[House Hearing, 113 Congress] [From the U.S. Government Publishing Office] THREAT, RISK, AND VULNERABILITY: THE FUTURE OF THE TWIC PROGRAM ======================================================================= HEARING before the SUBCOMMITTEE ON BORDER AND MARITIME SECURITY of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION __________ JUNE 18, 2013 __________ Serial No. 113-23 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC] [TIFF OMITTED] Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PRINTING OFFICE 85-688 WASHINGTON : 2013 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Michael T. McCaul, Texas, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Peter T. King, New York Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Paul C. Broun, Georgia Yvette D. Clarke, New York Candice S. Miller, Michigan, Vice Brian Higgins, New York Chair Cedric L. Richmond, Louisiana Patrick Meehan, Pennsylvania William R. Keating, Massachusetts Jeff Duncan, South Carolina Ron Barber, Arizona Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey Jason Chaffetz, Utah Beto O'Rourke, Texas Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii Lou Barletta, Pennsylvania Filemon Vela, Texas Chris Stewart, Utah Steven A. Horsford, Nevada Richard Hudson, North Carolina Eric Swalwell, California Steve Daines, Montana Susan W. Brooks, Indiana Scott Perry, Pennsylvania Mark Sanford, South Carolina Greg Hill, Chief of Staff Michael Geffroy, Deputy Chief of Staff/Chief Counsel Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director ------ SUBCOMMITTEE ON BORDER AND MARITIME SECURITY Candice S. Miller, Michigan, Chairwoman Jeff Duncan, South Carolina Sheila Jackson Lee, Texas Tom Marino, Pennsylvania Loretta Sanchez, California Steven M. Palazzo, Mississippi Beto O'Rourke, Texas Lou Barletta, Pennsylvania Tulsi Gabbard, Hawaii Chris Stewart, Utah Bennie G. Thompson, Mississippi Michael T. McCaul, Texas (Ex (Ex Officio) Officio) Paul L. Anstine, Subcommittee Staff Director Deborah Jordan, Subcommittee Clerk Alison Northrop, Minority Subcommittee Staff Director C O N T E N T S ---------- Page Statements The Honorable Candice S. Miller, a Representative in Congress From the State of Michigan, and Chairwoman, Subcommittee on Border and Maritime Security: Oral Statement................................................. 1 Prepared Statement............................................. 2 The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas, and Ranking Member, Subcommittee on Border and Maritime Security: Oral Statement................................................. 4 Prepared Statement............................................. 5 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security: Prepared Statement............................................. 7 Witnesses Rear Admiral Joseph A. Servidio, Assistant Commandant for Prevention Policy, U.S. Coast Guard: Oral Statement................................................. 8 Prepared Statement............................................. 9 Mr. Steve Sadler, Assistant Administrator, Transportation Security Administration: Oral Statement................................................. 11 Prepared Statement............................................. 12 Mr. Stephen M. Lord, Director, Forensic Audits and Investigative Services, U.S. Government Accountability Office: Oral Statement................................................. 15 Prepared Statement............................................. 16 Captain Marcus Woodring, USCG (Ret), Managing Director, Health, Safety, Security, and Environmental, Port of Houston Authority: Oral Statement................................................. 21 Prepared Statement............................................. 23 For the Record The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas, and Ranking Member, Subcommittee on Border and Maritime Security: Letter From the American Association of Port Authorities....... 40 Statement of American Trucking Associations, Inc............... 41 The Honorable Tulsi Gabbard, a Representative in Congress From the State of Hawaii: Statement of the International Longshore and Warehouse Union... 44 Appendix Questions From Chairwoman Candice S. Miller for Joseph A. Servidio....................................................... 49 Questions From Chairwoman Candice S. Miller for Stephen M. Lord.. 51 THREAT, RISK, AND VULNERABILITY: THE FUTURE OF THE TWIC PROGRAM ---------- Tuesday, June 18, 2013 U.S. House of Representatives, Subcommittee on Border and Maritime Security, Committee on Homeland Security, Washington, DC. The subcommittee met, pursuant to call, at 10:09 a.m., in Room 311, Cannon House Office Building, Hon. Candice S. Miller [Chairwoman of the subcommittee] presiding. Present: Representatives Miller, Duncan, Palazzo, Barletta, Stewart, Jackson Lee, O'Rourke, and Gabbard. Mrs. Miller. Good morning. The Committee on Homeland Security, Subcommittee on Border and Maritime Security, will come to order. The subcommittee is meeting today to examine the future of the TWIC program, and our witnesses today are Rear Admiral Joseph Servidio from the U.S. Coast Guard, Steven Sadler, assistant administrator for the Office of Intelligence and Analysis, Transportation Security Administration, Stephen Lord with the Government Accountability Office, and Marcus Woodring, from the Port of Houston Authority. I will give them a more formal introduction in just a moment. After 9/11, Congress passed the Maritime Transportation Security Act, or MTSA--it is sort of the acronym--to address several security vulnerabilities within the Nation's maritime and transportation sectors to prevent acts of terrorism that might impact our Nation. Among the provisions of the bill was a requirement from the Department of Homeland Security to develop a secure biometric access credential for individuals who require unescorted access to secure areas of regulated maritime facilities and vessels. Ports by their very nature may be susceptible to acts of terrorism that could cause loss of life and severe economic disruption. The lack of access control at the Nation's ports was certainly a glaring security vulnerability that MTSA and subsequently the Transportation Worker Identification Credential--we commonly call TWIC--was intended to fix. However, more than 11 years later, the TWIC card designed to prevent terrorists from gaining access to sensitive parts of the Nation's ports is currently no more than an extensive flash pass that costs workers about $130, principally to run criminal and terrorism background checks on prospective applicants. Unfortunately, the biometric capabilities on the card are of little use because delays in the pilot program and rulemaking processes have taken longer than ever intended. Pilot programs as envisioned by the Congress should have been designed to assist the Coast Guard in understanding the impact of proposed regulations on port operations and transportation workers alike, instead have been less than useful in the rulemaking process. Certainly, all of us are looking forward to hearing from our witnesses today on the extent to which the pilot was used to inform the rulemaking process. Maritime security is not the provenance of the Federal Government alone. Private industry and other stakeholders have an important role to play, but the Government has introduced an unacceptable level of uncertainty when it comes to TWIC. For several years, Members of this committee have been calling on the Department to release the reader rules on--or effective assessment of the program. That strikes me as a very poor way to run this program. Last Congress, I introduced the SMART Port Act, which passed through this committee and in the House, which would have made a series of reforms to the TWIC program. Included in that bill was a provision which required TSA to change the requirement for TWIC applicants who currently must go to an enrollment center twice and instead would allow for only visit to an enrollment center by allowing cards to be sent through the mail, just as passports and credit cards are today. Through our efforts, that provision was attached to last year's Coast Guard authorization act and it was signed into law by the President. However, it does appear that TSA will not comply with the 270-day time line in the statute. Making two trips to an enrollment center seems to just be a very onerous burden on transportation workers. So I will be very interested to hear how TSA will implement this provision, consistent with Congressional intent within that time frame. Millions of dollars of previously allocated and future grant spending are predicated on the TWIC providing a tangible security benefit at the Nation's ports and maritime facilities. We have an obligation to get this done right, and the way this program has been run so far does not give us the confidence that we are on the right course. Today I hope that we will be able to examine the security purpose of the TWIC card, principally, as well as chart out the future of this program to ensure that we maximize security and minimize the burden on American workers. With that, I would yield to the gentlelady from Texas, my Ranking Member, Ms. Jackson Lee. [The statement of Chairwoman Miller follows:] Statement of Chairwoman Candice S. Miller June 18, 2013 After 9/11, Congress passed the Maritime Transportation Security Act--MTSA--to address several security vulnerabilities within the Nation's maritime and transportation sectors to prevent acts of terrorism that might impact the Nation's economy. Among the provisions of the bill, was a requirement for DHS to develop a secure biometric access credential for individuals who require unescorted access to secure areas of regulated maritime facilities and vessels. Ports, by their very nature, may be susceptible to acts of terrorism that could cause loss of life and severe economic disruption. The lack of access control at the Nation's ports was a glaring security vulnerability that MTSA, and subsequently the Transportation Worker Identification Credential (TWIC) was intended to fix. However, more than 11 years later, the TWIC card, designed to prevent terrorists from gaining access to sensitive parts of the Nation's ports, is currently no more than an expensive flash pass that costs workers $129.75--principally to run criminal and terrorism background checks on prospective applicants. Unfortunately, the biometric capabilities on the card are of little use because delays in the pilot program and rulemaking processes have taken longer than ever intended. Pilot programs, as envisioned by the Congress, should have been designed to assist the Coast Guard in understanding the impact of proposed regulations on port operations and transportation workers alike, instead have been less than useful in the rulemaking process. I am looking forward to hearing from our witnesses on the extent to which the pilot was used to inform the rulemaking process. Maritime security is not the provenance of the Federal Government alone. Private industry and other stakeholders have an important role to play, but the Government has introduced an unacceptable level of uncertainty when it comes to TWIC. For several years, Members of this committee have been calling on the Department to release the reader rule to provide some certainty to workers and industry. Finally, we have a notice of proposed rulemaking that only requires TWIC readers to be used at the riskiest 5 percent of all TWIC-regulated vessels and facilities, nearly 6 years after workers were first required to pay for and obtain a TWIC card. The proposed rule and findings of a recent GAO report, leads to some very simple questions about the threat, risk, and vulnerability at our Nation's ports, and how the TWIC program should be used to reduce the risk of a terrorist attack at the handful of facilities and vessels identified in the proposed rule. I support a smart, risk-based approach to security, because I am convinced that maritime security is maximized through the use of a risk-based methodology. However, we should continue to scrutinize troubled programs by examining the principal reason they exist--in this case, preventing terrorists from doing economic harm to the Nation by disrupting the supply chain. This hearing will hopefully answer the question of whether or not the TWIC program serves that purpose. At this point, I believe it is still an open question as to what degree this card enhances maritime security. To that end, I hope to hear answers to the following questions: How many terrorist plots have been stopped by this card? Does TWIC enhance security in a tangible way? Can we address the security challenges at our Nation's ports in a more cost-effective, and balanced way? Today, we will hear from the Government Accountability Office, which recently reported that, `` . . . DHS has not demonstrated how, if at all, TWIC will improve maritime security.'' An assessment of how TWIC improves maritime security should have been one of the very first things the Department did when it began to implement the program. It has been more than a decade since the legislation that required TWIC was first enacted, but it is troubling that we have never done a simple security or effectiveness assessment of the program. That strikes me as a poor way to run a program. Last Congress, I introduced the SMART Port Act which passed through this committee and in the House, and would have made a series of reforms to the TWIC program. Included in that bill was a provision, originally authored by Mr. Scalise, which required TSA to change the requirement for TWIC applicants who currently must go to an enrollment center twice, and instead would allow for only one visit to an enrollment center by allowing cards to be sent through the mail, just as passports and credit cards are today. Through our efforts, that provision was attached to last year's Coast Guard Authorization Act and was signed into law by the President. However, it appears that TSA will not comply with the 270-day time line in statute. Making two trips to an enrollment center is an onerous burden on transportation workers, and I will be very interested to hear how TSA will implement this provision, consistent with Congressional intent within that time frame. Millions of dollars of previously allocated and future grant spending are predicated on the TWIC providing a tangible security benefit at the Nation's ports and maritime facilities. We have an obligation to get this right, and the way this program has been run so far does not give me the confidence that we are on the right course. Today, I hope that we examine the security purpose of the TWIC card, as well as chart out the future of this program to ensure that we maximize security and minimize the burden on American workers. With that I will yield to the gentlelady from Texas. Ms. Jackson Lee. Thank you. Good morning. I want to thank you, Madam Chairwoman, for holding today's hearing on the Department of Homeland Security's Transportation Worker Identification Credential program, something that many of us who have served on this committee have been dealing with not only with our constituents, but with our individual constituents and our corporate constituents, such as the Houston Port Authority. We have tried to be responsive to individuals, constituents who simply need to get to work. To our dismay, there have been a number of challenges with this program, though I know that its intentions were well-intentioned. Challenges that I would like to offer for the record are the site locations for individuals, the hours that TWIC offices would be open, the difficulty of those who lived away from ports or places like Louisiana, where they had to secure them places away from their particular home base. So there have been a lot of issues that have arisen with TWIC, and as I indicated, the intentions were good to give this card of identification. As a Member of Congress representing the port of Houston, the formal Chairwoman and Ranking Member of the Subcommittee on Transportation Security, and now working with this committee and Madam Chairwoman, I have been focused on the TWIC program since its creation. Early on, I engaged ports, workers, and other stakeholders about the program and heard their concerns about how it was being deployed. Like many of my colleagues, my office has received significant amounts of TWIC casework primarily from workers having difficulty obtaining and renewing their TWIC cards. While some of the issues with the program have largely been addressed, over time, other concerns have taken their place. I am particularly troubled by the Government Accountability Office report released last month that found serious problems with the TWIC reader pilot, which was intended to serve as the basis for the TWIC reader rulemaking. GAO has found that the pilot results were incomplete, inaccurate, and unreliable for informing Congress and for developing a final reader rule. GAO concluded these issues, calling to question the TWIC program's premise and its effectiveness in enhancing security. These concerns, coupled with prior unaddressed issues related to security vulnerabilities with the program, prompted GAO to recommend that the Department not move forward until a security assessment of the program is completed. However, DHS, which was made aware of GAO's finding in December 2012, published a notice of proposed rulemaking for the TWIC readers in March of this year. The NPRM would require readers to be deployed to only the highest-risk facilities and vessels accessed by just 5 percent of TWIC holders. While nothing precludes DHS from expanding the reader requirement in the future, such a limited deployment of biometric readers is not what Congress envisioned when it mandated the TWIC program, and I would encourage DHS to regroup and reassess, take more advice and counsel from stakeholders, more importantly reassess the technology. Technology is good. But it can be even better, obviously, if we pause for a moment and try to develop the technology that will, in fact, work. I am not advocating for broader deployment of readers at present, but I am concerned that DHS would ask port workers to pay for a biometric card whose biometric capabilities apparently may never be utilized. More broadly, I am concerned that DHS appears to be moving forward with its long-delayed reader rule before addressing the fundamental concerns that the program GAO has identified in its reports. I was pleased to invite from the port Mr. Marcus Woodring, who we have engaged and over the years has given effective service in the United States Coast Guard and has dealt with the TWIC issue over and over again, to testify before the subcommittee today to offer his port's perspective on the issues facing the TWIC program. Besides being one of the Nation's major ports with a significant presence of petrochemical-related facilities and vessels, the port of Houston has been using TWIC readers voluntarily since 2008. Mr. Woodring currently serves as managing director for health, safety, security, and environment at the Port of Houston Authority, having recently served in the Coast Guard, cumulating with service as captain of the port for the Houston region. I am especially interested in hearing from him about the port of Houston's experience with TWIC readers and his views on how the TWIC program can be strengthened going forward. I am delighted that he is here along with all the other witnesses, who I welcome. I want to hear from our DHS witnesses about how they plan to address GAO's recommendation, ensure TWIC programs become the maritime security program Congress intended, that ports and facilities can use without undue disruption to their businesses, and that DHS can justify asking maritime workers to continue to pay for. Finally, I would note that I have previously supported one enrollment process, one fee, and one security threat assessment for transportation workers. Madam Chairwoman, I will tell you, with all the numbers of cards that I have heard workers having to have, it may be well time for us to try and do that. I would like to hear from witnesses today about how the on- going issues of the TWIC program might affect this effort. Again, we are grateful for the witnesses, and I want to acknowledge Mr. O'Rourke and Ms. Gabbard present here today. Thank you very much, Madam Chairwoman. I yield back. [The statement of Ranking Member Jackson Lee follows:] Statement of Ranking Member Sheila Jackson Lee June 18, 2013 As a Member of Congress representing the port of Houston, the former Chairwoman and Ranking Member of the Subcommittee on Transportation Security, and current Ranking Member of the Subcommittee on Border and Maritime Security, I have been focused on the TWIC program since its creation. Early on, I engaged ports, workers, and other stakeholders about the program and heard their concerns about how it was being deployed. Like many of my colleagues, my office has received significant amounts of TWIC casework, primarily from workers having difficulty obtaining and renewing their TWICs. While some of the issues with the program have largely been addressed over time, other concerns have taken their place. I was particularly troubled by the Government Accountability Office (GAO) report released last month that found serious problems with the TWIC reader pilot, which was intended to serve as the basis for the TWIC reader rulemaking. GAO found that the pilot results were incomplete, inaccurate, and unreliable for informing Congress and for developing a final reader rule. GAO concluded these issues call into question the TWIC program's premise and its effectiveness in enhancing security. These concerns, coupled with prior, unaddressed issues related to security vulnerabilities with the program, prompted GAO to recommend that the Department not move forward until a security assessment of the program is completed. However, DHS, which was made aware of GAO's findings in December 2012, published a Notice of Proposed Rulemaking (NPRM) for the TWIC readers in March of this year. The NPRM would require readers to be deployed to only to the highest-risk facilities and vessels, accessed by just 5% of TWIC holders. While nothing precludes DHS from expanding the reader requirement in the future, such a limited deployment of biometric readers is not what Congress envisioned when it mandated the TWIC program. I am not advocating for broader deployment of readers at present, but am concerned that DHS would ask port workers to pay for a biometric card whose biometric capabilities apparently may never be utilized. More broadly, I am concerned that DHS appears to be moving forward with its long-delayed reader rule before addressing the fundamental concerns with the program GAO has identified in its reports. I was pleased to invite a witness from the port of Houston, Mr. Marcus Woodring, to testify before the subcommittee today to offer his port's perspective on the issues facing the TWIC program. Besides being one of the Nation's major ports with a significant presence of petrochemical-related facilities and vessels, the port of Houston has been using TWIC readers voluntarily since 2008. Mr. Woodring currently serves Managing Director for Health, Safety, Security, and Environmental (HSSE) at the Port of Houston Authority, having recently served in the Coast Guard culminating with service as captain of the port for the Houston region. I am especially interested in hearing from him about the port of Houston's experience with TWIC readers and his views on how the TWIC program can be strengthened going forward. Similarly, I want to hear from our DHS witnesses about how they plan to address GAO's recommendations and ensure TWIC becomes the maritime security program Congress intended, that ports and facilities can use without undue disruption to their businesses, and that DHS can justify asking maritime workers to continue to pay for. Finally, I will note that I have previously supported one enrollment process, one fee, and one security threat assessment for transportation workers. I would like to hear from our witnesses today about how the on- going issues with the TWIC program might affect this effort. Mrs. Miller. Let me formally introduce our witnesses this morning. Again, we welcome all of you gentlemen. We appreciate you taking the time to be here. First of all, Rear Admiral Joseph Servidio is the assistant commandant for prevention policy overseeing Coast Guard inspections and compliance, marine transportation systems, and commercial regulations and standards. He is responsible for navigation and boating safety, commercial vessels, ports and facilities, merchant mariner credentialing, and vessel documentation. We welcome you, Admiral. Mr. Steven Sadler is the assistant administrator for the Office of Intelligence and Analysis at the Transportation Security Administration. In this role, he is responsible for the alignment of intelligence functions with vetting operations. Before joining TSA, Mr. Sadler spent 25 years in the commercial maritime industry in a number of leadership roles. Welcome. Mr. Stephen Lord directs the GAO's numerous engagements on aviation and surface transportation security issues and regularly discusses these issues before Congress in various industry forums. He supervised recent reviews of TSA passenger rail security programs and the TWIC program. I am going to ask my Ranking Member to make the formal introduction of her constituent, who graciously joins us this morning. Ms. Jackson Lee. As I indicated, let me welcome all the witnesses, but I am particularly--and thank you, Madam Chairwoman, very