[Federal Register Volume 78, Number 56 (Friday, March 22, 2013)]
[Proposed Rules]
[Pages 17782-17833]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-06182]



[[Page 17781]]

Vol. 78

Friday,

No. 56

March 22, 2013

Part II





Department of Homeland Security





-----------------------------------------------------------------------





Coast Guard





-----------------------------------------------------------------------





33 CFR Parts 101, 104, 105, et al.





 Transportation Worker Identification Credential (TWIC)--Reader 
Requirements; Proposed Rule

  Federal Register / Vol. 78 , No. 56 / Friday, March 22, 2013 / 
Proposed Rules  

[[Page 17782]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Coast Guard

33 CFR Parts 101, 104, 105 and 106

[Docket No. USCG-2007-28915]
RIN 1625-AB21


Transportation Worker Identification Credential (TWIC)--Reader 
Requirements

AGENCY: Coast Guard, DHS.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: In this Notice of Proposed Rulemaking (NPRM), the Coast Guard 
proposes to require owners and operators of certain vessels and 
facilities regulated by the Coast Guard to use electronic readers 
designed to work with the Transportation Worker Identification 
Credential (TWIC) as an access control measure. This NPRM also proposes 
additional requirements associated with electronic TWIC readers, 
including recordkeeping requirements for those owners and operators 
required to use an electronic TWIC reader, and security plan amendments 
to incorporate TWIC requirements. The TWIC program, including the 
proposed TWIC reader requirements in this rule, is an important 
component of the Coast Guard's multi-layered system of access control 
requirements and other measures designed to enhance maritime security.
    This rulemaking action, once final, would build upon existing Coast 
Guard regulations designed to ensure that only individuals who hold a 
TWIC are granted unescorted access to secure areas at those locations. 
The Coast Guard has already promulgated regulations pursuant to the 
Maritime Transportation Security Act of 2002 (MTSA) that require 
mariners and other individuals to obtain a TWIC and present it for 
inspection by security personnel prior to gaining access to such secure 
areas. By requiring certain vessels and facilities to perform TWIC 
inspections using electronic TWIC readers, this rulemaking would 
further enhance security at those locations. This rulemaking would also 
implement the Security and Accountability For Every Port Act of 2006 
electronic TWIC reader requirements.

DATES: Comments and related material must either be submitted to our 
online docket via http://www.regulations.gov on or before May 21, 2013 
or reach the Docket Management Facility by that date. Comments sent to 
the Office of Management and Budget (OMB) on collection of information 
must reach OMB on or before May 21, 2013.

ADDRESSES: You may submit comments identified by Coast Guard docket 
number USCG-2007-28915 to the Docket Management Facility at the U.S. 
Department of Transportation. To avoid duplication, please use only one 
of the following methods:
    (1) Federal eRulemaking Portal: http://www.regulations.gov.
    (2) Mail: Docket Management Facility (M-30), U.S. Department of 
Transportation, West Building Ground Floor, Room W12-140, 1200 New 
Jersey Avenue SE., Washington, DC 20590.
    (3) Fax: 202-493-2251.
    (4) Delivery: Room W12-140 on the Ground Floor of the West 
Building, 1200 New Jersey Avenue SE., Washington, DC 20590, between 9 
a.m. and 5 p.m., Monday through Friday, except Federal holidays. The 
telephone number is 202-366-9329.
    Collection of Information Comments: If you have comments on the 
collection of information discussed in this NPRM, you must also send 
comments to OMB's Office of Information and Regulatory Affairs (OIRA). 
To ensure that your comments to OIRA are received on time, the 
preferred methods are by email at [email protected] (include 
the docket number and ``Attention: Desk Officer for Coast Guard, DHS'' 
in the subject line of the email) or fax at 202-395-6566. An alternate, 
though slower, method is by U.S. mail to the Office of Information and 
Regulatory Affairs, Office of Management and Budget, 725 17th Street 
NW., Washington, DC 20503, ATTN: Desk Officer, U.S. Coast Guard.

FOR FURTHER INFORMATION CONTACT: If you have questions on this proposed 
rule, call Lieutenant Commander Loan T. O'Brien, Coast Guard, telephone 
202-372-1133. If you have questions on viewing or submitting material 
to the docket, call Barbara Hairston, Program Manager, Docket 
Operations, telephone 202-366-9826.

SUPPLEMENTARY INFORMATION: 

Table of Acronyms

AHP Analytical Hierarchy Process
ANPRM Advanced Notice of Proposed Rulemaking
ASP Alternative Security Program
CAC Card Authentication Certificate
CCL Canceled Card List
CDC Certain Dangerous Cargoes
CFR Code of Federal Regulations
CGAA 2010 Coast Guard Authorization Act of 2010 (Pub. L. 111-281)
CHUID Card Holder Unique Identifier
CI/KR Critical Infrastructure/Key Resources
COTP Captain of the Port
DHS Department of Homeland Security
DPEA Draft Programmatic Environmental Assessment
FASC-N Federal Agency Smart Credential-Number
FONSI Finding of No Significant Impact
FSP Facility Security Plan
HSI Homeland Security Institute
ICE Test Initial Capability Evaluation Test
IPT Integrated Product Team
MARSEC Maritime Security
MERPAC Merchant Marine Personnel Advisory Committee
MISLE Marine Information for Safety and Law Enforcement
MODU Mobile Offshore Drilling Unit
MSRAM Maritime Security Risk Analysis Model
MTSA Maritime Transportation Security Act of 2002
NIST National Institute of Standards and Technology
NMSAC National Maritime Security Advisory Committee
NPRM Notice of Proposed Rulemaking
NTTAA National Technology Transfer and Advancement Act
NVIC Navigation and Vessel Inspection Circular
OCS Outer Continental Shelf
OIRA Office of Information and Regulatory Affairs
OMB Office of Management and Budget
OSV Offshore Supply Vessel
PAC-D Policy Advisory Council Decision
PACS Physical Access Control System
PIN Personal Identification Number
QTL Qualified Technology List
RUA Recurring Unescorted Access
SAFE Port Act Security and Accountability For Every Port Act of 2006
SBA Small Business Administration
SSI Sensitive Security Information
TSA Transportation Security Administration
TSAC Towing Safety Advisory Committee
TSI Transportation Security Incident
TWIC Transportation Worker Identification Credential
TWIC 1 Final Rule Transportation Worker Identification Credential 
(TWIC) Implementation in the Maritime Sector; Hazardous Materials 
Endorsement for a Commercial Driver's License, 72 FR 3492 (Jan. 25, 
2007)
TWIC 1 NPRM Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Proposed Rules, 71 FR 29396 
(May 22, 2006)
VSP Vessel Security Plan

Table of Contents

I. Public Participation and Request for Comments
    A. Submitting Comments
    B. Viewing Comments and Documents
    C. Privacy Act
    D. Public Meetings
II. Executive Summary
    A. Purpose of the Regulatory Action
    1. Need for the Regulatory Action
    2. Legal Authority for the Regulatory Action
    B. Summary of the Major Provisions of the Regulatory Action
    C. Summary of Costs and Benefits

[[Page 17783]]

III. Background and Purpose
    A. General Information About the Transportation Worker 
Identification Credential
    B. Statutory and Regulatory History
    C. Risk-Based Approach to Categorizing Vessels and Facilities
    D. ANPRM Proposals
    1. Classification of Vessels and Facilities into Risk Groups
    2. TWIC Reader Requirements for Risk Group A
    3. TWIC Reader Requirements for Risk Group B
    4. TWIC Requirements for Risk Group C
    5. Recurring Unescorted Access
    6. TWIC Reader Approval, Calibration, and Compliance
    7. Security Plan Amendment
    8. Recordkeeping
    9. Additional Persons Required To Obtain TWICs
    E. Public Comments Received in Response to the ANPRM and Public 
Meeting
    1. General Comments
    2. Statutory Authority
    3. Risk-Based Approach
    a. General
    b. MSRAM
    c. Movement Between Risk Groups
    d. MARSEC Levels
    e. CCL and ``Privilege Granting''
    f. PIN Usage
    4. Utility of TWIC Readers in Reducing TSI Vulnerability
    5. TWIC Reader Requirements on Vessels
    6. TWIC Reader Requirements for Risk Group A
    a. Risk Group A Classification
    b. Risk Group A TWIC Reader Requirements
    7. TWIC Reader Requirements for Risk Group B
    a. Risk Group B Classification
    b. Risk Group B TWIC Reader Requirements
    8. TWIC Requirements for Risk Group C
    a. Risk Group C Classification
    b. Risk Group C TWIC Requirements
    9. Physical Placement of TWIC Readers
    10. Recurring Unescorted Access
    11. TWIC Reader Durability, Safety, Approval, Calibration, and 
Compliance
    12. TWIC Pilot and HSI Report
    13. Security Plan Amendment
    14. Recordkeeping
    15. Other Comments
    F. TWIC Reader Pilot Program
    1. Background
    2. General Findings
    3. Specific Challenges and Lessons Learned
    G. HSI Report
    H. Additional Data Sources
    I. Advisory Committee Input
IV. Section-by-Section Description of Proposed Rule
    A. Definitions
    B. Federalism
    C. Additional Persons Required to Obtain TWICs
    D. TWIC Reader Requirements for Risk Group A
    E. TWIC Reader Exemption for Vessels With 14 or Fewer TWIC-
holding Crewmembers
    F. TWIC Inspection Requirements for Risk Groups B and C
    G. TWIC Inspection Requirements in Special Circumstances
    H. Compliance Deadlines
    I. Recordkeeping
    J. Risk Group Classifications
    K. Movement Between Risk Groups
    L. Physical Placement of TWIC Readers
    M. Technical Amendments
    N. Privacy
    O. Public Comment
V. Regulatory Analyses
    A. Regulatory Planning and Review
    B. Small Entities
    C. Assistance for Small Entities
    D. Collection of Information
    E. Federalism
    F. Unfunded Mandates Reform Act
    G. Taking of Private Property
    H. Civil Justice Reform
    I. Protection of Children
    J. Indian Tribal Governments
    K. Energy Effects
    L. Technical Standards
    M. Environment

I. Public Participation and Request for Comments

    We encourage you to participate in this rulemaking by submitting 
comments and related materials. All comments received will be posted, 
without change, to http://www.regulations.gov and will include any 
personal information you have provided.

A. Submitting Comments

    If you submit a comment, please include the docket number for this 
rulemaking (USCG-2007-28915), indicate the specific section of this 
document to which each comment applies, and provide a reason for each 
suggestion or recommendation. You may submit your comments and material 
online, or by fax, mail, or hand delivery, but please use only one of 
these means. We recommend that you include your name and a mailing 
address, email address, or phone number in the body of your document so 
that we can contact you if we have any questions regarding your 
submission.
    To submit your comment online, go to http://www.regulations.gov and 
use ``USCG-2007-28915'' as your search term. Locate this NPRM in the 
search results, click the corresponding ``Comment Now'' box, and follow 
the instructions. If you submit your comments by mail or hand delivery, 
submit them in an unbound format, no larger than 8[frac12] by 11 
inches, suitable for copying and electronic filing. If you submit 
comments by mail and would like to know that they reached the Facility, 
please enclose a stamped, self-addressed postcard or envelope.
    We will consider all comments and material received during the 
comment period and may change this proposed rule based on your 
comments.

B. Viewing Comments and Documents

    To view comments, as well as documents mentioned in this preamble 
as being available in the docket, go to http://www.regulations.gov, and 
use ``USCG-2007-28915'' as your search term. The menu options on the 
left side of the Web page enable you to filter the results for public 
submissions and other types of documents. If you do not have access to 
the Internet, you may view the docket online by visiting the Docket 
Management Facility in Room W12-140 on the ground floor of the 
Department of Transportation West Building, 1200 New Jersey Avenue SE., 
Washington, DC 20590, between 9 a.m. and 5 p.m., Monday through Friday, 
except Federal holidays. We have an agreement with the Department of 
Transportation to use the Docket Management Facility.

C. Privacy Act

    Anyone can search the electronic form of all comments received into 
any of our dockets by the name of the individual submitting the comment 
(or signing the comment, if submitted on behalf of an association, 
business, labor union, etc.). You may review a Privacy Act notice 
regarding our public dockets in the January 17, 2008 issue of the 
Federal Register (73 FR 3316).

D. Public Meetings

    We intend to hold one or more public meetings regarding the 
proposals in this NPRM. A notice with the specific date and location of 
each meeting will be published in the Federal Register as soon as this 
information is known.

II. Executive Summary

    This section provides a concise description of the major proposals 
and policy decisions in this NPRM. We also provide a summary of the 
costs and benefits of this NPRM in this section.

A. Purpose of the Regulatory Action

1. Need for the Regulatory Action
    This regulatory action is necessary to improve the security of the 
nation's vessels and port facilities and to comply with statutory 
requirements. As authorized by the Maritime Transportation Security Act 
of 2002 \1\ (MTSA), the Transportation Security Administration (TSA) 
established the TWIC program to address identity management 
shortcomings and vulnerabilities identified in the nation's 
transportation system and to comply

[[Page 17784]]

with the MTSA statutory requirements. On January 25, 2007, the 
Department of Homeland Security (DHS), through the Coast Guard and TSA, 
promulgated regulations that require mariners and other individuals 
granted unescorted access to secure areas of MTSA-regulated vessels or 
facilities to undergo a security threat assessment by TSA and obtain a 
TWIC.\2\ This rulemaking, which would require owners and operators of 
certain types of vessels and facilities to use electronic TWIC readers, 
is necessary to advance the goals of the TWIC program. This rulemaking 
applies only to MTSA-regulated vessels and facilities. As described 
more fully below in this Executive Summary, we conducted a risk-based 
analysis of MTSA-regulated vessels and facilities to categorize them 
into one of three risk groups. Risk Group A is comprised of vessels and 
facilities that present the highest risk of being involved in a 
transportation security incident (TSI).\3\ Vessels and facilities in 
Risk Group A would have new TWIC reader requirements under this rule. 
Vessels and facilities in Risk Groups B and C present progressively 
lower risks, and would continue to follow existing regulatory 
requirements for visual TWIC inspection.
---------------------------------------------------------------------------

    \1\ Public Law 107-295, 116 Stat. 2064 (Nov. 2, 2002).
    \2\ Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Hazardous Materials 
Endorsement for a Commercial Driver's License, 72 FR 3492 (Jan. 25, 
2007).
    \3\ A transportation security incident is a security incident 
resulting in a significant loss of life, environmental damage, 
transportation system disruption, or economic disruption in a 
particular area, as defined in 46 U.S.C. 70101 (49 CFR 1572.103).
---------------------------------------------------------------------------

    The TWIC program, including the proposed TWIC reader requirements 
in this rule, is an important component of the Coast Guard's multi-
layered system of access control requirements and other measures 
designed to enhance maritime security. Under this multi-layered system, 
owners and operators of MTSA-regulated vessels or facilities are 
required to submit for Coast Guard approval a comprehensive security 
plan detailing the access control and other security policies and 
procedures implemented on each vessel and facility. Security plans must 
identify and mitigate vulnerabilities. They accomplish this task by 
detailing the following items: (1) Security organization of the vessel 
or facility; (2) personnel training; (3) drills and exercises; (4) 
records and documentation; (5) response to changes in Maritime Security 
(MARSEC) \4\ Level; (6) procedures for interfacing with other 
facilities and/or vessels; (7) Declarations of Security; (8) 
communications; (9) security systems and equipment maintenance; (10) 
security measures for access control; (11) security measures for 
restricted areas; (12) security measures for handling cargo; (13) 
security measures regarding vessel stores and bunkers; (14) security 
measures for monitoring; (15) security incident procedures; (16) audits 
and security plan amendments; (17) Security Assessment Reports and 
other security reports; and (18) TWIC procedures.\5\ Coast Guard 
inspectors conduct routine and unannounced inspections and spot-checks 
to ensure proper implementation of approved security plans. The multi-
layered security system also includes measures that consider broader 
security issues at U.S. ports and waterways, the coastal zone, the open 
ocean, and foreign ports.
---------------------------------------------------------------------------

    \4\ ``MARSEC Level'' means the level set to reflect the 
prevailing threat environment to the marine elements of the national 
transportation system, including ports, vessels, facilities, and 
critical assets and infrastructure located on or adjacent to waters 
subject to the jurisdiction of the U.S. (33 CFR 101.105).
    \5\ See 33 CFR 104.405 and 33 CFR 105.405.
---------------------------------------------------------------------------

    The TWIC program's initial requirement on mariners and other 
individuals to obtain a TWIC provides security benefits in the maritime 
sector. Prior to this requirement, mariners and other individuals could 
access secure areas of MTSA-regulated vessels and facilities after 
presenting any number of identification cards, such as State-issued 
driver's licenses, mariner credentials, passports, and union 
identification cards. To detect invalid credentials, it was necessary 
for security personnel to become familiar with the appearance and 
security features of every type of acceptable credential. Moreover, 
since some government-issued credentials are used for purposes other 
than security, applicants for those credentials do not necessarily 
submit biographic and biometric information and undergo a security 
threat assessment or criminal background check. For example, a State-
issued driver's license is a generally accepted form of government-
issued identification in many places because it: (1) Is laminated or 
otherwise secure against tampering; (2) bears the individual's name and 
photograph; and (3) bears the name of the issuing authority. 
Nonetheless, while issuance of a driver's license is conditioned upon 
the applicant's successful completion of a course on driving 
instruction, road test, written test, eye examination, and other 
criteria specific to driving a motor vehicle, the applicant is not 
necessarily fingerprinted and screened against law enforcement 
databases for felony criminal activity or terrorist group affiliation. 
These are inherent shortcomings of an access control system that would 
permit access based on a patchwork of generic credentials issued to 
individuals who have undergone no security screening as a precondition 
to obtaining those credentials. In contrast, issuance of a TWIC is 
specifically conditioned on these security-related criteria.
    Since April 15, 2009, TWIC has been the single credential used 
throughout the maritime sector. Accordingly, security personnel only 
need to become familiar with the appearance and security features of 
one credential. Moreover, unlike other government-issued credentials, 
TWIC is specifically designed for maritime transportation security. 
TWIC's purpose is to promote a vetted maritime workforce by 
establishing security-related eligibility criteria, and by requiring 
each TWIC-holder to undergo TSA's security threat assessment as part of 
the process of applying for and obtaining a TWIC.
    While the existing security benefits of the TWIC program are 
substantial, electronic TWIC readers would provide greater security 
benefits because the TWIC card is designed to contain several enhanced 
security features that can only be utilized through the use of an 
electronic TWIC reader. One of these features is the set of two 
fingerprint templates from two different fingers embedded in each TWIC 
card. The Coast Guard is proposing to require the use of electronic 
TWIC readers, which would match the TWIC-holder's fingerprint to one of 
the embedded fingerprint templates. An electronic TWIC reader would 
provide a more reliable form of identity verification than the current 
visual comparison of the TWIC-holder's face to the photograph on the 
TWIC. Because a TWIC reader, when properly functioning, engages the 
security features of the card and cross-references with TSA's Canceled 
Card List (CCL), which the owner or operator would be required to 
update at least weekly, it is also more reliable than visual inspection 
for ensuring that a TWIC is not counterfeit or expired, or has not been 
reported lost, stolen, damaged, or revoked. When TWIC readers or TWICs 
are damaged or malfunctioning, the proposed rule would permit owners 
and operators to revert to visual inspection of the TWICs for 7 days if 
certain conditions are met.
    Despite the enhanced reliability that TWIC readers would offer, not 
all vessels and facilities face security risks that justify the costs 
and other burdens that would result from a universal TWIC

[[Page 17785]]

reader requirement for all vessels and facilities. Therefore, in this 
rulemaking, we are considering a phased approach to implementing TWIC 
reader requirements by proposing such requirements first for vessels 
and facilities where the risk of harm is expected to be the greatest. 
We will continue to analyze risk data on MTSA-regulated vessels and 
facilities and consider whether additional or modified TWIC reader 
requirements are warranted in future rulemakings.
    This Notice of Proposed Rulemaking (NPRM) proposes TWIC reader 
requirements for MTSA-regulated vessels and facilities that we have 
determined to present a heightened risk of being involved in a TSI, as 
described more fully below in Section III.C., ``Risk-Based Approach to 
Categorizing Vessels and Facilities.'' The Coast Guard assembled a 
panel of maritime security subject matter experts from the Coast Guard 
and TSA to conduct a risk-based analysis of MTSA-regulated vessels and 
facilities. The panel assessed the distinct types of vessels and 
facilities using three factors: (1) Maximum consequences to that vessel 
or facility resulting from a terrorist attack; (2) criticality to the 
nation's health, economy, and national security; and (3) utility of the 
TWIC in reducing risk.
    For the first factor (maximum consequence resulting from a 
terrorist attack), we used the Coast Guard's Maritime Security Risk 
Analysis Model (MSRAM). MSRAM is a terrorism risk-analysis tool the 
Coast Guard uses to perform risk analysis on Critical Infrastructure 
and Key Resources (CI/KR) in the maritime domain, given a range of 
terrorist attack scenarios. The purpose of MSRAM is to capture and rank 
the security risks facing different types of potential terrorist 
targets spanning all CI/KR sectors in the nation's ports and on its 
waterways.
    An initial step in the MSRAM process is to calculate the maximum 
potential consequence resulting from the total loss of a target, 
factoring in injury and loss of life, economic and environmental 
impact, symbolic effect, and national security impact. MSRAM then 
assesses risk for a range of scenarios (each involving a combination of 
potential terrorist target and method of attack) in terms of threat, 
vulnerability, and consequence. MSRAM considers the response capability 
of the owner or operator, local first responders, and Federal agencies 
to mitigate the consequences of an attack. MSRAM also considers input 
from Area Maritime Security Committees (AMSCs).\6\
---------------------------------------------------------------------------

    \6\ AMSCs are committees established pursuant to 46 U.S.C. 
70112(a)(2)(A). AMSCs are composed of at least seven members having 
an interest in the maritime security of a specific geographic area. 
AMSC members may be selected from government, public safety, law 
enforcement, maritime industry, and other port stakeholders. AMSCs 
assist in the development, review, and update of formal plans that 
detail maritime security measures and procedures for ports in a 
specific geographic area. See 33 CFR part 103.
---------------------------------------------------------------------------

    For the second factor (criticality to the nation's health, economy, 
and national security), we considered the impact of the total loss of a 
vessel or facility beyond the immediate local consequences, taking into 
account the regional or national impacts on human health, the economy, 
and national security.
    For the third factor (TWIC utility), we considered the utility of 
the TWIC program in reducing a vessel's or facility's vulnerability to 
a terrorist attack.
    We combined the above three factors and developed an overall risk 
ranking of vessels and facilities by type. The panel then assigned 
numerical valued weights to the three factors. In determining the final 
weights, the panel chose the approach that best reflected its 
understanding of the maritime environment and TWIC program 
implementation, the importance of consequences in representing target 
attractiveness to terrorists, and the panel's expert perspective of 
risk. The actual numerical valued weights finalized by the panel are 
Sensitive Security Information (SSI). Finally, the panel calculated the 
priority scores for each vessel and facility type. At the end of this 
process, types of vessels and facilities with similar scores were 
combined into one of three risk groups.
    Vessels and facilities that present a heightened risk for being 
involved in a TSI, Risk Group A, would have new TWIC reader 
requirements under this rule. For now, vessels and facilities that do 
not present this heightened risk would either continue to visually 
inspect TWICs or voluntarily deploy TWIC readers. We believe this 
approach would implement the TWIC reader program in a targeted manner 
that enhances the security of MTSA-regulated vessels and facilities 
without imposing undue burdens.
2. Legal Authority for the Regulatory Action
    Under MTSA, the Secretary of Homeland Security (Secretary) is 
required to issue regulations designed to prevent individuals from 
entering secure areas of MTSA-regulated vessels or facilities without 
holding a TWIC or being accompanied by another individual holding a 
TWIC.\7\ As a first step toward implementing that mandate, DHS, through 
the Coast Guard and TSA, promulgated a rule on January 27, 2007 that 
requires all maritime workers and other individuals to obtain a TWIC 
before they are granted unescorted access to secure areas in the 
maritime sector. We also required owners and operators of MTSA-
regulated vessels or facilities to visually inspect the TWICs of 
individuals seeking access to secure areas at those locations. 
Additionally, we included alternatives to accommodate instances when an 
individual cannot present a TWIC because it has been lost, damaged, or 
stolen. In the January 27, 2007 rule, we did not implement TWIC reader 
requirements. Instead, we decided that TWIC reader requirements would 
follow in a separate rule after pilot testing TWIC readers in the 
maritime sector.
---------------------------------------------------------------------------

    \7\ 46 U.S.C. 70105(a)-(f).
---------------------------------------------------------------------------

    The Security and Accountability For Every (SAFE) Port Act of 2006 
\8\ required the Secretary to conduct a pilot program to test the 
business processes, technology, and operational impacts of TWIC readers 
in the maritime environment, and to issue regulations that require the 
deployment of TWIC readers that are consistent with the findings of the 
pilot program.\9\
---------------------------------------------------------------------------

    \8\ Public Law 109-347, 120 Stat. 1884 (Oct. 13, 2006).
    \9\ 46 U.S.C. 70105(k)(3).
---------------------------------------------------------------------------

B. Summary of the Major Provisions of the TWIC Reader Advanced Notice 
of Proposed Rulemaking and This NPRM

    On March 27, 2009, the Coast Guard published an advanced notice of 
proposed rulemaking on TWIC reader requirements (ANPRM).\10\ The ANPRM 
proposed a risk-based approach to TWIC reader requirements. First, the 
ANPRM proposed to classify MTSA-regulated vessels and facilities into 
one of three risk groups, based on specific factors related to TSI 
consequence. Second, the ANPRM proposed TWIC reader requirements for 
vessels and facilities in the two highest risk groups (Risk Groups A 
and B). For the lowest risk group (Risk Group C), the ANPRM proposed 
visual TWIC inspection requirements instead of TWIC reader requirements 
because we determined that routine electronic biometric matching using 
TWIC readers would not be practical at lower risk vessels and 
facilities. This is consistent with the understanding that TWIC readers 
constitute one component

[[Page 17786]]

of a multi-layered maritime security system, but are not necessary or 
appropriate for every vessel or facility.
---------------------------------------------------------------------------

    \10\ Transportation Worker Identification Credential (TWIC)--
Reader Requirements, 74 FR 13360 (March 27, 2009).
---------------------------------------------------------------------------

    Based on the public comments received in response to the ANPRM, the 
findings of the DHS pilot program, and further analysis of the relevant 
issues, this NPRM reiterates many of the ANPRM's proposals, including 
retaining the ANPRM's risk-based framework for classifying vessels and 
facilities into the same three risk groups. As in the ANPRM, vessels 
and facilities are generally placed in higher risk groups based on the 
hazardous nature of the cargo handled or carried, or an increase in the 
number of passengers present. Our analysis demonstrates that it is 
necessary to maximize the use of the TWIC's security features where the 
risk is highest, as described more fully below in Section III.C., 
``Risk-Based Approach to Categorizing Vessels and Facilities.'' We also 
believe it is necessary to carefully weigh the costs and benefits of 
TWIC reader requirements on the regulated population.
    The main change in approach from the ANPRM to this NPRM is 
regarding the TWIC reader requirements for the different risk groups. 
Specifically, this NPRM proposes TWIC reader requirements for Risk 
Group A only. For Risk Groups B and C, this NPRM proposes to maintain 
the existing visual TWIC inspection requirements instead of TWIC reader 
requirements. This approach is designed to target the use of TWIC 
readers at the highest risk entities while minimizing the overall 
burden of the rule. Proposing TWIC reader requirements for Risk Group A 
only in this NPRM is indicative of our desire to minimize highest risks 
first, but should not be read to foreclose revised TWIC reader 
requirements in the future. We will continue to gather and analyze data 
to determine how the use of TWIC readers might be appropriate for each 
risk group. Any future changes will be made through rulemaking and the 
public will have an opportunity to comment.
    This NPRM also proposes a requirement for owners and operators 
using TWIC readers to maintain records on each individual granted 
unescorted access to a secure area. Owners and operators would be 
required to maintain such records for a period of 2 years. 
Additionally, this NPRM proposes requirements to amend security plans 
to incorporate TWIC reader requirements for vessels and facilities in 
the highest risk group. These provisions are designed to ensure that 
owners and operators of vessels or facilities in Risk Group A comply 
with TWIC reader requirements.

                      Table ES-1--Summary of Requirements/Provisions Proposed in This NPRM
----------------------------------------------------------------------------------------------------------------
                                         Vessels (33 CFR part   Facilities (33 CFR part   OCS Facilities (33 CFR
  Proposed requirement or provision              104)                     105)                  part 106)
----------------------------------------------------------------------------------------------------------------
Risk Group A classification..........  Vessels that carry CDC   Facilities that handle   Not applicable.
                                        in bulk.                 CDC in bulk.
                                       Vessels certificated to  Facilities that receive
                                        carry more than 1,000    vessels certificated
                                        passengers.              to carry more than
                                                                 1,000 passengers.
                                       Vessels towing one of    Barge fleeting
                                        the above.               facilities that
                                                                 receive barges
                                                                 carrying CDC in bulk.
Risk Group B classification..........  Vessels that carry       Facilities that receive  All OCS facilities.
                                        hazardous materials      Risk Group B vessels.
                                        other than CDC in bulk.
                                       Vessels that carry
                                        flammable or
                                        combustible liquid
                                        cargoes.
                                       Vessels certificated to
                                        carry 500-1,000
                                        passengers.
                                       Vessels towing one of
                                        the above.
Risk Group C classification..........  Vessels that carry non-  Facilities that receive  Not applicable.
                                        hazardous cargoes.       Risk Group C vessels.
                                       Vessels certificated to
                                        carry less than 500
                                        passengers.
                                       Vessels towing one of
                                        the above.
                                       MODUs and OSVs.
Movement between risk groups.........  Vessels are permitted    Facilities are           Not applicable.
                                        to move between risk     permitted to move
                                        groups based on the      between risk groups
                                        materials carried at a   based on the materials
                                        given time. Described    handled at a given
                                        in VSP.                  time. Described in FSP.
Visual TWIC inspection requirement...  Risk Groups B and C      Risk Groups B and C      Risk Groups B performs
                                        perform identity         perform identity         identity verification,
                                        verification, card       verification, card       card authentication,
                                        authentication, and      authentication, and      and card validation by
                                        card validation by       card validation by       visual TWIC inspection
                                        visual TWIC inspection   visual TWIC inspection   for each individual
                                        for each individual      for each individual      prior to being granted
                                        prior to being granted   prior to being granted   unescorted access to
                                        unescorted access to     unescorted access to     secure areas.
                                        secure areas.            secure areas.
TWIC reader requirement..............  Risk Group A must use    Risk Group A must use    No requirement.
                                        TWIC reader with         TWIC reader with
                                        biometric check for      biometric check for
                                        identity verification,   identity verification,
                                        card authentication,     card authentication,
                                        and card validation on   and card validation on
                                        each individual prior    each individual prior
                                        to being granted         to being granted
                                        unescorted access to     unescorted access to
                                        secure areas.            secure areas.
TWIC reader exemption based on         Vessels with 14 or       No exemption...........  Not applicable.
 minimum crew size.                     fewer TWIC-holding
                                        crew are exempt.
Physical placement of TWIC readers...  Vessel access points     Access points to each    Not applicable.
                                        only.                    secure area.

[[Page 17787]]

 
Unreadable fingerprints..............  Exception handling       Exception handling       Not applicable.
                                        process may include      process may include
                                        PIN or alternate         PIN or alternate
                                        biometric.               biometric.
TWIC reader malfunction..............  Owner or operator        Owner or operator        Not applicable.
                                        performs visual TWIC     performs visual TWIC
                                        inspection.              inspection.
                                        Individuals that have    Individuals that have
                                        been granted             been granted
                                        unescorted access with   unescorted access with
                                        a valid TWIC in the      a valid TWIC in the
                                        past may still be        past may still be
                                        granted such access      granted such access
                                        for up to 7 days (with   for up to 7 days (with
                                        the possibility of an    the possibility of an
                                        additional extension     additional extension
                                        at the COTP's            at the COTP's
                                        discretion).             discretion).
Recordkeeping........................  Records on each          Records on each          Not applicable.
                                        individual whose TWIC    individual whose TWIC
                                        was scanned using a      was scanned using a
                                        TWIC reader must be      TWIC reader must be
                                        kept for 2 years.        kept for 2 years.
Lost/stolen TWIC.....................  Individuals following    Individuals following    Individuals following
                                        prescribed procedures    prescribed procedures    prescribed procedures
                                        may be granted           may be granted           may be granted
                                        unescorted access for    unescorted access for    unescorted access for
                                        no longer than 7         no longer than 7         no longer than 7
                                        consecutive days.        consecutive days.        consecutive days.
                                        (Additional 30-day       (Additional 30-day       (Additional 30-day
                                        extension may be         extension may be         extension may be
                                        granted per Coast        granted per Coast        granted per Coast
                                        Guard guidance.).        Guard guidance.).        Guard guidance.)
Compliance deadline..................  2 years after final      2 years after final      Not applicable.
                                        rule publication.        rule publication.        Existing regulations
                                                                                          apply.
----------------------------------------------------------------------------------------------------------------

C. Summary of Costs and Benefits

    Under MTSA, the Coast Guard regulates approximately 13,825 vessels, 
3,270 facilities, and 56 Outer Continental Shelf (OCS) facilities. Of 
those MTSA-regulated facilities that could have potentially been 
regulated, 38 vessels and 532 facilities are affected by this proposed 
rule. We estimate the annualized cost of this proposed rule on the 
affected population of 38 vessels and 532 facilities to be about $26.5 
million, while the 10-year cost is $186.1 million, discounted at 7 
percent. The main cost drivers of this proposal are the acquisition, 
installation, and integration of TWIC readers into access control 
systems. Annual costs would be driven by costs associated with Canceled 
Card List updates, recordkeeping, training, system maintenance, and 
opportunity costs associated with failed TWIC reader transactions. We 
account for delays of up to two minutes for failed TWIC reader 
transactions. We estimate that 5% of TWIC-holders who access Risk Group 
A facilities and vessels will need to replace their TWICs annually, 
also contributing to the annual costs of this rule.
    The benefits of this proposed rule include the enhancement of the 
security of vessels, ports, and other facilities by ensuring that only 
individuals who hold TWICs are granted unescorted access to secure 
areas at those locations. TWIC readers will not help identify valid 
cards that were obtained via fraudulent means, e.g., through unreported 
theft or the use of fraudulent IDs. Further, if the Coast Guard becomes 
aware of an imminent threat to a facility or vessel, the Coast Guard 
will notify the relevant Captain of the Port and other Federal, state, 
and local law enforcement officials and implement additional security 
measures as appropriate as a part of DHS's layered approach to 
security. This proposed rule would also implement the MTSA 
transportation security card requirement, as well as the SAFE Port Act 
of 2006 electronic TWIC reader requirements. The main benefit of this 
regulation, decreased terrorism risk, cannot be quantified given 
current data limitations.

   Table ES-2--Estimated Costs and Functional Benefits of TWIC Reader
                            Requirements \11\
------------------------------------------------------------------------
             Category                               NPRM
------------------------------------------------------------------------
Applicability.....................  High risk MTSA-regulated facilities
                                     and high risk MTSA-regulated
                                     vessels with greater than 14 crew.
Affected Population...............  38 vessels.
                                    532 facilities.
Costs ($ millions, 7% discount      $26.5 (annualized).
 rate).                             $186.1 (10-year).
Costs (Qualitative)...............  Time to retrieve or replace lost
                                     PINs for use with TWIC cards.
Benefits (Qualitative)............  Standardization of access control
                                     and credential verification
                                     throughout industry.
                                    Enhanced access control and security
                                     at U.S. maritime facilities and
                                     onboard U.S. flagged vessels.
                                    Reduction of human error when
                                     checking identification and manning
                                     access points.
------------------------------------------------------------------------


[[Page 17788]]

    We used a risk-based approach to apply these regulatory 
requirements on less than 5 percent of the MTSA-regulated population, 
which represents approximately 80 percent of the potential consequences 
of a TSI. A discussion of our risk-based approach is provided below in 
Section III.C., ``Risk-Based Approach to Categorizing Vessels and 
Facilities.'' For a more detailed discussion of the methodology 
underpinning our risk-based approach, please refer to the Coast Guard 
report, ``Analysis of Transportation Worker Identification Credential 
(TWIC) Electronic Reader Requirements in the Maritime Sector,'' which 
is available for viewing in the public docket for this rulemaking. The 
proposals in this NPRM target the highest risk entities while 
minimizing the overall burden of the rule. Furthermore, we propose 
several types of relief in an effort to minimize the possible burden on 
the regulated population.
---------------------------------------------------------------------------

    \11\ For a more detailed discussion of costs and benefits, see 
the full Preliminary Regulatory Analysis and Initial Regulatory 
Flexibility Analysis available on the docket for this rulemaking. 
Appendix G of that document outlines the costs by provision and also 
discusses the complementary nature of the provisions and the 
subsequent difficulty in distinguishing independent benefits from 
individual provisions.
---------------------------------------------------------------------------

III. Background and Purpose

    This section provides a detailed discussion of the considerations 
and rationale for the policy decisions that informed this NPRM. The 
section that follows (Section IV.) sets forth the NPRM's proposals.
    Section III.A. provides a general description of the TWIC and its 
security features, and also explains how the TWIC is used in the 
maritime sector as an access control measure.
    Section III.B. discusses the statutory basis for this rulemaking, 
and summarizes the regulatory history of the TWIC program. The Coast 
Guard's most recent TWIC-related regulatory action is the ANPRM on TWIC 
reader requirements.
    Section III.C. describes the ANPRM's risk-based approach for 
evaluating and categorizing types of vessels and facilities into risk 
groups. In doing so, this section summarizes the factors considered in 
developing the ANPRM's categorization system.
    Section III.D. summarizes the ANPRM's proposals for TWIC reader 
requirements and other TWIC-related requirements for each risk group.
    Section III.E. provides a detailed discussion of the public 
comments received during the ANPRM's comment period and public meeting. 
Section III.E. also provides our responses to those comments.
    Sections III.F., III.G., III.H., and III.I. discuss DHS's TWIC 
Reader Pilot Program on TWIC reader functionality, the Homeland 
Security Institute's report on the ANPRM's risk group classification 
system, additional data sources, and Advisory Committee input in the 
rulemaking process, respectively.

