Covert government investigators were able to successfully enroll in a homeland security credentialing program aimed at increasing security at the nation’s seaports through the use of counterfeit and fraudulently acquired identification documents, demonstrating that there are security vulnerabilities in the Transportation Worker Identification Credential (TWIC) program, the Government Accountability Office (GAO) says in a report this week.
The documents used by the GAO testers were good enough to let them successfully pass background checks conducted by the Transportation Security Administration (TSA) as part of the process port and related maritime workers go through to obtain a TWIC card. TWIC cards have been in use for two years to control access to secure areas of ports and vessels.
While the Department of Homeland Security has processes and controls in place related to individuals applying for and obtaining a TWIC card, “internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program’s ability to provide reasonable assurance that access to secure areas of MTSA (Maritime Transportation Security Act)-regulated facilities is restricted to qualified individuals,” GAO says in its report, Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives (GAO-11-657). GAO released an unclassified version of the report on May 10.
Sen. Susan Collins (R-Maine), the ranking member on the Homeland Security and Governmental Affairs Committee, in a statement said that TWIC has worked but said it is “disturbing that GAO investigators could obtain credentials and access several ports using counterfeit TWICS and authentic credentials acquired through fraudulent means.”
Through early January, TSA had issued about 1.6 million TWIC cards to port workers. The agency is responsible for enrolling applicants, conducting background checks and issuing TWIC credentials.
Lockheed Martin [LMT] is TSA’s prime contractor for TWIC. The Coast Guard develops TWIC security regulations and ensures that port facilities and vessels are complying with these regulations.
To access secure areas of ports and vessels, TWIC cardholders currently use their credentials as a flash pass, meaning they are visually inspected. Under TWIC, the goal is to have biometric-enabled electronic readers in place to verify that the holder of the card is the person who was issued the card.
While TSA has pilot projects underway at seven ports, a final rule for implementing the readers won’t be ready until late 2012 at the earliest, GAO says. Since last December, all Coast Guard sectors and Maritime Safety and Security Teams have handheld TWIC readers to conduct random compliance checks of port workers and their cards with the program.
Through FY ’10, the TWIC program has had $420 million in funding authority. DHS estimates that the program could cost the federal government and private sector between $694 million and $3.2 billion over 10 years, excluding costs associated with implementing and operating the electronic readers, GAO says.