much--particularly excited and pleased to be able to welcome Mr. Marcus Woodring, retired from the United States Coast Guard, as captain of the port of Houston-Galveston in 2011. We are delighted that he assumed his new and current position with the port of Houston in July of that year. He is responsible for safety, security, environmental stewardship, and emergency response at eight terminals along the Houston ship channel. Over the years, I have had the privilege of working with Captain Woodring, and I would tell you, Madam Chairwoman, that he is one of the most engaged public servants and a problem- solver. I am delighted for him to bring that experience to this committee and this hearing that is so very important today. Welcome you and welcome you from Houston, Captain. Mrs. Miller. Thank you very much. Other Members are reminded that statements may be submitted for the record. [The statement of Ranking Member Thompson follows:] Statement of Ranking Member Bennie G. Thompson June 18, 2013 This committee has a long history of TWIC oversight, going back almost to its inception. Since that time, DHS has made progress in standing up the program, vetting and enrolling approximately 2.5 million maritime workers. Certainly, workers have done their part by applying for TWICs, submitting to background investigations, paying for their credentials, filing for waivers and appeals as necessary, and making multiple trips to ultimately receive their cards. Yet, the program has long been plagued by delays, security vulnerabilities, and other problems. These problems now have many questioning whether TWIC will ever be the transportation security program Congress envisioned when it enacted the Maritime Transportation Security Act of 2002 and the SAFE Port Act of 2006. Just last month, the Government Accountability Office issued its latest in a series of troubling reports related to TWIC--this time on the reader pilots. GAO concluded that the pilots were so severely flawed that they cannot be used to inform DHS' long-delayed rulemaking process for the TWIC readers. Despite being made aware of GAO's serious concerns about the reliability of the reader pilot data and the TWIC program as a whole, Coast Guard published its Notice of Proposed Rulemaking (NPRM) for the TWIC readers earlier this year. The NPRM divides ports and facilities into three risk groups, requiring only those in the highest-risk group--Group A--to install biometric readers for admittance to secure areas. Facilities in Groups B and C can continue to allow TWICs to be used as ``flash passes'' with only a visual inspection required to gain access. This means that only 5% of TWIC holders would be using their biometric credentials as Congress intended--with a biometric reader. The remainder of TWIC holders will continue to use their card as an expensive flash pass. Let me be clear--I am not advocating for deployment of readers at additional facilities or vessels at this time. Rather, I believe the limited deployment of readers proposed by the rule raises some hard questions that need to be answered. For example, what does it say about the security value of the TWIC, and the TWIC program itself, if DHS does not believe the program needs to be fully deployed at all regulated facilities? And how can we continue requiring workers to pay for a biometric credential when, in the vast majority of cases, the full capability of that card will not be used? To get answers to these and other vital questions, I strongly support GAO's recommendation for an assessment of the TWIC program prior to its continued deployment. My staff has done significant stakeholder outreach on the rule, and I plan to file comments based on this outreach and our oversight work outlining my thoughts and concerns. I look forward to a discussion today about what needs to be done to address the persistent problems facing the TWIC program. In particular, I hope to hear from GAO in detail about their recommendations for the path forward for the program. Mrs. Miller. Again, thank you all for coming. At this time, the Chairwoman recognizes Admiral Servidio. STATEMENT OF REAR ADMIRAL JOSEPH A. SERVIDIO, ASSISTANT COMMANDANT FOR PREVENTION POLICY, U.S. COAST GUARD Admiral Servidio. Good morning, Madam Chairwoman, Ranking Member Jackson Lee, distinguished Members of the subcommittee. I am Rear Admiral Joe Servidio, the assistant commandant for prevention policy for the Coast Guard, and I am honored to have this opportunity to speak before you today about the Coast Guard's role in enforcing compliance with the Transportation Worker Identification Credential and update you on the status of the TWIC reader rule. The Coast Guard views TWIC as a key component of our layered security strategy. By providing a Nationally-recognized vetting standard and a common credential, TWIC promotes both security and economic efficiency. Issued under a uniform standard, TWIC allows facility and vessel operators, as well as law enforcement Nation-wide, to verify the identity of individuals using a single official document. TWIC enables transportation workers the flexibility to potentially move among facilities, vessels, and geographic regions during routine operations and in emergencies, maintaining security and facilitating resiliency. While TWIC provides a standard baseline to determine suitability to enter the secure area of a facility or vessel regulated under the Maritime Transportation Security Act, it is only half of a two-part process. In addition to possessing a valid TWIC, an individual must also be specifically granted access to a secure area by a vessel or facility security officer. To re-emphasize, the possession of a valid TWIC alone is not sufficient for the holder of a credential to access secure areas. This two-step process provides an additional layer of security to help protect vital maritime transportation infrastructure from unauthorized access or exploitation. In addition to facility and vessel operators' significant efforts, Coast Guard inspectors have validated about 280,000 TWICs during planned and unplanned no-notice visits since 2009. The Coast Guard also reviews approximately 3,100 facility and 11,000 vessel security plans each year. On 22 March 2013, the Coast Guard released the TWIC reader notice of proposed rulemaking, which outlines requirements for certain MTSA-regulated facilities and vessels to use electronic readers as part of their TWIC access control program. This NPRM is an important element of maritime security, as electronic readers allow for biometric confirmation of the TWIC holder's identity. As with our other security regs, the Coast Guard balanced the expected security benefits of the requirement with the expected costs to industry. Accordingly, the reader rule proposes the use of TWIC readers only at the vessels and facilities where a security incident could pose the greatest consequence and where biometric verification of a TWIC would reduce risk. Vessels and facilities not required to use electronic readers under this rule will still be required to conduct visual TWIC verifications. The GAO released a report questioning the security benefits of the TWIC and the way the Coast Guard used the results of the pilot program to inform the rule. We indicated to GAO that we were aware of the pilot program's limitations and used pilot data with discretion in developing the NPRM. Moreover, we are convinced that TWIC, including the use of biometric readers, is an important part of our maritime security system. The GAO report was released while the NPRM common period was open. Given the timing of the report's release, a request by Representative Thompson and to ensure that we captured comments informed by the report, we extended the comment period by 30 days to 20 June 2013. The Coast Guard hosted four public meetings around the country, providing other outlets for public feedback on the proposed regs. To date, we have received approximately 50 comments on the NPRM. The Coast Guard's focus is to facilitate a secure and efficient maritime transportation system, and TWIC is an important tool in that effort. As part of our layered security strategy, we are committed to establishing and enforcing effective and efficient access control requirements through TWIC. Our reader NPRM solicits public comment, which we recognize as critical to port security success, and we will continue to work with the Department, TSA, industry groups, labor organizations, Congress, and other key stakeholders to find ways to improve service. We know that we have more work to do, and we will ensure that Congress is informed of our progress. Thank you for the opportunity to testify today, and I look forward to your questions. [The prepared statement of Admiral Servidio follows:] Prepared Statement of Rear Admiral Joseph Servidio June 18, 2013 Good morning Madam Chairwoman and distinguished Members of the subcommittee. Thank you for the opportunity to testify before this committee on the Coast Guard's role in enforcing compliance of the Transportation Worker Identification Credential (TWIC) program within the maritime transportation system. In previous testimonies, the Coast Guard has described our responsibility for ensuring industry compliance with TWIC regulations, the status of our deployment of handheld readers to field units, and our efforts to publish regulations for electronic TWIC readers in accordance with Congressional requirements as provided in the Security and Accountability For Every (SAFE) Port Act of 2006. This testimony will provide an update of our on-going efforts to enhance the safety and security of the Nation's ports through the effective implementation of the TWIC program and recent publication of the TWIC Reader Requirements Notice of Proposed Rulemaking (NPRM). The Coast Guard and the Transportation Security Administration (TSA) have formed a successful partnership in the joint management of the TWIC program and continue to work together to effectively build, manage, and improve it. TSA is responsible for TWIC enrollment, security threat assessment and adjudication, card production, technology, TWIC issuance, conduct of the TWIC appeal and waiver process as it pertains to credential issuance, and management of Government support systems. The Coast Guard is responsible for establishing and enforcing access control requirements at Maritime Transportation Security Act (MTSA) regulated vessels and facilities, which include the requirement for TWIC. value of twic TWIC is one part of the layered approach to port security and establishes a minimum, uniform, vetting, and threat assessment for mariners and port workers across the country. It ensures that workers needing routine, unescorted access to secure areas of facilities and vessels are vetted against a specific list of terrorism associations and criminal convictions and it provides a standard baseline for determining an individual's suitability to enter the secure area of a MTSA-regulated vessel or facility. However, it is only the first half of a two-part process. First, vessel and facility security personnel must determine that an individual posseses a valid TWIC. Second, they must assess the individual's business case for entering a vessel or facility before granting the person unescorted access. The possession of a valid TWIC alone is not sufficient to gain the holder of that credential access to secure areas on vessels or facilities across the country. The TWIC provides a means by which a vessel or facility security officer can determine that an individual has been vetted to an established standard. It helps inform the security officer's decision to grant unescorted access to an individual. The facility owners/operators must maintain control of the access privileges to their respective facilities based on the valid TWIC and business case. The Nation-wide recognition of TWIC promotes security and standardization. A common credential enables facility and vessel operators as well as Federal, State, local, Tribal, and territorial law enforcement entities to verify the identity of individuals--a step that was not feasible prior to TWIC implementation with potentially thousands of different facility-specific credentials. TWIC also allows transportation workers to move among facilities, vessels, and geographic regions as needed for routine market demands and during emergencies, while still maintaining security. As required by the SAFE Port Act, the Coast Guard conducts at least two security inspections annually at MTSA-regulated facilities, with one inspection being unannounced. Vessels and facilities in all 42 Coast Guard Captain of the Port Zones are in compliance with TWIC requirements, and have been since the April 15, 2009 implementation date. In addition to the security activities taken by vessel and facility security officers, the Coast Guard conducts regular inspections, spot checks, and TWIC verifications at approximately 3,100 maritime facilities, 14,000 vessels, and 50 outer continental shelf facilities. Our enforcement program also includes the use of hand-held TWIC readers by Coast Guard personnel to conduct spot checks using the biometric capabilities of TWIC. reader requirements On March 22, 2013, the Coast Guard issued the TWIC Reader Requirements Notice of Proposed Rulemaking which outlines requirements for certain MTSA-regulated facilities and vessels to use electronic readers in accordance with Congressional requirements as provided in the SAFE Port Act as part of their TWIC access control program. The Notice of Proposed Rulemaking maintain the visual verification requirement for remaining vessels and facilities. Per 33 CFR Parts 104, 105, and 106, this visual inspection must include, at a minimum:A match of the photo on the TWIC to the individual presenting it; Verification that the TWIC has not expired; and A visual check of the various security features present on the card to determine whether the TWIC has been tampered with or forged. This Notice of Proposed Rulemaking is an important element of the Coast Guard's maritime security mission. Electronic readers add an important additional layer of security by providing biometric confirmation of the TWIC holder's identity. As you are aware, the Government Accountability Office (GAO) recently released a report questioning the security benefits of TWIC, and the way in which the Coast Guard used results of the pilot program to inform the reader rule. As we indicated to GAO in our reply to their report, we were aware of the pilot program's limitations, and used it with discretion in developing the Notice of Proposed Rulemaking. Moreover, we are convinced that TWIC, including the use of biometric readers, can and should be a part of the Nation's maritime security system. In part, because the GAO report came out while the Notice of Proposed Rulemaking public comment period was open, we extended the open period by 30 days to June 20, 2013, to ensure that the public had sufficient opportunity to review and provide feedback on the proposed regulations. conclusion TWIC is improving access control at vessels and maritime facilities across the country. Its standard, Nation-wide recognition secures and facilitates a resilient, mobile transportation workforce during routine and emergency situations. The Coast Guard's NPRM will further increase the security value of TWIC to the Nation by focusing on the highest- risk vessels and facilities. We will continue to work with TSA, industry groups, labor organizations, and other stakeholders to find ways to reduce costs, and improve service. As part of that process, we will continue to monitor the costs and benefits of TWIC, as well as the external security environment. In all of these matters, our primary concern is to provide the American people with a secure and efficient marine transportation system. We know we have more work to do, and we will ensure Congress is informed of our progress. Thank you for the opportunity to testify today. I look forward to your questions. Mrs. Miller. Thank you very much, Admiral. The Chairwoman now recognizes Mr. Sadler for his testimony. STATEMENT OF STEVE SADLER, ASSISTANT ADMINISTRATOR, TRANSPORTATION SECURITY ADMINISTRATION Mr. Sadler. Good morning, Chairman Miller, Ranking Member Jackson Lee, and distinguished Members of the subcommittee. Thank you for the opportunity to speak with you today about TSA's role in the TWIC program. TWIC provides a uniform biometric tamper-resistant credential that is issued following the successful completion of the security threat assessment. For those with a business need, the credential is required to gain unescorted access to secure areas at port facilities and vessels regulated under the Maritime Transportation Security Act. TSA is responsible for enrollment and security threat assessments, as well as system operations and maintenance. TSA conducts a comprehensive security threat assessment, and more than 2.3 million transportation workers hold active TWIC cards. These credentials represent a capability that didn't previously exist in the maritime environment. We have taken the following steps to improve the program and reduce burden on workers while maintaining the security objectives of the program. In August 2012, we announced the Extended Expiration Date TWIC initiative, a one-time effort that runs through December 2014. This initiative allows workers to extend their credential for 3 years at half the cost of a 5- year credential and requires only one visit to an enrollment center. Last month, TSA processed over 58,000 requests for TWIC cards. Of these, almost 23,000 were for the 3-year credential. This means the travel burden on 39 percent of all current applicants can be cut in half. To reduce wait times for workers, we have added customer service representatives and refined contractual performance standards. We have developed a web-based process that allows workers to apply for an Extended Expiration Date TWIC or a replacement card, and we have a plan to increase mobile enrollment opportunities. We are in the process of transitioning our single enrollment and system maintenance contract to two separate contracts. This will give us better oversight capability and allow the contractors to focus on their core functions. As directed by Congress, we are reforming the program by implementing the one-visit initiative to enable all workers to apply for and obtain a credential with a single visit to an enrollment center. Beginning with a pilot program in Alaska next month, we will expand the initiative Nation-wide in 2014. With one visit, an applicant will provide identification and biometric information during a single visit to an enrollment center. If approved to receive the credential, TSA will mail the card directly to the applicants, saving the applicant time and travel cost. We are more than doubling the number of enrollment centers from 136 to approximately 300 sites by leveraging existing assets that will allow transportation workers to apply for a TWIC or hazardous material endorsement at the same location. The SAFE Port Act directed DHS to conduct a reader pilot to test the viability of biometric card readers. Seventeen sites participated on a voluntary basis. These facilities started using readers in August 2008, and despite numerous challenges identified in our report to Congress submitted in February 2012, the pilot generated considerable data that proved helpful in evaluating reader performance and assessing the impact of readers at maritime facilities. We concluded that the reader system functions properly when designed, installed, and operated in a manner consistent with the business requirements of the facility or vessel operation. When TWIC readers are deployed, it will determine whether a card is authentic, valid, and issued by TSA. They will also facilitate access control decisions made by port facilities and vessels. In the biometric mode, readers confirm through a fingerprint match that the person using the card is the rightful owner of the card. Prior to the TWIC program, there was no standard identity verification or background check policy for entrance to a port facility or vessel. Today, facility and vessel owners and operators can look for one identification document based on an extensive background check. The use of readers and biometric verification will enhance security at MTSA-regulated port facilities and vessels. Thank you for the opportunity to be here today. I look forward to taking your questions. [The prepared statement of Mr. Sadler follows:] Prepared Statement of Steve Sadler June 18, 2013 Good morning Chairman Miller, Ranking Member Jackson Lee, and distinguished Members of the subcommittee. Thank you for the opportunity to testify today about the Transportation Security Administration's (TSA) role in the Transportation Worker Identification Credential (TWIC) program. To fulfill a security mission of such scale, the Department of Homeland Security (DHS) leverages the expertise of its components to evaluate the entities that comprise the maritime domain and design security measures to counter potential threats. TWIC provides a uniform, industry-wide, biometric, tamper-resistant credential that is issued following successful completion of a security threat assessment (STA). Following successful completion of the STA and payment of relevant fees, eligible maritime workers are provided a tamper- resistant biometric credential that permits unescorted access to secure areas of port facilities and vessels regulated by the USCG under MTSA. These security benefits are most fully realized when the credential is used in conjunction with readers that can provide electronic verification. TSA and the United States Coast Guard (USCG) jointly administer the fee-based TWIC program, which was established under Section 102 of the Maritime Transportation Security Act (MTSA) of 2002. The Act required the Secretary (at the time the Secretary of the Department of Transportation) to issue biometric transportation security cards to prevent unauthorized individuals from entering an area of a vessel or facility designated as a secure area. Currently, TSA is responsible for enrollment, STAs, and systems operations and maintenance related to TWICs while the USCG is responsible for establishing and enforcing access control standards including requirements for TWIC readers at MTSA-regulated facilities and vessels. TSA began National deployment of the TWIC program on October 16, 2007, with the enrollment of maritime workers at the Port of Wilmington, DE. Since that time, TSA has conducted comprehensive STAs and issued TWIC credentials to over 2.5 million workers while identifying and preventing approximately 50,000 TWIC applicants who did not meet the required security standards from receiving a TWIC. twic: meeting industry needs and security requirements The TWIC program represents an important maritime security measure by allowing facility and vessel security operators to verify that the holder has successfully passed the STA, through possession and visual inspection of the TWIC credential. Workers at the approximately 13,825 vessels and 3,270 maritime facilities that the USCG regulates under MTSA have been required to present their TWIC for unescorted entry to secure areas of those facilities since mid-April 2009. Until TWIC readers are in place, security access personnel are required to visually inspect the TWIC prior to granting unescorted access to secure areas on-board regulated vessels and at facilities. TWIC reader systems are designed to determine whether a card is authentic, valid, and issued by TSA. The readers also check that the card has not expired and, by accessing the cancelled card list, can determine if the card has been revoked or reported lost or stolen. When used in the biometric mode, readers confirm through a fingerprint match that the person using the card is the rightful owner of the card. The TWIC card and reader system can perform these checks virtually anywhere with portable or fixed readers because connectivity to an external database is not required. A TWIC is valid for 5 years. The cost is $129.75, unless a worker has a comparable STA and uses it to establish TWIC eligibility, in which case the cost is $105.25. In late August 2012, DHS announced the Extended Expiration Date (EED) initiative under which eligible workers have been able to submit a request to extend the expiration date on their TWIC by 3 years and pay a $60 card replacement fee. The EED is a one-time initiative through December 31, 2014. The TWIC reader requirements have been proposed by USCG in a Notice of Proposed Rulemaking published on March 22, 2013. The NPRM proposals, if finalized as published, would require TWIC readers for certain high- risk vessels and facilities. Use of readers at these sites would enhance security by verifying the validity of the TWIC card as well as the identity of the card owner. TSA is committed to partnerships with stakeholders, including the private sector, to carry out its mission. To meet the demands of the TWIC program, the TSA will provide MTSA-regulated facility owners and operators with a list of TWIC readers that meet current TWIC specifications as outlined in current guidance. TSA established the Qualified Technology List (QTL) process on November 1, 2012, with the announcement that three National Voluntary Laboratory Accreditation Program laboratories were accredited to accept readers for compliance testing. ``onevisit'' initiative and other plans to enhance customer service TSA will soon implement the ``OneVisit'' initiative to facilitate card issuance to eligible applicants and individuals needing a replacement TWIC. The initiative will