A. General Information About the Transportation Worker Identification 
Credential

    This section provides a general description of the types of vessels 
and facilities currently covered under MTSA, the TWIC and its security 
features, and also explains how the TWIC is currently used in the 
maritime sector for access control.
    Under MTSA, the Coast Guard is authorized to regulate vessels and 
facilities. For purposes of MTSA, the term ``facility'' means ``any 
structure or facility of any kind located in, on, under, or adjacent to 
any waters subject to the jurisdiction of the United States.'' \12\ For 
purposes of MTSA, the term ``vessel'' includes ``every description of 
watercraft or other artificial contrivance used, or capable of being 
used, as a means of transportation on water.'' \13\
---------------------------------------------------------------------------

    \12\ 46 U.S.C. 70101(a)(2).
    \13\ 46 U.S.C. 115; 1 U.S.C. 3.
---------------------------------------------------------------------------

    Coast Guard regulations implementing MTSA with respect to vessels 
\14\ apply to: Mobile Offshore Drilling Units (MODUs), cargo vessels, 
or passenger vessels subject to International Convention for Safety of 
Life at Sea, 1974 (SOLAS), chapter XI-1 or Chapter XI-2; foreign cargo 
vessels greater than 100 gross register tons; generally, self-propelled 
U.S. cargo vessels greater than 100 gross tons; offshore supply 
vessels; vessels subject to the Coast Guard's regulations regarding 
passenger vessels; passenger vessels certificated to carry more than 
150 passengers; passenger vessels carrying more than 12 passengers 
engaged on an international voyage; barges carrying, in bulk, cargoes 
regulated under the Coast Guard's regulations regarding tank vessels or 
Certain Dangerous Cargoes (CDCs); \15\ barges carrying CDCs or cargo 
and miscellaneous vessels engaged on an international voyage; 
tankships; and generally, towing vessels greater than eight meters in 
register length engaged in towing barges.
---------------------------------------------------------------------------

    \14\ See 33 CFR 104.105.
    \15\ The term ``Certain Dangerous Cargoes'' is defined in 33 CFR 
101.105 by reference to 33 CFR 160.204, which lists all of the 
covered substances.
---------------------------------------------------------------------------

    Coast Guard regulations implementing MTSA with respect to 
facilities \16\ apply to: Waterfront facilities handling dangerous 
cargoes (as generally defined in 49 CFR parts 170 through 179); 
waterfront facilities handling liquefied natural gas and liquefied 
hazardous gas; facilities transferring oil or hazardous materials in 
bulk; facilities that receive vessels certificated to carry more than 
150 passengers; facilities that receive vessels subject to SOLAS, 
Chapter XI; facilities that receive foreign cargo vessels greater than 
100 gross register tons; generally, facilities that receive U.S. cargo 
and miscellaneous vessels greater than 100 gross register tons; barge 
fleeting facilities that receive barges carrying, in bulk, cargoes 
regulated under the Coast Guard's regulations regarding tank vessels or 
CDCs; and fixed or floating facilities operating on the OCS for the 
purposes of engaging in the exploration, development, or production of 
oil, natural gas, or mineral resources (OCS facilities).
---------------------------------------------------------------------------

    \16\ See 33 CFR 105.105 and 106.105.
---------------------------------------------------------------------------

    This rulemaking applies to the above-described vessels and 
facilities regulated by the Coast Guard pursuant to the authority 
granted in MTSA. The TWIC program is one component of the Coast Guard's 
multi-layered system of access control requirements and other measures 
designed to enhance maritime security. Under this multi-layered system, 
owners and operators of MTSA-regulated vessels or facilities are 
required to submit for Coast Guard approval a comprehensive security 
plan detailing the access control and other security policies and 
procedures implemented on each vessel and facility. Security plans must 
identify and mitigate vulnerabilities. They accomplish this task by 
detailing the following items: (1) Security organization of the vessel 
or facility; (2) personnel training; (3) drills and exercises; (4) 
records and documentation; (5) response to changes in Maritime Security 
(MARSEC) Level; (6) procedures for interfacing with other facilities 
and/or vessels; (7) Declarations of Security; (8) communications; (9) 
security systems and equipment maintenance; (10) security measures for 
access control; (11) security measures for restricted areas; (12) 
security measures for handling cargo; (13) security measures regarding 
vessel stores and bunkers; (14) security measures for monitoring; (15) 
security incident procedures; (16) audits and security plan amendments; 
(17) Security Assessment Reports and other security

[[Page 17789]]

reports; and (18) TWIC procedures.\17\ Coast Guard inspectors conduct 
routine and unannounced inspections and spot-checks to ensure proper 
implementation of approved security plans. The multi-layered security 
system also includes measures that consider broader security issues at 
U.S. ports and waterways, the coastal zone, the open ocean, and foreign 
ports.
---------------------------------------------------------------------------

    \17\ See 33 CFR 104.405 and 33 CFR 105.405.
---------------------------------------------------------------------------

    The TWIC is a tamper-resistant biometric credential TSA issues to 
eligible maritime workers who require unescorted access to secure areas 
of MTSA-regulated vessels and facilities. To obtain a TWIC, applicants 
must provide biographic and biometric information and complete a TSA 
security threat assessment. Applicants are disqualified from obtaining 
a TWIC if their assessment reveals that they: have been convicted, or 
found not guilty by reason of insanity, of certain felonies; \18\ are 
under want, warrant, or indictment for certain felonies; \19\ have been 
released from incarceration within the preceding 5-year period for 
committing certain felonies; \20\ may be denied admission to, or 
removed from, the United States under the Immigration and Nationality 
Act; \21\ or otherwise pose a terrorism security risk to the United 
States.\22\
---------------------------------------------------------------------------

    \18\ 46 U.S.C. 70105(c)(1)(A)-(B).
    \19\ 46 U.S.C. 70105(c)(1)(C).
    \20\ 46 U.S.C. 70105(c)(1)(D)(i).
    \21\ 46 U.S.C. 70105(c)(1)(D)(iii); 8 U.S.C. 1101 et seq.
    \22\ 46 U.S.C. 70105(c)(1)(D)(iv).
---------------------------------------------------------------------------

    The face of the TWIC shows the holder's photograph, name, and TWIC 
expiration date, and the back shows a unique credential number (TWIC 
Serial Number). Because TWIC is the single credential used throughout 
the maritime sector, it provides considerable security benefits, 
including ensuring that individuals permitted to enter secure areas 
within the maritime transportation system have successfully undergone 
TSA's security threat assessment, involving a criminal history records 
check and an intelligence-related check. Before TWIC was in use, 
mariners and other individuals could access secure areas of MTSA-
regulated vessels and facilities after presenting a State-issued 
driver's license or any number of other government-issued 
identification cards. To detect invalid credentials, it was necessary 
for security personnel to become familiar with the appearance and 
security features of every type of acceptable credential. Moreover, 
since some government-issued credentials are used for purposes other 
than security, applicants for those credentials do not necessarily 
submit biographic and biometric information and undergo a security 
threat assessment or criminal background check. For example, a State-
issued driver's license is a generally accepted form of government-
issued identification in many places because it: (1) Is laminated or 
otherwise secure against tampering; (2) bears the individual's name and 
photograph; and (3) bears the name of the issuing authority. 
Nonetheless, while issuance of a driver's license is conditioned upon 
the applicant's successful completion of a course on driving 
instruction, road test, written test, eye examination, and other 
criteria specific to driving a motor vehicle, the applicant is not 
necessarily fingerprinted and screened against law enforcement 
databases for felony criminal activity or terrorist group affiliation. 
These are inherent shortcomings of an access control system that would 
permit access based on a patchwork of generic credentials issued to 
individuals who have undergone no security screening as a precondition 
to obtaining those credentials. In contrast, issuance of a TWIC is 
specifically conditioned on these security-related criteria.
    Since April 15, 2009, TWIC has been the single credential used 
throughout the maritime sector. Accordingly, security personnel only 
need to become familiar with the appearance and security features of 
one credential. Moreover, unlike other government-issued credentials, 
TWIC is specifically designed for transportation security. Its purpose 
is to ensure a vetted maritime workforce by establishing security-
related eligibility criteria, and by requiring each TWIC-holder to 
undergo TSA's security threat assessment as part of the process of 
applying for and obtaining a TWIC.
    In addition to its visible security features, the TWIC stores two 
electronically readable reference biometric templates (i.e., 
fingerprint templates), a personal identification number (PIN) selected 
by the TWIC-holder, a digital facial image, authentication 
certificates, and a Federal Agency Smart Credential-Number (FASC-N). 
These features enable the TWIC to be used in different ways for: (1) 
Identity verification; (2) card authentication; and (3) card 
validation.
    Identity verification ensures that the individual presenting the 
TWIC is the same person to whom the TWIC was issued. Identity can be 
verified by visually comparing the photo on the TWIC to the TWIC-
holder. Using a TWIC reader, identity can be verified by matching one 
of the fingerprint templates stored in the TWIC to the TWIC-holder's 
live sample biometric, or by requiring the TWIC-holder to place the 
TWIC into a TWIC reader and enter a 6-, 7-, or 8-digit PIN selected by 
the TWIC-holder at the time of card activation.
    Card authentication ensures that the TWIC is not counterfeit. 
Security personnel can authenticate a TWIC by visually inspecting the 
security features on the card. A TWIC reader authenticates the card by 
performing a challenge/response protocol using the Card Authentication 
Certificate (CAC) and the associated card authentication private key 
stored in the TWIC.\23\
---------------------------------------------------------------------------

    \23\ The TWIC reader will read the CAC from the TWIC and send a 
command to the TWIC requesting the card authentication private key 
be used to sign a random block of data (created and known to the 
TWIC reader). The TWIC reader will use the public key embedded in 
the CAC to verify that the signature of the random data block is 
valid. If the signature is valid, the TWIC reader will trust the 
TWIC submitted and will then pull the FASC--N and other information 
from the card for further processing. The CAC contains the FASC--N 
and a certificate of expiration date harmonized to the TWIC 
expiration date. This minimizes the need for the TWIC reader to pull 
more information from the TWIC (unless required for additional 
checking).
---------------------------------------------------------------------------

    Card validation using a TWIC reader ensures that the TWIC has not 
expired or been revoked by TSA, or reported as lost, stolen, or 
damaged. Security personnel can validate whether a TWIC has expired by 
visually checking the TWIC's expiration date. A TSA-canceled TWIC is 
placed on TSA's official Canceled Card List (CCL), which is updated 
daily.\24\ Using a TWIC reader, card validity is confirmed by finding 
no match on the CCL and electronically checking the expiration date on 
the TWIC. Checks against the CCL may be performed electronically by 
downloading the list onto a TWIC reader or integrated Physical Access 
Control System (PACS).
---------------------------------------------------------------------------

    \24\ TSA's Canceled Card List is available online at: https://twicprogram.tsa.dhs.gov/TWICWebApp.
---------------------------------------------------------------------------

B. Statutory and Regulatory History

    This section discusses the statutory basis for this rulemaking, and 
summarizes the TWIC-related regulatory actions that precede this NPRM.
    In the aftermath of the September 11, 2001 attacks, President 
George W. Bush signed Public Law 107-295, MTSA, 2002, which required 
the Secretary to publish rules that institute measures for the 
protection of U.S. maritime security as soon as practicable. On July 1, 
2003, the Coast Guard published a series of six rules to promulgate 
maritime security requirements mandated by MTSA. These rules included 
the following ones: Implementation of National Maritime Security 
Initiatives (68 FR

[[Page 17790]]

39240); Area Maritime Security (68 FR 39284); Vessel Security (68 FR 
39292); Facility Security (68 FR 39315); Outer Continental Shelf 
Facility Security (68 FR 39338); and Automatic Identification System 
(68 FR 39353). Most of these rules have been codified in 33 CFR 
subchapter H.
    MTSA is the principal statutory authority for the TWIC program, and 
it requires the Secretary to issue regulations designed to prevent an 
individual from entering secure areas of MTSA-regulated vessels or 
facilities unless the individual holds a TWIC or is accompanied by 
another individual who holds a TWIC.\25\
---------------------------------------------------------------------------

    \25\ 46 U.S.C. 70105(a)-(f).
---------------------------------------------------------------------------

    On May 22, 2006, DHS, through the Coast Guard and TSA, published a 
notice of proposed rulemaking \26\ (TWIC 1 NPRM) to implement the TWIC 
program in the maritime sector. On January 27, 2007, DHS, through the 
Coast Guard and TSA, issued a final rule \27\ (TWIC 1 Final Rule) that 
required all credentialed merchant mariners and individuals granted 
unescorted access to secure areas of MTSA-regulated vessels or 
facilities to obtain a TWIC. Based on comments received in response to 
the TWIC 1 NPRM, and upon further analysis of the information available 
at the time, the Coast Guard concluded in the TWIC 1 Final Rule that it 
was premature to require the use of TWIC readers on vessels and at 
facilities.\28\ The TWIC 1 Final Rule, however, stated that TWIC reader 
requirements would be addressed in a future rulemaking.\29\ To date, 
TSA has issued approximately 2 million TWICs.\30\ TWIC is now the 
single credential used throughout the maritime sector. For purposes of 
access control to MTSA-regulated vessels and facilities, security 
personnel only need to become familiar with the appearance and security 
features of one credential when determining whether to grant access to 
secure areas. Moreover, since the TWIC program is specifically designed 
for transportation security, it effectively ensures a vetted maritime 
workforce by establishing security-related eligibility criteria and by 
requiring each TWIC-holder to undergo TSA's security threat assessment 
as a precondition to obtaining a TWIC.
---------------------------------------------------------------------------

    \26\ Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Hazardous Materials 
Endorsement for a Commercial Driver's License, 71 FR 29396 (May 22, 
2006).
    \27\ Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Hazardous Materials 
Endorsement for a Commercial Driver's License, 72 FR 3492 (Jan. 25, 
2007).
    \28\ See 72 FR 3512.
    \29\ See 72 FR 3512.
    \30\ For statistics and other general information about the TWIC 
program, visit the TSA Web site at http://www.tsa.gov/twic.
---------------------------------------------------------------------------

    Section 104 of the SAFE Port Act of 2006 focused on how to further 
incorporate TWIC and TWIC readers into the MTSA security regime. 
Specifically, the SAFE Port Act supplemented various MTSA credentialing 
requirements by, among other things, requiring the Secretary to: (1) 
Conduct a TWIC reader testing pilot program (TWIC Pilot) to evaluate 
the business processes, technology, and operational impacts of a TWIC 
reader requirement; \31\ and (2) promulgate final regulations requiring 
the use of TWIC readers in a manner consistent with the findings of the 
TWIC Pilot.\32\
---------------------------------------------------------------------------

    \31\ 46 U.S.C. 70105(k)(1).
    \32\ 46 U.S.C. 70105(k)(3).
---------------------------------------------------------------------------

    While DHS collected data for the TWIC Pilot, the Coast Guard 
published the ANPRM on March 27, 2009, discussing the Coast Guard's 
preliminary thoughts on potential TWIC reader requirements, and opening 
a public dialog on how to best implement those requirements. The ANPRM 
proposed a framework that would separate individual MTSA-regulated 
vessels, MTSA-regulated facilities, and MTSA-regulated OCS facilities 
into one of three risk groups. Vessels and facilities are generally 
placed in higher risk groups based on the hazardous nature of the cargo 
handled or carried, or an increase in the number of passengers present. 
This framework is described more fully below in Section III.C., ``Risk-
Based Approach to Categorizing Vessels and Facilities.'' The ANPRM 
proposed TWIC reader requirements for vessels and facilities in Risk 
Groups A and B, the two highest risk groups. For Risk Group C, the 
ANPRM proposed visual TWIC inspection requirements instead of TWIC 
reader requirements because we determined that the frequent electronic 
matching of a biometric would not be practical at lower risk vessels 
and facilities. This is consistent with the understanding that TWIC 
readers constitute one component of a multi-layered maritime security 
system, but are not necessary or appropriate for every vessel or 
facility.
    Based on the public comments received in response to the ANPRM, the 
TWIC Pilot findings, and further analysis of the relevant issues, this 
NPRM reiterates many of the ANPRM's proposals, including retaining the 
ANPRM's risk-based framework for classifying vessels and facilities 
into the same three risk groups. Our analysis demonstrates that it is 
necessary to maximize the use of the TWIC's security features where the 
risk is highest, as described more fully below in Section III.C., 
``Risk-Based Approach to Categorizing Vessels and Facilities.'' We also 
believe it is necessary to carefully weigh the costs and benefits of 
TWIC reader requirements on the regulated population.
    The primary change in approach from the ANPRM to this NPRM is 
regarding the TWIC reader requirements for the different risk groups. 
Specifically, this NPRM proposes TWIC reader requirements for Risk 
Group A only. For Risk Groups B and C, this NPRM proposes to maintain 
the existing visual TWIC inspection requirements instead of TWIC reader 
requirements. This approach is designed to target the use of TWIC 
readers at the highest risk entities while minimizing the overall 
burden of the rule. Proposing TWIC reader requirements for Risk Group A 
only in this NPRM is indicative of our desire to minimize highest risks 
first, but should not be read to foreclose revised TWIC reader 
requirements in the future. We will continue to gather and analyze data 
to determine how the use of TWIC readers might be appropriate for each 
risk group. Any future changes will be made through rulemaking and the 
public will have an opportunity to comment.
    The Coast Guard Authorization Act of 2010 (Pub. L. 111-281) (CGAA 
2010) contains two provisions we refer to into this rulemaking. First, 
Section 809 of the CGAA 2010 authorizes the Secretary to exempt any 
credentialed mariner who is not granted unescorted access to secure 
areas of a vessel from the requirement to possess a TWIC. Second, 
Section 814 of the CGAA 2010 allows the Secretary to permit the use of 
alternate biometrics, such as a retina scan, to verify the 
identification of individuals using TWIC when the individual's 
fingerprints are not able to be taken or read.

C. Risk-Based Approach to Categorizing Vessels and Facilities

    This section describes the ANPRM's risk-based approach for 
evaluating and categorizing types of vessels and facilities into risk 
groups.
    The Coast Guard assembled a panel of maritime security subject 
matter experts from the Coast Guard and TSA to conduct a risk-based 
analysis of MTSA-regulated vessels and facilities. The panel determined 
that the Analytical Hierarchy Process (AHP) would provide an effective 
basis for applying the panel's judgment to weigh and apply several key 
factors to the assessment of types of vessels and facilities. The AHP

[[Page 17791]]

is the core methodology in the Expert Choice \33\ collaborative 
decision support tool, which was used in the Coast Guard's risk-based 
analysis. The AHP was originally developed in the 1970s by Dr. Thomas 
Saaty, then a professor at the Wharton School, University of 
Pennsylvania. The methodology has since gained wide acceptance and is 
used by Fortune 500 companies, Federal agencies, and MBA programs as a 
structured technique for achieving solutions to complex problems. 
Federal agencies that have used the AHP/Expert Choice include the 
National Institute of Standards and Technology, Department of the Army, 
Department of the Air Force, Bureau of Land Management, Bureau of 
Engraving and Printing, Department of Agriculture, Department of 
Energy, Department of Housing and Urban Development, Department of 
State, Defense Information Systems Agency, Department of Veterans 
Affairs, and the Federal Aviation Administration.
---------------------------------------------------------------------------

    \33\ Information about Expert Choice is available at 
www.expertchoice.com.
---------------------------------------------------------------------------

    The AHP provides a comprehensive and rational framework for 
structuring a problem, representing and quantifying its elements, 
relating those elements to overall goals, and for evaluating a set of 
alternative solutions. The AHP has been used by government and industry 
to assess alternatives and arrive at solutions when faced problems that 
present disparate criteria and factors to consider.
    The Coast Guard's panel of subject matter experts identified 68 
distinct types of vessels and facilities based on their purpose or 
operational description. The panel then assessed each of the 68 types 
of vessels and facilities using three factors: (1) Maximum consequences 
to that vessel or facility resulting from a terrorist attack; (2) 
criticality to the nation's health, economy, and national security; and 
(3) utility of the TWIC in reducing risk.
    For the first factor (maximum consequence resulting from a 
terrorist attack), we used the Coast Guard's Maritime Security Risk 
Analysis Model (MSRAM). MSRAM is a terrorism risk-analysis tool the 
Coast Guard uses to perform risk analysis on Critical Infrastructure 
and Key Resources (CI/KR) in the maritime domain, given a range of 
terrorist attack scenarios. The purpose of MSRAM is to capture and rank 
the security risks facing different types of potential terrorist 
targets (e.g., waterfront facilities, vessels, bridges, and other 
infrastructure) spanning all CI/KR sectors in the nation's ports and on 
its waterways.
    An initial step in the MSRAM process is to calculate the maximum 
potential consequence resulting from the total loss of a target, 
factoring in injury and loss of life, economic and environmental 
impact, symbolic effect, and national security impact. MSRAM then 
assesses risk for a range of scenarios (each involving a combination of 
potential terrorist target and method of attack) in terms of threat, 
vulnerability, and consequence. MSRAM considers the response capability 
of the owner or operator, local first responders, and Federal agencies 
to mitigate the consequences of an attack. MSRAM also considers input 
from Area Maritime Security Committees (AMSCs).\34\
---------------------------------------------------------------------------

    \34\ AMSCs are committees established pursuant to 46 U.S.C. 
70112(a)(2)(A). AMSCs are composed of at least seven members having 
an interest in the maritime security of a specific geographic area. 
AMSC members may be selected from government, public safety, law 
enforcement, maritime industry, and other port stakeholders. AMSCs 
assist in the development, review, and update of formal plans that 
detail maritime security measures and procedures for ports in a 
specific geographic area. See 33 CFR part 103.
---------------------------------------------------------------------------

    In consultation with representatives from AMSCs throughout the 
country, we have compiled MSRAM risk information from Coast Guard 
Sectors and Captains of the Port (COTPs) into a database that provides 
an overall national view of terrorism risk to maritime assets. For 
purposes of this proposed rule, we focused on MSRAM data specific to 
MTSA-regulated vessels and facilities, and used it to address the 
maximum consequence that would occur from the total loss of a vessel or 
facility caused by a TSI resulting from a terrorist attack. We averaged 
these MSRAM consequences across similar types of vessels and facilities 
to develop a standard risk for each type.
    For the second factor (criticality to the nation's health, economy, 
and national security), we considered the impact of the total loss of a 
vessel or facility beyond the immediate local consequences, taking into 
account the regional or national impacts on human health, the economy, 
and national security.
    For the third factor (TWIC utility), we considered the utility of 
the TWIC program in reducing a vessel or facility's vulnerability to a 
terrorist attack.
    Using the AHP, we combined the above three factors and developed an 
overall risk ranking of vessels and facilities by type. As a first step 
in this process, the panel identified the 68 vessel and facility types, 
and the three criteria described above. As a second step, the panel 
considered different approaches to assigning numerical valued weights 
to the three factors. In determining the final weights, the panel chose 
the approach that best reflected its understanding of the maritime 
environment and TWIC program implementation, the importance of 
consequences in representing target attractiveness to terrorists, and 
the panel's expert perspective of risk. The actual numerical valued 
weights finalized by the panel are SSI. Finally, the panel used the AHP 
math in Expert Choice to calculate the priority scores for each vessel 
and facility type. At the end of this process, types of vessels and 
facilities with similar scores were combined into one of three risk 
groups. For a more detailed discussion of the panel's methodology, a 
copy of the panel's report, ``Analysis of Transportation Worker 
Identification Credential (TWIC) Electronic Reader Requirements in the 
Maritime Sector'' is available for viewing in the public docket for 
this rulemaking.
    The ANPRM then proposed different TWIC-related requirements for 
each risk group. In determining the cutoff points between risk groups, 
risk rankings were graphed to identify natural breaks that occurred in 
the data. For vessels, these breaks generally occurred where there was 
a change in the hazardous nature of the cargo or where the number of 
passengers carried aboard a vessel increased. Similarly, for 
facilities, these breaks generally occurred where there was a change in 
the hazardous nature of the materials stored or handled at a facility, 
or where the number of passengers accessing a facility increased.
    We engaged the Homeland Security Institute (HSI) to conduct an 
independent peer review of the risk-based analysis that formed the 
basis of the proposals in the ANPRM. HSI conducted its peer review in 
accordance with OMB Memorandum M-05-03, ``Issuance of OMB's `Final 
Information Quality Bulletin for Peer Review''' (Dec. 16, 2004) \35\ 
(OMB Review Guidelines). The OMB Review Guidelines establish 
government-wide guidance aimed at enhancing the practice of peer review 
of government science documents. Peer review is designed to increase 
the quality and credibility of the scientific information generated 
across the Federal government. The OMB Review Guidelines also discuss 
the concept of a ``highly influential scientific assessment,'' as one 
that would have at least one of the following characteristics: (1) 
Potential impact of

[[Page 17792]]

more than $500 million in any year; (2) novel, controversial, or 
precedent-setting; or (3) significant interagency interest. HSI advised 
that the TWIC program is, at a minimum, precedent-setting. Therefore, 
peer review of the Coast Guard's underlying analysis would be 
considered at the level of a ``highly influential scientific 
assessment.''
---------------------------------------------------------------------------

    \35\ OMB Memorandum M-05-03 is available for viewing at http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-03.pdf.
---------------------------------------------------------------------------

    HSI conducted its peer review and issued a final report (HSI 
Report) on October 21, 2008. HSI independently reproduced the results 
based on the information provided in the Coast Guard report, ``Analysis 
of Transportation Worker Identification Credential (TWIC) Electronic 
Reader Requirements in the Maritime Sector,'' and deemed the process to 
be technically sound. The HSI report also acknowledged that ``no 
decision-aid tools * * * including the AHP, should be considered to 
lead to unassailable results.'' \36\ A portion of the HSI Report is 
considered Sensitive Security Information (SSI) under 49 CFR Part 15. 
Therefore, a non-SSI version of the HSI Report is available for viewing 
in the public docket for this rulemaking. A summary of the HSI Report 
recommendations is provided below in Section III.G. ``HSI Report.''
---------------------------------------------------------------------------

    \36\ See HSI Report, p. 2.
---------------------------------------------------------------------------

D. ANPRM Proposals

    This section provides a summary of the ANPRM's proposals for TWIC 
reader requirements and other TWIC-related requirements. Later parts of 
Section III. ``Background and Purpose'' discuss the public comments 
received on the ANPRM, as well our responses to those comments. For a 
more detailed discussion of the ANPRM's proposals, please refer to the 
ANPRM at 74 FR 13360. We retain many of the ANPRM's proposals in the 
NPRM. We delete or modify a number of the ANPRM's proposals in the 
NPRM. To avoid any confusion, if you wish to focus specifically on the 
proposals in the NPRM, please refer to Section IV. ``Section-by-Section 
Description of Proposed Rule.''
1. Classification of Vessels and Facilities Into Risk Groups
    For vessels subject to 33 CFR part 104, the ANPRM proposed the 
following risk group classifications:
Risk Group A
    (1) Vessels that carry Certain Dangerous Cargoes (CDC) in bulk;
    (2) Vessels certificated to carry more than 1,000 passengers; and
    (3) Towing vessels engaged in towing a barge or barges subject to 
paragraphs (1) or (2).
Risk Group B
    (1) Vessels that carry hazardous materials other than CDC in bulk;
    (2) Vessels subject to 46 CFR Chapter I, Subchapter D, that carry 
any flammable or combustible liquid cargoes or residues; \37\
---------------------------------------------------------------------------

    \37\ The intent as used here is to capture those tank vessels 
that are carrying the high flash point petroleums, like crude oil, 
that are not hazardous materials, whether inland, coastal, or 
seagoing.
---------------------------------------------------------------------------

    (3) Vessels certificated to carry 500 to 1,000 passengers; and
    (4) Towing vessels engaged in towing a barge or barges subject to 
paragraphs (1), (2), or (3).
Risk Group C
    (1) Vessels carrying non-hazardous cargoes that are required to 
have a vessel security plan (VSP);
    (2) Vessels certificated to carry less than 500 passengers;
    (3) Towing vessels engaged in towing a barge or barges subject to 
paragraphs (1) or (2);
    (4) Mobile Offshore Drilling Units (MODUs); and
    (5) Offshore Supply Vessels (OSVs) subject to 46 CFR Chapter I, 
Subchapters L or I.
    The risk group classifications in the ANPRM for facilities are 
similar to those for vessels. For facilities subject to 33 CFR part 
105, the ANPRM proposed the following risk group classifications:
Risk Group A
    (1) Facilities that handle CDC in bulk;
    (2) Facilities that receive vessels certificated to carry more than 
1,000 passengers; and
    (3) Barge fleeting facilities that receive barges carrying CDC in 
bulk.
Risk Group B
    (1) Facilities that receive vessels that carry hazardous materials 
other than CDC in bulk;
    (2) Facilities that receive vessels subject to 46 CFR Chapter I, 
Subchapter D, that carry any flammable or combustible liquid cargoes or 
residues;
    (3) Facilities that receive vessels certificated to carry 500 to 
1,000 passengers; and
    (4) Facilities that receive towing vessels engaged in towing a 
barge or barges carrying hazardous materials other than CDC in bulk, 
carrying crude oil, or towing vessels certificated to carry 500 to 
1,000 passengers.
Risk Group C
    (1) Facilities that receive vessels carrying non-hazardous cargoes 
that are required to have a VSP;
    (2) Facilities that receive towing vessels engaged in towing a 
barge or barges carrying non-hazardous cargoes;
    (3) Facilities that receive vessels certificated to carry less than 
500 passengers.
    The ANPRM proposed to classify all OCS facilities subject to 33 CFR 
part 106 into Risk Group B.
    In the ANPRM, we contemplated the possibility that vessels and 
facilities may move from one risk group to another, based on the cargo 
handled or carried at any given time. In those instances, the owner or 
operator would be expected to explain, in an amended security plan, how 
their regulatory compliance program would change to reflect movement 
between risk groups, with particular attention to the security measures 
to be taken when moving from a lower risk group to a higher risk group.
2. TWIC Reader Requirements for Risk Group A
    The ANPRM proposed TWIC reader requirements and other TWIC-related 
requirements for Risk Group A that would utilize the TWIC's most 
protective measures for identity verification, card authentication, and 
card validation.
    For identity verification, owners and operators of vessels or 
facilities in Risk Group A would be required to either match the TWIC-
holder's fingerprint to one of the fingerprint templates stored in the 
TWIC, or match the TWIC-holder's alternate biometric (e.g., retina 
scan, hand geometry, or other biometric) to one captured and stored in 
a PACS. A TWIC reader can work as a stand-alone unit, or it can be 
integrated into a facility's PACS. Either way, the owner or operator 
would be required to use a TWIC reader from the official list of TSA-
approved TWIC readers. The biometric match would need to be made using 
a TWIC reader and/or PACS before the individual is granted unescorted 
access to secure areas.
    When electronically matching biometrics within a PACS, an owner or 
operator would be permitted to use a different biometric than a 
fingerprint (e.g., an iris scan or hand geometry), stored in the PACS 
and matched to the biometric of the TWIC-holder. The owner or operator 
would be required to link their system to the TWIC in such a manner 
that the PACS precludes access to someone who does not have a TWIC, or 
to someone other than the

[[Page 17793]]

individual to whom the TWIC has been issued. This requirement means 
that the TWIC would need to be read and the stored biometric identifier 
matched against the TWIC-holder's fingerprint at least once, when the 
individual's information is entered into the PACS. Before relying on 
the alternate biometric, it must be verified, through a one-to-one 
fingerprint match, that the individual presenting the TWIC is actually 
the person to whom the TWIC was issued.
    In the ANPRM, we recognized that while PIN verification could be 
used to enhance the accuracy of identity verification, this method 
presents operational and environmental challenges. The PIN can only be 
entered when the TWIC is inserted into a ``contact'' TWIC reader, where 
the TWIC is inserted into a slot allowing direct contact between the 
TWIC reader and the chip embedded in the TWIC. Comments received in 
response to the TWIC 1 NPRM, as well as recommendations from the 
National Maritime Security Advisory Committee (NMSAC), emphasized 
concerns over whether contact TWIC readers would be able to withstand 
the harsh conditions often present in a maritime environment. 
Additional concerns were raised as to whether maritime workers should 
be expected to remember a 6- to 8-digit PIN, especially workers who 
would not typically use the PIN on a regular basis. Concerns were also 
raised over the operational delays associated with a PIN requirement. 
In light of these concerns, and taking into account the level of 
security already provided via the TWIC's other features, the ANPRM did 
not propose a PIN requirement to enhance identity verification.
    For card authentication, owners and operators of vessels or 
facilities in Risk Group A would be required to use a TWIC reader to 
screen individuals seeking access to secure areas. As with identity 
verification, owners and operators would be permitted to integrate TWIC 
into a PACS, provided that the owner or operator completes this 
integration before the TWIC-holder's information is added into the 
PACS, and before the TWIC-holder is granted unescorted access to secure 
areas.
    For card validation, owners and operators of vessels or facilities 
in Risk Group A would be required to use a TWIC reader to check an 
individual's TWIC against the CCL. An owner or operator updates CCL 
information by downloading the current list onto the TWIC reader or 
PACS. At MARSEC Level 1, owners and operators would be required to 
update the CCL on a weekly basis. At MARSEC Levels 2 and 3, owners and 
operators would be required to update the CCL on a daily basis.
3. TWIC Reader Requirements for Risk Group B
    The ANPRM proposed TWIC reader requirements and other TWIC-related 
requirements for Risk Group B that would differ depending on MARSEC 
Level. At MARSEC Levels 2 and 3, owners and operators of vessels or 
facilities in Risk Group B would be required to utilize the most 
protective measures of the TWIC for identity verification, card 
authentication, and card validation. Those requirements are the same as 
those described above with respect to Risk Group A.
    At MARSEC Level 1, owners and operators would perform card 
authentication and card validation using a TWIC reader in the same 
manner required at higher MARSEC Levels. At MARSEC Level 1, however, 
owners and operators would not be required to use a TWIC reader to 
perform a biometric match for identity verification, subject to the 
exception described below. Instead, owners and operators would be 
permitted to perform identity verification by using the TWIC as a 
visual identity badge. The exception to this leniency at MARSEC Level 1 
is that on a random basis, but at least 1 day per month, owners and 
operators would be required to perform identity verification using a 
TWIC reader to match the TWIC-holder's fingerprint to one stored in the 
TWIC.
    The ANPRM's proposed requirements for Risk Group B were based on a 
determination that the TSI risk to such vessels and facilities at 
MARSEC Level 1 does not warrant a requirement to perform routine 
biometric identity verification using a TWIC reader.
4. TWIC Requirements for Risk Group C
    The ANPRM proposed TWIC requirements for Risk Group C that would 
not involve the use of a TWIC reader at any MARSEC Level. Instead, 
owners and operators of vessels or facilities in Risk Group C would 
visually inspect the security features on the TWIC for identity 
verification, card authentication, and card validation. TWIC-holders 
working on vessels or at facilities in Risk Group C would periodically 
have their TWICs scanned using a TWIC reader during Coast Guard 
inspections and unannounced spot checks.
    The ANPRM's proposed requirements for Risk Group C were based on 
our determination that, given the type of commodities and small number 
of passengers typical of this risk group, it is likely that these 
vessels and facilities present a less attractive target to individuals 
who wish to do harm than vessels and facilities in Risk Groups A and B. 
Nonetheless, vessels and facilities in Risk Group C still present some 
risk of being involved in a TSI. As a result, we determined that visual 
inspection of TWICs would be an appropriate security measure.
5. Recurring Unescorted Access
    The concept of Recurring Unescorted Access (RUA) was first proposed 
in the TWIC 1 NPRM.\38\ RUA was conceived as a means of providing 
flexibility to vessel owners and operators so that the TWIC program 
would provide them with a valuable security enhancement without 
unnecessarily burdening daily operations. As initially proposed, RUA 
would apply to vessels that would otherwise be required to use TWIC 
readers. RUA would allow the owners and operators of such vessels to 
grant certain TWIC-holders the privilege of entering secure areas on a 
repetitive basis without having their TWICs electronically scanned by a 
TWIC reader each time, provided that certain preconditions had been 
met.
---------------------------------------------------------------------------

    \38\ See 71 FR 29410-29411.
---------------------------------------------------------------------------

    The TWIC 1 NPRM cited two factors on which the decision to grant 
RUA privileges should be based: (1) The relationship of the individual 
to the vessel, or how well ``known'' the individual is; and (2) the 
individual's need to have frequent and unimpeded access to the vessel. 
We assumed that the crew of most vessels would consist of a relatively 
small number of individuals who would quickly become familiar enough 
with one another and readily distinguish each other from non-
crewmembers. Accordingly, on such vessels, there would be no added 
benefit from repeated biometric identity verification using a TWIC 
reader.
    Although RUA would exempt certain individuals from having their 
TWICs routinely scanned by a TWIC reader, these individuals would still 
need to present a TWIC for visual inspection. Additionally, prior to 
granting RUA privileges to a TWIC-holder, the vessel owner or operator 
would be required, among other things, to perform a one-time scan of 
the individual's TWIC using a TWIC reader for initial identity 
verification, card authentication, and card validity.
    In addition to proposing RUA for vessels, the ANPRM also proposed 
RUA for facilities. Thus, owners and operators of vessels or facilities 
could grant RUA privileges to a number of individuals per vessel or 
facility.

