By Chris Corum, Editor
Transportation workers will soon be carrying the first TWIC cards and they will not be delayed getting into transport facilities by a contact chip and PIN number. That is because TSA officials have decided that contactless is the only way to go for everyday TWIC use. But the readers have not yet been defined … so while a new working group does its thing, use of the new cards will be limited.
Contactless was the original plan since the project was announced after 9-11 and the initial prototype phase contract was awarded to BearingPoint back in August 2004. But contactless temporarily got bumped in the spring of 2006 when TWIC officials determined that they needed to more closely follow HSPD-12 and its decision to require a PIN to unlock the biometric.
Industry rallied against this decision citing that it would make the access control process a bottleneck to rapid entry into secured facilities. Additionally, many stressed that the encapsulated nature of contactless readers makes them less susceptible to damage resulting from the elements and vandalism. The cries were heard and the mandate for reader deployment was postponed so that appropriate contactless biometric readers could be identified for TWIC operation.
A bit of background
TWIC is based on the Maritime Transportation Security Act (MTSA) that pertains to individuals that need unescorted access to secure areas of MTSA regulated vessels, facilities, and Outer Continental Shelf (OCS) facilities, which includes but is not limited to longshoremen, truck drivers, vendors, facility/vessel employees, maintenance personnel, train crews, etc.
The cards, planned for issuance beginning in March, are compliant with the FIPS 201 specification and contain a dual interface chip and biometric templates.
A recent TSA announcement details the issuance process in the following way: “TWIC enrollment will begin in March of 2007, initially at a small number of ports. Additional TWIC deployments will increase and continue throughout the year at ports nationwide on a phased basis. Workers will be notified of when and where to apply prior to the start of the enrollment period in their given area. After issuance of TWIC cards to a port’s workers has been accomplished, DHS will at each port establish and publish a deadline by which all port workers at that port will thereafter be required to possess a TWIC for unescorted access.
“The total population is around 750000,” says John Schwartz, TWIC project manager, TSA, “but it is a transient population so we think during rollout it will approach 850,000 or more.” With a rollout goal of just 18-months to issue all cards, the project is a significant undertaking.
“We will have enrollment centers at population nodes … at a minimum of 120 locations throughout the US,” says Mr. Schwartz.
At these enrollment centers, the applicant’s ID documents are scanned, 10 fingerprints are captured, and a facial photo is taken. This information is encrypted and transferred into the central TWIC system. A security threat assessment for the applicant is conducted by TSA. If the applicant is approved, the card is printed and the individual is notified to return to the enrollment center where, following biometric verification, he or she obtains the card.
Contactless is coming but not for a while
Industry, led by the International Biometrics Association, helped convince TSA that it would be a mistake to launch TWIC using a contact chip for everyday access control decisions. But from the outset TWIC officials knew they needed a secure reader that could be deployed in offline as well as online environments. The two approaches, it was determined, needed to be reconciled.
“We have a working group that is building a contactless biometric reader specification (for TWIC),” says to Mr. Schwartz. The group’s report is due on Feb 28. “Then we will test the new spec in five geographically-dispersed locations,” he adds.
Because this new development will take some time, the TWIC rulemaking process was split into two parts: card issuance and reader deployment.
“On January 1 we posted the text of the implementing rule to kick-off the program,” says Mr. Schwartz. It will actually be in effect on the 25 of March following the required waiting period.
The requirement to acquire and use TWIC readers is postponed and will be in a follow-on rule. Thus, for a window of time, TWIC cards will be in the field but there will not be readers at access points.
“We will be using it as flash pass (in the interim),” according to Mr. Schwartz. “We are not going to be using the (contact) chip on a routine basis because … we feel it will slow up commerce too much for everyday in and out access verification.”
But, he stresses that the contact chip will be used for spot verification and in cases where there is reason to suspect an individual may be doing something wrong. The Coast Guard will be validating TWICs with handheld contact chip readers as part of regular security checks, suggests Mr. Schwartz.
Vendors and prices to be determined “in the coming weeks”
The cost for the TWIC card will be a direct pass-through to the user. Because the bid has not been awarded, however, the final cost is not known. Figures released by TWIC suggest that each cardholder will pay between $139 and $159 for the initial card and between $36 and $60 for replacement cards. TWIC cards will be valid for five years.
While the final award has not been made for the project, Mr. Schawartz said that the field had been narrowed to eight qualified vendors from the pool of respondents. TSA spokeperson, Darrin Kayser, told SecureIDNews, “we expect to make an award in the coming weeks.”
It looks like this time the TWIC is really on track and we will see cards, readers, and usage in 2007.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.