enable individuals to apply for and obtain a TWIC with a single visit to an enrollment center and will begin with a pilot in Alaska this summer and expand Nation-wide in 2014 after TSA carefully evaluates the pilot results. Under ``OneVisit,'' an applicant will visit an enrollment center to provide identification and biometric information. Upon successful completion of an STA, TSA will directly mail a card to the applicant. ``OneVisit'' will eliminate the need for the transportation worker to make a follow-up visit to an enrollment center to activate the card and select a Personal Identification Number (PIN). Eliminating this second visit saves the applicant time and travel costs, as well as easing crowding at enrollment centers. The Coast Guard and Maritime Transportation Act of 2012 mandates that, within 270 days from the date of enactment, DHS reform the process for TWIC enrollment, activation, issuance, and renewal to require no more than one in-person visit to a designated enrollment center, except in cases where extenuating circumstances exist requiring more than one visit. DHS made clear that, while a plan would be initiated within 270 days to reform the process, it would likely take additional time to fully implement the provision in a manner that preserved the security of the credential. In addition to ``OneVisit,'' TSA is committed to providing enhanced customer service in a variety of ways. TSA will expand the number of TWIC enrollment centers from 136 to approximately 300 sites by transitioning Hazardous Materials Endorsement (HME)/TWIC enrollments sites to Universal Enrollment Service Centers. This will permit individuals to apply for a TWIC or HME at the same location, and shorten travel distances for many applicants. TSA is also increasing its oversight of customer service at our enrollment centers and has added call center representatives to reduce call wait times. the twic reader pilot In October 2006, pursuant to the SAFE Port Act, Congress mandated that DHS conduct a TWIC reader pilot to inform reader requirements prior to Nation-wide implementation and test the viability of selected biometric card readers while examining the technical aspects of connecting TWIC readers to access control systems. Seventeen sites participated in the reader pilot on a voluntary basis. These facilities used readers in conjunction with TWICs starting in August 2008. The pilot faced several constraints, including extreme differences in the nature of operations at participating sites. Additionally, the participating sites had to ensure that the use of the new readers and test protocols did not interfere with the security and daily operations of the facilities. Notwithstanding these challenges, the TWIC reader pilot generated considerable data that proved helpful in evaluating reader performance and assessing the impact of using readers at maritime facilities. Following analysis of the pilot results, TSA concluded that TWIC reader systems function properly when they are designed, installed, and operated in a manner consistent with the characteristics and business needs of the facility or vessel operation. TSA also found that reader systems can facilitate access decisions efficiently and effectively despite the operational and technological difficulties that affected performance at some pilot locations. While a recent Government Accountability Office (GAO) report evaluating the results of the TWIC reader pilot program concluded that that DHS should not use the analysis of the pilot program as basis for developing the final TWIC reader regulation, the pilot did produce valuable information concerning the environmental, operational, and fiscal impacts of the use of TWIC readers. conclusion Prior to the TWIC program, there was no standard identity verification or background check policy for entrance to a port facility or vessel. This created opportunities for fraud as well as security risks. Today, facility and vessel owners and operators look for one standard identification document that confirms the holder's identity and verifies that he or she successfully completed an STA. The use of readers and biometric verification will enhance security at MTSA- regulated port facilities and vessels. TSA and its partners have taken significant steps to add layers of security to protect our Nation's port facilities and vessels. These steps link together information sharing, security, and law enforcement from across TSA, USCG, DHS, and a multitude of partnerships. Each security layer builds upon and complements the others. TWIC is one of those layers. Thank you for the opportunity to discuss the TWIC program. I am available to answer any questions. Mrs. Miller. Thank you very much. The Chairwoman now recognizes Mr. Lord. STATEMENT OF STEPHEN M. LORD, DIRECTOR, FORENSIC AUDITS AND INVESTIGATIVE SERVICES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE Mr. Lord. Good morning, Chairwoman Miller, Ranking Member Jackson Lee, and other distinguished Members of the committee. I am really pleased to be here today to discuss our recent work on the TWIC pilot. As context, I would like to note that GAO has conducted an extensive body of work on a TWIC program spanning several years, which I believe gives me some unique insights to come in on the program today. The overall message that I wanted to convey today--I think this is a very important message--is that the pilot results reported to Congress in February 2012 should not be used as a basis to inform the current rulemaking or to inform decision- making. Why is that? As we noted in our May 2000 report, we identified a number of planning, data collection, and reporting challenges that we believe made the pilot results unreliable. I am a little surprised to see on the March 22 NPRM that the Coast Guard concluded that the cards function properly and enhance security, as we found this very difficult to extrapolate from the pilot results. In terms of planning, we think it is notable that DHS did take some important initial steps to address the pilot planning issues we identified in our 2009 report. At the same time, it did not develop an evaluation plan or performance standards as we recommended. In terms of data collection, we identified several limitations in the way data was collected during the pilot. For example, TSA and the independent test agent did not always record clear baseline data for comparing reader performance. They also did not collect complete data on card failures or the reasons an individual was denied access to a facility. Also, the operational impact of using TWICs, that was one of the key purposes of the pilot, with readers was not consistently documented across pilot sites. As a result of these challenges, this made it really difficult to determine whether the problems encountered at the pilot sites were due to the card itself, the card reader, or the way the users were using them or a combination of all three. In terms of the report to Congress, we found that some of the information in the report was not always supported by the pilot data. For example, assessments of entry times at ports-- this is really important piece of data--the throughput times were--seem to have been mixed up with the reader response time, which is calculated in a controlled laboratory setting. DHS's report also stated that the TWIC readers can enhance security, even though that type of data was not collected during the pilot, nor was it a purpose of the pilot. Thus, it is still unclear how TWICs--using TWICs with readers will improve security even though we recommended that the Department assess this in our May 2011 report. To be fair, DHS officials, TSA officials did note that several challenges affected their ability to collect reliable data. For example, TSA noted that pilot participation was voluntary and, in some cases, it was analogous to herding cats. It is difficult to ensure consistency. TSA and the Coast Guard also said the independent test agent did not always collect and record key data consistently. We spoke to the independent test agent. He identified some resource constraints. Basically, they didn't have the physical presence in all locations to really figure out why the cards weren't working. However, we believe these risks could have been mitigated through better pilot planning and implementation. In closing, given the many issues we identified, we believe Congress should consider repealing the requirement that the final regulations for the card readers be consistent with the findings of the pilot. Essentially, we think those two events should be de-linked. Instead, we still believe Congress should require DHS to complete a security assessment to clearly show how using TWICs with readers will actually improve security over and above the systems that are already in place. This is something we recommended in our May 2011 report, which is still an open recommendation. As part of this assessment, we believe they should consider alternative credentialing approaches, including consideration of a more decentralized approach. We think it is really important to look at other approaches for achieving the same goal. Madam Chairwoman, other Members of the committee, this concludes my prepared statement. I look forward to your questions. Thank you. [The prepared statement of Mr. Lord follows:] Prepared Statement of Stephen M. Lord June 18, 2013 transportation worker identification credential.--card reader pilot results are unreliable; security benefits should be reassessed gao-13-695t Chairman Miller, Ranking Member Jackson Lee, and Members of the subcommittee: I am pleased to be here today to discuss our work examining the Department of Homeland Security's (DHS) Transportation Worker Identification Credential (TWIC) program. Ports, waterways, and vessels handle billions of dollars in cargo annually, and an attack on our Nation's maritime transportation system could have serious consequences. Maritime workers, including longshoremen, mechanics, truck drivers, and merchant mariners, access secure areas of the Nation's estimated 16,400 maritime-related transportation facilities and vessels, such as cargo container and cruise ship terminals, each day while performing their jobs.\1\ --------------------------------------------------------------------------- \1\ For the purposes of this statement, the term ``maritime-related transportation facilities'' refers to seaports, inland ports, offshore facilities, and facilities located on the grounds of ports. --------------------------------------------------------------------------- The TWIC program is intended to provide a tamper-resistant biometric credential \2\ to maritime workers who require unescorted access to secure areas of facilities and vessels regulated under the Maritime Transportation Security Act of 2002 (MTSA).\3\ TWIC is to enhance the ability of MTSA-regulated facility and vessel owners and operators to control access to their facilities and verify workers' identities. Under current statute and regulation, maritime workers requiring unescorted access to secure areas of MTSA-regulated facilities or vessels are required to obtain a TWIC,\4\ and facility and vessel operators are required by regulation to visually inspect each worker's TWIC before granting unescorted access.\5\ Prior to being granted a TWIC, maritime workers are required to undergo a background check, known as a security threat assessment. --------------------------------------------------------------------------- \2\ A biometric access control system consists of technology that determines an individual's identity by detecting and matching unique physical or behavioral characteristics, such as fingerprint or voice patterns, as a means of verifying personal identity. \3\ Pub. L. No. 107-295, 116 Stat. 2064. According to Coast Guard regulations, a secure area is an area that has security measures in place for access control. 33 C.F.R. 101.105. For most maritime facilities, the secure area is generally any place inside the outermost access control point. For a vessel or outer continental shelf facility, such as offshore petroleum or gas production facilities, the secure area is generally the whole vessel or facility. A restricted area is a part of a secure area that needs more limited access and higher security. Under Coast Guard regulations, an owner/operator must designate certain specified types of areas as restricted. For example, storage areas for cargo are restricted areas under Coast Guard regulations. 33 C.F.R. 105.260(b)(7). \4\ 46 U.S.C. 70105(a); 33 C.F.R. 101.514. \5\ 33 C.F.R. 104.265(c), 105.255(c). --------------------------------------------------------------------------- Within DHS, the Transportation Security Administration (TSA) and the U.S. Coast Guard (USCG) jointly administer the TWIC program. USCG is leading efforts to develop a new TWIC regulation (rule) regarding the use of TWIC cards with readers (known as the TWIC card reader rule). The TWIC card reader rule is expected to define if and under what circumstances facility and vessel owners and operators are to use electronic card readers to verify that a TWIC card is valid. USCG published the TWIC card reader notice of proposed rulemaking (NPRM) on March 22, 2013, and has since extended the public comment period to June 20, 2013.\6\ --------------------------------------------------------------------------- \6\ 78 Fed. Reg. 17,782 (Mar. 22, 2013); 78 Fed. Reg. 27,335 (May 10, 2013). --------------------------------------------------------------------------- To help inform this rulemaking and to fulfill the Security and Accountability For Every Port Act of 2006 (SAFE Port Act) requirement,\7\ TSA conducted a TWIC reader pilot from August 2008 through May 2011 to test a variety of biometric readers, as well as the credential authentication and validation process. The TWIC reader pilot, implemented with the voluntary participation of maritime port, facility, and vessel operators, was to test the technology, business processes, and operational impacts of deploying card readers at maritime facilities and vessels prior to issuing a final rule.\8\ Among other things, the SAFE Port Act required that DHS submit a report on the findings of the pilot program to Congress.\9\ DHS submitted its report to Congress on the findings of the TWIC reader pilot on February 27, 2012.\10\ The Coast Guard Authorization Act of 2010 required that, among other things, GAO conduct an assessment of the report's findings and recommendations.\11\ --------------------------------------------------------------------------- \7\ Pub. L. No 109-347, 104(a), 120 Stat. 1884, 1888 (codified at 46 U.S.C. 70105(k)). \8\ The SAFE Port Act required the Secretary of Homeland Security to conduct a pilot program to test the business processes, technology, and operational impacts required to deploy transportation security card readers at secure areas of the maritime transportation system. 46 U.S.C. 70105(k)(1)(A). \9\ 46 U.S.C. 70105(k)(4). \10\ Department of Homeland Security, Transportation Worker Identification Credential Reader Pilot Program: In accordance with Section 104 of the Security and Accountability For Every Port Act of 2006, Pub. L. 109-347 (SAFE Port Act) Final Report. Feb. 17, 2012. \11\ Pub. L. No. 111-281, 802, 124 Stat. 2905, 2989. --------------------------------------------------------------------------- We have been reporting on TWIC progress and challenges since September 2003.\12\ Among other issues, we highlighted steps that TSA and USCG were taking to meet an expected surge in initial enrollment as well as various challenges experienced in the TWIC testing conducted by a contractor for TSA and USCG from August 2004 through June 2005. We also identified challenges related to ensuring that the TWIC technology works effectively in the harsh maritime environment.\13\ In November 2009, we reported on the design and approach of a pilot initiated in August 2008 to test TWIC readers, and found that DHS did not have a sound evaluation methodology to ensure information collected through the TWIC reader pilot would be complete and accurate.\14\ Moreover, in May 2011, we reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals.\15\ --------------------------------------------------------------------------- \12\ GAO, Maritime Security: Progress Made in Implementing Maritime Transportation Security Act, but Concerns Remain, GAO-03-1155T (Washington, DC: Sept. 9, 2003). \13\ GAO, Transportation Security: DHS Should Address Key Challenges Before Implementing the Transportation Worker Identification Credential Program, GAO-06-982 (Washington, DC: Sept. 29, 2006). TWIC readers and related technologies operated outdoors in the harsh maritime environment can be affected by dirt, salt, wind, and rain. \14\ GAO, Transportation Worker Identification Credential: Progress Made in Enrolling Workers and Activating Credentials but Evaluation Plan Needed to Help Inform the Implementation of Card Readers, GAO-10- 43 (Washington, DC: Nov. 18, 2009). \15\ GAO, Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives, GAO-11-657 (Washington, DC: May 10, 2011). --------------------------------------------------------------------------- My statement today highlights the key findings of our May 8, 2013, report on the TWIC program, which addressed the extent to which the results from the TWIC reader pilot were sufficiently complete, accurate, and reliable for informing Congress and the TWIC card reader rule.\16\ For the report, among other things, we assessed the methods used to collect and analyze pilot data since the inception of the pilot in August 2008. We analyzed and compared the pilot data with the TWIC reader pilot report submitted to Congress to determine whether the findings in the report are based on sufficiently complete, accurate, and reliable data. Additionally, we interviewed officials at DHS, TSA, and USCG with responsibilities for overseeing the TWIC program, as well as pilot officials responsible for coordinating pilot efforts with TSA and the independent test agent (responsible for planning, evaluating, and reporting on all test events), about TWIC reader pilot testing approaches, results, and challenges. Our investigators also conducted limited covert testing of TWIC program internal controls for acquiring and using TWIC cards at four maritime ports to update our understanding of the effectiveness of TWIC at enhancing maritime security since we reported on these issues in May 2011. Our May 2013 report includes additional details on our scope and methodology. We conducted this work in accordance with generally accepted Government auditing standards, and conducted the related investigative work in accordance with standards prescribed by the Council of the Inspectors General on Integrity and Efficiency. --------------------------------------------------------------------------- \16\ GAO, Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed, GAO-13-198 (Washington, DC: May 8, 2013). --------------------------------------------------------------------------- twic reader pilot results are not sufficiently complete, accurate, and reliable for informing congress and the twic card reader rule Our review of the pilot test identified several challenges related to pilot planning, data collection, and reporting, which affected the completeness, accuracy, and reliability of the results. Pilot Planning DHS did not correct planning shortfalls that we identified in our November 2009 report.\17\ We determined that these weaknesses presented a challenge in ensuring that the pilot would yield information needed to inform Congress and the card reader rule and recommended that DHS components implementing the pilot--TSA and USCG--develop an evaluation plan to guide the remainder of the pilot and identify how it would compensate for areas where the TWIC reader pilot would not provide the information needed. DHS agreed with the recommendations; however, while TSA developed a data analysis plan, TSA and USCG reported that they did not develop an evaluation plan with an evaluation methodology or performance standards, as we recommended. The data analysis plan was a positive step because it identified specific data elements to be captured from the pilot for comparison across pilot sites. If accurate data had been collected, adherence to the data analysis plan could have helped yield valid results. However, TSA and the independent test agent did not utilize the data analysis plan.\18\ According to officials from the independent test agent, they started to use the data analysis plan but stopped using the plan because they were experiencing difficulty in collecting the required data and TSA directed them to change the reporting approach. TSA officials stated that they directed the independent test agent to change its collection and reporting approach because of TSA's inability to require or control data collection to the extent required to execute the plan. --------------------------------------------------------------------------- \17\ GAO-10-43. \18\ To conduct the TWIC reader pilot, TSA contracted with the Navy's Space and Naval Warfare Systems Command (SPAWAR) to serve as the independent test agent to plan, analyze, evaluate, and report on all test events. --------------------------------------------------------------------------- Data Collection We identified eight areas where TWIC reader pilot data collection, supporting documentation, and recording weaknesses affected the completeness, accuracy, and reliability of the pilot data. 1. Installed TWIC readers and access control systems could not collect required data on TWIC reader use, and TSA and the independent test agent did not employ effective compensating data collection measures.--The TWIC reader pilot test and evaluation master plan recognizes that in some cases, readers or related access control systems at pilot sites may not collect the required test data, potentially requiring additional resources, such as on-site personnel, to monitor and log TWIC card reader use issues. Moreover, such instances were to be addressed as part of the test planning. However, the independent test agent reported challenges in sufficiently documenting reader and system errors. For example, the independent test agent reported that the logs from the TWIC readers and related access control systems were not detailed enough to determine the reason for errors, such as biometric match failure, an expired TWIC card, or that the TWIC was identified as being on the list of revoked credentials. The independent test agent further reported that the inability to determine the reason for errors limited its ability to understand why readers were failing, and thus it was unable to determine whether errors encountered were due to TWIC cards, readers, or users, or some combination thereof. 2. Reported transaction data did not match underlying documentation.--A total of 34 pilot site reports were issued by the independent test agent. According to TSA, the pilot site reports were used as the basis for DHS's report to Congress. We separately requested copies of the 34 pilot site reports from both TSA and the independent test agent. In comparing the reports provided, we found that 31 of the 34 pilot site reports provided to us by TSA did not contain the same information as those provided by the independent test agent. Differences for 27 of the 31 pilot site reports pertained to how pilot site data were characterized, such as the baseline throughput time used to compare against throughput times observed during two phases of testing. However, at two pilot sites, Brownsville and Staten Island Ferry, transaction data reported by the independent test agent did not match the data included in TSA's reports. Moreover, data in the pilot site reports did not always match data collected by the independent test agent during the pilot. 3. Pilot documentation did not contain complete TWIC reader and access control system characteristics.--Pilot documentation did not always identify which TWIC readers or which interface (e.g., contact or contact-less interface) the reader used to communicate with the TWIC card during data collection.\19\ For example, at one pilot site, two different readers were tested. However, the pilot site report did not identify which data were collected using which reader. --------------------------------------------------------------------------- \19\ As used in this statement, ``contact-less mode'' refers to the use of TWIC readers for reading TWIC cards without requiring that a TWIC card be inserted into or make physical contact with a TWIC reader. 4. TSA and the independent test agent did not record clear baseline data for comparing operational performance at access points with TWIC readers.--Baseline data, which were to be collected prior to piloting the use of TWIC with readers, were to be a measure of throughput time, that is, the time required to inspect a TWIC card and complete access-related processes prior to granting entry. However, it is unclear from the documentation whether acquired data were sufficient to reliably identify throughput times at truck, other vehicle, and --------------------------------------------------------------------------- pedestrian access points, which may vary. 5. TSA and the independent test agent did not collect complete data on malfunctioning TWIC cards.--TSA officials observed malfunctioning TWIC cards during the pilot, largely because of broken antennas. If a TWIC with a broken antenna was presented for a contactless read, the reader would not identify that a TWIC had been presented, as the broken antenna would not communicate TWIC information to a contactless reader. In such instances, the reader would not log that an access attempt had been made and failed. 