[[Page 17794]]

Owners and operators would be required to explain their RUA procedures 
in an amended security plan.
    As proposed in the ANPRM and based on a recommendation from the 
Towing Safety Advisory Committee (TSAC), RUA could be granted to a 
maximum of 14 individual TWIC-holders per vessel or facility. TSAC's 
rationale for establishing 14 as the maximum cut off for requiring TWIC 
readers on vessels is that these vessels have a reduced vulnerability 
because the individuals are all ``known'' to one another. The number 
was developed by taking into account the fact that for a small vessel, 
such as a towing vessel or offshore supply vessel, the crew would 
typically include up to one Master, one Chief Engineer, and three four-
person crews who rotate through watch shifts.
6. TWIC Reader Approval, Calibration, and Compliance
    In the ANPRM, we considered the possibility that some owners and 
operators may wish to incorporate TWIC reader requirements into an 
existing PACS. In those situations, the ANPRM proposed to require 
owners and operators to follow the standard/specification to be 
developed from the results of the TWIC Pilot.
    The ANPRM stated that we were considering alternatives for how to 
ensure that TWIC readers are maintained in proper working order. The 
existing provisions in 33 CFR 104.235, 104.260, 105.225, 105.250, 
106.230, and 106.255 would require TWIC readers to be inspected, 
tested, calibrated, and maintained in accordance with the 
manufacturers' recommendations, and that records of those actions be 
maintained as well. The ANPRM requested comments on whether TWIC 
readers should be subject to additional Coast Guard inspections or 
third-party audits.
7. Security Plan Amendment
    The ANPRM proposed a requirement on owners and operators to amend 
their security plans to include TWIC requirements within 6 months of 
promulgation of a TWIC reader final rule. In the ANPRM, we indicated 
that we would consider re-evaluating this deadline, and we sought 
public comment on how long owners and operators should have to amend 
security plans to incorporate TWIC reader requirements. Security plan 
amendments would need to detail how the owner or operator would 
implement TWIC requirements, including those promulgated in the TWIC 1 
Final Rule, and TWIC reader requirements, if applicable.
    The ANPRM mentioned that we would consider additional security plan 
provisions that require the owner or operator to discuss procedures for 
handling TWIC-holders with poor quality or no fingerprints, as well as 
TWIC-holders who are otherwise unable to match a live fingerprint to 
one of the templates stored in the card. The ANPRM also mentioned that 
we were considering a requirement on owners and operators using a 
separate PACS to explain how they will protect personal identity 
information.
    The ANPRM articulated our position that requests for waivers, 
alternatives, and equivalents would need to comply with existing 
regulatory requirements found in 33 CFR 101.120, 101.130, 104.130, 
104.135, 105.130, 105.135, 106.125, and 106.130.
    In the ANPRM, we stated our intent to not amend 33 CFR 101.120 
regarding Alternative Security Programs (ASPs). Instead, we would 
exercise our existing authority, found in 33 CFR 101.120(d)(1)(ii), to 
require those organizations that have approved ASPs to amend them to 
incorporate the TWIC requirements. Please see Section IV.C. below for a 
discussion on our decision to eliminate this proposal from the NPRM.
    An ASP is a third-party or industry organization-developed standard 
that the Coast Guard has determined provides an equivalent level of 
security to that established by 33 CFR parts 104 or 105. MTSA-regulated 
facilities that are members in good standing of trade organizations or 
industry groups may operate under an ASP, instead of an FSP, submitted 
by the trade organization or industry and approved by the Coast 
Guard.\39\ The Coast Guard permits use of ASPs to tailor Coast Guard 
security requirements to diverse industries within the maritime 
community. ASPs allow owners and operators to participate in a 
development process with other industry groups, associations, or 
organizations, and to coordinate their compliance with Coast Guard 
security rules and other rules already implemented.\40\ Practically, 
ASPs are written to address a group of owners and operators based on a 
business model. Thus, a security standard for the small passenger 
industry will be different from the industry standard for container 
vessels, simply based on the differences in their respective 
vulnerabilities and associated TSI consequence. In effect, ASPs allow 
the end-users to implement an existing security program as an 
alternative to creating an individual vessel- or facility-specific 
security plan. ASPs also lessen the numbers of security plans that must 
be reviewed and approved by the Coast Guard. Currently, there are 11 
approved ASPs.
---------------------------------------------------------------------------

    \39\ See 33 CFR 101.125.
    \40\ See 68 FR 60449, 60454, and 60532 (October 22, 2003).
---------------------------------------------------------------------------

8. Recordkeeping
    The ANPRM proposed to require owners and operators to maintain, for 
a period of 2 years, records captured by TWIC readers on each scan. 
Under the ANPRM, owners and operators would also maintain, for a period 
of 2 years, records on individuals to whom RUA was granted. Finally, 
the ANPRM indicated that we would consider whether to require owners 
and operators to maintain a record to demonstrate that they have 
completed required card validity checks.
9. Additional Persons Required To Obtain TWICs
    MTSA requires the Secretary to issue TWICs to certain individuals 
unless the Secretary determines that an individual poses a security 
risk warranting denial of the card.\41\ Section 70105(b)(2) of Title 46 
U.S.C. lists the categories of individuals to whom this requirement 
applies.
---------------------------------------------------------------------------

    \41\ 46 U.S.C. 70105(b)(1).
---------------------------------------------------------------------------

    We published the ANPRM prior the enactment of the CGAA 2010. At the 
time we published the ANPRM, the list of individuals to whom the 
Secretary was required to issue a TWIC included: (1) An individual 
allowed unescorted access to secure areas of a MTSA-regulated vessel or 
facility; (2) an individual issued a license, certificate of registry, 
or merchant mariners document; (3) a vessel pilot; (4) an individual 
engaged on a towing vessel that pushes, pulls, or hauls alongside a 
tank vessel; (5) an individual with access to SSI; (6) other 
individuals engaged in port security activities; and (7) other 
individuals as determined appropriate by the Secretary.\42\
---------------------------------------------------------------------------

    \42\ 46 U.S.C. 70105(b)(2).
---------------------------------------------------------------------------

    The Coast Guard implementing regulations in 33 CFR 101.514(a) 
require individuals to obtain a TWIC as a pre-condition to gaining 
unescorted access to secure areas of MTSA-regulated vessels and 
facilities. For purposes of Coast Guard regulation of these vessels and 
facilities, we believe that the language in 33 CFR 101.514(a) 
adequately covers the individuals required to obtain a TWIC. 
Nonetheless, at the time we published the ANPRM,

[[Page 17795]]

we were aware of a potential gap between MTSA and our regulations. 
Specifically, there may be some vessel pilots who do not hold Federal 
licenses, and there may be some individuals who are not credentialed 
mariners engaged on towing vessels that are not MTSA-regulated. 
Therefore, to avoid any possible gaps between MTSA and our regulations, 
we included a proposal in the ANPRM to explicitly include these 
individuals in the regulatory requirement to obtain a TWIC.
    Subsequent legislation has caused us to eliminate part of this 
proposal from this NPRM. Section 809 of the CGAA 2010 changed the 
applicability of 46 U.S.C. 70105(b)(2)(B) and (D) so that the Secretary 
is now required to issue a TWIC to credentialed mariners and those 
engaged on towing vessels only if these individuals are allowed 
unescorted access to a secure area of a MTSA-regulated vessel. Section 
809 has eliminated the gap with respect to mariners on towing vessels. 
Mariners who are allowed unescorted access to MTSA-regulated vessels 
are already covered in the existing regulatory requirement to obtain a 
TWIC. We no longer need to add a provision requiring mariners working 
on vessels that are not MTSA-regulated to obtain a TWIC. While there 
may be some vessel pilots that do not hold Federal licenses, we have 
not determined whether there is a population of State-licensed vessel 
pilots that are not otherwise required to obtain a TWIC because they 
access secure areas of MTSA-regulated vessels. We seek public comment 
on this subject and whether a specific provision to include them in the 
regulatory requirement to obtain a TWIC is necessary. If there is a 
population of State-licensed vessel pilots not covered under the 
current regulatory requirement to obtain a TWIC, we intend to revise 33 
CFR 101.514 to cover that population. Please see Section IV.C. below 
for further discussion on our decision to eliminate or modify this 
proposal in this NPRM.

E. Public Comments Received in Response to the ANPRM and Public Meeting

    This section provides a detailed discussion of the public comments 
received during the ANPRM's comment period and public meeting. This 
section also provides our responses to those comments.
    We received approximately 100 comment letters in response to the 
ANPRM. In addition, we hosted a public meeting in Arlington, Virginia 
on May 6, 2009, to provide another forum for obtaining public feedback 
on the ANPRM.\43\ Comments received at the public meeting aligned into 
approximately 20 categories. Copies of the public meeting sign-in 
sheets, written comments received, and a transcript of the public 
meeting, are available for viewing in the public docket for this 
rulemaking.
---------------------------------------------------------------------------

    \43\ See Transportation Worker Identification Credential 
(TWIC)--Reader Requirements, 74 FR 17444 (Apr. 15, 2009) to view the 
notice of public meeting; request for comments.
---------------------------------------------------------------------------

    Commenters represented a wide range of individuals and entities, 
including: Federal, State, and local government officials; port 
authorities; representatives of affected industries, such as maritime, 
trucking, rail, security, port, and other facilities; professional/
trade associations; labor unions; and private citizens. The comments 
received from these parties helped to inform the proposals in this 
NPRM.
1. General Comments
    Numerous commenters supported the ANPRM's general approach to TWIC 
reader requirements and other TWIC-related requirements. Many 
recognized the potential value of the TWIC program to enhance 
transportation security in general, and maritime security in 
particular. Several commenters commended us for first publishing an 
ANPRM to solicit public input on a preliminary set of proposals before 
publishing an NPRM.
    Several commenters cautioned us to implement TWIC reader 
requirements in a manner that does not unnecessarily burden affected 
industries. We believe the requirements proposed in this NPRM achieve 
that goal. Section V. ``Regulatory Analysis'' below provides a detailed 
discussion of the benefits and burdens associated with this proposed 
rule.
    One commenter suggested that the NPRM should clarify which 
provisions specifically apply to vessels, and which apply to 
facilities. Similarly, two commenters suggested that we consider 
proposing separate sets of regulations for vessels and facilities.
    Our proposals in this NPRM clearly distinguish between vessels and 
facilities. To clarify, 33 CFR part 101 sets forth general maritime 
security regulations, 33 CFR part 104 sets forth maritime security 
regulations specific to vessels, 33 CFR part 105 sets forth maritime 
security regulations specific to facilities, and 33 CFR part 106 sets 
forth maritime security regulations specific to OCS facilities. As 
described in greater detail below in Section IV., this NPRM proposes to 
add or amend relevant provisions in each of these parts. Please refer 
to Table ES-1 in the Executive Summary for a breakdown of the NPRM 
proposals by vessel, facility, and OCS facility.
    Several commenters expressed general concerns about TWIC reader 
requirements. Some opposed any requirement to use TWIC readers, citing 
financial burdens and operational complications they believe would 
result from such requirements. Others highlighted differences between 
different types of vessels, and suggested that TWIC readers may not 
necessarily enhance security in each case. Commenters also raised 
concerns about increased traffic and other operational challenges 
associated with TWIC reader requirements.
    As discussed more fully below in Sections IV. and V., this NPRM 
does not propose TWIC reader requirements for Risk Group B. This 
decision was based, in part, on comments received in response to the 
ANPRM. Many of the comments opposing TWIC reader requirements 
represented the interests of owners and operators of vessels or 
facilities assigned to Risk Group B. We have estimated the annualized 
cost of the TWIC reader requirements on vessels and facilities in Risk 
Group A at $26.5 million, at a 7 percent discount rate. Had we proposed 
TWIC reader requirements to also include Risk Group B facilities, the 
annualized cost would increase to $141.2 million, at a 7 percent 
discount rate. Moreover, including Risk Group B in the TWIC reader 
requirements would not only increase the annualized cost, but the 
average consequence figure (the monetized costs of fatalities and 
injuries resulting from a TSI) would drop by more than one-third. While 
this does not mean that there should be no TWIC reader requirements for 
Risk Group B, we believe this analysis supports our phased approach for 
requiring TWIC readers first for Risk Group A. We also wish to 
emphasize the utility of TWIC in enhancing security even when not used 
in conjunction with TWIC readers. Before mariners and other individuals 
were required to obtain a TWIC, they could access secure areas of MTSA-
regulated vessels and facilities after presenting a State-issued 
driver's license or any number of other government-issued 
identification cards. This patchwork system of valid credentials 
required security personnel to become familiar with the appearance and 
security features of every type of acceptable credential. Moreover, 
since some government-issued credentials are used for purposes other 
than security, applicants are not necessarily screened

[[Page 17796]]

from a security threat perspective. Additionally, the eligibility 
criteria for some government-issued credentials do not preclude 
issuance to an individual with a felony criminal record.
    The TWIC program mitigates the above shortcomings. Since April 15, 
2009, TWIC has been the single credential used throughout the maritime 
sector. Accordingly, security personnel only need to become familiar 
with the appearance and security features of one credential. Moreover, 
unlike other government-issued credentials, TWIC is specifically 
designed for transportation security. Its purpose is to ensure a vetted 
maritime workforce by establishing security-related eligibility 
criteria, and by requiring each TWIC-holder to undergo TSA's security 
threat assessment as part of the process of applying for and obtaining 
a TWIC.
    We will continue to analyze risk data and reassess the need to 
modify or add TWIC reader requirements in the future. We believe that 
this approach should alleviate the concerns raised by these commenters.
2. Statutory Authority
    A number of commenters emphasized that the Secretary's authority to 
require TWIC readers on vessels is discretionary, and not mandated by 
MTSA. We agree with this comment.
    One commenter requested clarification that if vessels in lower risk 
groups have not been determined by the Secretary to be at risk of a 
TSI, the SAFE Port Act prohibits TWIC reader requirements for such 
vessels. We disagree with this comment. The relevant portion of the 
SAFE Port Act provides: ``The Secretary may not require the placement 
of an electronic reader for transportation security cards on a vessel 
unless: (1) The vessel has more individuals on the crew that are 
required to have a transportation security card than the number the 
Secretary determines, by regulation issued under subsection (k)(3), 
warrants such a reader; or (2) the Secretary determines that the vessel 
is at risk of a severe TSI.'' \44\ Under the SAFE Port Act, the 
Secretary could require vessels in lower risk groups to use TWIC 
readers if their crew size exceeds the minimum threshold, in this rule 
proposed as 14 individuals, established by regulation. While this NPRM 
does not propose TWIC reader requirements for Risk Groups B or C, the 
Coast Guard is not prohibited from doing so under the SAFE Port Act.
---------------------------------------------------------------------------

    \44\ 46 U.S.C. 70105(m).
---------------------------------------------------------------------------

    One commenter noted that certain proposals in the ANPRM would apply 
to facilities that receive towing vessels engaged in towing a barge or 
barges carrying non-hazardous cargoes, facilities that receive vessels 
subject to 46 CFR Chapter I, Subchapter D, that carry any flammable or 
combustible liquid cargoes or residue, and facilities that receive 
vessels not transferring cargo. The commenter suggested that these 
facilities are not covered by MTSA, and therefore, should not be 
subject to TWIC reader requirements. We disagree with the suggestion 
that these facilities are not covered by MTSA. MTSA broadly defines the 
term ``facility'' to mean ``any structure or facility of any kind 
located in, on, under, or adjacent to any waters subject to the 
jurisdiction of the United States.'' \45\ MTSA requires facility 
security plans (FSPs) for ``facilities that the Secretary believes may 
be involved in a transportation security incident* * *.'' \46\ MTSA 
does not prohibit us from placing TWIC requirements on such facilities.
---------------------------------------------------------------------------

    \45\ 46 U.S.C. 70101(2).
    \46\ 46 U.S.C. 70103(c)(2)(A).
---------------------------------------------------------------------------

3. Risk-Based Approach
a. General
    We received a broad range of comments with respect to the ANPRM's 
risk-based approach to classifying MTSA-regulated vessels and 
facilities. Many commenters expressed support for the ANPRM's risk-
based approach. A number of commenters expressed support for a risk-
based approach, but cited general reservations on the way such an 
approach was proposed in the ANPRM. Other commenters expressed 
opposition to the ANPRM's risk-based approach.
    One argument cited by commenters opposing the ANPRM's risk-based 
approach is that vessels have already been divided into risk groups by 
MTSA with respect to security plan requirements, and by the Port 
Security Grant program. These commenters argued that to introduce 
another risk-based classification matrix would create too much 
complexity for affected industries. A larger group of commenters took 
the opposite view, however, arguing that the ANPRM's matrix should be 
based on additional variables, such as: Risk-reduction measures vessels 
and facilities have already implemented; size and type of vessel; port 
traffic volume; port location; port-wide risk; type, volume, and 
frequency of carrying or handling high-risk cargoes; characteristics of 
container cargoes and facilities; number of TWIC-holders with access to 
a vessel or facility; scenarios other than MSRAM's ``total 
destruction'' scenario; compliance costs; and other industry-specific 
considerations.
    After considering these wide-ranging comments that fell on both 
sides of the issue, we continue to believe that the risk-based approach 
set forth in the ANPRM appropriately categorizes types of vessels and 
facilities based on their risk of being involved in a TSI, without 
creating an overly complex categorization system. Other existing risk-
based categorization matrices are not tailored to TWIC requirements 
like the AHP/MSRAM approach described above. Additionally, as discussed 
more fully below in section III.G., ``HSI Report,'' HSI conducted a 
generally favorable independent peer review of the risk-based approach 
that formed the basis of the ANPRM's proposals.
    Several commenters requested that the Coast Guard establish an 
appeals process whereby owners and operators could petition to have an 
assigned risk-ranking reviewed and lowered based on unique 
circumstances. We wish to clarify that an appeals process already 
exists for those directly affected by a decision or action taken 
pursuant to the Coast Guard's maritime security regulations.\47\ Thus, 
owners and operators would be able to appeal a risk-ranking under the 
existing procedures. The establishment of a separate appeals process 
for petitioning TWIC-related risk-rankings is not necessary.
---------------------------------------------------------------------------

    \47\ 33 CFR 101.420; 33 CFR 104.150; 33 CFR 105.150; 33 CFR 
106.145.
---------------------------------------------------------------------------

    Other commenters suggested that COTPs should assign risk ratings to 
each vessel and facility on a case-by-case basis. We disagree with this 
approach because it is less predictable than a clear regulatory 
standard, and could lead to different standards being applied to 
similar vessels or facilities depending on their location.
b. MSRAM
    Several commenters addressed the use of MSRAM as part of the 
ANPRM's risk-based approach. Some suggested that MSRAM should be 
updated to take into account risk-mitigation measures that industry has 
implemented since 2005. We will continue to update the MSRAM data, but 
we believe the data that informed the ANPRM provides an accurate basis 
for the regulatory proposals in this NPRM.
    Other commenters requested additional information about MSRAM in 
order for them to comment on its utility in developing a risk-based 
classification system. In response, we emphasize that the ANPRM and 
this

[[Page 17797]]

preamble set forth the general principles that underlie MSRAM as a 
risk-analysis tool. The AHP/MSRAM process generates risk scores for 
facility and vessel types. These scores are based on factors related to 
TSI consequence. Since this information is designated as SSI, the 
publication of more specific MSRAM data is prohibited under 49 CFR Part 
15.
c. Movement Between Risk Groups
    Several commenters agreed with the ANPRM's proposal to permit 
movement between risk groups by vessels and facilities that handle or 
carry dangerous cargoes only on a limited basis. Several other 
commenters took the opposite view, arguing that movement between risk 
groups would create a burdensome and confusing set of requirements, and 
would also introduce unfair economic incentives in favor of facilities 
in lower risk groups.
    We continue to favor a flexible approach that allows for the option 
of vessels and facilities to move between risk groups based on the 
cargo handled or carried at a given time. This would ensure appropriate 
utilization of TWIC readers when dangerous cargoes are present, without 
imposing undue burdens when dangerous cargoes are not. Owners and 
operators who do not wish to take advantage of this flexibility would 
not be required to do so. Owners and operators who wish to take 
advantage of this flexibility would be expected to explain, in an 
amended security plan, how changes at their vessel or facility qualify 
for a higher or lower risk group and address the change in risk.
    A number of commenters suggested alternatives to the ANPRM's 
approach with respect to movement between risk groups. Several argued 
in favor of a uniform set of TWIC requirements applicable to all 
vessels and facilities, which would obviate the need for regulatory 
provisions dealing with movement between risk groups. Two commenters 
suggested that facilities in Risk Group C should always retain their 
classification in that group, regardless of whether they handle 
dangerous cargoes on an infrequent basis.
    We do not believe that a ``one size fits all'' approach to TWIC 
requirements is efficient or effective. Instead, we favor a more 
targeted approach that requires TWIC readers for vessels and facilities 
deemed higher risk, and requires less stringent TWIC requirements for 
vessels and facilities not deemed higher risk. We also generally 
disagree with an approach that would permit a vessel or facility to 
comply with the requirements of a lower risk group while handling or 
carrying cargoes that would otherwise trigger the TWIC requirements of 
a higher risk group. Therefore, this NPRM proposes to give the option 
for vessels and facilities to move between risk groups based on the 
cargo handled or carried at a given time.
    Two commenters suggested that facilities in Risk Group C should be 
permitted to appeal to the COTP for a special operating designation to 
cover their infrequent handling of dangerous cargoes. We reiterate that 
an owner or operator may apply for a waiver of any requirement the 
owner or operator considers unnecessary, as provided in 33 CFR 104.130, 
105.130, and 106.125. We also wish to note that if such a waiver is 
granted, an owner or operator is not required to update their security 
plan after approval of the waiver.
    Three commenters requested clarification of the proposed TWIC 
requirements in scenarios where a vessel assigned to a higher risk 
group calls on a facility assigned to a lower risk group. One commenter 
suggested that, in such cases, we should allow time for TWIC 
infrastructures to be updated.
    We wish to clarify that, according to our risk-based approach, 
facilities are classified by the types of commodities they handle and 
the types of vessels they receive. Thus, a facility that receives Risk 
Group A vessels would be categorized as a Risk Group A facility. We 
request additional comments on specific scenarios that might warrant 
further consideration of potential regulatory requirements to address 
the interaction of vessels and facilities in different risk groups.
    Some commenters suggested that the regulations should provide for 
multiple risk group assignments within one facility for situations 
where one portion of the facility handles dangerous cargoes, while 
another portion does not. We are considering granting this request. If 
we grant this request, we expect the regulations to reflect that plans 
for multiple risk group assignments within a facility would be reviewed 
on a case-by-case basis and subject to COTP approval. We request 
additional comments from the public that specifically describe how 
multiple risk group assignments might apply to their facilities. We 
note that in the TWIC 1 Final Rule, we provided facilities with greater 
flexibility by revising 33 CFR 105.115 to allow owners and operators to 
redefine their ``secure area'' as only that portion of their access 
control area that is directly related to maritime transportation. We 
seek comments from the public on whether the additional flexibility of 
being able to further modify a facility's footprint by assigning 
different portions of the facility to different risk groups is 
necessary or appropriate.
d. MARSEC Levels
    Several commenters agreed in principle with the ANPRM's approach of 
imposing enhanced TWIC requirements at higher MARSEC Levels, but 
questioned why there was little difference between the ANPRM's TWIC 
reader requirements for Risk Groups A and B at different MARSEC Levels. 
These commenters suggested alternative approaches, all of which were 
variations on the theme that TWIC reader requirements should become 
more stringent as MARSEC Levels are elevated. Other commenters 
disagreed with the ANPRM's approach, but proposed stricter 
requirements, suggesting that all MTSA-regulated vessels and facilities 
should be required to use TWIC readers at elevated MARSEC Levels. 
Another commenter disagreed with the ANPRM's approach, arguing that to 
impose different TWIC reader requirements depending on MARSEC Level is 
overly complex and would provide no added security benefits.
    We recognize that the system of MARSEC Levels creates a useful 
mechanism for the Coast Guard to elevate security requirements at times 
of heightened risk. Nonetheless, we use this mechanism in a targeted 
manner, and at this time, we do not believe that elevated TWIC reader 
requirements at higher MARSEC Levels are generally practical or 
appropriate. In considering the comments above, we note the change we 
have made from the ANPRM to this NPRM with respect to TWIC reader 
requirements. In the ANPRM, we proposed TWIC reader requirements for 
Risk Groups A and B, with stricter TWIC reader requirements for both 
risk groups at higher MARSEC Levels. The ANPRM's stricter TWIC reader 
requirements would have primarily affected Risk Group B because the 
ANPRM proposed routine biometric scanning with a TWIC reader for Risk 
Group A at all MARSEC Levels. For example, the ANPRM would have 
required Risk Group B to use TWIC readers at MARSEC Level 1 for card 
authentication (i.e., no routine biometric scan) and once-monthly 
biometric identity verification. The ANPRM, however, would have only 
required Risk Group B to regularly use TWIC readers for biometric 
identity verification at higher MARSEC Levels.
    In this NPRM, we have eliminated the proposed TWIC reader 
requirements for Risk Group B. The requirements for

[[Page 17798]]

routine biometric scanning with a TWIC reader for Risk Group A remain 
the same as in the ANPRM. Note that we propose increased requirements 
at higher MARSEC Levels to the extent that the NPRM would require Risk 
Group A to perform daily updates of CCL information at higher MARSEC 
Levels, instead of the weekly updates required at MARSEC Level 1.
    We also note that data from the TWIC Pilot demonstrated that 
switching between different TWIC reader modes of operation negatively 
impacted the efficiency of TWIC reader use by complicating the learning 
process for TWIC-holders. According to the TWIC Pilot, TWIC-holders 
were confused by the different procedural requirements for the 
different TWIC reader modes of operation, regardless of attempts to 
inform TWIC-holders in advance of mode changes. This often resulted in 
delays caused by TWIC-holders' confusion as to whether or not they 
needed to place their finger on the TWIC reader's fingerprint sensor. 
In contrast, the TWIC Pilot found that when TWIC readers were used in 
the same mode of operation for a sustained period of time, TWIC-holders 
became familiar with a consistent throughput procedure, resulting in 
more efficient processing. While more stringent TWIC reader 
requirements might seem appropriate at higher MARSEC Levels, the TWIC 
Pilot demonstrated the importance of a consistent user experience. We 
also note that according to existing regulations in 33 CFR 101.405, the 
Coast Guard may issue MARSEC Directives setting forth mandatory 
measures if we determine that additional security measures are 
necessary to respond to specific threats.
    Consistent with the findings of the TWIC Pilot, the TWIC reader 
requirements proposed in this NPRM call for no switching between TWIC 
reader modes, and also call for little variation in requirements at 
higher MARSEC Levels. The only difference between the requirements 
proposed in the ANPRM and this NPRM based on MARSEC Level is that, at 
MARSEC Level 1, owners and operators of vessels or facilities in Risk 
Group A would be required to perform card validity checks based on CCL 
information that has been updated weekly, whereas at higher MARSEC 
Levels, the CCL updates would be required daily. The increased risk 
associated with elevated MARSEC Levels warrants this requirement to 
update the CCL information more frequently. The Coast Guard seeks 
public comment on this approach.
e. CCL and ``Privilege Granting''
    Most of the comments we received regarding the CCL recognized some 
benefits to card validation requirements that involve checking TWICs 
against this list. One commenter, however, stated that the benefits of 
such requirements would not outweigh the burdens. We disagree with this 
comment. Invalid TWICs are placed on the CCL if they are lost, stolen, 
damaged, or revoked by TSA for cause. The benefit of a requirement to 
check TWICs against the CCL is that it enables owners and operators to 
limit the access to secure areas of our nation's transportation system 
to individuals that hold a TWIC. We estimate the burden of updating CCL 
information into the TWIC reader or PACS to be approximately 30 minutes 
per week. For a more detailed discussion of the costs and benefits 
associated with this proposed rule, see Section V. ``Regulatory 
Analyses'' below.
    Three commenters requested that more frequent or real-time updated 
CCL information be made available. These commenters argued that access 
to real-time CCL information would enhance security better than the 
method proposed in the ANPRM, which requires owners and operators to 
update CCL information on a weekly or daily basis depending on the 
particular MARSEC Level. Other commenters felt that daily or weekly 
download requirements are reasonable.
    We believe that the requirements to download the CCL weekly or 
daily (based on MARSEC level) strike a reasonable balance between 
security and practicality. Owners and operators who wish to download 
CCL information more frequently would be able to do so.
    Two commenters requested functionality that would enable CCL 
information to be downloaded directly into an entity's PACS. We confirm 
that this functionality exists via Internet connection.
    Other commenters requested functionality that would make CCL 
information available through additional mechanisms, such as wireless 
connection to a TWIC reader, manual download to a TWIC reader, access 
via smart-phone, or a searchable Internet database accessible via the 
Homeport \48\ or other secure system. We emphasize that the CCL 
information is available via the Internet through a wireless device or 
manual download to a TWIC reader.\49\
---------------------------------------------------------------------------

    \48\ Homeport is a publicly accessible internet portal located 
at https://homeport.uscg.mil, which provides users with current 
maritime security information. It also serves as the Coast Guard's 
communication tool designed to support the sharing, collection, and 
dissemination of sensitive but unclassified information to targeted 
groups of registered users within the port population.
    \49\ The CCL is updated daily and is publicly available for 
download on the Internet at https://twicprogram.tsa.dhs.gov/TWICWebApp/.
---------------------------------------------------------------------------

    Seven commenters expressed concerns over the CCL because it groups 
together individuals who are legitimate security threats with 
individuals who merely have a lost or stolen TWIC. These commenters 
felt that individuals in the latter categories would be unduly 
stigmatized by being placed on the CCL together with individuals 
identified as security threats. Accordingly, they argued that the CCL 
should focus exclusively on individuals determined to be security 
threats.
    We wish to clarify that the CCL does not contain names, any 
personally identifiable information, or any security information. The 
CCL is simply a list of TWIC numbers that have not yet expired, but are 
no longer valid for entry to secure areas due to their reported loss or 
theft, being revoked by TSA, or replaced administratively due to 
damage, or other reason.
    We also note that the Coast Guard does not maintain or control the 
content of the CCL. The CCL is maintained and controlled by TSA. The 
Coast Guard has shared these comments with TSA for use in future 
planning. Facility and vessel owners and operators should understand 
that a variety of factors could cause a TWIC to be listed on the CCL.
    One commenter suggested that we use a vehicle, such as the Homeport 
system, to notify employers when an employee has been identified as a 
national security threat or otherwise deemed ineligible to hold a TWIC. 
In response to this comment, we note that national security threats are 
dealt with in the manner prescribed by relevant law enforcement 
agencies, and typically do not involve release of any information that 
could compromise an ongoing investigation, including whether an 
individual may pose a national security threat. We also note, however, 
that TSA requires all TWIC applicants to acknowledge that TSA may 
notify employers and facility owners and operators if there is an 
imminent threat of risk to individuals or property.
    Several commenters expressed opinions on the ANPRM's proposal 
regarding a ``privilege granting'' system, which would enable an owner 
or operator to register with TSA the names of specific TWIC-holders 
granted access to secure areas. TSA would then contact the owner or 
operator directly when a registered individual has been added to

[[Page 17799]]

the CCL. Approximately 20 commenters stated that they would prefer a 
privilege-granting system over a requirement to continually download or 
manually check CCL information. One of these commenters suggested that 
privilege granting should actually be a minimum requirement for all 
owners and operators of vessels and facilities in Risk Group C, because 
this would confer a meaningful security benefit at little cost. Most of 
the commenters supporting a privilege-granting system opposed the 
proposition to pay a fee for it. Two commenters suggested that if a fee 
were to be charged, the NPRM should include a fee estimate so that the 
public would have more of a basis on which to comment.
    Several commenters were not in favor of the ANPRM's privilege-
granting system. One simply felt it is unnecessary. Another cited 
employee privacy concerns. One commenter stated that a privilege-
granting system might provide some benefit to vessels, but would not 
benefit facilities. Another stated that a privilege-granting system 
would not be a viable option for tug or barge operators because these 
operators do not know which individuals require access to which vessels 
or facilities.
    After considering the comments and further analysis, we have 
decided not to include a privilege-granting system in this NPRM. The 
population of TWIC-holders granted access to any given vessel or 
facility often changes, which means that a privilege-granting system 
would be labor-intensive, costly, and impractical to maintain. 
Moreover, we believe that creating and maintaining a privilege-granting 
system would require substantial government and/or industry resources, 
and commenters were generally unwilling to pay fees that would be 
necessary to create and maintain such a system.
    One commenter requested information on how vessels operating 
outside of available wireless Internet access zones would download 
necessary CCL updates. We wish to clarify that there would be no 
obligation to download updated CCL information when there are no new 
individuals seeking access to secure areas. For example, a vessel 
designated as a secure area that is underway for an extended period of 
time with the same crew would not need to download updated CCL 
information if card validity was properly confirmed when the TWIC-
holders boarded the vessel. We request additional comments from the 
public regarding practical scenarios in which a vessel might not be 
able to download necessary CCL updates within the prescribed frequency 
(weekly or daily, depending on MARSEC Level). Additionally, we request 
comments from the public regarding the regulatory requirements that we 
should put in place when vessels are in one of those scenarios. One 
possibility would be to continue to require the use of TWIC readers for 
identity verification, card authentication, and card validity, even 
though the CCL might not have been updated within the prescribed 
frequency. This would electronically confirm that the TWIC has not 
expired, and also confirm no match against the most recently downloaded 
version of the CCL. The owner or operator would be required to update 
the CCL at the next available opportunity. We request comments from the 
public on this proposal or any preferred alternatives we should 
consider.
    One commenter requested guidance on the obligations an employer 
might have if notified by TSA that a former employee's TWIC has been 
revoked. We wish to clarify that generally, no such notification would 
be forthcoming. We note, as mentioned above, that TSA requires all TWIC 
applicants to acknowledge that TSA may notify employers and facility 
owners and operators if there is an imminent threat of risk to 
individuals or property. In those scenarios, TSA would provide 
appropriate case-specific guidance to the employer at the time of any 
such TSA notification.
    Several commenters requested additional general guidance on any 
proposed requirements to perform card validation using CCL information. 
We will consider whether and how to issue additional guidance, as 
necessary.
f. PIN Usage
    Approximately 30 commenters agreed with the ANPRM's approach that 
TWIC-holders should not be required to input their PINs in order to be 
granted access to secure areas. Among the reasons commenters cited in 
opposing a PIN requirement were: intermittent use makes PINs hard to 
remember; difficulty of retrieving forgotten PINs; throughput delays 
and other disruptions; and lack of an appreciable security benefit once 
a biometric match has been established.
    In the ANPRM, we recognized the operational and environmental 
challenges that a PIN requirement would present. The TWIC Pilot also 
noted that since many TWIC-holders had rarely, if ever, used their PINs 
since activating their TWICs, some workers could not remember their 
PINs. These individuals were then required to visit a TWIC enrollment 
center to reset their PINs. The TWIC Pilot also noted that inputting 
the PIN is not necessary to conduct a biometric match. Consistent with 
the comments and TWIC Pilot findings, this NPRM does not propose a 
requirement that TWIC-holders enter their PINs in order to access 
secure areas.
    Several commenters also requested that PINs not be required during 
Coast Guard spot checks and inspections. We note that such a proposal 
was not included in the ANPRM. Existing regulation already requires 
mariners to provide their PINs to Coast Guard personnel upon 
request.\50\ For example, when a mariner's fingerprints cannot be read 
using a TWIC reader, Coast Guard personnel may require the mariner to 
provide the PIN. To account for this and other instances when a 
mariner's identity cannot be verified by means other than the TWIC and 
PIN, we are retaining the existing provision that requires mariners to 
provide PIN information to Coast Guard personnel upon request.
---------------------------------------------------------------------------

    \50\ See 33 CFR 101.515(d)(2).
---------------------------------------------------------------------------

    Some commenters acknowledged that PIN verification may be useful in 
certain circumstances, and that there are certain advantages associated 
with PINs. One commenter noted that PIN usage would be a viable 
alternative when fingerprint matching is not possible. We agree with 
this comment and have addressed this issue below in section IV.F. 
``TWIC Inspection Requirements in Special Circumstances.''
    Another commenter suggested that TWIC readers designed to only 
check PINs might be less expensive than TWIC readers that perform other 
functions. We believe that the operational and environmental challenges 
presented by a PIN requirement outweigh this possible cost advantage.
    One commenter stated that PINs are another line of defense against 
forged TWICs. We agree with this comment, but do not believe it 
warrants a PIN requirement. Although this NPRM does not propose to 
require PIN verification, owners and operators may choose to impose 
their own PIN verification requirement on individuals before granting 
them access to secure areas.
    Finally, several commenters requested that we implement a more 
widely available and accessible system for resetting forgotten PINs. 
This comment relates to TSA's procedures for resetting PINs. We have 
provided these comments to TSA for their consideration. TSA currently 
protects PINs by securely locking them on the card as required by the 
Federal Information Processing Standards 201-1 (FIPS 201). PIN reset 
requires virtual private network (VPN) access to the

[[Page 17800]]

TWIC system available only at TWIC enrollment centers. TSA is looking 
at possible alternatives and updates to the current PIN reset policy.
4. Utility of TWIC Readers in Reducing TSI Vulnerability
    Many commenters acknowledged the utility of the TWIC program in 
reducing TSI vulnerability, though they expressed differing opinions on 
the utility of TWIC readers in that regard. Some asserted that TWIC 
readers would not reduce risks, especially on small vessels where 
crewmembers are familiar with one another, and on vessels where 
restricted areas are already protected by other access control 
mechanisms. Several of these commenters expressed the opinion that TWIC 
effectively reduces risk insofar as personnel are required to complete 
a rigorous security threat assessment in order to obtain a TWIC; yet, 
they believe that TWIC readers would provide no additional risk 
reduction benefit. Although one of these commenters acknowledged the 
potential utility of TWIC readers at large facilities and on large 
vessels, this group of commenters generally opposed all of the proposed 
TWIC reader requirements.
    Other commenters took the opposite view. Several argued that the 
TWIC's security benefits would only be realized through the institution 
of a standard requirement to use TWIC readers at all MTSA-regulated 
vessels and facilities. One point emphasized by this group of 
commenters is that visual inspection as a means of identity 
verification would not effectively detect counterfeit TWICs.
    One commenter favored an approach in which TWIC readers are used in 
addition to--not in place of--visual comparison of the TWIC-holder to 
the photograph on the TWIC. Another commenter favored an approach in 
which owners and operators would be required to conduct random 
electronic biometric matches using a TWIC reader, as opposed to using a 
TWIC reader each time an individual accesses secure areas. Finally, one 
commenter suggested that we include an option that would allow owners 
and operators to schedule periodic Coast Guard visits for the purpose 
of conducting comprehensive inspections using the Coast Guard's 
portable TWIC readers.
    The wide ranging nature of these comments demonstrates the need for 
an analysis of the impacts of TWIC reader requirements in the maritime 
sector. Similarly, Congress had also mandated a thorough analysis of 
TWIC reader utility in the SAFE Port Act by requiring the Secretary to 
`` * * * conduct a pilot program to test the business processes, 
technology, and operational impacts required to deploy * * * [TWIC] 
readers at secure areas of the maritime transportation system.'' \51\ 
At the time we published the ANPRM and received the comments above, TSA 
had not yet completed data collection for the TWIC Pilot. TSA completed 
data collection for the TWIC Pilot on May 31, 2011. In accordance with 
the SAFE Port Act, we crafted the proposals in this NPRM in a manner 
consistent with the findings of the TWIC Pilot.\52\
---------------------------------------------------------------------------

    \51\ 46 U.S.C. 70105(k).
    \52\ 46 U.S.C. 70105(k).
---------------------------------------------------------------------------

