Greetings, Facility Security Colleagues, 

The Coast Guard Office of Port and Facility Compliance (CG-FAC) recently released its 2016 Facility Year in Review. While CG-FAC was busy with many initiatives, TWIC and the reporting of Suspicious Activity and Breaches of Security were prominent.

The Coast Guard published a policy letter regarding criteria and procedures for reporting Suspicious Activity (SA) and Breaches of Security (BoS). (Note: We're already addressing this in our courses, audits, assessments, and plans.) Basically, the Department of Homeland Security (DHS) National Cyber Security and Communications Integration Center (NCCIC) may be contacted directly for cybersecurity incidents and suspicious activity NOT resulting in physical or pollution effects (physical and pollution incidents must be reported to the National Response Center (NRC)). When reporting a cybersecurity SA or BoS, maritime owners and operators must identify themselves as an MTSA-regulated entity in order to satisfy the reporting requirements of 33 CFR 101.305. NCCIC will document the activity, evaluate it against operations, provide technical assistance if requested, and pass the information to the NRC. Information shared between NCCIC and NRC may contain Sensitive Security Information and is protected per 49 CFR 1520.

In 2016, the Coast Guard conducted 6,002 MTSA compliance inspections covering 3,476 MTSA-regulated facilities, resulting in 1,648 deficiencies. This resulted in 180 enforcement activities. More than half of the citations were in three categories: Security Measures for Access Control (61), Owner or Operator Requirements (32), and Drill and Exercise Requirements (17). Remember from your training, Access Control is crucial in your first line of defense against security incidents.

Over 54,000 TWIC cards were inspected visually or electronically, resulting in 515 instances of non-compliance. This shows that facilities are not properly inspecting TWIC cards or individuals are not carrying them when working on the regulated secure footprint. Remember, TWIC cards need to be inspected at 100% and everyone must have them on their person.

There is a lot of interesting information in the 2016 report, such as Rulemakings, Training, Cyber Risk Management, and much more. Please take the time to read it and learn how these policy changes or recommended advice affect your facility. Have a safe and secure day.

Under the TWIC Final Rule, electronic TWIC inspection is required each time a person is granted unescorted access to a secure area for facilities in Risk Group A.  TWIC readers or a Risk Group A facility’s Physical Access Control System (PACS) must perform three functions:

1.  Card Authentication – The TWIC reader or PACS determines that the TWIC is authentic via the Card Holder Unique Identification (CHUID) and validates the Federal Agency Smart Credential – Number (FASC-N)

2.  Card Validity – Checks the TWIC against the Cancelled Card List (CCL), which determines whether a TWIC is valid (i.e., not revoked or expired.)  Learn more about the TSA CCL at https://universalenroll.dhs.gov/

The TWIC reader or PACS must stay current with the CCL, with the following update requirements: 

• MARSEC 1 – update CCL every 7 days

• MARSEC 2 & 3 – update CCL daily

3.  Identity Verification – The TWIC reader or PACS verifies the card holder’s identity, which is confirmed with accepted biometric templates:

• Fingerprints

• Digital facial image with PIN (Do you remember your TWIC's PIN?)

• Alternate biometrics (vascular) are authorized if this biometric template is tied to the TWIC holder & approved with your FSP

This month’s Seebald & Associates blogs focus on the impacts of the TWIC Final Rule: Who needs it? What is needed? How can you meet the requirements? What are your Next Steps? When do you need to submit your amendments or new FSP to be compliant?

The TWIC Final Rule defines Risk Group A as facilities that handle Certain Dangerous Cargo (CDC) in bulk or receive vessels carrying CDC in bulk, as well as facilities that receive vessels certificated to carry more than 1,000 passengers. 

Bulk or in bulk means a commodity that is loaded or carried on board a vessel without containers or labels, and that is received and handled without mark or count.  This includes cargo transferred using hoses, conveyors, or vacuum systems. 

There seems to be a level of confusion in industry as to what determines whether a facility is a CDC facility or not regarding the TWIC Final Rule, especially facilities that receive CDCs by truck or rail.  Because of this confusion, the Coast Guard is considering additional guidance, policy determinations, and/or regulatory updates.  Seebald & Associates will stay tuned for guidance the Coast Guard provides and we’ll keep you up to date on Coast Guard policy decisions.  

Still, lack of guidance does NOT relieve you of being compliant with the TWIC Final Rule - because it is the law.

33 CFR 105 requires the Owner/Operator (read as ‘FSO,’ that’s YOU!), to conduct an Audit annually.  This is the FSO’s opportunity to show the Auditor, your ‘critical best friend,’ how well you know your duties and are doing your job; nearly instantaneous feedback on how you’re doing as an FSO, now that’s job satisfaction!  (Assuming you know the regulations and what the facility’s FSP says; and are routinely conducting drills and applying best practices and lessons learned.)

If you, as the Owner/Operator/FSO, are not gaining security perspective and insights from your Auditor every year, it’s time to bring on the regulatory and practical experience that comes with each Seebald Associate; we pride ourselves on being your expert ‘critical best friend.’

Have you and your alternates attended a certified FSO Course or FSO Refresher Course?  The FSO Course is recommended every 5 years, the FSO Refresher Course every 2-3 years.  See Seebald.com for a location and date that works for you; or give Ed a call and arrange a private course tailored for you, your facility and personnel.

As the Owner/Operator’s representative, the FSO must sort through the regulations and know the applicable parts that govern their facility.

TWIC - do you know if and how the upcoming TWIC Reader requirement applies to your facility?

Seafarer Access - as FSO, do you know if the Owner/Operator must facilitate Merchant Mariner access, and if so, when and how?

Does the Owner/Operator have responsibilities when a vessel calls on the facility with an elevated security (ISPS or MARSEC) level?  What are the requirements associated with Declarations of Security?

It’s all in the regulations, supplementary guidance and advice documents.  Need a Certified FSO Course or FSO Refresher?  See Seebald.com for a location and date that works for you; or give Ed a call and arrange a private course tailored for you, your facility and personnel.