6. Pilot participants did not document instances of denied access.--Incomplete data resulted from challenges documenting how to manage individuals with a denied TWIC across pilot sites. Specifically, TSA and the independent test agent did not require pilot participants to document when individuals were granted access based on a visual inspection of the TWIC, or deny the individual access as may be required under future regulation. This is contrary to the TWIC reader pilot test and evaluation master plan, which calls for documenting the number of entrants ``rejected'' with the TWIC card reader system operational as part of assessing the economic impact. Without such documentation, the pilot sites were not completely measuring the operational impact of using TWIC with readers. 7. TSA and the independent test agent did not collect consistent data on the operational impact of using TWIC cards with readers.--TWIC reader pilot testing scenarios included having each individual present his or her TWIC for verification; however, it is unclear whether this actually occurred in practice. For example, at one pilot site, officials noted that during testing, approximately 1 in 10 individuals was required to have his or her TWIC checked while entering the facility because of concerns about causing a traffic backup. Despite noted deviations in test protocols, the reports for these pilot sites do not note that these deviations occurred. Noting deviations in each pilot site report would have provided important perspective by identifying the limitations of the data collected at the pilot site and providing context when comparing the pilot site data with data from other pilot sites. 8. Pilot site records did not contain complete information about installed TWIC readers' and access control systems' design.-- TSA and the independent test agent tested the TWIC readers at each pilot site to ensure they worked before individuals began presenting their TWIC cards to the readers during the pilot. However, the data gathered during the testing were incomplete. For example, 10 of 15 sites tested readers for which no record of system design characteristics were recorded. In addition, pilot reader information was identified for 4 pilot sites but did not identify the specific readers or associated software tested. According to TSA, a variety of challenges prevented TSA and the independent test agent from collecting pilot data in a complete and consistent fashion. Among the challenges noted by TSA: (1) Pilot participation was voluntary, which allowed pilot sites to stop participation at any time or not adhere to established testing and data collection protocols; (2) the independent test agent did not correctly and completely collect and record pilot data; (3) systems in place during the pilot did not record all required data, including information on failed TWIC card reads and the reasons for the failure; and (4) prior to pilot testing, officials did not expect to confront problems with nonfunctioning TWIC cards. Additionally, TSA noted that it lacked the authority to compel pilot sites to collect data in a way that would have been in compliance with Federal standards. In addition to these challenges, the independent test agent identified the lack of a database to track and analyze all pilot data in a consistent manner as an additional challenge to data collection and reporting. The independent test agent, however, noted that all data collection plans and resulting data representation were ultimately approved by TSA and USCG. Reporting As required by the SAFE Port Act and the Coast Guard Authorization Act of 2010, DHS's report to Congress on the TWIC reader pilot presented several findings with respect to technical and operational aspects of implementing TWIC technologies in the maritime environment. However, DHS's reported findings were not always supported by the pilot data, or were based on incomplete or unreliable data, thus limiting the report's usefulness in informing Congress about the results of the TWIC reader pilot. For example, reported entry times into facilities were not based on data collected at pilot sites as intended. Further, the report concluded that TWIC cards and readers provide a critical layer of port security, but data were not collected to support this conclusion. Because of the number of concerns that we identified with the TWIC pilot, in our March 13, 2013, draft report to DHS, we recommended that DHS not use the pilot data to inform the upcoming TWIC card reader rule. However, after receiving the draft that we sent to DHS for comment, on March 22, 2013, USCG published the TWIC card reader NPRM, which included results from the TWIC card reader pilot.\20\ We subsequently removed the recommendation from our final report, given that USCG had moved forward with issuing the NPRM and had incorporated the pilot results into the proposed rulemaking. In its official comments on our report, DHS asserted that some of the perceived data anomalies we cited were not significant to the conclusions TSA reached during the pilot and that the pilot report was only one of multiple sources of information available to USCG in drafting the TWIC reader NPRM. We recognize that USCG had multiple sources of information available to it when drafting the proposed rule; however, the pilot was used as an important basis for informing the development of the NPRM, and the issues and concerns that we identified remain valid. --------------------------------------------------------------------------- \20\ 78 Fed. Reg. 17,782 (Mar. 22, 2013). --------------------------------------------------------------------------- Given that the results of the pilot are unreliable for informing the TWIC card reader rule on the technology and operational impacts of using TWIC cards with readers, we recommended that Congress consider repealing the requirement that the Secretary of Homeland Security promulgate final regulations that require the deployment of card readers that are consistent with the findings of the pilot program,\21\ and that Congress should consider requiring that the Secretary of Homeland Security complete an assessment that evaluates the effectiveness of using TWIC with readers for enhancing port security. This would be consistent with the recommendation that we made in our May 2011 report. These results could then be used to promulgate a final regulation as appropriate. Given DHS's challenges in implementing TWIC over the past decade, at a minimum, the assessment should include a comprehensive comparison of alternative credentialing approaches, which might include a more decentralized approach, for achieving TWIC program goals. --------------------------------------------------------------------------- \21\ 46 U.S.C. 70105(k)(3). --------------------------------------------------------------------------- Chairman Miller, Ranking Member Jackson Lee, and Members of the subcommittee, this concludes my prepared statement. I would be happy to respond to any questions that you may have. Mrs. Miller. I thank the gentleman. The Chairwoman now recognizes Captain Woodring. STATEMENT OF CAPTAIN MARCUS WOODRING, USCG (RET), MANAGING DIRECTOR, HEALTH, SAFETY, SECURITY, AND ENVIRONMENTAL, PORT OF HOUSTON AUTHORITY Captain Woodring. Good morning, Chairman Miller, Ranking Member Jackson Lee, and distinguished Members of the subcommittee. We would like to thank Chairman Miller for holding this important hearing today. I must also recognize Ranking Member Jackson Lee for inviting the Port of Houston Authority as the industry witness. As you know, the port of Houston is in the Ranking Member's district, and we have benefited from both her leadership and advocacy on behalf of the port. The port of Houston is comprised of the Port Authority's eight public terminals, along with more than 150 private terminals. The port is consistently ranked first in the United States in foreign waterborne tonnage, first in imports, second in export tonnage, and second in total tonnage. The port of Houston is also home to the largest petrochemical complex in the Nation. Results of a recent economic impact study show that ship channel-related businesses at the port of Houston are responsible for more than 2.1 million jobs and annually generate $499 billion in economic activity, contributing over $52 billion in tax revenue Nationally. The Port of Houston Authority was not part of the TWIC reader pilot program but has been utilizing installed TWIC readers since 2008, so we speak from real-world experience. The Port of Houston Authority started very early, with the installation of access point hardware, which could utilize the features of the TWIC card. The initial infrastructure was purchased with close to $10 million in port security grant funding. The Port of Houston Authority currently has over 350 access points that can read the TWIC card, of which 73 are biometric. Not all access points used the biometric or coded access technology due to the tremendous flow of commerce through our gates. Our Bayport container terminal, for example, handles close to 19,000 vehicles a week. To facilitate commerce, we currently use the TWIC as a flash pass in our vehicle entrance lanes in conjunction with our visitor management system. Let me expand on that point for just one moment. Having a TWIC is just one part of the regulated access control. I have a TWIC, but that does not give me unfettered access to any restricted port in the country. I must also have a valid business reason to be there. Management of that validation is left to terminal operators. For repeat visitors, we issue a Port of Houston Authority ID card. For occasional visitors, we have designated certain trusted agents to enter names into our visitor management system. On any given day, we average over 3,000 names in that system, all that have a valid business reason for being on- board our facilities and overall have more than 35,000 TWIC cards registered with our credentialing office. The key takeaway is the possession of a TWIC itself is just a piece of the overall security process. During my time as captain of the port for the U.S. Coast Guard, the TWIC was first being introduced and issued in Houston. It took me several months to obtain my initial TWIC card. I recently applied for the 3-year extension and witnessed some process improvements. I would also like to note that when I was with the U.S. Coast Guard, I had the pleasure of accompanying the Ranking Member Jackson Lee to the TWIC office in Houston to activate her card in August 2008. Ma'am, I would like to take this opportunity to remind you that your card expires in 60 days. [Laughter.] Captain Woodring. The benefits of the TWIC reader program are clear. Individuals have a Federally-issued tamper-proof credential that can be used Nation-wide. The program ensures that individuals have been screened against the terrorism database, something I cannot do. The threat of a transportation security incident is reduced at the macro level, but there are still gaps in the system. Most ports issue their own credentials in addition to the TWIC card. I personally carry a port of Houston ID and my TWIC card on a daily basis. Secondly, the background check is only conducted at a very high level for very serious crimes. As a facility owner and operator, we strive to prevent any crime on our docks and still conduct our own local background checks on our employees for lesser crimes, such as driving while intoxicated, theft, or assault. These lesser crimes are just as important to us. Finally, the TWIC background check is a snapshot in time. Unless self-reported, there does not appear to be a constant and on-going linkage between the TWIC issuance and local criminal databases. Currently, the background check of the TWIC program is only as good as the day it was conducted. I would like to leave the subcommittee with two thoughts today. The Port of Houston Authority has received over $60 million in port security grant funding, and it continues to be vital to our security posture. We are in the process of making application for the 2013 port security grants, one of which will request handheld TWIC readers. It is critical to our National security that the port security grant program remain independent of other grant programs and that the erosion of the funding level ceases. Second, the initial intent of the Transportation Worker Identification Credential program was to credential all transportation workers in all transportation modes. It was envisioned as a Nation-wide solution to be used at airports, seaports, rail, pipeline, trucking, and other mass transit. Someday this program will theoretically expand to all those modes of transportation, and what comes out of hearings such as this will more broadly impact the future of the TWIC program. Thank you, and I look forward to your questions. [The prepared statement of Captain Woodring follows:] Prepared Statement of Captain Marcus Woodring June 18, 2013 Chairman Miller, Ranking Member Jackson Lee, and Members of the subcommittee, I am Marcus Woodring. I serve as the managing director for health, safety, security, and environmental (HSSE) at the Port of Houston Authority. We would like to thank Chairman Miller for holding this important and vital hearing today. I must also recognize Ranking Member Jackson Lee for inviting the Port of Houston Authority as the industry witness. As you may know, the port of Houston is in the Ranking Member's district and we have benefitted from her leadership and advocacy on behalf of the port. Security of our Nation's borders, both land and maritime, is a vexing problem with many different components and concerns. While I certainly do not have the solutions to all the challenges, I can tell you about our maritime port facilities, how we operate, and the impact of the TWIC program. First, let me begin by giving you a short background about myself. I earned an undergraduate degree at Brown University, and a Masters degree at Cornell University. I'm fairly new at the Port of Houston Authority, having been hired in 2011 after ``retiring'' from a 27-plus year career in the U.S. Coast Guard. My U.S. Coast Guard service culminated as the Captain of the Port for the Houston region. There is a saying that if you've seen one port, you've seen one port--every port in the country is organized differently. But let me tell you about ours. The port of Houston is comprised of the Port Authority's eight public terminals along with 150-plus private industrial terminals along the 25-mile long upper Houston Ship Channel. Each year, more than 229 million tons of cargo moves through the port of Houston, with more than 8,100 vessel calls and 200,000 barge transits, trading with over 200 countries around the globe. The port is consistently ranked first in the United States in foreign waterborne tonnage, first in U.S. imports, and second in U.S. export tonnage, and it is also ranked second in the United States in total tonnage. The port of Houston is the largest importer and exporter of petroleum and petroleum products in the United States, which is no surprise, as it is home to the largest petrochemical complex in the United States, and is the second-largest petrochemical complex in the world. As one of the world's busiest ports, the port of Houston is a large and vibrant component of the regional economy. Results of a recent economic impact study show that ship channel-related businesses at the port of Houston were responsible for more than 1 million jobs throughout Texas. This activity helped generate more than $178.5 billion in State-wide economic impact and more than $4.5 billion in annual State and local tax revenues. For the United States, the port's impact is even greater, with 2.1 million jobs, $499 billion in economic activity and $52.1 billion in tax revenue. Considering this economic impact and the volume of cargo traveling the waterways of the port of Houston, there are potentially significant National implications should a Transportation Security Incident occur within our maritime domain. Now I will get more specific in answering the questions on today's agenda. (1) current use of twic readers I have read the recent GAO report, but the Port of Houston Authority was not part of the TWIC Reader Pilot Program. Instead, we have been utilizing installed TWIC readers since 2008, so I will speak from that experience. In an attempt to meet the ``spirit of the regulations'', the Port of Houston Authority started very early with the installation of access point hardware which could utilize the features of the TWIC card. The initial phases of the TWIC reader installation project was funded close to $10 million dollars in Port Security Grant funding ($6.3 million in Round 5, $1.7 million in Round 7, and $1.2 million in Round 8). The Port of Houston Authority currently has over 350 access points which can read the TWIC card, of which 73 are biometric. Not all access points use the biometric or coded access technology due to the tremendous flow of commerce through our gates. For example, the Bayport Container Terminal handles close to 19,000 vehicles a week. That equates to an average of almost two trucks per minute, around the clock, at just one of our three major terminals. To facilitate commerce, we currently use the TWIC as a ``flash pass'' in our vehicle entrance lanes, in conjunction with our Visitor Management System (VMS). Let me expand on that point for a moment, having a TWIC is just one part of regulated access control. I have a TWIC, but that does not give me unfettered access to any restricted port in the country. I must also have ``a valid business reason'' to access the restricted or secure area. Management of the validation of that ``business reason'' is left to terminal operators, and managed at the Port of Houston Authority by our Credentialing Office. For our repeat visitors, we issue a Port of Houston Authority ID card. For occasional visitors, we have designated certain ``trusted agents'' to enter names into our Visitor Management System. On any given day, we average over 3,000 names in our system that all have a ``valid business reason'' for being on-board our facilities, and overall have 35,000 TWIC cards registered with our Credentialing Office. The key ``take-away'' is that possession of a TWIC itself is just a piece of the overall security process. (2) enrollment and issuance of twic In 2008, during my time as Captain of the Port for the U.S. Coast Guard, the TWIC was first being introduced and issued in Houston. I heard many stories about the issuance process and while not required by law to obtain a TWIC (my military ID and status as a member of the U.S. Coast Guard precluded the requirement), I chose to personally apply and pay for a card so that I could witness the process first-hand, desiring to validate the stories I was hearing. The initial call to schedule an appointment took over 3 hours on the phone. After several months, I was able to determine my card was ready for pick-up. I made an appointment for 0630 and was told my card could not be located. After revealing my position with the U.S. Coast Guard, another search quickly located my card. The activation was fairly easy. Knowing that my card was due to expire in early 2013, I recently applied for the 3-year extension option. Again, the phone call took over 2 hours. The turn-around time was much quicker, and I was notified within several weeks that my new card was ready for activation. My appointment time had five other people, and we all lined up in front of computers and activated our new cards in less than 30 minutes, a vast improvement in the processing. (3) security benefits or problems with twic program The benefits are clear, individuals have a Federally-issued, tamper-proof credential that can be used Nation-wide. The program ensures that individuals have been screened against a terrorism database (aka the Security Threat Assessment), which I cannot do. The threat of a Transportation Security Incident is reduced at the macro level. It also allows facilities to automate access by coding the TWIC to activate unmanned entrance points. But there are still gaps in the system. Most ports still issue their own credentials in addition to requiring a TWIC; I personally carry a Port of Houston Authority ID and my TWIC on a daily basis. The Port of Houston Authority ID is required to prove that I have a ``valid business reason'' for being on the docks. Second, the background check is only conducted at a very high level, for serious crimes. As a facility owner and operator, we strive to prevent any crime on our docks and still conduct our own local background checks on our employees for lesser crimes, such as driving while intoxicated, theft, or assault. These ``lesser crimes'' are just as important to me in keeping our facilities safe and secure. Finally, the TWIC background check is a ``snapshot'' in time. Unless self-reported, there does not appear to be a constant and on-going linkage between the TWIC issuance and local criminal databases. Again, I have over 35,000 TWIC cards registered in my access system, and the background check of the TWIC program is only as good as the day it was conducted. (4) thoughts concerning the twic reader nprm The Port of Houston Authority has already submitted ``comments for the docket'' concerning the TWIC Reader NPRM. I will briefly summarize those comments as they are available for public viewing on the docket website and included as an attachment to my prepared testimony. As I mentioned earlier, the TWIC is just a piece of the overall security process. The TWIC Reader Rule emphasizes the need to ensure the TWIC is valid, thereby simply ensuring the ``Security Threat Assessment'' is valid. There is enormous cost involved to ensure this sense of security. The background check associated with the TWIC card isn't the risk point, the risk point is when the ``valid business reason to be in the secure area'' is accepted by the individual facilities, allowing access to the waterfront. That part of the process is more critical than obtaining the TWIC card itself, but unregulated and left to individual facility security officers. We also asked for clarification of several items: The process for reporting inoperable readers to the U.S. Coast Guard, and associated waiver process, is problematic if it stops the flow of commerce while awaiting permission. The definition of ``CDC in bulk'' is vital to which determining which level of TWIC compliance a facility must obtain, and we asked for the term to be better defined. Recordkeeping requirements at a cruise terminal also need clarification as the Facility Security Plans are often ``shared'' between the cruise line and facility owner. Finally, we requested that the ``recurring unescorted access'' waiver be better defined to accommodate workers such as porters, who may be required to enter and exit a cruise terminal up to 30 times each, per day. I would like to leave the subcommittee with two thoughts today--the Port of Houston Authority alone has received over $60 million dollars in Port Security Grant funding to date, and it continues to be vital to our security posture. We are in the process of making our applications for the fiscal year 2013 Port Security Grants, one of which will request handheld TWIC readers for our remote access points and for use during heightened levels of MARSEC. It is critical to our National security for the Port Security Program to remain independent of other grant programs, and that the erosion of the funding level cease. Second, the initial intent of the Transportation Worker Identification Credential program was to credential all transportation workers in all transportation modes. It was envisioned as a Nation-wide solution to be used at airports, seaports, rail, pipeline, trucking, and other mass transit facilities. Someday, this program will theoretically expand to all those modes of transportation, and what comes out of hearings such as this will more broadly impact the future of the TWIC program. This concludes my prepared statement. I would be pleased to respond to any questions that you may have. Thank you. Attachment.