    The TWIC Pilot was designed to assess, among other things, the 
utility of TWIC readers in enhancing security. The TWIC Pilot found 
that when designed, installed, and operated in a manner consistent with 
the business considerations of the vessel or facility, TWIC readers 
enhance security by reducing the risk that an unauthorized individual 
could gain access to secure areas. The TWIC Pilot also found that TWIC 
readers enhance security by enabling owners and operators to assign 
secure area access privileges to a limited population of TWIC-holders. 
The proposals in this NPRM to require TWIC readers are consistent with 
the findings of the TWIC Pilot and were developed to reduce TSI 
vulnerability at MTSA-regulated facilities and vessels.
5. TWIC Reader Requirements on Vessels
    Many commenters expressed opposition to any requirement for TWIC 
readers on vessels. These commenters argued that TWIC readers on 
vessels would be expensive, impractical, ineffective in enhancing 
security, and would put U.S.-flagged vessels at a competitive 
disadvantage relative to foreign-flagged vessels that can operate 
without TWIC readers. Instead, these commenters favored using TWIC as a 
visual identity badge on vessels. They argued that the greatest value 
of the TWIC program is not as an access control device, but rather as a 
reliable, standardized means to establish the identity and background 
of new employees. The commenters emphasized that TWIC readers would 
likely cause logistical problems, and would be unnecessary on vessels 
in which crew size is relatively small, because crewmembers are 
familiar with one another. Finally, the commenters believed that TWIC 
readers are unnecessary on vessels because, in most cases, TWIC-holders 
accessing vessels have already had their TWICs checked using a TWIC 
reader at shore-side facilities and during Coast Guard inspections.
    One commenter felt that there might be limited utility to TWIC 
readers on vessels. Another commenter proposed an alternative approach 
that would require vessel owners and operators to specify a certain 
percentage of individuals on board for random biometric matches using a 
TWIC reader.
    As mentioned previously, we rely on the TWIC Pilot's finding that 
TWIC readers enhance security when used properly. Additionally, we 
recognize that many of the commenters arguing against the proposed 
requirement for TWIC readers on vessels expressed the interest of 
owners and operators of vessels in Risk Group B. After considering the 
public comments and additional analysis, we have eliminated from this 
NPRM the proposal to require TWIC readers on vessels in Risk Group B. 
As discussed more fully below in Section IV., ``Section-by-Section 
Description of Proposed Rule,'' this NPRM proposes TWIC reader 
requirements for vessels in Risk Group A only. Moreover, this NPRM 
proposes to exempt from TWIC reader requirements all vessels with 14 or 
fewer TWIC-holding crewmembers. These measures should alleviate most of 
the concerns raised by commenters with respect to the costs and 
logistics of TWIC readers on vessels and on the limits for utility on 
vessels with 14 or fewer crewmembers.
    Some commenters expressed the opinion that on small vessels, even a 
requirement to use the TWIC as a visual identity badge is an 
unnecessary burden that would confer little or no security benefit. We 
disagree with this comment. A security benefit is conferred when a 
vessel owner or operator is able to confirm that each entrant to a 
secure area holds a TWIC.
    One commenter requested clarification as to whether a vessel owner 
or operator would be required to check TWICs electronically on days the 
vessel does not sail. We wish to clarify that TWIC reader requirements 
are triggered when individuals are granted access to secure areas, 
regardless of whether a vessel sails.
6. TWIC Reader Requirements for Risk Group A
a. Risk Group A Classification
    Two commenters questioned why Risk Group A includes facilities that 
handle bulk CDC, but does not include facilities that handle non-bulk 
Division 1.1 or 1.2 explosives. We reiterate that based on the AHP/
MSRAM data and analysis, facilities that handle non-bulk

[[Page 17801]]

substances did not warrant placement in Risk Group A. Such facilities 
generated lower AHP scores because unlike bulk CDC, Division 1.1 or 1.2 
explosives are segregated and kept in smaller quantities.
b. Risk Group A TWIC Reader Requirements
    Six commenters representing owners and operators of large vessels 
or facilities expressed general concerns that the ANPRM's proposed TWIC 
reader requirements would present significant operational challenges. 
Another commenter stated that it would be burdensome if TWIC readers 
had to be manually updated to keep CCL information current.
    In considering these comments, we note that the TWIC Pilot elicited 
a variety of lessons learned with respect to the operational impacts of 
deploying TWIC readers in the maritime sector. The TWIC Pilot generally 
found that when TWIC readers are designed, installed, and operated in a 
manner consistent with the business considerations of the vessel or 
facility, they function properly.
    We believe that the proposals in this NPRM appropriately consider 
the findings of the TWIC Pilot and implement the TWIC reader 
requirements mandated by MTSA and the SAFE Port Act in a manner that 
enhances the nation's maritime security without imposing undue burdens. 
More information on the economic analysis for this proposed rule is 
provided below in Section V. ``Regulatory Analyses.''
    We also note that in the TWIC 1 Final Rule, we revised 33 CFR 
105.115 to permit owners and operators to redefine their ``secure 
area'' as only that portion of their access control area that is 
directly related to maritime transportation. This revision was intended 
to provide greater flexibility to facility owners and operators in 
dealing with the operational impacts of implementing the TWIC program 
at each individual facility. Additionally, as discussed above, we are 
also considering allowing multiple risk group designations within one 
facility, to account for situations where one portion of a facility 
handles dangerous cargoes and another portion does not.
7. TWIC Reader Requirements for Risk Group B
a. Risk Group B Classification
    Numerous commenters expressed the opinion that Risk Group B is 
over-inclusive in terms of the types of vessels and facilities covered. 
Many argued that OCS facilities subject to 33 CFR part 106 do not 
present risks that warrant placement in Risk Group B.
    Two commenters argued that tank vessels as defined in 33 CFR 
Subchapter D should not be placed in Risk Group B. One commenter 
suggested that with respect to crewmembers on Subchapter D vessels, the 
only requirement to scan their TWICs using a TWIC reader should be upon 
initial hiring at the employer's home office.
    One commenter whose vessel is licensed for 800 passengers and 
carries a crew of six argued that TWIC reader requirements would be a 
financial burden that provides no appreciable security benefit. In 
response, we note that in this NPRM, we do not propose to require TWIC 
readers for Risk Group B.
    One commenter argued that facilities handling no hazardous 
materials other than asphalt cement do not present risks that warrant 
placement in Risk Group B. The commenter requested that we specifically 
exclude from Risk Group B facilities that handle products designated as 
hazardous only due to storage and handling at elevated temperatures. 
Two commenters suggested that for purposes of this rule, the term 
``hazardous materials'' should not be defined by reference to 49 CFR 
172. One of these commenters argued that this definition would cover 
many products that present little or no risks. Instead, the commenter 
suggested that we adopt the definition of ``hazardous materials'' used 
by TSA and/or the Pipeline and Hazardous Materials Safety 
Administration.
    We wish to clarify that the term ``hazardous materials'' is defined 
in 33 CFR part 101.105 as those materials subject to regulation under 
46 CFR parts 148, 150, 151, 153, or 154, or 49 CFR parts 171 through 
180. We believe that the types of vessels and facilities referenced in 
the comments above are appropriately placed in Risk Group B based on 
the AHP/MSRAM analysis. We further believe that the comments above 
seeking re-classification out of Risk Group B resulted from the ANPRM's 
proposal to require TWIC readers for Risk Group B. We reiterate that, 
based on the comments and additional analysis, this NPRM does not 
propose TWIC reader requirements for Risk Group B.
b. Risk Group B TWIC Reader Requirements
    One commenter believed that the ANPRM's proposed requirements for 
Risk Group B are appropriate. Another commenter argued that identity 
verification upon each entry to a secure area would be too burdensome. 
Another commenter argued that the proposed TWIC reader requirements in 
the ANPRM for Risk Group B at MARSEC Level 2 would be too burdensome. 
Finally, two commenters argued that, as a general matter, the ANPRM's 
proposals are too burdensome because they would require vessels and 
facilities in Risk Group B to have both a TWIC reader and a security 
guard to visually inspect TWICs as well.
    Several commenters argued that the ANPRM's requirement for Risk 
Group B to conduct random monthly scans using a TWIC reader would be 
costly and provide minimal security benefits, especially if done on a 
low volume or non-work day. Other commenters requested clarification as 
to whether the ANPRM's approach would require monthly scans on all 
TWIC-holders associated with a vessel or facility, or only on the TWIC-
holders visiting the vessel or facility on a specific day.
    Several commenters proposed alternative TWIC requirements for Risk 
Group B. Some suggested approaches that rely less on TWIC readers than 
did the ANPRM's approach. For example, two commenters suggested 
requiring only visual TWIC checks for identity verification, card 
authentication, and card validation as a routine matter at MARSEC Level 
1. Thus, scans using a TWIC reader would only be required once per 
month at MARSEC Level 1, but would remain a standard procedure at 
higher MARSEC Levels. Another commenter suggested that card validity 
checks should be required on small vessels less frequently than as 
proposed in the ANPRM. Two commenters opposed the ANPRM's requirement 
to perform monthly scans using a TWIC reader at MARSEC Level 1.
    Other commenters suggested alternative approaches that rely more on 
TWIC readers than did the ANPRM's approach. For example, several 
commenters suggested that owners and operators of vessels or facilities 
in Risk Group B should always be required to use TWIC readers to 
perform identity verification, arguing that visual checks are less 
reliable. Some of these commenters argued that unlike random monthly 
scans using a TWIC reader, routine use of TWIC readers would provide 
TWIC-holders the benefit of a consistent user experience.
    Based on the comments and further analysis, this NPRM does not 
propose TWIC reader requirements for Risk Group B. We have estimated 
the annualized cost of the TWIC reader requirements on vessels and 
facilities in Risk Group A at $26.5 million, at a 7 percent discount 
rate. Had we proposed TWIC reader requirements to also

[[Page 17802]]

include Risk Group B facilities, the annualized cost would be $141.2 
million, at a 7 percent discount rate. Moreover, including Risk Group B 
in the TWIC reader requirements would not only increase the annualized 
cost, the average consequence figure (the monetized costs of fatalities 
and injuries resulting from a TSI) drops by more than one-third. While 
this does not mean that there should be no TWIC reader requirements for 
Risk Group B, we believe this analysis supports our phased approach for 
requiring TWIC readers first for Risk Group A.
    We also wish to emphasize the utility of TWIC in enhancing security 
even when not used in conjunction with TWIC readers. Before mariners 
and other individuals were required to obtain a TWIC, they could access 
secure areas of MTSA-regulated vessels and facilities after presenting 
a State-issued driver's license or any number of other government-
issued identification cards. This patchwork system of valid credentials 
required security personnel to become familiar with the appearance and 
security features of every type of acceptable credential. Moreover, 
since some government-issued credentials are used for purposes other 
than security, applicants are not necessarily screened from a security 
threat perspective. Additionally, the eligibility criteria for some 
government-issued credentials do not preclude issuance to an individual 
with a felony criminal record.
    The TWIC program mitigates the above shortcomings. Since April 15, 
2009, TWIC has been the single credential used throughout the maritime 
sector. Accordingly, security personnel only need to become familiar 
with the appearance and security features of one credential. Moreover, 
unlike other government-issued credentials, TWIC is specifically 
designed for transportation security. Its purpose is to ensure a vetted 
maritime workforce by establishing security-related eligibility 
criteria, and by requiring each TWIC-holder to undergo TSA's security 
threat assessment as part of the process of applying for and obtaining 
a TWIC.
    As we go forward with our phased approach to implementing TWIC 
reader requirements, we will continue to evaluate the use of TWIC 
readers on vessels and at facilities, and determine the need for 
additional or different TWIC reader requirements. Proposing 
requirements for Risk Group A only in this NPRM is indicative of our 
desire to minimize highest risks first, but should not be read to 
foreclose revised TWIC reader requirements in the future.
    Several commenters argued that container (cargo) facilities present 
risks that actually warrant the more stringent TWIC reader requirements 
of Risk Group A rather than those of Risk Group B. In response, we note 
that, based on the AHP/MSRAM analysis, being a container facility alone 
did not automatically cause a facility to be categorized in Risk Group 
B. In addition, several factors led the Coast Guard to decide not to 
require TWIC readers for most of these facilities at this time. First, 
there are limits on the additional risk reduction (above and beyond the 
credentialing and visual identification purposes of the TWIC itself) of 
TWIC readers at container facilities. Security risk in the maritime 
sector can be considered as following one of three high-level 
scenarios: (1) The asset in question could be the target of an attack; 
(2) the asset in question could be used as a weapon for an attack; or 
(3) the asset could be used to enable or facilitate an attack 
elsewhere. For container facilities, the first scenario brings low risk 
given the number of personnel concentrated and exposed to an attack and 
limited storage of hazardous materials. Similarly, the second scenario 
brings low risk as containers bring low risk of use as a weapon. 
Furthermore, the use of TWIC readers, or other access control features, 
would not mitigate the threat associated with the contents of a 
container. The TWIC reader serves as an additional access control 
measure, but would not improve screening of cargoes for dangerous 
substances or devices. The third scenario is the primary risk driver 
for container facilities, with the risk of containers used to smuggle 
illicit materials and/or personnel into the country. The additional 
verifications provided by TWIC readers, however, would bring limited 
utility to this scenario. Those individuals looking to access the 
contents of the container could do so after the container exits the 
secured area. As such, TWIC readers bring limited additional risk 
reduction over the TWIC itself. Additionally, requiring TWIC readers at 
container facilities brings significant costs, as these facilities 
typically have a higher number of access points per facility (and 
therefore would incur more capital costs) and higher numbers of 
personnel accessing the facility. While the additional time to use the 
TWIC reader to conduct a biometric match over the visual inspection is 
limited on an individual basis, the high volume of workers could cause 
the associated delay costs to accrue to much more significant levels 
than other facility types. Given the large numbers of truck drivers 
accessing these facilities, these delays would also be accompanied by 
increased air emissions, resulting in greater potential for 
environmental impact. Therefore, in this NPRM, only those container 
facilities that are otherwise categorized in Risk Group A would be 
required to use TWIC readers. We will continue to assess whether 
container facilities warrant additional consideration with respect to 
TWIC reader requirements. We welcome additional comments from the 
public on the risk group classification of container facilities.
8. TWIC Requirements for Risk Group C
a. Risk Group C Classification
    One commenter supported the ANPRM's classification of OSVs in Risk 
Group C. One commenter suggested that the passenger cutoff number for 
vessels in Risk Group C should not be 500. Instead, this commenter 
argued that the cutoff number should be 49 overnight passengers or 150 
passengers, similar to the Coast Guard's vessel safety regulations. In 
response, we reiterate that the AHP/MSRAM analysis considered factors 
based on TSI consequence. These factors are different than the factors 
that underpin the Coast Guard's safety regulations. The passenger 
cutoff numbers derived from the AHP/MSRAM analysis are more appropriate 
for defining the risk-based framework for TWIC reader requirements.
b. Risk Group C TWIC Requirements
    Many commenters agreed with the ANPRM's approach that TWIC reader 
requirements would not appreciably enhance security for vessels and 
facilities in Risk Group C. One commenter further argued that since 
vessels and facilities in Risk Group C are so low risk, even visual 
TWIC inspections would be an unnecessary burden that would confer no 
security benefit. As noted above, however, several commenters took the 
opposing view, broadly asserting that owners and operators of all MTSA-
regulated vessels and facilities (including those in Risk Group C) 
should be required to use TWIC readers to control access to secure 
areas.
    We believe that although vessels and facilities in Risk Group C 
present a less likely target for individuals wishing to do harm, these 
vessels and facilities still hold the potential of being involved in a 
TSI and with consequences that could still be significant. A security 
benefit is conferred when an owner or operator is able to confirm that 
each entrant to secure areas holds a TWIC, as the TWIC serves as 
evidence that the person has

[[Page 17803]]

successfully passed TSA's security threat assessment. Accordingly, this 
NPRM proposes the same requirements as the ANPRM for Risk Group C, 
which includes requirements to visually inspect TWICs before granting 
unescorted access to secure areas, as is already required in the 
current regulations.
    Some commenters asked whether vessels and facilities in Risk Group 
C would need dedicated security guards to perform visual TWIC checks, 
and what credentials these security guards would need to possess. Under 
current regulations (which would not change under this NPRM) for 
vessels and facilities categorized in this NPRM as Risk Group C, 
security personnel must visually inspect the TWIC of each person 
seeking unescorted access to secure areas. Our regulations do not 
require the use of ``dedicated security guards,'' but do require that 
the security personnel doing visual inspection of TWICs have certain 
knowledge, training, and experience. It is important for owners, 
operators, and others with security duties to be familiar with the 
technologies embedded in the TWIC, particularly the features that make 
the TWIC resistant to tampering and forgery. Those who would be 
examining TWICs at access control points should be familiar enough with 
the TWIC's physical appearance so that variations or alterations are 
easily recognized. Relevant security training requirements for 
personnel on vessels and at facilities are found at 33 CFR 104.210, 
104.215, 104.220, 104.225, 105.205, 105.210, 105.215, 106.205, 106.210, 
106.215, and 106.220.
9. Physical Placement of TWIC Readers
    Eight commenters requested clarification as to whether TWIC readers 
would be required at the access points to each secure area or at the 
perimeter access points to the vessel or facility. Three commenters 
suggested that vessels should not be required to place TWIC readers at 
every access point to a secure area. Instead, according to these 
commenters, vessels required to have TWIC readers should only be 
required to place them at the main access points to the vessels. 
Several commenters expressed concerns that if TWIC readers are required 
at the access points to each secure area on vessels, safety would be 
compromised in emergency situations when crewmembers need immediate 
access to those areas.
    We wish to clarify that for both vessels and facilities, the term 
``secure area'' is defined as ``* * * the area * * * over which the 
owner/operator has implemented security measures for access control * * 
*. It does not include passenger access areas, employee access areas, 
or public access areas * * *.'' \53\ For facilities, the secure area 
may encompass the entire facility, or the facility may consist of a 
combination of secure areas and public access areas. Similarly, for 
vessels, the secure area may encompass the entire vessel, or the vessel 
may consist of a combination of secure areas and passenger and employee 
access areas.
---------------------------------------------------------------------------

    \53\ 33 CFR 101.105.
---------------------------------------------------------------------------

    This NPRM proposes different requirements for vessels and 
facilities with respect to the placement of TWIC readers. For 
facilities, this NPRM proposes to require TWIC readers at the access 
points to each secure area. If the entire facility is designated as a 
secure area, then TWIC readers would only be required at the access 
points to the facility itself. If the secure area does not encompass 
the entire facility, then TWIC readers would be required at the access 
points to each secure area.
    For vessels, this NPRM proposes to require TWIC readers at the 
access points to the vessel itself, regardless of whether the secure 
area encompasses the entire vessel. Thus, even if the secure area does 
not encompass the entire vessel (e.g., a passenger vessel consisting of 
secure areas and passenger and employee access areas), TWIC readers 
would only be required at the access points to the vessel itself. TWIC-
holders may be granted unescorted access to the vessel's secure areas 
after the TWIC has been verified, validated, and authenticated at a 
vessel access control point. TWIC-holders may then move between secure 
areas and passenger and employee access areas without processing 
through a TWIC reader each time. We request additional comments from 
the public on the proposed regulatory provisions regarding the 
placement of TWIC readers for vessels and facilities, and how to 
minimize crewmembers from entering secure and/or restricted areas if 
they do not hold a TWIC.
    With respect to emergency situations, we partially addressed this 
issue in the TWIC 1 Final Rule, and added a paragraph to 33 CFR 101.514 
clarifying that emergency personnel need not have TWICs to obtain 
unescorted access to secure areas during emergencies. Moreover, this 
NPRM does not propose to require TWIC readers on vessels at each access 
point to a secure area. Instead, TWIC readers would only be required at 
the access points to the vessel itself.
    One commenter suggested that with respect to OCS facilities, the 
appropriate location for TWIC reader placement is not on the facility 
itself, but, rather, at the shore-side points of embarkation for the 
facility. This comment echoes a recommendation from NMSAC in the TWIC 1 
NPRM,\54\ to which we responded that OCS facilities where access is 
limited and can be controlled by reading the TWIC at the point of 
embarkation may continue to do so. Note that this NPRM does not propose 
TWIC reader requirements for any OCS facilities. Accordingly, OCS 
facilities where access is limited and can be controlled by visually 
inspecting the TWIC at the point of embarkation may do so.
---------------------------------------------------------------------------

    \54\ See 71 FR 29405.
---------------------------------------------------------------------------

    One commenter suggested that owners and operators of facilities 
should not be required to use TWIC readers on docks and other waterside 
access points. In response, we emphasize that we are not proposing a 
blanket exemption from TWIC reader requirements on docks and other 
waterside access points. As proposed in this NPRM, owners and operators 
of facilities in Risk Group A would be required to ensure that access 
to secure areas is limited to individuals whose TWICs have been scanned 
by a TWIC reader.
    We also note that in the TWIC 1 Final Rule, we revised 33 CFR 
105.115 to provide greater flexibility to facility owners and operators 
by allowing them the option to redefine their ``secure area'' as only 
that portion of their access control area that is directly related to 
maritime transportation. Thus, facilities whose footprint includes 
portions that are not directly related to maritime transportation can 
submit an FSP for Coast Guard approval that removes those areas from 
the definition of the facility's ``secure area'' for Coast Guard 
regulatory purposes. Such facilities would typically include 
refineries, chemical plants, factories, mills, power plants, smelting 
operations, or recreational boat marinas. As discussed above, we are 
also considering allowing multiple risk group designations within one 
facility, to account for situations where one portion of a facility 
handles dangerous cargoes and another portion does not. Owners and 
operators should comply with TWIC reader requirements in a manner that 
considers the specific nature of their facilities and their access 
points, and they may take advantage of regulatory provisions that would 
minimize the impact on operations.
10. Recurring Unescorted Access
    Numerous commenters generally supported the ANPRM's provision

[[Page 17804]]

regarding RUA as a means of providing relief to owners and operators 
otherwise required to use TWIC readers. Many of these commenters 
expressed differing opinions regarding the proposed cutoff number of 
14. Six commenters stated that 14 is an appropriate cutoff number. More 
than 25 commenters felt that the cutoff number should be higher. One 
commenter felt that the cutoff number should be lower. Several 
commenters argued that 14 is an arbitrary cutoff number, though they 
offered no rationale or alternative cutoff number. Five commenters 
suggested that the cutoff number should be approved by the COTP on a 
case-by-case basis, considering factors such as an entity's size and 
whether a vessel operates with multiple crews.
    Several commenters requested clarification regarding whether an 
entity could grant RUA privileges to contractors, vendors, and other 
frequent visitors.
    Approximately eight commenters opposed the ANPRM's RUA proposal, 
suggesting instead that we should simply exempt all vessels with fewer 
than 14 TWIC-holders on board from TWIC reader requirements. One 
commenter noted that such an exemption would fall squarely within the 
SAFE Port Act's provision that prohibits requiring TWIC readers on 
vessels that the Secretary has determined do not have the requisite 
number of TWIC-holders as crewmembers.\55\
---------------------------------------------------------------------------

    \55\ 46 U.S.C. 70105(m)(1).
---------------------------------------------------------------------------

    Two commenters argued that RUA would compromise security by 
granting unescorted access to secure areas without requiring 
individuals to undergo screening using a TWIC reader.
    One commenter felt the phrase ``recurring unescorted access'' could 
be misinterpreted to mean that an individual may require an escort to 
access a secure area, even if the individual is a TWIC-holder.
    Several commenters opposed a requirement to perform the initial 
biometric scan using a TWIC reader on TWIC-holders granted RUA. Their 
rationale was that TSA already performs reliable biometric identity 
verification prior to the issuance of each individual's TWIC. Some 
commenters also raised concerns of potential fraud that could arise if, 
as suggested in the ANPRM, an owner or operator pursued an agreement 
with a facility or other company to borrow or otherwise have access to 
a TWIC reader in order to perform the one-time initial biometric 
verification.
    One commenter felt that the proposed initial biometric scan 
requirement would be appropriate. Another commenter felt that owners 
and operators should be required to perform an electronic biometric 
scan using a TWIC reader at the beginning of each shift for each TWIC-
holder granted RUA.
    Three commenters argued that owners and operators granting RUA 
privileges should not be required to purchase a TWIC reader to perform 
initial biometric scans on RUA grantees. Two commenters suggested that 
an Internet-based system would provide the most practical method for 
keeping track of RUA grantees.
    One commenter called attention to the fact that employee records 
regarding individuals granted RUA would be kept by the employer, not 
the Coast Guard or TSA.
    After considering the comments and further analysis discussed below 
in Section IV., ``Section-by-Section Description of Proposed Rule,'' we 
have removed from this NPRM the RUA provisions proposed in the ANPRM. 
RUA was previously proposed to introduce flexibility and provide relief 
to vessels otherwise required to use TWIC readers, based on the 
familiarity that exists between a relatively small number of 
crewmembers. This NPRM incorporates two important proposals, however, 
that render RUA an unnecessary provision. First, unlike the ANPRM, 
which proposed TWIC reader requirements for Risk Groups A and B, this 
NPRM proposes TWIC reader requirements for Risk Group A only. Second, 
this NPRM proposes a broad exemption from TWIC reader requirements for 
all vessels with 14 or fewer TWIC-holding crewmembers. This exemption 
is based on the SAFE Port Act's provision that prohibits requiring TWIC 
readers on vessels that the Secretary has determined do not have the 
requisite number of TWIC-holders as crewmembers.\56\ These two changes 
render the need for RUA as a mechanism for regulatory relief 
unnecessary.
---------------------------------------------------------------------------

    \56\ 46 U.S.C. 70105(m)(1).
---------------------------------------------------------------------------

11. TWIC Reader Durability, Safety, Approval, Calibration, and 
Compliance
    Four commenters expressed concerns that harsh weather and other 
physical stresses on vessels and at facilities would likely cause TWIC 
readers to fail or otherwise become damaged. One commenter countered 
that TWIC readers have already been subjected to environmental testing, 
and have proven to function well in the marine environment.
    The TWIC Pilot found that at varying locations, some TWIC readers 
experienced difficulty scanning fingerprints in inclement weather. 
Certain types of TWIC readers withstood harsh weather conditions, 
whereas others were found to be sensitive to those conditions. 
Throughout the TWIC Pilot, the conditions under which TWIC readers had 
to perform were significantly more challenging than those commonly 
found at entrances to office buildings and other more controlled 
locations and environments. The TWIC Pilot, however, noted that most of 
the challenges associated with weather can be overcome with proper 
planning that takes environmental conditions into consideration.\57\
---------------------------------------------------------------------------

    \57\ See page vii of the TWIC Pilot Report. (A copy of the TWIC 
Pilot Report is available for viewing in the public docket for this 
rulemaking.)
---------------------------------------------------------------------------

    One commenter requested that we consider the safety concerns of 
using TWIC readers in areas where flammable materials are stored or 
transferred. We agree that safety concerns are of the utmost 
importance, and expect that owners and operators who carry or handle 
flammable materials would comply with applicable TWIC reader 
requirements in a manner that does not compromise safety.
    One commenter stated that TWIC readers must be able to process 
biometric scans in 3 seconds or less in order to minimize the impact of 
TWIC reader requirements at facilities with large numbers of entrants. 
Several commenters stated that we should establish a minimum standard 
for errors in connection with TWIC reader technology. We have passed 
these comments to TSA for consideration in future planning. TSA has 
established the TWIC reader specifications and Qualified Technology 
List process (described later in this section) to validate that TWIC 
readers meet the specifications. In addition, TSA is conducting a card 
error/failure analysis to identify and address TWIC reader and card 
failures. There is additional information on TWIC reader throughput in 
the TWIC Pilot report, which is available in the public docket for this 
rulemaking.
    As discussed in the ANPRM, TWIC readers are considered ``security 
systems and equipment,'' and therefore, existing regulatory provisions 
applicable to security systems and equipment maintenance would require 
that TWIC readers be inspected, tested, calibrated, and maintained in 
accordance with the manufacturers'

[[Page 17805]]

recommendations.\58\ Additionally, records of such actions would be 
required to be maintained for at least 2 years and made available to 
the Coast Guard upon request.\59\ The ANPRM sought public comment on 
whether TWIC readers should also be subject to additional Coast Guard 
inspections and/or third party audits to further ensure that TWIC 
readers are maintained in proper working order.
---------------------------------------------------------------------------

    \58\ See 33 CFR 104.260 and 105.250.
    \59\ See 33 CFR 104.235 and 105.225.
---------------------------------------------------------------------------

    Two commenters favored both additional Coast Guard inspections and 
third-party audits to check that TWIC readers are maintained in proper 
working order. Ten commenters opposed third-party audits, and suggested 
that the Coast Guard should conduct compliance inspections. Six 
commenters favored neither Coast Guard inspections nor third-party 
audits, arguing that owners and operators are already required to 
maintain security equipment maintenance logs, which can be reviewed by 
the Coast Guard to make compliance determinations. We note that 33 CFR 
104.260 and 105.250 already require security systems (which would 
include TWIC readers) to be in good working order and inspected, 
tested, calibrated, and maintained according to the manufacturer's 
recommendation. These existing regulatory provisions also require 
owners and operators to maintain records of the results of such testing 
for 2 years. Additionally, Coast Guard field inspectors would inspect 
TWIC reader functionality as part of regularly occurring inspections. 
We agree with the majority of commenters above that appreciable value 
would not be added by requiring additional Coast Guard inspections and/
or third party audits beyond the existing provisions on security 
systems and equipment maintenance. Therefore, this NPRM does not 
propose additional Coast Guard inspections and/or third party audits.
    One commenter generally requested guidance regarding how owners and 
operators may voluntarily use TWIC readers before we publish a TWIC 
reader final rule. On March 15, 2011, we published a notice announcing 
the availability of Policy Advisory Council Decision (PAC-D) 01-11, 
``Voluntary Use of TWIC Readers,'' \60\ providing guidance on how 
owners and operators may use TWIC readers to meet existing regulatory 
requirements. Navigation and Vessel Inspection Circular (NVIC) 03-07 
\61\ provides additional guidance to the public on this issue.
---------------------------------------------------------------------------

    \60\ Policy Advisory Council Decision 01-11, ``Voluntary Use of 
TWIC Readers,'' available for viewing at https://homeport.uscg.mil/.
    \61\ See Navigation and Vessel Inspection Circular (NVIC) No. 
03-07, ``Guidance for the Implementation of the Transportation 
Worker Identification Credential (TWIC) Program in the Maritime 
Sector,'' (July 2, 2007).
---------------------------------------------------------------------------

    Five commenters requested that we immediately publish a list of 
TWIC reader specifications, or a list of acceptable TWIC reader 
vendors, so that owners and operators wishing to use Federal grant 
money to purchase equipment can do so before we publish a TWIC reader 
final rule. Another commenter cautioned that such an approach may not 
be advisable because TWIC reader technology is still evolving.
    PAC-D 01-11 provides guidance on how owners and operators of 
vessels or facilities can use TWIC readers to meet existing regulatory 
requirements for effective identity verification, card validity, and 
card authentication. A list of TWIC readers that have passed the 
Initial Capability Evaluation (ICE) Test is available at http://www.tsa.gov/assets/pdf/twic_ice_list.pdf. As stated in PAC-D 01-11, 
however, TWIC readers allowed pursuant to PAC-D 01-11 may no longer be 
valid after promulgation of a TWIC reader final rule, and DHS will not 
fund replacement TWIC readers.
    The Department of Commerce's National Institute of Standards and 
Technology (NIST) and TSA are developing TWIC reader specifications. 
TSA will establish a process to qualify TWIC readers, and will maintain 
a Qualified Technology List (QTL) of acceptable TWIC readers. We 
anticipate that there may be changes from the ICE Test list to the QTL 
list, based on final TWIC reader specifications resulting from the QTL 
process.
12. TWIC Pilot and HSI Report
    Seven commenters expressed confidence that the TWIC Pilot would 
yield important information that should inform this NPRM, including 
information regarding TWIC reader error rates, transaction times, 
durability in extreme weather conditions, and TWIC integration with an 
existing PACS. Two commenters requested that the TWIC Pilot include 
additional ports. The Merchant Marine Personnel Advisory Committee 
(MERPAC) recommended that the TWIC Pilot should include a sufficient 
number of vessels in appropriately diverse operating areas to test TWIC 
reader technology, operating conditions, and procedures.
    TSA completed data collection for the TWIC Pilot on May 31, 2011. 
The TWIC Pilot gathered data from pilot sites regarding TWIC reader 
performance and reliability as well as throughput data at vehicle and 
pedestrian access points, which was instrumental in evaluating the 
impact of TWIC reader use on vessel and facility operations. Although 
the SAFE Port Act required the pilot program to take place at not fewer 
than five distinct geographic locations, the program actually took 
place in seven geographic locations to allow for the evaluation of TWIC 
reader functionality and impacts across a variety of environmental and 
operational conditions. The TWIC Pilot report provides a list of the 
TWIC Pilot participants.
    Two commenters urged us to consider the final HSI Report in 
crafting the NPRM. We acknowledge that the HSI Report has provided 
useful insights and information that have informed the proposals in 
this NPRM.
    A summary of both the TWIC Pilot and HSI Report recommendations are 
provided below in Sections III.F. ``TWIC Reader Pilot Program'' and 
III.G., ``HSI Report,'' respectively. A copy of the TWIC Pilot Report 
is available for viewing in the public docket for this rulemaking. A 
non-SSI version of the HSI Report is available for viewing in the 
public docket for this rulemaking.
13. Security Plan Amendment
    Two commenters requested that the revisions to security plans 
resulting from this NPRM should be as minimal as possible. We believe 
the proposals in this NPRM are consistent with that request.
    Six commenters generally supported the ANPRM's proposal to require 
amendments to security plans within 6 months after we publish a final 
TWIC reader rule. Three commenters felt that the ANPRM's proposed 
deadline of 6 months is too short. One commenter requested a 9-month 
deadline. Five commenters requested at least a 1-year deadline. One 
commenter suggested staggered deadlines of 24 months, 18 months, and 12 
months for Risk Groups A, B, and C, respectively. Six commenters 
requested staggered deadlines based on the expiration dates of existing 
security plans. Two commenters suggested that each security plan 
amendment deadline should be determined on a case-by-case basis. 
Another commenter suggested that requirements to amend security plans 
should apply once we have classified each vessel and facility into its 
risk group.
    In light of the comments and further analysis, this NPRM would 
extend the proposed deadline for security plan updates. Owners and 
operators would

[[Page 17806]]

be required to amend security plans to include TWIC requirements within 
2 years after publication of the final rule in the Federal Register.
    One commenter suggested that amended security plans should be 
reviewed by the Coast Guard before owners and operators are required to 
invest resources into TWIC-related expenditures. We encourage owners 
and operators to work with the Coast Guard, as needed, to prepare 
security plans that comply with regulatory requirements. We do not 
believe, however, that it is necessary to create a formal coordination 
process in which the Coast Guard would review amended security plans 
separate from what already exists.
14. Recordkeeping
    The ANPRM proposed a requirement on owners and operators using TWIC 
readers to maintain records on each individual granted unescorted 
access to a secure area. Owners and operators would be required to 
maintain such records for a period of 2 years. Five commenters argued 
that owners and operators should not be required to check the TWICs of 
individuals leaving a vessel or facility. This is consistent with the 
ANPRM's approach, and we propose it in this NPRM as well.
    One commenter considered the ANPRM's proposed 2-year record 
retention requirement to be reasonable. Other commenters believed 2 
years is longer than necessary for record retention, and suggested 
alternative durations ranging from 30 days to 1 year. Fifteen 
commenters opposed a 2-year record retention requirement altogether, 
arguing that the costs would outweigh the benefits to law enforcement. 
One commenter opposed recordkeeping requirements for Risk Group C.
    We believe TWIC reader records can prove useful to law enforcement 
without imposing an undue burden on the regulated population. The 2-
year timeframe for record retention was designed, in part, for 
consistency with existing security-related and other recordkeeping 
requirements applicable to vessels and facilities.\62\ A uniform 
timeframe for recordkeeping requirements provides the public with a 
consistent and predictable standard.
---------------------------------------------------------------------------

    \62\ 33 CFR 104.235; 33 CFR 105.225.
---------------------------------------------------------------------------

    Two commenters stated that MTSA does not require the Secretary to 
impose recordkeeping requirements. We agree with this comment. With 
respect to TWIC, MTSA requires the Secretary to prescribe regulations 
to prevent an individual from entering secure areas of vessels and 
facilities unless the individual is so authorized and either possesses 
a TWIC or is escorted by someone who possesses a TWIC.\63\ Thus, while 
MTSA does not specifically require the Secretary to impose 
recordkeeping requirements, such requirements are within the 
Secretary's authority, and they are an important part of the set of 
regulations designed to prevent unauthorized access to the secure areas 
of the nation's transportation system. For example, in the event of a 
TSI or a security breach, records would be available to the Coast Guard 
and other law enforcement to enable them to determine who had accessed 
the vessel or facility.
---------------------------------------------------------------------------

    \63\ 46 U.S.C. 70105(a).
---------------------------------------------------------------------------

    Two commenters requested that we prescribe more detailed 
recordkeeping requirements. In contrast, one commenter requested that 
we allow individual regulated parties to determine the best method and 
manner of complying with the recordkeeping requirements. We agree with 
the latter commenter's more flexible approach.
    One commenter acknowledged that TWIC-related records could be 
useful to law enforcement, but argued that records should only be 
shared with law enforcement on a need-to-know basis. Another commenter 
suggested that records should only be kept to the extent they provide a 
homeland security-related benefit. We believe that TWIC reader 
recordkeeping requirements would prove beneficial to law enforcement in 
any number of investigations. Accordingly, this NPRM does not propose 
restrictions on how law enforcement may use those records.
    One commenter questioned whether portable TWIC readers have the 
capability to retain records for 2 years. In response to this question, 
we wish to clarify that this NPRM would not require records to be 
stored specifically in TWIC readers. Logs from TWIC readers may be 
maintained on the TWIC readers themselves or exported to other systems. 
As stated above, we are not prescribing the specific method and manner 
of complying with the proposed recordkeeping requirements.
    Four commenters expressed concerns regarding the privacy of 
personal information stored in TWIC readers. Some commenters 
highlighted concerns with respect to foreign-owned vessels and vessels 
traveling in foreign waters where equipment may be subject to seizure 
by foreign authorities. One commenter suggested that the personal 
information stored in a TWIC reader should be classified as SSI, which 
would trigger the compliance protections in 49 CFR part 1520.
    We believe that information collected by a TWIC reader needs to be 
protected. We wish to clarify that the TWIC requirements found in 33 
CFR part 104 do not apply to foreign vessels.\64\ We also wish to 
clarify that TWIC readers typically do not capture or record the name 
of the TWIC-holder. A TWIC reader only captures the TWIC-holder's name 
if it is a contact TWIC-reader (i.e., one that requires the TWIC-holder 
to insert the TWIC into a slot for direct contact between the TWIC 
reader and the chip embedded in the TWIC) and only after the TWIC-
holder has entered the PIN. This NPRM does not propose to require 
owners and operators to specifically use contact TWIC readers, nor does 
this NPRM propose any PIN requirement. Therefore, a TWIC reader will 
typically capture three pieces of information when an individual's TWIC 
is scanned: (1) FASC--N; (2) date; and (3) time. As explained above, a 
contact TWIC reader will also capture name information after the PIN 
has been entered. A PACS may also capture the name of the TWIC-holder. 
We consider a TWIC-holder's name and FASC-N to be SSI under 49 CFR 
15.5. Therefore, if that information is captured by a TWIC reader, the 
information would need to be protected in accordance with 49 CFR Part 
15, which imposes duties on ``certain covered'' persons to protect 
SSI.\65\ ``Covered persons'' include, among others: (1) Each owner, 
charterer, or operator of a vessel, including foreign vessel owners, 
charterers, and operators, required to have a security plan under 
Federal or International law; (2) each owner or operator of a maritime 
facility required to have a security plan under MTSA and each person 
who has access to SSI, as specified in 49 CFR 15.11.\66\ Furthermore, 
the International Ship and Port Facility Security Code requires a 
vessel's security plan and applicable security records to be protected 
from unauthorized access or disclosure.\67\ SSI information collected 
by a TWIC reader falls under that requirement.
---------------------------------------------------------------------------

    \64\ See 33 CFR 104.105(d).
    \65\ See 49 CFR 15.7.
    \66\ See 49 CFR 15.7.
    \67\ See International Ship and Port Facility Code, Part A, 
adopted on December 12, 2002, Sections 9.7, 9.8 and 10.4.
---------------------------------------------------------------------------

