The U.S. Coast Guard is determining how many facilities handle certain dangerous cargoes and whether, according to a risk analysis, requiring those facilities to biometrically verify the Transportation Worker Identification Credential of every person accessing a secure area of such a facility would be cost-effective. This report answers those questions.
Risk-Informed Analysis of Transportation Worker Identification Credential Reader Requirements
- How many facilities are subject to the final TWIC reader rule delay?
- Is the final rule cost-effective for those facilities?
A 2016 U.S. Coast Guard (USCG) regulation, "Transportation Worker Identification Credential (TWIC)–Reader Requirements," requires certain maritime facilities determined to be of high risk to use electronic and biometric access control programs in the facilities' secure areas. The final version of this rule, known as the final reader rule, has been delayed (from 2020) until May 8, 2023, for three categories of facilities that handle certain dangerous cargoes (CDCs) in bulk. The USCG asked the Homeland Security Operational Analysis Center to reestimate the population of such regulated facilities that could be subject to the final reader rule delay, develop an objective risk assessment model for these facilities, and conduct a cost–benefit analysis of the regulation.
This report describes the researchers' analytical efforts to address these three research areas. Because there is no database of Maritime Transportation Security Act–regulated facilities that has all the requisite information about CDCs that facilities handle in bulk, the researchers resorted to other data sources, such as the U.S. Environmental Protection Agency's databases, an online survey, and interviews, to estimate the facility population. For the facility risk model, they used the modeling approach for assessing potential consequence included in the risk engine of the Cybersecurity and Infrastructure Security Agency's Chemical Facility Anti-Terrorism Standards (CFATS) program, harmonizing the TWIC and CFATS programs in consequence assessment. Because there was no credible estimate for the probability of a transportation security incident, the researchers used a break-even analysis to assess whether the final reader rule is cost-effective.
- Between 471 and 711 Maritime Transportation Security Act–regulated facilities handle CDCs in bulk and are therefore likely to be subject to the reader rule delay.
- Among the facilities observed to handle CDCs, anhydrous ammonia was the most common CDC, although many facilities handle more than one type of CDC.
- The consequence distribution of facilities that handle CDCs in bulk was highly skewed (i.e., many facilities with relatively low consequences and few facilities with extremely high consequences).
- Observable facility attributes, such as CDC quantity and local population density, can be used to generally identify high-consequence facilities.
- The TWIC reader rule would have to avert a transportation security incident (TSI) approximately every 60 to 90 years, at a minimum, to be cost-effective.
- Although the final reader rule is potentially cost-effective even in its current form, reasons exist to consider a more-targeted approach that excludes low-quantity or low–population density facilities, or both. Under hypothetical regulatory options, a more-targeted approach affecting only higher-consequence facilities would need to avert only one TSI approximately every 200 to 600 years to be cost-effective.
- The decision to use a wide net or a more-targeted approach could depend largely on policymakers' preferences and relative risk tolerance considering trade-offs among several competing factors.
- Once the final reader rule is implemented, perform ongoing monitoring and enforcement to remain current as facilities open or close.
- Develop a centralized reporting system that records, at a minimum, the types and amounts of CDCs being handled at each MTSA-regulated facility.
- Build data infrastructure to implement and maintain the CDC reporting system.
- Institutionalize an objective, transparent risk assessment approach (e.g., CFATS risk engine). Taxonomy Terms
Table of Contents
Risk Analysis for CDCs
Estimating the Facility Population
Developing the Facility Risk Model
A Cost–Benefit Analysis of the Reader Rule Delay
A Review of TWIC-Relevant Regulations
CDCs Authorized to Be Transported by Vessels in Bulk
Processing of PAD in the ERG
Processing of USCG NRC Incident Data
Processing of EPA RMP Facility Data
The Facility Survey Instrument
Analysis of the MSRAM Data
Incorporating LandScan USA Population Data into a Simplified Model to Estimate Facility Consequences
Creating a Synthetic Data Set for Analysis of Consequence Distributions
Research conducted by
- Homeland Security Operational Analysis Center
HSOAC is a federally funded research and development center operated by the RAND Corporation under contract with DHS.