--Port of Houston Authority's Comments for Docket re: TWIC Reader NPRM We appreciate the effort being put forth with the TWIC program to ensure each potential port worker has been screened with a background check. Unfortunately, the background check doesn't go deep enough to ensure we are protected from crime. The TWIC Reader Rule wrongly emphasizes the need to ensure the TWIC is valid, thereby simply ensuring the very broad background check is valid. There is enormous cost involved to ensure this small sense of security. The background check associated with the TWIC card isn't the risk point, the risk point is when the ``valid business reason to be in the secure area'' is accepted by the individual facilities, allowing access to the waterfront. That part of the process is more critical than the TWIC card itself, which is easy to obtain, yet totally unregulated and left to individual facility security officers. This TWIC Reader Rule does not address the true risk decision point. The process for reporting inoperable readers to the USCG, and the associated waiver process, needs to be clarified. Are facilities allowed to switch methods, so as to not impede commerce, and then notify the U.S. Coast Guard? Or must commerce stop until the U.S. Coast Guard is notified and permission received to deviate from the TWIC Reader Rule? We suggest that facilities take prudent actions required to maintain their level of security, and simply notify the U.S. Coast Guard of the deviation within a set time frame (say 30 minutes). To pause, and await permission, will impact the movement of cargo. The term ``CDC in bulk'' is used several times in the NPRM. According to 33CFR160.204, carried in bulk means ``a commodity that is loaded or carried on board a vessel without containers or labels and received and handled without mark or count''. We assume this is the same definition being used in the NPRM. As a large container facility, with several hundred CDC iso-tanks present in a fairly confined area at any given time, we would like to ensure that we are not handling ``CDC in bulk''. Request the definition being used in the NPRM be clarified in the final rule for vessel and facility grouping purposes. As a facility that does not ``handle CDC in bulk'', are we allowed to provide a layberth for a vessel that carries CDC in bulk, but that we have no capability of handling? If the ship is in Group A, does the facility have to match that Group? Conversely, can a Cruise Ship Terminal (a Group A facility) act as a Group B layberth for a bulk ship when not operating as a Cruise Terminal? The record-keeping requirement also requires clarification. As a Port Authority, we maintain the FSP for our cruise terminal. When a cruise ship is in port, the cruise line security operates under their own FSP. Who maintains the records? We assume the Port Authority would continue to maintain the records and provide them to the U.S. Coast Guard should they desire to inspect the cruise line security operation. Request clarification in the rule making. At a cruise terminal, porters are required to enter and exit the secure area up to 25 times a day each. With 35 porters (for example) working, that is hundreds of verifications in a single day. Please clarify the process for seeking relief from this apparently cumbersome process. With the TWIC Reader Rule coming to fruition, the QTL should be expanded to include not just the authorized TWIC readers but also any supporting software, particularly for record-keeping requirements. Mrs. Miller. Thank you very much, all of you. Excuse me. I think I am going to just start with you, Captain. I appreciate your testimony. I was taking a couple notes as you were talking, and what you just said at the end there, that someday this would be a much more comprehensive kind of a program that could be utilized intermodally for all the various types of transportation. Well, actually, that probably was the original vision, I think, of Congress with this program, but what has happened has become rather unrecognizable from what our original vision was, because--excuse me--you have got the airports that do their own thing now, really, and even on our highways and that, with hazardous material endorsements, the way that those are handled through the States as an add-on to a commercial driver license, et cetera. You also mentioned that in your observation that the TWIC card currently is sort of a flash pass. It is something that we say here, a very expensive flash pass, and whether or not it actually works. Just listening to your testimony about how you have your own ID cards in the port of Houston, and most ports do, have their own--sort of a layered approach, I suppose, at all of these individual ports of what they have. Let me just ask you. Do you think the TWIC is really a critical component of security at your port? Captain Woodring. The TWIC card gives me comfort that a background check or a threat assessment has been done against the terrorism database which I cannot do. That is at the macro level. As Admiral Servidio said, it is a piece of the process of the layers that come with it. We have two reasons for issuing our own Port of Houston Authority ID card. One is to validate that business reason for being on the docks, which speeds up commerce going through the gates. You don't have to check in the computer to see if they are on the list for today. I simply show them that, and it speeds commerce through. But that card also allows me to code that card with other things. The TWIC card can be coded in our credentialing office to beep at the gate and do those kinds of things. Our Port of Houston Authority ID card can also be coded up to do other things. So we have split purposes. The TWIC card will get you into the restricted area. The port of Houston ID card has a flash pass, will show you a valid business reason, but it will also beep on the doors in the executive building and get us in there. Mrs. Miller. I see. Admiral, really, the proposed rulemaking for the reader really only includes the highest-risk facilities. Without going into details of what those all are, it has been the one-digit numerals apparently of what the high- risk facilities actually are. So you still have--who are required to have a TWIC card, so you still have 90-some percent of those who needed a TWIC card. I am just wondering, what is the rationale for requiring the entire universe of everyone to be having these TWIC cards if you are only--there is such a small percentage that you are really looking at. Admiral Servidio. Madam Chairwoman, we do see that the TWIC is an enabler for the future, in addition to allowing a migratory worker population to move between various facilities. As Captain Woodring said, the port of Houston is the port authority. When I was in St. Petersburg, there were about 80 different facilities, and over half of those were not part of that port authority terminal. So technically, you could have a worker that would need to have 30 to 40 to 80 different identification credentials to get around the port environment. It is a very different environment than an airport environment. So having a single credential, I have seen how that has increased security in that the gate guards can look at one credential and try to figure out, what are the security measures on that card, and to verify it. Also, we see biometrically that this is the direction we need to go. The Coast Guard has approximately 300 biometric hand-held readers that we use every time we do an inspection, either a regular inspection or a no-notice inspection. We know that there are 75 to 100 facilities that have already used the TWIC as their one access credential to that port. Some of them could potentially biometrically validate those people when they come in during high-risk. We see--this is the direction that we need to have in the future, is a biometrically-enabled, risk-based methodology moving forward. At the present time, our cost-benefit analysis clearly identified for risk group A that the benefits far outweigh the costs, which are about $26 million, I think, annualized. We see in the future that there might be changes in cost, and we would expand that population. Mrs. Miller. Thank you, Admiral. Just one other question, Mr. Sadler. I mentioned in my opening statement that last year we passed a SMART Port Act, where we are trying to assist the customer group, I suppose, and obviously security is the marquee issue always, so that they didn't have to go to more than one place to access the TWIC card. We gave the--we said that we needed to have that done, gave the Department 270 days, actually, I think in statute, but you were just mentioning that at this point you hope to have a pilot program or you will have a pilot program in Alaska next month. I just mentioned that sort of like, what is the hold-up? I think you--the frustration that the Congress always has-- although I have to tell you the truth that sort of what is happening--what you just testified to--is indicative of this entire program, it seems, during a number of years. So why is there such a lag in what the Congress's intent was and the application of that? Mr. Sadler. Thank you, Chairwoman. We think that the One- Visit is the right way to go, and we appreciate Congress's direction on the One-Visit program. To put it in some context, currently we are transitioning one system, which I will call the legacy system, which was used to enroll TWIC workers, to a new system, a more modernized system. That is going to allow us to roll an individual once and use that enrollment for multiple credentials. So, for instance, if you get a person who is enrolling for a TWIC card or an HME background check, we will be able to enroll that person once. We will be able to use that background check for both of those programs. So when we looked at the 270- day time line, we determined that we would have to make significant changes, very costly changes to the legacy system that may or may not be able to be carried over to the modernized system. That was one of the first things that happened. Then doing that, you would have to modify a number of contracts, as well, on the legacy side, as well as the contracts on the system for modernization. So when we looked at the overall risks and did our rough order of magnitudes for cost estimates, we determined that in order to get this right, because we obviously are fully aware of the work the GAO has done with us--and we appreciate their work, as well--in order to get this right and make such a significant change in the program, because this is one of the most significant changes we have made, we are going from two enrollments to one enrollment, we determined that the best course of action would be to implement a pilot, get some lessons learned, particularly in an area like Alaska, which is similar to Hawaii. You have an upper peninsula of Michigan. You have a lot of challenges for people traveling. Let's do it in Alaska. Let's get some lessons learned. Let's start building those requirements into the new system and then take a--go to another location late this year or early calendar year of 2014, and then from there move into Nation- wide enrollment--or, excuse me, deployment, once we get the new system in place next spring. That was our thought process for this, ma'am. Mrs. Miller. Thank you. I appreciate that. At this time, I will recognize the Ranking Member. Ms. Jackson Lee. Thank you very much, Madam Chairwoman, and I think the testimony of all the witnesses have been contributing. Hearings by Members are to be part of problem- solving. So I would indicate to all the witnesses, and particularly to you, Admiral, that you are really working with the cards that you are dealt, and I appreciate you rising to the occasion to do the best that you can, but I am not comfortable that we are where we should be and that we are at our best. I do, Captain Woodring, thank you very much, and it is good to get a personal notice of expiration, and so I will look forward to doing it again timely. Thanks for giving me the 60- day notice. It will be up to me now, after being told, to rush quickly to get it done. But I want to--you said one--a number of things that I think are important that I would like to pursue. First of all, the enormity, the largeness of the size of the Houston port is a very good prototype because of the numbers of vehicles, Bayport, 19,000 vehicles, and I didn't hear whether it is 19,000 a week, a month. I didn't hear the number. Captain Woodring. Yes, ma'am, 19,000 vehicles per week at just the Bayport container terminal. Ms. Jackson Lee. I think--let me take a point of personal privilege to invite my colleagues and the Chair to join me for a site visit at the Houston port, Madam Chairwoman. I would love to host you there and the committee, as well. So that nod is on the record, and it was a nodding yes. [Laughter.] Mrs. Miller. I would be delighted to do that. Ms. Jackson Lee. It is on the record now. Captain is writing it down. But in any event, you said something about you having the ability to access the terrorist lists. Could you just expand on that, how important that is for you? Then could you expand on your renewal? You said the phone call was 2 hours. Frankly, I believe that is too long. Is there something we can do to expedite that? Captain Woodring. Yes, ma'am. First, on my renewal, when the cards first came out, I got my initial card. I was on the phone for about 3 hours, made the appointment, went to the TWIC center. They couldn't find my card initially, and I revealed who I was with the Coast Guard at the time, and they did another search in the back room and found it. So that was my-- -- Ms. Jackson Lee. What center did you go to? Captain Woodring. I went to the one up by the Turning Basin, ma'am. Ms. Jackson Lee. Yes, thank you. Captain Woodring. You know the one. But that was 5 years ago. When I renewed this time for the 3-year extension, the phone call took me about an hour-and-a-half, and I understand they have now a web-based ability to do that, or at least I heard that in the testimony this morning. Then when I went, it was very easy. There were five of us at a long table, and they were able to activate all those cards simultaneously. So the process had greatly improved over time. Ms. Jackson Lee. But there was--and then, could you just expand quickly on the value of being able to access the terrorist list that the TWIC card provides? Captain Woodring. Yes, ma'am. I personally cannot run a--I can run a background check through our police department through different databases. I cannot access the terrorism database at the National level, and that is what the TWIC card brings to the table for me. Ms. Jackson Lee. So if we could--if we formulated something else that was more responsive, moved more quickly, but still gave access to the terrorist card, you could be open to that? Captain Woodring. I believe in the beginning there was some discussion of allowing law enforcement to somehow vet people against that list. I am not sure where that went, but we have the system we do today, and we appreciate the ability to have that. Ms. Jackson Lee. Yes, and I wouldn't offer the law enforcement. I would just say something more effective than where we are with the TWIC card. You would be open to it as long as we had--that whatever the new substitute would be would have access to that list? Captain Woodring. Absolutely, yes, ma'am. Ms. Jackson Lee. Let me go to Admiral and Mr. Sadler. I just want to have a pointed question. The GAO reported last month that not all TWIC reader cards underwent both the environmental and functional tests in a laboratory prior to use in the pilot. Instead, an initial evaluation was enhanced by TSA, and 30 TWIC card readers were approved for use by a pilot participant. However, none of the 30 readers underwent and passed all tests. Why were the readers deployed if they had not passed the proper test? What effect did this have on the pilot and the resulting data? I am going to ask two questions back-to-back, because I want to get Mr. Lord, and your report is quite thought- provoking, if I might say. I do want to go back to your point about asking us to repeal a requirement, I guess, to rely upon the data and to go in another direction. If I am going to ask Mr. Sadler and then, Mr. Lord, would you follow with your recommendation, expand on that recommendation? But, gentlemen, could you both answer that? Mr. Admiral, do you want to go first, or Mr. Sadler? Mr. Sadler. I will go first, ma'am, because we were in charge of the pilot, and that was our responsibility. So as we started to move forward on the pilot, we did a number of tests on the readers that were available at the time. We did some initial tests in a lab. We did an environmental test. Then we did operational tests in the field prior to the implementation of the pilot program. So all the readers that were put into the field passed an operational test prior to starting the pilot program at that particular location. The situation we got into was, because of the time it was taking to send all the readers and the cost-- all the readers through these testings--or these different tests, we made a determination that we would do a test on a certain number of readers and then we would allow the other readers to be used in the marketplace. That is how we got to that decision, ma'am. Ms. Jackson Lee. That is how you got to some of the errors, because you tested some and didn't test others? Mr. Sadler. I am not sure that is the reason, ma'am, because all the readers worked. They were operationally tested in the locations prior to the start of the pilot program. There were a number of different reasons that you couldn't get a read on the card. There may have been reader issues; there may have been card issues. One of the challenges that we had is it is difficult to get error information from these readers because they are not designed to do that. They are designed to facilitate access control decisions. Ms. Jackson Lee. Admiral, do you quickly want to have a comment so I can hear from Mr. Lord? Thank you for your service. Admiral Servidio. Thank you, Ranking Member. I would like to point out that, again, when the pilot first started, the systems are more robust than what they were at that time. We are looking to have a QTL, a qualified technology list, that would show that these readers have been tested and that they work properly. Our NPRM is soliciting comments from industry specifically on whether this is a good rule or bad rule, and we have seen in the past that the comments we received will make a better rule than what we initially proposed. We intentionally have not included some of those high-throughput facilities, like container terminals or row-row terminals, because we feel that we will get better data initially from the cost-benefit analysis and how we are proposing the NPRM. Ms. Jackson Lee. Mr. Lord. Mr. Lord. Did you want me to respond to the recommendation to de-link those two events? Well, obviously, we found some limitations in the pilot, and TSA and the Coast Guard were directed to use the pilot to help develop the rule. Given the importance of the rule, we believe some of the limitations we noted we are suggesting, well, they should be relieved of that requirement. Ms. Jackson Lee. So what should they base the rule on? Mr. Lord. Well, as the agencies noted in the rule, they used other sources of information to inform the rulemaking. Obviously, that is not the only source of information, although we view it as a key source, but just to ensure the integrity of the process, if the data is no good, we don't believe people should be asked to use it. Ms. Jackson Lee. Thank you, Madam Chairwoman. I yield back. Mrs. Miller. At this time, the Chairwoman recognizes the gentleman from South Carolina, Mr. Duncan. Mr. Duncan. Thank you, Madam Chairwoman. First off, let me just say that, after 11 years, this program should be a lot further along than it is. I was reading some of the notes, and it said there are disqualifying factors that can be waived with proper authority, and they include transportation security crimes, improper transportation of hazardous material, unlawful handling of explosive devices, murder, any threat or purposely false information concerning an explosive device in a public or Government facility. That is abysmal, the fact that we are going to waive entry for folks that have committed those type of crimes. So that needs to be addressed, and that is not where I am going to go today, but I would throw that out there for future hearings and conversation. I was contacted by a constituent from South Carolina, and I would just like to read some of his e-mail to me, because he is a contractor providing some of the hand-held scanners, I think, that the admiral talked about. But he said just yesterday, he spent nearly half-an-hour on the phone with the vice president of SSA, one of the Nation's largest container terminal operators. During that conversation, he told me that TWIC was dead and suggested I look for another market. We have had a team of consultants that work for us in the Texas market, and they are hearing much the same thing from many of their contacts. This was on June 5. He said that the notice of proposed rulemaking is under the comment period, which will close the 20th of this month. The NPRM was very disappointing, as it only requires Class A facilities to electronically validated TWIC cards and biometrically identify the holder. All Class B and Class C facilities will be allowed to continue to use the TWIC as a flash pass. Even though this was never the intent, I have spent the last several months on ports and private terminal operators' location and can tell you that the word flash really is the appropriate term. The drivers never take their TWIC out of its plastic protective case, which is typically on a lanyard around their neck, and hold it up for a security guard to see. For the most part, the name is not even readable from the distance they are viewing it from, certainly not the expiration date. My understanding of the current role and the new NPRM is that it is the responsibility of the security staff to accomplish three things when allowing a visitor on the port facility. One is to get the authenticity of the TWIC. The second is to verify the expiration date. The third is to positively identify the holder by comparing the picture on the TWIC with the face of the individual presenting the TWIC. This process should take approximately 15 to 20 seconds if it is done correctly. We all experience similar things at TSA, as we see airline personnel and TSA personnel and other clear people go through TSA screening. However, this is never done. In addition, we spend the time and money to publish a CCL so that we make sure we are not allowing an individual on the ports that has caused their name and number to be placed on the list. However, no Class B or Class C port or private terminal facility has the ability to check against a certain list. I think we heard some of that earlier. Even if such a list were made available to them, it would disrupt the entire operation and to take the necessary time to check the list. No one seems to be able to publish a document that clearly states that TWIC is not dead, but moving forward. It is concerning to me that I am hearing from someone and from my State that is involved. This is real life. This was an e-mail. I didn't make this up. So this is the real-life example of where we are failing America in this process of making sure that our port facilities are safe. I agree with the admiral. I think we can have the hand-held scanners that you are using. I think that is a very verifiable way to identify and make sure that that cardholder is holding a valid TWIC, that it is that person that is holding it, it is not fraudulent, and it doesn't take that long to validate that. Now, I know there are costs involved. But I would be willing to bet that over the past 11 years, the money that has been spent developing this program that is so far behind schedule that we could have probably paid for those type items. So the question I have for the witnesses is: Do you believe that the TWIC program is dead? Or should it be continued? When do you believe we will see some clarity on that issue? I will just start and go down the list. Admiral? Admiral Servidio. Thank you, sir, and thank you for the question. I strongly feel that TWIC is not dead. We, the Coast Guard, see great value in having a single credential with the background and the biometrically enabled. I think what is important is not just to look at the past, but to look at the future, and we do need something in the environment we are going to be going in that will allow real-time biometric enabling to verify a person is who they are when they are going in there. Mr. Duncan. I agree with you. Thank you. I will go down the list. Is TWIC dead? Should it continue? When do you think we will see some clarity? Mr. Sadler. TWIC is not dead. It should continue. I think we will see some clarity when the Coast Guard finishes getting its comments for the NPRM and adjudicates those comments and comes out with a good reader rule, because that is the key to this. The TWIC card is one element in the process. The reader is the key to using that card. Mr. Duncan. Do you agree with me that it is being used as a flash pass now, Class B and Class C terminals? Mr. Sadler. Currently, in many terminals, it is being used as a flash pass. That is why the reader rule is so important to get the readers out there. Mr. Duncan. Let's go down the list. Is it dead? Or should it continue? Some clarity? Mr. Lord. Obviously, it is not dead. It is--I think we need to rethink the approach, perhaps focus on more higher--use at higher-risk facilities, more selective use. That would help address some of the issues we have identified in our past work, but, again, that is up for Congress. Mr. Duncan. You are a class A terminal in Houston? Captain Woodring. Right now, we are not classified, because the NPRM is what groups you or classifies you right now. We currently use the card as a flash pass. Mr. Duncan. Flash pass? Captain Woodring. In the new rule, we would be a Group B, which means we would not have to have the biometrics unless the MARSEC level changed, in which case we would have to biometrically check. Mr. Duncan. Thank you, gentlemen. My time is up. I will yield back. Mrs. Miller. The Chairwoman now recognizes the gentleman from Texas, Mr. O'Rourke. Mr. O'Rourke. Thank you, Madam Chairwoman. I wanted to start with a statement that I believe I heard Mr. Lord make, which is that you were unable to determine how using TWIC has improved security. I just want to make sure I heard you correctly. Mr. Lord. Yes, the assumption is--and I know the Coast Guard and TSA strongly believe that is the case--but we--in terms of an analytical perspective or analysis, we have yet to see anything comparing TWIC before and after. That is what we essentially were asked--calling for in our so-called effectiveness study back in 2011. So the presumption is it would enhance security, but don't forget, a lot of these facilities already have access control systems in place. They are already using local credentials, as the gentleman to my left just explained, so we would like to--I guess we are slightly skeptical and just need to see the analysis, and that is why we made that recommendation in 2011. Mr. O'Rourke. You know, I think it is important for us to move forward with objective, verifiable data. If we have spent--as I understand it--more than $500 million so far on this program that we know, it is objective, hard data, if we are going to be asked to spend anywhere from $700 million to more than $3 billion going forward in the future, I think we need to know how and to what degree this improves security. So because the GAO and Mr. Lord were not able to determine that from the information that you provided, Admiral or Mr. Sadler, do you have anything that you could add now at this hearing that would give us some comfort in moving forward with this program? Admiral Servidio. Yes, sir. The Coast Guard does an assessment every year--at minimum annually--through what we call the MSRAM, which is the Maritime Security Risk Assessment Model, and we take a look at the whole--all of the components of port security. Access control is part of it, and TWIC is just part of that access control. So doing an assessment on just a subcomponent of one of the components is quite difficult at this time. We do agree that we should be doing assessments, we should have better measures. We feel that when there is a reader rule out there, we can look at the effectiveness of having those biometrics and other types of things. We are looking internally in how we are using the hand-held readers and what the effectiveness of using those hand-held readers are to biometrically verify people. Mr. O'Rourke. But without any data, without you being able to give me hard numbers, how could I support authorizing another dime for this program? If we do authorize another dime, how do we decide whether it is $3 billion or $10 billion or $1 trillion if you are not going to give us any reliable cost- benefit analysis to this? We don't have unlimited money to spend on security, and we have some troubling lack of evidence as to whether or not this is improved security at all so far, and yet we are being asked to spend more and perhaps expand this to other modes of transportation and other frontiers in National security. I also heard Mr. Lord say that in the data that you made available, throughput times were mixed up with reader response times. That is of particular concern to me in El Paso, Texas, a big trade corridor, more than $90 billion in U.S.