201803 S&A Blogs - Facility Security Threats
- Posted by Brian Kelley
Facility Security Threats – It’s a Knowledge Requirement!
Before we get started on our threat discussion this month, let’s see what 33 CFR 105 requires of us. In particular, our knowledge and training must include awareness of security threats and patterns.
- §105.205 Facility Security Officer (FSO).
(2) In addition to knowledge and training required in paragraph (b)(1) of this section, the FSO must have knowledge of and receive training in the following, as appropriate:
(b)(2)(viii) Current security threats and patterns;
- §105.210 Facility personnel with security duties.
Facility personnel responsible for security duties must maintain a TWIC, and must have knowledge, through training or equivalent job experience, in the following, as appropriate:
(a) Knowledge of current security threats and patterns;
- §105.225 Facility recordkeeping requirements.
(b) Records required by this section may be kept in electronic format. If kept in an electronic format, they must be protected against unauthorized deletion, destruction, or amendment. The following records must be kept:
(6) Security threats. For each security threat, the date and time of occurrence, how the threat was communicated, who received or identified the threat, description of threat, to whom it was reported, and description of the response;
The Coast Guard takes a risk-based approach to security. Threats are an important consideration in their many activities, such as setting MARSEC levels. In lieu of your own research, or trying to navigate through Homeport, you can take advantage of participating in your Area Maritime Security Committee (AMSC) to learn more about what the Coast Guard perceives as the prominent threats in your area. Have that discussion with your Coast Guard facility inspector and with your colleagues in the AMSC.
Remember that the specific threat discussions may include Sensitive Security Information (SSI), so it’s our duty to be careful to protect this information. If you’re having a threat discussion, then be sure to know your surroundings. Also, when recording a security threat to your facility or personnel, be sure to mark the record as SSI, and protect it along with your other facility documentation.
Next week’s blog will look at Threats as a component of our facility’s risk equation…
Also, did you know? …
The Facility Security Symposium and FSO Academy (June 6-8 in New Orleans) was created to give members of the international port community a unique opportunity to have direct access to the foremost leaders that establish the industry's best practices and procedures. Register now before it’s too late – rooms and seats are going fast!
TWIC READER REQUIREMENTS - WHAT IF?
TWIC Reader Requirements Final Rule - So far this month we discussed Who, What, When, Where and Why, so we will cover a few “What if” questions this week.
What if my TWIC card is stolen, damaged or lost? – Unescorted access can be granted up to 30 days if:
- TWIC card appears on the Cancelled Card List (CCL)
- Individual was known to have had a TWIC card
- Individual reported it lost, stolen or damaged
Facilities using a Physical Access Control System (PACS) - If after 30 days the individual has NOT linked their facility access card to a valid TWIC card, the PACS must deny unescorted access to secure areas.
What if I forgot my TWIC card at home? – Unescorted access is DENIED unless electronic TWIC inspection can be performed by PACS with facility access card. If you have TWIC readers, the individual will NOT be able to perform a required electronic TWIC inspection.
What if my job requires me to go between secure and unsecure areas to complete my duties, do I need to complete an electronic TWIC inspection every time I re-enter the secure area? – NO, an electronic TWIC inspection is not required for reentry into a secure area as long as certain requirements and conditions are met. This includes the following:
- Designated Recurring Access Area (DRAA) – An unsecure area adjacent to a secure area with access gates where employees require frequent access between the unsecure and secure areas to complete their duties.
- Recurring Unescorted Access (RUA) – TWIC holding employees going between secure and unsecure areas without going through an electronic TWIC inspection each time they pass from unsecure to secure after an initial electronic TWIC inspection was conducted.
- Must be designated and approved in FSP
- Security Guards at each secure area access point
- Entire DRAA must be visible to security personnel
- Electronic TWIC inspection completed for initial entry into secure area (beginning of work shift) and TWIC holder can have RUA as long as they do NOT leave DRAA
- If TWIC holder leaves DRAA for ANY reason, they must conduct an electronic TWIC inspection upon return into the secure area
Some possible DRAA scenarios are:
Cruise ship porters carry baggage from curbside check-in area (unsecure) to baggage storage area (secure) for cruise ship passengers
Forklift operators transport packages from loading area (unsecure) to secure storage area on vessel or facility.
NOTE – Seebald & Associates presented a Webinar last Thursday (February 22nd) that covered everything you need to know about TWIC Reader Requirements. If you missed the webinar, S&A Platinum members can view the recorded presentation via our website.
TWIC READER REQUIREMENTS - WHEN, WHERE & HOW!!!
Last week we discussed WHO is expected to comply with TWIC Reader Requirements, WHAT is required to complete an Electronic TWIC Inspection, and WHY this is a requirement. This week we will go over the WHEN, WHERE, and HOW for different implementation options along with administrative requirements.
There is quite a bit of apprehension in how to purchase or enhance current systems to be in compliance with the TWIC Reader Requirement Final Rule. We are asked all the time - How do I know what TWIC Readers to purchase? or Can I enhance the Physical Access Control System (PACS) I have in place at my facility? I will address each question and provide guidance that will assist you in determining which solution is better for you.