    One commenter supported the ANPRM's proposed requirement that 
owners and operators explain how they are protecting personal identity 
information stored in a separate PACS. Two commenters questioned 
whether MTSA grants the Coast Guard authority to impose such a 
requirement.
    To the extent that a PACS contains personal identity and biometric

[[Page 17807]]

information, it contains SSI, which must be protected in accordance 
with 49 CFR part 15. The Coast Guard, through delegation from the 
Secretary, has the authority to impose such recordkeeping requirements. 
Section 70124 of Title 46 U.S.C. authorizes the Secretary to issue 
regulations necessary to implement provisions of chapter 701 of Title 
46 U.S.C, and 46 U.S.C. 70103(c)(4) subjects all security plans to 
review by the Secretary. Additionally, 46 U.S.C. 71013(c)(4)(D) 
requires the periodic verification of the effectiveness of an FSP. 
Recordkeeping requirements are authorized under those statutory 
provisions.
15. Other Comments
    Seven commenters requested additional public meetings and greater 
coordination between the Coast Guard and affected industries as the 
TWIC program is implemented. Two commenters requested greater labor 
union input regarding the employee information collected and stored in 
the TWIC. One commenter requested greater Coast Guard collaboration 
with Congress, authorities from affected States, and Coast Guard 
advisory committees during the rulemaking process.
    We will hold at least one public meeting in connection with this 
rulemaking and we are considering holding additional public meetings in 
connection with this rulemaking. The details of any future public 
meeting will be published in a separate notice in the Federal Register. 
We welcome the participation and comments of all interested parties.
    Three commenters suggested that TWIC reader requirements should be 
tailored to enable integration with an existing PACS, since some owners 
and operators have invested substantial resources into existing 
systems. We agree with these commenters. In fact, data from the TWIC 
Pilot demonstrated that those pilot participants where TWIC readers 
were certified for operation with an existing PACS encountered fewer 
integration and operational and technical issues than other pilot 
participant systems. Accordingly, this NPRM proposes options for 
vessels and facilities to either use a stand-alone TWIC reader or to 
integrate TWIC into an existing PACS.
    Two commenters requested additional information regarding the 
ANPRM's reference to alternate biometrics that may be used in 
connection with TWIC. This NPRM continues to propose two alternatives 
for biometric matching. Owners and operators may: (1) Use a TWIC reader 
to match the TWIC-holder's fingerprint to one of the fingerprint 
templates stored in the TWIC; or (2) use a PACS to match the TWIC-
holder's biometric to the biometric stored in a PACS. For the latter 
option, owners and operators may use a different biometric than the 
fingerprint, such as an iris scan or hand geometry, stored in a PACS to 
be matched to the individual seeking access to secure areas. Since the 
implementation of the latter option would be unique to each vessel or 
facility, it would be impractical for us to propose a single set of 
prescriptive regulations for each owner and operator to follow. 
Instead, owners and operators would explain in their security plans the 
details of how their use of alternate biometrics performs the required 
access control functions.
    Two commenters suggested that TWIC functionality should be enhanced 
to include other biometrics in addition to fingerprints. We believe 
that to enhance the features on the TWIC so that it includes other 
biometrics in addition to fingerprints would increase the costs 
associated with the TWIC program. We do not currently have data to show 
that the benefits of such an enhancement would justify those additional 
costs. Furthermore, the only standard for a biometric that the Federal 
government has published to date is the fingerprint biometric.\68\
---------------------------------------------------------------------------

    \68\ See National Institute of Standards and Technology (NIST) 
Special Publication 800-76-1, ``Biometric Data Specification for 
Personal Identity Verification,'' (January 2007), available at 
http://csrc.nist.gov/publications/nistpubs/800-76-1/SP800-76-1_012407.pdf.
---------------------------------------------------------------------------

    One commenter suggested that the final TWIC reader rule should 
become effective only after a period of 24-36 months to enable owners 
and operators to adequately train employees and test their TWIC 
readers. We acknowledge that a period for TWIC reader training and 
testing is warranted. This NPRM proposes an effective date for 
compliance within 2 years after publication of a TWIC reader final rule 
in the Federal Register.
    One commenter requested confirmation that the regulations are 
imposing minimum requirements, and that owners and operators be given 
discretion to implement higher standards. While we have sought to 
minimize costs in this rulemaking, owners and operators may impose 
security provisions that exceed the minimum regulatory requirements.
    Three commenters suggested that vessels operating outside U.S. 
waters should not be required to use TWIC readers, citing concerns 
about disruptions at foreign ports due to the inability of foreign 
workers to access these vessels. We disagree with these comments and do 
not propose an exemption from TWIC reader requirements for vessels 
operating outside U.S. waters. Under existing regulation, all persons 
requiring unescorted access to secure areas of a MTSA-regulated vessel 
must possess a TWIC, regardless of whether the vessel is located in 
U.S. waters.\69\ For any individual without a TWIC to access secure 
areas of a MTSA-regulated vessel, the individual must be authorized to 
be there and also be escorted by a TWIC-holder.
---------------------------------------------------------------------------

    \69\ See 33 CFR 101.514.
---------------------------------------------------------------------------

    One commenter asked whether a non-U.S. citizen is eligible to 
obtain a TWIC. A list of certain non-U.S. citizens that are eligible to 
obtain a TWIC is available on TSA's Web site at http://www.tsa.gov/sites/default/files/publications/pdf/twic/immigration_status_documents.pdf.
    Some commenters requested additional guidance for situations when 
TWIC readers or communication systems malfunction. In this NPRM, we 
propose that, in the event of a TWIC reader malfunction, individuals 
can still be granted unescorted access to secure areas for a period not 
to exceed 7 days, provided that the individual has been granted such 
unescorted access in the past and is known to possess a TWIC. Owners 
and operators expecting such occurrences should provide appropriate 
contingency planning in their security plans. We request comments from 
the public regarding whether 7 days is a sufficient amount of time in 
which to expect resolution of a typical TWIC reader or communication 
systems malfunction.
    Four commenters requested further guidance with respect to how 
owners and operators would be required to process TWIC-holders with 
poor quality or no fingerprints. In such instances, we expect that the 
owner or operator would describe in their security plan the exception 
process they plan to use. The exception process may include PIN 
verification, alternative biometric verification, visual comparison of 
the digital photo stored in the TWIC to the presenter using a portable 
reader with a contact interface and releasing the photo to the reader 
screen by entering the 6-, 7-, or 8-digit PIN, or an alternative 
process proposed by the owner or operator and approved by the Coast 
Guard.
    Three commenters argued that TWIC reader requirements at rail 
entrances to facilities would be impractical. These

[[Page 17808]]

commenters cited throughput delays, increased traffic, environmental 
concerns with increased emissions, costs of TWIC readers at seldom-used 
rail entrances, and security risks when rail workers leave their 
cargoes unattended to walk to the nearest TWIC reader.
    We note that facilities could provide TWIC-holding escorts to rail 
workers, which is one way to alleviate these concerns. We also note 
that current regulations already require visual inspection of TWICs at 
rail entrances to secure areas of regulated facilities. The TWIC Pilot 
found that the increase in throughput delay resulting from a TWIC 
reader requirement is 2 seconds. Therefore, we do not believe a TWIC 
reader requirement at rail entrances to secure areas of Risk Group A 
facilities would lead to the results suggested by the commenters. While 
we seek to minimize the burdens associated with TWIC reader 
requirements, an exemption from such requirements at rail entrances 
would be inconsistent with the goal of the TWIC program to ensure that 
access to secure areas of the transportation system is limited to 
authorized individuals holding a TWIC.
    One commenter suggested that TWIC-holders on all MTSA-regulated 
vessels and facilities should be required to visually display their 
TWICs, similar to the requirement at federally regulated airports. 
Another commenter opposed such a requirement, citing concerns that this 
practice might increase the number of lost TWICs.
    In keeping with the longstanding tradition that seafarers keep 
their mariner credentials and other important documents on the bridge 
or stored in a secure place, this NPRM does not propose to require 
TWIC-holders to display their credentials at all times. Existing Coast 
Guard guidance acknowledges that such a requirement may not be 
practical in the marine environment.\70\ Owners and operators are 
permitted to collect and store all crewmember TWICs in the vessel's 
pilot house or allow for TWICs to be stored in another secure location 
on board the vessel or at the facility.
---------------------------------------------------------------------------

    \70\ See Navigation and Vessel Inspection Circular (NVIC) No. 
03-07, ``Guidance for the Implementation of the Transportation 
Worker Identification Credential (TWIC) Program in the Maritime 
Sector,'' (July 2, 2007).
---------------------------------------------------------------------------

F. TWIC Reader Pilot Program

    This section discusses the background and findings of DHS's TWIC 
Pilot on TWIC reader functionality in the maritime sector. A copy of 
the TWIC Pilot report, as well as the GAO reports discussed below, are 
available for viewing in the public docket for this rulemaking. The 
Coast Guard seeks comments on the following characterizations of the 
TWIC Pilot, the Coast Guard's conclusions from the TWIC Pilot, and how 
the Coast Guard used the findings from the TWIC Pilot to inform the 
NPRM.
1. Background
    The TWIC Pilot was established under Section 104 of the SAFE Port 
Act, and was designed to evaluate the business processes, technology, 
and operational impacts of implementing a TWIC reader system. The SAFE 
Port Act required the Secretary to conduct the TWIC Pilot at not fewer 
than five distinct geographic locations, and include vessels and 
facilities in a variety of environmental settings.\71\ DHS conducted 
the TWIC Pilot in seven geographic locations, and covered five 
participant groups: (1) Container terminals; (2) large passenger 
vessels and terminals with more than 500 passengers; (3) break-bulk 
terminals; (4) petroleum facilities; and (5) small passenger vessels, 
towboats, and other facility types. DHS managed the TWIC Pilot through 
the joint participation of TSA and the Coast Guard, with grant funding 
provided by the Federal Emergency Management Administration through the 
Port Security Grant Program.
---------------------------------------------------------------------------

    \71\ 46 U.S.C. 70105(k)(1)(B).
---------------------------------------------------------------------------

    The TWIC Pilot consisted of three phases. In Phase 1 (Initial 
Technical Testing), DHS tested TWIC readers under controlled laboratory 
conditions to verify that the TWIC readers correctly processed 
biometric information from the TWIC, and could also perform other TWIC 
verification and validation operations in maritime environments.
    In Phase 2 (Early Operational Assessment) DHS required pilot 
participants to install TWIC readers and begin using them. This phase 
allowed both TWIC-holders and security personnel to become familiar 
with TWIC readers and different operational modes. It also provided an 
opportunity to evaluate the initial technical performance of TWIC 
readers in maritime settings, and to address problems.
    Phase 3 (System Test and Evaluation) required pilot participants to 
verify the identities of individuals granted unescorted access to 
secure areas based on potential requirements as set forth in the ANPRM. 
Data collected during Phase 3 included: (1) Impacts of the biometric 
verification process on vessel and facility operations; (2) measurement 
of wait times for access to secure areas; (3) TWIC reader and 
infrastructure failures and maintenance requirements; and (4) 
implementation and operating costs.
    TSA completed data collection for the TWIC Pilot as of May 31, 
2011. The SAFE Port Act required the Secretary to `` * * * submit a 
comprehensive report to the appropriate congressional committees * * * 
that includes: (A) The findings of the pilot program with respect to 
technical and operational impacts of implementing a transportation 
security card reader system; (B) any actions that may be necessary to 
ensure that all vessels and facilities * * * are able to comply with 
[TWIC reader] regulations; and (C) an analysis of the viability of 
equipment under the extreme weather conditions of the marine 
environment.'' DHS submitted the TWIC Pilot report to Congress on 
February 27, 2012.
2. General Findings
    The TWIC Pilot noted a number of benefits associated with the use 
of TWIC readers. First, when used properly, TWIC readers provide an 
additional layer of security by reducing the risk that an unauthorized 
individual could gain access to a secure area. Owners and operators 
using TWIC readers can achieve this security risk reduction without 
significantly increasing throughput times at access points. Second, 
security is further enhanced by enabling owners and operators to assign 
access privileges to a specific, limited population of TWIC-holders. 
Finally, vessels and facilities using the TWIC as a site access token, 
in addition to as a means of identification, may benefit financially 
through the reduction of card management operational costs associated 
with identity vetting, card inventory, printing equipment, and issuance 
infrastructure.
    The TWIC Pilot also elicited a number of operational challenges and 
lessons learned. Although the TWIC Pilot provided the most complete 
information available regarding the costs associated with large-scale 
TWIC reader implementation and integration for access control 
available, we note some limitations regarding the TWIC Pilot data. We 
were not able to obtain data from a statistically representative sample 
of the affected population of MTSA-regulated vessels and facilities 
affected by this proposed rule because the TWIC Pilot was a voluntary 
program. As such, it was necessary to extrapolate the findings of the 
TWIC Pilot across the entire affected population. There were also some 
variations as to how individual pilot participants reported their data 
to TSA, which made some data manipulations

[[Page 17809]]

more difficult. Also, some of the cost reporting included costs that 
were not directly related to TWIC readers, but rather general physical 
security, and these were included in the pilot participants' cost 
estimates.
    Additionally, while not all of the TWIC Pilot participants were in 
Risk Group A, using the costs associated with TWIC reader deployment at 
facilities not in Risk Group A does not adversely affect our overall 
estimates. Potential TWIC reader implementation costs should not differ 
greatly across risk groups, as the size and geography of a facility is 
independent of its risk grouping. The key difference between the risk 
groups is the potential consequences of a TSI at a particular facility, 
not the costs associated with potential TWIC reader deployment.
    Since the passage of MTSA in 2002, the United States Government 
Accountability Office (GAO) has published a number of reports regarding 
implementation of the TWIC program, highlighting both progress and 
limitations. Copies of these reports are available for viewing on the 
GAO Web site at www.gao.gov, by clicking on the ``Reports & 
Testimonies'' tab, and using ``TWIC'' as your keyword search term, as 
well as in the docket. The GAO has conducted a review of the TWIC 
Pilot, highlighting some of the same limitations with respect to the 
quality of TWIC Pilot data we have described above. While we 
acknowledge that the TWIC Pilot contained certain data limitations, the 
TWIC Pilot provided the most detailed and wide-spread assessment of the 
impacts of deploying TWIC readers in the maritime sector to date. The 
TWIC Pilot provided useful data with respect to the costs associated 
with installing and integrating TWIC readers at facilities, as well as 
valuable TWIC-holder population data and TWIC reader failure rates, as 
experienced during the TWIC Pilot. As discussed below in Section III.H. 
``Additional Data Sources,'' we supplemented TWIC Pilot data with other 
data sources as necessary to provide the most accurate estimates for 
cost and benefit possible. In accordance with 46 U.S.C. 70105(k)(3), 
the proposals in this NPRM are consistent with the findings of the TWIC 
Pilot.
    The TWIC Pilot generally found that when TWIC readers are designed, 
installed, and operated in a manner consistent with the business 
considerations of the vessel or facility, they function properly. 
Conversely, the TWIC Pilot also noted a number of operational and 
technological difficulties that affected overall success at many pilot 
locations. The proposals in this NPRM are designed to be consistent 
with the findings of the TWIC Pilot.
3. Specific Challenges and Lessons Learned
    The TWIC Pilot noted that processing delays at access points were 
sometimes compounded by user unfamiliarity with the TWIC authentication 
process. It is important to note that when a user is properly trained 
and acclimated to interface with the TWIC reader, transaction times 
decrease considerably. In this NPRM, we have included a 2-year 
compliance deadline for TWIC reader implementation to allow adequate 
time for proper training.
    The TWIC Pilot noted that training requirements were often 
underestimated by TWIC Pilot participants. Additionally, TWIC-holders 
experienced challenges becoming familiar with different TWIC reader 
modes and processes. Switching among different TWIC reader modes 
complicated the learning process, impacting the efficiency of TWIC 
reader use. Additionally, TWIC-holders had difficulty interfacing with 
TWIC readers from multiple manufacturers with differing designs and 
user interfaces. Finally, some TWIC-holders presented the wrong finger, 
or did not hold their finger on the fingerprint sensor long enough to 
complete the transaction. These occurrences impeded operations and 
increased throughput times. In this NPRM, we have included a 2-year 
compliance deadline for TWIC reader implementation to allow adequate 
time for proper training.
    The TWIC Pilot noted certain challenges that arose when using 
portable TWIC readers. At facilities where workers are required to 
enter and exit secure areas multiple times over short periods, it was 
particularly challenging to maintain biometric checks using portable 
readers. Additionally, some portable TWIC readers malfunctioned when 
used carelessly in wet conditions not aligned with vendor guidance. In 
this NPRM, we do not specifically require the use of portable TWIC 
readers. Instead, we take a flexible approach by allowing owners and 
operators to choose the type of TWIC readers that best suit their 
operational needs.
    The TWIC Pilot noted that while some TWIC readers performed well 
throughout the TWIC Pilot, others were not as mature technologically or 
required adjustments. In one case, the TWIC readers repeatedly failed 
and had to be replaced by another vendor. We expect these challenges to 
be mitigated in the future because TSA is developing the QTL so that 
approved readers meet durability standards.
    The TWIC Pilot noted that the ability of TWIC readers to work 
properly depends, in part, on a functioning TWIC card. In response, TSA 
established an Integrated Product Team (IPT) in conjunction with DHS 
that is continuing to review the nature and prevalence of non-
functioning TWIC cards and seeking ways to resolve these technical 
issues.
    The TWIC Pilot noted TWIC reader installation delays at some 
facilities where TWIC systems integrators were unfamiliar with other 
components of multi-functional systems. In this NPRM, we have included 
a 2-year compliance deadline for TWIC reader implementation to allow 
facilities and security personnel adequate time for proper training.
    The TWIC Pilot noted challenges with respect to the registration of 
authorized TWIC-holders in a PACS. The registration process proved to 
be time-consuming. Some TWIC Pilot participants that were located 
within the same geographical region chose to operate using a regional 
registration database. This was a successful way to populate their 
various PACS. One factor that led to delays was the decision by some 
facilities to require TWIC-holders to enter their PIN as part of the 
registration process. Since many TWIC-holders rarely, if ever, used 
their PIN since activating their TWIC, some workers could not remember 
their PIN. These workers then had to visit a TWIC enrollment center to 
reset their PIN and return to the facility to complete the registration 
process. This NPRM does not propose to require facilities to register 
authorized TWIC-holders by requiring them to enter their PIN.
    The TWIC Pilot noted that some participants failed to grant TWIC-
holder rights to specific access points, which increased the number of 
invalid transactions using TWIC readers. Developing standard operating 
procedures to assign access privileges should mitigate this issue.
    The TWIC Pilot noted that TWIC reader system architecture played a 
significant role in overall technical efficiency, performance, and 
throughput times. The TWIC Pilot participant with a dedicated network 
only used by TWIC readers and PACS showed faster transaction times, 
higher validation rates, and fewer technical issues than other TWIC 
Pilot participants. System configurations that used hard wired networks 
were more efficient with respect to network speed and availability than 
wireless networks. Systems that included TWIC readers

[[Page 17810]]

within the security architecture encountered fewer operational issues. 
Finally, TWIC reader implementation costs were lower if facilities were 
able to use existing infrastructure. We encourage the regulated 
population to take note of these lessons learned. Additionally, in this 
NPRM, we take a flexible approach by allowing owners and operators to 
choose the type of TWIC readers that best suit their operational needs.
    The TWIC Pilot found that a consistent experience on the part of 
TWIC-holders and security personnel enhanced the efficiency of TWIC 
reader use. TWIC-holders who reported to the same facility on a daily 
basis had a consistent user experience and learned to interface with 
TWIC readers quickly. TWIC-holders whose work required them to access 
multiple facilities, however, experienced challenges becoming familiar 
with TWIC readers from several manufacturers with different designs and 
interfaces, as well as many site-specific business processes and 
requirements. Different TWIC reader ergonomics found at different 
access points further compounded these challenges. For example, truck 
drivers visiting several facilities encountered TWIC readers that were 
sometimes placed at awkward heights or distances, making the readers 
difficult to reach.
    The TWIC Pilot tested both fixed and portable TWIC readers in 
different modes of operation. In contactless mode, the card is scanned 
by holding it within 4 inches of the TWIC reader. In contact mode, the 
card must be inserted into a slot that allows direct contact between 
the TWIC reader and the chip embedded in the TWIC. The TWIC Pilot found 
that when contactless TWIC readers are used in a non-biometric mode to 
verify that the card is authentic, has not expired, and is not on the 
CCL, and in a manner consistent with their intended environment, access 
point throughput times were less than throughput times required to 
visually inspect TWICs. When used in non-biometric mode, however, it is 
also necessary to visually compare the photograph on the TWIC to the 
TWIC-holder. Although adding a biometric match to the above TWIC reader 
functions may take slightly longer than mere visual inspection, the 
TWIC Pilot did not find that the resulting access point throughput 
delays impacted business operations. Nonetheless, using TWIC readers in 
the biometric mode significantly increases the assurance that only 
TWIC-holders are permitted to access secure areas.
    The TWIC Pilot also found that fixed readers with both contact and 
contactless interfaces yielded a higher validation rate than fixed 
readers that only used the contactless interface to read the TWIC. A 
contact read required the TWIC to be inserted into the contact slot of 
the TWIC reader, which reduced the potential for incorrectly placing 
the TWIC, and provided an alternative to the TWIC's internal antennae.
    A successful contactless read requires the user to hold the card 
motionless on or near the surface of the TWIC reader for approximately 
2 seconds, which was not initially understood by many pilot 
participants. As a remedial measure, the posting of explanatory 
diagrams helped overcome this problem. The TWIC Pilot found that 
switching between different TWIC reader modes created a confusing 
process for TWIC-holders and had a negative impact on the efficiency of 
TWIC reader use.
    Accordingly, the proposals in this NPRM enable owners and operators 
to use fixed or portable, contact or contactless TWIC readers in a 
single mode of operation as much as possible. Each owner or operator 
would have the discretion to configure a system that best suits the 
vessel or facility.
    The TWIC Pilot found that facilities with an existing PACS that 
could be easily adapted to incorporate TWIC reader technology took less 
time to install than facilities without that existing infrastructure. 
Consistent with that finding, this NPRM allows for the integration of 
TWIC reader technology into an existing PACS.
    The TWIC Pilot found that geographic location did not affect the 
efficiency of TWIC reader functionality. The TWIC Pilot found, however, 
that at varying locations, some TWIC readers experienced difficulty 
scanning fingerprints in inclement weather. Fully encapsulated fixed 
contactless TWIC readers withstood harsh weather, whereas contact TWIC 
readers, and TWIC readers exposed to the elements were sensitive to 
inclement weather conditions. Throughout the TWIC Pilot, the conditions 
under which TWIC readers had to perform were significantly more 
challenging than those commonly found at entrances to office buildings 
and other more controlled locations and environments. The TWIC Pilot 
demonstrated that TWIC readers installed in harsh environments will 
occasionally be contaminated with debris, and a maintenance program to 
perform regular inspections and cleaning cycles is necessary. The TWIC 
Pilot noted, however, that most of the challenges associated with 
weather can be overcome with proper planning that takes environmental 
conditions into consideration. Proper planning means that a facility's 
business practices will be useful in determining which type of TWIC 
readers and accompanying infrastructure to use. For example, if an 
access point is exposed to direct sunlight, the facility can mitigate 
glare by using an awning or hood. If an access point is exposed to 
harsh weather, the facility may wish to use an encapsulated fixed TWIC 
reader or instead use a portable TWIC reader that is kept inside a 
nearby security guard booth.
    TSA is developing the QTL so that approved readers meet durability 
standards. Additionally, in this NPRM, we're proposing requirements 
that provide owners and operators the flexibility to choose the TWIC 
reader that best suits their operational needs.

G. HSI Report

    This section summarizes the analysis and recommendations provided 
by HSI after evaluating the risk-based approach that formed the basis 
of the proposals in the ANPRM. A non-SSI version of the HSI Report is 
available for viewing in the public docket for this rulemaking.
    Prior to publishing the ANPRM, we developed a risk-based approach 
based on MSRAM, to inform our proposals for more stringent TWIC reader 
requirements on higher-risk vessels and facilities. We engaged HSI to 
obtain an independent peer review of our analysis. HSI is a federally 
funded research and development center established by the Secretary, 
pursuant to Section 312 of the Homeland Security Act of 2002 (Pub. L. 
107-296). On October 21, 2008, HSI issued a final report, titled 
``Independent Verification and Validation of Development of 
Transportation Worker Identification Credential (TWIC) Reader 
Requirements'' (HSI Report). The HSI Report provided information and 
recommendations that were useful in formulating the proposals in this 
NPRM.
    The HSI Report verifies that our AHP/MSRAM analysis matches the way 
we described it, and that its findings can be reproduced. The HSI 
Report also validates that our AHP/MSRAM analysis is technically sound. 
While the HSI Report suggests that some adjustments to the results of 
our analysis might be necessary, the report concludes that our 
methodology is appropriate for establishing the risk ranking of vessels 
and facilities set forth in the ANPRM.
    The HSI Report notes that Risk Group A is well defined, but the 
distinction between Risk Groups B and C is not as clear. The HSI Report 
also notes that, while adjustments could be suggested with respect to 
the ANPRM's proposed

[[Page 17811]]

TWIC reader requirements, the overall risk-based approach to specifying 
the TWIC reader requirements is fundamentally sound. The HSI Report 
recommends that we consider further analysis of how to best group 
vessels and facilities into appropriate risk-based categories.
    Our proposals in this NPRM are consistent with the above 
conclusions and recommendations. Whereas the ANPRM proposed different 
TWIC requirements for Risk Groups B and C, this NPRM proposes the same 
TWIC requirements for both of those risk groups. We expect to continue 
analyzing the risk rankings to determine whether alternative or 
additional considerations would yield more appropriate risk groupings 
and corresponding TWIC requirements. As noted earlier, if the Coast 
Guard changes the risk groupings, it will be done through rulemaking 
and the public will have an opportunity to comment.
    The HSI Report also recommends that we consider better defining the 
concept of TWIC utility. As used in the context of the AHP/MSRAM 
analysis, TWIC utility accounts for the reduced risk to a vessel or 
facility due to TWIC implementation. The HSI Report acknowledges that a 
clearer definition of this concept may require analysis of each 
individual vessel and facility, which would substantially expand the 
scope of the process of developing TWIC reader requirements. The HSI 
Report suggests that we consider an approach that combines general 
analyses of broad risk groups with specific analyses of individual 
vessels and facilities. We are considering the feasibility of 
implementing this recommendation.
    The HSI Report recommends that we consider adding flexibility to 
TWIC reader requirements by providing a process through which owners 
and operators may seek a waiver of TWIC reader requirements based on 
the unique features of a specific vessel or facility. The rationale for 
this recommendation is that while TWIC reader requirements apply to an 
entire risk group, each risk group is comprised of a range of types of 
vessels and facilities with fundamentally different security systems. 
In response to this recommendation, we note that waiver provisions 
already exist in current 33 CFR 104.130, 105.130, and 106.125. These 
provisions enable an owner or operator to apply for a waiver of any 
requirement that the owner or operator considers unnecessary in light 
of the nature or operating conditions of a vessel or facility.
    The HSI Report recommends that we consider using dynamic 
consequence data instead of the static maximum consequence data 
currently used as part of the MSRAM analysis. The rationale for this 
recommendation is that maximum consequence would necessarily change 
depending on how vessels and facilities are used. For example, a cruise 
ship terminal would have a different maximum consequence when cruise 
ships are docked at the facility, as opposed to when the port is empty. 
We believe that, due to the amount and complexity of dynamic 
consequence data, obtaining such data would not be feasible. 
Furthermore, use of dynamic consequence data would eliminate or at 
least dramatically reduce the predictability of regulatory 
requirements, and would likely not reduce costs significantly, as most 
costs would be borne anyway. Nonetheless, we are considering the 
feasibility of implementing this recommendation.

H. Additional Data Sources

    TWIC Pilot data was supplemented with other data sources as 
necessary to provide the most accurate estimates for cost and benefit 
possible. Other data sources included the Coast Guard's Marine 
Information for Safety and Law Enforcement (MISLE) database for 
population figures, MSRAM for risk hierarchy and consequence data, the 
General Services Administration schedule for TWIC reader hardware and 
software costs, Environmental Protection Agency data for estimates for 
truck throughput, and contracted studies for general discussion points 
on access control systems. For a more detailed discussion on the use of 
this data, please refer to the ``Preliminary Regulatory Analysis and 
Initial Regulatory Flexibility Analysis,'' which is available in the 
public docket for this rulemaking. The Coast Guard seeks public comment 
on whether or not there are additional data sources that should be 
considered. If there are, please include information in your comments 
about these data sources and the reason for their relevance.

I. Advisory Committee Input

    This section discusses the input we received from advisory 
committees in connection with this rulemaking.
    The Coast Guard has a long tradition of consulting with its 
advisory committees before taking regulatory action. We acknowledge the 
benefit of consulting with advisory committees. Prior to issuing the 
ANPRM, we sent a task statement to MERPAC, NMSAC, and TSAC, asking 18 
questions related to TWIC reader requirements. This task statement is 
available for viewing in the public docket for this rulemaking. We 
accepted and incorporated a number of the advisory committee 
recommendations into the ANPRM and this NPRM. For example, we 
incorporated TSAC's recommendation to set the crew size cutoff number 
at 14 for determining when to exempt vessels from TWIC reader 
requirements as discussed more fully below in Section IV.E. ``TWIC 
Reader Exemption for Vessels With 14 or Fewer TWIC-holding 
Crewmembers.'' Both NMSAC and MERPAC recommended that we wait for 
completion of the TWIC Pilot before publishing an NPRM on TWIC reader 
requirements. MERPAC recommended against requiring owners and operators 
to verify TWIC-holder PIN information. MERPAC also recommended that low 
risk vessels and facilities should not be subject to TWIC reader 
requirements. These are some examples of the advisory committee 
recommendations we incorporated into this NPRM. We greatly appreciate 
advisory committee input into this program. Copies of each advisory 
committee's formal recommendations and responses to the task statement 
are available for viewing in the public docket for this rulemaking.

IV. Section-by-Section Description of Proposed Rule

    This section provides a discussion of the regulations we propose in 
this NPRM, which include: updated definitions relevant to this 
rulemaking; a provision on the Federalism issues associated with the 
Coast Guard's maritime security regulations; TWIC reader and inspection 
requirements for Risk Groups A, B, and C, applicable in both normal and 
special circumstances; deadlines for compliance with the proposed 
regulatory requirements; TWIC reader recordkeeping requirements; TWIC-
related risk group classifications for vessels and facilities; 
requirements for the physical placement of TWIC readers; and several 
technical amendments to the regulations.
    We note that, if finalized, the proposed regulations would be 
subject to the control and compliance measures in 33 CFR 101.410, which 
give the COTP authority to impose measures to rectify non-compliance. 
The proposed regulations would also be subject to the relevant civil 
and/or criminal penalties in 33 CFR 101.415 for violations of any 
provision in 33 CFR subchapter H.

A. Definitions

    We propose to amend 33 CFR 101.105 by adding several new defined 
terms.
    The term ``biometric match'' would mean a confirmation that: one of 
the two

[[Page 17812]]

biometric (fingerprint) templates stored in the TWIC matches the 
scanned fingerprint of the person presenting the TWIC; or the alternate 
biometric stored in a PACS matches the corresponding biometric of the 
person.
    The term ``Canceled Card List (CCL)'' would mean the list of TWIC 
Federal Agency Smart Credential-Numbers that have been invalidated or 
revoked because TSA has determined that the TWIC-holder may pose a 
security threat, or because the card has been reported lost, stolen, or 
damaged.
    The term ``card authentication'' would mean the electronic 
verification that the card presented is a valid TWIC issued by TSA.
    The term ``Card Holder Unique Identifier (CHUID)'' would mean the 
standardized data object comprised of the FASC-N, globally unique 
identifier, expiration date, and certificate used to validate the data 
integrity of other data objects on the credential.
    The term ``card validity check'' would mean the verification that a 
TWIC has not been revoked or expired.
    The term ``Mobile Offshore Drilling Unit (MODU)'' is defined by 
reference to 33 CFR 140.25.
    The term ``Offshore Supply Vessel (OSV)'' is defined by reference 
to 46 CFR 125.160.
    The term ``Physical Access Control System (PACS)'' would mean a 
system that includes devices, personnel, and policies that controls the 
access to and within a facility or vessel.
    The term ``Risk Group'' would mean the risk ranking assigned to a 
vessel, facility, or OCS facility for the purpose of TWIC requirements.
    The term ``TWIC reader'' would mean an electronic device used to 
verify and validate: the authenticity of a TWIC; the identity of the 
TWIC-holder as the legitimate bearer of the credential; that the TWIC 
is not expired; and that the TWIC is not on the CCL. The term is 
specifically defined by reference to TSA's Qualified Technology List of 
acceptable TWIC readers, because only those devices meet TSA's required 
specifications.
    We propose to amend 33 CFR 101.105 by deleting the term ``recurring 
unescorted access''. This term was included in 33 CFR 101.105 as part 
of the TWIC 1 final rule, though we determined at that time to defer 
implementing TWIC reader requirements. RUA was initially proposed to 
provide relief to owners and operators of vessels otherwise required to 
use TWIC readers, because of the familiarity that exists between a 
relatively small number of crewmembers. Two important changes in 
approach from the ANPRM to this NPRM render RUA an unnecessary 
provision. First, this NPRM proposes to exempt from TWIC reader 
requirements all vessels with 14 or fewer TWIC-holding crewmembers, 
based on the SAFE Port Act's provision that prohibits requiring TWIC 
readers on vessels that the Secretary has determined do not have the 
requisite number of TWIC-holders as crewmembers.\72\ This exemption 
provides relief equivalent to that which RUA would have provided. 
Second, whereas the ANPRM proposed to require TWIC readers for Risk 
Groups A and B, this NPRM proposes to require TWIC readers for Risk 
Group A only. This change reduces the number of vessels and facilities 
to which TWIC reader requirements would apply, and renders the need for 
RUA as a mechanism for regulatory relief unnecessary.
---------------------------------------------------------------------------

    \72\ 46 U.S.C. 70105(m)(1).
---------------------------------------------------------------------------

B. Federalism

    A Presidential Memorandum, dated May 20, 2009, entitled 
``Preemption,'' \73\ requires an agency to codify a preemption 
provision in its regulations if the agency intends to preempt State 
law. We propose to add new 33 CFR 101.112, providing a statement 
regarding the preemption principles that apply to 33 CFR subchapter H.
---------------------------------------------------------------------------

    \73\ 74 FR 24693.
---------------------------------------------------------------------------

    We believe the field-preemption Federalism principles articulated 
in United States v. Locke and Intertanko v. Locke \74\ apply to 33 CFR 
parts 101, 103, 104, and 106. Therefore, States and local governments 
are foreclosed from regulating within this field. We believe the 
Federalism principles articulated in Locke also apply to 33 CFR part 
105, at least insofar as a State or local law or regulation applicable 
to MTSA-regulated facilities for the purpose of their protection, would 
conflict with a Federal regulation (i.e., it would either actually 
conflict or would frustrate an overriding Federal need for uniformity).
---------------------------------------------------------------------------

    \74\ 529 U.S. 89, 120 S.Ct. 1135 (March 6, 2000).
---------------------------------------------------------------------------

C. Additional Persons Required To Obtain TWICs

    This NPRM withdraws the ANPRM's proposal to include non-
credentialed individuals engaged on towing vessels not regulated under 
33 CFR part 104 among the list of mariners required to possess a TWIC. 
We seek public comment on the number of vessels pilots without a 
Federal license, and whether a specific provision to include them in 
the regulatory requirement to obtain a TWIC is necessary.
    In the ANPRM, we proposed to explicitly require non-Federally 
licensed vessel pilots and non-credentialed individuals engaged on 
towing vessels not regulated under 33 CFR part 104 to possess a TWIC. 
The purpose of this proposal was to update the regulations to more 
thoroughly incorporate the list of individuals required by 46 U.S.C. 
70105(b) to possess a TWIC.
    Subsequent developments have caused us to withdraw part of the 
ANPRM's proposal. Section 809 of the CGAA 2010 authorized the Secretary 
to exempt any credentialed mariner who is not granted unescorted access 
to secure areas of a vessel from the requirement to possess a TWIC. On 
December 19, 2011, the Coast Guard's Office of Vessel Activities (CG-
543) published Policy Letter No. 11-15,\75\ describing both policy and 
forthcoming regulatory solutions that we are undertaking to implement 
Section 809. Policy Letter No. 11-15 contains exemptions for certain 
mariners from the requirement to obtain or hold a TWIC. Exempt mariners 
would include mariners not operating under the authority of a 
credential and mariners serving on a vessel not required to have a 
Vessel Security Plan. These are mariners that the ANPRM's proposal 
would have explicitly included among the list of mariners required to 
obtain a TWIC.
---------------------------------------------------------------------------

    \75\ CG-543 Policy Letter No. 11-15, ``Processing of Merchant 
Mariner Credentials (MMC) For Mariners Not Requiring a 
Transportation Worker Identification Credential,'' available for 
viewing at https://homeport.uscg.mil/.
---------------------------------------------------------------------------

    In light of Section 809 and related Coast Guard regulatory action, 
this NPRM withdraws the ANPRM's proposal to include non-credentialed 
individuals engaged on towing vessels not regulated under 33 CFR part 
104 among the list of mariners required to possess a TWIC. 
Additionally, while there may be some vessel pilots that do not hold 
Federal licenses, we have not determined whether there is a population 
of State-licensed vessel pilots that are not otherwise required to 
obtain a TWIC because they access secure areas of MTSA-regulated 
vessels. We seek public comment on this subject, and whether a specific 
provision to include them in the regulatory requirement to obtain a 
TWIC is necessary. If there is a population of State-licensed vessel 
pilots not covered under the current regulatory requirement to obtain a 
TWIC, we intend to revise 33 CFR 101.514 to cover that population.

