TWIC Access Credentials Under Fire
By Brian Rhodes, Published Oct 20, 2014, 12:00am EDTOne of the biggest credential formats in the US is barely hanging on. With over 3 million TWIC cards issued, it is one of the most common ID carried by federal employees and private contractors alike to enter sensitive security areas like seaports.
However, after hundreds of millions have been spent, politicians and security managers alike are asking "Is this worth it?" A new Congressional inquiry will likely spell the end of TWIC. In this note we look at the issue and how it impacts the access control market.
Background
First announced in 2007, 'Transportation Worker Identification Credential' program aimed to issue a common smartcard to workers employed in the US Maritime industry, including the US Coast Guard and Port Authority personnel. To date, over 3 million cards have been issued to these workers.
The goal of TWIC is straightforward: standardize eligibility background checks and credentialing at every US maritime facility, regardless of who is asking for access. Especially in the maritime sector, sensitive or hazardous cargos are routinely handled by longshoremen and the trucking industry, and merchant mariners need access to areas occupied by naval vessels. Ensuring everyone with access to these areas is legitimate is crucial to maintaining local and even national security.
Prior Headaches
However, TWIC has faced development and deployment issues since the very beginning. Early difficulties in writing the standard resulted in mixed implementations that often did not reliably work in physical and logical access control systems. Many of the expected benefactors of TWIC were the loudest critics, resulting in countless editorials like:
Over time, the early interoperability problems like 35,000 bad cards [link no longer available], no card readers, or discrepancies interpreting the standard have evened out, but many question what has been improved or is easier now than before.
For many affected access systems, modifying them to work with TWIC cards is costly and slow, as the design requirements have frequently changed [link no longer available] since introduction. Many TWIC facilities still use two separate credentials for access and identity, against the major intent of the program.
Too Costly
The bottom line impression most administrators and lawmakers have about TWIC is the extreme costs involved to implement it. To date, the program has cost an estimated $420 million, far exceeding the initial estimates. This results in a cost of about $140 each credential currently issued, and while federal employees do not pay for these, many in the private sector are saddled with routine application and renewal fees.
Furthermore, major aspects of TWIC still do not fully work. For example, the biometric credentialing element has been fraught with delays and is not active [link no longer available], meaning that many high-security facilities are still relying on manned checkpoints to verify employee identity.
Reform Coming
US lawmakers have passed a bill (HR3202) challenging TWIC and calling for a decision to either deeply reform or outright scrap the program.
Citing TWIC's redundancy with other federal credential programs like FIPS-201-2, the question is whether TWIC is the best available option to address the issue of common credentialing in sensitive facilities.
The major reforms actions described in the bill are being reviewed now, and final decisions about the program are expected by the end of next congressional session.
Market Impact
While impact may not be immediate, both TWIC deployments and development will change. The number of off-the-shelf 'TWIC readers' compatible with mainstream access solutions will be few, as vendors will hesitate to commit development until future development is firm.
In the meantime, while scrutiny is applied to TWIC, other federal credential solutions like (FIPS-201) PIV-II CAC will gain traction.
