also considering a proposal that vessels and facilities in
the highest risk group (risk group A) authenticate the card
electronically with a card reader at each entry. Again, for vessels and
facilities opting to integrate TWIC into existing local access control
systems, this will need to be done before the individual's information
is added into the local access control system, and before unescorted
access is first granted to the individual. For other vessels and
facilities, this function can be done by TWIC readers at the same time
that the biometric match is being made. Adding this requirement would
add a negligible time to the transaction between the TWIC-holder and
the card reader, as the readers will be able to perform this function
as the individual is presenting his or her finger for matching against
the template stored on the TWIC.
Finally, vessels and facilities in risk group A would verify the
validity of the TWIC at each entry using information that is no more
than seven (7) days old, when at MARSEC Level 1. This means that on a
weekly basis, the Hotlist or CRL will need to be downloaded into the
reader(s) used at the vessel or facility's access control point(s) or
into the local access control system used by the vessel or facility.
This frequency will jump to daily (i.e., the Hotlist or CRL will need
to be downloaded daily) at MARSEC Levels 2 and 3. We request comments,
particularly from vessels and facility owners and operators in risk
grouping A, as to these processes.
Risk Group B
Vessels and facilities in risk group B would, under a final rule
based on this model, be required to complete the identity verification
by using the TWIC as a visual identity badge (``flash pass'') at each
entry. On a random basis, but at least one day a month, at MARSEC Level
1, they would also be required to match the biometric stored on the
card in order to conduct more complete identity verification.
Vessels and facilities in risk group B would need to perform card
authentication by electronically reading all the cards at MARSEC Level
1 at each entry, even when the biometric match is not being
implemented. While these checks require the use of an electronic
reader, they may be done using the contactless smart card interface,
and would not require that the individual TWIC-holder present his or
her fingerprint for matching against the template. The validity of the
TWICs must be checked at each entry, using TSA's Hotlist or CRL. At
MARSEC Level 1, this would be done using information that is no more
than seven (7) days old. At MARSEC Levels 2 and 3, the information
would be downloaded daily. We seek comments on this process and its
application to vessels and facilities in risk group B.
Risk Group C
Facilities and vessels in the lowest risk group, risk group C,
would not be required to match the biometric stored on the card in
order to complete the identity verification at any MARSEC Level.
Instead, they would only be required to use the TWIC as a visual
identity badge in the manner currently required by the TWIC 1 FR. This
provides identity verification with a lower level of reliance than a
biometric match would, however, we have determined at this time, and
subject to public comment, that in this lower risk group matching the
biometric frequently is not necessary. Given the type of commodities
and small number of passengers typical of this risk group, it is likely
these vessels and facilities are a less attractive target for
individuals who wish to do harm, though still holding the potential of
being involved in a TSI. As a result, we have determined that the
frequent matching of a biometric would not be practical. In addition,
identity verification using TWIC as a visual identity badge would more
closely align with other less stringent security provisions implemented
at these lower risk vessels and facilities.
Card authentication for this group (risk group C), would require
only verification of the various security features on the front and
back of the card. Under this process, vessels and facilities in this
risk group would continue to use the TWIC in the manner required by the
TWIC 1 FR. Finally, for the card validity check, we would require only
that the expiration date be checked. Thus, vessels and facilities in
risk group C will be able to fulfill their TWIC obligations without
having to buy or have access to a card reader.
This does not mean that individuals who hold TWICs and work
exclusively at vessels or facilities falling into risk group C will
never need to present their TWICs for a biometric match or more secure
card authentication check. The Coast Guard will continue to check and
verify TWICs, using handheld readers, during annual inspections and
during unannounced spot checks aboard vessels and facilities within all
three risk groups. These checks will include identity verification
using the fingerprint template stored in the TWIC, card authentication,
and card validity checks using the current TSA Hotlist or CRL.
Additionally, vessels and facilities may choose to electronically
authenticate the card with a card reader.
TSA would be able, through use of information collected during
enrollment for the TWIC, to contact employers or the Coast Guard if an
imminent threat, resulting in an immediate revocation of a TWIC, is
identified during the perpetual vetting of TWIC holders. At MARSEC
Levels 2 or 3, the Coast Guard spot checks and the percentage of TWICs
verified at each annual inspection would increase.
The Coast Guard seeks public comment of these processes, and
specifically as to the everyday

[[Page 13367]]

operational impacts related to the process and whether they will
maintain appropriate security levels while permitting the efficient and
effective continuation of industry operations.

