The beleaguered Transportation Worker Identification Credential program, known by the initials TWIC, has been dealt a serious blow with a determination by the Department of Defense that it doesn’t meet DoD standards, and won’t be recognized for department purposes.
The U.S. Department of the Army issued a Federal Register notice that the TWIC card will no longer be used to authenticate users for access to certain Department of Defense computer systems.
In part, the notice states:
“The DoD PKI [Public Key Infrastructure] office has determined that the Transportation Workers Identification Card (TWIC) PKI certificate cannot be used to authenticate users for access to DoD systems. The DoD PKI office has not established a trust relationship with Homeland Security/TSA.
“Starting January 29, 2013, TWIC certificates cannot be accepted by ETA [Electronic Transportation Acquisition] … All current TWIC holders accessing an application within ETA will need to purchase an External Certificate Authority (ECA) prior to January 29, 2013. ”
The register entry essentially says that the TWIC program cannot be used to authenticate users for access to DoD computer systems and networks. The Department of Defense will require additional credentials of TWIC holders, who need access to certain defense computer networks starting at the end of the month.
The TWIC program was started as a joint initiative between Transportation Security Administration and U.S. Coast Guard. The purpose of the program is to provide a biometric credential to workers who need to enter “secure areas” of port facilities and vessels that fall under the Maritime Transportation Security Act of 2002.
Under the program, access to these areas is still allowed to those individuals, but they have to be escorted by someone currently holding a valid card. Individuals without those valid cards have to be kept within sight at all times.
TSA has spent $420 million on TWIC, and it has been estimated that the federal government and private sector may spend as much as $3.2 billion on TWIC during the next 10 years, not including the card readers themselves.
More than 1.9 million U.S. workers have enrolled in the TWIC program with a cost of $132.50 per enrollment.
The TWIC program has been problematic from the start. The TWIC application is a two-step process. A person has to go to an authorized TWIC Enrollment Center to apply for the card and then has to return to pick up the card and provide biometric information. This is not a problem if one lives close to a port city such as New York or Los Angeles. However, some of the facilities that fell under the jurisdiction of the TWIC program are far from the centers. In some cases, a person has to travel six to eight hours to apply for the card, and then repeat the process six weeks later to pick it up. For small facilities under the program, this caused quite a burden.
As one person tweeted, “I need to stop playing a ‘snag a TWIC card’.”
The cards themselves had a good security design, using standard “Two-factor Authentication,” an authentication method that consists of two or more of the three authentication factors: “something the user knows” (a password), “something the user has” (the TWIC card itself), and “something the user is” (their fingerprint).
To gain entry to a facility or system, the goal was for a person to present their card (something they own) for reading, enter their password (something they know), and have their fingerprint scanned and compared to the fingerprint information embedded in the card’s computer chip (something they are).
One problem that arose early on was that there were no card readers for the cards. The card’s computer chip, known as an Integrated Circuit Chip, stores the holder’s information and biometric data. The chip was supposed to be read by inserting it into a reader or holding it near a “contactless” reader.
Once the card was read, the card holder’s name was to be checked against a list of people who were to be barred from entering the facility. The list was to be updated almost in real time so that if a person was recently added to the list, they could be identified quickly and denied entry.
The problems with the card readers had been so profound that covered workers are allowed to extend their expiring TWIC cards by three years at a reduced price because federal officials are facing delays in deploying the readers.
This latest development with the DoD was not surprising since the program was already plagued by delays, cost overruns and false starts.
In December 2011, the Department of Homeland Security’s Transportation Security Administration said that the 26,000 already issued TWIC cards were missing a digit in the “Federal Agency Smart Credential Number.”
In another case, TSA lost the passwords that were associated with the card and a user had to apply for a new TWIC card if they ever needed their password.
Not that it would matter since the bug-ridden card reader program reduced the TWIC card to merely a “flash card” at most ports as the card reader program has been riddled with glitches and continues to lag behind its implementation schedule.
It also made it impossible to identify cards that have been reported as lost, stolen, revoked or suspended, while the lack of an updated threat assessment could compromise the security of a port.
The future of the program seemed suspect when the Transportation Security Administration opted this year to extend the expiration dates of some of the current cards. With the first round of five-year expiration dates bearing down on TWIC holders, the TSA offered a three-year extension. U.S. citizens with current TWICs that are to expire on or before Dec. 31, 2014, can opt to pay $60 to extend the expiration date for three years.
This latest announcement is making people covered by the TWIC program wonder why a program deemed not suitable for security in the U.S. Army Supply Chain is still being used for security in protecting civilian freight transportation venues from terrorist attack.
According to a December 2012 statement issued by Todd Spencer, the executive vice president of the Owner-Operator Independent Drivers Association, “At one time we thought TWIC would be it, but it does not appear so now. The promise of secure credentials to identify truckers authorized to work the ports is no closer to reality than ever.”
“The TWIC program seems to exist only for the benefit of those who collect fees for generating the card at the expense of the time and money of professional drivers.”