-Mexico trade moving through there. If we slow down already long wait times even further, with a system that doesn't work or with a system whose effect on throughput we cannot ascertain, that to me is troubling, as well. Do you have a response to the statement he made about throughput times? Admiral Servidio. Okay, sir, if I could answer the first part with regards to the assessment, I guess there are two different answers. I can give you hard numbers on how we have reduced risks in our ports using the MSRAM data each and every year as a result of the actions we have taken in implementing the Maritime Transportation Security Act and the international ship and port facility security code. We do have numbers saying that we have reduced vulnerabilities and we have reduced risks in our ports. Anecdotally, I have been the captain of the port at three different locations, sir, and I can tell you that we have come a long way in accepting any credential and what the guards would look at to where we are today in TWIC. Are we where we need to be? No, sir, but I think we are moving in that right direction. Mr. O'Rourke. Was it worth $500 million? Is it worth an additional $3.2 billion, what you have seen so far? If you can't give us the numbers here, can you tell us in your best judgment whether that is good value for the taxpayer? Admiral Servidio. I can you tell, sir, that our NPRM has an annualized cost of $26 million for the implementation of TWIC readers at Group A facilities. That is a good investment in money, sir. As we end up maturing the technology, I believe that we will be able to justify why we should roll this out to Group B facilities and potentially to other facilities, sir. Mr. Sadler. Yes, sir, I would like to add a couple of things. On the transaction times, that was our responsibility in the reader pilot. We made a determination as we were going through the pilot to use transaction times from the card itself, because we were having difficulty collecting the information on throughput times through these access points. That is one of the challenges that we faced. So if you think about throughput, whether it is a pedestrian coming up to a gate and presenting the card, or whether it is a truck coming up to a gate and presenting a card, it got to the point that if a truck comes up to the gate, for instance, and the individual has the card on a lanyard and has to back up or move closer to the reader, is that part of the throughput time that is affected by the TWIC? For us, that throughput time would be standard, no matter who was going through that gate. For us, we were concerned with the transaction time of the card. When the person actually put the card up to the reader, put the fingerprint down or finger down to check the fingerprint, and collect that transaction time, because that was going to determine, you know, how we affected the actual throughput of an individual or a vehicle. On the card itself--and as far as security is concerned--we believe that the card does improve security. Having gone through ports and facilities for over 20 years myself, I know that you can get through gates or used to be able to get through gates with multiple credentials. I never had to go through a gate with one common credential. I never had to go through a gate with a biometric credential. I don't think there was a background check at that time. We have got a standard background check. We have got an adjudication process. There are a lot of things that we have done with this card that were never done before in this maritime environment. Then last thing, if I could just finish, sir, on the cost estimate, the numbers you are referring to, the $3.2 billion, that is our life-cycle cost estimate for the program through a 10-year estimate. We did that, if I remember correctly, in 2007-2008. I would have to check that number. So to date, we have spent $394 million on the program--this is in the GAO report--approximately $100 million on appropriations, and $294 million in fees, because it is a fee- funded program. Mr. O'Rourke. Madam Chairwoman, I know my time is up. I just want to say that I appreciate your belief that this makes us more secure. The concept is a good one. But we need facts if we are to make informed decisions going forward. Thank you. Mrs. Miller. Thank you. The Chairwoman now recognizes the gentleman from Utah, Mr. Stewart. Mr. Stewart. Thank you, Madam Chairwoman. To the witnesses, thank you all. Thanks for your service. Thanks for your expertise and being with us today. I know that you have a difficult task. The challenges confronting us as a Nation and as a people that you have been involved with over the last 10 or 12 years are in some cases enormous, and we appreciate that. I think one thing that--an observation, if I could--and I would like to keep my comments and then my specific questions to you very big picture--being kind of new to this, I was a military officer for 14 years. I understand some of the security concerns. I also understand a little bit about how Government bureaucracies work. I think one of the things--an observation that many of us would agree with, and that is that Government sometimes creates bad legislation when that legislation is created in a time of perceived crisis. When there is a great urgency like we experienced after 9/11 and there was this cry to do something, and we did something, and some of that has been very effective and very important, but some of it has been less so, because it was perhaps not as thoughtful as we would have done had we not been under this--again, this sense of urgency, this sense of crisis. There were many who warned at the creation of the Department that it would become a big bureaucracy, that it would become unyielding and unresponsive to some of the needs of the people. I think that that is a fair observation. I think--I don't know anyone who would disagree with that, that like any Government agency, that there are some issues with the Department of Homeland Security that could be made better. I think, frankly, this is a pretty good example of that. What the Department has done is good, and there are many great success stories, but, again, I think that there is criticism there that we can take and probably try to apply. Again, I think the TWIC program is--as you have indicated, I think all of you--and as has been indicated in the questions--it has been troubled from the very beginning. Since its initiation in 2002, DHS has failed to meet every time requirement, essentially. We are, what, 5 years behind what our goal was and where we wanted to be? So, Mr. Sadler, maybe I will ask you, but then, Admiral, I would like to come to you, as well. Help me understand the big picture. If you can, answer this question not in a couple paragraphs, but answer it in a sentence or two sentences, if you will. What is the greatest challenge we have had? What is the one thing that we can--you know, that you would say this is the problem or this is the most important problem, and then how do we fix that one problem? Mr. Sadler. Mr. Sadler. Well, thank you, sir. This is important to understand, so I can put some context around it. We started with nothing in the beginning of the program. So what I mean by that is, there was no common credential. There was no common background check. There was no adjudication process. There was no appeals process or waiver process or administrative law judge review. There was no waiver process. There were no disqualifiers. I will try and keep my answer short, but this is very important. When we started this program, the program as it exists today did not exist then. Mr. Stewart. So then are you alluding that that is the great challenge, because we started from zero? Mr. Sadler. I think that is one of the challenges. That is a challenge, because we had to design all these things to get to this point. Another challenge is that we are taking this security and we are applying it across the maritime environment. I know Captain Woodring or Admiral Servidio would say, if you have seen one port, you have seen one port. There are different throughputs. There are trucks. There are vehicles. There are pedestrians. There are service workers. There are tremendous challenges in this program. Mr. Stewart. Okay. Mr. Sadler. So I think that is the answer. I think we had to design something that didn't exist. Although there were other cards and credentials and programs out there, it didn't exist in the maritime environment, and just the maritime environment itself is very challenging. Mr. Stewart. Okay, and I appreciate that, and I know you are not trying to evade the question or the answer, but when you say it is difficult and we had to start from zero, it has still been a long time, and we have still spent a lot of money. I am not sure any of us are satisfied with the result of where we are now. I was hoping that you would be able to say--and maybe you can't--I was hoping you would be able to say, this is the challenge we have. This is the one thing that if we did this or these two things, if we did this, this would be better, this would be--we would be able to make progress now. We wouldn't get this sense that we are just kind of spinning our wheels. Admiral, do you have any comments on this? Can you help me understand, you know, the one or two things that we could fix that would help this process? Admiral Servidio. Yes, sir. I believe the two issues are, we have one single credential now, one background credential, the TWIC card, and getting the socialization of that concept, getting the implementation of that has been a challenge. But we have done that. I think the greatest concern going forward is customer service, and I think we need to decouple customer service issues to trips and other types of issues, being on the phone for 3 hours or 2 hours, from the value in having a single credential with a common background and making it easier for our ports to implement. I really think we have made progress on going to the single credential. I think we still have work to do on the customer service, and we are working actively with TSA and the Department on addressing those concerns. Mr. Stewart. All right. Thank you. I am out of time, Madam Chairwoman. Mrs. Miller. I thank the gentleman very much. The Chairwoman now recognizes the gentlelady from Hawaii, Ms. Gabbard. Ms. Gabbard. Thank you, Madam Chairwoman. Thank you, gentlemen, for your time, your service, and your work here. Like my colleagues, of course, we are concerned about--at the bottom line, how are we addressing potential threats and alleviating threats that we see today, as well as going forward along our borders and at our maritime ports? As you can imagine in Hawaii, this is something that is particularly of interest to us, as we receive close to 95 percent of all of our goods coming through our ports. I have a few questions regarding the actual TWIC card. I know you have said that this is just one component of the overall maritime security plan, but looking at the level of threat that we see coming through our containers, coming through the cargo that is coming in, I am curious about how many either specifically or a ballpark figure, maritime figures you have found using this National terrorism database--have found to be on that list? Mr. Sadler. Well, ma'am, if I could speak to you outside of public forum, I would be happy to give you those numbers, but I am just not comfortable discussing it in this forum. Ms. Gabbard. Have you seen that this is a prevalent issue? Mr. Sadler. It is an issue, but, frankly, I would like to discuss it outside of the open forum. Ms. Gabbard. The reason I ask is because I have had conversations with many of our maritime workers that I have seen in our States. I have visited our various harbors and ports and have seen, more often than not, frustration at a basic level of dysfunction. Not only--you have talked about the readers and the other issues that have been there, but with folks who have been working at our ports for 12, 15, even 20 years, erroneously being flagged as they go through the screening process and then are put out of work for 1 month, 6 months, 8 months, which creates a tremendous hardship on their families and our workers, and to have to undergo this screening not only on an annual basis, you are saying that there is a 3- year plan now that people can apply for, but also the hardship, as we see in Hawaii, of having to travel to the mainland for this screening. How do you reduce these erroneous disqualifications that are occurring? Mr. Sadler. Well, we are required to adjudicate the backgrounds against certain disqualifying criminal issues. There are approximately 27 crimes that we look at. Some of them we look back for an unlimited period of time. Some are 5 years from conviction or 7 years from a release from incarceration. That is a statutory requirement. So one of the things that we do is, we have a robust appeals, waivers, and review process, and as soon as an individual is flagged for having some type of issue, we immediately get a letter out to that person once we have identified that person or that issue, and then we try and get them into this review process, so we can clear up whatever that issue is. One of the challenges that we have with that type of background check is, the States need to upload their information into the database that we use from the FBI, all right? At this point, we are getting State records from approximately 40 States. They may be more complete than the Federal database. They may not be. They may be more extensive. If we got the records from all the States, that would help us a lot. It--I am sorry. What were your other questions, ma'am? Oh, on the travel. So, for instance, on the travel, we are doing a couple of things. We are increasing our enrollment sites from 136 to over 300, so if you have a TWIC enrollment site or a hazardous material enrollment site, you will be able to apply for both of those background checks at the same place, and you can get a discount on the background check if you choose to get both of them. We are also extending the One-Visit pilot program to Nation-wide in 2014, which will only require one visit for all individuals. Then currently, we have the extended expiration date TWIC, the 3-year card, that only requires one visit. So we are taking positive steps to try and reduce that burden, whether it is through an adjudication process or whether it is through the actual visits to an enrollment center. Ms. Gabbard. Admiral, maybe you could answer this question. How does this background check that our maritime workers are undergoing compare to a background check that a brand-new enlistee in the uniformed services undergoes? I am not talking about a secret clearance. I am just talking about walking in the door. Admiral Servidio. I am not sure exactly what background check we do when someone comes in, so I am going to have to get back to you on the record. I can tell you that the background check we do for TWIC is different than what we require for a merchant mariner, because of just the interaction with the public and other types of things. So we do tailor some of those background checks to what we are looking for with that part of the industry. Ms. Gabbard. The reason I ask is because I am wondering if in some ways you are saying we are starting from ground zero, there has been nothing like this put in place before, but when you look at our U.S. military, for example, I know some of the branches have different and higher levels of requirement, but at a baseline level, you have a criminal background check much like the States already provide at the local level. Without a secret clearance, that is kind of it. There are different requirements there that they are undergone, but you have an ID card with the biometric system that is accessible at military bases around the world, that it is rugged, it is supposed to be durable, and it seems like this is a system that has already been in place and it has worked, and I am not sure why we are investing in something that has now already been done. Mr. Sadler. Well, our credential--the TWIC card is accepted at DOD facilities. It is--the basic card is the same card as the CAC card, the DOD card. It is a card that we get from the GSA schedule. So it is tested to the same standards, and we believe it probably has about the same failure rate, because it has similar use. I think the main difference outside of the card itself is the fact that this is a commercial environment, it is all about high volume and throughput and speed. So that is where our challenge comes in, but the card itself is the same card stock that any Federal agency would buy off the GSA schedule. Ms. Gabbard. Thank you very much. Thank you, Madam Chairwoman. Mrs. Miller. I thank the gentlelady. I certainly thank all the witnesses. You can see by the level of frustration, some of the questions that we are asking, I am sure you all share that. We will see what happens here with this TWIC card, but it is a very important issue. We appreciate all of your attendance here today. Ms. Jackson Lee. Madam Chairwoman---- Mrs. Miller. I would--yes, the Ranking Member? Ms. Jackson Lee. Yes, before we end, might I ask to put in the record three things? One, the letter from the American Association of Port Authorities on this very issue, I ask unanimous consent. Mrs. Miller. Without objection. [The information follows:] Letter From the American Association of Port Authorities June 13, 2013. U.S. Department of Transportation, Docket Management Facility (M-30), West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue, S.E., Washington, DC 20590. RE: Comments of the American Association of Port Authorities on the NPRM, Transportation Worker Identification Credential (TWIC) Reader Requirements Docket: USCG-2007-28915. Dear Sir/Madam: Seaports deliver prosperity by serving as critical links for access to the global marketplace. Safe and secure seaport facilities are fundamental to both protecting our borders and moving goods. The American Association of Port Authorities (AAPA), on behalf of its U.S. members, welcomes this opportunity to comment on the Coast Guard's (USCG) Notice of Proposed Rulemaking (NPRM) related to the Transportation Worker Identification Credential (TWIC) Reader Requirements. Our U.S. members handle containers, auto and ro/ro cargo, cruise passengers, as well as many bulk and breakbulk cargos, all of which would be impacted by this rule. While the comments below address specific issues raised in the NPRM, AAPA is concerned about the findings in the recent Government Accountability Office (GAO) May 8, 2013 report, Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed GAO-13-198. GAO recommended that Congress halt DHS's efforts to promulgate a final regulation until the successful completion of a security assessment of the effectiveness of using TWIC readers. While we understand that there may be some disagreements over these findings, we do ask the Department to consider delaying the implementation date of the rule, and we stand ready to assist in further analysis of TWIC reader operational problems identified in the report. Below are specific recommendations related to the NPRM. In the final rule, USCG should be more specific in defining what are considered TIER A, B, and C facilities and utilize a risk-based approach to reader requirements that more clearly addresses the particular circumstances of each port area and the facilities that fall within the category requiring readers. As noted in AAPA's May 13, 2009, comments on the TWIC rule, we support the Maritime Transportation Security Act (MTSA) regulatory system that is performance- and risk-based. Unlike earlier TWIC proposals, the NPRM proposes a risk-based approach. While this is an improvement from the previous proposal, we do not believe the system as proposed should be adopted. We are concerned that the three categories for TWIC reader use are based upon the passenger capacity of vessels, bulk of hazardous material, and the facilities that they use, rather than taking an approach that is more specific to the individual circumstances of each facility. (It is unclear, for example, how Strategic Ports will be classified based on the criteria listed.) AAPA recommends that USCG expand the risk-based concept and include a more performance-based and flexible system as reflected in other MTSA regulations. Every port is different and in making evaluations about risk, USCG should aggregate risks to the port area first, followed by a second layer of risk at the facility level using a Maritime Security Risk Analysis Model (MSRAM), including an evaluation of what other facilities are in close proximity. This would result in a flexible, but risk-based system. Therefore, a facility's risk and associated reader requirements should be based on a variety of risk factors, not just what type of vessels call on it or the type of cargo that it handles. At certain facilities, TWIC should be checked by electronic reader at the beginning of a shift but then afterward and for the duration of the shift employees should be able to walk into and out of the secure area only having to flash their card or show some other identification to the guard. At cruise terminals, for example, porters walk into and out of the secure area 25-30 times during their shifts. Having to stop and use the reader every time that movement into the secure area is made could well create an unnecessary burden, delay work, impact vessel schedule, and result in unnecessary expenses. While it is true that, according to the NPRM, the Captain of the Port (COTP) has the power to suspend the reader requirement if it is unduly holding up cargo or passenger processing, this particular exception to the rule should be codified before the fact and not reliant upon an after-the-fact assessment. Differing assessments by individual COTP's could inequitably impact inter-port competitiveness. According to the NPRM, the Captain of the Port is authorized to suspend the reader requirement in the event that a reader malfunctions or some other event transpires that makes the reader requirement unduly onerous. AAPA recommends that in the event of a minor occurrence, such as a reader malfunction, the port should immediately be able to continue to process workers using an alternative means that has previously been identified in the approved Facility Security Plan. Rather than being required to contact USCG for approval to resort to the previously-approved alternate plan, the port should be able to resort to the plan and then log the occurrence for review by USCG after the fact. USCG will be able to monitor how frequently or infrequently the alternate plan is used and address irregularities without holding up the process at the time. The NPRM requires that ports submit an updated Facility Security Plan describing what procedures will be used to comply with the new reader requirement, once it goes into effect. AAPA recommends that ports be permitted to submit TWIC updates within the 5-year plan resubmission, rather than be required to submit immediate amendments to already-existing security plans. Sincerely yours, Kurt J. Nagle, President and CEO. Ms. Jackson Lee. A letter from the American--excuse me, statement from the American Trucking Association on this issue. Mrs. Miller. Without objection. [The information follows:] Statement of American Trucking Associations, Inc. June 18, 2013 introduction The American Trucking Associations (ATA), founded in 1933, is the Nation's preeminent organization representing the interests of the U.S. trucking industry. Directly and through its affiliated organizations, ATA encompasses over 37,000 companies and every type and class of motor carrier operation. The trucking industry is an integral component of our Nation's economy, transporting more than 80% of our Nation's freight bill and employing approximately 7 million workers in trucking-related jobs, including over 3 million commercial drivers. It is important to note that the trucking industry is comprised primarily of small businesses, with 97% of trucking companies operating 20 trucks or less, and 90% operating six trucks or less.