The Risk-Mitigation Value of the Transportation Worker Identification Credential

A Comprehensive Security Assessment of the TWIC Program

by Heather J. Williams, Kristin Van Abel, David Metz, James V. Marrone, Edward W. Chan, Katherine Costello, Ryan Bauer, Devon Hill, Simon Veronneau, Joseph C. Chang, et al.



Research Questions

  1. Are the vetting standards appropriate for determining whether someone presents a security risk?
  2. Is the fee structure appropriate for the current costs of vetting?
  3. How long does it take for a Transportation Worker Identification Credential (TWIC) to be issued?
  4. Is TWIC unnecessarily duplicative of or redundant with other federal and state credentialing programs?
  5. Would requiring use of biometric readers at high-risk facilities yield a benefit greater than their cost?
  6. What alternatives exist to biometrics?
  7. What technology, business process, and operational impacts do TWIC and electronic readers have on facilities?

The Transportation Worker Identification Credential (TWIC®) is one of multiple measures that the Maritime Transportation Security Act (MTSA) introduced to enhance security at U.S. ports. Anyone with unescorted access to a secure area at an MTSA-regulated facility, vessel, or outer continental shelf (OCS) facility must have a TWIC. Congress established TWIC to help prevent transportation security incidents. TWIC's primary function is to establish that the holder has passed a Transportation Security Administration (TSA) security threat assessment (STA); the TWIC card can also serve as identification.

Each secure area at each regulated location must maintain an access control program and verify three things at every access point: identity, presence and validity of the TWIC card, and whether the person has a business purpose at that facility. Currently, facilities are required only to conduct visual verification of the TWIC card, either at each time of entry or at time of enrollment into a facility physical access control system (PACS). A pending regulation, which we call the TWIC-reader rule, would require that any high-risk facility electronically inspect the card and, using biometrics, match it to the holder.

The governing legislation requires that an assessment of TWIC determine the program's value in mitigating the risk of terrorism and crime at ports. The U.S. Department of Homeland Security commissioned the Homeland Security Operational Analysis Center to complete that comprehensive assessment. In this report, the authors establish factors that increase or decrease TWIC's security value and determine what TWIC's value would need to be to offset the costs of establishing further access control requirements for facilities.

Key Findings

The vetting standards might be appropriate, depending on stakeholder intent

  • The security threat assessment (STA) would detect known or suspected terrorists who seek to legally gain persistent access to the maritime environment.
  • The federal government and industry might have different objectives in determining risk, with the former focused on national security, the transportation sector, and terrorism and the latter also concerned about profits and worker safety.
  • A single vetting standard must apply to the entire population working in the maritime sector, and facility management can adopt additional criteria beyond TWIC vetting standards to satisfy a facility's specific security needs.

Electronic biometric card readers would probably cost industry more than benefit it under the pending rule

  • Readers are ultimately costly and mitigate only certain types of threats, forcing facilities to prioritize a source of vulnerability that might not be the most jeopardizing in their specific circumstances.

Electronic biometric card readers can mitigate some kinds of risk

  • TWIC is stronger against attacks requiring persistent insider access than against those requiring one-time or no access.
  • People more often gain unauthorized access to facilities via other means than by using invalid TWICs.

Further enhancing TWIC requirements would come at significant costs, which are likely to exceed the commensurate benefit

  • There are likely more cost-effective methods of reducing the risk that maritime facilities face.
  • There might be lower-cost options to bring greater security value from the TWIC program as currently implemented, such as a mobile application to allow facilities to check the Canceled Card List at essentially zero cost.


Recommendations

  • Take a system approach to maritime security rather than focusing on one program. The effectiveness of a facility's security system overall matters far more than the effectiveness of any given component for any specific task.
  • There is no one-size-fits-all solution for improving security at maritime facilities, given their broad differences in risk and operations. The current process of facility-specific security assessments and security plans is designed to enable flexible solutions specific to each facility's needs. Greater identity assurance methods might be appropriate for some facilities, given their risk profiles. Transparent management of the TWIC program with a focus on how to effectively support TWIC's stakeholders could incentivize industry to maximize TWIC's potential security benefit.

Table of Contents

  • Chapter One


  • Chapter Two

    Background on the TWIC Program and Maritime Facilities

  • Chapter Three

    Previous GAO and OIG Concerns About the TWIC Program

  • Chapter Four

    Security Threats to the Maritime Environment

  • Chapter Five

    The Risk-Mitigation Value of the TWIC STA

  • Chapter Six

    TWIC Use at Maritime Facilities

  • Chapter Seven

    TWIC's Limits in Addressing Risks to Maritime Security

  • Chapter Eight

    A Cost-Effectiveness Analysis of the TWIC-Reader Rule Requirements

  • Chapter Nine

    Alternative Models and Redundancies

  • Chapter Ten


  • Appendix A

    Port and Facility Interviews

  • Appendix B

    Permanent and Interim Disqualifying Criminal Offenses for TWIC

  • Appendix C

    MSRAM in Relation to the TWIC Program

  • Appendix D

    The Status of GAO and OIG Recommendations

  • Appendix E

    A Detailed Analysis of TWIC User Fees

  • Appendix F

    Rationale for a Break-Even Analysis

  • Appendix G

    Detailed Estimation of Costs and Benefits

This research was sponsored by the Research and Development Partnerships Group in the DHS Science and Technology Directorate and conducted by the Strategy, Policy and Operations Program within the Homeland Security Operational Analysis Center (HSOAC).

This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