E. Facility and Vessel Risk Groups

The following are suggested risk groups for vessels that are
subject to 33 CFR part 104:
Risk Group A
(1) Vessels that carry Certain Dangerous Cargoes (CDC) in bulk;
(2) Vessels certificated to carry more than 1,000 passengers; and
(3) Towing vessels engaged in towing a barge or barges subject to
paragraphs (1) or (2).
Risk Group B
(1) Vessels that carry hazardous materials other than CDC in bulk;
(2) Vessels subject to 46 CFR Chapter I, Subchapter D, that carry
any flammable or combustible liquid cargoes or residues \7\;
---------------------------------------------------------------------------

\7\ The intent as used here is to capture those tank vessels
that are carrying the high flash point petroleums, like crude oil,
that aren't hazardous materials, whether inland, coastal, or
seagoing.
---------------------------------------------------------------------------

(3) Vessels certificated to carry 500 to 1,000 passengers; and
(4) Towing vessels engaged in towing a barge or barges subject to
paragraphs (1), (2), or (3).
Risk Group C
(1) Vessels carrying non-hazardous cargoes that are required to
have a vessel security plan;
(2) Vessels certificated to carry less than 500 passengers;
(3) Towing vessels engaged in towing a barge subject to paragraphs
(1) or (2);
(4) Mobile Offshore Drilling Units (MODU); and
(5) Offshore Supply Vessels (OSVs) subject to 46 CFR chapter I,
subchapters L or I.
The following is suggested risk groups for facilities that are
subject to 33 CFR part 105:
Risk Group A
(1) Facilities that handle CDC in bulk;
(2) Facilities that receive vessels certificated to carry more than
1,000 passengers; and
(3) Barge fleeting facilities that receive barges carrying CDC in
bulk.
Risk Group B
(1) Facilities that receive vessels that carry hazardous materials
other than CDC in bulk;
(2) Facilities that receive vessels subject to 46 CFR Chapter I,
Subchapter D, that carry any flammable or combustible liquid cargoes or
residues;
(3) Facilities that receive vessels certificated to carry 500 to
1,000 passengers; and
(4) Facilities that receive towing vessels engaged in towing a
barge or barges carrying hazardous materials other than CDC in bulk,
crude oil, or certificated to carry 500 to 1,000 passengers.
Risk Group C
(1) MTSA-regulated facilities that receive vessels carrying non-
hazardous cargoes that are required to have a vessel security plan;
(2) Facilities that receive towing vessels engaged in towing a
barge carrying non-hazardous cargoes;
(3) Facilities that receive vessels certificated to carry less than
500 passengers.
All OCS facilities subject to 33 CFR part 106 would fall into risk
group B.
We considered the possibility that vessels may move from one risk
group to another, based on the cargo they are carrying or handling at
any given time. We expect that owners and operators of vessels that
expect to be in this situation (of moving between risk groups) will
explain, in their amended security plans, how they will move between
the requirements of the higher and lower risk groups, with particular
attention to the security measures to be taken when moving from a lower
risk group to a higher risk group and seek comments regarding this
requirement and the potential timing and processes for carrying out
these amendments.
We have also considered the possibility that facilities could be
permitted to move between risk groups based on vessel interface or
cargo operations. We are specifically requesting comment and
suggestions on how to apply this flexibility as it pertains to
potential electronic reader requirements while ensuring an equivalent
level of security and consistency across multiple COTP Zones to the
maximum extent possible.

