Transportation Worker Identification Credential:
Mailing Credentials to Applicants' Residences Would Not Be Consistent with DHS Policy
GAO-11-542R: Published: Apr 13, 2011. Publicly Released: Apr 13, 2011.
Securing transportation systems and facilities requires balancing security to address potential threats while facilitating the flow of people and goods that are critical to the U.S. economy and necessary for supporting international commerce. As we have previously reported, these systems and facilities are vulnerable and difficult to secure given their size, easy accessibility, large number of potential targets, and proximity to urban areas. To help enhance the security of these systems and facilities, the Maritime Transportation Security Act of 2002 (MTSA) required the Secretary of Homeland Security to prescribe regulations preventing individuals from having unescorted access to secure areas of MTSA-regulated facilities and vessels unless they both possess a biometric transportation security card and are authorized to be in such an area. MTSA further tasked the Secretary with the responsibility to issue biometric transportation security cards to eligible individuals unless the Secretary determines that an applicant poses a security risk warranting denial of the card. The Transportation Worker Identification Credential (TWIC) program is designed to implement these biometric maritime security card requirements. The program requires maritime workers to undergo a background check to obtain a biometric identification card. This card is required for an individual to be eligible for unescorted access to secure areas of vessels and facilities. It is still the responsibility of facility and vessel owners to determine who should be granted access to their facilities or vessels. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) and the United States Coast Guard are responsible for implementing and enforcing the TWIC program. TSA's responsibilities include enrolling TWIC applicants, conducting background checks to assess individuals' potential security threat, and issuing TWICs. In January 2007, TSA contracted out TWIC enrollment center operations to enroll applicants and issue TWICs to approved applicants. This contract expires in June 2012. The Coast Guard is responsible for developing TWIC-related security regulations and ensuring that MTSA-regulated maritime facilities and vessels are in compliance with these regulations. In addition, DHS's Screening Coordination Office (SCO) facilitates coordination among the various DHS components involved in TWIC, such as TSA and the Coast Guard, as well as the United States Citizenship and Immigration Services (USCIS), which, through an interagency agreement, personalizes the credentials and ships them to enrollment centers, and the Federal Emergency Management Agency, which administers grant funds in support of the TWIC program. Section 818(b)(1) of the Coast Guard Authorization Act of 2010 provides that the Comptroller General shall submit a report to the House Committee on Homeland Security and the Senate Committee on Commerce, Science, and Transportation assessing the costs, technical feasibility, and security measures associated with procedures to (1) deliver a transportation security card (i.e., a TWIC) to an approved applicant's place of residence in a secure manner or (2) allow an approved applicant to receive the card at an enrollment center of the individual's choosing..
Starting in February 2009, TSA allowed applicants to designate an enrollment center of their choosing where a TWIC would be activated and issued. However, several factors limit the ability of DHS to mail TWICs to an approved applicant's residence. For example, it would not meet current or proposed NIST guidelines for credential issuance (FIPS 201-1) that require a biometric match be performed before providing the card to the applicant. Such a match must be done in person using information either from the TWIC or the enrollment record. DHS and TSA made a policy decision to align the TWIC program with these guidelines because it used the latest technology, secured critical facilities with the same processes used by federal agencies, and would allow interoperability in an emergency. Should DHS and TSA change their policy that the TWIC program be aligned with FIPS 201-1, TSA and USCIS, the organization that personalizes TWICs for TSA, stated that changes could be made to existing business processes and systems to accommodate such a change but that this would require significant changes to the existing systems and processes used to produce and issue cards. Regarding the cost implications of mailing TWICs to residences, specific program requirements to accomplish this goal would need to be identified before an accurate cost estimate can be made.