Update on the transportation worker identity credentialing process

Feb. 6, 2023
How the industry is reviving the Qualified Technology List with a simple Self Certification Approval process

The Transportation Worker Identification Credential (TWIC®)[1] is a biometric-enabled smart card identity credential that is issued to maritime workers to enable unescorted access into secure areas of maritime facilities and vessels regulated by the Department of Homeland Security (DHS).  TWIC is administered by DHS through two component organizations - the Transportation Security Administration (TSA) and the U.S. Coast Guard.  TSA is responsible for the enrollment of applicants, background vetting, card issuance, and life-cycle management of the TWIC credential. The Coast Guard is responsible for issuing regulations related to the use of the TWIC for access control and for regulatory compliance enforcement.

Usage and Benefit

Individuals seeking unescorted access to regulated maritime facilities or vessels must show eligibility to be granted such rights to a critical national infrastructure asset.  A TWIC card may be subject to visual inspection at a port point of entry or be electronically authenticated and validated to prove that the TWIC is valid, has not expired, and is being presented by the individual to whom the TWIC was issued.  Several different types of TWIC readers are offered for different levels of assurance (modes of operation).  These readers are being deployed by maritime operators to strengthen physical access security.  Note that TWIC cards are highly compatible with the U.S. federal Personal Identity Verification (PIV) deployed infrastructure.

Harsh weather-exposed conditions are common in a maritime environment where a reader could be exposed to hot summer weather, salty humid corrosive air mixed with oily pollutants, freezing rain and sleet in many winter locations, and combined with a large number of daily transactions at maritime facility physical points of entry.  Both readers and supporting equipment face a very challenging and demanding existence in such an environment while performing the important task of securing physical access by detecting a forged, copied or altered TWIC card that may be presented by an imposter.   

Qualified Technology Listing Process and Purpose

TWIC readers and supporting systems are currently being evaluated and, if approved, are listed on a TWIC Self-Certification Qualified Technology List (TWIC SC QTL) that is made available to maritime facilities, vessel operators and the general public by the TSA. The purpose of this qualification effort is to:

1.   Provide a simple-to-use “TWIC Reader Catalog” where maritime operators, other relying on third parties and product specifiers may see a list of TWIC reader products that meet the operational and technical requirements of their facility or vessel as well as other local and TSA requirements.

2.    Provide manufacturers with a public place to list their qualified TWIC reader products and show what Mode(s) of Operation each product is capable of performing.

3.    Offer maritime operators confidence that their product selection will indeed be a good fit for their particular operation.

To be included in the TWIC SC QTL, a TWIC reader manufacturer must first request an application form from the TSA TWIC SC QTL Program Office ([email protected]) with the subject line “Request QTL Application”.   The application form includes a series of boxes to check such as type of reader (handheld/portable or fixed mount), biometric matching capability, type of card-to-reader interface (contact or contactless), etc.

The manufacturer completes and returns the application to the TSA TWIC Program Office.  Based on the checked boxes, a specific set of functionality evaluation scenarios are custom configured for the reader (e.g., one scenario would be to ensure the product under evaluation checks for expiration) and returned to the manufacturer along with a set of TWIC SC QTL cards and scenario procedure instructions.

Both positive (properly personalized) and negative (specifically faulted) cards are included in the TWIC SC QTL package.  Negative cards are used to determine the reader’s ability to detect and reject specific errors and to prove the product’s ability to detect if an otherwise valid TWIC card has been canceled by TSA.  Reasons for cancellation, though never provided to the public, maybe for a loss of a TWIC card or a change in an individual’s eligibility to hold a TWIC card.

The TWIC Reader Self Certification QTL has evolved from the previous TWIC Reader QTL, which used third-party accredited laboratories, and is no longer supported.  The TWIC Reader SC QTL allows manufacturers to conduct their own tests (self-certification) in their own facilities using their own technical and engineering staff.  This enables the manufacturer to make changes and adjustments to their product at their own pace as may be necessary.  The newer TWIC SC QTL process was crafted to eliminate, to a great extent, the cost of involving a for-profit national laboratory. 

During the evaluation process, the TSA TWIC SC QTL Program Office team is available to assist and answer questions that may arise for a given product evaluation. 

At the time of this writing, there is a small but growing number of manufacturers who have volunteered to undergo and have successfully completed the self -certification evaluation suites.  These pathfinder manufacturers are currently qualified for inclusion on the TSA TWIC Reader Self Certification Qualified Technology List.  The official TWIC Reader SC QTL will be publicly posted when the date and Web site URL are finalized by TSA.  TSA is expected to issue a TWIC “technical advisory” for SC QTL information in the near future.

With approximately 2.2 million ACTIVE TWIC cards currently in circulation, and approximately 10,000 TWIC cards being issued on a weekly basis, the TWIC program continues to grow. Populations beyond maritime, such as those adhering to the Chemical Facility Anti-Terrorism Standards (CFATS) are now optionally employing TWIC in their security operations.

Maritime operators, product specifiers and manufacturers should all benefit from the modern TSA TWIC Reader SC QTL program.

Note:

The QTL is not a mandated program or project administered by TSA.

The SC QTL is managed by the TSA TWIC Program Office

About the author: Lars Suneborn, CSCIP/G, CSEIP. Is a Senior. Consultant with ID Technology Partners. He is recognized as a leading Subject Matter Expert on Physical Access Control Systems (PACS) with more than 35 years of practical experience in Government facilities and large-scale enterprise networks.  He also develops and conducts advanced professional certification courses for access control system engineers and is supporting the General Services Administration’s (GSA’s) FIPS 201 Evaluation Program.

He leads the development of the Certified System Engineer Identity Credential & Access Management (ICAM) PACS Certification Program (CSEIP).  His extensive experience also includes system design and product development for the high-security government market.  He led deployment of access control systems in high-risk, national consequence facilities worldwide including the U.S., Canada and the United Kingdom.   Mr. Suneborn enjoys a well-established reputation as an industry leader and team player.

[1] TWIC is a registered trademark of the Department of Homeland Security.

About the Author

Lars R. Suneborn, CSCIP/P, CSEIP | CSCIP/G, CSEIP , is the Director, Training Program for the Smart Card Alliance

Lars R. Suneborn, CSCIP/P, CSEIP, is Director of Training Programs for the Smart Card Alliance (www.smartcardalliance.org).