[[Page 17813]]

D. TWIC Reader Requirements for Risk Group A

    We propose to add new 33 CFR 101.520 that sets forth the TWIC 
reader requirements for Risk Group A. We have determined that owners 
and operators of vessels or facilities in Risk Group A should be 
required to implement the TWIC's most protective measures using a TWIC 
reader or TWIC-integrated PACS.
    At MARSEC Level 1, all persons seeking unescorted access to secure 
areas would be required to present a TWIC and fingerprint for biometric 
identity verification, card authentication, and card validity check. 
The owner or operator would be required to perform the card validity 
check based on CCL information no more than 7 days old. The owner or 
operator may perform these functions using a TWIC reader or a TWIC-
integrated PACS. If using a PACS, biometrics other than fingerprints 
may be used to perform the identity verification, provided that the 
owner or operator links the person, the TWIC, and the alternate 
biometric in the PACS. To do this, the owner or operator would be 
required to perform a one-time biometric match and card authentication 
using a TWIC reader. Owners or operators would be required to explain 
in their security plans how the PACS performs the required security 
functions and how the SSI captured by the PACS is protected.
    At MARSEC Level 2, the same procedures would apply as those at 
MARSEC Level 1, except that the owner or operator would be required to 
perform the card validity check based on CCL information no more than 1 
day old. The heightened security threats present at elevated MARSEC 
Levels justify this additional requirement.
    We propose two additional provisions in 33 CFR 101.520 to ensure 
that CCL information is updated and used appropriately. First, owners 
and operators would be required to update CCL information within 12 
hours of any increase in MARSEC Level, regardless of when the CCL 
information was last updated. Second, owners and operators would be 
required to use the most recently obtained CCL information when 
conducting card validity checks.
    Finally, we propose a provision in 33 CFR 101.520 that would 
authorize the COTP to temporarily suspend TWIC reader requirements at a 
facility if the COTP determines that such requirements are causing 
delays resulting in excessive vehicle build-up or other unintended 
consequence. A facility owner or operator could contact the COTP 
seeking such a determination. During the period of any such suspension, 
the owner or operator would be required to perform visual TWIC 
inspections for identity verification, card authentication, and card 
validation.

E. TWIC Reader Exemption for Vessels With 14 or Fewer TWIC-Holding 
Crewmembers

    We propose to add new 33 CFR 101.520(e), exempting all vessels with 
14 or fewer TWIC-holding crewmembers from TWIC reader requirements. The 
statutory basis for this exemption is the SAFE Port Act provision that 
prohibits the Secretary from requiring TWIC readers on a vessel unless 
the vessel has more individuals on the crew required to have a TWIC 
than the number the Secretary determines warrants such a reader.\76\ 
The underlying rationale for this exemption is that vessels with a 
small enough number of TWIC-holders on board have a reduced TSI 
vulnerability from unauthorized access because the small number of 
crewmembers are easily recognizable and known to one another. We 
propose 14 as the cutoff number based on a recommendation from TSAC. 
According to TSAC, vessels with 14 or fewer crewmembers have a reduced 
vulnerability because the individuals are all ``known'' to one another. 
The number was developed by taking into account the fact that for a 
small vessel, such as a towing vessel or offshore supply vessel, the 
crew would typically include up to one Master, one Chief Engineer, and 
three four-person crews who rotate through watch shifts.
---------------------------------------------------------------------------

    \76\ 46 U.S.C. 70105(m).
---------------------------------------------------------------------------

    We seek public comment on this proposal to exempt all vessels with 
14 or fewer TWIC-holding crewmembers from TWIC reader requirements, 
including whether 14 is an appropriate cut-off number. We request that 
commenters please explain and provide available data to support their 
comments.
    We recognize that, particularly for smaller vessels such as towing 
vessels, the value of electronic identity verification is less than it 
is for facilities, which generally interact with greater numbers of 
vendors, visitors, and facility employees. For this reason, and because 
TWIC readers are only proposed for Risk Group A, we believe it is 
neither appropriate nor necessary to exempt facilities with 14 or fewer 
TWIC-holders from TWIC reader requirements.

F. TWIC Inspection Requirements for Risk Groups B and C

    We propose to add new 33 CFR 101.525 and 101.530 that set forth the 
TWIC visual inspection requirements for Risk Groups B and C, 
respectively. In this NPRM, we are not proposing TWIC reader 
requirements for vessels and facilities in Risk Groups B and C. We 
believe the overall approach in this proposed rule would implement the 
TWIC reader program in a targeted manner that enhances the security of 
MTSA-regulated vessels and facilities without imposing undue burdens. 
We request public comment on this determination.
    At all MARSEC Levels, all persons seeking unescorted access to 
secure areas of vessels or facilities in Risk Groups B or C would be 
required to present a TWIC for visual identity verification, card 
authentication, and card validity check, prior to each entry. An owner 
or operator would perform identity verification by visually matching 
the photograph on the TWIC to the individual presenting it. An owner or 
operator would verify TWIC authenticity by visually checking its 
security features to determine whether it has been tampered with or 
forged. An owner or operator would validate the TWIC by visually 
checking the expiration date on the face of the TWIC to determine 
whether it has expired. Owners and operators of vessels or facilities 
in Risk Groups B and C would not be required to check TWICs against the 
CCL.
    As discussed above in Sections II. and III. above, we are 
considering a phased approach to implementing TWIC reader requirements 
by proposing such requirements first for vessels and facilities in Risk 
Group A, where the risk of harm is greatest. We have estimated that for 
Risk Group A, the ratio of annualized cost of TWIC reader requirements 
to average consequence figures (the monetized costs of fatalities and 
injuries resulting from a TSI) warrants the TWIC reader requirements 
proposed in this NPRM. For Risk Group B, we believe the estimated ratio 
of annualized cost of TWIC reader requirements to average consequence 
figures supports our phased approach. We will continue to analyze risk 
data and consider whether additional or modified TWIC reader 
requirements would be warranted in the future. For a more detailed 
discussion of the costs and benefits of the proposals in this NPRM, 
please refer to Section V., ``Regulatory Analyses'' below.
    The proposed TWIC inspection requirements in 33 CFR 101.525 and

[[Page 17814]]

101.530 would be minimum requirements. We have included proposed 
regulatory provisions stating that owners and operators would have the 
discretion to impose access control measures that are stricter than the 
minimum regulatory requirements.
    Although this NPRM proposes the same substantive TWIC inspection 
requirements for Risk Groups B and C, these requirements appear in 
separate sections because we are continuing to gather data and analyze 
whether different requirements would be appropriate for these risk 
groups. Any such modifications would be proposed in a separate 
rulemaking document, with the opportunity provided for public comment.

G. TWIC Inspection Requirements in Special Circumstances

    We propose to add new 33 CFR 101.535 that sets forth TWIC 
inspection requirements in special circumstances. These provisions are 
designed to provide an appropriate level of flexibility in the TWIC 
reader and inspection requirements when special circumstances arise.
    If an individual is unable to present a TWIC because it has been 
lost, damaged, or stolen, and the individual has previously been 
granted unescorted access to secure areas and is known to have 
previously possessed a TWIC, an owner or operator would be permitted to 
grant the individual unescorted access to secure areas for a period of 
no longer than 7 consecutive days, provided that the following 
conditions are met: (1) The individual has reported the TWIC as lost, 
damaged, or stolen to TSA as required in 49 CFR 1572.19(f); (2) the 
individual presents another identification credential that meets the 
requirements of 33 CFR 101.515; and (3) there are no other suspicious 
circumstances associated with the individual's claim of loss or theft. 
With the exception of these individuals, all others who are granted 
unescorted access to secure areas would be required to produce their 
TWIC upon request from TSA, the Coast Guard, any other authorized DHS 
representative, or a law enforcement officer.
    If an individual cannot present a TWIC for any reason other than 
those outlined in the immediately preceding paragraph, the individual 
may not be granted unescorted access to secure areas. In order to 
access secure areas, the individual would need to be escorted by a 
TWIC-holder authorized to be in the secure area.
    In some instances, when an individual has poor quality 
fingerprints, a TWIC reader may not be able to consistently perform the 
biometric identity verification function. Also, a small number of TWICs 
will be issued that contain either poor quality fingerprint templates, 
mostly due to badly damaged fingers, or no fingerprint minutiae, in the 
case of amputations. We expect owners and operators to describe the 
exception handling process to be used in such cases in their security 
plans. The exception handling process may include granting unescorted 
access after the individual has successfully provided a PIN. 
Alternatively, an owner or operator may require the individual to 
present an alternative biometric, such as a retina scan or other 
biometric that has been incorporated into a PACS.\77\
---------------------------------------------------------------------------

    \77\ Section 814 of the CGAA 2010 allows the Secretary to use a 
secondary authentication system to verify the identification of 
individuals using TWIC when the individual's fingerprints are not 
able to be taken or read.
---------------------------------------------------------------------------

    If a TWIC reader malfunctions, an owner or operator would still be 
permitted to grant the individual unescorted access to secure areas, 
provided that certain conditions are met. First, the individual would 
be required to have previously been granted unescorted access to secure 
areas in the past, and the individual would be required to be known to 
have a TWIC. Second, the owner or operator would be required to perform 
identity verification, card validation and card authentication by 
visual inspection. An owner or operator may rely on this alternative 
for a period of 7 calendar days while the TWIC reader malfunction is 
corrected.
    TWIC requirements in 33 CFR 104.265, 105.255, and 106.260 currently 
contain provisions regarding disciplinary measures to prevent fraud and 
abuse, coordination of access control with other vessels and 
conveyances, and security plan requirements. We propose to relocate 
those provisions to 33 CFR 101.535(f)-(h).

H. Compliance Deadlines

    We propose to amend 33 CFR 104.115 and 105.115 to set forth the 
required compliance deadlines with respect to TWIC reader requirements. 
Within 2 years after publication of the TWIC reader final rule, owners 
and operators would be required to be operating in accordance with the 
requirements contained in that final rule. Also, within 2 years after 
publication of the TWIC reader final rule, owners and operators would 
have to amend their security plans to indicate how they implement the 
TWIC reader requirements contained in the applicable sections of 33 CFR 
parts 101, 104, and 105.
    In the ANPRM, we were not proposing to amend the section on ASPs to 
require amendments within 2 years of the final rule. Instead, in the 
ANPRM, we said we would exercise our authority under 33 CFR 
101.120(d)(1)(ii) to require those entities using ASPs to amend them to 
incorporate TWIC requirements. For the purpose of consistency with the 
other vessels and facilities subject to 33 CFR parts 104, 105, and 106, 
this NPRM eliminates the ANPRM's proposed approach to treat entities 
with approved ASPs differently. Accordingly, this NPRM proposes to 
require entities to update their ASPs in the same manner and on the 
same schedule as the other vessels and facilities subject to 33 CFR 
parts 104, 105, and 106.
    We recognize that in addition to this NPRM, there are a number of 
ongoing Coast Guard rulemakings (e.g., Updates to 33 CFR Subchapter H: 
Maritime Security (RIN 1625-AB30) and Consolidated Cruise Ship Security 
Measures (RIN 1625-AB38)) that could affect vessel, facility, and OCS 
facility security plans in the near future. In 2011, a majority of 
facilities that would be subject to these proposed requirements already 
updated and submitted for approval security plans in accordance with 33 
CFR subchapter H. If each of the ongoing rulemaking projects required 
an update to security plans, there could be a significant increase in 
workload for owners and operators, as well as at the Coast Guard Marine 
Safety Center, Districts, and Sectors. We are currently examining 
several options to coordinate the rulemakings and manage the plan 
submission and re-approval process to ensure that plan changes occur 
only as often as necessary to incorporate any new regulatory 
requirements. While this NPRM proposes a 2-year deadline for updated 
security plans, we invite comments or suggestions from the public on 
how to streamline and reduce the level of effort for all stakeholders.

I. Recordkeeping

    We propose to amend 33 CFR 104.235 and 105.225 to set forth TWIC 
reader recordkeeping requirements. These recordkeeping requirements 
would apply when TWIC readers are used, and not in the special 
circumstances described in the proposed regulations when the owner or 
operator is permitted to rely on visual TWIC inspection. Owners and 
operators using TWIC readers, with or without a PACS, would be required 
to maintain certain records for at least 2 years. During that time, 
owners and operators would be required to make those records available 
to the

[[Page 17815]]

Coast Guard upon request. Those records include, with respect to each 
individual granted unescorted access to a secure area: (1) FASC-N; (2) 
date that access was granted; (3) time that access was granted; and (4) 
if captured, the name of the individual to whom access was granted. If 
a TWIC reader or PACS captures the required data when the TWIC is 
scanned, and can retain and reproduce that data, the recordkeeping 
requirement would be met. Owners and operators would be required to 
also maintain records to demonstrate that they have performed the 
required card validity check using the CCL on each individual. Finally, 
we propose to include a regulatory provision indicating that TWIC 
reader records are SSI, and would be required to be protected in 
accordance with 49 CFR part 1520.

J. Risk Group Classifications

    We propose to add new 33 CFR 104.263, 105.253, and 106.258 to set 
forth the risk group classifications for vessels and facilities. The 
risk group classifications proposed in the NPRM are the same as those 
proposed in the ANPRM, with minor technical changes, as follows:
    For vessels subject to 33 CFR part 104, this NPRM proposes the 
following risk group classifications:
    Risk Group A
    (1) Vessels that carry Certain Dangerous Cargoes (CDC) in bulk.
    (2) Vessels certificated to carry more than 1,000 passengers.
    (3) Towing vessels engaged in towing a barge or barges subject to 
(1) of this section or vessels subject to (2) of this section.
Risk Group B
    (1) Vessels that carry hazardous materials other than CDC in bulk.
    (2) Vessels subject to 46 CFR chapter I, subchapter D, that carry 
any flammable or combustible liquid cargoes or residues.
    (3) Vessels certificated to carry 500 to 1,000 passengers.
    (4) Towing vessels engaged in towing a barge or barges subject to 
(1), (2), or vessels subject to (3) of this section.
Risk Group C
    (1) Vessels carrying non-hazardous cargoes that are required to 
have a vessel security plan (VSP).
    (2) Vessels certificated to carry less than 500 passengers.
    (3) Towing vessels engaged in towing a barge or barges subject to 
(1) of this section or vessels subject to (2) of this section.
    (4) Mobile Offshore Drilling Units (MODUs).
    (5) Offshore Supply Vessels (OSVs) subject to 46 CFR chapter I, 
subchapter L or I.
    For facilities subject to 33 CFR part 105, this NPRM proposes the 
following risk group classifications:
Risk Group A
    (1) Facilities that handle Certain Dangerous Cargoes (CDC) in bulk.
    (2) Facilities that receive vessels certificated to carry more than 
1,000 passengers.
    (3) Barge fleeting facilities that receive barges carrying CDC in 
bulk.
Risk Group B
    (1) Facilities that receive vessels that carry hazardous materials 
other than CDC in bulk.
    (2) Facilities that receive vessels subject to 46 CFR chapter I, 
subchapter D, that carry any flammable or combustible liquid cargoes or 
residues.
    (3) Facilities that receive vessels certificated to carry 500 to 
1,000 passengers.
    (4) Facilities that receive towing vessels engaged in towing a 
barge or barges carrying hazardous materials other than CDC in bulk, 
crude oil, or towing vessels certificated to carry 500 to 1,000 
passengers.
Risk Group C
    (1) Facilities that receive vessels carrying non-hazardous cargoes 
not otherwise included in Risk Groups A or B.
    (2) Facilities that receive vessels certificated to carry less than 
500 passengers.
    (3) Facilities that receive towing vessels engaged in towing a 
barge carrying non-hazardous cargoes or less than 500 passengers.
    This NPRM proposes to classify all OCS facilities subject to 33 CFR 
part 106 into Risk Group B.
    As discussed more fully above in Section III.C., we used the AHP to 
conduct a risk-based analysis of MTSA-regulated vessels and facilities. 
We identified 68 distinct types of vessels and facilities based on 
their purpose or operational description. We then assessed each of the 
68 types of vessels and facilities using three factors: (1) Maximum 
consequences to that vessel or facility resulting from a terrorist 
attack; (2) criticality to the nation's health, economy, and national 
security; and (3) utility of the TWIC in reducing risk.
    For the first factor, we used the Coast Guard's MSRAM terrorism 
risk-analysis tool to calculate the maximum potential consequence 
resulting from the total loss of a target, factoring in injury and loss 
of life, economic and environmental impact, symbolic effect, and 
national security impact. We averaged these MSRAM consequences within 
each of the 68 types to develop a standard consequence for each type.
    For the second and third factors, we considered the impact of the 
total loss of a vessel or facility beyond the immediate local 
consequences, and the utility of the TWIC program in reducing a vessel 
or facility's vulnerability to a terrorist attack.
    Using the AHP, we combined the above three factors and developed an 
overall risk ranking of vessels and facilities by type. At the end of 
this process, types of vessels and facilities with similar scores were 
combined into one of three risk groups. This NPRM proposes to classify 
vessels and facilities into Risk Groups A, B, and C based on the AHP 
risk rankings.
    Upon further analysis of the data generated through the AHP 
process, we note that certain types of facilities currently categorized 
in Risk Group B have relatively high MSRAM consequence scores. These 
facilities include petroleum refineries,\78\ non-CDC bulk hazardous 
materials facilities, and petroleum storage facilities. Due to their 
high MSRAM consequence scores, we are considering whether TWIC reader 
requirements would be appropriate for these three types of facilities 
and to include these types of facilities into Risk Group A. Note, 
however, that despite the relatively high consequence scores for these 
three facility types, they do not handle CDC in bulk. Like all Risk 
Group B facilities, these three facility types pose less operational 
risk than Risk Group A facilities because they do not handle CDC in 
bulk. We are soliciting public comments on this issue. Specifically, we 
request public comments on whether any or all of petroleum refineries, 
non-CDC bulk hazardous materials facilities, and petroleum storage 
facilities should be categorized in Risk Group A. We also seek public 
comments on how to define these facilities for the purpose of this 
rulemaking. Please see Section V., ``Regulatory Analyses'' below for a 
discussion of the costs and benefits associated with this alternative.
---------------------------------------------------------------------------

    \78\ Note that Risk Group A, as currently proposed in the NPRM, 
captures certain petroleum refineries. In the NPRM, Risk Group A 
includes refineries that handle Certain Dangerous Cargoes (CDCs) in 
bulk or receive vessels that do the same. There are 16 such 
refineries.
---------------------------------------------------------------------------

K. Movement Between Risk Groups

    We propose to add 33 CFR 104.263(d) and 105.253(d) to address the 
movement between risk groups by vessels and

[[Page 17816]]

facilities, based on the materials they are carrying or handling, or 
the types of vessels they are receiving at any given time. These 
regulatory provisions are designed to provide flexibility to owners and 
operators of vessels and facilities that only meet the Risk Group A 
criteria on a periodic basis. These provisions are not mandatory. The 
owner or operator of such a vessel or facility could choose to maintain 
its Risk Group A status, even during those periods when the vessel or 
facility is not handling or carrying materials that meet the Risk Group 
A criteria. However an owner or operator wishing to take advantage of 
one of these provisions would be required to explain how the vessel or 
facility would move between risk groups in an amended security plan. 
The security plan would be required to account for the timing of such 
movement, as well as how the owner or operator would comply with the 
requirements of the higher- and lower-level risk groups, with 
particular attention to the security measures to be taken when moving 
from a lower-level risk group to a higher-level risk group.

L. Physical Placement of TWIC Readers

    We propose to amend 33 CFR 104.265(a)(4) by requiring a vessel 
owner or operator to place TWIC readers at the vessel's access points 
only, regardless of whether the secure area encompasses the entire 
vessel. Thus, even if the secure area does not encompass the entire 
vessel (e.g., a passenger vessel consisting of secure areas and 
passenger and employee access areas), TWIC readers would be required 
only at the points of access to the vessel itself. TWIC-holders may be 
granted unescorted access to the vessel's secure areas after the TWIC 
has been verified, validated, and authenticated at a vessel access 
point. TWIC-holders may then move from passenger/employee access areas 
to secure areas without processing through a TWIC reader each time.
    We propose to amend 33 CFR 105.255(a)(4) by requiring a facility 
owner or operator to place TWIC readers at the access points to a 
facility's secure areas. If the entire facility is designated as a 
secure area, then TWIC readers would be required only at the facility's 
access points. If the secure area does not encompass the entire 
facility, then TWIC readers would be required at access points to the 
secure areas.
    We request additional comments from the public on the proposed 
regulatory provisions regarding the placement of TWIC readers for 
vessels and facilities.

M. Technical Amendments

    We propose several technical amendments to remove references to 
dates no longer relevant and to add or change cross-references within 
the regulations to align with the proposed new or updated provisions. 
These amendments appear at 33 CFR 101.514, 101.515(d)(2), 104.105(d), 
104.115(c), 104.200(b), 104.260(d)(1), 104.265(d)(1), 104.265(e)(8), 
104.265(f)(11), 104.267(a), 104.292(b), 104.292(e), 104.405(a)-(b), 
105.110(b), 105.115(c)-(d), 105.200(b), 105.255(d)(1), 105.255(e)(8), 
105.255(f)(10), 105.257(a), 105.290(b), 105.296(a)(4), 105.405(a)-(b), 
106.110(d)-(e), 106.200(b), 106.260(d)(1), 106.260(e)(5), 
106.260(f)(9), 106.262(a), and 106.405(a)-(b).

N. Privacy

    When an individual's TWIC is scanned using a TWIC reader, the TWIC 
reader captures limited information, including the TWIC-holder's FASC-N 
as well as the date and time of the scan. The TWIC-holder's name would 
also be captured in limited circumstances, depending on the type of 
TWIC reader employed. For example, a TWIC reader only captures the 
TWIC-holder's name when operating in ``contact'' mode,\79\ and only 
after the TWIC-holder enters a 6-8 digit PIN.\80\ An integrated PACS 
may also capture the name of the TWIC-holder.
---------------------------------------------------------------------------

    \79\ ``Contact'' TWIC readers perform a scan when an individual 
inserts a TWIC into a slot to provide direct contact between the 
device and the computer chip imbedded in the TWIC.
    \80\ As discussed in this preamble, the Coast Guard has observed 
operational challenges and limited utility associated with PIN 
usage. Therefore, the proposed rule would not require owners and 
operators to check TWIC-holder PINs. Owners and operators who wish 
to enhance access control would be allowed to require workers to 
input PIN information. However, because of the noted operational 
challenges and limited utility, the Coast Guard does not expect 
widespread PIN usage. Therefore, the Coast Guard does not expect 
TWIC readers to capture name information in most instances.
---------------------------------------------------------------------------

    The proposed rule contains recordkeeping requirements for owners or 
operators using TWIC readers. Owners and operators using TWIC readers, 
with or without a PACS, would be required to maintain certain records 
for at least 2 years. During that time, owners and operators would be 
required to make those records available to the Coast Guard upon 
request. Those records include, with respect to each individual granted 
unescorted access to a secure area: (1) FASC-N; (2) date that access 
was granted; (3) time that access was granted; and (4) if captured, the 
name of the individual to whom access was granted.
    If a TWIC reader or PACS captures the required data when the TWIC 
is scanned, and can retain and reproduce that data, the recordkeeping 
requirement would be met. Owners and operators would also be required 
to maintain records to demonstrate that they have performed the 
required card validity check using the CCL on each individual. The 
proposed rule also contains a regulatory provision indicating that TWIC 
reader records are SSI, and must be protected in accordance with 49 CFR 
part 1520.\81\
---------------------------------------------------------------------------

    \81\ In accordance with 49 U.S.C. 114(s), Sensitive Security 
Information (SSI) is information obtained or developed in the 
conduct of security activities, including research and development, 
the disclosure of which TSA has determined would: (1) Constitute an 
unwarranted invasion of privacy (including, but not limited to, 
information contained in any personnel, medical, or similar file); 
(2) reveal trade secrets or privileged or confidential information 
obtained from any person; or (3) be detrimental to the security of 
transportation. Part 1520 of Title 49 of the CFR generally requires 
that SSI be properly marked and protected from unauthorized 
disclosure. Unauthorized disclosure of SSI is grounds for a civil 
penalty and other enforcement or corrective action by DHS, and 
appropriate personnel actions for Federal employees. Corrective 
action may include issuance of an order requiring retrieval of SSI 
to remedy unauthorized disclosure or an order to cease future 
unauthorized disclosure.
---------------------------------------------------------------------------

O. Public Comment

    The Coast Guard invites comments on the risk-based approach to 
categorizing facilities and vessels and the assumptions and estimates 
used in the ``Preliminary Regulatory Analysis and Initial Regulatory 
Flexibility Analysis,'' which is available in the public docket for 
this rulemaking. Specifically, the Coast Guard requests comments on the 
following:
    1. We request comments from the public on the risk-based approach 
to classifying facilities and vessels including the use of MSRAM in the 
risk-based approach.
    2. We request comments from the public regarding the incremental 
security benefits of requiring TWIC readers for higher-risk facilities 
and vessels. We request comments from the public on the security 
benefits of performing TWIC-holder identification, validation, and 
authentication via a TWIC reader instead of visual inspection.
    3. We request comments from the public regarding the expected 
lifespan and replacement cycle for TWIC readers.
    4. We request comments from owners and operators of Risk Group A 
facilities and vessels on the maintenance costs associated with the 
proposed TWIC reader requirements.
    5. We request comments from owners and operator of MTSA-regulated 
vessels

[[Page 17817]]

and facilities already using TWIC readers, and whether the proposals in 
this NPRM would require additional investments, e.g., new readers or 
supporting infrastructure?
    6. We request comments from owners and operators of MTSA-regulated 
vessels and facilities on the additional hours of TWIC reader training 
that would result from this proposed rule.
    7. We request comments from the public regarding our estimates that 
it would take 25 hours to create an addendum for each VSP and FSP.
    8. We request comments from the public on potential delays due to 
TWIC reader use and the associated cost estimates used in this proposed 
rule.
    9. We request comments from owners and operator of MTSA-regulated 
vessels and facilities already using TWIC readers on the types and 
frequency of TWIC reader failures.
    10. We request comments from the public on the expected rates at 
which TWICs will need to be replaced during implementation and all 
subsequent years.
    11. We request comments from owners and operators of Risk Group A 
vessels and facilities regarding whether they intend to require the use 
of PINs, how often will PINs be used, and in what scenarios. What 
percentage of TWIC-holders do not currently remember their PIN, and 
also how many TWIC-holders are anticipated to travel to an enrollment 
center to retrieve their PIN?
    12. We request comments from the public on the anticipated 
frequency of the use of an escort and the availability of escorts to 
provide access to secure areas in the cases of an invalid TWIC reader 
transaction.
    13. We request comments from the public on any additional costs or 
benefits to TWIC reader requirements not accounted for in this NPRM.
    14. We have clarified in the preamble to this NPRM that a facility 
that receives Risk Group A vessels would be categorized as a Risk Group 
A facility. We request additional comments from the public on specific 
scenarios that might warrant further consideration of potential 
regulatory requirements to address the interaction of vessels and 
facilities in different risk groups.
    15. We seek comments from the public on whether the additional 
flexibility of being able to modify a facility's security footprint by 
assigning different portions of the facility to different risk groups 
is necessary or appropriate. Please be as specific as possible in 
explaining how this would apply to your facility.
    16. We request comments from the public regarding practical 
scenarios in which a vessel might not be able to download necessary CCL 
updates within the prescribed frequency (weekly or daily, depending on 
MARSEC Level). Additionally, we request comments from the public 
regarding the regulatory requirements that we should put in place when 
vessels are in one of those scenarios. In those scenarios, should we 
require the use of TWIC readers for identity verification, card 
authentication, and card validity, even though the CCL might not have 
been updated within the prescribed frequency? Should we require the 
owner or operator to update the CCL at the next available opportunity? 
What other alternatives should we consider?
    17. We request comments from the public on the proposed regulatory 
provisions regarding the placement of TWIC readers for vessels and 
facilities, and how to minimize crewmembers from entering secure and/or 
restricted areas if they do not hold a TWIC.
    18. We request comments from the public regarding whether 7 days is 
a sufficient amount of time in which to expect resolution of a typical 
TWIC reader or communication systems malfunction.
    19. We request comments from the public on the proposal to exempt 
all vessels with 14 or fewer TWIC-holding crewmembers from TWIC reader 
requirements, including whether 14 is an appropriate cut-off number. 
Please explain and provide available data to support your comments.
    20. We request comments from the public on whether any or all of 
petroleum refineries, non-CDC bulk hazardous materials facilities, and 
petroleum storage facilities should be categorized in Risk Group A. We 
also request comments from the public on how to define these facilities 
for the purpose of this rulemaking.
    21. We request comments from the public on whether there is a 
population of State-licensed vessel pilots that are not otherwise 
required to obtain a TWIC because they access secure areas of MTSA-
regulated vessels.
    22. We request comments from the public on the proposal for Risk 
Group A to update CCL information at different frequencies (weekly or 
daily) depending on MARSEC Level.
    23. We request comments from the public on whether this rule may 
help to reduce criminal activity at ports and on vessels. Please 
describe any anecdotal evidence or data to support your comments.
    24. We request comments from the public on the characterizations 
and conclusions in the preamble to this NPRM of the TWIC Pilot, and how 
we used the findings from the TWIC Pilot to inform the NPRM.
    25. We request comments from the public on any other matters 
relevant to the proposals in this NPRM and whether there are additional 
data sources that we should consider. If there are, please include 
information in your comments about these data sources and the reason 
for their relevance.

V. Regulatory Analyses

    We developed this proposed rule after considering numerous statutes 
and executive orders related to rulemaking. Below we summarize our 
analyses based on 13 of these statutes or executive orders.

A. Regulatory Planning and Review

    Executive Orders 12866 (``Regulatory Planning and Review'') and 
13563 (``Improving Regulation and Regulatory Review'') direct agencies 
to assess the costs and benefits of available regulatory alternatives 
and, if regulation is necessary, to select regulatory approaches that 
maximize net benefits (including potential economic, environmental, 
public health and safety effects, distributive impacts, and equity). 
Executive Order 13563 emphasizes the importance of quantifying both 
costs and benefits, of reducing costs, of harmonizing rules, and of 
promoting flexibility. This proposed rule is a significant regulatory 
action under section 3(f) of Executive Order 12866, Regulatory Planning 
and Review. OMB has reviewed it under that Order. It requires an 
assessment of potential costs and benefits under section 6(a)(3) of 
that Order. A draft Assessment is available in the docket where 
indicated under the ``Public Participation and Request for Comments'' 
section of this preamble. A summary of the Assessment follows:
    We propose amending our regulations on certain MTSA-regulated 
vessels and facilities to include requirements for electronic TWIC 
readers to be used for access control for unescorted access to secure 
areas.
    The following table summarizes the costs and benefits of this 
proposed rule.

[[Page 17818]]



               Table 1--Summary of Costs and Benefits \82\
------------------------------------------------------------------------
             Category                               NPRM
------------------------------------------------------------------------
Applicability.....................  High-risk MTSA-regulated facilities
                                     and high risk MTSA-regulated
                                     vessels with greater than 14 TWIC-
                                     holding crew.
Affected Population...............  38 vessels.
                                    532 facilities.
Costs ($ millions, 7% discount      $26.5 (annualized).
 rate).                             $186.1 (10-year).
Costs (Qualitative)...............  Time to retrieve or replace lost
                                     PINs for use with TWICs.
Benefits (Qualitative)............  Standardization of access control
                                     and credential verification
                                     throughout industry.
                                    Enhanced access control and security
                                     at U.S. maritime facilities and
                                     onboard U.S. flagged vessels.
                                    Reduction of human error when
                                     checking identification and manning
                                     access points.
------------------------------------------------------------------------

    In this NPRM, we propose to require owners and operators of certain 
vessels and facilities regulated by the Coast Guard under 33 CFR 
Chapter I, subchapter H, to use electronic readers designed to work 
with TWIC as an access control measure. This NPRM also proposes 
additional requirements associated with electronic TWIC readers, 
including recordkeeping requirements for those owners and operators 
required to use an electronic TWIC reader, and amendments to security 
plans previously approved by the Coast Guard to incorporate TWIC 
requirements.
---------------------------------------------------------------------------

    \82\ For a more detailed discussion of costs and benefits, see 
the full Preliminary Regulatory Analysis and Initial Regulatory 
Flexibility Analysis available on the docket for this rulemaking. 
Appendix G of that document outlines the costs by provision and also 
discusses the complementary nature of the provisions and the 
subsequent difficulty in distinguishing independent benefits from 
individual provisions.
---------------------------------------------------------------------------

    The proposals in this NPRM, once final, would enhance the security 
of vessels, ports, and other facilities by ensuring that only 
individuals who hold TWICs are granted unescorted access to secure 
areas at those locations. It would also further implement the MTSA 
transportation security card requirement, as well as the SAFE Port Act 
electronic TWIC reader requirements.
    We estimate that this proposed rule would specifically affect 
owners and operators of MTSA-regulated vessels and facilities in Risk 
Group A with additional costs. As previously discussed, Risk Group A 
would consist of those vessels and facilities with highest consequence 
for a TSI. Affected facilities in Risk Group A would include: (1) 
Facilities that handle CDC in bulk; (2) Facilities that receive vessels 
certificated to carry more than 1,000 passengers; and (3) Barge 
fleeting facilities that receive barges carrying CDC in bulk. Affected 
vessels in Risk Group A would include: (1) Vessels that carry CDC in 
bulk; (2) Vessels certificated to carry more than 1,000 passengers; and 
(3) Towing vessels engaged in towing barges subject to (1) or (2). In 
addition, this proposal provides a TWIC Reader exemption for vessels 
with 14 or fewer TWIC-holding crewmembers, further reducing the number 
of affected vessels in Risk Group A.
    Based on the risk-based hierarchy described in the preamble of this 
NPRM and data from the Coast Guard's MISLE database, we estimate this 
proposed rule would affect 532 facilities and 38 vessels with 
additional costs. All of these facilities and vessels are in Risk Group 
A.
    To estimate the costs for this proposal, we use data from the TWIC 
Pilot, which was broken down by facility type, to estimate a cost per 
TWIC reader deployed for installation, integration, and PACS 
integration, where applicable. By distilling the costs from the TWIC 
Pilot down to a per TWIC reader cost by facility type, we are able to 
smooth out the varied costs in the TWIC Pilot and effectively normalize 
the TWIC Pilot costs before extrapolating out over the full affected 
population of this rulemaking.
    The primary cost driver for this proposed rule is the capital cost 
associated with the purchase and installation of TWIC readers into 
access control systems. These costs include the cost of TWIC reader 
hardware and software, as well as costs associated with the 
installation, infrastructure, and integration with a PACS. Operational 
costs associated with this rulemaking, include security plan 
amendments, recordkeeping, CCL updates, training, and system 
maintenance. We also include operational and maintenance costs, which 
we estimate to be five percent of the cost of the TWIC reader hardware 
and software and are incurred annually. Table 2 shows the 10-year 
period of analysis for the total costs by facility type. These facility 
costs do not include costs associated with delays or replacement of 
TWICs, which are discussed later. These estimates include capital 
replacement costs for TWIC reader hardware and software beginning 5 
years after implementation.

                                Table 2--10-Year Total Costs, by Facility Type *
                                                  [$ Millions]
----------------------------------------------------------------------------------------------------------------
                                        Bulk    Break bulk                 Large       Small     Mixed
                Year                   liquid   and solids   Container   passenger   passenger    use     Total
----------------------------------------------------------------------------------------------------------------
1...................................    $37.2         $2.7        $0.9       $11.3        $5.0     $5.0    $62.2
2...................................     38.1          2.8         0.9        11.6         5.2      5.2     63.8
3...................................      2.0          0.1         0.0         0.6         0.3      0.3      3.3
4...................................      2.0          0.1         0.0         0.6         0.3      0.3      3.3
5...................................      2.0          0.1         0.0         0.6         0.3      0.3      3.3
6...................................     14.1          1.0         0.3         4.3         1.9      1.9     23.6
7...................................     14.1          1.0         0.3         4.3         1.9      1.9     23.6
8...................................      2.0          0.1         0.0         0.6         0.3      0.3      3.3
9...................................      2.0          0.1         0.0         0.6         0.3      0.3      3.3

[[Page 17819]]

 
10..................................      2.0          0.1         0.0         0.6         0.3      0.3      3.3
                                     ---------------------------------------------------------------------------
    Total Undiscounted..............    115.3          8.4         2.7        35.2        15.7     15.6    193.0
                                     ---------------------------------------------------------------------------
    Total Discounted at 7%..........     94.0          6.9         2.2        28.7        12.8     12.7    157.2
                                     ---------------------------------------------------------------------------
    Total Discounted at 3%..........    105.1          7.7         2.5        32.1        14.3     14.2    175.9
----------------------------------------------------------------------------------------------------------------
Note: Numbers may not total due to rounding.
* These facilities are regulated because they handle CDC or more than 1,000 passengers. In the U.S. marine
  transportation system, facilities often handle a variety of commodities and provide a variety of commercial
  services. These facility types have different costs based on physical characteristics, such as the number of
  access points that would require TWIC readers, and other data received from the TWIC Pilot Study. See the
  Preliminary Regulatory Analysis and Initial Regulatory Flexibility Analysis for details on different facility
  types and data from the TWIC Pilot Study.

    To account for potential opportunity costs associated with the 
delays as a result of the TWIC reader requirements, we estimate a cost 
of delay associated with failed reads.\83\ We provide a range of delay 
costs based on different delays in seconds and also based on the number 
of times a TWIC-holder may have their card read on a weekly basis. By 
using a range of delay costs, we are able to account for multiple 
scenarios where an invalid TWIC reader transaction would lead to the 
use of a secondary processing operation, such as a visual inspection, 
additional identification validation, or other provisions as set forth 
in the FSP.\84\
---------------------------------------------------------------------------

    \83\ Delays may result from operational, human- or weather-
related factors.
    \84\ The Preliminary Regulatory Analysis and Initial Regulatory 
Flexibility Analysis contains a discussion of the different failure 
mode scenarios where an invalid TWIC reader transaction would lead 
to potential delays and the use of secondary processing.

                                Table 3--Cost of Delays Due to Invalid Transaction per Year, for Risk Group A Facilities
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                            1 Read per      2 Reads per     3 Reads per     4 Reads per     5 Reads per
                                                               week            week            week            week            week           Average
--------------------------------------------------------------------------------------------------------------------------------------------------------
6 Seconds...............................................         $91,244        $182,489        $273,733        $364,977        $456,221        $273,733
14 Seconds..............................................         212,903         425,807         638,710         851,613       1,064,517         638,710
30 Seconds..............................................         456,221         912,443       1,368,664       1,824,886       2,281,107       1,368,664
60 Seconds..............................................         912,443       1,824,886       2,737,328       3,649,771       4,562,214       2,737,328
120 Seconds.............................................       1,824,886       3,649,771       5,474,657       7,299,543       9,124,428       5,474,657
Average.................................................         699,539       1,399,079       2,098,618       2,798,158       3,497,697       2,098,618
--------------------------------------------------------------------------------------------------------------------------------------------------------

    For the purposes of this analysis, we used the cost of delay 
estimate of $2.1 million per year, which represents the average delay 
across all iterations of delay times and TWIC reader transactions.
    The use of TWIC readers would also increase the likelihood of 
faulty TWICs (TWICs that are not machine readable) being identified and 
the need for secondary screening procedures so affected workers and 
operators can address these issues.\85\ If a TWIC-holder's card is 
faulty and cannot be read, the TWIC-holder would need to travel to a 
TWIC Enrollment Center to get a replacement TWIC, which results in 
additional travel and replacement costs. To account for this, we 
estimate a cost for a percentage of TWIC-holders to obtain replacement 
TWICs.
---------------------------------------------------------------------------

    \85\ Although current regulations require that TWICs be valid 
and readable upon request by DHS or law enforcement personnel, we 
anticipate that widespread use of TWIC readers will initially 
identify more unreadable cards. However, we expect the regular use 
of TWIC readers to ultimately serve to enhance compliance with 
current TWIC card validity and readability requirements.
---------------------------------------------------------------------------

    Based on information from the TWIC Pilot, we estimate that 
approximately five percent of TWIC-holders associated with Risk Group A 
would need to replace TWICs that cannot be read. We estimate that this 
would cost approximately $262.37 per TWIC-holder to travel to a TWIC 
Enrollment center and get a replacement TWIC.\86\ Overall, we estimate 
that TWIC replacement would cost approximately $1.9 million per year 
for TWIC transactions involving Risk Group A facilities. We assume this 
is an annual cost, though we anticipate that the rate of TWIC 
replacements will decrease as TWIC reader use increases, since the 
number of unreadable TWICs initially identified will decrease as the 
regular use of TWIC readers will serve to enhance TWIC validity and 
readability.
---------------------------------------------------------------------------

    \86\ This cost is explained in greater detail in the Preliminary 
Regulatory Analysis and Initial Regulatory Flexibility Analysis. It 
includes an estimated $202.37 for the average TWIC-holder to travel 
to a TWIC Enrollment Center, cost to be away from work, wait time at 
the Enrollment Center, and the $60 fee for a replacement TWIC. Some 
TWIC-holders may not need to pay a replacement fee if the TWIC is 
determined faulty as a result of the card production process. 
However, these TWIC-holders would still need to travel to a TWIC 
Enrollment Center to get a replacement TWIC.
---------------------------------------------------------------------------

    Table 4 shows the average initial phase-in and annual recurring 
costs per facility by facility type. This includes capital, 
operational, delay, and TWIC replacement costs due to invalid TWIC 
reader transactions. It does not, however, account for vessel costs. 
Table 5 shows the total cost to facilities over the 10-year period of 
analysis by facility type. This includes capital, operational, delay, 
and TWIC replacement costs due to invalid TWIC reader transactions.

