Transportation Worker Identification Credential (TWIC)-Reader Requirements, 57651-57713 [2016-19383]

Download as PDF Vol. 81 Tuesday, No. 163 August 23, 2016 Part II Department of Homeland Security sradovich on DSK3GMQ082PROD with RULES2 Coast Guard 33 CFR Parts 101, 103, 104, et al. Transportation Worker Identification Credential (TWIC)—Reader Requirements; Final Rule VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\23AUR2.SGM 23AUR2 57652 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations For information about this document, call or email LCDR Kevin McDonald, Coast Guard; telephone 202–372–1168, email Kevin.J.Mcdonald2@uscg.mil. SUPPLEMENTARY INFORMATION: FOR FURTHER INFORMATION CONTACT: DEPARTMENT OF HOMELAND SECURITY Coast Guard 33 CFR Parts 101, 103, 104, 105 and 106 Table of Contents for Preamble [Docket No. USCG–2007–28915] RIN 1625–AB21 Transportation Worker Identification Credential (TWIC)—Reader Requirements Coast Guard, DHS. Final rule. AGENCY: ACTION: The Coast Guard is issuing a final rule to require owners and operators of certain vessels and facilities regulated by the Coast Guard to conduct electronic inspections of Transportation Worker Identification Credentials (TWICs) as an access control measure. This final rule also implements recordkeeping requirements and security plan amendments that would incorporate these TWIC requirements. The TWIC program, including the electronic inspection requirements in this final rule, is an important component of the Coast Guard’s multilayered system of access control requirements designed to enhance maritime security. This rulemaking action builds upon existing regulations designed to ensure that only individuals who hold a valid TWIC are granted unescorted access to secure areas of Coast Guard-regulated vessels and facilities. The Coast Guard and the Transportation Security Administration have already promulgated regulations pursuant to the Maritime Transportation Security Act that require mariners and other individuals to hold a TWIC prior to gaining unescorted access to a secure area. By requiring certain high-risk vessels and facilities to perform electronic TWIC inspections, this rule enhances security at those locations. This rule also implements the Security and Accountability For Every Port Act of 2006 electronic reader requirements. DATES: This final rule is effective August 23, 2018. ADDRESSES: Comments and materials received from the public, as well as documents mentioned in this preamble as being available in the docket, are part of docket USCG–2007–28915 and are available using the Federal eRulemaking Portal. You can find this docket on the Internet by going to http:// www.regulations.gov, entering ‘‘USCG– 2007–28915’’ and then clicking ‘‘Search.’’ sradovich on DSK3GMQ082PROD with RULES2 SUMMARY: VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 I. Abbreviations II. Regulatory History and Information III. Executive Summary A. Basis and Purpose B. Summary of Costs and Benefits IV. Background V. Discussion of Comments and Changes to the Final Rule A. General Matters Relating to TWIC 1. Purpose and Efficacy of the TWIC Program 2. Risk Analysis Methodology B. Electronic TWIC Inspection 1. Electronic TWIC Inspection Does Not Necessarily Require a TWIC Reader 2. Integrating Electronic TWIC Inspection Into a PACS a. List of Acceptable TWIC Readers b. PIN Pads and Biometric Input Methods 3. Comments Related to Troubleshooting TWIC a. Lost, Stolen, or Damaged TWIC i. Vessels and Facilities Using a PACS ii. Vessels and Facilities Using TWIC Readers b. Transportation Worker Forgets to Bring TWIC to Work Site c. Inaccessible Biometrics d. Malfunctioning Access Control Systems e. Requirements for Varying MARSEC Levels 4. Recordkeeping Requirements C. When to Conduct Electronic TWIC Inspection 1. Secure, Restricted, Public Access, Passenger Access, and Employee Access Areas a. ‘‘Prior to Each Entry’’ for Risk Group A Facilities b. Recurring Unescorted Access 2. Risk Group A Vessels 3. Risk Groups B and C 4. Miscellaneous Questions Regarding the Locations of Electronic TWIC Inspection D. Determination of Risk Groups 1. Risk Group A Facilities a. Alternative Security Programs b. Determining Risk Group A Facilities 2. The Crewmember Exemption Does Not Apply to Facilities 3. The Low Number of Crewmembers Exemption 4. Calculating the Total Number of TWICholding Crewmembers 5. Threshold for the Crewmember Exemption of Vessels 6. Outer Continental Shelf Facilities 7. Vessels and Facilities Not in Risk Group A 8. Barge Fleeting Facilities 9. Switching Risk Groups E. Responses to Economic Comments 1. Costs of TWIC Readers 2. Number of TWIC Readers at Vessels and Facilities 3. Transaction Times 4. Security Personnel PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 5. Other Cost Comments 6. Costs Exceeding Benefits, Costeffectiveness, and Risk Reduction 7. Cumulative Costs of Security-related Rulemakings 8. Small Business Impact F. Other Issues 1. The GAO Report and the TWIC Pilot Program 2. Additional Comments a. General Comments on the TWIC Program b. Clarification of Specific Items c. Comments Outside the Scope of this Rulemaking VI. Regulatory Analyses A. Regulatory Planning and Review B. Small Entities C. Assistance for Small Entities D. Collection of Information E. Federalism F. Unfunded Mandates Reform Act G. Taking of Private Property H. Civil Justice Reform I. Protection of Children J. Indian Tribal Governments K. Energy Effects L. Technical Standards M. Environment I. Abbreviations AHP—Analytical Hierarchy Process ANPRM—Advanced Notice of Proposed Rulemaking ASP—Alternative Security Program CCA—Certificate for Card Authentication CCL—Canceled Card List CCTV—Closed-Circuit Television CDC—Certain Dangerous Cargoes CFR—Code of Federal Regulations CHUID—Card Holder Unique Identifier COI—Certificate of Inspection DHS—Department of Homeland Security DRAA—Designated Recurring Access Area E.O.—Executive Order FASC—N Federal Agency Smart Credential— Number FR—Federal Register FSP—Facility Security Plan ICE—Initial Capability Evaluation MARSEC—Maritime Security MISLE—Marine Information for Safety and Law Enforcement MSRAM—Maritime Security Risk Analysis Model MTSA—Maritime Transportation Security Act of 2002 NIST—National Institute of Standards and Technology NPRM—Notice of Proposed Rulemaking NTTAA—National Technology Transfer and Advancement Act NVIC—Navigation and Vessel Inspection Circular OCS—Outer Continental Shelf OMB—Office of Management and Budget PAC—Policy Advisory Council PACS—Physical Access Control System PVA—Passenger Vessel Association PII—Personal Identifying Information PIN—Personal Identification Number Pub. L.—Public Law QTL—Qualified Technology List RA—Regulatory Analysis RUA—Recurring Unescorted Access SAFE—Port Act Security and Accountability For Every Port Act of 2006 E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations SBA—Small Business Administration SSI—Sensitive Security Information TSA—Transportation Security Administration TSAC—Towing Safety Advisory Committee TSI—Transportation Security Incident TWIC—Transportation Worker Identification Credential U.S.C.—United States Code VSP—Vessel Security Plan II. Regulatory History and Information On May 22, 2006, the Coast Guard and the Transportation Security Administration (TSA) jointly published a Notice of Proposed Rulemaking (NPRM) entitled ‘‘Transportation Worker Identification Credential (TWIC) Implementation in the Maritime Sector; Hazardous Materials Endorsement for a Commercial Driver’s License.’’ 1 On January 25, 2007, the Coast Guard and TSA published the final rule, also entitled ‘‘Transportation Worker Identification Credential (TWIC) Implementation in the Maritime Sector; Hazardous Materials Endorsement for a Commercial Driver’s License.’’ 2 Although the May 22, 2006 NPRM proposed certain TWIC reader requirements, after reviewing the public comments, the Coast Guard decided to remove the proposed TWIC reader requirements from the January 25, 2007 final rule, address them in a separate rulemaking, and conducted a pilot program to address the feasibility of reader requirements before issuing a final rule.3 For a detailed discussion of those public comments and Coast Guard responses, please refer to the January 25, 2007 final rule.4 On March 27, 2009, the Coast Guard published an Advanced Notice of Proposed Rulemaking (ANPRM) for this rulemaking.5 On March 22, 2013, the Coast Guard published the NPRM for this rulemaking.6 Additionally, we held four public meetings across the country in 2013. III. Executive Summary A. Basis and Purpose In accordance with the Maritime Transportation Security Act of 2002 (MTSA) and the Security and Accountability For Every Port Act of 2006 (SAFE Port Act), the Coast Guard is establishing rules requiring electronic readers for use at high-risk vessels and sradovich on DSK3GMQ082PROD with RULES2 1 71 FR 29396. FR 3492. 3 The TWIC Reader Pilot was established pursuant to Section 104 of the Security and Accountability For Every Port Act of 2006 (SAFE Port Act) (P.L. 109–347), which was codified at 46 U.S.C. 70105 (k)(4). 4 72 FR 3511. 5 74 FR 13360. 6 78 FR 17782. 2 72 VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 at facilities. These rules will ensure that prior to being granted unescorted access to a designated secure area, an individual will have his or her TWIC authenticated, the status of that credential validated against an up-todate list maintained by the TSA, and the individual’s identity confirmed by comparing his or her biometric (i.e. fingerprint) with a biometric template stored on the credential. By promulgating these rules, the Coast Guard is complying with the statutory requirement in the SAFE Port Act, improving security at the highest risk maritime transportation-related vessels and facilities, and making full use of the electronic and biometric security features integrated into the TWIC and mandated by Congress in MTSA. The TWIC is currently being used as a visual identity badge on many vessels and facilities. Essentially, DHS requires that a security guard examines the security features (hologram and watermark) embedded on the surface of the credential, checks the expiration date listed on the card, and compares the photograph to the person presenting the credential. While this system of ‘‘visual TWIC inspection’’ provides some benefits, it does not address all security concerns, nor does it make full use of the security features contained in the TWIC. For example, if a TWIC is stolen or lost, an unauthorized individual could make use of the credential, and provided that individual resembles the picture on the TWIC, could gain access to a secure area. Additionally, if a TWIC is revoked because the individual has committed a disqualifying offense, such as the theft of explosives, there is no way for security officers on a vessel or at a facility to determine that fact from the face of the TWIC. Finally, a sophisticated adversary could forge a realistic replica of a credential. It is also worth noting that since a TWIC-holder is required to renew his or her credential every 5 years, the TWICholder’s resemblance to the picture on the TWIC may decrease over time, rendering visual inspection a somewhat less accurate means to confirm identity. Through the process of ‘‘electronic TWIC inspection,’’ by which TWICs are authenticated, validated, and the individual’s identity confirmed biometrically, all of these scenarios would be thwarted or mitigated. In this rulemaking process, the Coast Guard published an ANPRM, published an NPRM, hosted a series of public meetings around the country to solicit public input, and worked with the Transportation Security Administration to conduct a pilot program. As a result PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 57653 of this input, the Coast Guard made a number of changes and clarifications in this final rule that we believe provide a robust system that improves security, addresses industry, labor, and Congressional concerns, and clarifies numerous issues relating to the operational nature of the electronic TWIC inspection program. Primarily, this rule allows for an even more flexible implementation of the electronic TWIC inspection requirements than the proposed rule that will allow new systems to be integrated into existing security and access control systems. We believe that this flexibility will provide robust security without causing unnecessary costs or significantly disrupting business operations. A brief summary of the main changes from the proposed rule to the final rule follows. • This final rule provides additional flexibility with regard to the purchase, installation, and use of electronic readers. Instead of requiring the use of a TWIC reader on the TSA’s Qualified Technology List (QTL), owners and operators can choose to fully integrate electronic TWIC inspection and biometric matching into a new or existing Physical Access Control System (PACS). • We clarify that this final rule only affects Risk Group A vessels and facilities, and that no changes to the existing business practices of other MTSA-regulated vessels and facilities are required. • This final rule eliminates the distinction between Risk Groups B and C for both vessels and facilities. If and when a requirement for electronic TWIC inspection may be considered for MTSA-regulated vessels and facilities not currently in Risk Group A, we will provide an updated analysis of the costs and benefits of such an action and define new Risk Groups accordingly. • This final rule clarifies that for Risk Group A facilities, electronic TWIC inspection is required each time a person is granted unescorted access to a secure area (a limited exception is permitted for Recurring Unescorted Access, or RUA). For Risk Group A vessels, electronic TWIC inspection is only required when boarding the vessel, even if only parts of the vessel are considered secure areas. • This final rule eliminates the special requirement that barge fleeting facilities that handle or receive barges carrying Certain Dangerous Cargoes (CDC) in bulk be classified as Risk Group A. Barge fleeting facilities are instead classified the same as all other facilities. This change will effectively eliminate most isolated barge facilities E:\FR\FM\23AUR2.SGM 23AUR2 57654 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations from the electronic TWIC inspection requirements due to a lack of a secure area. • This final rule increases the exemption from electronic TWIC inspection requirements to vessels with 20 or fewer TWIC-holding crewmembers and defines that number as the minimum manning requirement specified on a vessel’s Certificate of Inspection. • This final rule provides additional flexibility for ferries and other vessels that use dedicated terminals in Risk Group A to integrate their electronic TWIC inspection programs with their terminals’ programs. B. Summary of Costs and Benefits Of the approximately 13,825 vessels, 3,270 facilities, and 56 Outer Continental Shelf (OCS) facilities regulated by MTSA, this final rule impacts only certain ‘‘Risk Group A’’ vessels and facilities, which currently number 1 vessel 7 and 525 facilities under the revised applicability definitions for the final rule. No OCS facilities are affected by this final rule. We estimate the annualized cost of this final rule to be approximately $22.5 million, while the 10-year cost is $157.9 million, discounted at 7 percent. The main cost drivers of this rule are the acquisition, installation, and integration of TWIC readers into access control systems. Annual costs will be driven by costs associated with updates of the list of cancelled TWICs, recordkeeping, training, system maintenance, and opportunity costs associated with failed TWIC reader transactions. The estimated annualized cost of this final rule discounted at 7 percent is approximately $5.1 million less than the estimated cost of the NPRM. The benefits of this final rule include the enhancement of the security of vessels, ports, and other facilities by ensuring that only individuals who hold TWICs are granted unescorted access to secure areas at those locations. The main benefit of this regulation, decreased risk of a Transportation Security Incident (TSI), cannot be quantified given current data limitations. We used a risk-based approach to apply these regulatory requirements to less than 5 percent of the MTSA-regulated population, which represents approximately 80 percent of the potential consequences of a TSI. The provisions in this final rule target the highest risk entities while maximizing the net benefits of the rule. Table 1 provides the estimated costs and functional benefits associated with the requirements of the TWIC reader. TABLE 1—ESTIMATED COSTS AND FUNCTIONAL BENEFITS OF TWIC READER REQUIREMENTS Category Final Rule Applicability ............................................................................................... High-risk MTSA-regulated facilities and high risk MTSA-regulated vessels with greater than 20 TWIC-holding crewmembers. 