F. Recurring Unescorted Access

In the TWIC 1 NPRM, we introduced the concept of recurring
unescorted access for vessels to allow an individual to enter on a
continual basis, without repeating the identity verification
requirement at each entry. 71 FR 29410. This concept allowed
flexibility for an individual to acquire unescorted access to secure
areas on a continual or ongoing basis, without having to fulfill the
TWIC access control requirement at every entry. In that NPRM, we noted
that an owner or operator's decision to grant recurring unescorted
access should be based on two considerations: (1) The relationship of
the individual to the vessel, or how well ``known'' he or she is; and
(2) the individual's need to have frequent and unimpeded access to the
vessel. In developing this ANPRM, we determined that both vessels and
facilities, at each risk group, should have the option of using
recurring unescorted access for up to 14 persons per vessel or
facility, if that provision is included in their amended security plan
and approved by the Coast Guard. In order to take advantage of
recurring unescorted access, the owner or operator of the vessel or
facility would need to perform a biometric match of the individual
against his or her TWIC (identity verification), either at hiring or
upon the effective date of a final rule, whichever occurs later. This
biometric match would need to include a verification of the FASC-N and
the TWIC Card Authentication Certificate (card authentication), as well
as a verification of the validity of the TWIC (card validity check).
Once this check is done, the TWIC could be used as a visual identity
badge at a frequency to be approved by the Coast Guard in the amended
security plan, so long as the validity of the TWIC is verified
periodically, using the Hotlist or CRL. For vessels and facilities in
risk groups A and B, these periodic checks of validity would need to
occur on a weekly basis at MARSEC Level 1, and on a daily basis at
MARSEC Levels 2 and 3. For those vessels in risk group C, these checks
would need to occur on a monthly basis at MARSEC Level 1, and on a
weekly basis at MARSEC Levels 2 and 3. In each case, the validity would
need to be checked using information that is no more than 24 hours old.
As a result, vessels in any risk group with a crew of 14 or less
would not need to carry a reader on their vessel to provide access
control over his or her own crew. The owner or operator would need
access to a reader to perform the initial identity verification and
card authentication, and would likely need some specialized software on
a computer to complete the card validity checks, but these checks could
be done at a shore side location, such as at the company's office. This
would allow owners and operators of more than one vessel to use the
same reader for an entire fleet. It also enables the owner or operator
to pursue an agreement with a facility or other company to borrow or
otherwise have access to their reader to perform the initial check,
create a file with the FASC-Ns and names of the employees granted
recurring unescorted access, and then use a software program

[[Page 13368]]

to compare this list to the TSA Hotlist or CRL on the required periodic
basis.
We used the recommendation from the Towing Safety Advisory
Committee (TSAC) which recommended a crew size cut off of 14 for
determining when to require a reader on board a vessel, as required by
the SAFE Port Act to develop a cut off for recurring unescorted access.
This was done because the rationale for allowing recurring unescorted
access--i.e., that these vessels have a reduced vulnerability because
the individuals are all ``known'' to one another--is the same rationale
used by TSAC to justify their crew size cut off recommendation. The
number was developed by taking into account the fact that for a small
vessel, such as a towing vessel or offshore supply vessel, the crew
would typically include up to one Master, one Chief Engineer, and three
four-person crews who rotate through watch shifts. This number would
also include a large percentage of deep draft vessels. We then carried
the number over to facilities, as it is reasonable to assume that 14
persons could be ``known'' by a facility owner or operator as well.
While the recurring unescorted access provision does not go so far
as to set a specific crew size below which a reader would not be
required on a vessel, we believe this provision, in conjunction with
the no reader requirement for risk group C, meets the intent of the
SAFE Port Act. Namely, it provides relief for owners and operators of
small and many large vessels, where it is unlikely that someone unknown
to the crew could acquire any type of access to the vessel without
raising suspicion. Additionally, while the recurring unescorted access
process would call for the use of electronic card readers to gain
access to certain vessels, we would not require that they be carried on
board any vessel. If the owner or operator of a vessel can demonstrate
in their vessel security plan that they will be able to meet the reader
requirements via use of a reader at a dedicated facility, by using a
reader that stays ashore with the company, or by agreements established
between vessels and facilities (such those captured in a Declaration of
Security) then the recurring unescorted access provisions could be met
without requiring installation or implementation of a reader on a
gangway or at any other place on the vessel.