[[Page 17820]]



                                                      Table 4--Per Facility Cost, by Facility Type
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                          Break bulk and                       Large           Small
               Phase-in & recurring costs                   Bulk liquid       solids         Container       passenger       passenger       Mixed use
--------------------------------------------------------------------------------------------------------------------------------------------------------
Initial Phase-in Cost...................................        $256,267        $347,901        $604,007        $252,324        $164,011        $169,136
Annual Recurring cost...................................          14,531          19,727          34,248          14,307           9,300           9,590
Annual Recurring cost with Equipment Replacement........          94,399         128,154         222,493          92,947          60,415          62,303
--------------------------------------------------------------------------------------------------------------------------------------------------------


                     Table 5--10-Year Total Cost Risk Group A Facilities, by Facility Type *
                                                  [$ Millions]
----------------------------------------------------------------------------------------------------------------
                                 Bulk     Break bulk                 Large       Small
            Year                liquid    and solids   Container   passenger   passenger   Mixed use     Total
----------------------------------------------------------------------------------------------------------------
1...........................       $38.3        $2.8        $0.9       $11.7        $5.2        $5.2       $64.2
2...........................        40.5         3.0         1.0        12.4         5.5         5.5        67.8
3...........................         4.3         0.3         0.1         1.3         0.6         0.6         7.3
4...........................         4.3         0.3         0.1         1.3         0.6         0.6         7.3
5...........................         4.3         0.3         0.1         1.3         0.6         0.6         7.3
6...........................        16.5         1.2         0.4         5.0         2.2         2.2        27.6
7...........................        16.5         1.2         0.4         5.0         2.2         2.2        27.6
8...........................         4.3         0.3         0.1         1.3         0.6         0.6         7.3
9...........................         4.3         0.3         0.1         1.3         0.6         0.6         7.3
10..........................         4.3         0.3         0.1         1.3         0.6         0.6         7.3
                             -----------------------------------------------------------------------------------
    Total Undiscounted......       137.9        10.1         3.3        42.1        18.7        18.7       230.8
                             -----------------------------------------------------------------------------------
    Total Discounted at 7%..      $109.6        $8.0        $2.6       $33.4       $14.9       $14.9      $183.3
                             -----------------------------------------------------------------------------------
    Total Discounted at 3%..      $124.2        $9.1        $3.0       $37.9       $16.9       $16.8      $207.9
----------------------------------------------------------------------------------------------------------------
* This table includes the costs to facilities as well as additional costs such as delay, travel, and TWIC
  replacement costs due to TWIC failures.

    For the 38 Risk Group A vessels with greater than 14 TWIC-holding 
crewmembers, we assume that each vessel will comply with the 
requirements by purchasing two portable TWIC readers and deploying them 
at the main access points of the vessel. We estimate the annualized 
costs to vessels of this rulemaking to be approximately $0.4 million at 
a 7 percent discount rate. These costs are shown in Table 6.

                                           Table 6--Total Vessel Costs
                           [Risk Group A with more than 14 TWIC-holding crewmembers] *
----------------------------------------------------------------------------------------------------------------
                              Year                                 Undiscounted         7%              3%
----------------------------------------------------------------------------------------------------------------
1...............................................................      $1,257,866      $1,175,576      $1,221,229
2...............................................................         132,114         115,394         124,530
3...............................................................         132,114         107,845         120,903
4...............................................................         132,114         100,789         117,382
5...............................................................         132,114          94,196         113,963
6...............................................................       1,145,036         762,986         958,949
7...............................................................         132,114          82,274         107,421
8...............................................................         132,114          76,892         104,292
9...............................................................         132,114          71,861         101,255
10..............................................................         132,114          67,160          98,305
                                                                 -----------------------------------------------
    Total.......................................................      $3,459,815      $2,654,972      $3,068,229
                                                                 -----------------------------------------------
    Annualized..................................................  ..............         378,008         359,690
----------------------------------------------------------------------------------------------------------------
* Because the affected population is relatively small, we assume that all 38 vessels will comply within the
  first year of implementation. However, owners and operators of these vessels would have 2 years to comply with
  the rulemaking.

    We estimate the annualized cost of this proposed rule to industry 
over 10 years to be about $26.5 million at a 7 percent discount rate. 
The main cost drivers of this proposed rule are the acquisition and 
installation of TWIC readers and the maintenance of the affected 
entity's TWIC reader system. Initial costs, which would be distributed 
over a 2-year implementation phase, consist predominantly of the costs 
to purchase and install TWIC readers and to integrate them with owners' 
and operators' PACS. Annual costs would be driven by costs associated 
with CCL updates, recordkeeping, training, system maintenance and 
opportunity costs associated with failed reader transactions.
    We estimated the present value average costs of this proposed rule 
on industry for a 10-year period as summarized in Table 7. The costs 
were discounted at 3 and 7 percent as set forth by guidance in OMB 
Circular A-4.

[[Page 17821]]



                                                       Table 7--Total Industry Cost, Risk Group A
                                                                      [$ Millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                            Additional
                          Year                               Facility         Vessel          costs*       Undiscounted         7%              3%
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.......................................................           $62.2            $1.3            $2.0           $65.4           $61.1           $63.5
2.......................................................            63.8             0.1             4.0            67.9            59.3            64.0
3.......................................................             3.3             0.1             4.0             7.4             6.0             6.8
4.......................................................             3.3             0.1             4.0             7.4             5.6             6.6
5.......................................................             3.3             0.1             4.0             7.4             5.3             6.4
6.......................................................            23.6             1.1             4.0            28.7            19.2            24.1
7.......................................................            23.6             0.1             4.0            27.7            17.3            22.6
8.......................................................             3.3             0.1             4.0             7.4             4.3             5.8
9.......................................................             3.3             0.1             4.0             7.4             4.0             5.7
10......................................................             3.3             0.1             4.0             7.4             3.8             5.5
                                                         -----------------------------------------------------------------------------------------------
    Total...............................................           193.0             3.5            37.8           234.2           186.0           210.9
                                                         -----------------------------------------------------------------------------------------------
Annualized..............................................  ..............  ..............  ..............  ..............            26.5           24.7
--------------------------------------------------------------------------------------------------------------------------------------------------------
* This includes additional delay, travel, and TWIC replacement costs due to TWIC failures.

    As this rule would require amendments to FSPs and VSPs, we estimate 
a cost to the government to review these amendments during the 
implementation period. We do not anticipate any additional annual cost 
to the government from this rulemaking. For the total implementation 
period, the total government cost would be $98,226 at a 7 percent 
discount rate. Table 8 shows the 10-year government costs.

                                           Table 8--Government Costs *
----------------------------------------------------------------------------------------------------------------
                                                                       Total
                                        FSP             VSP        undiscounted         7%              3%
----------------------------------------------------------------------------------------------------------------
1...............................         $51,072          $6,299         $57,371         $53,617         $56,507
2...............................          51,072               0          51,072          44,608          50,208
3...............................               0               0               0               0               0
4...............................               0               0               0               0               0
5...............................               0               0               0               0               0
6...............................               0               0               0               0               0
7...............................               0               0               0               0               0
8...............................               0               0               0               0               0
9...............................               0               0               0               0               0
10..............................               0               0               0               0               0
                                 -------------------------------------------------------------------------------
    Total.......................         102,144           6,299         108,443          98,226         103,840
                                 -------------------------------------------------------------------------------
    Annualized..................  ..............  ..............  ..............          13,985         12,173
----------------------------------------------------------------------------------------------------------------
* After implementation, we estimate there would be no additional government costs for plan review as additional
  updates would be covered under existing plan review requirements and resources.

    Based on the proposals in this NPRM and recent data, we estimated 
the average first-year cost of this NPRM (combined industry and 
government) to be about $61.2 million or $63.6 million at a 7 or 3 
percent discount rate, respectively. The undiscounted annual recurring 
cost for this proposal is approximately $7.4 million in every year 
except years 6 and 7, due to equipment replacement 5 years after 
implementation. The annualized cost of this proposed rule is $26.5 
million at 7 percent and $24.7 million at 3 percent. The 10-year cost 
to industry of this proposed rule is approximately $186.1 million at a 
7 percent discount rate, and $211.0 million at a 3 percent discount 
rate, respectively.
    The benefits of the proposed rule include enhancing the security of 
vessels, ports, and other facilities by ensuring that only individuals 
who hold TWICs are granted unescorted access to secure areas at those 
locations.
    TWIC readers will make identification, validation, and verification 
of individuals attempting to gain unescorted access to a secure area 
more reliable and also will help to alleviate potential sources of 
human error when checking credentials at access points. Identity 
verification ensures that the individual presenting the TWIC is the 
same person to whom the TWIC was issued. Card authentication ensures 
that the TWIC is not counterfeit, and card validation ensures that the 
TWIC has not expired or been revoked by TSA, or reported as lost, 
stolen, or damaged. Furthermore, the standardization of TWIC readers on 
a national scale could provide additional benefits in the form of 
efficiency gains in implementing access control systems throughout port 
facilities and nationally for companies operating in multiple 
locations.
    The proposed rule would also further implement the MTSA provision 
for the transportation security card requirement, as well as the SAFE 
Port Act electronic TWIC reader requirements. Due to current data 
limitations, we do not estimate monetized benefits of this proposed 
rule. We present qualitative benefits and a break-even analysis in this 
preliminary analysis.
    Break-even analysis is useful when it is not possible to quantify 
the benefits

[[Page 17822]]

of a regulatory action.\87\ OMB Circular A-4 recommends a ``threshold'' 
or ``break-even'' analysis when non-quantified benefits are important 
to evaluating the benefits of a regulation. Threshold or break-even 
analysis answers the question, ``How small could the value of the non-
quantified benefits be (or how large would the value of the non-
quantified costs need to be) before the rule would yield zero net 
benefits?'' \88\ For this rulemaking, we calculate a potential range of 
break-even results from the estimated consequences of the three attack 
scenarios that are most likely to be mitigated by the use of TWIC 
readers. Because the primary function of the TWIC card and TWIC reader 
is to enhance access control and identity verification and validation, 
the attack scenarios evaluated within MSRAM to provide the consequence 
data for this analysis were limited to the following:
---------------------------------------------------------------------------

    \87\ In order to monetize the benefits from an anti-terrorism 
regulation, we would need to know the incremental reduction in risk 
of a successful terrorist attack that would accrue from the 
regulatory action being analyzed. However, the data needed to 
estimate this reduction in risk are not available.
    \88\ U.S. Office of Management and Budget, Circular A-4, 
September 17, 2003.

 Truck Bomb
    [cir] Armed terrorists use a truck loaded with explosives to attack 
the target focal point. The terrorists will attempt to overcome guards 
and barriers if they encounter them.
 Terrorist Assault Team
    [cir] A team of terrorists using weapons and explosives attack the 
target focal point. Assume the terrorists have done prior planning and 
surveillance, but have no insider support of assault.
 Passenger/Passerby Explosives/Improvised Explosive Device
    [cir] Terrorists exploit inadequate access control and detonate 
carried explosives at the target focal point. Assume the terrorists 
approach the target under cover of legitimate presence and are not 
armed. Note: for this attack mode, terrorist is not an insider.

    The focus on these three attack scenarios allows us to look at 
specific attack scenarios that are most likely to be mitigated by the 
use of TWIC readers. We base our analysis on the highest consequence 
scenario of these three for each target. These scenarios were chosen 
because they represent the scenarios most likely to benefit from the 
enhanced access control afforded by TWIC readers, as they require 
would-be attackers gaining access to the target in question. For these 
three attack types, the aggressor would first need to gain access to 
the facility to inflict maximum damage. Because the function of the 
TWIC reader is to enhance access control, the deployment of TWIC 
readers would increase the likelihood of identifying and denying access 
to an individual attempting nefarious acts. The consequence of an 
attack scenario is dependent on both the target and the attack mode. 
The attack modes selected for this analysis, as described above, serve 
to limit the potential maximum consequence compared to other potential 
attack modes. Typically, one or more threat, vulnerability, or 
consequence drivers will contribute significantly more to a target's 
risk scores than others; these are known as major risk drivers. The 
local COTPs document major risk drivers such as inherent limitations on 
access control or the potential death and injury during the analysis 
process.
    For the break-even analysis, we estimate the consequences of these 
three scenarios by estimating the number of casualties and serious 
injuries that would occur had the attack been successful. To monetize 
the value of fatalities prevented, we use the concept of ``value of a 
statistical life'' (VSL), which is commonly used in safety and security 
analyses. The VSL does not represent the dollar value of a person's 
life, but the amount society would be willing to pay to reduce the 
probability of death. We currently use a value of $6.3 million as an 
estimate of VSL.\89\ This break-even analysis does not consider any 
property damage, environmental damage, indirect or macroeconomic 
consequences these terrorist attacks might cause. Consequently, the 
economic impacts of the terrorist attacks estimated for this series of 
break-even analyses would be higher if these other impacts were 
considered. See Table 9 for the average maximum consequence \90\ of the 
three attack scenarios on Group A facilities.
---------------------------------------------------------------------------

    \89\ ``Valuing Mortality Risk Reductions in Homeland Security 
Regulatory Analyses,'' prepared for the U.S. Customs and Border 
Protection, June 2008. See www.regulations.gov, search on docket 
USCG-2005-21869-003.
    \90\ The average maximum consequence is the average of the 
highest consequence attack scenario for each target in the 
referenced target group. The average maximum consequence compares 
the results from the three analyzed attack modes for each target and 
averages the maximum consequence for all targets.

                        Table 9--Annual Risk Reduction and Attacks Averted Required for Costs to Equal Benefits, NPRM Alternative
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                Annualized cost,         Average
                                                7% discount rate     consequence ($         Required               Frequency of  attacks averted
                                                  ($ millions)          millions)       reduction in risk
--------------------------------------------------------------------------------------------------------------------------------------------------------
NPRM Alternative.............................              $26.5            $3,468.7                0.8%   One every 130.9 years.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    As shown in Table 9, an avoided terrorist attack at an average 
target is equivalent to $3,468.7 million in avoided consequences. Using 
the estimated annualized cost of this regulation, the annual reduction 
in the probability of attack to a Risk Group A facility that would just 
equate avoided consequences with cost is less than 1 percent. To state 
this in another way, if implementing this regulation would lower the 
likelihood of a successful terrorist attack by more than 1 percent each 
year, then this would be a socially efficient use of resources. This 
proposed rule is estimated to cost approximately $26.5 million 
annually. This proposed rule would be cost effective if it prevented 
one terrorist attack with consequence equal to the average every 130.9 
years ($3,468.7/$26.5). These small changes in risk reduction suggest 
the potential benefits of the proposed rule justify the costs.
    For the NPRM alternative, we assess that all Risk Group A 
facilities will be required to install and use TWIC readers. On the 
vessel side, we assess that all Risk Group A vessels with a crew size 
greater than 14 TWIC-holding crewmembers will likely carry two portable 
TWIC readers. For this alternatives analysis, we look at several 
different ways to implement TWIC reader requirements based on the risk 
group hierarchy. These alternatives include requiring TWIC readers for 
Risk Group A and B facilities, along with Risk Group A vessels with 
more than 14 TWIC-holding crewmembers, Risk

[[Page 17823]]

Group A and container facilities, along with Risk Group A vessels with 
more than 14 TWIC-holding crewmembers, adding certain high-risk 
facilities to Risk Group A, including petroleum refineries, non-CDC 
bulk hazardous materials facilities, and petroleum storage facilities, 
and Risk Group A facilities and all self-propelled Risk Group A 
vessels. Table 10 summarizes the alternatives considered. The costs 
displayed are the 10-year costs and the 10-year annualized cost, each 
discounted at 7 percent.

                                                            Table 10--Regulatory Alternatives
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                            Annualized
                                                                                                                           Total cost ($      cost ($
                                                               Description                   Facility         Vessel       millions, at    millions, at
                                                                                            population      population      7% discount     7% discount
                                                                                                                               rate)           rate)
--------------------------------------------------------------------------------------------------------------------------------------------------------
NPRM Alternative...............................  All Risk Group A facilities and Risk                532              38          $186.1           $26.5
                                                  Group A vessels with more than 14
                                                  crewmembers.
Alternative 2..................................  All Risk Group A facilities and Risk                532             138           197.7            28.2
                                                  Group A vessels (except barges).
Alternative 3..................................  Risk Group A and all container                      651              38           624.9            89.0
                                                  facilities and Risk Group A vessels
                                                  with more than 14 crewmembers.
Alternative 4..................................  All Risk Group A facilities, plus                 1,174              38           419.6            59.7
                                                  additional high consequence facilities
                                                  including petroleum refineries, non-
                                                  CDC bulk hazardous materials
                                                  facilities, and petroleum storage
                                                  facilities, and Risk Group A vessels
                                                  with more than 14 crewmembers.
Alternative 5..................................  Risk Group A and B Facilities and Risk            2,173              38           991.6           141.2
                                                  Group A vessels with more than 14
                                                  crewmembers.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    When comparing alternatives, we also looked at the results of the 
break-even analysis for these alternatives. As Table 11 shows, for the 
overall average maximum consequence, the NPRM alternative would require 
the lowest reduction in risk for the costs of the rule to be justified. 
As the purpose of this rulemaking is to enhance security to mitigate a 
TSI, we assess the break-even for the overall consequence of a TSI. It 
is assumed that the highest consequence targets will be the most 
attractive targets for potential terrorist attack.

       Table 11--Summary of Required Risk Reduction and Attacks Averted by Regulatory Alternative, Overall
                                                 [In $ millions]
----------------------------------------------------------------------------------------------------------------
                                   Annualized                       Required
                                    cost, 7%         Average      reduction in     Frequency of attacks averted
                                  discount rate    consequence   risk (percent)
----------------------------------------------------------------------------------------------------------------
NPRM Alternative...............           $26.5        $3,468.7             0.8  One every 130.9 years.
Risk Group A facilities and all            28.2         3,468.7             0.8  One every 123.2 years.
 Risk Group A vessels, except
 barges.
Risk Group A and all container             89.0         2,878.9             3.1  One every 32.4 years.
 facilities and Risk Group A
 vessels with more than 14
 crewmembers.
All Risk Group A facilities,               59.7         1,776.9             3.4  One every 29.8 years.
 plus additional high
 consequence facilities
 including petroleum
 refineries, non-CDC bulk
 hazardous materials
 facilities, and petroleum
 storage facilities, and Risk
 Group A vessels with more than
 14 crewmembers.
Risk Groups A and B facilities            141.2         1,143.3            12.4  One every 8.1 years.
 and Risk Group A vessels with
 more than 14 crewmembers.
----------------------------------------------------------------------------------------------------------------

NPRM Alternative--Risk Group A Facilities and Risk Group A Vessels With 
More Than 14 TWIC-Holding Crewmembers
    The analysis for this alternative is discussed in detail previously 
in this section, as it is the alternative we propose in this NPRM.
Alternative 2--Risk Group A Facilities and All Risk Group A Vessels, 
Except Barges
    This alternative would require TWIC readers to be used at all Risk 
Group A facilities and for all Risk Group A vessels, except barges. 
This alternative would increase the burden on industry and small 
entities by increasing the affected population from 38 vessels to 138 
vessels. The number of facilities would be the same as in the NPRM 
alternative. Under this alternative, annualized cost of this rulemaking 
would increase from $26.5 million to $28.2 million, at a 7 percent 
discount rate. The discounted 10-year costs would go from $186.1 
million to $197.7 million. While this alternative does not lead to a 
significant increase in costs, we reject it because requiring TWIC 
readers on vessels with 14 or fewer TWIC-holding crewmembers is 
unnecessary, as crews with that few members are known to all on the 
vessel. This crewmember limit was proposed in the ANPRM and was based 
on a recommendation from TSAC. In an effort to reduce unnecessary 
burden and minimize costs of this rulemaking, we estimate this is the 
most efficient way to regulate Risk Group A vessels. See the discussion 
in the NPRM on ``Recurring

[[Page 17824]]

Unescorted Access'' and ``TWIC Reader Requirements on Vessels'' for 
more details.
Alternative 3--Risk Group A and All Container Facilities and Risk Group 
A Vessels With More Than 14 TWIC-Holding Crewmembers
    For this alternative, we assumed that only those facilities in Risk 
Group A, as previously defined, and all container facilities will 
require TWIC readers. This alternative would increase the burden on 
industry and small entities by increasing the affected population from 
532 facilities to 651 facilities. Under this scenario, the annualized 
cost of this rulemaking would increase from $26.5 million to $89.0 
million, at a 7 percent discount rate. The discounted 10-year costs 
would go from $186.1 million to $624.9 million. The inclusion of 
container facilities would also potentially have adverse environmental 
impacts due to increased air emissions due to longer wait (``cueing'') 
times and congestion at facilities.
    We considered this alternative because container facilities are 
perceived to pose a unique threat to the maritime sector due to the 
transfer risk associated with containers. As discussed in the preamble 
of this NPRM, many of the high-risk threat scenarios at container 
facilities would not be mitigated by TWIC readers. The costs for TWIC 
readers at container facilities would not be justified by the amount of 
potential risk reduction at these facilities. While container 
facilities pose an increased transfer risk (i.e., there is a greater 
risk of a threat coming through a container facility and inflicting 
harm or damage elsewhere than with any other facility type), such 
threats are not mitigated by the use of TWIC readers. Furthermore, the 
use of TWIC readers, or other access control features, would not 
mitigate the threat associated with the contents of a container. The 
TWIC reader serves as an additional access control measure, but would 
not improve screening of cargoes for dangerous substances or devices. 
We request data and informed input regarding this assessment.
Alternative 4--Adding Certain High Consequence Facilities to Risk Group 
A (These Additional Facilities To Include Petroleum Refineries, Non-CDC 
Bulk Hazardous Materials Facilities, and Petroleum Storage Facilities)
    For this alternative, we moved three facility categories--petroleum 
refineries, non-CDC bulk hazardous materials facilities, and petroleum 
storage facilities--into Risk Group A from Risk Group B based on the 
average maximum consequence for these facility types. This alternative 
would increase the burden on industry by increasing the affected 
population from 532 facilities to 1,174 facilities. Under this 
scenario, the annualized cost of this rulemaking would increase from 
$26.5 million to $59.7 million, at a 7 percent discount rate. The 
discounted 10-year costs would go from $186.1 million to $419.6 
million.
    We considered this alternative based on the high MSRAM consequence 
scores associated with these three facility types, as well as due to 
the perception that petroleum facilities pose a greater security risk 
than other facility types. Despite the high MSRAM consequence scores 
for these facility types, the overall risk scores as determined in the 
analytical hierarchy process (AHP) were not as high as those in the 
current Risk Group A, and therefore, we rejected this alternative and 
maintained the AHP-based risk groupings.
Alternative 5--Risk Group A and Risk Group B Facilities and Risk Group 
A Vessels With More Than 14 Crewmembers
    Alternative 5 would require TWIC readers to be used at all Risk 
Group A and Risk Group B facilities, and Risk Group A vessels with 
greater than 14 TWIC-holding crewmembers. This alternative would 
increase the burden on industry and small entities by increasing the 
affected population from 532 facilities to 2,173 facilities. This 
increase in facilities would extend the affected population to 
facilities that fall under the second risk tier. Under this 
alternative, annualized cost of this rulemaking would increase from 
$26.5 million to $141.2 million, at a 7 percent discount rate. The 
discounted 10-year costs would go from $186.1 million to $991.6 
million. Based on a recent study by HSI, as discussed in the preamble 
to this NPRM, the difference in risk between facilities in Risk Groups 
A and B is clearly defined, indicating that the two risk groups do not 
require the same level of TWIC requirements. Further, as discussed in 
the benefits section of this analysis, the break-even point, or the 
amount of risk that would need to be reduced for costs to equal 
benefits, for this alternative is much higher than that of the NPRM 
alternative. Moreover, we understand many of the comments opposing TWIC 
reader requirements represented the interests of owners and operators 
of vessels or facilities assigned to Risk Group B. For these reasons, 
we rejected this alternative.
    The provisions in this proposed rule are taken in order to meet 
requirements set forth in MTSA and the SAFE Port Act. The proposal, as 
presented, represents the lowest cost alternative, as discussed above. 
We have focused this rulemaking on the highest risk population so as to 
reduce the impacts of this rule as much as possible. Also, we have 
created a performance standard that allows the affected population to 
implement the requirements in a manner most conducive to their own 
business practices. By allowing for flexibilities, such as the use of 
fixed or portable readers, and removing vessels with 14 or fewer TWIC-
holding crewmembers from the requirements, we have reduced potential 
burden on all entities, including small entities. Furthermore, we 
believe that providing any additional relief for small entities would 
conflict with the purpose of this rulemaking, as the objective is to 
enhance access control and reduce risk of a TSI. Providing relief of 
the proposed requirements based on entity size would contradict that 
stated purpose and leave small entities, which may possess as great a 
risk as entities that exceed the Small Business Administration (SBA) 
size standards, more vulnerable to a TSI.

B. Small Entities

    Under the Regulatory Flexibility Act (5 U.S.C. 601-612), we have 
considered whether this proposed rule would have a significant economic 
impact on a substantial number of small entities. The term ``small 
entities'' comprises small businesses, not-for-profit organizations 
that are independently owned and operated and are not dominant in their 
fields, and governmental jurisdictions with populations of fewer than 
50,000. An Initial Regulatory Flexibility Analysis discussing the 
impacts of this proposed rule on small entities is available in the 
docket where indicated under the ADDRESSES Section.
    For this proposed rule, we estimated mandatory TWIC reader 
requirement costs for approximately 38 vessels and 532 facilities based 
on the risk assessment hierarchy and current data from the Coast 
Guard's MISLE database. Of these 532 facilities that would be affected 
by the TWIC reader requirements, we found 311 unique owners. Among 
these 311 unique owners, there were 31 government-owned entities, 119 
companies that exceeded SBA small business size standards, 88 companies 
considered small by SBA size standards, and 73 companies for which no 
information was available. For the purposes of this analysis, we 
consider all entities for which information was not available to

[[Page 17825]]

be small. There were no not-for-profit entities in our affected 
population. Of the 31 government jurisdictions that would be affected 
by this proposed rule, 24 exceed the 50,000 population threshold as 
defined by the Regulatory Flexibility Act to be considered small and 
seven have government revenue levels such that there would not be an 
impact greater that 1 percent of government revenue.\91\
---------------------------------------------------------------------------

    \91\ ``Government revenues'' used for this analysis include tax 
revenues, and in some cases, operating revenues for government owned 
waterfront facilities.
---------------------------------------------------------------------------

    We were able to find revenue information for 64 of the 88 
businesses deemed small by SBA size standards.\92\ We then determined 
the impacts of the proposed rule on these companies by comparing the 
cost of the proposed rule to the average per facility cost of this 
rulemaking. To determine the average per facility cost, we average the 
per facility cost for all facility types using the same cost per 
facility type breakdown as used to assess the costs of this proposal. 
We then found what percent impact on revenue the proposed rule would 
have based on implementation costs (including capital costs) and annual 
recurring costs (including CCL updates, recordkeeping, and training). 
We estimate these costs to be, on average $233,736 per facility during 
the implementation period and $6,186 per facility in annual recurring 
cost.\93\ We base our impact analysis on average cost to regulated 
entities due to the flexibility afforded by this proposed rule to 
individual facilities to determine how best to implement TWIC reader 
requirements.\94\ Table 12 shows the potential revenue impacts for 
small businesses impacted by this rulemaking.
---------------------------------------------------------------------------

    \92\ SBA small business standards are based on either company 
revenue or number of employees. Many companies in our sample have 
employee numbers determining them small, but we were unable to find 
annual revenue data to pair with the employee data.
    \93\ These are weighted averages, based on the per facility cost 
displayed in Table 4 and the number of facilities by type.
    \94\ We do not know how a specific facility with comply with 
this rulemaking in regards to type and number of readers installed, 
number of personnel requiring training at a given facility, etc.

                       Table 12--Revenue Impacts on Affected Small Businesses--Facilities
----------------------------------------------------------------------------------------------------------------
                                                    Impacts from implementation    Impacts from recurring annual
                                                               costs                           costs
              Revenue impact range               ---------------------------------------------------------------
                                                     Number of      Percent of       Number of      Percent of
                                                     entities        entities        entities        entities
----------------------------------------------------------------------------------------------------------------
0% < Impact <= 1%...............................              27              42              57              89
1% < Impact <= 3%...............................              10              16               6               9
3% < Impact <= 5%...............................               5               8               1               2
5% < Impact <= 10%..............................               8              13               0               0
Above 10%.......................................              14              22               0               0
                                                 ---------------------------------------------------------------
    Total.......................................              64             100              64             100
----------------------------------------------------------------------------------------------------------------

    The greatest impact is expected to occur during the implementation 
phase when 58 percent of small businesses that we were able to find 
revenue data on will experience an impact of greater than 1 percent, 
and 22 percent of small businesses that we were able to find revenue 
data on will experience an impact greater than 10 percent. After 
implementation, the impacts decrease and 89 percent of affected small 
businesses will see an impact less than 1 percent. We expect the 
revenue impacts for years with equipment replacement to be between 
those for implementation and annual impacts. During those years with 
equipment replacement, we estimate that approximately 44 percent of 
businesses would see an impact greater than 1 percent, and 13 percent 
would see an impact greater than 10 percent.\95\
---------------------------------------------------------------------------

    \95\ We estimate an average cost per facility in years with 
equipment replacement to be $48,110.
---------------------------------------------------------------------------

    For vessels, we found that for the 38 vessels that would be 
affected by this proposed rule, there were 10 unique owners, all of 
which were businesses. We were able to find employee and revenue data 
for all but one of the companies. Out of the nine companies for which 
we were able to find data, only two qualified as small businesses by 
SBA size standards. We estimate these costs to be, on average $33,102 
per vessel during the implementation period, and $3,477 per vessel in 
annual cost. We base our impact analysis on average cost per vessel due 
to the flexibility afforded to vessels and the subsequent assumption 
that all vessels will deploy, on average, two portable TWIC readers. 
Both of these businesses would experience impacts less than 1 percent 
of revenue for both previously mentioned impact analyses.
    If you think that your business, organization, or governmental 
jurisdiction qualifies as a small entity and that this proposed rule 
would have a significant economic impact on it, please submit a comment 
to the Docket Management Facility at the address under ADDRESSES. In 
your comment, explain why you think it qualifies and how and to what 
degree this proposed rule would economically affect it.

C. Assistance for Small Entities

    Under section 213(a) of the Small Business Regulatory Enforcement 
Fairness Act of 1996 (Public Law 104-121), we want to assist small 
entities in understanding this proposed rule so that they can better 
evaluate its effects on them and participate in the rulemaking. If the 
proposed rule would affect your small business, organization, or 
governmental jurisdiction and you have questions concerning its 
provisions or options for compliance, please consult Lieutenant 
Commander Loan T. O'Brien, Coast Guard, telephone 202-372-1133. We will 
not retaliate against small entities that question or complain about 
this proposed rule or any policy or action of the Coast Guard.

D. Collection of Information

    This proposed rule would call for a collection of information under 
the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). As defined 
in 5 CFR 1320.3(c), ``collection of information'' comprises reporting, 
recordkeeping, monitoring, posting, labeling, and other similar 
actions. The title and description of the information collection, a 
description of those who must collect the information, and an estimate 
of the total annual burden follow. The estimate covers the time for 
reviewing instructions, searching existing sources of data, gathering 
and maintaining the data needed, and

[[Page 17826]]

completing and reviewing the collection.
    Under the provisions of the proposed rule, the affected facilities 
and vessels would be required to update their FSPs and VSPs, as well as 
create and maintain a system of recordkeeping within 2 years of 
promulgation of the final rule. This requirement would be added to an 
existing collection with OMB control number 1625-0077.
    Title: Security Plans for Ports, Vessels, Facilities, Outer 
Continental Shelf Facilities and Other Security-Related Requirements
    OMB Control Number: 1625-0077.
    Summary of the Collection of Information: This information 
collection is associated with the maritime security requirements 
mandated by MTSA. Security assessments, security plans, and other 
security-related requirements are found in 33 CFR chapter I, subchapter 
H. The proposed rule would require certain vessels and facilities to 
use electronic readers designed to work with the TWIC as an access 
control measure. Affected owners and operators would also face 
requirements associated with electronic TWIC readers, including 
recordkeeping requirements for those owners and operators required to 
use an electronic TWIC reader, and security plan amendments to 
incorporate TWIC requirements.
    Need for Information: The information is necessary to show evidence 
that affected vessels and facilities are complying with the TWIC reader 
requirements.
    Proposed Use of Information: We would use this information to 
ensure that facilities and vessels are properly implementing and 
utilizing TWIC readers.
    Description of the Respondents: The respondents are owners and 
operators of certain vessels and facilities regulated by the Coast 
Guard under 33 CFR Chapter I, subchapter H.
    Number of Respondents: The adjusted number of respondents is 13,825 
for vessels, 3,270 for facilities, and 56 for OCS facilities. Of these 
3,270 facilities and 13,825 vessels, approximately 532 facilities that 
are considered ``high risk'' would be required to modify their existing 
FSPs and approximately 38 vessels would be required to modify their 
VSPs to account for the TWIC reader requirements. These same 
populations would be required to create and maintain recordkeeping 
systems as well.
    Frequency of Response: The FSP and VSP would need to be amended 
within 2 years of promulgation to include TWIC reader-related 
procedures. Recordkeeping requirements would need to be met along a 
similar timeline.
    Burden of Response: The estimated burden for facilities would be 
17,290 hours in the first year, 18,886 hours in the second year and 
3,192 hours in the third year and all subsequent years. The burden for 
vessels would be 2,470 burden hours in year one, and 288 burden hours 
for all subsequent years. This includes an estimated 25 burden hours to 
amend the FSP or VSP, along with an implementation period burden of 40 
hours and an annual burden of 6 hours for designing and maintaining a 
system of records for each facility or vessel, to include recordkeeping 
related to the CCL.
Estimate of Total Annual Burden
    Facilities: The estimated burden over the 2-year implementation 
period for facilities is 25 hours per FSP amendment. Since there are 
currently 532 facilities that will need to amend their FSPs, the total 
burden on facilities would be 13,300 hours (532 FSPs x 25 hours per 
amendment) during the 2-year implementation period, or 6,650 hours each 
of the first 2 years. Facilities would also face a recordkeeping burden 
of 21,280 hours during the 2-year implementation period (532 facilities 
x 40 hours per recordkeeping system), or 10,640 hours each year over 
the first 2 years. There would also be an annual recordkeeping burden 
of 3,192 hours (532 facilities x 6 hours per year), starting in the 
third year. In the second year, the 266 facilities that implemented in 
the first year would incur the 6 hours of annual recordkeeping, at a 
burden of 1,596 (266 facilities x 6 hours). The total burden for 
facilities is estimated at 17,290 (6,650 + 10,640) in Year 1, 18,886 in 
Year 2 (6,650 + 10,640 + 1,596), and 3,192 in Year 3.
    Vessels: For the 38 vessels, the burden in the first year would be 
950 hours (38 VSPs x 25 hour per amendment). Vessels would also face a 
recordkeeping burden of 1,520 hours during the 1-year implementation 
period (38 vessels x 40 hours per recordkeeping system). There would 
also be an annual recordkeeping burden of 228 hours (38 vessels x 6 
hours per year). The total burden for vessels is estimated at 2,470 
(950 + 1,520) in Year 1 and 228 hours in Years 2 and 3.
    Total: The total additional burden due to the TWIC Reader rule is 
estimated at 19,760 (2,470 for vessels and 17,290 for facilities) in 
Year 1, 19,114 (228 for vessels and 18,886 for facilities) in Year 2, 
and 3,420 (228 for vessels and 3,192 for facilities) in Year 3. The 
current annual burden listed in this collection of information is 
1,108,043. The new burden, as a result of this proposed rulemaking, in 
Year 1 is 1,127,803 (1,108,043 + 19,760). The new burden, as a result 
of this proposed rule, is 1,127,803 (1,108,043 + 19,760). The total 
change in monetized burden in Year 1 is approximately $1.3 million. The 
total burden in Year 2 is 1,127,157 (1,108,043 + 19,114) and in Year 3 
is 1,111,463 (1,108,043 + 3,420). The average annual additional burden 
across the 3 years is 14,098 and the average total burden is 1,122,141 
(14,098 + 1,108,043).
    As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 
3507(d)), we have submitted a copy of this proposed rule to OMB for its 
review of the collection of information.
    We ask for public comment on the proposed collection of information 
to help us determine how useful the information is--whether it can help 
us perform our functions better, whether it is readily available 
elsewhere, how accurate our estimate of the burden of collection is, 
how valid our methods for determining burden are, how we can improve 
the quality, usefulness, and clarity of the information, and how we can 
minimize the burden of collection.
    If you submit comments on the collection of information, submit 
them both to OMB and to the Docket Management Facility where indicated 
under ADDRESSES, by the date under DATES.
    You need not respond to a collection of information unless it 
displays a currently valid control number from OMB. Before the 
requirements for this collection of information become effective, we 
will publish a notice in the Federal Register of OMB's decision to 
approve, modify, or disapprove the proposed collection.

