Facing up to the security challenge: Transportation Worker Identification Credential (TWIC) and Registered Traveler (RT).
Transportation Worker Identification Credential
by Steve Parsons
Transportation workers in our nation's maritime transportation environments will soon be issued a "biometric transportation security card" as required by the Maritime Transportation Security Act (MTSA) 2002 (http://www.uscg.mil/hq/g-m/mp/pdf/MTSA.pdf).
TSA and USCG are working hand-in-hand to bring the long-awaited TWIC card to the nation's transportation workers, and according to DHS Secretary Michael Chertoff, it will begin this year (http://www.dhs.gov/dhspublic/display?content=5551).
The current scope of the proposed rule includes maritime facilities, vessels, and outer continental shelf activities; however, the government is soliciting comments from the public on whether or not the TWIC should be expanded to include all modes of transportation as intended.
TSA and USCG recently completed a series of four informative public hearings to give voice to those affected by the proposed rule. The transcripts from the four public hearings as well as comments from affected stakeholders can be found on the DOT Docket Management System (http://dms.dot.gov/search/document.cfm?documentid=398320&docketid=24191).
According to the Notice of Proposed Rulemaking (http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2006/pdf/06-4508.pdf), the TWIC will be issued to more than 750,000 transportation workers. It will be a smart card that is the size of a credit card and will include security features that help make it tamper-resistant and difficult to counterfeit. The card is good for five years and will cost workers or companies between $95 and $149 per card. Those who have recently undergone a security threat assessment by TSA would receive their TWIC at a reduced cost. The replacement cost within the 5-year period is expected to be $36.
The Notice of Proposed Rulemaking (NPRM) indicates that "all of the significant components of the TWIC system align with FIPS 201-1," the implementing standard for Homeland Security Presidential Directive (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors (http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html).
TSA's decision to align the TWIC with FIPS 201 is a noteworthy decision, but not a surprise as TSA and its contractors helped write FIPS 201. Although FIPS 201 is targeted for federal employees and contractors, TSA should be commended for its decision to leverage existing investments to support related requirements such as those promulgated by HSPD-12.
Vessel and facility owner/operators have many new responsibilities under the proposed TWIC rule. Affected facilities must submit a TWIC Addendum to their security plans and be operating in accordance with the TWIC provisions, generally within one year after publication of the final rule. The facilities must have at least one operational TWIC reader--a biometric reader--to enable biometric identity verification. During heightened Maritime Security (MARSEC) levels, additional levels of authentication would be required.
Although the Final Rule is not yet published, the TWIC processes can be expected to generally follow those demonstrated during Phase III, Prototype. The first step in the process is expected to be employee certification.
In this first step, the transportation worker certifies that they have a legitimate need for unescorted access to secure areas. Once the transportation worker certifies their need for unescorted access, the next step is pre-enrollment.
Pre-enrollment is intended to begin the full enrollment process--in advance of actually visiting an enrollment facility. Although pre-enrollment is optional, it is highly recommended because it reduces the time required during full-enrollment. Using a computer with Internet access, applicants can pre-enroll on-line. Once the applicant completes the pre-enrollment process, the next step is enrollment--the applicant's first face-to-face interaction.
The most critical component to any secure identification process is enrollment. TSA or its contractors will serve as Trusted Agents (TAs) during the enrollment process where they will collect biographic and biometric information from applicants. TAs receive special training and undergo background checks before performing their duties. TSA indicates that it intends to use a mix of fixed and mobile enrollment options to reach the intended populations. The mobile enrollment option will be particularly important to enroll hard-to-reach populations and where existing infrastructure (eg, physical space, power, and communications) is not yet available.
During enrollment, the applicant will present the required identity documents to the TA who will, in turn, review and check the documents for authenticity, then scan and retain them to support re-issuance. The next step is collection of biometric samples (ie, fingerprints) and a digital photograph.