G. Additional Topics and Requirements

Reader Approval--TWIC readers, incorporated into MTSA regulated
vessel and facility PACS, will need to follow the standard/
specification that will be developed from the results of the TWIC
reader pilot program, and published by the Government. An independent
lab that tests for compliance to the standard will be used by reader
manufacturers. These test results will be listed by the Government on
the DHS Responder Knowledge Base (RKB), which provides an on-line
source of information on products, equipment, and other information.
The RKB Web site may be viewed at: http://www.rkb.us.
Reader Calibration and Compliance--we are considering alternatives
for how we can check for compliance with regard to the readers
themselves. We would like to ensure, that once readers are installed,
they are maintained in proper working order. The existing provisions in
33 CFR 104.235, 104.2260, 105.225, 105.250, 106.230, and 106.255 would
require that the readers be inspected, tested, calibrated, and
maintained in accordance with the manufacturer's recommendations, and
that records of those actions be maintained as well. We seek comment on
whether TWIC readers should also be the subject to Coast Guard
inspections, or require some type of third party audit.
Security Plan amendment--we are considering a requirement for all
owners and operators to amend their security plans to include TWIC
requirements. We intend, at this time, to require the amendment within
six months of promulgation of a final rule. However, we will re-
evaluate this deadline as we get closer to issuing a final rule. We are
also considering the staggering of deadlines in order to spread out
expiration dates for security plans in the future. We seek public
comment on how long owners and operators should have to amend security
plans to incorporate TWIC reader requirements. This amendment would
need to detail how the owner or operator would implement the TWIC
verification requirements, including those promulgated in the TWIC 1 FR
(if not already incorporated into their security plans), and electronic
reader requirements if applicable. For instance, if the owner or
operator will use recurring unescorted access, the amendment would need
to explain when and where the initial check of the TWIC will occur, as
well as how the periodic card validity check will be accomplished. The
amendment would also need to explain how the owner or operator would
address identity verification, TWIC authentication, and the TWIC
validity check for individuals who are not granted recurring unescorted
access (i.e., how they would check TWICs according to the relevant
requirements if an individual seeks unescorted access, or how escorting
would be accomplished).
Additional security plan provisions that we are considering include
requiring the owner or operator to discuss how they will handle those
persons whose TWIC indicate they have poor quality or no fingerprints,
as well as those persons that are unable to match their live
fingerprint to the template stored on their TWIC. We are also
considering adding a requirement that those owners and operators using
a separate physical access system explain how they are protecting
personal identity information.
Requests for waivers, alternatives, and equivalents would need to
comply with existing regulatory requirements found in 33 CFR 101.120,
101.130, 104.130, 104.135, 105.130, 105.135, 106.125 and 106.130.
We would not amend the section on Alternative Security Programs
(ASPs), 33 CFR 101.120. Rather, we expect that, should this process be
promulgated in a final rule, the Coast Guard will exercise its existing
authority, found in Sec. 101.120(d)(1)(ii), to require those
organizations that have approved ASPs to amend them to incorporate the
TWIC requirements. We will give each organization the same amount of
time that owners and operators have to complete this amendment, but
seek comment on whether a shorter or longer period would be more
appropriate. For those organizations whose current ASPs cover vessels
or facilities that would fall into more than one risk group, we would
expect that the amended ASP address each relevant risk group.
Recordkeeping--The electronic readers that will be available for
owners and operators to purchase in order to meet the requirements
included in this proposal should be able to keep track of the names,
FASC-Ns, dates, and times of those persons passing through the reader.
Having records of those persons who were granted unescorted access, may
prove beneficial in law enforcement situations. For this reason, we are
considering requiring that facility and vessel owners who are required
to utilize readers (those in risk groups A and B) also keep records of
the persons who have been granted unescorted access (those whose TWICs
have been read by a card reader) for a period of two years. We are not
considering requiring that owners and operators need to know who is on
their vessel or facility at all times and believe that type of
requirement would be burdensome compared to the security benefit that
it would provide. This would remove the requirement that individuals
have their TWICs