1 vessel. 525 facilities. $22.5 (annualized). $157.9 (10-year). Time to retrieve or replace lost PINs for use with TWICs. Enhanced access control and security at U.S. maritime facilities and on board U.S.-flagged vessels. Reduction of human error when checking identification and manning access points. Affected Population .................................................................................. Costs ($ millions, 7% discount rate) ........................................................ Costs (Qualitative) .................................................................................... Benefits (Qualitative) ................................................................................ IV. Background The MTSA provides a multi-layered approach to maritime security which includes measures to consider broader security issues at U.S. ports and waterways, the coastal zone, the open ocean, and foreign ports. Under this multi-layered system, the Coast Guard is authorized to regulate vessels and facilities, and owners and operators of MTSA-regulated vessels or facilities are required to submit for Coast Guard approval a comprehensive security plan detailing the access control and other security policies and procedures implemented on each vessel and facility. Security plans must identify and mitigate vulnerabilities by detailing the following items: (1) Security organization of the vessel or facility; (2) personnel training; (3) drills and exercises; (4) records and documentation; (5) response to changes in Maritime Security (MARSEC) Level; (6) procedures for interfacing with other facilities and/or vessels; (7) Declarations of Security; (8) communications; (9) security systems and equipment maintenance; (10) security measures for access control; (11) security measures for restricted areas; (12) security measures for handling cargo; (13) security measures regarding vessel stores and bunkers; (14) security measures for monitoring; (15) security incident procedures; (16) audits and security plan amendments; (17) Security Assessment Reports and other security reports; and (18) TWIC procedures.8 7 We note that the number of vessels affected by the provision is low, as most ‘‘Risk Group A’’ vessels are exempt from the electronic TWIC inspection requirements due to a low crewmember count. 8 See 33 CFR 104.405 and 33 CFR 105.405. sradovich on DSK3GMQ082PROD with RULES2 For a more detailed discussion of costs and benefits, see the full Final Regulatory Analysis and Final Regulatory Flexibility Analysis available in the online docket for this rulemaking. Appendix G of that document outlines the costs by provision and also discusses the complementary nature of the provisions. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 For the purposes of MTSA, the term ‘‘facility’’ means ‘‘any structure or facility of any kind located in, on, under, or adjacent to any waters subject to the jurisdiction of the United States.’’ 9 For the purposes of MTSA, the term ‘‘vessel’’ includes ‘‘every description of watercraft or other artificial contrivance used, or capable of being used, as a means of transportation on water.’’ 10 Coast Guard regulations implementing MTSA with respect to vessels 11 apply to: Mobile Offshore Drilling Units, cargo vessels, or passenger vessels subject to the International Convention for Safety of Life at Sea, 1974 (SOLAS), chapter XI– 1 or Chapter XI–2; foreign cargo vessels greater than 100 gross register tons; generally, self-propelled U.S. cargo vessels greater than 100 gross tons; offshore supply vessels; vessels subject to the Coast Guard’s regulations regarding passenger vessels; passenger 9 46 U.S.C. 70101(2). U.S.C. 115; 1 U.S.C. 3. 11 See 33 CFR 104.105(a). 10 46 E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations vessels certificated to carry more than 150 passengers; passenger vessels carrying more than 12 passengers engaged on an international voyage; barges carrying, in bulk, cargoes regulated under the Coast Guard’s regulations regarding tank vessels or CDC; 12 barges carrying CDC or cargo and miscellaneous vessels engaged on an international voyage; tank ships; and generally, towing vessels greater than 8 meters in register length engaged in towing barges. TWIC requirements in those regulations do not apply to: Foreign vessels; mariners employed aboard vessels moored at U.S. facilities only when they are working immediately adjacent to their vessels in the conduct of vessel activities; except pursuant to international treaty, convention, or agreement to which the U.S. is a party, to any foreign vessel that is not destined for, or departing from, a port or place subject to the jurisdiction of the U.S. and that is either (a) in innocent passage through the territorial sea of the U.S., or (b) in transit through the navigable waters of the U.S. that form a part of an international strait.13 Coast Guard regulations implementing MTSA with respect to facilities 14 apply to: waterfront facilities handling dangerous cargoes (as generally defined in 49 CFR parts 170 through 179); waterfront facilities handling liquefied natural gas and liquefied hazardous gas; facilities transferring oil or hazardous materials in bulk; facilities that receive vessels certificated to carry more than 150 passengers; facilities that receive vessels subject to SOLAS, Chapter XI; facilities that receive foreign cargo vessels greater than 100 gross register tons; generally, facilities that receive U.S. cargo and miscellaneous vessels greater than 100 gross register tons; barge fleeting facilities that receive barges carrying, in bulk, cargoes regulated under the Coast Guard’s regulations regarding tank vessels or CDC; and fixed or floating facilities operating on the OCS for the purposes of engaging in the exploration, development, or production of oil, natural gas, or mineral resources. Those regulations do not apply to: A facility owned or operated by the U.S. that is used primarily for military purposes; an oil and natural gas production, exploration, or development facility regulated by 33 CFR parts 126 or 154 if (a) the facility 12 The term ‘‘Certain Dangerous Cargoes’’ is defined in 33 CFR 101.105 by reference to 33 CFR 160.204, which lists all of the covered substances. 13 See 33 CFR 104.105(d)–(f). 14 See 33 CFR 105.105 and 106.105. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 is engaged solely in the exploration, development, or production of oil and natural gas, and (b) the facility does not meet or exceed the operating conditions in 33 CFR 106.105; a facility that supports the production, exploration, or development of oil and natural gas regulated by 33 CFR parts 126 or 154 if (a) the facility is engaged solely in the support of exploration, development, or production of oil and natural gas and transports or stores quantities of hazardous materials that do not meet or exceed those specified in 49 CFR 172.800(b)(1) through (b)(6), or (b) the facility stores less than 42,000 gallons of cargo regulated by 33 CFR part 154; a mobile facility regulated by 33 CFR part 154; or an isolated facility that receives materials regulated by 33 CFR parts 126 or 154 by vessel due to the lack of road access to the facility and does not distribute the material through secondary marine transfers.15 Additionally, the TWIC requirements in those regulations do not apply to mariners employed aboard vessels moored at U.S. facilities only when they are working immediately adjacent to their vessels in the conduct of vessel activities.16 This rulemaking applies to the abovedescribed vessels and facilities regulated by the Coast Guard pursuant to the authority granted in MTSA, and will further increase the security value of TWIC to the nation by making use of the statutorily-mandated biometric identification function and other security features. A complete statutory and regulatory history of this rulemaking can be found in Section III.B of the NPRM published on March 22, 2013.17 The TWIC program falls under the access control requirements as one component of MTSA. Since April 15, 2009, the TWIC has been used throughout the maritime sector for access to secure areas of MTSAregulated facilities and vessels. Its purpose is to ensure a vetted maritime workforce by establishing securityrelated eligibility criteria, and by requiring each TWIC-holder to undergo a security threat assessment from the TSA as part of the process of applying for and obtaining a TWIC. In addition to its visible security features, the TWIC stores two electronically readable reference biometric templates (i.e., fingerprint templates), a PIN, a digital facial image, authentication certificates, and a Federal Agency Smart Credential15 See 33 CFR 105.105(c). 33 CFR 105.105(d) and 106.105(b). 17 78 FR 17789. 16 See PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 57655 Number (FASC–N). These features enable the TWIC to be used in different ways for (1) card authentication, (2) card validation, and (3) identity verification. Card authentication ensures that the TWIC is not counterfeit. Security personnel can authenticate a TWIC by visually inspecting the security features on the card. An electronic reader provides enhanced authentication by performing a challenge/response protocol using the Certificate for Card Authentication (CCA) and the associated card authentication private key stored in the TWIC. The electronic reader will read the CCA from the TWIC and send a command to the TWIC requesting the card authentication private key be used to sign a random block of data (created and known to the electronic reader). The electronic reader software will use the public key embedded in the CCA to verify that the signature of the random data block returned by the TWIC is valid. If the signature is valid, the electronic reader will trust the TWIC submitted and will then pull the FASC–N and other information from the card for further processing. The CCA contains the FASC–N and a certificate expiration date harmonized to the TWIC expiration date. This minimizes the need for the electronic reader to pull more information from the TWIC (unless required for additional checking). The card validity check ensures that the TWIC has not expired or been cancelled by TSA, or reported as lost, stolen, or damaged. Security personnel can validate whether a TWIC has expired by visually checking the TWIC’s expiration date. Currently, a TSAcanceled TWIC is placed on TSA’s official CCL, which is updated daily. TSA’s CCL is available online at: https://universalenroll.dhs.gov/. Currently, the process of TWIC visual inspection does not require the security guard to compare the cardholder’s name to the CCL and therefore facilities do not know when specific card holders have had their credentials cancelled and may continue to grant access unknowingly. Using an electronic reader, card validity is further confirmed by finding no match on the CCL and electronically checking the expiration date on the TWIC. Checks against the CCL may be performed electronically by downloading the list onto a TWIC reader or integrated PACS. Identity verification entails comparing the individual presenting the TWIC to the same person to whom the TWIC was issued. Identity can be verified by visually comparing the photo on the TWIC to the TWIC-holder. Using an electronic reader, identity can be E:\FR\FM\23AUR2.SGM 23AUR2 57656 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 verified by matching one of the biometric templates stored in the TWIC to the TWIC-holder’s live sample biometric, matching to the PACS enrolled reference biometrics linked to the FASC–N of the TWIC, or requiring the TWIC-holder to place the TWIC into a TWIC reader (currently a PIN can only be accessed using a TWIC reader with a contact interface) and entering their PIN to release the digital facial image from the TWIC. This avoids the vulnerabilities of visual inspection by using the biometric capabilities mandated by Congress. V. Discussion of Comments and Changes to the Final Rule In response to publication of the March 22, 2013 NPRM, the Coast Guard received over 100 comment letters, consisting of over 1,200 unique comments. Commenters provided numerous opinions, arguments, questions, and recommendations regarding the proposed TWIC reader requirements. In this section, we describe the comments received, as well as how they influenced the decisions made in this final rule. Overall, we have grouped our discussion into five sections, as discussed below. In Section A, we address comments relating to the TWIC program generally, and electronic TWIC inspection specifically. This section includes comments relating to what the program’s purpose is, how it affects security, and how it is tailored to achieve these goals in the most costeffective and least-burdensome manner. We also discuss the risk analysis methodology in this section, in order to address comments relating to the specific types of threats the electronic TWIC inspection program is designed to combat. Sections B through D of this discussion respond to comments relating to the operational aspects of the electronic TWIC inspection program. Most comments received were of a practical nature, especially those asking for clarifications on exactly how the regulations would apply in a large variety of specific situations. Section B addresses the specific nature of what an ‘‘electronic TWIC inspection’’ is, including what must be carried out, how such an inspection can be carried out using a PACS, recordkeeping requirements arising from electronic TWIC inspections, and how specific problems, such as a misplaced TWIC, would be addressed in the regulations. Section C addresses when an electronic TWIC inspection must take place, including the specific locations on a facility or vessel where electronic VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 readers must be located, and the parameters of an RUA configuration. Section D responds to comments relating to the classification of vessels and facilities into Risk Groups, including questions relating to barge fleeting facilities, shifting Risk Groups, and the exemption from electronic TWIC inspection requirements for vessels with a low number of crewmembers. Items relating to the economic issues of electronic TWIC inspection are addressed in Section E. Comments on these issues related to the costs of TWIC readers, throughput times for TWIC transactions, and potential changes in security staffing needs. Finally, Section F addresses several miscellaneous issues. Primary among these issues are comments relating to the TWIC Pilot Program and the Government Accountability Office (GAO) report on TWIC readers, issued in 2013 shortly before publication of the NPRM and accompanying analysis.18 Additionally, this section addresses all other comments and questions that were not included in other sections. A. General Matters Relating to TWIC In response to the NPRM, the Coast Guard received a large variety of comments relating to the TWIC program. In this section, we begin with those comments that address the TWIC program as a whole. Multiple commenters expressed dissatisfaction with the TWIC program as a whole and suggested that it be dismantled. Many of these commenters noted that specific facilities or vessels had not been targeted by terrorists, and argued that the costs of the program were unnecessary. For a variety of reasons described extensively throughout this document, we believe that the targeted measures established in this final rule provide a cost-effective mitigation of various threats that could result in a TSI. For example, in the Regulatory Analysis (RA), we describe three hypothetical yet plausible scenarios in which an individual could gain access to a vessel or facility using a forged or stolen TWIC,19 threats that could specifically be reduced by electronic TWIC inspection. Congress has mandated, and we agree, that preventing unauthorized individuals from accessing secure areas of the nation’s transportation infrastructure is part of a necessary security program. While we also agree with many commenters who 18 ‘‘Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed’’ (GAO–13–198). 