TWIC Challenges – GreaterThan We Knew
October 21, 2006
As I am writing this, Halloween approaches. Vampire movies are playing on many television channels, carved pumpkins are on many porches, ghosts, goblins, and witches are on display in stores and windows. Just when I thought that it could not get any scarier, I read the recent 57-page report of the Government Accountability Office (GAO) on the Transportation Worker Identification Credential (TWIC) program. It is not for the faint of heart.
In an understated conclusion, the GAO recommends that, before implementing TWIC in the maritime sector, the Transportation Security Administration (TSA) develop and test solutions to problems identified during testing to ensure that key components of the program work effectively and that the agency also strengthen contract planning and oversight practices before awarding the TWIC implementation contract. The Department of Homeland Security (DHS) reviewed a draft of the GAO report and concurred with the recommendations.
It is the numerous details of the report that cause one’s blood to go cold.
Let’s start by putting the major blame where it belongs. Although the GAO report glosses over this point, Congress has failed, throughout the life of this program, to provide the funding necessary to accomplish the mission. Through fiscal year 2006, only $89.7 million has been provided (and $10 million of that came by reprogramming from other DHS accounts). While Congress has unceasingly demanded that the TWIC program be accelerated, it has failed to put its money where its mouth is. It is thus little wonder that things have not gone smoothly, to say the least!
The TSA conducted prototype tests at 28 facilities. That testing has been continually cited by the TSA as justification for moving ahead with full implementation. During the comment period on the proposed rulemaking, various stakeholders raised questions about how the testing went. These questions were uniformly rebuffed by the TSA. The GAO report reveals for the first time just how badly the prototype testing proceeded.
Due to a lack of government personnel, TSA allowed the contractor hired to conduct the prototype testing to also evaluate the testing!
After enlisting the voluntary support of facilities to host the prototype testing, the TSA did not inform the facilities of the results. The rationale of TSA was that the results contained sensitive security information. Hold it right there. If these facilities could be trusted to test the system and are also expected to eventually implement it, how can they not be trusted with information on how the tests went? How can those facilities provide meaningful comments to improve the process if they don’t know the test results? Belatedly, the TSA acknowledges that it could have done a better job of communicating with the stakeholders at the testing locations.
During the prototype testing, the enrollment process was seriously flawed. The goal was to enroll 75,000 workers at the 28 transportation facilities. However, only 12,900 workers were actually enrolled and only about 1,700 TWIC cards were eventually issued to workers at 19 facilities. According to the TSA, these problems were caused by difficulties finding volunteers to enroll and by technical problems, such as collecting fingerprints from workers at certain testing locations and enrolling large numbers of workers at one time. If trying to enroll 75,000 workers overtaxed the system, just wait until TSA tries to enroll 750,000 workers from 3,500 maritime facilities and 10,800 vessels!
As the GAO report states, another challenge that TSA faces is ensuring that workers are not providing false information and counterfeit identification documents when they enroll. Fraudulent social security cards, birth certificates, driver licenses, and passports are easily obtained – and some are of high quality. Enrollment personnel must be trained to identify such bogus documents and provided sufficient time to perform the analysis.
During the prototype tests, enrollment techniques were utilized at some locations that turned out to result in extensive delays in the enrollment process. The TSA indicates that it is adopting approaches to address these problems. The agency, though, declined to share with the GAO the results of how these supposedly successful approaches worked.
Major problems have arisen relating to TWIC card readers. In part, this is due to delays experienced by the National Institute of Standards and Technology (NIST) in finalizing the standard for biometric cards and readers – officially the FIPS 201-1 standard. During the prototype testing, fewer than half of the 99 card readers installed were biometric. The biometric readers were installed at only eight facilities and only functioned efficiently at two!
The prototype testing program did not include use of biometric card readers on any vessels. The TSA also discovered that maritime workers had coarser fingers than office workers. Some of the devices had difficulty reading maritime finger prints.
