TWIC Reader Requirements Final Rule - So far this month we discussed Who, What, When, Where and Why, so we will cover a few “What if” questions this week.

What if my TWIC card is stolen, damaged or lost? – Unescorted access can be granted up to 30 days if:

  • TWIC card appears on the Cancelled Card List (CCL)
  • Individual was known to have had a TWIC card
  • Individual reported it lost, stolen or damaged

Facilities using a Physical Access Control System (PACS) - If after 30 days the individual has NOT linked their facility access card to a valid TWIC card, the PACS must deny unescorted access to secure areas.

What if I forgot my TWIC card at home? – Unescorted access is DENIED unless electronic TWIC inspection can be performed by PACS with facility access card.  If you have TWIC readers, the individual will NOT be able to perform a required electronic TWIC inspection.

What if my job requires me to go between secure and unsecure areas to complete my duties, do I need to complete an electronic TWIC inspection every time I re-enter the secure area? – NO, an electronic TWIC inspection is not required for reentry into a secure area as long as certain requirements and conditions are met.  This includes the following:

  • Designated Recurring Access Area (DRAA) – An unsecure area adjacent to a secure area with access gates where employees require frequent access between the unsecure and secure areas to complete their duties.
  • Recurring Unescorted Access (RUA) – TWIC holding employees going between secure and unsecure areas without going through an electronic TWIC inspection each time they pass from unsecure to secure after an initial electronic TWIC inspection was conducted.

DRAA Requirements

  • Must be designated and approved in FSP
  • Security Guards at each secure area access point
  • Entire DRAA must be visible to security personnel
  • Electronic TWIC inspection completed for initial entry into secure area (beginning of work shift) and TWIC holder can have RUA as long as they do NOT leave DRAA
  • If TWIC holder leaves DRAA for ANY reason, they must conduct an electronic TWIC inspection upon return into the secure area

Some possible DRAA scenarios are:

Cruise ship porters carry baggage from curbside check-in area (unsecure) to baggage storage area (secure) for cruise ship passengers

Forklift operators transport packages from loading area (unsecure) to secure storage area on vessel or facility.

NOTE – Seebald & Associates presented a Webinar last Thursday (February 22nd) that covered everything you need to know about TWIC Reader Requirements.  If you missed the webinar, S&A Platinum members can view the recorded presentation via our website.

Last week we discussed WHO is expected to comply with TWIC Reader Requirements, WHAT is required to complete an Electronic TWIC Inspection, and WHY this is a requirement.  This week we will go over the WHEN, WHERE, and HOW for different implementation options along with administrative requirements.

There is quite a bit of apprehension in how to purchase or enhance current systems to be in compliance with the TWIC Reader Requirement Final Rule.  We are asked all the time - How do I know what TWIC Readers to purchase? or Can I enhance the Physical Access Control System (PACS) I have in place at my facility?  I will address each question and provide guidance that will assist you in determining which solution is better for you.

TWIC Readers – TSA has a Qualified Technology List (QTL) outlining companies that have approved readers meeting the Electronic TWIC inspection requirements.  That list can be found at: TSA QTL:  https://universalenroll.dhs.gov/permalinks/static/twic-reader-qtl   If your TWIC reader is not on the list, that is OK as long as it meets the Electronic TWIC Inspection Requirements – see last week’s blog for details.

PACS -  Facilities are authorized to enhance their current systems to meet the Electronic TWIC inspection requirements.  I am sure you are picking up a theme here – whatever system or reader you use, it must meet the Electronic TWIC inspection requirements.

Can the TWIC Readers and PACS be portable? – Yes, there is no requirement for either to be fixed or stationary, portable systems are acceptable.

What if TWIC Reader or PACS malfunctions? – You are required by law to have a back-up system or portable TWIC readers at the ready that perform the Electronic TWIC Inspection requirements (Visual inspection of the TWIC cards is NOT authorized).  NOTE: If you cannot provide a back-up for that access point, you must report it to your Captain of the Port and obtain permission to operate.

Once you have decided on the hardware solution, there are some administrative requirements that must be met and those are:

  • Must record/document each ENTRY into a secure area and you are required to maintain these records for two years.

We are asked -  What if we document both the entry and exit of all personnel in and out of a secure or secure/restricted area?  A lot of facilities track who enters and exits for accountability reasons and this is permissible and accepted by the Coast Guard, but make sure you maintain those records for two years.

Next week’s blog will discuss what is required if a TWIC card is lost, stolen or damaged as well as what requirements need to be met if you routinely move between a secure area and an unsecure area to perform your duties.

Reminder – Seebald & Associates will host a Webinar this week.  We’ll discuss the TWIC Reader Requirements Final Rule on Thursday, February 22, at 11:00am ET and 3:00pm ET. 

The Coast Guard has recently put out enforcement guidance regarding the TWIC Reader Requirements Final Rule, which was in last week’s blog.  This week we will recap WHO is expected to comply, WHAT is required during an Electronic TWIC Inspection, and WHY this is a requirement. 

WHO IS REQUIRED:  The following facility types will be expected to comply starting August 23, 2018:

  1. Facilities that receive vessels certified to carry more than 1,000 passengers; and
  2. Facilities subject to 33 CFR 105.295 - Certain Dangerous Cargo (CDC) facilities.
    (Guidance regarding how 33 CFR 105.295 is applied can be found in Policy Advisory Council Decision 20-04 – Certain Dangerous Cargo Facilities.)