19 RA, p. 88. PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 suggested that it does not prevent every possible security threat, that is not the purpose of this final rule. The purpose of this final rule is to improve security at the highest risk maritime transportation-related vessels and facilities through the use of an electronic reader. One commenter criticized the Maritime Security Risk Analysis Model (MSRAM) threat analysis methodology, because it did not address the security issues raised by cargo containers, which include the potential for concealed threats within the containers. While we note that MSRAM does include scenarios associated with threats from cargo containers, for the purposes of the current analysis of electronic TWIC inspection, we limited our consideration to attack scenarios that require physical proximity to the intended target and for which access control would affect the ability to conduct an attack. Controlling access to a target is an essential component of security from such attacks because access control helps to detect and perhaps interdict or at least delay the attackers before they reach the target. TWIC readers enhance the reliability of access control measures, thereby increasing the likelihood of identifying and denying/delaying access to an individual or group attempting nefarious acts. For this reason, our analysis in this final rule focuses on threats that could be prevented or mitigated through use of electronic TWIC inspection. Concealed items or persons smuggled inside cargo containers are not attack scenarios that transportation worker identity verification (and electronic TWIC inspection in particular) addresses. Therefore, analyzing those scenarios would not be useful for this rule. Coast Guard regulations address security measures for those attack scenarios in other ways. Vessel and facility security plans must describe in detail how they meet all relevant security requirements, including the security measures in place for handling cargo.20 Multiple commenters expressed concern over the application process for obtaining a new or renewal TWIC, stating that delays have saddled workers with an undue burden. The Coast Guard understands the challenges encountered during the initial implementation of TWIC, and during the more recent surge of renewals. We note the progress that has been made in the TWIC application process since publication of the NPRM. 20 See 33 CFR 104.405; 33 CFR 105.405; 33 CFR part 104, subpart B; and 33 CFR part 105, subpart B. E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations Furthermore, we note that comments relating to the card application process are outside the scope of this rulemaking, which pertains to electronic TWIC inspection requirements only. One commenter sought clarification as to why the TWIC was not an acceptable form of identification for entry to U.S. Navy or Coast Guard bases, and stated that the TWIC should be recognized by the agency that is requiring its use within the maritime sector. This comment is also outside the scope of this rulemaking as it does not address TWIC readers or their application to maritime rather than Federal facilities (e.g., Coast Guard or Navy military bases). One commenter expressed concern with requiring electronic readers on vessels, stating that anyone boarding a vessel would need to first pass through a facility. The same commenter stated that seafarers should not be prevented from taking shore leave, and suggested that additional regulations be put in place to avoid unlawful charges to seafarers to transit facilities for shore leave. The Coast Guard understands these concerns and has applied this rulemaking to those vessels presenting the highest risk and to those vessels which, in most cases, will regularly visit international ports not regulated under MTSA. Additionally, Congress mandated seafarers’ access in section 811 of the Coast Guard Authorization Act of 2010. This mandate requires each Facility Security Plan to ‘‘provide a system for seamen assigned to a vessel at that facility, pilots, and representatives of seamen’s welfare and labor organizations to board and depart the vessel through the facility in a timely manner at no cost to the individual.’’ 21 The Coast Guard is currently conducting a separate rulemaking to implement section 811.22 Several commenters requested more flexibility within this final rule rather than a ‘‘one size fits all’’ approach. This final rule incorporates additional flexibility for vessel and facility operators in direct response to comments in which specific requests for flexibility were made. The Coast Guard wholly agrees that there is no ‘‘one size fits all’’ approach for maritime security given the vast range of facility and vessel operations which, in many cases, overlap or occur in close proximity to each other. This final rule moves to a 21 See the Seafarers’ Access to Maritime Facilities Notice of Proposed Rulemaking (79 FR 77981, 77985 (Dec. 29, 2014)). 22 The docket for the Seafarers’ Access rulemaking is available online at www.regulations.gov by entering ‘‘USCG–2013– 1087’’ in the Search box. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 more performance-based approach by defining the criteria for electronic inspection requirements that meet the TWIC access control measures. Additionally, this rule sets flexible baseline requirements for electronic reader implementation for those vessels and facilities. We believe that the increased flexibility will decrease the burden on industry by allowing the use of existing systems with minor modifications, increasing the pool of available electronic reader technology, and allowing the individual operators to determine the approach to meet the regulatory requirement that best facilitates their business needs. Some commenters suggested that the TWIC should be a standardized credential that can be used at multiple facilities, and that having this Federal credential should be a standard credential, rather than requiring truck drivers and others who need access to secure areas to obtain individual sitespecific badges. The commenters argued that the use of the credential could alleviate redundant and overlapping background checks for workers, such as drivers, that access multiple facilities. We partially agree with this argument, but believe we should elaborate more closely on the role that TWIC and other identification credentials play in ensuring security at maritime facilities. We disagree with the suggestion that the TWIC should be used as an ‘‘all-access’’ credential that would override the property rights and security responsibilities of vessel and facility owners. We believe (like many other commenters), that possession of TWIC should not automatically grant an individual access to secure areas because the mere possession of a TWIC does not entitle the holder to access another person’s property. The decision to grant access to a secure area of a vessel or facility appropriately lies with the owner or operator of that vessel or facility. We expect vessel and facility operators to limit access to their secure spaces to those who need such access, and to ensure that only those with a valid TWIC are granted unescorted access. However, we note that controlling access to facilities can be carried out in several ways. For example, a facility may grant unescorted access to employees who enter the facility multiple times per day on a regular basis, and also grant access to truck or bus drivers who may only enter the facility on an occasional basis. Such a facility may use different ways to control access, and ensure that all individuals granted unescorted access possess a valid TWIC. The facility may PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 57657 vary how it does this depending on the operator’s business needs and on the reasons why different individuals are requesting unescorted access. In this example, the facility might have one entrance for employees who use a PACS card to enter secure areas of the facility, and have another entrance for truck or bus drivers, who would present a TWIC for inspection. A single access point could also contain both a PACS reader and a TWIC reader, the latter for use by contractors or visitors who may not have been issued a facility-specific access card. In this final rule we have granted flexibility that allows operators to use a variety of means to grant unescorted access, including the use of the TWIC as a means of identification. However, this final rule does not require operators to grant unescorted access to any TWICholder. As is currently the case, access to any vessel or facility is granted by the owner or operator, who has the authority and responsibility to determine if the individual requesting access has a legitimate business purpose. 1. Purpose and Efficacy of the TWIC Program Several commenters questioned the overall efficacy of the TWIC program, questioning whether the program, with or without electronic readers, does anything to improve security. The Coast Guard understands that there have been many challenges with the implementation of the TWIC program, but does believe that TWIC has improved access control at vessels and at maritime facilities across the country. The TWIC program’s single standard and nationwide recognition is intended to ensure a secure, consistent biometrically enabled credential, and facilitate an efficient, resilient, mobile transportation workforce during routine and emergency situations. However, an individual successfully obtaining a TWIC is only the first half of a two-part process. First, vessel and facility security personnel must determine that an individual possesses a valid TWIC, meaning that they have been vetted. Second, they must verify the individual’s authorization for entering a vessel or facility before granting the person unescorted access. As mentioned above, the mere possession of a valid TWIC alone is not sufficient to gain the holder of that credential access to secure areas on vessels or facilities across the country. The TWIC provides a means by which a vessel or facility security officer can determine that an individual has been vetted to an established and accepted standard. This determination E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57658 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations helps inform the vessel or facility security officer’s decision to grant unescorted access to an individual. Vessel and facility personnel may then evaluate a TWIC-holder’s authorization and determine whether the TWICholder should be granted unescorted access. One commenter took issue with a statement in the NPRM that read ‘‘TWIC readers will not help identify valid cards that were obtained via fraudulent means, e.g., through unreported theft or the use of fraudulent IDs.’’ 23 The commenter stated that TWIC readers can identify cards that were obtained through unreported theft of the TWIC card by performing biometric identification of the TWIC-holder. We believe the commenter misunderstood the statement in the NPRM, which referred to the use of fake or stolen (but unreported) identification documents, such as drivers licences and birth certificates, to fraudulently obtain an authentic TWIC from the TSA. The use of such fraudulently acquired, but genuine TWICs was one issue highlighted by the GAO and by several commenters as a shortcoming in the TWIC program, and we acknowledge that the use of electronic TWIC inspection will not address that particular scenario. However, we agree with the commenter that if a valid TWIC was stolen after it was produced, electronic TWIC inspection would help to identify such a card if an unauthorized person attempted to use it. Although visual TWIC inspection could also detect such unauthorized use, electronic TWIC inspection would do so more effectively by using the TWIC’s biometric and other security features. Some commenters argued that visual TWIC inspection does not provide ‘‘adequate security,’’ and that electronic TWIC inspection should be the standard procedure for all TWIC inspections, rather than used only for high-risk vessels and facilities. The commenter made several arguments as to why visual TWIC inspection should not be used. The commenter quoted guidance from the National Institute of Standards and Technology (NIST), issued with regard to identification for Federal employees when entering Federal facilities, which stated that visual inspection of an identification card offers little to no assurance that the claimed identity of the individual matches the identification. The commenter stated that visual inspection is a weak authentication mechanism and does not provide the level of assurance that an electronic inspection 23 78 FR 17787. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 can provide. Another commenter cited the 2011 GAO report on the TWIC program, which stated that visual TWIC inspection was not a particularly effective means of identity verification.24 While we agree that electronic TWIC inspection provides a more reliable means of identity verification than visual TWIC inspection, we disagree with the assertion that the visual inspection provides no security benefit. Many industries rely on photographic identification cards to verify a cardholder’s identity before granting access to accounts or locations. Some situations may require, and justify the cost of, additional layers of security. For example, the heightened risk at Risk Group A vessels and facilities warrant the greater security afforded by electronic TWIC inspection, along with the attendant costs. As explained in this preamble and the accompanying RA, we do not believe such costs are justified for vessels and facilities outside of Risk Group A at this time. The commenter made several other arguments relating to visual TWIC inspection. First, the commenter noted that there is no way for visual TWIC inspection to determine if a TWIC has been cancelled. While we agree that visual TWIC inspection will not perform an electronic check against the TSA’s list of cancelled TWICs, we disagree with the suggestion that visual inspection has no value in performing the card validity check. Security personnel perform the basic card validity check to ensure that a TWIC has not expired by checking the card’s expiration date. A TWIC reader does the same validity check electronically, but will further confirm card validity by finding no match on the list of cancelled TWICs. We explain in the RA that the costs associated with this added layer of security are warranted only for Risk Group A vessels and facilities. The commenter also stated visual TWIC inspection creates vulnerability because it relies on a ‘‘repetitive human process,’’ where the staff may become distracted or less attentive. While we agree generally that electronic TWIC inspection is more reliable than visual TWIC inspection, we disagree with the suggestion that visual TWIC inspection is unreliable. We are requiring TWIC readers for Risk Group A, in part, due to the potentially reduced human error that TWIC readers afford. As explained in the RA, that added benefit does not outweigh the costs associated with requiring TWIC readers outside of Risk Group A at this time. One commenter stated that the background check does not ensure that facilities are protected from crime. The Coast Guard agrees that crimes can still be committed despite background checks, although we note that MTSA specifically prohibits certain persons with extensive criminal histories from receiving TWICs.25 However, the purpose of requiring electronic TWIC inspection is not to prevent all crime, but to prevent TSIs at high-risk vessels and maritime facilities. In that regard, we believe that TWIC is a critical part of the layered approach to port security because it establishes a minimum, uniform vetting and threat assessment process for mariners and port workers across the country aimed at preventing a TSI. The existing TWIC Program ensures that workers needing routine, unescorted access to secure areas of facilities and vessels undergo lawful status checks (for non-U.S. citizens) and that they are vetted against a specific list in statute of terrorism associations and criminal convictions.26 It provides a standard baseline for determining an individual’s suitability to enter the secure area of a vessel or facility regulated under the MTSA. We note that the program does not exclude everyone with a criminal record and that most, but not all, of the permanent disqualifying crimes for a TWIC can be waived in extraordinary circumstances.27 However, there are aggressive procedures to remove a TWIC from any TWIC-holder found to have committed one of these crimes after receiving their TWIC, or to remove a TWIC from a TWIC-holder who is later added to any of the terrorism associated databases. Multiple commenters suggested that the risk analysis for the NPRM did not adequately address cargo containers and the related cargo container facilities. One commenter suggested that container terminals were the primary focus of the enactment of the MTSA and SAFE Port Act, yet they are not subject to the highest level of TWIC scrutiny. The Coast Guard disagrees that container terminals were the primary focus of the Acts, noting that there was substantial discretion permitted by the statutory language to implement electronic TWIC inspection requirements. We reiterate that with regard to threats carried within cargo 24 GAO–11–657, ‘‘Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives’’ 25 See 46 U.S.C. 70105(c) for the list of disqualifying criminal offenses. 