During the month of May, we covered the TWIC Final Rule that requires Risk Group A maritime facilities to incorporate TWIC readers into their maritime security regime no later than August 23, 2018. This month we'll continue that discussion as it relates to TWIC reader technology. Additionally, given the recent Ransomware cyber attack, we'll review ways to enhance your cyber security to help prevent becoming a cyber statistic. 

TWIC reader technology is continually evolving. TSA and the Coast Guard recognize this reality; there are three options for facilities to comply:

• Purchase a TWIC reader from TSA's Qualified Technology List, or

• Use a TWIC reader that adequately performs an electronic TWIC inspection:
     - Card Authentication
     - Validity
     - Holder Identity

• Use a Transparent reader, which sends the TWIC information with biometric to a back-end system that performs card authentication, validity, and holder identity authentication. 

Remember - Everyone presenting a TWIC, along with a reason to access the secure or secure-restricted portion of a maritime facility, is also subject to a random screening.

But wait! There is another TWIC reader option that we'll cover next week. 

August 23, 2018, or 448 days and a wake-up. That's when your Risk Group A facility must be ready to go, which includes:

• Having the required electronic TWIC readers or PACS operational.

• Having a Coast Guard COTP approved FSP or FSP amendment that includes electronic TWIC inspection.

Remember, you should plan to submit your new FSP (that will require a new/updated FSA) or FSP amendment in ample time to obtain Coast Guard approval. That means at least 60 days prior to August 23, 2018. Trust us, it'll take you at least 60 days to adequately prepare/amend your FSP to meet the TWIC Final Rule requirements. All considered, that's 120 days before August 23, 2018. 

Are you paying attention? August 2018 just became April 2018 on your TWIC Final Rule planning calendar. That's the latest when you should be underway and making way in preparing to comply with the TWIC Final Rule. 

Thoroughly review the TWIC Final Rule requirements and research carefully which system will meet your needs. Be wary of vendors trying to sell you more than what is needed! Develop contingency plans for when your TWIC readers or PACS malfunction. Remember your documentation requirements - how will you record the information, which is Sensitive Security Information, and where will you maintain the entry records in a restricted area for two years?

How can Risk Group A facilities comply with TWIC Final Rule requirements? These are some of the capabilities and capacities to bring you into compliance:

• TWIC Readers & Physical Access Control Systems (PACS) - Not required to be stationary/fixed - portables are acceptable

• TWIC Reader - If not on TSA's Qualified Technology List (QTL), it must meet electronic TWIC inspection requirements. You can verify if your TWIC reader is approved by checking the TSA QTL at: https://homeport.uscg.mil/mycg/portal/ep/contentView.do?contentTypeId=2&channelId=-24886&contentId=544123&programId=50398&pr

• PACS - facilities are authorized to enhance their current PACS to meet electronic TWIC inspection requirements. 

• TWIC Reader or PACS malfunctions - Must have a back-up system or portables that perform Electronic TWIC inspection requirements (Note: A visual inspection is NOT authorized.)

• If your electronic TWIC reader fails and you do not have an operable back-up, you MUST report it to COTP and obtain permission to operate. The Coast Guard will require suitable risk mitigation before granting permission to operate.

• TWIC Reader or PACS - must record/document ENTRY into a secure area and Risk Group A facilities are required to maintain these records for two years. 


The TWIC Final Rule is a credentialing law; it does NOT replace screening.

Greetings, Facility Security Colleagues, 

The Coast Guard Office of Port and Facility Compliance (CG-FAC) recently released their 2016 Facility Year in Review. While busy with many initiatives, TWIC and reporting Suspicious Activity and Breaches of Security were prominent.

The Coast Guard published a policy letter regarding criteria and procedures for reporting Suspicious Activity (SA) and Breaches of Security (BoS). (Note: We're already addressing this in our courses, audits, assessments, and plans.) Basically, the Department of Homeland Security (DHS) National Cyber Security and Communications Integration Center (NCCIC) may be contacted directly for cybersecurity incidents and suspicious activity NOT resulting in physical or pollution effects (physical and pollution incidents must be reported to the National Response Center (NRC)). When reporting a cybersecurity SA or BoS, maritime owners and operators must identify themselves as a MTSA regulated entity in order to satisfy the reporting requirements of 33 CFR 101.305. NCCIC will document the activity, evaluate it against operations, provide technical assistance if requested, and pass the information to the NRC. Information-sharing between NCCIC and NRC may contain Sensitive Security Information and is protected per 49 CFR 1520.

In 2016, the Coast Guard conducted 6,002 MTSA compliance inspections covering 3,476 MTSA regulated facilities, resulting in 1,648 deficiencies. This resulted in 180 enforcement activities. More than half of the citations were in three categories: Security Measures for Access Control (61), Owner or Operator Requirements (32), and Drill and Exercise Requirements (17). Remember from your training, Access Control is crucial in your first line of defense against security incidents.

Over 54,000 TWIC cards were inspected visually or electronically, resulting in 515 instances of non-compliance. This shows that facilities are not properly inspecting TWIC cards or individuals are not carrying them when working on the regulated secure footprint. Remember, TWIC cards need to be inspected at 100% and everyone must have them on their person.

There is a lot of interesting information in the 2016 report, such as Rulemakings, Training, Cyber Risk Management, and much more. Please take the time to read it and learn how these policy changes or recommended advice affect your facility. Have a safe and secure day.