[[Page 13369]]

electronically read when leaving the facility or vessel.
We are also considering that owners and operators opting to use
recurring unescorted access keep records of those persons to whom
recurring unescorted access has been granted. We would not be
prescribing the format for these records, only that they include the
name of individuals granted recurring unescorted access and be kept for
two years and made available to the Coast Guard upon inspection or
request. These records must allow the Coast Guard to identify the 14
(or fewer) individuals who are using the recurring unescorted access
privilege at the time they inspect or request the record.
We are also considering a provision that all owners and operators
maintain a record to demonstrate that they have completed the card
validity check (Hotlist or CRL check), if required.
Additional persons required to obtain TWICs--MTSA contained
additional categories of individuals who must hold a TWIC that were not
explicitly identified in the TWIC 1 NPRM or TWIC 1 FR. These include
all vessel pilots and all persons engaged on a towing vessel that
pushes, pulls, or hauls alongside a tank vessel. 46 U.S.C. 70105(b). We
believe that the majority of these individuals were already captured in
the TWIC 1 FR requirement for all persons requiring unescorted access
to secure areas; however there may be some vessel pilots that do not
hold Federal licenses, and there may be some persons who are not
credentialed mariners who are engaged on a towing vessel that is not
otherwise regulated by 33 CFR part 104. Thus, we are considering
including these populations in the TWIC requirement when we issue an
NPRM, in order to comply with the congressional mandate found in 46
U.S.C. 70105(b).

V. Advisory Committee Input

The Coast Guard has a long tradition of consulting with its
advisory committees before taking regulatory action. We acknowledge the
benefit of consulting with our advisory committees, and before issuing
this ANPRM we sent a task statement to the Merchant Marine Personnel
Advisory Committee (MERPAC), TSAC, and NMSAC, asking eighteen questions
related to requirements for TWIC readers. This task statement, as well
as each committee's formal responses and recommendations, may be found
in the docket for this ANPRM where listed under the ADDRESSES section
above. As discussed above, we accepted and incorporated a number of the
advisory committee recommendations into this ANPRM. We greatly
appreciate advisory committee input into this program and plan to
continue to seek advisory committee input throughout the remainder of
the TWIC regulatory process.