26 46 U.S.C. 70105 and 49 CFR 1572.103. 27 46 U.S.C. 70105 and 49 CFR part 1515. PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations containers, electronic TWIC inspection is not particularly effective for threat mitigation since scenarios involving container contents (e.g., weapons, personnel) in an attack in the United States do not require access to the container inside the secure area. The risk analysis evaluated the consequence of an attack on the maritime facilities themselves, deeming it reasonable to confine attack scenarios to the facility because offsite scenarios (e.g., transfer of container contents) are not mitigated by TWIC, but are instead the focus of additional layers of protections in the larger MTSA regulatory regime. Based on the MSRAM calculations relating to the effect of an attack on a cargo container facility, the efficacy of electronic TWIC inspections in disrupting such attacks, and considering the costs of requiring electronic TWIC inspections, we arrived at the conclusion that it would not be the most cost-effective approach to improving public safety to require electronic TWIC inspection at these facilities at this time. We would refer interested parties to the accompanying RA for a detailed discussion of alternative regulatory approaches considered in this rulemaking. Furthermore, we note that under existing guidance, any facility not covered by this final rule may implement electronic TWIC inspection on a voluntary basis for any reason. One commenter stated that the classification for large general cargo container terminals was counterintuitive, because disruption to any one of these facilities could have significant negative consequences for the nation’s economy. We understand the commenter’s perspective. However, for this rule, as part of the MSRAM analysis, we evaluated the risk of a TSI that (1) occurs at cargo container facilities and (2) would be less likely to occur through TWIC reader implementation, and for these scenarios, the likelihood of long-term disruptions to the nation’s economy is assessed to be minimal. One commenter suggested that not placing container terminals in Risk Group A, and thus not requiring electronic TWIC inspection, would threaten the supply chain by allowing TWIC-holders, who have subsequently been determined by the TSA to be a security threat to the United States, to have unescorted access to the nation’s critical infrastructure with impunity. We disagree that not placing container facilities in Risk Group A is tantamount to exposing those facilities to security threats. We note that the general TWIC requirements located in § 101.515, which prohibit those who do not hold VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 a valid TWIC from receiving unescorted access to a secure area, is still effective for these facilities. Container facilities may voluntarily institute requirements for electronic verification, for example, for business reasons. Furthermore, such facilities are subject to spot checks by the U.S. Coast Guard where such invalidated TWIC-holders could be discovered through the use of portable TWIC readers by Coast Guard personnel. One commenter suggested that terrorists might use a small facility to transport a weapon, thus bypassing electronic TWIC inspection programs. Pursuant to existing requirements, unescorted access to a secure area of any MTSA-regulated maritime facility requires a TWIC, so all workers seeking unescorted access, not just those at high-risk facilities, are subject to background checks. However, we note that electronic TWIC inspection is not designed to directly protect against smuggling, including the smuggling of terrorist weapons. Electronic TWIC inspection is designed to ensure that unauthorized persons, who have not been provided a TWIC, are not provided unescorted access to high-risk vessels and facilities. Many, if not most, smuggling scenarios do not require adversary access to secure areas for success, and thus the enhanced access control afforded by electronic TWIC inspection does little to reduce the risk for these scenarios. One commenter added that facilities are poor targets for terrorist attacks and thus, screening workers on those facilities adds little value. We disagree, and note that we have tailored this rule to specifically encompass only those maritime facilities where the dangers of a TSI are heightened, such as those that handle or receive vessels carrying CDC in bulk. We have determined that the facilities in Risk Group A could be attractive targets for terrorist attacks due to the substantial loss of life and environmental effects that could result from a TSI. Furthermore, we tailored the requirements to only require electronic TWIC inspection when such inspection would have a substantial effect on reducing the likelihood of such an attack (the ‘‘TWIC utility’’ prong of the risk analysis, described in detail in the NPRM). See 78 FR 17791. 2. Risk Analysis Methodology Multiple commenters expressed concern with the risk analysis for this rulemaking. While we have considered the commenters’ concerns, our risk analysis model remains unchanged from that proposed in the NPRM. We believe that the existing risk analysis model, which considered a wide range of PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 57659 targets, attacks, and consequences, remains the most comprehensive and logical means available to implement the electronic TWIC inspection program. In this process, the Coast Guard analyzed 68 distinct types of vessels and facilities using the MSRAM database based on their purposes or operational descriptions. The Coast Guard initially separated this list of vessels and facilities into proposed Risk Groups A, B, and C in the ANPRM and have ultimately used this baseline to inform the classification of Risk Group A vessels and facilities in this final rule. We identify these vessels and facilities as those that can best be protected by electronic TWIC inspection. The risk analysis methodology used in this rulemaking consists of three distinct analytical factors. The first factor, which we described in the NPRM as the ‘‘maximum consequences to [a] vessel or facility resulting from a terrorist attack,’’ is the direct consequence of a type of attack that could be prevented or mitigated by use of electronic TWIC inspection. This factor was assessed for each class of vessel and facility. The second factor, which we described as the ‘‘criticality to the nation’s health, economy, and national security,’’ considered the impact of the loss of a vessel or facility beyond the direct consequences, taking into consideration regional or national impact on health and security. Finally, we considered TWIC utility, which we describe as the effectiveness of the TWIC program in reducing a vessel or facility’s vulnerability to a terrorist attack.’’ It is important to note that the electronic TWIC inspection program is not the only security measure protecting vessels and maritime facilities, and is not designed to counter every conceivable threat to them. In the preliminary RA, we explained that there were three specific attack scenarios most likely to be mitigated by electronic TWIC inspection, and thus used in our analysis. These scenarios were: (1) A truck bomb, (2) a terrorist assault team, and (3) an explosive attack carried out by a passenger or passerby (with the specific caveat that the terrorist is not an ‘‘insider’’).28 While several commenters criticized certain aspects of the TWIC program for not countering additional threats, we note that benefits outside the scope of the above threats were not considered to be likely successes of the TWIC program and were not considered in our analysis. One commenter suggested that the truck bomb scenario was unrealistic, as it would be easier to 28 Preliminary E:\FR\FM\23AUR2.SGM 23AUR2 RA, p.72. sradovich on DSK3GMQ082PROD with RULES2 57660 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations place a bomb in a container itself. We note that these are two distinct scenarios, and that the risk identified in the latter scenario is one that is not mitigated by electronic TWIC inspection. The first factor of the analysis was the most comprehensive, which was to determine the direct primary and secondary consequences of the total loss of a vessel or facility. To conduct this stage of the analysis, we used MSRAM data. MSRAM collects data from a wide variety of vessels and facilities and includes calculations of damages for each individual vessel or facility. The damages incorporated into the MSRAM analysis include: (1) Death and serious injuries; (2) direct property damage and the costs of business interruptions; (3) environmental consequences; (4) national security consequences; and (5) secondary economic consequences, such as damage done to the supply chain.29 To finish the first stage of analysis, we aggregated the MSRAM data from the individual vessels and facilities into averages for each of the 68 identified classes. The second factor in the analysis considered the impact of the total loss of the vessel or facility beyond the immediate local consequences. This involved examining the regional and national effects of such a loss on the state of human health, the economy, and national security. The third factor in the analysis focused on the effectiveness of the TWIC program in actually reducing the vessel or facility class’ vulnerability to a terrorist attack. In instances where electronic TWIC inspection would substantially reduce the effect or likelihood of an attack, this factor was assigned a greater value. Once the three analytical factors were determined, the Coast Guard combined the scores using the Analytic Hierarchy Process (AHP), developing a total score that combined the severity of an attack and the effectiveness of the TWIC program in countering that attack for each of the classes of vessels and facilities. These overall rankings were then used to determine the Risk Groups used in developing this rulemaking. We believe that this approach used in this risk analysis methodology is highly effective, and represents the best method available for assessing the benefits of the electronic TWIC inspection program to the specific vessels and facilities under consideration. One commenter suggested that the Coast Guard should not finalize this rule, and that a panel of private industry 29 Preliminary VerDate Sep<11>2014 RA, p.75. 19:12 Aug 22, 2016 Jkt 238001 representatives should be included in an objective review of where the risks and vulnerabilities are in order to develop the best tool for mitigation. The Coast Guard has taken a collaborative approach toward developing this final rule, and has considered information from numerous stakeholders in this rulemaking, including the large number of comments on both the ANPRM and NPRM. As a result, the Coast Guard has amended this final rule, targeting the affected population to those vessels for which the use of electronic TWIC inspection provides the greatest benefit at minimum cost. This would not have been possible without the extensive public input received. One commenter suggested that previous risk assessments of their operation had never identified a scenario in which rogue employees played a role. We do not agree with the commenter that this weakens the case for the implementation of electronic TWIC inspection requirements. We note that ‘‘rogue employees’’ (no precise definition of this term was supplied, but we assume it means an employee who intends to carry out a TSI) are unlikely to be a threat mitigated by this final rule. This final rule is primarily designed to identify and intercept those adversaries who are not employees, but are attempting to use a stolen or otherwise invalid card to gain access to a secure area. A ‘‘rogue employee’’ with a valid TWIC would not be intercepted by electronic TWIC inspection. The ‘‘rogue employee’’ scenario is partially addressed by the security threat assessment that each employee must undergo before obtaining a TWIC, and is also addressed by other layers of security. For example, 33 CFR 104.285 and 105.275 require owners and operators to have the capability to continuously monitor their vessels and facilities through the use of lighting, security guards, waterborne patrols, automatic intrusion devices, or surveillance equipment. The same commenter asserted that there are no facts, objective risk assessments, or examples provided to support how a TWIC reader would enhance security absent a known risk or vulnerability. Additionally, the commenter broadly suggested that an owner or operator should be allowed to self-assess and determine its own risk group category after taking into account the security measures already in place at their own location. We disagree with both comments. MSRAM is a fact-based, objective tool for assessing TSI risk in the maritime domain. MSRAM incorporates specific examples of vessels and facility types and various PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 attack modes. As explained in great detail in the ANPRM, NPRM, and elsewhere in this preamble, MSRAM is an analysis tool designed to estimate risk for potential terrorist targets. We consider MSRAM to be the best available tool for determining which vessels and facilities should be considered high-risk for the purpose of TWIC reader requirements. Because electronic TWIC inspection is generally more reliable than visual TWIC inspection, TWIC readers enhance access control more than visual inspection, increasing the likelihood of identifying an aggressor and denying access to secure areas. While the above rationale applies generally to Risk Group A, the Coast Guard also recognizes that the nature or operating conditions of certain vessels and facilities may warrant a waiver from certain regulatory requirements. The existing regulations in 33 CFR 104.130 and 105.130 provide that owners and operators may apply for a waiver of any requirement of the security regulations in 33 CFR parts 104 and 105 (including the TWIC reader requirements) in appropriate circumstances and where the waiver will not reduce overall security. Several commenters noted that while the Coast Guard used the MSRAM data to conduct its risk analysis, a number of TWIC Pilot Program participants were not contacted during this assessment. They argued that these participants could have provided local knowledge to produce supportable conclusions relative to risks and risk mitigation strategies in particular locations. We believe that these commenters misunderstand how MSRAM data were used. The Coast Guard carefully reviewed the pilot project in writing this final rule. MSRAM datawere used to help determine the consequences of a TSI. This was one factor used in determining the overall risk to the various classes of facilities analyzed in the Coast Guard’s risk analysis. The Coast Guard uses MSRAM in a variety of risk analysis applications and does not engage in discussion with each participant every time the data are utilized. Some commenters also argued that they were the subject of several counterterrorism studies, and that these studies had not identified TWIC as risk mitigation tool, nor had they identified a scenario in which an employee bringing harm to a ferry was an identified vulnerability. These studies were not provided by the commenter but, from their descriptions, seem to have focused on risks other than those posed by persons impersonating E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations employees. We note that while previous studies may not have identified TWIC as a risk mitigation tool, we have considered various scenarios in which electronic TWIC inspection would mitigate risk, and used them as the basis for our risk analysis. Furthermore, we note that electronic TWIC inspection is not designed to prevent a valid and cleared employee from bringing harm to a vessel or facility. Instead, it is specifically designed to prevent access to a secure area by an unauthorized person who is attempting to gain access by using a stolen or counterfeited TWIC. We believe that electronic TWIC inspection is an appropriate and costeffective tool to mitigate such risks. sradovich on DSK3GMQ082PROD with RULES2 B. Electronic TWIC Inspection Electronic TWIC inspection is the process by which the TWIC is authenticated, validated, and the individual presenting the TWIC is matched to the stored biometric template. This process consists of three discrete parts: (1) Card authentication, in which the TWIC at issue is identified as an authentic card issued by the TSA; (2) the card validity check, in which the TWIC is compared to the TSA-supplied list of cancelled TWICs 30 to ascertain that it has not been revoked, and is not expired; and (3) identity verification, in which the TWIC is matched to the person presenting identification through use of a biometric template stored on the TWIC. The purpose of electronic TWIC inspection is to improve the inspection of TWICs, as compared to visual TWIC inspection. We note that visual TWIC inspection accomplishes the same three 30 We note that at this time, this list is the Cancelled Card List (CCL). However, there are also several specific Certificate Revocation Lists maintained by TSA, which differ from the CCL. In order to provide a regulation that is flexible in terms of future technology adaptations, in this final rule, we have described the list in the regulatory requirement generically as the ‘‘list of cancelled TWICs.’’ See sections 101.520(b) and 101.525 of the final rule regulatory text. This allows TSA to continue to use the CCL, but will also allow additions from various Certificate Revocation Lists if and when that becomes feasible and efficient. Any such change in the list of cancelled TWICs would be a ‘‘back end’’ change on TSA’s part and would not impact the burdens or operations of private parties, who would still only be required to check a TWIC against the list as part of the card validity check. In this document, we generally refer to the ‘‘list of cancelled TWICs’’ when referring to the regulatory requirements in the final rule, while still using the ‘‘CCL’’ terminology when discussing comments on the Cancelled Card List or discussions in the NPRM that used that terminology. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 tasks as electronic TWIC inspection, but in different ways, and generally not as thoroughly or reliably as electronic TWIC inspection. Visual card authentication is accomplished by visually inspecting the security features on the card (such as the watermark). A visual card validity check is accomplished by checking the expiration date on the face of the card, although there is no way to visually check if the TWIC has been revoked by the TSA since it was issued. Finally, visual identity verification is conducted by comparing the photograph on the TWIC with the individual’s face. Electronic TWIC inspection improves upon the visual inspection checks, and adds two additional benefits. In electronic TWIC inspection, the authenticity of the card is verified by issuing a challenge/response to the TWIC’s unique electronic identifier, called a Card Holder Unique Identifier (CHUID). The card’s validity is determined by checking the TWIC against the most recently updated list of cancelled TWICs. Finally, the identity of the TWIC-holder is verified by matching the biometric template stored on the TWIC to the individual’s biometrics. Each of these methods is an improvement upon visual TWIC inspection as the electronic TWIC inspection uses methods of validation that are not easily manipulated through means such as counterfeiting or altering the surface of the TWIC. Additionally, electronic TWIC inspection ensures that the card being presented has not been invalidated by a means other than being expired, such as the card having been reported lost, or the TWIC being revoked due to a criminal conviction. TWIC inspection, either electronic or visual, provides a baseline of information to determine who may be provided unescorted access to secure areas of MTSA-regulated vessels and facilities. While not every TWIC-holder is authorized unescorted access, the TWIC ensures that facility security personnel do not grant unescorted access to individuals that have not been vetted or have been adjudicated unfit for access to secure areas. Several commenters suggested that the sole purpose of TWIC is for a worker to be vetted through security and criminal checks, and that access control is not a purpose of the TWIC program. We disagree with this description of a fundamental principle of the TWIC PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 57661 program. The controlling statute, 46 U.S.C. 70105(a)(1) reads, in part, ‘‘[t]he Secretary shall prescribe regulations to prevent an individual from entering an area of a vessel or facility that is designated as a secure area . . . unless the individual holds a transportation security card issued under this section. . .’’. This is a clear mandate for an access control program. We have implemented this mandate by requiring maritime workers to obtain a TWIC, and by requiring owners and operators to inspect each individual’s TWIC prior to granting access to secure areas. Using the biometric template, TWIC provides a highly secure means for security personnel to verify the identity of an individual seeking access to a secure vessel or facility and implementing this core requirement of the MTSA. In this final rule, we are revising the regulatory text to add flexibility and more accurately reflect the electronic TWIC inspection process. In the NPRM, we did not describe the process as ‘‘electronic TWIC inspection,’’ but stated in proposed § 101.520(a) that ‘‘all persons must present their TWICs for inspection using a TWIC reader, with or without a . . . PACS. . .’’. 31 In this final rule, we are modifying the process from presentation of a TWIC to a TWIC reader to the concept of electronic TWIC inspection. As stated below, and as defined in section 101.105 of this final rule, ‘‘Electronic TWIC inspection’’ means the process by which the TWIC is authenticated, validated, and the individual presenting the TWIC is matched to the stored biometric template. In doing so, we have laid out the exact requirements for this process in revised § 101.520. In this section, we address the comments and concerns submitted in response to the NPRM, and describe in detail how electronic TWIC inspection will work in a wide variety of operational situations. Table 2 provides a summary of the acceptable implementation options for owners and operators to perform electronic TWIC inspection. The owner or operator of a vessel or facility must ensure the options chosen to meet the electronic TWIC inspection requirements perform the required card authentication, card validity, and identity verification required in revised § 101.520. 31 78 E:\FR\FM\23AUR2.SGM FR 17829. 23AUR2 57662 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations TABLE 2—IMPLEMENTATION OPTIONS Option Description TWIC Reader (QTL) ............. Owner/operator uses a TWIC reader listed on TSA’s QTL. To gain entry to a secure area, employee presents TWIC and biometric for electronic inspection. Owner/operator uses a TWIC reader that adequately performs the three required electronic checks (card authentication, card validity check, identity verification). To gain entry to a secure area, employee presents TWIC and biometric for electronic inspection. Similar to non-QTL TWIC reader, except the Transparent Reader does not independently perform card validation, card authentication, and identity verification. Instead, the Transparent Reader transmits information from the employee’s TWIC and biometric to a back end system containing software that performs the TWIC check. Once the TWIC check is complete, the back end system shall perform what processes are required to either grant or deny access. Employee is issued a facility access card after initially registering employee’s TWIC and biometric into the facility’s access control database. To gain entry to a secure area, employee presents facility access card and biometric for electronic inspection to match against employee’s record in the facility’s database. Employee’s TWIC and biometric are initially registered into the facility’s access control database. To gain entry to a secure area, employee presents biometric (e.g., fingerprint) for electronic inspection to match against employee’s record in the facility’s database. TWIC Reader (non-QTL) ..... Transparent Reader ............. PACS (with facility access card). PACS (with biometric only) .. 1. Electronic TWIC Inspection Does Not Necessarily Require a TWIC Reader sradovich on DSK3GMQ082PROD with RULES2 Many commenters expressed concerns regarding the costs of purchasing, installing, and using TWIC readers that have been approved by the TSA. They argued that the costs of the TWIC readers were high, and that there were problems with the reliability of TWIC readers and cards. Many commenters requested that the Coast Guard extend guidance issued in Navigation and Vessel Inspection Circular (NVIC) 03–07 and Policy Advisory Council (PAC) Decision 08– 09, change 1, in which we outlined how an existing PACS could be used in lieu of a TWIC reader until the TWIC final rule was issued. In NVIC 03–07, we described how TWIC could be incorporated into an access control system even if the person accessing the secure area did not physically use the TWIC as an access control card. We stated that: Example: A facility employee who possesses a valid TWIC is registered into the facility’s access control database and is issued a facility access card after the TWIC is verified visually as described in 3.3 a. (7) [of NVIC 03–07]. To gain entry into a secure area, the employee inserts or scans his/her facility access card at a card reader, which verifies the access card as a valid card for the facility. The TWIC does not need to be used as a visual identity badge at each entry once the facility-specific card is issued. The card reader then verifies the individual by matching the facility access card to the individual’s record in the facility database and allows access to secure areas as dictated by the permissions established by the owner/ operator in the access control system. By virtue of the fact that the employee would not be issued a vessel or facility-specific card without first having a TWIC, the requirement VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 to possess a TWIC for unescorted access to secure areas is met.32 Many commenters noted, and we are aware that, the proposed regulatory text in the NPRM was worded in such a way that rendered this method of compliance impossible. The proposed regulatory text in § 101.520(a)(1) stated ‘‘Prior to each entry, all persons must present their TWICs for inspection using a TWIC reader, with or without a physical access control system (PACS), before being granted unescorted access to secure areas.’’ 33 Similarly, proposed §§ 101.525 and 101.530 required visual inspections of TWICs before permitting access. Many commenters took issue with the change in approach from current requirements as described in the NVIC. In this final rule, we are revising the regulatory text to allow electronic TWIC inspection to be conducted by either a TWIC reader or a PACS at vessels and facilities. This regulatory language will supersede previous guidance documents such as PAC 08–09, change 1 and NVIC 03–07. Under the new language in revised section 101.520 we are providing greater flexibility on the type of equipment used, as long as the three parts of electronic TWIC inspection are performed satisfactorily. Multiple commenters discussed the scenario where an owner or operator has a PACS which cross-checks successful electronic TWIC inspections against employment records and other internal security systems and records to verify that the cardholder works for the company, holds current certifications, and should be allowed into the facility. As explained in this document in 32 Enclosure (3) to NVIC 03–07, p. 1515 (Available in the docket by following the instructions in the ADDRESSES section of this preamble). 33 78 FR 17829. PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 Section V.B., such a system could meet the requirements for electronic TWIC inspection as revised for this final rule. Two commenters at a public meeting suggested that if a facility could prove its PACS is superior to the TWIC requirements, then the facility should be exempt from them. Similarly, other commenters suggested alternatives the Coast Guard could require, including a color-coded system analogous to the former Homeland Security Advisory System. In this final rule, we are not providing a generalized exemption from electronic TWIC inspection requirements as suggested by the commenters. However, as explained, such requirements can be performed by a PACS, thus potentially eliminating the need for these particular commenters to purchase entirely new equipment or the need for an exemption from the electronic TWIC inspection requirements. Multiple commenters stated that it would be more cost effective in some cases to purchase one or two stationary TWIC readers, but also to purchase several portable TWIC readers for multiple temporary gates or entrances. One commenter asked whether the final rule requires fixed card readers at every point of access, even a temporary or infrequently used one. The same commenter asked whether portable TWIC readers would meet the TWIC reader requirements on an OCS facility. We clarify that neither the NPRM nor final rule required stationary TWIC readers. The final rule, as described above, allows for flexibility in terms of equipment. The arrangements the commenters suggested could all be accommodated by this final rule. In this final rule, we are removing prescriptive requirements regarding the permanence, type, and placement of electronic readers. If a E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 vessel or facility has an existing access control system, of any variety, whose electronic readers perform the requirements of the electronic TWIC inspection (including identity verification), and are approved under the relevant security plan, then the PACS is permissible. In response to the many comments we received on this issue, in this final rule, we are substantially altering the TWIC reader requirements to accomplish the goals set out by the TWIC reader program, but in a manner that provides more flexibility in terms of how those goals are met. The requirements in this final rule are designed to allow as much flexibility in design of an access control system as possible while still achieving the goals of the TWIC reader program. We believe that the increased flexibility offered by the revised, performance-based regulations is responsive to the many commenters who described existing access control systems that they believe are better suited for their individual vessels and facilities than those proposed in the NPRM. Under these final regulations, a system that accomplishes the goals of the TWIC program and uses the three electronic checks mandated by the regulation will be considered by the Coast Guard when reviewing the security plans. As long as the Coast Guard agrees that the proposed security plan accomplishes the goals in a robust fashion, we will not limit the choices of the means to do so. 2. Integrating Electronic TWIC Inspection Into a PACS NVIC 03–07 and PAC 08–09 change 1 explain that they are valid guidance until a TWIC reader final rule is issued, but many commenters requested that these documents remain valid even after the final rule becomes effective. Because this final rule significantly changes the TWIC inspection process for Risk Group A vessels and facilities, the TWICspecific guidance provided in those documents will not continue to apply to Risk Group A. However, because we are not making any changes to the TWIC requirements for those vessels and facilities not in Risk Group A, the guidance documents still retain their validity with regard to those entities. We will update and post these guidance documents online at https:// homeport.uscg.mil/ prior to the effective date of this final rule. In this final rule, we no longer require facility and vessel operators to use a TWIC reader listed on the QTL each time a person is granted unescorted access to a secure area. Instead, we are permitting multiple options as VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 previously described, including the use of a PACS approved in the required Facility Security Plan (FSP) or Vessel Security Plan (VSP), if the PACS can perform the electronic TWIC inspection requirements. Example: A facility employee who possesses a valid TWIC is registered into the facility’s access control database and is issued a facility access card after the TWIC is verified in accordance with 33 CFR 101.530. After the TWIC and holder of the TWIC are validated to ensure the TWIC is issued by TSA and the holder of the TWIC is bound to the TWIC, a biometric template of the employee is taken and stored on the facility access control system. To gain entry into a secure area, the employee inserts or scans his or her facility access card at a card reader, which verifies the access card as a valid card for the facility. The card reader then matches the facility access card to the employee’s record in the facility database. A biometric sample from the employee is taken and matched to the associated biometric template stored on the facility’s access control system. The facility’s access control system then checks the TWIC’s CHUID to assure that the TWIC is still valid (unexpired) as well as checks the list of cancelled TWICs to ensure that it has not been cancelled for any other reason. Upon verification that