The Risk-Mitigation Value of the Transportation Worker Identification Credential

A Comprehensive Security Assessment of the TWIC Program

Source: Williams, Heather J., Kristin Van Abel, David Metz, James V. Marrone, Edward W. Chan, Katherine Costello, Ryan Bauer, Devon Hill, Simon Veronneau, Joseph C. Chang, Ian Mitch, Joshua Lawrence Traub, Sarah Lovell, Zachary Haldeman, Kelly Klima, and Douglas C. Ligor, The Risk-Mitigation Value of the Transportation Worker Identification Credential: A Comprehensive Security Assessment of the TWIC Program, Homeland Security Operational Analysis Center operated by the RAND Corporation, RR-3096-DHS, 2020. As of December 08, 2021: https://www.rand.org/pubs/research_reports/RR3096.html

The Transportation Worker Identification Credential (TWIC®) is one of multiple measures that the Maritime Transportation Security Act (MTSA) introduced to enhance security at U.S. ports. Anyone with unescorted access to a secure area at an MTSA-regulated facility, vessel, or outer continental shelf (OCS) facility must have a TWIC. Congress established TWIC to help prevent transportation security incidents. TWIC’s primary function is to establish that the holder has passed a Transportation Security Administration (TSA) security threat assessment (STA); the TWIC card can also serve as identification.

Each secure area at each regulated location must maintain an access control program and verify three things at every access point: identity, presence and validity of the TWIC card, and whether the person has a business purpose at that facility. Currently, facilities are required only to conduct visual verification of the TWIC card, either at each time of entry or at time of enrollment into a facility physical access control system (PACS). A pending regulation, which we call the TWIC-reader rule, would require that any high-risk facility electronically inspect the card and, using biometrics, match it to the holder.

The governing legislation requires that an assessment of TWIC determine the program’s value in mitigating the risk of terrorism and crime at ports. The U.S. Department of Homeland Security commissioned the Homeland Security Operational Analysis Center to complete that comprehensive assessment. In this report, the authors establish factors that increase or decrease TWIC’s security value and determine what TWIC’s value would need to be to offset the costs of establishing further access control requirements for facilities.

Key Findings

The vetting standards might be appropriate, depending on stakeholder intent

  • The security threat assessment (STA) would detect known or suspected terrorists who seek to legally gain persistent access to the maritime environment.
  • The federal government and industry might have different objectives in determining risk, with the former focused on national security, the transportation sector, and terrorism and the latter also concerned about profits and worker safety.
  • A single vetting standard must apply to the entire population working in the maritime sector, and facility management can adopt additional criteria beyond TWIC vetting standards to satisfy a facility’s specific security needs.

Electronic biometric card readers would probably cost industry more than benefit it under the pending rule

  • Readers are ultimately costly and mitigate only certain types of threats, forcing facilities to prioritize a source of vulnerability that might not be the one that puts them most at risk in their specific circumstances.

Electronic biometric card readers can mitigate some kinds of risk

  • TWIC is stronger against attacks requiring persistent insider access than against those requiring one-time or no access.
  • People more often gain unauthorized access to facilities by means other than using invalid TWICs.

Further enhancing TWIC requirements would come at significant costs, which are likely to exceed the commensurate benefit

  • There are likely more cost-effective methods of reducing the risk that maritime facilities face.
  • There might be lower-cost options to bring greater security value from the TWIC program as currently implemented, such as a mobile application to allow facilities to check the Canceled Card List at essentially zero cost.

Recommendations

  • Take a system approach to maritime security rather than focusing on one program. The effectiveness of a facility’s security system overall matters far more than the effectiveness of any given component for any specific task.
  • There is no one-size-fits-all solution for improving security at maritime facilities, given their broad differences in risk and operations. The current process of facility-specific security assessments and security plans is designed to enable flexible solutions specific to each facility’s needs. Greater identity assurance methods might be appropriate for some facilities, given their risk profiles. Transparent management of the TWIC program with a focus on how to effectively support TWIC’s stakeholders could incentivize industry to maximize TWIC’s potential security benefit.