TWIC Readers – TSA has a Qualified Technology List (QTL) outlining companies that have approved readers meeting the Electronic TWIC inspection requirements. That list can be found at: TSA QTL: https://universalenroll.dhs.gov/permalinks/static/twic-reader-qtl If your TWIC reader is not on the list, that is OK as long as it meets the Electronic TWIC Inspection Requirements – see last week’s blog for details.
PACS - Facilities are authorized to enhance their current systems to meet the Electronic TWIC inspection requirements. I am sure you are picking up a theme here – whatever system or reader you use, it must meet the Electronic TWIC inspection requirements.
Can the TWIC Readers and PACS be portable? – Yes, there is no requirement for either to be fixed or stationary, portable systems are acceptable.
What if TWIC Reader or PACS malfunctions? – You are required by law to have a back-up system or portable TWIC readers at the ready that perform the Electronic TWIC Inspection requirements (Visual inspection of the TWIC cards is NOT authorized). NOTE: If you cannot provide a back-up for that access point, you must report it to your Captain of the Port and obtain permission to operate.
Once you have decided on the hardware solution, there are some administrative requirements that must be met and those are:
- Must record/document each ENTRY into a secure area and you are required to maintain these records for two years.
We are asked - What if we document both the entry and exit of all personnel in and out of a secure or secure/restricted area? A lot of facilities track who enters and exits for accountability reasons and this is permissible and accepted by the Coast Guard, but make sure you maintain those records for two years.
Next week’s blog will discuss what is required if a TWIC card is lost, stolen or damaged as well as what requirements need to be met if you routinely move between a secure area and an unsecure area to perform your duties.
Reminder – Seebald & Associates will host a Webinar this week. We’ll discuss the TWIC Reader Requirements Final Rule on Thursday, February 22, at 11:00am ET and 3:00pm ET.
TWIC READER REQUIREMENTS - WHO, WHAT & WHY!!!
The Coast Guard has recently put out enforcement guidance regarding the TWIC Reader Requirements Final Rule, which was in last week’s blog. This week we will recap WHO is expected to comply, WHAT is required during an Electronic TWIC Inspection, and WHY this is a requirement.
WHO IS REQUIRED: The following facility types will be expected to comply starting August 23, 2018:
- Facilities that receive vessels certified to carry more than 1,000 passengers; and
- Facilities subject to 33 CFR 105.295 - Certain Dangerous Cargo (CDC) facilities.
(Guidance regarding how 33 CFR 105.295 is applied can be found in Policy Advisory Council Decision 20-04 – Certain Dangerous Cargo Facilities.)
WHAT IS REQUIRED: Electronic TWIC inspection – conducted by TWIC Readers or Physical Access Control Systems (PACS) and required each time a person is granted unescorted access to a secure area and must be in place by August 23, 2018.
What is an Electronic TWIC Inspection? – Three things must happen in order to fulfill the requirements:
- Card Authentication – validates Card Holder Unique Identification (CHUID) and Federal Agency Smart Credential – Number (FASC-N)
- Card Validity – TWIC card is checked against Cancelled Card List (CCL) - is TWICrevoked or expired? TSA CCL: https://universalenroll.dhs.gov/
How Often must the CCL be checked?
MARSEC 1 – CCL is updated and checked every 7 days
MARSEC 2 & 3 – CCL is updated and checked daily
- Identity Verification – cardholder’s identity confirmed with biometrics
Biometrics – accepted templates:
digital facial image with PIN
Alternative biometrics (vascular) are authorized if this biometric template is tied to TWIC holder & approved in FSP
If you have any questions on whether your facility will be expected to comply or what is required, we recommend you contact your local Captain of the Port. Also, you are always welcomed to contact Ed Seebald or any of our Associates.
Remember - Everyone presenting a TWIC, along with a reason to access the secure or secure-restricted portion of a maritime facility, is also subject to random screening.
WHY – IT’S THE LAW!!!
Next week’s blog will discuss WHEN, WHERE, and HOW regarding TWIC Reader implementation options and administrative requirements.
NOTE: Join us for our WEBINAR on Thursday February 22 that will explain all this and provide you an opportunity to ask questions. Details will be sent out separately on the Webinar.
***LATEST UPDATE FROM COAST GUARD ON TWIC READERS***
- Posted by Edward Seebald
The Coast Guard has put out enforcement guidance regarding TWIC Reader Requirements Final Rule.
The following facilities will be expected to comply with the TWIC Reader Requirements Final Rule commencing August 23, 2018:
- Facilities that receive vessels certified to carry more than 1,000 passengers; and
- Facilities subject to 33 CFR 105.295 - Additional requirements for Certain Dangerous Cargo (CDC) facilities. (Guidance regarding how 33 CFR 105.295 is applied can be found in Policy Advisory Council Decision 20-04 – Certain Dangerous Cargo Facilities.)
I recommend facilities with any further questions reach out to their local Captain of the Port.
NOTE – This month’s blogs and Webinar will address TWIC Reader Requirements Final Rule.
For those attending the 5th Seebald & Associates International Facility Security Symposium in New Orleans, June 6-8, 2018, a senior representative from Coast Guard Office of Port and Facility Compliance will be speaking about TWIC Reader Requirements and other pertinent policies.