Using live-scan biometric readers, the applicant's fingers and thumbs will be scanned and the prints collected. The process is similar to the old "ink and roll" process, but today it's digital. In the case of amputees, missing digits (ie, finger, thumb), or poor samples, TSA is expected to have alternatives available to support biometric-based identity verification.
Once the TA has collected the required information, the applicant's enrollment record is electronically secured and encrypted, then sent to the TSA ID management system (IDMS) for processing.
TWIC ID MANAGEMENT SYSTEM
The TWIC IDMS is the secure repository for cardholder information and where all identity vetting and screening is initiated. Pertinent parts of the applicant's enrollment record will be used to conduct a criminal history records check, a name-based terrorist threat assessment, and an immigration check. In addition, the biometric samples collected during enrollment will be used to conduct a one-to-many (1:N) search to ensure that the applicant is not already in the TWIC system--perhaps fraudulently by a different name or alias.
This 1:N search is a critical capability that distinguishes the TWIC Program from other "identity management" programs and is a very strong deterrent to fraudulent or duplicate enrollments.
Once required checks are complete and if the applicant is qualified to receive a TWIC, appropriate parts of the enrollment record are sent to the government's card production facility.
CARD PRODUCTION AND PERSONALIZATION
The TWIC is produced (ie, personalized) in a central government card production facility. During personalization, the applicant's information is placed onto the TWIC. This information includes biometric templates, minimal biographical information, and a cardholder-unique ID. Unlike the perpetual and troublesome social security number, the cardholder-unique ID will be re-generated upon re-issuance of the TWIC--at least every five years.
Once the card is produced, it will be shipped to the appropriate enrollment center. Upon receipt at the enrollment center, the Trusted Agent will acknowledge receipt, thereby electronically notifying the applicant that the card is ready for activation and issuance.
ACTIVATION AND ISSUANCE
Card activation is anticipated to be the last government-controlled step of the application and issuance process. This step is the second face-to-face transaction between the applicant and the TA. The transportation worker will present his personal ID and conduct a biometric 1:1 match to the card and system to confirm that he is the rightful owner of the card. If the one-to-one match is successful, the TA can then issue the TWIC to the worker.
Once the transportation worker has his/her credential, it is an activated TWIC good for access nowhere. This is an important point to make because possession of the TWIC alone does not mean you also have carte blanche access to any secure area of a vessel or facility.
VESSEL AND FACILITY ACCESS CONTROL
Vessel and Facility owner/operators retain the authority to grant or deny access to their facilities. Typically, Facility Security Officers would register the cardholder and valid TWIC in the local access control system. Once access is granted, the authorized individual could use the TWIC for unescorted access to that area.
The long-awaited TWIC implementation means new opportunities for the nation's transportation industry. The TWIC promises to provide expanded opportunities to enhance security and commerce, especially for Arms, Ammunition, and Explosives (AA&E). These are just a few possibilities:
* Ability to associate (link) vehicle operators/passengers with their conveyance.
* Facilitate secure and efficient access into secured or controlled environments (ie, installations, strategic ports, depots, or staging areas).
* In-cab integration of the TWIC with other commercial applications to include communications, Global Positioning System, and the vehicle itself.
* Interoperability and integration with DOD Physical Security programs.
* TWIC as company "badge" for both physical and logical (cyber) access control.
"As envisioned, the TWIC program represents a significant milestone in the adoption of both smart-cards and biometrics," said Paul Collier, Executive Director of the Biometric Foundation. "The strong chain-of-trust model for card issuance, coupled with the biometric ensures positive identification in visitor control, as well as physical and logical access control applications. In addition, the size and scope of the TWIC program not only makes it the largest civil credential program ever deployed by the federal government, but it will also provide a major portion of the necessary infrastructure to foster widespread adoption of biometrics across the entire transportation sector."