\1\ More importantly, about 80 percent of all U.S. communities depend solely on trucks to deliver and supply their essential commodities. --------------------------------------------------------------------------- \1\ American Trucking Associations, American Trucking Trends 2011 (March 2011). --------------------------------------------------------------------------- background As ATA has testified on several occasions at Congressional hearings, including before the House Homeland Security Committee, both the private sector and Government agencies continue to struggle to find the right balance between improving security while facilitating commerce throughout our Nation's transportation sector. The motor carrier industry believes that security and commerce are not mutually exclusive goals throughout the transportation system and the increasingly sophisticated supply chains that move global trade. To truly enhance security without disrupting the flow of commerce, security regulations and programs must be implemented in a cost- effective and coordinated manner. A key goal of such an effort must be that individual programs should be designed in a way that they can be leveraged to comply with a multiplicity of regulations and security requirements. The trucking industry believes that the Transportation Worker Identification Credential (TWIC) can be such a program if implemented and utilized in an appropriate manner. ATA has long supported the original concept of the TWIC: One application/enrollment process, one fee, one security threat assessment (STA), and a single credential that transportation workers may utilize to demonstrate compliance with multiple security requirements. However, commercial drivers today continue to face multiple security credentialing requirements. For example, in addition to the TWIC, drivers must undergo separate STAs for the Hazardous Materials Endorsement (HME), the Free and Secure Trade (FAST) program for border crossings, to name a few. The cost to drivers and companies of these separate STAs and credentialing programs is almost $300 in fees alone, not including the costs associated with drivers' lost wages and fuel costs while traveling to and from multiple enrollment centers, and the aggravation of providing fingerprints multiple times for each program that performs the same background check. Over 10 years ago, Admiral James Loy, then the second-most senior official at the Transportation Security Administration) TSA, summed up the concept and the purpose of the TWIC, stating: ``A fourth initiative also underway is development of a Transportation Worker Identification Credential or TWIC . . . The idea is to have these [transportation] employees undergo only one standard criminal background investigation . . . I've heard that there are some truck drivers currently carrying up to 23 ID cards around their necks. I wouldn't want to pay that chiropractor bill. Under the TWIC program drivers and other transportation workers will only have one card to deal with which would be acceptable across the United States.\2\ --------------------------------------------------------------------------- \2\ Remarks of Admiral James M. Loy, Under Secretary of Transportation for Security, Transportation Security Administration, during Transportation Research Board 82nd Annual Meeting Chairman's Luncheon, January 15, 2003. Unfortunately, the TWIC program/concept has not lived up fully to its promise and has become another expensive, duplicative security credential that truck drivers must obtain to access maritime facilities. TWIC works, but the goal of universal acceptance of a single security credential has yet to be implemented by TSA. It is not too late to enhance TWIC's capabilities and acceptance across multiple programs to improve its benefits and reduce the need for multiple screenings through the same databases. In essence, implement the long- established Department of Homeland Security principle of ``enroll once, use many.'' twic challenges and opportunities The TWIC program has had to confront strong criticism since it was first proposed in an NPRM in 2006 implementing statutory requirements mandated under the Maritime Transportation Security Act of 2002. Some of the key criticisms that the TWIC has encountered include: The excessively high cost of the TWIC: $132.50 (reduced to $129.50 in 2012); The extended time the application process requires of applicants, taking time off work twice: Once to apply and provide the biometrics, a second visit to pick up the credential; The failure to expand TWIC's utilization to satisfy other Federal STA regulatory requirements, including sister programs within TSA; The lack of TWIC enrollment facilities Nation-wide to facilitate the enrollment of transportation workers who live far from either coast; The failure to implement TWIC with its essential counterpart reader rule, annulling the credential's technology benefits and serving only as an expensive ``flash-pass''. ATA generally agrees with these criticisms of the TWIC program and we have expressed such concerns in past testimony before Congressional Committees as well as in comments to TSA, The United States Coast Guard (USCG), and the Department of Homeland Security (DHS). However, our greatest concern at this point is the multiplicity of background checks, and their associated costs and burdens, which drivers undergo to perform their everyday work responsibilities, from transporting hazardous materials and delivering at maritime facilities, to crossing our international land borders and transporting air cargo. As a matter of policy, ATA has long supported a system and process that provides for a Criminal History Records Check through National databases. But today's state of affairs in which commercial drivers undergo multiple STAs is untenable, excessively burdensome, and patently inefficient. Because of this, ATA has taken the position to support the TWIC as the potential single credential and STA that can demonstrate and provide compliance with multiple programs and regulations that require a STA through a single enrollment, a single fee, a single background check and a single credential. Although TSA has not provided for full recognition of one STA for compliance with another regulatory STA, for example allowing TWIC holders seeking an HME to show their TWIC as proof of already having an equivalent STA--a policy supported statutorily by Section 1556 of the 9/11 Commission Act--other Federal agencies are accepting the TWIC for compliance with their credentialing requirements. For example, the Department of Defense (DoD) has an established policy allowing commercial drivers transporting freight in and out of appropriate military facilities to use a TWIC in lieu of obtaining a DoD issued Common Access Card (CAC). DoD acceptance of the TWIC for such purposes is recognition of the strength of the TWIC STA process and its compliance with Federal Personal Identity Verification (PIV) standards used by millions of Federal employees. In its latest report regarding the TWIC card reader pilot results,\3\ the U.S. Government Accountability Office (GAO) criticized TSA's planning shortfalls for implementing the TWIC reader pilot in a manner that did not yield usable information due to data-collection challenges. ATA is aware that TSA faced some technology challenges in collecting TWIC-reader functionality data, including that the first generation of TWIC cards had faulty antennas embedded in the cards which rendered them useless when utilized with contactless readers. However, ATA is also aware of certain facilities that have been using the TWIC readers successfully to verify the credential's status, identity, and improving throughput for truck operations. Perhaps additional focus should be given to facilities that have successfully implemented the TWIC readers and utilize such ``lessons-learned'' that can be applied to other facilities facing reader challenges. --------------------------------------------------------------------------- \3\ U.S. Government Accountability Office; Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to be Reassessed; May 2013. --------------------------------------------------------------------------- GAO's concerns and suggestions should be given careful consideration by DHS in improving the development and implementation of TWIC-readers at regulated facilities. ATA also agrees that Congress should continue to carefully assess the overall implementation of the TWIC program. However, ATA is concerned with GAO's suggestion that Congress consider ``alternative credentialing approaches, which might include a more decentralized approach for achieving TWIC program goals.'' A decentralized approach could result in an environment in which each State or location performs STAs and issues separate credentials for truck drivers to access maritime facilities throughout the country. Such a scenario would result in an increasingly burdensome, inefficient, and ineffective system for transportation workers who work and operate at multiple MTSA-regulated facilities. The TWIC is a robust, Nation-wide and uniform STA that can be utilized at multiple locations when matched with the appropriate readers. TSA and USCG need to focus their efforts in ensuring the deployment of TWIC readers nationwide rather than creating a vast assortment of individual systems. With the appropriate leadership within TSA and with clear guidance from Congress, the TWIC has the potential to serve as a valuable tool to ensure that personnel working throughout our country's critical transportation infrastructure have been screened appropriately and continue to be vetted frequently through relevant databases. Moreover, when the credential is utilized with the appropriate readers it can ensure the validity of the card, match the TWIC to the cardholder and allow for improved throughput when entering secure areas requiring such systems. conclusion Notwithstanding that the TWIC continues to face several challenges to gain broad support from various sectors within Government--as demonstrated by the latest GAO TWIC report--as well as private-sector entities, the TWIC's future utility is robust if implemented as originally intended by leveraging its applicability throughout other security programs. But appropriate efforts and policies must be implemented by DHS, TSA, USCG, and other Federal entities to coordinate the utility of such a PIV for compliance with multiple STA requirements. The 2.4 million transportation workers in possession of a TWIC, including over 400,000 commercial drivers, are already heavily invested in the program. It would be a disservice to these workers to consider doing away with the TWIC when they have spent resources and time to obtain the credential. ATA urges the Homeland Security Committee and its various relevant subcommittees to: Continue supporting the TWIC as a viable STA program used by millions of personnel to access secure areas of maritime facilities as well as various Federal facilities; Authorize and mandate the use of the TWIC for compliance with equivalent STA programs; Analyze and require TSA to significantly reduce the high cost of the TWIC and ensure ample geographic coverage of enrollment centers; Not overlook the fact that the TWIC, as a stand-alone credential, provides a solid STA component and a perpetual vetting process that offers a high degree of security; Allow the USCG to move forward with the implementation of the TWIC readers, after careful consideration of industry comments and recommendations. The implementation of the TWIC readers is essential to leverage properly the technology embedded in the TWIC and to establish uniform, secure, and efficient access procedures at secure areas of MTSA- regulated facilities. Even with the very high cost of the TWIC, at roughly $130.00, it is a more cost-efficient scenario rather than paying multiple fees and undergoing multiple enrollment and finger- printing processes. The trucking industry asks that these costs be reasonable and part of an efficient, risk-based process. ATA supports an approach that is good for security--and good for commerce. ATA appreciates the opportunity to offer this written statement and we look forward to continue working with this subcommittee and the Homeland Security Committee to further improve the security of our transportation system, doing so in a coordinated and efficient manner. Ms. Jackson Lee. For the record, a question to the Coast Guard and TSA to provide us in writing whether you have the tools to assess and evaluate the effectiveness of using the TWIC with readers for enhancing port security. I think we need a--I need a focus one, two, three, four, in relation to the GAO report in 2011 and 2013. I thank the Chairwoman, and I think this has been a very helpful hearing from all of the witnesses and look forward to maybe providing some legislative fix. I yield back to the Chairwoman. Mrs. Miller. I thank the gentlelady. Any Members of the committee that might have some additional questions for the witnesses there, we will--pursuant to the committee rule, the hearing record will be open for 10 days for those. Ms. Gabbard. Excuse me, Madam Chairwoman. Just briefly request---- Mrs. Miller. Gentlelady from Hawaii. Ms. Gabbard [continuing]. Unanimous consent to insert testimony we have here submitted for the record from the Longshore and Warehouse Union, representing port workers in Hawaii and the western region for the record. Mrs. Miller. Without objection. [The information follows:] Statement of the International Longshore and Warehouse Union June 18, 2013 The International Longshore and Warehouse Union (``ILWU'') represents port workers in California, Oregon, Washington, Alaska, and Hawaii, as well as warehouse, maritime, agriculture, and hotel and resort workers. The ILWU's membership includes the approximately 22,000 longshore workers, marine clerks and foremen who load, unload, track, monitor and oversee the movement of cargo into and out of all of the major ports on the West Coast, Alaska, and Hawaii. We appreciate the opportunity to submit these comments on the TWIC Program. The ILWU and its members have been active participants in the development and roll-out of TWIC since its inception. The union's experience of the program and deep knowledge of the waterfront have shown that TWIC does not improve port security and unfairly burdens working people. The program is now at a crossroads. The program stands poised to expand through the mandatory installation of expensive TWIC readers at approximately 570 locations pursuant to proposed regulations currently under review by the Coast Guard.\1\ According to the GAO, the TWIC Program has cost more than $500 million and will cost between $690 million and $3.2 billion more over the next 10 years, not counting the costs of installing and operating readers.\2\ In one of its multiple recent reports critical of the program, GAO concluded: ``11 years after initiation, the TWIC program continues to be beset with significant internal control weaknesses and technology issues, and . . . the security benefits of the program have yet to be demonstrated. The weaknesses we have identified suggest that the program as designed may not be able to fulfill the principal rationale for the program-- enhancing maritime security.''\3\ Before proceeding further, we urge this committee to re-think the wisdom of TWIC. We believe that careful consideration of the facts on the ground will reveal that TWIC does not make our Nation safer, hurts American workers, and is a poor use of limited Government dollars. --------------------------------------------------------------------------- \1\ Notice of Proposed Rulemaking on TWIC Readers, 78 Fed. Reg. 56 (March 22, 2013) at 17782, et seq. \2\ ``Transportation Worker Identification Credential: Card Reader Pilot Results are Unreliable; Security Benefits Need to Be Reassessed'', GAO-13-198, Appendix III, p. 59-60 (May 2013). \3\ ``Transportation Worker Identification Credential: Card Reader Pilot Results are Unreliable; Security Benefits Need to Be Reassessed'', GAO-13-198, at p. 42 (May 2013); see also ``Security Benefits Need to Be Reassessed,'' GAO-13-198 (May 2013); ``Transportation Worker Identification Credential: Internal Control Weaknesses Need to be Corrected to Help Achieve Security Objectives,'' GAO-11-657 (May 2011). --------------------------------------------------------------------------- First, the fundamental focus of the TWIC program is wrong. If preventing terrorism is the goal, then targeting American workers for screening, as opposed to targeting containers and cargo, is the wrong approach. On the modern container facilities through which most of our imports and exports travel, port workers like those whom we represent have no real access to the cargo or the documentation associated with the containers' contents. Thus, requiring that workers be screened does not help to prevent facilities from being used to transport items that could be used to commit an act of terrorism. Moreover, the majority of the facilities themselves (whether container terminals or bulk operations) are large, decentralized spaces with workers, cargo, and equipment typically spread out across many acres. These characteristics make the facilities poor targets for a terrorist hoping to have a significant impact on commerce or on the public. Thus, screening the facilities' workforces is not a meaningful way to prevent a terrorist attack. Second, the TWIC program unfairly targets working people and has caused substantial hardships for workers and their families with no added security benefit. In 2006, when TWIC was still in the planning stages, ILWU longshore workers and marine clerks went through a Coast Guard-mandated threat assessment screening to ensure that they did not pose a National security risk.\4\ The ILWU cooperated with the Coast Guard and TSA to complete this process. The ILWU is not aware of any members being found to pose a risk. --------------------------------------------------------------------------- \4\ 71 Fed. Reg. 82 (April 28, 2006) at 25067 (requiring the ILWU to provide the Coast Guard with identifying information, including Social Security Numbers and alien identification numbers for all longshoremen to permit TSA to ``analyze . . . whether or not an employee or longshoreman poses or is suspected of posing a security threat warranting denial of access to the port facility'' and stating that anyone meeting those criteria will be denied access). --------------------------------------------------------------------------- In 2008, when the Department of Homeland Security began to require TWICs to obtain unescorted access to longshore workplaces, the ILWU membership was screened again.\5\ ILWU members applied for TWICs, were fingerprinted, had their irises scanned, underwent criminal background checks, and paid $129.75 each out of their own pockets to obtain these technologically-advanced cards. Almost none of these expensive technologies were ever put to use. --------------------------------------------------------------------------- \5\ 72 Fed. Reg. 3492 (Jan. 25, 2007); 33 CFR 101.514, 104.115(d). --------------------------------------------------------------------------- The Government databases relied upon in evaluating TWIC applications contain an abundance of incomplete and faulty information.\6\ Due to this fact and delays by TSA, some of our members languished for months, unable to work, and unable to support their families while they tried to obtain TWICs.\7\ The following are only a few examples: --------------------------------------------------------------------------- \6\ U.S. Attorney General, ``The Attorney General's Report on Criminal History Background Checks,'' at page 3 (June 2006) (concluding that FBI's database was ``missing final disposition information for approximately 50% of its records''); see also ``A Scorecard on the Post 9/11 Port Worker Background Checks: Model Worker Protections Provide a Lifeline for People of Color, While Major TSA Delays Leave Thousands Jobless During the Recession,'' National Employment Law Project (July 2009), available at http://www.nelp.org/page/SCLP/PortWor- kerBackgroundChecks.pdf?nocdn=1. \7\ The National Employment Law Project, which represented or assisted more than 450 workers seeking to obtain TWICs estimated that workers waited almost 4 months on average to obtain an initial decision from TSA on their TWIC applications and workers waited an average of 7 months for their appeals or waiver requests to be reviewed. ``A Scorecard on the Post- 9/11 Port Worker Background Checks: Model Worker Protections Provide a Lifeline for People of Color, While Major TSA Delays Leave Thousands Jobless During the Recession,'' National Employment Law Project (July 2009), at p. at 5-6. --------------------------------------------------------------------------- William Ericson, a lonsghore worker from Seattle was erroneously denied a TWIC based on incorrect or incomplete information in the notoriously flawed FBI database. Despite 12 years of work history on the waterfront, Brother Ericson sat unable to work for 6 months, exhausted his savings and came close to having his home foreclosed upon before he was able to finally convince TSA that the agency had made a mistake. Another member from Seattle, Steven Richards, was born outside of the United States on a military base. Even though he was a citizen and met all of the qualifications to obtain a TWIC, TSA denied his application. He found himself stuck in the bureaucratic snarl and unable to work for months while TSA obtained the records that proved his citizenship and eligibility. Another member in the San Francisco Bay Area was denied a TWIC because he had previously been convicted of a marijuana- related offense even though the court had expunged his conviction.\8\ He had been a hard-working longshore worker for 18 years and had no other convictions. He spent months waiting for TSA to rule on his initial application and, then even longer waiting for TSA to review his request for a waiver. In the meantime, he was unable to work and his family struggled to avoid losing their home. --------------------------------------------------------------------------- \8\ To protect the member's privacy, we do not include his name. --------------------------------------------------------------------------- These members and others like them posed no risk to the security of the United States. These members are not alone. The Department of Homeland Security reports that, as of May 21, 2013, it had issued initial TWIC disqualification letters to 120,224 people.\9\ TSA has two procedures whereby someone can challenge the denial of a TWIC--appeal and waiver.\10\ Appeal is available to an applicant who was wrongly denied a TWIC. In other words, the applicant met all of the statutory and regulatory criteria for obtaining a TWIC but TSA erroneously denied his or her application anyway.\11\ Waiver can be sought by an applicant who does not meet all of the statutory and regulatory criteria for obtaining a TWIC but who nonetheless ``does not pose a security threat.''