After a nearly three-year wait, the Coast Guard on Tuesday published the final rule for the use of electronic smart card readers at the nation’s seaports, mandating that a biometric be stored in worker credentials.

The final rule for the Transportation Worker Identification Credential (TWIC) reader requirements was originally supposed to be published in late 2013 and then 2015 and the delays were due in part to a large number of comments received as the Coast Guard finalized the guidelines for access control to ports and their secure areas and high-risk vessels (Defense Daily, June 4, 2015).

Crossmatch Verifier Sentry handheld smart card and fingerprint reader used to authenticate people and their credentials. Photo: Crossmatch
Crossmatch Verifier Sentry handheld smart card and fingerprint reader used to authenticate people and their credentials. Photo: Crossmatch

The rule requires that a template of a person’s biometric, such as a fingerprint, be stored on the TWIC card to confirm the individual’s identity. Currently TWIC cards are used as visual identity badges in most ports although they have some security features such as hologram, watermark digital photograph, PIN, Federal Agency Smart Credential Number and expiration date to help security guards authenticate the cards and verify the identity of card users.

The Coast Guard says that shortcomings with the existing cards include that they don’t take advantage of all the potential security features and that if lost or stolen can be used by unauthorized individuals to access secure areas of ports and vessels. It also points out that if a person’s TWIC card is revoked for a particular disqualifying offense, there is no way for a guard to determine that the card is no longer valid based on looking at the cardholder’s face.

The rule also points out that the way cards are currently used they can be forged.

The new rule “will ensure that prior to being granted unescorted access to a designated secure area, an individual will have his or her TWIC authenticated, the status of that credential validated against an up-to-date list maintained by the TSA, and the individual’s identity confirmed by comparing his or her biometric (i.e. fingerprint) with a biometric template stored on the credential,” the Coast Guard says in the rule.

Some ports and terminals around the country have already purchased and installed TWIC card readers. The Transportation Security Administration (TSA) has piloted the readers and created a Qualified Technology List of acceptable readers.

However, compared with the proposed rule, the final rule includes a number of changes, including allowing port and terminal owners and operators to forego a TSA qualified TWIC reader, instead allowing them to “choose to fully integrated electronic TWIC inspection and biometric matching into a new or existing Physical Access Control System (PACS),” the rule states.

The final rule also applies only to the highest risk vessels and facilities, Risk Group A, with no changes required to other regulated vessels and facilities under the Maritime Transportation Security Act (MTSA) of 2002. Under MTSA, there are 525 facilities that meet Risk Group A requirements and one vessel, the Coast Guard says.

The Coast Guard estimates that the total cost over 10 years to acquire, install and integrate TWIC readers into access control systems will be about $157.9 million, with the annualized cost being $22.5 million. The costs also include updating the list of canceled TWICs, record keeping, training, and maintenance.

The estimated annualized TWIC costs are about $5.1 million less than projected in the earlier draft rule.

Other changes included in the final rule include clarification that for Risk Group A facilities, an electronic TWIC inspection is required every time a person is granted unescorted access to a secure area and that for vessels in this risk category only when boarding the ship. The rule also eliminates that barge fleeting facilities that handle barges carrying dangerous cargoes in bulk be classified in the highest risk group.

Maritime workers apply for a TWIC card and are vetted against security and criminal watchlists before receiving their cards, which are good for five years.