Verification and authentication are tomorrow's watchwords as our nation moves to more trustworthy, secure, and reliable forms of personal identification. Whether you are a transportation worker, registered traveler, first responder, licensed vehicle operator, or DOD employee, the trust and veracity of our identity documents and business processes are paramount to protecting individuals and enhancing our nation's security. TWIC moves us in that direction.
Steve Parsons is VP, Government Services, Senture, LLC. Before joining Senture, he was the Deputy TWIC Program Manager. He is a career Air Force transporter, former NDTA Chapter President in Montgomery, Alabama, and a long-time member of NDTA.
Senture is headquartered in London, Kentucky, with offices in Virginia, Tennessee, and Florida. Their services include security, secure credentialing, and IT services to federal, state, and commercial clients. The company offers 24/7/365 multi-lingual contact center, Help Desk, as well as fulfillment, order processing, and warehousing services.
Registered Traveler
by Colleen Chamberlain
Congress, in the 2001 Aviation and Transportation Security Act (ATSA), authorized the Registered Traveler (RT) concept as a means to "establish requirements to implement trusted passenger programs and use available technologies to expedite security screening of passengers who participate in such programs."
In 2004, the Transportation Security Administration conducted RT pilot programs at five airports: Minneapolis-St. Paul, Los Angeles, Houston Bush, Boston Logan, and Washington Reagan National. The TSA pilots ended in September 2005. A public-private sub-pilot was established at Orlando International Airport and is still operating today.
REGISTERED TRAVELER INTEROPERABILITY CONSORTIUM
In June 2005, the Registered Traveler Interoperability Consortium (RTIC) was formed by a group of airports in conjunction with the American Association of Airport Executives (AAAE). Today, more than 70 airports belong to the RTIC, a roster of which can be found on www.rtconsortium.org. Recognizing the value of the registered traveler concept, the airports agreed to work together to leverage existing airport resources and the AAAE's Transportation Security Clearinghouse (TSC) to facilitate a permanent, interoperable, and vendor-neutral RT program in the United States.
A permanent, interoperable RT program depends on the implementation of a technical, operational, and business model capable of supporting the needs of individual airports, while providing the common infrastructure that allows passengers to use this capability at any participating airport. As a result, the main objective of the RTIC is to develop the common set of technical standards and processes necessary for an open, secure, and industry-driven RT program. In developing these standards, the RTIC will focus on six themes:
* Improving security;
* Expediting passenger processing;
* Creating passenger screening consistency;
* Reducing the passenger "hassle factor;"
* Developing an interoperable system that can be used nationwide; and
* Coordinating with TSA and other partners interested in Registered Traveler.
In October 2005, the airport members of the RTIC announced the formation of a Service Provider Council. The Service Provider Council was established as a way for service providers to participate in the development of the technical standards and processes required for an interoperable RT program.
The Service Provider Council draws on the expertise and experience of more than 60 well known and respected commercial organizations that specialize in, among other things, registered traveler solutions, smartcards, biometrics, identity management, security, and airport management. The Service Provider Council is open to any commercial organization interested in participating. A roster of the Service Provider Council can also be found on www.rtconsortium.org.
In January 2006, the RTIC and its Service Provider Council submitted three detailed responses to the TSA's request for information on RT on 1) technical interoperability, 2) common business processes, and 3) financial standards. The RTIC responses outlined a consensus framework for the rapid deployment of a sustainable, biometrically enabled, and interoperable RT program. In addition, the RTIC responses detailed a public-private business model that utilizes a non-proprietary, open-architecture approach and creates a fair and seamless platform for airports, airlines and RT service providers to interface with TSA and each other.
In April 2006, to follow up on the consensus response to the TSA RFI, the RTIC and its Service Provider Council began to focus its efforts on defining the technical specification needed for an interoperable RT program.
On May 25, 2006, TSA released its Registered Traveler Model. The model is meant to provide stakeholders and interested members of the general public with a basis for discussing and planning for RT. The document is not meant to represent the final product in RT's development, but rather a snapshot of the current concept of the program's structure. The TSA's model incorporated most, if not all, of the RTIC's recommendations from January 2006. In addition, TSA encouraged interested stakeholders to join the RTIC's current effort in drafting open technical standards.