WHAT IS REQUIREDElectronic TWIC inspection –  conducted by TWIC Readers or Physical Access Control Systems (PACS) and required each time a person is granted unescorted access to a secure area and must be in place by August 23, 2018.

What is an Electronic TWIC Inspection? – Three things must happen in order to fulfill the requirements:

  1. Card Authentication – validates Card Holder Unique Identification (CHUID) and Federal Agency Smart Credential – Number (FASC-N)
  1. Card Validity – TWIC card is checked against Cancelled Card List (CCL) - is TWICrevoked or expired?   TSA CCL: https://universalenroll.dhs.gov/

           How Often must the CCL be checked?

                  MARSEC 1 – CCL is updated and checked every 7 days

                  MARSEC 2 & 3 – CCL is updated and checked daily

  1. Identity Verification – cardholder’s identity confirmed with biometrics

           Biometrics – accepted templates:

fingerprints

digital facial image with PIN

Alternative biometrics (vascular) are authorized if this biometric template is tied to TWIC holder & approved in FSP

If you have any questions on whether your facility will be expected to comply or what is required, we recommend you contact your local Captain of the Port.  Also, you are always welcomed to contact Ed Seebald or any of our Associates.

Remember - Everyone presenting a TWIC, along with a reason to access the secure or secure-restricted portion of a maritime facility, is also subject to random screening.  

WHYIT’S THE LAW!!! 

Next week’s blog will discuss WHEN, WHERE, and HOW regarding TWIC Reader implementation options and administrative requirements. 

NOTE:  Join us for our WEBINAR on Thursday February 22 that will explain all this and provide you an opportunity to ask questions.  Details will be sent out separately on the Webinar.

The Coast Guard has put out enforcement guidance regarding TWIC Reader Requirements Final Rule.

The following facilities will be expected to comply with the TWIC Reader Requirements Final Rule commencing August 23, 2018:

  1. Facilities that receive vessels certified to carry more than 1,000 passengers; and
  2. Facilities subject to 33 CFR 105.295 - Additional requirements for Certain Dangerous Cargo (CDC) facilities. (Guidance regarding how 33 CFR 105.295 is applied can be found in Policy Advisory Council Decision 20-04 – Certain Dangerous Cargo Facilities.)

I recommend facilities with any further questions reach out to their local Captain of the Port.

NOTE – This month’s blogs and Webinar will address TWIC Reader Requirements Final Rule.

For those attending the 5th Seebald & Associates International Facility Security Symposium in New Orleans, June 6-8, 2018, a senior representative from Coast Guard Office of Port and Facility Compliance will be speaking about TWIC Reader Requirements and other pertinent policies.

 

We’ve covered the main layers of the facility security organization (FSA, FSP, FSO, PSD, AO) in previous blogs.  This week we’ll look at what’s in the pyramid’s capstone.

Now that the FSA, FSP are completed and the training program is established, the FSO must not become complacent.  The Capstone to the Seebald Security Pyramid consists of regularly conducted Drills, Exercises, Audits and Reviews. 

DRILLS - How often do you conduct drills?  We know a security drill is required to be conducted every 90 days, testing one element of the FSP.  There are many elements to your FSP.  If you meet the minimal drill requirements, then you will test at only four elements of your plan.  That’s NOT how you become proficient! 

We recommend you conduct drills at least monthly, and, for all the Seebald Platinum Members, use the drills sent out every month to improve your security awareness.  Drills are meant to test at least one element of your plan, so remember to document observations and do not conduct training during the drill or you will never achieve an accurate assessment.  Drills do not need to be complicated, nor time-consuming.  You can get better at conducting drills by conducting more drills!  And remember, you are required to document best practices and lessons learned.

EXERCISES - Exercises are a full test of your security program and must include substantial and active participation from the FSO.  They’re required once each calendar year, not to exceed 18 months.  Exercises maybe full scale or live; tabletop simulation or seminar; or combined with other appropriate exercises.  Each exercise must test communication, notification procedures, elements of coordination, resource availability, and response.  As the same with drills, you must capture best practices and lessons learned.  To ensure you meet the frequency of required exercises, we at Seebald & Associates will conduct and document and exercise at your facility during your annual audit.

AUDITS - The FSP is required to be audited annually by a subject matter expert outside of your security organization.  The FSO should choose someone who will be critical and honest, so you get an accurate assessment in how the FSP is being executed.  After the audit, the FSO is required to address the discrepancies.  Remember, the audit report is Sensitive Security Information for the FSO only, do NOT show your audit report to the Coast Guard.  The FSO must sign an audit record that documents when and who conducted the audit.  Place the audit record with your security documentation – this is what substantiates your audit for the Coast Guard during your annual inspection. 

REVIEWS - FSO Reviews are crucial to building and maintaining a security culture and requires dedication from the FSO in making security a priority.  Reviews should be part of the FSO’s regular routine – this is security management by walking around.  The FSO should be reviewing the FSP on a regular basis and not once a year two weeks prior to the annual Coast Guard inspection.  The FSO should use the FSP to develop and use checklists during these walk around reviews.  These checklists can include but not limited to:  perimeter fencing, lights, security gates & guard posts, technical systems, communication systems, and information technology/cyber systems.  During walk arounds, the FSO can review items on their checklist, conduct security training by stopping and asking PSDs and AOs security awareness questions, or conduct drills.  Taking the time and making these walk around reviews part of your routine will improve the security posture and awareness on the facility.

Overall – remember, the Seebald Facility Security Pyramid provides you with the organization to secure your facility - the rest is up to you.

Seebald Security Pyramid.png