the TWIC is valid and the employee’s biometric matches the associated template, the facility access control system allows access to secure areas as dictated by the permissions established by the owner or operator in the access control system. By virtue of the fact that the employee would not be issued a facility-specific card without first having a TWIC, the requirement to possess a TWIC for unescorted access to secure areas is met. The requirement for a biometric match of the employee is met through the performance of a match to the biometric template stored on the facility access control system. We note that the requirement for electronic TWIC inspection can be met even without the use of any sort of card reader, so long as the three parts of the electronic TWIC inspection are met. Such a system could be designed to use an individual’s biometric check as a means of identification, such as described below. Example: A facility employee who possesses a valid TWIC is registered into the facility’s access control database and a biometric template of the employee is taken and stored on the facility access system. (We note that this is done after the TWIC and holder of the TWIC are validated to ensure the TWIC is issued by TSA and the holder of the TWIC is bound to the TWIC). To gain entry into a secure area, the employee presents a biometric (e.g., fingerprint) to a biometric reader connected to the facility’s access control system. The access control system identifies the employee from the fingerprint and then matches it to the biometric template and the employee’s TWIC information in the facility database. The facility’s access control system then checks PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 57663 the TWIC’s CHUID to assure that the TWIC is still valid (unexpired) as well as checks the list of cancelled TWICs to ensure that it has not been revoked for any other reason. Upon verification that that the TWIC is valid and the employee’s biometric matches the associated template, the facility access control system allows access to secure areas as dictated by the permissions established by the owner or operator in the access control system. By virtue of the fact that the employee would not be entered into the facility’s access control system without first having an authenticated TWIC, the requirement to possess a TWIC for unescorted access to secure areas is met. The requirement for a biometric match of the employee is met through the performance of a match to the biometric template, in this case a fingerprint stored on the facility access control system. Additionally, we note that although a biometric template is the particular biometric measurement used in the TWIC application process, an alternative biometric may be used to perform the identity verification check required by the regulations so long as the method is approved in the security plan. For example, as two commenters suggested, a vascular scan could be stored on a facility’s access control system instead of a fingerprint, which could be useful in situations where some employees have difficult-to-read fingerprints. a. List of Acceptable TWIC Readers In the NPRM, the Coast Guard proposed that only certain TWIC readers would be permitted to be used for purposes of electronic TWIC inspection. As stated above, proposed § 101.520(a)(1) read, ‘‘[p]rior to each entry, all persons must present their TWICs for inspection using a TWIC reader, . . .’’. The term ‘‘TWIC reader’’ was defined in proposed § 101.105 as ‘‘an electronic device listed on TSA’s Qualified Technology List . . .’’. Thus, by operation of the proposed regulatory text, TWIC readers listed on the QTL would be required at access points to secure areas on facilities and at the entrances to vessels requiring electronic TWIC inspection. TSA had not published the QTL at the time of publication of the NPRM. Thus, in its discussion regarding the types of approved TWIC readers, the NPRM reiterated guidance from PAC–D 01–11 regarding the use of TWIC readers to meet the existing regulatory requirements for effective identity verification, card validity, and card authentication.34 Specifically, in that guidance document, we stated that: In accordance with 33 CFR 101.130, the Coast Guard determines that a biometric 34 78 E:\FR\FM\23AUR2.SGM FR 17805. 23AUR2 57664 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 match using a TWIC reader from the TSA list of readers that have passed the Initial Capability Evaluation (ICE) Test (available at: http://www.tsa.gov/assets/pdf/twic_ice_ list.pdf) to confirm that the biometric template stored on the TWIC matches the fingerprint of the individual presenting the TWIC meets or exceeds the effectiveness of the identity verification check. The NPRM also noted that, in accordance with the guidance, ‘‘TWIC readers allowed pursuant to PAC–D 01– 11 may no longer be valid after promulgation of a TWIC reader final rule, and DHS will not fund replacement of TWIC readers.’’ 35 In recognition of advancing technology and standards, and to provide further flexibility to the end user that may meet business specific needs, this final rule does not require a TWIC reader from the TSA’s QTL, accessible online at http://www.tsa.gov/ stakeholders/reader-qualifiedtechnology-list-qtl. Instead, the Coast Guard is permitting multiple options for the implementation of electronic TWIC inspection. The first option for meeting these needs within this final rule remains the mechanism proposed in the NPRM, which is the use of TWIC readers listed on the QTL. These TWIC readers are defined as ‘‘Qualified Readers.’’ We believe that this option is most appropriate for vessels or facilities that currently do not conduct electronic TWIC inspection and are seeking a TWIC reader determined to be in conformance with the TWIC Reader Hardware and Card Application Specification, available in the online docket for this rulemaking. The QTL continues to remain useful for this and other purposes. A similar option would be to use a TWIC reader that is not on the QTL. While such electronic readers are not prohibited by this rule, they must still meet the performance requirements of § 101.520. This performance-oriented option is intended to provide more options to users to meet their individual needs while still relying on the TWIC as an access control credential. Another option would be to use an electronic reader or combination of separate devices—such as proximity readers, biometric readers, and PIN pads—that would transmit the information from the TWIC and individual seeking access to software that performs the card authentication, card validity check, and biometric identification functions required in § 101.520. We refer to this arrangement as a ‘‘Transparent Reader.’’ In this case, for example, a Transparent Reader 35 78 36 We have also included the current version of the list in the docket USCG–2007–28915. FR 17805. VerDate Sep<11>2014 19:12 Aug 22, 2016 would read the information from the TWIC along with the biometric sample provided by the individual and transmit it to a back end system containing software that performs the TWIC check. Once the TWIC check is complete, the back end system would perform what processes are required to either grant or deny access. This option may be highly popular with facilities that have already invested in electronic reader infrastructure and high tech software systems that may not be on the QTL. In this case, much as a situation with a PACS, the operator may have to add a biometric component, if not already in place, and modify software to include TWIC compatibility, but would not have to replace the entire system. The last option, described in detail above, would be the use of an existing PACS, with the inclusion of biometrics, with a facility-specific access card that uses the TWIC as the baseline credential. This is purely a performance requirement, and would not require the use of government-approved equipment. In this case, the PACS would be required to match the TWIC against the list of cancelled TWICs and, if positively matched, automatically cancel the facility access card so as to not allow unescorted access to secure areas of the facility. Several commenters provided comments that addressed the specific types of approved card readers, but we believe that many of the concerns raised by commenters are resolved by the Coast Guard moving to a more flexible series of options for conducting electronic TWIC inspection. One commenter in a public meeting expressed concern that there was not an approved card reader which he could use for cost estimates. We note that the TSA now has a list of approved TWIC readers, which is available on the Coast Guard’s Homeport site.36 One commenter suggested that this rule was not in alignment with the TSA’s Request for Information regarding development of the QTL. We disagree, and note that the Coast Guard and TSA worked closely in developing and implementing the electronic TWIC inspection requirements. Furthermore, we note that with the additional flexibility afforded by this final rule, equipment to conduct electronic TWIC inspections is available at a wide variety of prices, depending on the manner in which electronic TWIC inspection is conducted. Additional information on cost Jkt 238001 PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 estimates is provided in the final RA accompanying this final rule. Additionally, one commenter requested that software be included on the QTL. We note that the list of TWIC readers on the QTL includes TWIC reader and software pairings. Beyond the physical aspects of TWIC reader testing in terms of environmental or drop testing, a large portion of what is tested in the QTL process is the software. Other commenters suggested that, based on the TWIC Pilot Program, TWIC reader technology is still not ready for requiring TWIC readers at facilities, and requested that this final rule be delayed. Similarly, one commenter recommended that the Coast Guard only proceed with the rule if it was confident in the reliability of existing TWIC readers. We believe that not only has technology continued to improve, but also additional flexibility has been afforded in this final rule, both of which should alleviate problems with specific TWIC readers used in the pilot. Vessels and facilities required to conduct electronic TWIC inspection can choose from a wide variety of means so as to meet their budget and operational needs. Furthermore, the flexibility built into this final rule allows for future advancement of both card and reader technologies in a manner that will provide for further reductions in impact on business operations of the maritime industry. b. PIN Pads and Biometric Input Methods One issue raised in the ANPRM was the use of PINs as part of the identification process. We note that upon getting a TWIC, each TWIC-holder is required to remember a PIN. As proposed in the NPRM, under most circumstances, the TWIC-holder would not be required to provide the PIN when seeking access to secure areas, except as a backup measure when the TWICholder’s biometric template is unreadable. For this reason, there is no requirement that access control systems have the capability to accept a PIN. Comments relating to the use of PINs were generally negative. Several commenters specifically argued against the use of PINs. Some commenters stated that because the PINs are rarely used, they are seldom remembered by TWIC-holders. We agree that rarely-used PINs will likely be forgotten, and thus the only people who would likely remember their PINs are those who use them regularly, such as those with impaired biometrics. Similarly, one commenter stated that 100 percent of cardholders would need to visit one of E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 the TWIC enrollment centers to reset or establish a new PIN in the event that the Coast Guard required PIN entry, implying that without regular use of PINs, they are quickly forgotten. PINs would not be required or permitted as a substitute for biometric identification of most users. Instead, this rule provides that PINs are available as an alternative only for individuals whose biometrics can not be read. The Coast Guard recognizes that for some people, taking a biometric read can be problematic. For example, people with severely injured fingers are often unable to have their fingerprints read. For such cases, the final rule provides an alternative means to ensure identity verification. As stated in § 101.520(c)(2), the use of a PIN plus a visual TWIC inspection is an acceptable alternative to a biometric match for individuals who are unable to have their biometric template captured at enrollment or who have unreadable biometrics due to injury after enrollment. For that reason, owners and operators may find it expedient to include an electronic reader with a PIN pad in at least some of their access control locations to accommodate people with unreadable biometrics. 3. Comments Related to Troubleshooting TWIC This section elaborates on certain programmatic issues relating to electronic TWIC inspection, specifically, how to address problems arising if either the electronic reader or access card malfunctions. In this section, we elaborate and expand on the provisions described in the NPRM as well as address issues raised by commenters. In the NPRM, the Coast Guard proposed regulations in § 101.535 that laid out requirements for TWIC inspection in special circumstances where a malfunction in the TWIC inspection system has occurred. In paragraph (a), we described how access could be granted in the event of a lost, stolen, or damaged TWIC card. In paragraph (b), we proposed how access could be granted in the event that a person’s biometric template could not be read due to either technology malfunction or the inability of an individual to provide a biometric template. In paragraph (c), we proposed that in the event of a TWIC reader malfunction, an individual could still be granted unescorted access to secure areas for a period not to exceed 7 days, provided that individual has been granted such unescorted access in the past and is known to possess a TWIC. We note that the period in paragraph (c) VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 was extended to 37 days in CG–FAC Policy Letter 12–04. Because the final rule, as written, sets forth a requirement for electronic TWIC inspection rather than specifically requiring that a TWIC be read by a TWIC reader, the text of this section needs some alterations to account for the new flexibility. We have integrated these alterations into the final regulatory text as detailed in the sections below. Furthermore, we have considered the requests and arguments of various commenters, and we are integrating many of the ideas presented into the final rule. Finally, we have attempted to modify and clarify the regulations where appropriate. a. Lost, Stolen, or Damaged TWIC The NPRM proposed that if an individual cannot present a TWIC because it has been lost, damaged, or stolen, the individual could be granted unescorted access for a period of up to seven days if various conditions were met. The conditions include the individual previously having been granted unescorted access, being known to have had a TWIC, being able to present alternative identification, and having reported the TWIC as lost, stolen, or damaged to the TSA. This proposed language was derived from existing requirements in 33 CFR parts 104 through 106. Additionally, in CG– FAC Policy Letter 12–04, the Coast Guard allowed an individual to be granted unescorted access for an additional 30 days (for a total of 37 days of unescorted access), if the individual provided proof that a replacement TWIC had been ordered. Policy Letter 12–04 also allowed unescorted access to those individuals with expired TWICs who had applied for a TWIC renewal prior to expiration. i. Vessels and Facilities Using a PACS Because the final rule provides more flexibility for electronic TWIC inspection beyond presenting a TWIC for access control purposes, some of the issues addressed in § 101.535 are significantly different if using a PACS to perform the electronic TWIC inspection. For example, if an employee’s TWIC is stolen and the theft is reported to the TSA, the affected TWIC will be placed on the list of cancelled TWICs, but the employee will still be registered in the facility’s PACS. However, upon attempting to gain access to a secure area, during the card validity check, the affected TWIC will appear on the list of cancelled TWICs, and thus fail the check. The revised final regulations are designed to allow a procedure where the employee can still be granted PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 57665 unescorted access until he or she can obtain a replacement TWIC and update his or her profile in the facility access control system with the information from the new TWIC. In this final rule, we have added § 101.550(b), which allows unescorted access to secure areas to be granted by a facility operator for a period of up to 30 days if the TWIC appears on the list of cancelled TWICs if the individual is known to have had a TWIC and to have reported it lost, damaged, or stolen. Example: An individual who works at a facility where the PACS has been linked to a TWIC card reports his or her TWIC as lost. When presenting his or her facility access card to the PACS, the card validity check will return a TWIC on the list of cancelled TWICs because the TWIC has been reported lost. The FSO confirms that the TWIC was reported as lost. In that instance, the PACS will recognize the status of the TWIC as cancelled, but can still grant unescorted access to secure areas to the individual for a period of up to 30 days. If, after 30 days, the individual has not linked their facility access card to a valid TWIC, the PACS would have to deny unescorted access to secure areas to that individual. ii. Vessels and Facilities Using TWIC Readers We proposed in § 101.535 that vessel or facility operators using TWIC readers allow for temporary access in the case of a lost, stolen, or damaged TWIC. Specifically, the Coast Guard proposed that if a person is known to have had a TWIC, has previously been granted unescorted access, and can present another form of acceptable identification, and there are no other suspicious circumstances, then the operator may grant that person access for 30 days so that they can be issued a new TWIC. We received a wide variety of comments relating to the issue of lost or stolen TWICs. One commenter argued that any allowance for malfunctioning TWICs undermines the point of having the card at all. We disagree, and note that the procedure is necessary to ensure smooth operation of the TWIC system, and believe it contains enough safeguards so as not to function as a loophole in security. One commenter recommended splitting the CCL into separate categories, including categories of TWICs invalidated for ‘‘administrative reasons.’’ We disagree, because the list of cancelled TWICs is intended to help screen out invalid cards regardless of the reason. Many commenters argued that the 7day period proposed in § 101.535(a) is too short, and that the period should be extended, with a significant number of E:\FR\FM\23AUR2.SGM 23AUR2 57666 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 these commenters referring to the 30day extension of the 7-day period permitted by CG–FAC Policy Letter 12– 04. Based upon the comments received, which indicated that it can take longer than 7 days to be issued a new TWIC, we have decided to include a 30-day period for this situation in section 101.550(b) of the final rule. We believe that this provides ample time to be issued a new TWIC, without presenting an undue security risk. When effective, this regulation will supersede the current guidance in CG–FAC Policy Letter 12–04, which allowed for a total of 37 days. b. Transportation Worker Forgets To Bring TWIC To Work Site The existing regulations in 33 CFR parts 104 through 106, the policy arrangements in CG–FAC Policy Letter 12–04, as well as the proposed regulations in § 101.535, only grant unescorted access to those individuals whose TWICs have expired or have reported their TWIC as lost, stolen, or damaged to the TSA. For all other individuals who fail to present a TWIC, unescorted access would be denied under proposed § 101.535(d). Thus, under the proposed regulation, an employee who forgot his or her TWIC at home would not be permitted unescorted access to the facility, whereas an employee whose TWIC was stolen would be permitted unescorted access for a limited period of time. We received one comment relating to the issue of forgotten TWICs from a commenter who described such a situation in their submission to the docket for this rulemaking. This commenter suggested that we add an allowance for persons who forgot their TWIC at home. After reviewing comments on the proposed rule, we reiterate our existing position that persons who cannot present a valid TWIC, and have not reported their TWIC as lost, stolen, or damaged to the TSA, may not be granted unescorted access to a vessel or facility. We believe that providing an exemption for forgotten TWICs creates a potential degradation in security and additional risks that outweigh the benefits. Unlike the situation where a TWIC has been reported as stolen or lost to the TSA and is therefore no longer valid which can be verified by checking the list of cancelled TWICs, a claim of a forgotten TWIC cannot be validated. Instead, we reiterate that under current regulation at § 101.514(a), unless exempted from the TWIC requirements by § 101.514(b), (c), or (d), all persons must physically possess a TWIC, or undergo electronic TWIC inspection, VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 prior to being granted unescorted access to a secure area of a vessel or facility. Persons who do not physically present a TWIC or undergo electronic TWIC inspection, and have not reported their TWIC as lost, stolen, or damaged to the TSA, may not be granted unescorted access. c. Inaccessible Biometrics In the NPRM, we proposed two secondary authentication procedures that could be followed in the event that a person’s biometric template could not be read by a TWIC reader or PACS due to a technology malfunction or low quality biometric template. These alternatives were listed in proposed § 101.535(b), and allowed either the input of a PIN or the use of an alternative biometric that has been incorporated into the PACS. Given the change from requiring a TWIC reader to requiring electronic TWIC inspection, some changes to this section are needed as well. We discuss changes to this section and comments received below. One commenter suggested that people with unreadable biometric templates should be allowed to use a PACS card in addition to a PIN or alternate biometric. We agree, and note that under the final regulations, given that input of biometric information (including alternatives to fingerprints) into a PACS reader may now be a common manner of completing identification verification, the use of a PACS card in conjunction with an alternative biometric will be an accepted regular way to conduct an electronic TWIC inspection. However, upon consideration, we do not believe that the input of a PIN alone is equivalent to biometric identification. Biometric identification allows the facility to ascertain with a high degree of certainty whether the individual requesting access is the TWIC-holder. On the other hand, commenters noted that other methods of identification verification will not detect counterfeit, stolen, or borrowed TWICs. Similarly, the use of a PIN alone will not detect a borrowed TWIC or PACS card or, potentially, a stolen TWIC or PACS card, if the PIN has been illicitly obtained. Nonetheless, the Coast Guard believes that a method for accommodating persons with unreadable biometrics is important. In such cases, we believe that visual TWIC inspection, when combined with the PIN, provides enough certainty as to be an acceptable alternative to biometric identification. Combining visual identification with the PIN will help to ensure that stolen and borrowed cards are difficult to use. PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 Thus, in this final rule, we are modifying the provision in proposed § 101.535(b), which allowed for PINs to be used in lieu of biometric matching, to include a requirement for visual identification in addition to the PIN. The new provision is located in § 101.550(c) of this final rule. We believe that this provision would present few problems, as people could use their TWICs for visual identification. Alternatively, if a PACS PIN is assigned and stored in the access control system, an employee with unreadable biometrics could enter his or her PIN and present a PACS card or driver’s license to conduct a visual identification check. d. Malfunctioning Access Control Systems In the NPRM, we proposed a mechanism by which persons could be granted unescorted access to secure areas if a TWIC reader malfunctioned. Specifically, proposed § 101.535(c) allowed owners and operators to use visual checks for a period of 7 days if a TWIC reader malfunctioned. In light of the change in this final rule from the required use of TWIC readers to the more flexible requirement for electronic TWIC inspection for Risk Group A vessels and facilities, we are making some conforming changes and clarifications to this procedure. We received several comments on the matter, which are addressed below. Upon consideration of this policy, we believe that a clause automatically allowing the use of visual TWIC inspections in lieu of biometric matching presents a serious security concern. As one commenter argued, any allowance for malfunctioning TWICs undermines the point of having the card at all. The Coast Guard agrees, and believes that allowing the use of visual TWIC inspections in lieu of biometric matching degrades security. This final rule represents a concerted effort to significantly upgrade the security at a relatively small group of high-risk vessels and facilities. Given the importance of security, we would not expect vessels or facilities to have only a single TWIC reader, but expect some redundancy in the system, and note that two commenters strongly echoed the view that redundancy is needed in any critical system. We would agree that, as a practical matter, the minimum number of electronic readers (either dedicated TWIC readers or those integrated into a PACS) at a facility or onboard a vessel would be two, in case one malfunctioned. As discussed in the RA, using the TWIC pilot data we estimated the average number of electronic readers E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations required by this final rule by facility and vessel types at a minimum 2 per vessel and 4 per facility (Tables 4.3 and 4.4 of the RA). While the TWIC readers on the QTL have been tested to ensure a degree of reliability, there are many factors external to the testing process that could cause any one individual electronic reader to fail. The immediate availability of a backup electronic reader should one fail (as documented in the relevant security plan) would allow a vessel or facility to maintain the appropriate level of security for access control and continue operating without further burden. Due to the security concerns discussed in this paragraph, we are removing from the final rule the proposed provision in § 101.535 that would have permitted automatic transition to visual TWIC inspections in the event of an electronic reader malfunction. As stated above, based on discussions with industry we expect that owners and operators will have an additional functioning electronic reader to use in those instances in case of equipment failures or malfunctions (§§ 104.260(c) and 105.250(c)). If the owners and operators plan for malfunctions as existing regulations require, there should be no significant disruption of operations. Further, in the unlikely event that both primary and redundant electronic readers malfunction, the owner or operator could obtain permission from the Captain of the Port (COTP) to continue operating. Two commenters suggested changing the language in proposed § 101.535(c) from a ‘‘reader malfunction’’ to ‘‘in the event of an access control system failure,’’ noting that many other systems (such as the software or electricity) could fail, thus rendering an electronic reader inoperable. As we are deleting this exemption in this final rule, the language question is no longer at issue. Commenters also suggested that 7 days is not sufficient to correct all problems that can result in a TWIC malfunction. They noted that it might take longer to procure parts, especially after a major regional disaster or holiday, and that a 15-day period where visual TWIC inspection is permitted would be more reasonable. On the other hand, one commenter suggested that it should take only hours to repair a malfunctioning TWIC reader. In this final rule, we are removing this provision. Thus, restoration of an access control system will be handled in accordance with the procedures for the reporting requirements for noncompliance in §§ 104.125, 105.125, and 106.125, which require the owner or operator to notify the cognizant Captain VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 of the Port and either suspend operations or request and receive permission from the COTP to continue operating. Similarly, in the event of a total system collapse or regional disaster, the COTP will work with the affected organization to restore an access control system as expeditiously as possible. The following examples provide illustrations relating to scenarios involving the failure of an access control system: Example: A facility using TWIC readers at five access points suffers equipment failure of TWIC readers at two of those access points. The facility would still be able to permit unescorted access through the remaining three access points. Unescorted access could also be granted using portable TWIC readers at the two affected access points immediately in accordance with the FSP. The facility would be required to notify the COTP that this equipment failure took place but could continue operations using the remaining TWIC readers. Example: A computer virus causes a facility’s PACS to become completely inoperable, but the FSP contains an alternative where access is controlled through the use of portable TWIC readers, compliant with § 101.520, at each access point to secure areas. The facility would be required to notify the COTP that such a failure of the PACS had occurred, but could continue operations uninterrupted by using the portable TWIC readers. Example: A computer virus causes a facility’s PACS to become completely inoperable, and the FSP does not contain an alternative means of conducting electronic TWIC inspection. The owner or operator could request permission from the COTP to conduct visual TWIC inspections for a limited time until the PACS is operational. Grants of unescorted access to secure areas would have to be suspended until such permission was granted by the COTP. Multiple commenters suggested that in the event that a TWIC reader malfunctions, a facility should be immediately able to continue to process workers using an alternative means defined in a security plan, rather than requesting approval from the COTP to do so. One commenter also suggested that an after-the-fact review by the Coast Guard could be used in such circumstances. We note that the proposed text of § 101.535(c) in the NPRM did not propose to require COTP authorization to allow continuing operation for a period of 7 days, so we are unsure of the provision to which the commenter may be referring. Nonetheless, the final regulatory text allows a facility to immediately continue to process workers using an alternative means as defined in an approved security plan as required by PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 57667 §§ 104.260(c) and 105.250(c) without additional COTP approval. One commenter suggested that the Facility Security Officer (FSO) should be able to determine if there are mitigating circumstances that need to be implemented for a temporary time frame. In such a case, the commenter suggested that the facility would conduct visual identification verification in lieu of electronic TWIC inspection. We disagree with this suggestion, for the reasons described above. The commenter also requested that the COTP be able to waive TWIC requirements in certain circumstances. We note that the COTP has the power to waive requirements or impose alternative equivalent measures generally. One commenter requested clarification on procedures to be used if TSA’s Web site is inaccessible and they are unable to access updates to the CCL. In general, the owner or operator of an access control system is required to download the TSA-supplied list of cancelled TWICs (currently, the CCL) periodically, depending on the MARSEC level, pursuant to § 101.525 of this final rule. However, if the problem with downloading the list is out of the operator’s control, such as the TSA Web site being down for an extended period of time, we would consider it acceptable to continue to operate the access control system by using the most recent version of the list available. e. Requirements for Varying MARSEC Levels In the NPRM, we proposed requirements for Risk Group A vessels and facilities that would vary based on the MARSEC level. MARSEC levels are set to reflect the prevailing threat environment of the maritime transportation system, including ports, vessels, facilities, and critical assets and infrastructure located on or adjacent to waters subject to the jurisdiction of the United States. Specifically, we proposed to require that at MARSEC Level 1, during the card