In April 2006, TSA announced that in the second half of the year it will begin an initial phase of Registered Traveler that will test business and technical interoperability at 10 to 20 interested airports. TSA is currently receiving Statements of Interest (SOI) from airports and air carriers indicating their desire to participate in the initial phase.
In July, the RTIC submitted to TSA for its review the specification for technical interoperability standards.
Colleen Chamberlain is Director, Transportation Security Policy with the American Association of Airport Executives (AAAE). The Association represents thousands of airport management personnel at public use airports nationwide and assists executives in fulfilling their responsibilities to the airports and communities they serve. The RTIC was formed by the AAAE in collaboration with a group of airports to establish common business rules and technical standards to create a permanent, interoperable, and vendor-neutral RT Program that will bring passenger screening consistency and improved security procedures to air travelers in the United States.
RELATED ARTICLE: BIOMETRIC BYTES
The Federation for Identity and Cross Credentialing Systems (FiXS) is a coalition of government contractors, companies, and non-profit organizations that promotes trust through a federated identity infrastructure and the development of a secure, interoperable, electronic means of authenticating an individual.
* Biometric identification is not solely based on our physical attributes--facial geometry, fingerprints, or retinal images. Unique behaviors also play a part in distinguishing one person from another. Our signature, our voice (which carries a physical component), our gait, and even our keystroke pattern at the computer can measure identity.
* The most widely used physical biometric application is the fingerprint; signature and voice rate high on the behavioral side.
* SPOT (Screening of Passengers by Observation Techniques), TSA-tested at select airports in the northeast last year, is based squarely on behaviors. Passengers conducting themselves in an unusual or anxious manner were singled out for face-to-face interviews to determine threat potential. The SPOT system has been particularly successful in targeting fake ID holders, persons entering the country illegally, or persons carrying drugs.
* Proponents of phrenology, a theory developed around 1800, claimed that character traits and criminality could be judged on the shape of a person's head. Skull or "head bump" reading is now recognized as a pseudoscience, but the practice did yield current scientific understanding of localized brain function.
* Frontline Biometrics - According to a Government Computer News report (08/16/04), troops in Iraq asked for Biometric ID devices and got them. The request was based on a real need to identify the good guys from the bad who were seeking entry to foreign posts. Fingerprint and iris scanners verify employees and identify prisoners' past crimes and affiliations. Data are shared with other military posts and camps to monitor personnel who have been kicked off military bases elsewhere in the world. The Defense Biometric Identification System (DBIDS) is bottom line to the process. It is a centralized, rules-based access verification system that produces identification cards that include personal information, photographs, and 2-print fingerprints, as well as assigning "rules" governing installation access. DBIDS has provided security at access control points in Korea since 2001, in Germany since 2003, and most recently in Kuwait and Qatar in Southwest Asia. DBIDS is also being employed at Fort Hood, Texas and other stateside bases. Information flows into a biometrics database maintained by DOD's Biometrics Fusion Center in West Virginia.
* R&R Trucking, an NDTA Chairman's Circle Member, is working on a DBIDS pilot program for truckers hauling military cargo on/off military bases.
* Benchmarking Partners (Chair of NDTA's Security Best Practices Committee and a catalyst on Internet-based supply chain collaboration systems) will lead a panel at the NDTA Annual Forum in Memphis in September, 2006, on the business case for biometric credentials and ensuring interoperability. This panel will be based on a two-day roundtable Benchmarking held in May, 2006. Participants included General Norton Schwartz and his TRANSCOM leadership team along with senior leadership from DLA, NORTHCOM, DHS, Wal-Mart, Home Depot, CVS, and the American Red Cross.
|Publication:||Defense Transportation Journal|
|Date:||Aug 1, 2006|