\12\ As of May 21, 2013, DHS had received 54,271 appeals and had granted 52,299 (more than 96%). In addition, DHS had received 14,593 waiver requests and granted 12,289 (more than 84%). While these numbers indicate the absolute necessity of having an appeal and waiver process available, they also indicate that TSA initially denied TWICs to more than 50,000 people erroneously and to more than 12,000 people who posed no security threat. Almost certainly, there are tens of thousands more workers who met the requirements to obtain a TWIC but did not or could not appeal their denial or seek a waiver. These people are being wrongly denied access to work for no good reason. --------------------------------------------------------------------------- \9\ http://www.tsa.gov/sites/default/files/publications/pdf/twic/ monthly_dashboard_cur- rent.pdf. \10\ 49 C.F.R. 1515.6-1515.7. \11\ Id. 1515.6(b). \12\ Id. 1515.7(b). --------------------------------------------------------------------------- Third, TWIC has shown itself to be of little to no value if the goal of the program is to limit facility and vessel access. As ILWU members like those discussed above struggled and were denied the ability to work for lack of a TWIC, the ILWU has watched as unknown truckers, rail crews, vessel crews, maintenance workers, and construction crews without TWICs routinely enter and work at marine terminal facilities. Sometimes these workers are ``escorted'' by people with TWICs. However, in many cases the ``escort'' is more theoretical than real and individuals without TWICs work on the facilities largely unmonitored. What is more, these workers have no lasting relationship with the facility owner or operator and therefore pose an arguably more serious security risk than ILWU members. In addition, while ILWU members' backgrounds have been scrutinized in the name of National security, the union has watched waterfront employers eliminate people and protocols that actually improve security and replace them with cost-cutting technologies that are no substitute. For example, many marine terminal operators used to require that seals on stuffed containers be visually checked to ensure that they had not been tampered with. They also previously required that empty containers be opened and checked. To cut costs and speed up the movement of cargo, many employers now use only a camera linked to a monitor at a remote location. But a camera cannot tug on the seals to make sure they are intact, or open empty containers. The ILWU has been advised by some facility owners and operators that, if TWIC readers become mandatory, the employers intend to use the readers to further cut costs by eliminating security guards. Facility security personnel know the regular workforce on the docks and, therefore, know who belongs and who does not. Again, technology is no substitute, particularly given the serious flaws with TWIC card technology and readers noted by the GAO.\13\ --------------------------------------------------------------------------- \13\ GAO-13-198, ``Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed,'' (May 8, 2013) at 25 (``according to officials from two pilot sites, approximately 70 percent of the TWICs they encountered when testing TWICs against contactless readers had broken antennas or malfunctioned. Further, a separate 2011 report commissioned and led by USCG . . . identified one site where 49 percent of TWICs could not be read in contact-less (or proximity mode, and two other sites where 11 percent and 13 percent of TWICs could not be read in contact-less mode. Because TWIC cards malfunctioned, they could not be detected by readers.''). --------------------------------------------------------------------------- For all of these reasons, TWIC is misguided. It does not improve port security and it unfairly targets working people. Public monies can and should be put to better use. The ILWU appreciates the opportunity to submit these comments and thanks the committee for its consideration. Ms. Gabbard. Thank you. Mrs. Miller. Again, thank you to the witnesses very much. The committee is now adjourned. [Whereupon, at 11:25 a.m., the subcommittee was adjourned.] A P P E N D I X ---------- Questions From Chairwoman Candice S. Miller for Joseph A. Servidio Question 1. A Coast Guard official started in an interview with a Fierce Homeland Security reporter ``there is not a real strong nexus between the results of the pilot program and what is in the reader regulation.'' However, the pilot was referenced several times in the NPRM. What data from the TSA pilot were used to inform the NPRM? Could this information have been provided through other means? How can the Coast Guard be certain the NRPM will not have negative impacts on business operations knowing that this system has not truly been tested? Had the TSA pilot been more complete or shown a strong feasibility in carrying out the biometric requirements of the TWIC program, would the rule have sought to regulate more than 5 percent of all MTSA-regulated vessels and facilities? Answer. The Coast Guard used the best available data to characterize economic impacts, which in some cases resulted in using sources other than the TWIC pilot. Specifically, the TWIC pilot was the main data source associated with the cost to install TWIC readers, as well as the number of readers required per access point, throughput times, and failure rates of readers. However, TWIC pilot data was supplemented with other available data sources to provide preliminary estimates of other costs and benefits. Other data sources included the Marine Information for Safety and Law Enforcement (MISLE) database for population figures, the Marine Security Risk Assessment Model (MSRAM) for risk hierarchy and consequence data, the General Services Administration (GSA) schedule for reader hardware and software costs, and other literature for basic background on TWIC reader deployment. Based on the judicious use of all data sources, the Coast Guard has confidence in the proposed regulation's limited impact on business operations as noted in the Regulatory Assessment. Decisions regarding application of TWIC reader requirements were not driven by any limitations of the TWIC pilot, but rather by comparing costs of the requirements versus benefits gained. In the case of vessels, given the inherent limits on manning for barges (and thereby the limited utility for using a reader to verify the identity of mariners accessing any secure spaces on a barge), barges were excluded from TWIC reader requirements, thus eliminating approximately 51 percent of the MTSA population (includes vessels and facilities). Similarly, other vessels with lower risk (e.g., vessels not engaged in transport of hazardous cargoes) and/or with fewer than 14 TWIC-holding crewmembers were eliminated given relatively low utility for the cost. This eliminated another 32 percent of the MTSA population (for a total of about 83 percent of the MTSA population exempted in the current proposal). Similar logic was applied to facilities, with requirements imposed on those 20 percent of MTSA facilities that comprised approximately 80 percent of the risk exposure. By eliminating lower risk facilities, another 13 percent of the MTSA population was exempted from requirements for a total of about 95 percent of the MTSA population exempted from reader requirements. Question 2. Since 9/11, Congress has implemented legislation specifically addressing perceived vulnerabilities with containerized cargo entering the United States. However, no container facilities will fall within Risk Group A, and thus will not be impacted by the proposed reader regulations at this time. Does containerized cargo deserve to be in a higher-risk group, or are earlier concerns regarding the threat within containerized cargo overstated? If container facilities are a major vulnerability, why are they not widely impacted by the proposed card reader rule? Answer. In the development of the NPRM, the Coast Guard evaluated TWIC reader requirements alternatives to those proposed in the NPRM including an alternative that would have required the installation of TWIC readers at Risk Group A facilities and all container facilities. The Coast Guard considered this alternative because container facilities are perceived to pose a unique threat to the maritime sector due to the transfer risk associated with containers (i.e., there is a greater risk of a threat coming through a container facility and inflicting harm or damage elsewhere than with any other facility type). However, as discussed in the preamble of the NPRM, many of the high- risk threat scenarios at container facilities would not be mitigated by TWIC readers. Although TWIC readers serve as an additional access control measure, they do not mitigate the threat associated with the contents of a container, and would not improve screening of cargoes for dangerous substances or devices. Additionally, the costs/impacts for TWIC readers at container facilities would not be justified by the amount of potential risk reduction at these facilities. This alternative would increase the burden on industry by increasing the affected population from 532 facilities to 651 facilities. The discounted 10-year costs would go from $186.1 million to $624.9 million. The inclusion of container facilities would also potentially have adverse environmental impacts due to increased air emissions due to longer queuing times and congestion at facilities. Question 3. In recent years, many port facilities have designated Port Security Grant funds specifically to procure TWIC readers and other equipment associated with TWIC implementation. How many facilities not in Group A, have received funding for TWIC card readers and infrastructure? Is it your expectation that Group B and C facilities, which are not required to purchase card readers, will still go ahead with the investment? Did the Coast Guard take into consideration, while drafting the NPRM, whether or not risk Group B or C facilities have already obtained Port Security Grant funding to purchase card readers? Answer. In the development of the TWIC Reader NPRM, the Coast Guard specifically focused on risk, security, and economic impacts rather than taking into consideration whether or not facilities had voluntarily purchased electronic TWIC Readers (with or without PSG funding). The Coast Guard expects that each facility in Groups B and C will make a determination on whether to implement readers based on what best meets its specific business and security needs and assessments. Absent of regulatory requirement, there is no expectation for B and C facilities to implement readers. The PSG Program allocates funds towards maritime security risk mitigation projects based on risk. Eligible PSG applicants may request several different projects within an application of which a TWIC project may be one of the projects or part of a project. PSG Program financial data is maintained via methodology established by Congress for Federal grant funding. From fiscal year 2007 through fiscal year 2012, a total of 401 TWIC implementation projects were approved by DHS, and a total of $144.7 million was awarded for TWIC projects. Funding awarded for TWIC projects represented 7.5% of the total PSG Program funding ($1.92 billion) awarded during the period. Question 4. The crewmembers operating the Saugatuck Chain Ferry, out of Saugatuck, Michigan are required to carry a TWIC card. Given the low threat nature of this vessel as it operates on a fixed chain system propelled by a hand crank does it make sense for crewmembers of this vessel to be required to carry a TWIC card? Has there been any consideration to waive the requirement for crewmembers to obtain a TWIC card for vessels like this? Answer. The Saugatuck Chain Ferry (also known as the M/V DIANE) is a Coast Guard inspected 46 CFR Subchapter `T' small passenger vessel that operates on the Kalamazoo River (a navigable waterway). In accordance with Coast Guard Policy Letter 11-15, since the Saugatuck Chain Ferry does not meet the applicability requirements of maritime security for vessels (33 CFR 104.105) and therefore is not required to maintain a Vessel Security Plan (VSP), a credentialed mariner operating the vessel is not required to retain a Transportation Worker Identification Credential (TWIC). However, individuals applying for their initial Merchant Mariner Credential (MMC) are required to apply for a TWIC in order to undergo a Security Threat Assessment (STA). Such persons would only need to pass the STA in order to obtain their MMC. There is no requirement for that individual to actually hold a valid TWIC unless they are working on a vessel required to hold a VSP. Additionally, the Coast Guard will not require a mariner who holds or has held a TWIC to renew it in order to renew their current credential. Because of the Saugatuck Chain Ferry's route and service, the operator of the vessel is required to possess a Coast Guard issued MMC. The Coast Guard does not have the authority to waive this statutory requirement. Therefore, any person applying for their initial MMC who would like to then use that MMC to operate the Saugatuck Chain Ferry would have to apply for a TWIC in order to undergo a STA, but would not be required to carry the TWIC. Questions From Chairwoman Candice S. Miller for Stephen M. Lord [Note.--The responses are based on work associated with our previously issued products.]\1\ --------------------------------------------------------------------------- \1\ See GAO, Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed, GAO-13-198 (Washington, DC: May 8, 2013); Transportation Security: Actions Needed to Address Limitations in TSA's Transportation Worker Security Threat Assessments and Growing Workload, GAO-12-60 (Washington, DC: Dec. 8, 2011); Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives, GAO-11-657 (Washington, DC: May 10, 2011); Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives, GAO-11-648T (Washington, DC: May 10, 2011); and Transportation Worker Identification Credential: Progress Made in Enrolling Workers and Activating Credentials but Evaluation Plan Needed to Help Inform the Implementation of Card Readers, GAO-10-43 (Washington, DC: Nov. 18, 2009). --------------------------------------------------------------------------- Question 1. Although TWIC was originally intended to be the common credential for workers in all modes of transportation, it has been limited to strictly a maritime security access control credential. The Coast Guard has further limited its scope by developing a Notice of Proposed Rulemaking (NPRM) which applies to less than 5 percent of all MTSA-regulated vessels and facilities. Given that the reader requirement is not being applied to Group B and C facilities should TWIC be further reduced by limiting issuance and use to only the highest-risk maritime facilities? Answer. Given the current uncertainties surrounding the implementation of the TWIC program in the maritime environment, and the program weaknesses highlighted in our 2011 and 2013 reports, limiting the use of TWIC to maritime facilities where the Coast Guard can clearly demonstrate that use of TWIC will effectively mitigate the three terrorist scenarios illustrated in the March 2013 NPRM (i.e., a truck bomb, a person/passenger carrying an improvised explosive device (IED), or a terrorist assault team) would be consistent with our findings and recommendations.\2\ As highlighted in our May 2013 report, the TWIC pilot conducted to test the use of TWICs with biometric card readers and other supporting analyses did not provide DHS with complete and accurate information on the impact of TWIC on facility and vessel operations or the added security benefits that the TWIC may provide.\3\ For example, we found that the pilot test's results were unreliable, and that DHS has not assessed the effectiveness of TWIC at enhancing security or reducing risk at Maritime Transportation Security Act (MTSA)-regulated facilities and vessels. While the current NPRM is aimed at implementing the use of TWIC with readers at Group A/highest- risk-vessels and facilities, the NPRM suggests allowing for the expanded use of TWIC with readers at lower-risk facilities in the future. --------------------------------------------------------------------------- \2\ GAO-11-657 and GAO-13-198. \3\ GAO-13-198. --------------------------------------------------------------------------- Question 2. DHS argues that the decentralized security credential similar to the airport's Secure Identification Display Area (SIDA) badge is not comparable to TWIC because airport workers generally work at only one airport and disagrees with the GAO assessment that ``maintaining site-specific credentials enhances security.'' Why do you believe decentralized security ``enhances security?'' What examples of such a decentralized approach would you recommend DHS evaluate for use at port facilities? Answer. Based on findings from our prior work, a decentralized credentialing approach could help remediate internal control weaknesses identified in our May 2011 report, and may therefore enhance security.\4\ Among others, we reported that TWIC program controls are not in place to determine whether an applicant has a need for a TWIC, and that our investigators were successful in obtaining authentic TWIC cards despite going through the background-checking process. As implemented, a uniform TWIC credential is issued by TSA after it conducts a security threat assessment. Operator participation is not required as part of this centralized TWIC enrollment, security review, or issuance process. According to our review of the evidence, operator participation, as would be required under a decentralized credentialing approach using facility- or port-specific credentials, could help validate an individual's identity and need for a credential to access a specific facility or vessel prior to issuing the credential. Maritime vessel and facility operators have a paramount interest in securing their assets. Involving operators in the credentialing process gives them more control and insight into the risks posed by people seeking access to secure areas, and could better ensure operators and the Federal Government of the individual's identity, need for a credential, and need for access to specific vessels and facilities. --------------------------------------------------------------------------- \4\ See, for example, GAO-13-198; GAO-12-60; and GAO-11-657. --------------------------------------------------------------------------- As we reported in May 2011, the TWIC program's internal controls for positively identifying an applicant, arriving at a security threat determination for that individual, and approving the issuance of a TWIC, are not designed to provide reasonable assurance that only qualified applicants can acquire TWICs. If an individual presents an authentic TWIC acquired through fraudulent means when requesting access to the secure areas of a MTSA-regulated facility or vessel, the cardholder is deemed not to be a security threat to the maritime environment because the cardholder is presumed to have met TWIC-related qualifications during a background check. In such cases, these individuals could inappropriately gain unescorted access to secure areas of a MTSA-regulated facility or vessel, as our investigators did for our May 2011 report and again for our May 2013 report. Through our work on the TWIC program, we have not identified any industry-wide common credential--beyond TWIC--that is used as a security tool for controlling access to individual, and often privately-owned, entities. Moreover, the Federal Government, which provides access to its many departments and agencies, does not use a single identification credential for controlling access to its facilities and vessels. Under the Federal model, agencies apply a standard for conducting background checks and creating the credentials. For example, as we reported in May 2011, TWIC is unlike other Federally-sponsored access control credentials, such as the Department of Defense's Common Access Card--the agency-wide standard identification card--for which sponsorship by an employer is required. For these Federal credentialing programs, employer sponsorship begins with the premise that an individual is known to need certain access as part of his or her employment. Further, the employing agency is to conduct a background investigation on the individual and has access to other personal information, such as prior employers, places of residency, and education, which it may confirm as part of the employment process and use to establish the individual's identity. According to our analysis, use of a decentralized credentialing approach could enhance the TWIC program's identity verification, vetting, and issuance controls by leveraging the employer and operator's knowledge of the individual's background and need for an access credential prior to conducting the Federal security threat assessment required as part of the TWIC program. In addition, localized control over credential issuance could enhance security by making it easier for individuals to replace lost or nonfunctioning credentials on site, and forgo potential travel times and waiting periods currently experienced under the TWIC program. Similarly, the decentralized aviation model may enhance security to a greater extent than the TWIC because this model includes employer sponsorship, background vetting at the local level, a Federal security threat assessment, and card revocation at the local level. For example, based on our prior work, in order to receive a SIDA, a person seeking a credential is sponsored by a previously vetted and authorized individual within the airport. This process provides greater assurance that the person seeking the credential has a real need for the credential and that the person is the person he or she claims to be on the application. Further, since the credential is valid only within a given airport, the person holding the credential cannot use that credential to access other airports where he or she has no legitimate need to gain access. As demonstrated by our covert tests, having a TWIC provided the appearance of legitimacy for our testers and allowed them to access multiple facilities with a single card. Moreover, the SIDA vetting process allows local airport authorities to see the criminal background check information pulled by DHS from the Federal Bureau of Investigation (FBI). Airport authorities use this information to make the determination about whether to grant or deny a credential. This allows the totality of an individual's criminal background to be considered, not just disqualifying offenses. We found that the Transportation Security Administration (TSA) has the authority and discretion to do this for the TWIC program but has seldom done so as part of the adjudication process.\5\ Consequently, under the SIDA model, airport authorities have greater control and ability to watch over the vetting process. Similarly, when local credentials are granted by local authorities, they can be customized for the unique needs of the facilities and can be revoked by the facilities, thus providing the facilities with greater control. As we found during our December 2011 work on local credentialing programs, when Florida repealed provisions of law requiring workers accessing the State's 12 active deepwater public ports to undergo a State criminal history records check, individuals with criminal backgrounds who were kept out of the ports were allowed to return to work because they possessed a TWIC.\6\ --------------------------------------------------------------------------- \5\ GAO-11-657. \6\ GAO-12-60. --------------------------------------------------------------------------- Regarding TSA's assertion that the lack of a common credential across the industry could leave facilities open to a security breach with falsified credentials, DHS has not provided or discussed with us any studies or evidence showing that use of a centralized common access credential enhances security beyond use of port- or facility-specific credentials supplemented by a Federal security threat assessment. As we reported in May 2011, unlike prior access control approaches that allowed access to a specific facility, the TWIC potentially facilitates access to thousands of facilities once the Federal Government attests that the TWIC holder has been positively identified and is deemed not to be a security threat. Further, DHS argues that the aviation industry's SIDA badge is not comparable to TWIC because airport workers generally work at only one airport. However, during the course of our work, DHS did not provide us with analysis on the number of TWIC holders that are ``transient'' or for whom a local port-specific credential(s) could necessitate the need for multiple credentials. Further, DHS did not provide us with analysis demonstrating that the majority of people seeking access to maritime facilities require more access control credentials than individuals working in the airport environment, or showing the extent to which requiring multiple access control credentials negatively affects security. Use of a single credential to access thousands of maritime facilities Nation-wide may prove to be more convenient for certain individuals or segments of the transportation industry. However, the TWIC program's primary intention is to enhance security. Given the lack of validated analysis available to support DHS's position on the security merits of using a common credential such as TWIC instead of a local port- or facility-specific credential supplemented by a Federal security threat assessment, we continue to believe that our May 2011 recommendation to DHS that it conduct an effectiveness assessment of the TWIC program, has merit and should be implemented. We also continue to believe that our May 2013 suggestion to Congress that it consider requiring that DHS complete such an assessment, including a comprehensive comparison of alternative credentialing approaches, which might include a more decentralized approach for achieving TWIC program goals, before implementing a final regulation requiring the use of TWIC cards with biometric readers, has merit and should be implemented. Question 3. Considering the numerous delays and tribulations with the TWIC program over the past 11 years would the Department be able to produce a better product if only one component was responsible for the entire program? Answer. It is unclear that making one component responsible for the entire TWIC program would enhance the program at this time. The Coast Guard has primary responsibility for ensuring the safety and security of maritime ports and has individuals stationed at the ports, among other things. However, TSA manages the resources for conducting required security threat assessments for TWIC and other transportation- related credentials. Therefore, moving the security threat assessment function to the Coast Guard may create duplication, though we have not conducted work in this area.