VI. Discussion of Pilot Program

In accordance with the SAFE Port Act, DHS, through the USCG and
TSA, developed a pilot program to ``test the business processes,
technology, and operational impacts required to deploy transportation
security card readers at secure areas of the marine transportation
system.'' 46 U.S.C. 70105(k)(1)(A). The SAFE Port Act requires the
pilot program to be conducted in a minimum of five geographically
distinct locations. The selected sites include the ports of Los Angeles
and Long Beach, California; the ports of New York and New Jersey, (New
York, Elizabeth, and Newark); the port of Brownsville, Texas; an Inland
Rivers tugboat operator in Vicksburg, Mississippi; the Staten Island
Ferry in New York, and a small passenger vessel operator in Annapolis,
Maryland. Other locations are also under consideration, specifically a
cold weather facility in the Great Lakes region. The goal of the pilot
program site selection is to engage a wide range of vessel and facility
types in a variety of operational environments and geographic areas.
During the reader pilot program, TSA strongly advocates, but does not
mandate, that port security directors consider FIPS 201 authentication
readers to accommodate future FIPS 201 interoperable cards.
The TWIC pilot program will conduct tests of contactless biometric
readers, as well as the credential authentication and validation
process to evaluate the previously published reader specification. 72
FR 53784. TSA and USCG worked with the maritime and smart card
industries through NMSAC to specify contactless technology for TWIC
readers that will minimize the impact to the flow of commerce (e.g.,
slower throughput at gates, potential lower availability of workers)
while still enabling the use of biometrics to verify identity and while
protecting personal information in the card from unauthorized
disclosure. The following should not be considered an all-inclusive
list; rather, this information is intended to offer insight regarding
the purpose and goals of the TWIC pilot program to greater inform your
comments to this ANPRM and provide information as to the overall
progress of the TWIC program.
TSA has developed a Test and Evaluation Master Plan (TEMP) to
provide a plan to acquire and evaluate the test data needed to support
the final reader rule. The TEMP addresses the impact of requiring the
use of the Contactless Biometric Card Reader to biometrically verify
identity, card authenticity and validity, and establishes a plan for an
Integrated Test and Evaluation Program (ITEP) for the card reader. The
ITEP is designed to provide accurate and timely information necessary
to evaluate the economic impact of a nationwide deployment of the card
reader(s), and to test the capability of card reader(s) to support the
enhanced security of the Nation's maritime transportation systems
through the development and issuance of enhanced rules and
specifications. The ITEP is comprised of three principle activities
including:
(1) Initial Technical Test (ITT),
(2) Early Operational Assessment (EOA), and
(3) System Test and Evaluation (ST&E).
All testing is designed to build upon preceding testing and
assessments to ensure all technical and operational aspects of the card
reader are evaluated while minimizing testing duplication.
The ITT is focused on providing information to determine if select
card readers meet specification parameters, including environmental
requirements, to ensure that the card readers will correctly perform
the biometric match and operate in the maritime operational environment
during ST&E.
The EOA is focused to obtain essential data to support rulemaking,
assess card reader suitability and effectiveness, and support
refinement of the card reader specification.
The ST&E is a comprehensive technical and operational testing of
the card reader system to provide the information required to finalize
reader regulatory requirements and support future card reader
acquisitions by the stakeholders.
Reader conformance testing is predicated upon a test protocol
verified by the National Institute of Standards and Technology.
Conformance testing will be conducted in accordance with the test
protocol at an independent laboratory. This includes TWIC contactless
reader interface testing.
Upon successful completion of the ST&E conformance testing, card
readers and/or portable card readers are installed and tested at
selected operational sites and vessels. The operational testing will
proceed with the system operating at the site or vessel. System testing
then continues until the data to support the decision for declaration
of operational effectiveness and supportability is acquired.

[[Page 13370]]

As required by the SAFE Port Act, the pilot program's results
should validate the TWIC and TWIC reader's impact on the flow of
commerce, the ability for vessels and facilities to comply with the
regulations, the applicability of the TWIC reader requirements, and
their ability to improve security, and economic and environmental
impacts.

VII. Regulatory Analyses

Before developing an NPRM, we will consider a number of statutes
and executive orders related to rulemaking, including Executive Orders
12866 and 13132 (Regulatory Planning and Review and Federalism,
respectively), the Regulatory Flexibility Act (5 U.S.C. 601-612), the
Paperwork Reduction Act (44 U.S.C. 3501-3520), and the National
Environmental Policy Act of 1969 (42 U.S.C. 4321-4370f). If you have
any information or comments that you feel would be helpful to us as we
complete these required analyses, please submit it to the docket during
the comment period for this ANPRM. Draft analyses will be included as
part of an NPRM, and will be made public for comment before the
issuance of a final rule, as required by the Administrative Procedure
Act (5 U.S.C. 553).

Dated: January 16, 2009.
Brian M. Salerno,
Rear Admiral, U.S. Coast Guard, Assistant Commandant for Marine Safety,
Security and Stewardship.
[FR Doc. E9-6852 Filed 3-26-09; 8:45 am]
BILLING CODE 4910-15-P