Some facilities had problems installing the infrastructure necessary to operate the TWIC card readers. Only ten of the 28 TWIC testing facilities linked the card readers to the local facility access control system. The effectiveness of these links was not fully explored by TSA. GAO report includes the following: “According to TSA, while facility and vessel owners and operators will be required to install TWIC card readers, it is up to these facilities and vessels whether they want to link these card readers to their access control systems.” Why do I see suddenly think of ostriches?
Based on the limited testing conducted to date on biometric card readers, even under controlled conditions, concerns have been raised with regard to use of these devices in the harsh outdoor maritime environment. For this and other reasons, the TSA has decided to delay that portion of the rulemaking requiring installation and use of the TWIC card readers. This solves (or at least delays) one problem, but creates another. Plans now call for promulgation of TWIC card regulations prior to the end of 2006 and commencement of the enrollment process shortly thereafter. As the GAO report points out, there is a significant risk that hasty issuance of the TWIC cards while the card readers are still under development with lead to incompatibility. In other words, the TWIC cards won’t work in the readers. The cards will then have to be reissued. [In recognition of this potential, Congress recently decreed that workers can’t be charged for the cost of issuance of new replacement cards.]
A key component of the TWIC program is the ability to quickly revoke a worker’s unescorted access privileges if either the individual is identified as a security threat or the TWIC card is lost or stolen. During prototype testing, the contractor experienced difficulty in connecting local access control systems to the national TWIC database. As a result, the connection process was not tested at any of the 28 participating facilities. The TSA has reassured the GAO, though, that this component has been tested in a laboratory. The TSA then said that it was unable to provide the GAO with any reports from the laboratory. Why am I increasingly uneasy?
The cost of the TWIC program is a significant concern. The TSA has gone well over budget to date, in large part due to efforts made to accelerate the project. The agency estimates the cost to industry to be $800 million (with a major portion to be spent the first year in start-up costs). It estimates that, on average, a maritime facility will spend $90,000 to upgrade or install access control systems, including biometric card readers. Port officials believe otherwise, estimating costs to be closer to $300,000 per terminal. The TSA declined to provide additional information on how it developed its cost estimates.
Concerns have been expressed within the maritime industry over the significant delay between submitting an application for a TWIC card and the actual receipt and activation of the card allowing the individual to commence work. The proposed rule indicated that it should take up to 60 days for a card to be issued. The TSA now estimates that issuance can be accomplished in as little as 30 days. In addition, the agency is looking into allowing new workers temporary access during the processing period.
Federal law requires that rulemakings consider and minimize adverse impact on small businesses. In addition, common sense dictates that small businesses such as whale watching boats present less risk to national security than do large ships engaged in international commerce. The proposed rule, though, makes no distinction between big and small business. The GAO report states that the TSA now plans to obtain additional comments on the small business impact as part of its rulemaking regarding installation and use of TWIC card readers. In other words, the workers at small facilities and vessels will have to obtain (and pay for) biometric cards, but the small facilities and vessels may not have to purchase the readers to make the cards effective. Am I missing something?
The TSA is assigning much of the blame for problems during prototype testing to the political mandate it faced to accelerate the program. It reassured the GAO that this will not occur when the system is actually implemented. The GAO is not so easily taken in. It notes that the TSA is now being directed by the DHS (and Congress, but the GAO omits that element) to deploy the TWIC program immediately. The TSA has publicly stated that it will move forward rapidly, at least with issuance of the TWIC cards. The GAO cautions, though, that poor planning got the program into trouble before and is likely to do so again. It recommends that none of the TWIC program be deployed until problems identified in prototype testing and during the comment period are resolved. In its official response to the GAO report, DHS states that it concurs with the recommendations. It then states that DHS and TSA will continue implementation of the TWIC program as scheduled.
My thoughts return to Halloween – or maybe the Charge of the Light Brigade.
Related Practices