validation process, a TWIC must be checked against a version of the list of cancelled TWICs that is no more than 7 days old. However, at higher MARSEC levels, we proposed that the version of the list used to conduct the card validity check be no more than one day old. Several commenters responded to this issue, and offered remarks relating to the use of MARSEC levels overall. One commenter agreed with the Coast Guard’s proposal to require, at a minimum, weekly updates of the CCL at MARSEC Level 1 and daily updates of the CCL at higher MARSEC levels. E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57668 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations Another commenter stated that we did not adequately clarify how different MARSEC levels would interact with Risk Groups A, B, and C. In response, we note that vessels and facilities that were proposed to be classified as Risk Groups B or C are not affected by this final rule, and that MARSEC interacts with Risk Group A as described in § 101.525. We have moved the MARSEC level requirements to this separate section to improve clarity. Several commenters suggested that electronic TWIC inspection should only consist of card validation and card authentication at MARSEC Level 1, and that the Coast Guard should provide the flexibility for them to use electronic TWIC inspection for biometric matching purposes at higher MARSEC levels, or require it only at those levels. Other commenters recommended that electronic TWIC inspection should only be required once per day at MARSEC Level 1, with additional measures, such as full electronic TWIC inspection or random spot checks, implemented only at higher MARSEC levels. One commenter recommended that electronic TWIC inspection be used only at higher MARSEC levels, with visual TWIC inspections performed the rest of the time. We disagree with these suggestions. We believe that Risk Group A vessels and facilities should be secured at all times, not just at rare moments of heightened alert, and that biometric identification, one of the TWIC’s strongest security features, should be used regularly. Based on the experience with the pilot, we also believe that consistency in electronic TWIC inspection processes is important, as varying use of security features can create confusion that can hinder operations. One commenter suggested that the CCL should be updated daily at all MARSEC levels, not just at MARSEC Levels 2 and 3. Similarly, one commenter stated that the CCL should be continually updated at all times. The commenter stated that once an automated method is established to do this, there is no additional cost associated with the increased frequency. While we do agree that, if automated, it is simple to update the list of cancelled TWICs, we note that not all operators use an automated system at this time. While we realize that some larger operations can set up automatic updates of the list, other operations may need to conduct such updates manually. In our RA, we calculated that it takes 30 minutes to update the CCL. For that reason, we have only required in 33 CFR 101.525 that the list of cancelled TWICs be updated daily during periods of VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 heightened risk according to the specified MARSEC level. We note that the required periods to update the list are considered minimum requirements, but operators are free to update more often if desired. One commenter asked if electronic TWIC inspection requirements should be applied to Risk Groups B and C at higher MARSEC levels. We do not believe it should. This would require those vessels and facilities to purchase and install equipment for electronic TWIC inspection for use during those periods of heightened alert, dramatically increasing the costs of the rule for what we believe is, at this time, comparatively little corresponding benefit. Furthermore, changing electronic TWIC inspection procedures at irregular and long-spaced intervals can cause confusion that could impair operations. 4. Recordkeeping Requirements In the NPRM, the Coast Guard proposed specific recordkeeping requirements relating to the use of TWIC readers in vessels and facilities. These proposals, in proposed §§ 104.235(b)(9) and 105.225(b)(9), specified that owners or operators must keep records of each individual granted unescorted access to a secure area, which would include the FASC–N, date and time that unescorted access was granted, and the individual’s name (if captured). The NPRM also proposed to require that owners or operators keep documentation demonstrating that they had updated the CCL with the required frequency. The NPRM proposed a 2-year minimum retention time for such records, and specified that TWIC reader and PACS readers were sensitive security information (SSI), protected under 49 CFR 1520. We received several comments on the subject of recordkeeping, which are discussed below. Many commenters suggested that the 2-year recordkeeping requirement was too long. One commenter supported the 2-year recordkeeping requirement, although noted that a shorter period would not be objectionable if the 2-year requirement was deemed overly burdensome or unnecessary. Another commenter suggested the period was an issue of concern, and that the Coast Guard should provide the rationale behind the requirement to retain records for 2 years rather than any other amount of time. The same commenter added that the argument for consistency with other recordkeeping requirements did not justify the burden of a 2-year requirement, although the commenter did not suggest an alternative PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 timeframe. One commenter recommended that the records be retained for only 30 days, noting that this would be less burdensome. In this final rule, as explained in more detail below, we are maintaining the 2year timeframe for record retention as we do not believe it is unduly burdensome or unnecessary. We also disagree with the commenter that consistency with all other MTSA-related records is an insufficient rationale for requiring records to be kept for a 2-year period. We believe that if differing records were required to be kept for varying amounts of time, it would needlessly complicate the storage of those records and potentially add additional expenses. One commenter stated that the 2-year retention period presents opportunities for the information to be mishandled or misused, and thus should be shorter, although no specific timeframe was suggested. While we realize that storing data for any period of time can result in misuse or mishandling, we note that the information is protected as SSI, and thus is subject to comparatively strict usage and storage controls. We believe that the risk of misuse or mishandling of the information is far outweighed by the security value of collecting and storing the data for use in security investigations. The commenter also stated that a shorter window would provide law enforcement sufficient data to assist in security investigation, but no alternative window was suggested nor supporting information supplied. Without additional information, we are not deviating from the 2-year period proposed in the NPRM and used in all other MTSA-related recordkeeping requirements. This commenter also stated that 46 U.S.C. 70105(e) implies that information gathered by a TWIC reader from a worker’s card must not be shared with an employer or otherwise publicly released. We do not believe that this characterization is correct. 46 U.S.C. 70105(e)(1) reads as follows: ‘‘Information obtained by the Attorney General or the Secretary under this section may not be made available to the public, including the individual’s employer.’’ This restriction only applies to information obtained by the Attorney General or the Secretary, and includes information received by the Coast Guard. The information generated by electronic TWIC inspection is obtained by a private entity (the facility or vessel owner or operator) to whom the restriction in 46 U.S.C. 70105(e)(1) does not apply. However, and as the commenter noted, some information collected by E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations the TWIC reader or PACS is considered SSI, and is thus protected from unauthorized disclosure under 49 CFR part 1520. The commenter recommended that the Coast Guard consider all electronic reader records, whether of an individual or of an aggregated group, be restricted to security use only and explicitly forbidden to be used in labormanagement issues (such as establishing hours worked or reporting criminal activity). Not all electronic reader records qualify as SSI and thus some information concurrently collected during electronic TWIC inspection can appropriately be used by an owner/ operator for non-security but still legitimate purposes without violating 49 CFR 1520. The preamble of the NPRM contains clear guidance regarding the treatment of certain information collected by electronic TWIC inspection. In that document, we clearly stated that ‘‘[w]e consider a TWICholder’s name and FASC–N to be SSI under 49 CFR 15.5.’’ We went on to explain that ‘‘to the extent that a PACS contains personal identity [including the FASC–N] and biometric information, it contains SSI, which must be protected in accordance with 49 CFR part 15.’’ 37 However, an important aspect of this final rule is that it allows electronic TWIC inspection to be integrated with a facility’s PACS, which serves many other purposes beyond security and contains non-SSI information. For example, PACSs are legitimately used to restrict access for non-security purposes (such as private or dangerous areas) and to help establish the hours worked by employees. Owners and operators of facilities have valid uses for the nonprivate information not covered in the SSI regulations but still collected by a PACS regarding the location of personnel on their property. One commenter requested specific information regarding the requirements established for owners or operators to secure the privacy of individual cardholders. We note that we have not established any new requirements in this rule for such safeguarding because the SSI requirements are already sufficiently comprehensive. See 49 CFR part 15 for regulations covering restrictions on disclosure, persons with a need to know, marking, consequences of unauthorized disclosure, and proper destruction of SSI. The Coast Guard weighed privacy and security concerns in the development of this requirement. To minimize the amount of personally-identifiable information transferred from the TWIC to the TWIC reader, TWIC readers are specifically designed to only collect the minimum amount of information necessary to assist in access control and maritime security. Owners and operators who collect and maintain protected data from electronic TWIC inspections cannot share this information outside of their vessel or facility. The only allowable sharing is back to the TSA or to the Coast Guard for auditing or law enforcement purposes, or to assist with customer redress.38 Owners and operators are also bound by the restrictions on disclosure of SSI.39 Unauthorized disclosure of SSI is grounds for a civil penalty and other enforcement or corrective action by DHS, and appropriate personnel actions for Federal employees. Corrective action may include the issuance of an order requiring retrieval of SSI to remedy unauthorized disclosure, or of an order to cease future unauthorized disclosure. Two commenters suggested that SSI requirements should not apply to electronic TWIC inspection records if no personally-identifiable information is recorded (i.e., only the FASC–N, date, and time of the transaction is recorded). We note that pursuant to 49 CFR 1520.5(b)(11)(i)(A), SSI includes identifying information of certain transportation security personnel, which includes ‘‘Lists of the names or other identifying information that identify persons as . . . having unescorted access to . . . a secure or restricted area of a maritime facility, port area, or vessel.’’ This information is specifically addressed in the recordkeeping requirements of this final rule. For example, § 105.225(b)(9) states that the TWIC Reader or PACS system must capture the ‘‘FASC–N, date and time that unescorted access was granted; and, if captured, the individual’s name.’’ If such information was captured, it would be considered SSI. Commenters also suggested additional information that could be collected during electronic TWIC inspection. One commenter suggested that an electronic TWIC reader transaction should also include an identifier for the specific electronic reader device, and if it is a portable electronic reader, an identifier for the operator of the device. The commenter suggested that this information would enhance the usefulness of an audit trail. While we see that there could be some value in having this information recorded, we 38 See 37 78 FR 17806–7. VerDate Sep<11>2014 19:12 Aug 22, 2016 39 See Jkt 238001 PO 00000 49 CFR part 1520. 49 CFR 15.9(a)(1). Frm 00019 Fmt 4701 Sfmt 4700 57669 believe that it would be overly complex to add this information into the suite of recorded information at this time, and the value of such information would not be worth the additional cost. We note that such information might be gathered from other sources even without a requirement to collect it in this final rule. Nonetheless, should we reconsider the scope of data collection for electronic TWIC inspection in future rulemakings, we will consider this suggestion. Two commenters recommended that recordkeeping requirements should be extended to situations where an electronic TWIC inspection is not used, such as visual TWIC inspections, RUA, and escorted access. One commenter suggested that without recordkeeping requirements for visual TWIC inspection, there is no incentive—other than avoiding the consequences of being caught—to actually conduct visual TWIC inspections. We disagree with these comments. A recordkeeping requirement for visual TWIC inspections would mean that each owner or operator would need to record information on each TWIC inspection. We would need to demonstrate that the cost of such a requirement is justified before imposing it on the regulated population. In that regard, we note that in 2013, the Coast Guard conducted 12,171 inspections at MTSA-regulated facilities for compliance with the regulations in 33 CFR part 105. As part of those inspections, Coast Guard personnel spot-checked 52,708 TWICs, finding a validity rate of greater than 97 percent. In light of the high validity rate, we do not believe that a recordkeeping requirement for visual TWIC inspections is appropriate or necessary. One commenter also suggested that there should be recordkeeping requirements for when a person is granted unescorted access through the ‘‘special circumstances,’’ described in § 101.550 of the final rule, such as if he or she had reported their TWIC as lost or stolen. In the NPRM, we did not propose any requirements that records be kept for transactions that do not make use of electronic TWIC inspection. While such a suggestion is outside the scope of this final rule, we will consider it in future regulatory actions. Furthermore, we are not creating new requirements for visual inspections in this final rule, including any recordkeeping requirements. This final rule pertains to requirements for electronic TWIC inspection. Requirements pertaining to other means of access, including access granted through visual TWIC inspection or escorted access to a secure area, are E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57670 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations outside the scope of the final rule. We do note that electronic TWIC inspection is a prerequisite for RUA, and thus a record is created when that transaction occurs. However, due to the nature of RUA, no additional records are kept outside of the electronic TWIC inspection transactions. Such recordkeeping would be burdensome and defeat the purpose of RUA. One commenter suggested that the lack of criteria or specificity as to what the required records should contain severely limits their efficacy. We believe that the NPRM was clear on what records are required to be kept, but we will discuss them here in greater length. Specifically, a record should be kept of each instance in which a person is granted unescorted access to a secure area. This record must contain the FASC–N of the TWIC issued to the person granted unescorted access. If the TWIC reader or PACS captures the individual’s name, the name associated with the TWIC must also be part of the record. Finally, the record must include the date and time the person was granted unescorted access (the time can be rounded to the nearest minute; it is not required that the precise second that access was granted be captured, although it is acceptable to be more precise). As noted in the NPRM, ