Transportation Worker Identification Credential (TWIC) Biometric Reader Specification and TWIC Contactless Smart Card Application

Federal Register, Mar 16, 2007
72 Fed. Reg. 12626 (Mar. 16, 2007)

AGENCY:

Coast Guard, DHS.

ACTION:

Notice of availability and request for comments.

SUMMARY:

The Coast Guard announces the availability of a draft Transportation Worker Identification Credential (TWIC) biometric reader specification and a draft TWIC contactless smart card application. These draft documents have been recommended to the Coast Guard by the National Maritime Security Advisory Committee. We request your comments on these draft recommended specifications, and on specific questions found at the end of this notice.

DATES:

Comments and related material must reach the Docket Management Facility on or before March 30, 2007.

ADDRESSES:

You may submit comments identified by Coast Guard docket number USCG-2007-27415 to the Docket Management Facility at the U.S. Department of Transportation. To avoid duplication, please use only one of the following methods:

(1) Web site: http://dms.dot.gov.

(2) Mail: Docket Management Facility, U.S. Department of Transportation, 400 Seventh Street SW., Washington, DC 20590-0001.

(3) Fax: 202-493-2251.

(4) Delivery: Room PL-401 on the Plaza level of the Nassif Building, 400 Seventh Street SW., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The telephone number is 202-366-9329.

FOR FURTHER INFORMATION CONTACT:

If you have questions on this notice, or the recommendations referenced in it, please contact Lieutenant Danielle Fennelly, U.S. Coast Guard, at 202-372-1136. If you have questions on viewing or submitting material to the docket, call Renee V. Wright, Program Manager, Docket Operations, telephone 202-493-0402.

SUPPLEMENTARY INFORMATION:

Public Participation and Request for Comments

We encourage you to submit comments and related material on the recommended specification and application. All comments received will be posted, without change, to http://dms.dot.gov and will include any personal information you have provided. We have an agreement with the Department of Transportation (DOT) to use the Docket Management Facility. Please see DOT's “Privacy Act” paragraph below.

Submitting comments: If you submit a comment, please include your name and address, identify the docket number for this notice (USCG-2007-27415), and give the reason for each comment. You may submit your comments and material by electronic means, mail, fax, or delivery to the Docket Management Facility at the address under ADDRESSES; but please submit your comments and material by only one means. If you submit them by mail or delivery, submit them in an unbound format, no larger than 8½ by 11 inches, suitable for copying and electronic filing. If you submit them by mail and would like to know that they reached the Facility, please enclose a stamped, self-addressed postcard or envelope. We will consider all comments and material received during the comment period.

Viewing the comments and specifications: To view the comments and recommended specification and application, go to http://dms.dot.gov at any time, click on “Simple Search,” enter the last five digits of the docket number for this notice, and click on “Search.” You may also visit the Docket Management Facility in room PL-401 on the Plaza level of the Nassif Building, 400 Seventh Street SW., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

Privacy Act: Anyone can search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review the Department of Transportation's Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477), or you may visit http://dms.dot.gov.

Background and Questions for Comment

The National Maritime Security Advisory Council (NMSAC) was created pursuant to the Federal Advisory Committee Act, 5 U.S.C., App. 2 (FACA) in 2003. The membership of NMSAC, which includes 21 voting members, was selected to represent all viewpoints regarding maritime security challenges and to inform the Coast Guard of relevant maritime security issues. At the regular NMSAC meeting of November 14, 2006, the Coast Guard and the Transportation Security Administration (TSA) asked NMSAC to develop a contactless biometric specification for TWIC by February 28, 2007, applying expertise from the biometric credentialing industry and maritime industry TWIC stakeholders. The specification was required to:

a. Be non-proprietary;

b. Incorporate appropriate security and privacy controls;

c. Be consistent with FIPS 201-1 credential specifications;

d. Be capable of serving as a platform for future capabilities;

e. Be capable of supporting maritime operations; and

f. Be easily manufactured.

TSA and Coast Guard recommended that the task be addressed by dividing responsibilities to construct operational maritime requirements and technology specifications. We recommended that operational maritime requirements be developed by members of maritime industry and that they address credential authentication (e.g. authentication time and process, and alternate authentication procedures); durability requirements; and credential management procedures, including key management. We recommended that the technology specifications be developed with the technical expertise of biometric credentialing experts and address smart card, reader, and keying specification. The formal request from the TWIC program to NMSAC is available at the following URL: http://homeport.uscg.mil under Missions > Maritime Security > Maritime Transportation Security Act (MTSA) > National Maritime Security Advisory Committee (NMSAC) > TWIC Contactless Specification Development Working Group, and in the docket for this notice.

On March 1, 2007, the Coast Guard received NMSAC's report, entitled “Recommendations on Developing a Contactless Biometric Specification for the TWIC.” The report includes two recommended specifications. NMSAC expressed a strong preference for the first recommended specification, which does not require encryption of the cardholder's fingerprint template; this would permit the template to be read by a reader when the card is energized by a contactless reader. The second recommended specification provides for encryption of the fingerprint template, which protects the template from being read contactlessly unless information on the card's magnetic stripe is read by the reader and authorizes the release of the template. Encryption protects the template from being read covertly. However, if a TWIC is stolen or is in the hands of an unauthorized holder, encryption does not prevent the transfer of the template to a TWIC reader.

Both sets of recommended specifications are available at the following URL: http://homeport.uscg.mil under Missions > Maritime Security > Maritime Transportation Security Act (MTSA) > National Maritime Security Advisory Committee (NMSAC) > TWIC Contactless Specification Development Working Group. They are also available in the docket for this notice.

We invite comment on all aspects of the NMSAC recommended specifications, and in particular those that address the following questions:

1. Should additional security measures be included in the specifications, such as the use of a PIN, to further minimize the chance that a fingerprint template from a lost or stolen credential could be obtained by an unauthorized individual? If so, would the addition of a PIN or other security measure adversely impact operations? Does the length of the PIN affect adverse impacts in any measurable way?

2. What, if any, privacy concerns exist if the fingerprint template is obtained by an unauthorized individual?

3. How would the recommended specifications impact facility and vessel security and operations?

4. How would the recommended specifications impact existing physical access control systems?

5. Are there alternative designs we should consider, and if so, what are the advantages and disadvantages of the alternative designs?

6. How would the recommended specifications impact product, system, and operational costs?

7. How quickly could the recommended specifications be incorporated into the design and manufacture of access control equipment?

8. Should there be a process for identifying a Qualified Products List (QPL) or other equivalent regime? If so, what is the most efficient and effective way of creating a QPL?

The Coast Guard and TSA will examine all comments received concerning NMSAC's recommended specifications and the questions above. We will issue a Notice in the Federal Register to explain and announce the selected technology specification as we proceed with the TWIC program, in particular, the upcoming pilot programs in which we will field test the use of TWIC in biometric readers in the maritime environment.

Dated: March 13, 2007.

J.G. Lantz,

Director of National and International Standards, Assistant Commandant for Prevention.

[FR Doc. 07-1305 Filed 3-13-07; 3:40 pm]

BILLING CODE 4910-15-P