E. Federalism

    A rule has implications for Federalism under Executive Order 13132, 
Federalism, if it has a substantial direct effect on the States, on the 
relationship between the national government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government. This proposed rule has been analyzed in accordance with the 
principles and criteria in Executive Order 13132, and as discussed 
earlier in the preamble, it has been determined that this proposed rule 
does have Federalism implications or a substantial direct effect on the 
States.
    This proposed rule would update existing regulations by creating a 
risk-based analysis of MTSA-regulated vessels and facilities. Based on 
this analysis, each vessel or facility is

[[Page 17827]]

classified according to its risk level, which then determines whether 
the vessel or facility would be required to use TWIC readers. 
Additionally, this proposed rule would amend recordkeeping requirements 
and add requirements to amend security plans in order to ensure 
compliance.
    It is well-settled that States may not regulate in categories 
reserved for regulation by the Coast Guard. It is also well-settled, 
now, that all of the categories covered in 46 U.S.C. 3306, 3703, 7101, 
and 8101 (design, construction, alteration, repair, maintenance, 
operation, equipping, personnel qualification, and manning of vessels), 
as well as the reporting of casualties and any other category in which 
Congress intended the Coast Guard to be the sole source of a vessel's 
obligations, are within fields foreclosed from regulation by the States 
or local governments. (See the decision of the Supreme Court in the 
consolidated cases of United States v. Locke and Intertanko v. Locke, 
529 U.S. 89, 120 S.Ct. 1135 (March 6, 2000).)
    The Coast Guard believes the Federalism principles articulated in 
Locke apply to this proposed rule since it would require certain MTSA-
regulated vessels to carry TWIC readers (i.e., required equipment), and 
to conform to recordkeeping and security plan requirements. Therefore, 
States and local governments are foreclosed from regulating within this 
field. This principle also applies to MTSA-regulated facilities, at 
least insofar as a State or local law or regulation applicable to these 
same facilities for the purpose of their protection, would conflict 
with a Federal regulation (i.e., it would either actually conflict or 
would frustrate an overriding Federal need for uniformity).
    Although State and local governments are foreclosed from regulating 
within this specific field, the Coast Guard recognizes the key role 
that State and local governments may have in making regulatory 
determinations. Additionally, Sections 4 and 6 of Executive Order 13132 
require that for any rules with preemptive effect, the Coast Guard 
shall provide elected officials of affected State and local governments 
and their representative national organizations the notice and 
opportunity for appropriate participation in any rulemaking 
proceedings, and to consult with such officials early in the rulemaking 
process. Therefore, we invite affected State and local governments and 
their representative national organizations to indicate their desire 
for participation and consultation in this rulemaking process by 
submitting comments to this notice. In accordance with Executive Order 
13132, the Coast Guard will provide a Federalism impact statement to 
document: (1) The extent of the Coast Guard's consultation with State 
and local officials that submit comments in response to this proposed 
rule; (2) a summary of the nature of any concerns raised by State or 
local governments and the Coast Guard's position thereon; and (3) a 
statement of the extent to which the concerns of State and local 
officials have been met.

F. Unfunded Mandates Reform Act

    The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) 
requires Federal agencies to assess the effects of their discretionary 
regulatory actions. In particular, the Act addresses actions that may 
result in the expenditure by a State, local, or tribal government, in 
the aggregate, or by the private sector of $100,000,000 (adjusted for 
inflation) or more in any one year. Though this proposed rule would not 
result in such an expenditure, we do discuss the effects of this 
proposed rule elsewhere in this preamble.

G. Taking of Private Property

    This proposed rule would not cause a taking of private property or 
otherwise have taking implications under Executive Order 12630, 
Governmental Actions and Interference with Constitutionally Protected 
Property Rights.

H. Civil Justice Reform

    This proposed rule meets applicable standards in sections 3(a) and 
3(b)(2) of Executive Order 12988, Civil Justice Reform, to minimize 
litigation, eliminate ambiguity, and reduce burden.

I. Protection of Children

    We have analyzed this proposed rule under Executive Order 13045, 
Protection of Children from Environmental Health Risks and Safety 
Risks. Though this proposed rule is a ``significant regulatory action'' 
under Executive Order 12866, it would not create an environmental risk 
to health or a risk to safety that might disproportionately affect 
children.

J. Indian Tribal Governments

    This proposed rule does not have tribal implications under 
Executive Order 13175, Consultation and Coordination with Indian Tribal 
Governments, because it would not have a substantial direct effect on 
one or more Indian tribes, on the relationship between the Federal 
Government and Indian tribes, or on the distribution of power and 
responsibilities between the Federal Government and Indian tribes.

K. Energy Effects

    We have analyzed this proposed rule under Executive Order 13211, 
Actions Concerning Regulations That Significantly Affect Energy Supply, 
Distribution, or Use. We have determined that it is not a ``significant 
energy action'' under that order. Though it is a ``significant 
regulatory action'' under Executive Order 12866, it is not likely to 
have a significant adverse effect on the supply, distribution, or use 
of energy. The Administrator of the Office of Information and 
Regulatory Affairs has not designated it as a significant energy 
action. Therefore, it does not require a Statement of Energy Effects 
under Executive Order 13211.

L. Technical Standards

    The National Technology Transfer and Advancement Act (NTTAA) (15 
U.S.C. 272 note) directs agencies to use voluntary consensus standards 
in their regulatory activities unless the agency provides Congress, 
through OMB, an explanation of why using these standards would be 
inconsistent with applicable law or otherwise impractical. Voluntary 
consensus standards are technical standards (e.g., specifications of 
materials, performance, design, or operation; test methods; sampling 
procedures; and related management systems practices) that are 
developed or adopted by voluntary consensus standards bodies.
    This proposed rule does not use technical standards. Therefore, we 
did not consider the use of voluntary consensus standards.
    The Federal government is developing the TWIC reader standards. 
Under NTTAA and OMB Circular A-119, NIST is tasked with the role of 
encouraging and coordinating Federal agency use of voluntary consensus 
standards and participation in the development of relevant standards, 
as well as promoting coordination between the public and private 
sectors in the development of standards and in conformity assessment 
activities. NIST is assisting TSA with the establishment of a 
conformity assessment framework in support of a QTL for identity and 
privilege credential products, to be managed by TSA. NIST is also 
assisting TSA with the establishment of a testing suite for qualifying 
products in conformity to specified standards and TSA specifications.
    If you are aware of voluntary consensus standards that might apply 
to this rule, please send a comment to the

[[Page 17828]]

docket using one of the methods under ADDRESSES. In your comment, 
please explain why you disagree with our analysis and/or identify 
voluntary consensus standards we have not listed that might apply.

M. Environment

    We have analyzed this proposed rule under DHS Management Directive 
023-01 and Commandant Instruction M16475.lD, which guide the Coast 
Guard in complying with the National Environmental Policy Act of 1969 
(NEPA) (42 U.S.C. 4321-4370f), and have made a preliminary 
determination that this action is not likely to have a significant 
effect on the human environment. A ``Draft Programmatic Environmental 
Assessment'' (DPEA) and a draft ``Finding of No Significant Impact'' 
(FONSI) are available in the docket where indicated under the ``Public 
Participation and Request for Comments'' section of this preamble. Our 
analysis indicates that TWIC reader operations would have insignificant 
direct, indirect or cumulative impacts on environmental resources, with 
special attention to potential air quality issues. We encourage the 
public to submit comments on the DPEA and draft FONSI.

List of Subjects

33 CFR Part 101

    Harbors, Incorporation by reference, Maritime security, Reporting 
and recordkeeping requirements, Security measures, Vessels, Waterways.

33 CFR Part 104

    Maritime security, Reporting and recordkeeping requirements, 
Security measures, Vessels.

33 CFR Part 105

    Maritime security, Reporting and recordkeeping requirements, 
Security measures.

33 CFR Part 106

    Continental shelf, Maritime security, Reporting and recordkeeping 
requirements, Security measures.
    For the reasons discussed in the preamble, we propose to amend 33 
CFR parts 101, 104, 105, and 106 as follows:

PART 101--MARITIME SECURITY: GENERAL

0
1. The authority citation for part 101 continues to read as follows:

    Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 
U.S.C. 191, 192; Executive Order 12656, 3 CFR 1988 Comp., p. 585; 33 
CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department of Homeland 
Security Delegation No. 0170.1.

0
2. Amend Sec.  101.105, as follows:
0
a. Add, in alphabetical order, definitions for the terms ``Biometric 
match'', ``Canceled Card List (CCL)'', ``Card authentication'', ``Card 
Holder Unique Identifier (CHUID)'', ``Card validity check'', ``Mobile 
Offshore Drilling Unit (MODU)'', ``Offshore Supply Vessel (OSV)'', 
``Physical Access Control System (PACS)'', ``Risk Group'', and ``TWIC 
reader''; and
0
b. Remove the definition for the term ``Recurring unescorted access''.
    The additions read as follows:


Sec.  101.105  Definitions.

* * * * *
    Biometric match means a confirmation that: one of the two biometric 
(fingerprint) templates stored in the Transportation Worker 
Identification Credential (TWIC) matches the scanned fingerprint of the 
person presenting the TWIC; or the alternate biometric stored in a PACS 
matches the corresponding biometric of the person.
* * * * *
    Canceled Card List (CCL) means the list of TWIC Federal Agency 
Smart Credential-Numbers (FASC--Ns) that have been invalidated or 
revoked because TSA has determined that the TWIC-holder may pose a 
security threat, or because the card has been reported lost, stolen, or 
damaged.
* * * * *
    Card authentication means electronic verification that the TWIC is 
a valid credential issued by TSA, containing the Card Holder Unique 
Identifier (CHUID) and the correct digital signature.
    Card Holder Unique Identifier (CHUID) means the standardized data 
object comprised of the FASC--N, globally unique identifier, expiration 
date, and certificate used to validate the data integrity of other data 
objects on the credential.
    Card validity check means electronic verification that the TWIC has 
not been invalidated or revoked by checking the TWIC against the 
Canceled Card List or, for vessels and facilities assigned to Risk 
Group B or C according to Sec. Sec.  104.263 or 105.253 of this 
subchapter, by verifying that the expiration date on the face of the 
TWIC has not passed.
* * * * *
    Mobile Offshore Drilling Unit (MODU) means the same as defined in 
33 CFR 140.10.
* * * * *
    Offshore Supply Vessel (OSV) means the same as defined in 46 CFR 
125.160.
* * * * *
    Physical Access Control System (PACS) means a system, including 
devices, personnel, and policies, that controls access to and within a 
facility or vessel.
* * * * *
    Risk Group means the risk ranking assigned to a vessel, facility, 
or OCS facility according to Sec. Sec.  104.263, 105.253, or 106.258 of 
this subchapter, for the purpose of the TWIC requirements in this 
subchapter.
* * * * *
    TWIC reader means an electronic device listed on TSA's Qualified 
Technology List (QTL) and used to verify and validate: the authenticity 
of a TWIC; the identity of the TWIC-holder as the legitimate bearer of 
the credential; that the TWIC is not expired; and that the TWIC is not 
on the CCL. TSA's QTL of acceptable TWIC readers may be accessed online 
at http://(TBD).
* * * * *
0
3. Add Sec.  101.112 to read as follows:


Sec.  101.112  Federalism.

    (a) The regulations in 33 CFR parts 101, 103, 104, and 106 have 
preemptive effect over State or local regulation within the same field.
    (b) The regulations in 33 CFR part 105 have preemptive effect over 
State or local regulations insofar as a State or local law or 
regulation applicable to the facilities covered by part 105 would 
conflict with the regulations in part 105, either by actually 
conflicting or frustrating an overriding Federal need for uniformity.


Sec.  101.514  [Amended]

0
4. In Sec.  101.514, remove paragraph (e).
0
5. Revise Sec.  101.515(d)(2) to read as follows:


Sec.  101.515  TWIC/Personal identification.

* * * * *
    (d) * * *
    (2) Each person who has been issued or who possesses a TWIC must 
allow their TWIC to be read by a TWIC reader and must submit their 
reference biometric, such as a fingerprint, and any other required 
information, such as a Personal Identification Number (PIN), to the 
TWIC reader, upon a request from TSA, the Coast Guard, any other 
authorized DHS representative, or a Federal, State, or local law 
enforcement officer.
0
6. Add Sec.  101.520 to read as follows:


Sec.  101.520  TWIC reader requirements for Risk Group A.

    Owners or operators of vessels or facilities subject to part 104 or 
105 of this subchapter that are assigned to Risk Group A in Sec. Sec.  
104.263 or 105.253 of this

[[Page 17829]]

subchapter must ensure that a Transportation Worker Identification 
Credential (TWIC) program is implemented as follows:
    (a) Maritime Security (MARSEC) Level 1. (1) Prior to each entry, 
all persons must present their TWICs for inspection using a TWIC 
reader, with or without a Physical Access Control System (PACS), before 
being granted unescorted access to secure areas. The TWIC inspection 
must include an identity verification including a biometric match, card 
authentication, and card validity check using Canceled Card List (CCL) 
information that is no more than 7 days old.
    (2) With a PACS, biometrics other than the fingerprint templates 
stored in the TWIC may be used to perform the identity verification, 
provided that the owner or operator links the person, the TWIC, and the 
alternate biometric in the PACS. To do this, a one-time initial 
biometric match and card authentication using a TWIC reader must be 
performed. Owners and operators must update their security plans to 
explain how the PACS performs the required security functions and how 
they protect sensitive security information.
    (b) MARSEC Levels 2 and 3. At these MARSEC Levels, the same 
procedures outlined in paragraph (a) of this section must be used, 
except that the card validity check must use CCL information that is no 
more than 1 day old.
    (c) The CCL information used to verify card validity must be 
updated within 12 hours of any increase in MARSEC Level, no matter when 
the information was last updated.
    (d) Only the most recently obtained CCL information shall be used 
to conduct card validity checks.
    (e) Vessels in Risk Group A with more than 14 crewmembers required 
to hold a TWIC must comply with the applicable TWIC reader requirements 
in this subchapter. All vessels with 14 or fewer TWIC-holding 
crewmembers are exempt from the TWIC reader requirements in this 
subchapter. Owners or operators of vessels with 14 or fewer TWIC-
holding crewmembers are required to perform the following TWIC visual 
inspection requirements, prior to each entry, on persons seeking 
unescorted access to secure areas:
    (1) Visually match the photograph on the TWIC to the person 
presenting the TWIC.
    (2) Visually check the various security features present on the 
card to determine whether the TWIC has been tampered with or forged.
    (3) Visually verify that the expiration date on the face of the 
TWIC has not passed.
    (f) If the COTP determines that TWIC reader requirements are 
causing delays at a facility that result in excessive vehicle build-up 
or other consequence, the COTP is authorized to temporarily suspend 
TWIC reader requirements at that facility, and permit the owner or 
operator to satisfy the requirements of this section by performing the 
following TWIC visual inspections, prior to each entry, on persons 
seeking unescorted access to secure areas:
    (1) Visually match the photograph on the TWIC to the person 
presenting the TWIC.
    (2) Visually check the various security features present on the 
card to determine whether the TWIC has been tampered with or forged.
    (3) Visually verify that the expiration date on the face of the 
TWIC has not passed.
0
7. Add Sec.  101.525 to read as follows:


Sec.  101.525  TWIC inspection requirements for Risk Group B.

    Owners or operators of vessels, facilities, or Outer Continental 
Shelf facilities subject to part 104, 105, or 106 of this subchapter 
that are assigned to Risk Group B in Sec. Sec.  104.263, 105.253, or 
106.258 of this subchapter must ensure that at all Maritime Security 
(MARSEC) Levels, prior to each entry, all persons seeking unescorted 
access to secure areas present their Transportation Worker 
Identification Credentials (TWICs) for inspection before being granted 
such unescorted access.
    (a) Inspection must include--
    (1) A visual match of the photograph on the TWIC to the person 
presenting the TWIC;
    (2) A visual check of the various security features present on the 
card to determine whether the TWIC has been tampered with or forged; 
and
    (3) A visual verification that the expiration date on the face of 
the TWIC has not passed.
    (b) Nothing in this section shall be read to prohibit an owner or 
operator from implementing the TWIC requirements of a higher Risk Group 
for their vessel or facility.
0
8. Add Sec.  101.530 to read as follows:


Sec.  101.530  TWIC inspection requirements for Risk Group C.

    Owners or operators of vessels or facilities subject to part 104 or 
105 of this subchapter that are assigned to Risk Group C in Sec. Sec.  
104.263 or 105.253 of this subchapter must ensure that at all Maritime 
Security (MARSEC) Levels, prior to each entry, all persons seeking 
unescorted access to secure areas present their TWICs for inspection 
before being granted such unescorted access.
    (a) TWIC inspection must include--
    (1) A visual match of the photograph on the TWIC to the person 
presenting the TWIC;
    (2) A visual check of the various security features present on the 
card to determine whether the TWIC has been tampered with or forged; 
and
    (3) A visual verification that the expiration date on the face of 
the TWIC has not passed.
    (b) Nothing in this section shall be read to prohibit an owner or 
operator from implementing the TWIC requirements of a higher Risk Group 
for their vessel or facility.
0
9. Add Sec.  101.535 to read as follows:


Sec.  101.535  TWIC inspection requirements in special circumstances.

    Owners or operators of any vessel, facility, or Outer Continental 
Shelf (OCS) facility subject to part 104, 105, or 106 of this 
subchapter must ensure that a TWIC program is implemented as follows:
    (a) If a person cannot present a Transportation Worker 
Identification Credential (TWIC) because it has been lost, damaged, or 
stolen, and the person has previously been granted unescorted access to 
secure areas and is known to have had a TWIC, the person may be granted 
unescorted access to secure areas for a period of no longer than 7 
consecutive calendar days if--
    (1) The person has reported the TWIC as lost, damaged, or stolen to 
TSA as required in 49 CFR 1572.19(f);
    (2) The person can present another identification credential that 
meets the requirements of Sec.  101.515 of this part; and
    (3) There are no other suspicious circumstances associated with the 
person's claim that the TWIC was lost, damaged, or stolen.
    (b) If a person's fingerprints are not able to be read by a TWIC 
reader or Physical Access Control System (PACS) due to technology 
malfunction, poor fingerprint quality, or no fingerprint minutiae, the 
owner or operator may grant the person unescorted access to secure 
areas based on either of the following secondary authentication 
procedures:
    (1) The owner or operator may require the person to provide their 
Personal Identification Number (PIN); or
    (2) The owner or operator may require the person to present an 
alternative biometric that has been incorporated into the PACS.
    (c) If a TWIC reader malfunctions, and a person seeking unescorted 
access to

[[Page 17830]]

secure areas has previously been granted such unescorted access and is 
known to have a TWIC, the person may be granted unescorted access to 
secure areas for a period of no longer than 7 consecutive calendar 
days. During that period, the owner or operator must perform the 
following inspections prior to each entry:
    (1) A visual match of the photograph on the TWIC to the person 
presenting the TWIC.
    (2) A visual check of the various security features present on the 
card to determine whether the TWIC has been tampered with or forged.
    (3) A visual verification that the expiration date on the face of 
the TWIC has not passed.
    (d) If a person cannot present a TWIC for any other reason than 
those outlined in paragraph (a) of this section, the person must not be 
granted unescorted access to secure areas. The person must be under 
escort, at all times, while in a secure area.
    (e) With the exception of persons granted access according to 
paragraph (a) of this section, all persons granted unescorted access to 
secure areas of a vessel, facility, or OCS facility must be able to 
produce their TWICs upon request from the Transportation Safety 
Administration, the Coast Guard, other authorized Department of 
Homeland Security representatives, or a Federal, State, or local law 
enforcement officer.
    (f) There must be disciplinary measures in place to prevent fraud 
and abuse.
    (g) Owners or operators must establish the frequency of the 
application of any security measures for access control in their 
approved security plans, particularly if these security measures are 
applied on a random or occasional basis.
    (h) The vessel, facility, or OCS facility's TWIC program should be 
coordinated, when practicable, with identification and TWIC access 
control measures of other entities that interface with the vessel, 
facility, or OCS facility.

PART 104--MARITIME SECURITY: VESSELS

0
10. The authority citation for part 104 continues to read as follows:

    Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 
U.S.C. 191; 33 CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department 
of Homeland Security Delegation No. 0170.1.


Sec.  104.105  [Amended]

0
11. In Sec.  104.105(d), remove the words ``this part'', and add, in 
their place, the words ``parts 101 and 104 of this subchapter''.
0
12. Amend Sec.  104.115 by removing paragraph (c), redesignating 
paragraph (d) as paragraph (c), and revising newly redesignated 
paragraph (c) to read as follows:


Sec.  104.115  Compliance.

* * * * *
    (c) By (2 YEARS AFTER DATE OF PUBLICATION OF FINAL RULE), owners 
and operators of vessels subject to this part must amend their security 
plans, if necessary, to indicate how they will implement the TWIC 
reader requirements in this subchapter. By (2 YEARS AFTER DATE OF 
PUBLICATION OF FINAL RULE), owners and operators of Risk Group A 
vessels subject to this part must operate in accordance with the TWIC 
reader provisions found within this subchapter.


Sec.  104.200  [Amended]

0
13. Amend Sec.  104.200 as follows:
0
a. In paragraph (b)(12) introductory text, remove the word ``part'', 
and add, in its place, the word ``subchapter''; and
0
b. In paragraph (b)(14), remove the words ``Sec.  104.265(c) of this 
part'', and add, in their place, the words ``Sec.  101.535(a) of this 
subchapter''.
0
14. Amend Sec.  104.235 as follows:
0
a. In paragraph (b)(7), following the words ``of its effective 
period;'', remove the word ``and'';
0
b. In paragraph (b)(8), following the words ``the audit was 
completed'', remove the symbol ``.'' and add, in its place, the word 
``; and'';
0
c. Add paragraph (b)(9); and
0
d. In paragraph (c), add a sentence to the end of the paragraph.
    The additions read as follows:


Sec.  104.235  Vessel recordkeeping requirements.

* * * * *
    (b) * * *
    (9) TWIC Reader/PACS. For each individual granted unescorted access 
to a secure area, the: FASC-N; date and time that unescorted access was 
granted; and, if captured, the individual's name. Additionally, 
documentation to demonstrate that the owner or operator has updated the 
CCL with the frequency required in Sec.  101.520 of this subchapter.
    (c) * * * TWIC reader records and similar records in a PACS are 
sensitive security information and must be protected in accordance with 
49 CFR part 1520.
0
15. Add Sec.  104.263 to read as follows:


Sec.  104.263  Risk Group classifications for vessels.

    (a) For purposes of the Transportation Worker Identification 
Credential (TWIC) requirements of this subchapter, the following 
vessels subject to this part are in Risk Group A:
    (1) Vessels that carry Certain Dangerous Cargoes (CDC) in bulk.
    (2) Vessels certificated to carry more than 1,000 passengers.
    (3) Towing vessels engaged in towing a barge or barges subject to 
paragraph (a)(1) or vessels subject to paragraph (a)(2) of this 
section.
    (b) For purposes of the TWIC requirements of this subchapter, the 
following vessels subject to this part are in Risk Group B:
    (1) Vessels that carry hazardous materials other than CDC in bulk.
    (2) Vessels subject to 46 CFR chapter I, subchapter D, that carry 
any flammable or combustible liquid cargoes or residues.
    (3) Vessels certificated to carry 500 to 1,000 passengers.
    (4) Towing vessels engaged in towing a barge or barges subject to 
paragraph (b)(1), (b)(2), or vessels subject to paragraph (b)(3) of 
this section.
    (c) For purposes of the TWIC requirements of this subchapter, the 
following vessels subject to this part are in Risk Group C:
    (1) Vessels carrying non-hazardous cargoes that are required to 
have a vessel security plan (VSP).
    (2) Vessels certificated to carry less than 500 passengers.
    (3) Towing vessels engaged in towing a barge or barges subject to 
paragraph (c)(1) or vessels subject to paragraph (c)(2) of this 
section.
    (4) Mobile Offshore Drilling Units (MODUs).
    (5) Offshore Supply Vessels (OSVs) subject to 46 CFR chapter I, 
subchapter L or I.
    (d) Vessels may move from one Risk Group classification to another, 
based on the cargo they are carrying or handling at any given time. An 
owner or operator expecting a vessel to move between Risk Groups must 
explain, in the VSP, the timing of such movements, as well as how the 
vessel will move between the requirements of the higher and lower Risk 
Groups, with particular attention to the security measures to be taken 
when moving from a lower Risk Group to a higher Risk Group.
0
16. Amend Sec.  104.265 as follows:
0
a. Revise paragraph (a)(4);
0
b. Remove paragraphs (c) and (d);
0
c. Redesignate paragraphs (e) through (h) as paragraphs (c) through 
(f), respectively;
0
d. Revise newly redesignated paragraph (d)(1);
0
e. In newly redesignated paragraph (e)(6), remove the word ``and'';
0
f. In newly redesignated paragraph (e)(7), following the words 
``cooperation

[[Page 17831]]

with the facility'', remove the symbol ``.'' and add, in its place, the 
word ``; and'';
0
g. Add paragraph (e)(8);
0
h. In newly redesignated paragraph (f)(9), remove the word ``or'';
0
i. In newly redesignated paragraph (f)(10), following the words 
``search of the vessel'', remove the symbol ``.'' and add, in its 
place, the word ``; or''; and
0
j. Add paragraph (f)(11).
    The revisions and additions read as follows:


Sec.  104.265  Security measures for access control.

    (a) * * *
    (4) Prevent an unescorted individual from entering an area of the 
vessel that is designated as a secure area unless the individual holds 
a duly issued TWIC and is authorized to be in the area. Depending on a 
vessel's Risk Group, TWICs must be checked either visually or 
electronically using a TWIC reader or as integrated into a PACS at the 
locations where TWIC-holders embark the vessel.
* * * * *
    (d) * * *
    (1) Implement TWIC as set out in Sec. Sec.  101.520, 101.525, or 
101.530 of this subchapter, as applicable, and in accordance with the 
vessel's assigned Risk Group, as set out in Sec.  104.263 of this part;
* * * * *
    (e) * * *
    (8) Implementing additional TWIC requirements, as required by Sec.  
104.263 of this part and Sec. Sec.  101.520, 101.525, or 101.530 of 
this subchapter, if relevant.
* * * * *
    (f) * * *
    (11) Implementing additional TWIC requirements, as required by 
Sec.  104.263 of this part and Sec. Sec.  101.520, 101.525 or 101.530 
of this subchapter, if relevant.


Sec.  104.267  [Amended]

0
17. In Sec.  104.267(a), remove the last sentence.


Sec.  104.292  [Amended]

0
18. Amend Sec.  104.292 as follows:
0
a. In paragraph (b) introductory text, remove the words ``(f)(2), 
(f)(4), and (f)(9)'' and add, in its place, the words ``(d)(2), (d)(4), 
and (d)(9)'';
0
b. In paragraph (e)(3), remove the words ``Sec.  104.265(f)(4) and 
(g)(1)'', and add, in their place, the words ``Sec.  104.265(d)(4) and 
(e)(1)''; and
0
c. In paragraph (f), remove the words ``Sec.  104.265(f)(4) and 
(h)(1)'', and add, in their place, the words ``Sec.  104.265(d)(4) and 
(f)(1)''.
0
19. Amend Sec.  104.405 as follows:
0
a. Revise paragraph (a)(10); and
0
b. In paragraph (b), remove the last sentence.
    The revisions read as follows:


Sec.  104.405  Format of the Vessel Security Plan (VSP).

    (a) * * *
    (10) Security measures for access control, including the vessel's 
TWIC program, designated passenger access areas, and employee access 
areas;
* * * * *

PART 105--MARITIME SECURITY: FACILITIES

0
20. The authority citation for part 105 continues to read as follows:

    Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. 70103; 50 U.S.C. 191; 
33 CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department of Homeland 
Security Delegation No. 0170.1.

0
21. Amend Sec.  105.110 by revising paragraph (b) to read as follows:


Sec.  105.110  Exemptions.

* * * * *
    (b) A public access area designated under Sec.  105.106 is exempt 
from the requirements for screening of persons, baggage, and personal 
effects and identification of persons in Sec. Sec.  101.520, 101.525, 
or 101.530 of this subchapter, as applicable, and Sec.  105.255(c)(1), 
(c)(3), (d)(1), and (e)(1) and Sec.  105.285(a)(1).
* * * * *
0
22. Amend Sec.  105.115 as follows:
0
a. In paragraph (c), following the words ``Sec.  105.415 of this 
part'', remove the words ``, by September 4, 2007''; and
0
b. Remove paragraph (d), redesignate paragraph (e) as paragraph (d), 
and revise newly redesignated paragraph (d) to read as follows:


Sec.  105.115  Compliance.

* * * * *
    (d) By (2 YEARS AFTER DATE OF PUBLICATION OF FINAL RULE), owners 
and operators of facilities subject to this part must amend their 
security plans, if necessary, to indicate how they will implement the 
TWIC reader requirements in this subchapter. By (2 YEARS AFTER DATE OF 
PUBLICATION OF FINAL RULE), owners and operators of Risk Group A 
facilities subject to this part must be operating in accordance with 
the TWIC reader provisions found within this subchapter.


Sec.  105.200  [Amended]

0
23. Amend Sec.  105.200 as follows:
0
a. In paragraph (b)(6) introductory text, remove the word ``part'', and 
add, in its place, the word ``subchapter''; and
0
b. In paragraph (b)(15), remove the words ``section 105.255(c) of this 
part'', and add, in their place, the words ``Sec.  101.535(a) of this 
subchapter''.
0
24. Amend Sec.  105.225 as follows:
0
a. In paragraph (b)(7), following the words ``of its effective 
period;'', remove the word ``and'';
0
b. In paragraph (b)(8), following the words ``the audit was 
completed'', remove the symbol ``.'' and add, in its place, the word 
``; and'';
0
c. Add paragraph (b)(9); and
0
d. In paragraph (c), add a sentence to the end of the paragraph.
    The additions read as follows:


Sec.  105.225  Facility recordkeeping requirements.

* * * * *
    (b) * * *
    (9) TWIC Reader/PACS. For each individual granted unescorted access 
to a secure area, the: FASC-N; date and time that unescorted access was 
granted; and, if captured, the individual's name. Additionally, 
documentation to demonstrate that the owner or operator has updated the 
CCL with the frequency required in Sec.  101.520 of this subchapter.
    (c) * * * TWIC reader records and similar records in a PACS are 
sensitive security information and must be protected in accordance with 
49 CFR part 1520.
0
25. Add Sec.  105.253 to read as follows:


Sec.  105.253  Risk Group classifications for facilities.

    (a) For purposes of the Transportation Worker Identification 
Credential (TWIC) requirements of this subchapter, the following 
facilities subject to this part are in Risk Group A:
    (1) Facilities that handle Certain Dangerous Cargoes (CDC) in bulk.
    (2) Facilities that receive vessels certificated to carry more than 
1,000 passengers.
    (3) Barge fleeting facilities that receive barges carrying CDC in 
bulk.
    (b) For purposes of the TWIC requirements of this subchapter, the 
following facilities subject to this part are in Risk Group B:
    (1) Facilities that receive vessels that carry hazardous materials 
other than CDC in bulk.
    (2) Facilities that receive vessels subject to 46 CFR chapter I, 
subchapter D, that carry any flammable or combustible liquid cargoes or 
residues.
    (3) Facilities that receive vessels certificated to carry 500 to 
1,000 passengers.
    (4) Facilities that receive towing vessels engaged in towing a 
barge or barges carrying hazardous materials other than CDC in bulk, 
crude oil, or towing vessels certificated to carry 500 to 1,000 
passengers.

[[Page 17832]]

    (c) For purposes of the TWIC requirements of this subchapter, the 
following facilities subject to this part are in Risk Group C:
    (1) Facilities that receive vessels carrying non-hazardous cargoes 
not otherwise included in paragraph (a) or (b) of this section.
    (2) Facilities that receive vessels certificated to carry less than 
500 passengers.
    (3) Facilities that receive towing vessels engaged in towing a 
barge carrying non-hazardous cargoes or less than 500 passengers.
    (d) Facilities may move from one Risk Group classification to 
another, based on the material they handle or the types of vessels they 
receive at any given time. An owner or operator of a facility expected 
to move between Risk Groups must explain, in the facility security 
plan, the timing of such movements, as well as how the facility will 
move between the requirements of the higher and lower Risk Groups, with 
particular attention to the security measures to be taken when moving 
from a lower Risk Group to a higher Risk Group.
0
26. Amend Sec.  105.255 as follows:
0
a. Revise paragraph (a)(4);
0
b. Remove paragraphs (c) and (d);
0
c. Redesignate paragraphs (e) through (h) as paragraphs (c) through 
(f), respectively;
0
d. Revise newly redesignated paragraph (d)(1);
0
e. In newly redesignated paragraph (c), remove the words ``Facility 
Security Plan (FSP)'' and add, in their place, the word ``FSP''.
0
f. In newly redesignated paragraph (e)(6), remove the word ``or'';
0
g. In newly redesignated paragraph (e)(7), following the words ``in the 
approved FSP'', remove the symbol ``.'' and add, in its place, the word 
``; or'';
0
h. Add paragraph (e)(8);
0
i. In newly redesignated paragraph (f)(8), remove the word ``or'';
0
j. In newly redesignated paragraph (f)(9), following the words ``within 
the facility'', remove the symbol ``.'' and add, in its place, the word 
``; or''; and
0
k. Add paragraph (f)(10) as follows:
    The revisions and additions read as follows:


Sec.  105.255  Security measures for access control.

    (a) * * *
    (4) Prevent an unescorted individual from entering an area of the 
facility that is designated as a secure area unless the individual 
holds a duly issued TWIC and is authorized to be in the area. Depending 
on a facility's Risk Group, TWICs must be inspected either visually or 
electronically using a TWIC reader or as integrated into a PACS at the 
access points to the secure areas designated in the facility security 
plan (FSP).
* * * * *
    (d) * * *
    (1) Implement TWIC as set out in Sec. Sec.  101.520, 101.525, or 
101.530 of this subchapter, as applicable, and in accordance with the 
facility's assigned Risk Group, as set out in Sec.  105.253 of this 
part;
* * * * *
    (e) * * *
    (8) Implementing additional TWIC requirements, as required by Sec.  
105.253 of this part and Sec. Sec.  101.520, 101.525, or 101.530 of 
this subchapter, if relevant.
* * * * *
    (f) * * *
    (10) Implementing additional TWIC requirements, as required by 
Sec.  105.253 of this part and Sec.  101.520, 101.525, or 101.530 of 
this subchapter, if relevant.


Sec.  105.257  [Amended]

0
27. In Sec.  105.257(a), remove the last sentence.
0
28. Revise Sec.  105.290(b) to read as follows:


Sec.  105.290  Additional requirements--cruise ship terminals.

* * * * *
    (b) Check the identification of all persons seeking to enter the 
facility. Persons holding a TWIC shall be checked as set forth in 
Sec. Sec.  101.520, 101.525 or 101.530 of this subchapter, as 
applicable, in accordance with the facility's assigned Risk Group, as 
set out in Sec.  105.253 of this part. For persons not holding a TWIC, 
this check includes confirming the reason for boarding by examining 
passenger tickets, boarding passes, government identification or 
visitor badges, or work orders;
* * * * *
0
29. Revise Sec.  105.296(a)(4) to read as follows:


Sec.  105.296  Additional requirements-barge fleeting facilities.

    (a) * * *
    (4) Control access to the barges once tied to the fleeting area by 
implementing TWIC as described in Sec. Sec.  101.520, 101.525 or 
101.530 of this subchapter, as applicable, in accordance with the 
facility's assigned Risk Group, as set out in Sec.  105.253 of this 
part.
* * * * *
0
30. Amend Sec.  105.405 as follows:
0
a. Revise paragraph (a)(10); and
0
b. In paragraph (b), remove the last sentence.
    The revisions read as follows:


Sec.  105.405  Format and content of the Facility Security Plan (FSP).

    (a) * * *
    (10) Security measures for access control, including the facility's 
TWIC program and designated public access areas;
* * * * *

PART 106--MARINE SECURITY: OUTER CONTINENTAL SHELF (OCS) FACILITIES

0
31. The authority citation for part 106 continues to read as follows:

    Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 
U.S.C. 191; 33 CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department 
of Homeland Security Delegation No. 0170.1.

Sec.  106.110  [Amended]

0
32. In Sec.  106.110, remove paragraphs (d) and (e).


Sec.  106.200  [Amended]

0
33. Amend Sec.  106.200 as follows:
0
a. In paragraph (b)(6) introductory text, remove the word ``part'', and 
add, in its place, the word ``subchapter''; and
0
b. In paragraph (b)(12), remove the words ``Sec.  106.260(c) of this 
part'', and add, in their place, the words ``Sec.  101.535 of this 
subchapter''.
0
34. Add Sec.  106.258 to read as follows:


Sec.  106.258  Risk Group classifications for OCS facilities.

    For purposes of the Transportation Worker Identification Credential 
requirements of this subchapter, all Outer Continental Shelf facilities 
subject to this part are classified in Risk Group B.
0
35. Amend Sec.  106.260 as follows:
0
a. Remove paragraphs (c) and (d);
0
b. Redesignate paragraphs (e) through (h) as paragraphs (c) through 
(f), respectively;
0
c. Revise newly redesignated paragraph (d)(1);
0
d. In newly redesignated paragraph (e)(3), remove the word ``or'';
0
e. In newly redesignated paragraph (e)(4), following the words 
``providing boat patrols'', remove the symbol ``.'' and add, in its 
place, the word ``; or'';
0
f. Add paragraph (e)(5);
0
g. In newly redesignated paragraph (f)(7), remove the word ``or'';
0
h. In newly redesignated paragraph (f)(8), following the words ``search 
of the OCS facility'', remove the symbol ``.'' and add, in its place, 
the word ``; or''; and
0
i. Add paragraph (f)(9).
    The revisions and additions read as follows:


Sec.  106.260  Security measures for access control.

* * * * *
    (d) * * *
    (1) Implement TWIC as set out in Sec.  101.525 of this subchapter 
in

[[Page 17833]]

accordance with the OCS facility's assigned Risk Group, as set out in 
Sec.  106.258 of this part.
* * * * *
    (e) * * *
    (5) Implementing additional TWIC requirements, as required by Sec.  
106.258 of this part and Sec.  101.525 of this subchapter.
* * * * *
    (f) * * *
    (9) Implementing additional TWIC requirements, as required by Sec.  
106.258 of this part and Sec.  101.525 of this subchapter.


Sec.  106.262  [Amended]

0
36. In Sec.  106.262(a), remove the last sentence.
0
37. Amend Sec.  106.405 as follows:
0
a. Revise paragraph (a)(10); and
0
b. In paragraph (b), remove the last sentence.
    The revisions read as follows:


Sec.  106.405  Format of the Facility Security Plan (FSP).

    (a) * * *
    (10) Security measures for access control, including the OCS 
facility's TWIC program;
* * * * *

    Dated: March 13, 2013.
Admiral Robert J. Papp Jr.,
Commandant, U.S. Coast Guard.
[FR Doc. 2013-06182 Filed 3-21-13; 8:45 am]
BILLING CODE 9110-04-P