The Transportation Worker Identification Credential (TWIC) is designed to enhance security at U.S. ports. It demonstrates that the holder has passed a Transportation Security Administration security threat assessment and is required of anyone with unescorted access to a secure area at a regulated facility. This report provides the findings from an assessment of the TWIC program, along with the assessors' recommendations.
The Risk-Mitigation Value of the Transportation Worker Identification Credential
A Comprehensive Security Assessment of the TWIC Program
Purchase Print Copy
|Add to Cart||Paperback308 pages||$49.95||$39.96 20% Web Discount|
- Are the vetting standards appropriate for determining whether someone presents a security risk?
- Is the fee structure appropriate for the current costs of vetting?
- How long does it take for a Transportation Worker Identification Credential (TWIC) to be issued?
- Is TWIC unnecessarily duplicative of or redundant with other federal and state credentialing programs?
- Would requiring use of biometric readers at high-risk facilities yield a benefit greater than their cost?
- What alternatives exist to biometrics?
- What technology, business process, and operational impacts do TWIC and electronic readers have on facilities?
The Transportation Worker Identification Credential (TWIC®) is one of multiple measures that the Maritime Transportation Security Act (MTSA) introduced to enhance security at U.S. ports. Anyone with unescorted access to a secure area at an MTSA-regulated facility, vessel, or outer continental shelf (OCS) facility must have a TWIC. Congress established TWIC to help prevent transportation security incidents. TWIC's primary function is to establish that the holder has passed a Transportation Security Administration (TSA) security threat assessment (STA); the TWIC card can also serve as identification.
Each secure area at each regulated location must maintain an access control program and verify three things at every access point: identity, presence and validity of the TWIC card, and whether the person has a business purpose at that facility. Currently, facilities are required only to conduct visual verification of the TWIC card, either at each time of entry or at time of enrollment into a facility physical access control system (PACS). A pending regulation, which we call the TWIC-reader rule, would require that any high-risk facility electronically inspect the card and, using biometrics, match it to the holder.
The governing legislation requires that an assessment of TWIC determine the program's value in mitigating the risk of terrorism and crime at ports. The U.S. Department of Homeland Security commissioned the Homeland Security Operational Analysis Center to complete that comprehensive assessment. In this report, the authors establish factors that increase or decrease TWIC's security value and determine what TWIC's value would need to be to offset the costs of establishing further access control requirements for facilities.
The vetting standards might be appropriate, depending on stakeholder intent
- The security threat assessment (STA) would detect known or suspected terrorists who seek to legally gain persistent access to the maritime environment.
- The federal government and industry might have different objectives in determining risk, with the former focused on national security, the transportation sector, and terrorism and the latter also concerned about profits and worker safety.
- A single vetting standard must apply to the entire population working in the maritime sector, and facility management can adopt additional criteria beyond TWIC vetting standards to satisfy a facility's specific security needs.
Electronic biometric card readers would probably cost industry more than benefit it under the pending rule
- Readers are ultimately costly and mitigate only certain types of threats, forcing facilities to prioritize a source of vulnerability that might not be the most jeopardizing in their specific circumstances.
Electronic biometric card readers can mitigate some kinds of risk
- TWIC is stronger against attacks requiring persistent insider access than against those requiring one-time or no access.
- People more often gain unauthorized access to facilities via other means than by using invalid TWICs.
Further enhancing TWIC requirements would come at significant costs, which are likely to exceed the commensurate benefit
- There are likely more cost-effective methods of reducing the risk that maritime facilities face.
- There might be lower-cost options to bring greater security value from the TWIC program as currently implemented, such as a mobile application to allow facilities to check the Canceled Card List at essentially zero cost.
- Take a system approach to maritime security rather than focusing on one program. The effectiveness of a facility's security system overall matters far more than the effectiveness of any given component for any specific task.
- There is no one-size-fits-all solution for improving security at maritime facilities, given their broad differences in risk and operations. The current process of facility-specific security assessments and security plans is designed to enable flexible solutions specific to each facility's needs. Greater identity assurance methods might be appropriate for some facilities, given their risk profiles. Transparent management of the TWIC program with a focus on how to effectively support TWIC's stakeholders could incentivize industry to maximize TWIC's potential security benefit.
Table of Contents
Background on the TWIC Program and Maritime Facilities
Previous GAO and OIG Concerns About the TWIC Program
Security Threats to the Maritime Environment
The Risk-Mitigation Value of the TWIC STA
TWIC Use at Maritime Facilities
TWIC's Limits in Addressing Risks to Maritime Security
A Cost-Effectiveness Analysis of the TWIC-Reader Rule Requirements
Alternative Models and Redundancies
Port and Facility Interviews
Permanent and Interim Disqualifying Criminal Offenses for TWIC
MSRAM in Relation to the TWIC Program
The Status of GAO and OIG Recommendations
A Detailed Analysis of TWIC User Fees
Rationale for a Break-Even Analysis
Detailed Estimation of Costs and Benefits
Research conducted by
- Homeland Security Operational Analysis Center
HSOAC is a federally funded research and development center operated by the RAND Corporation under contract with DHS.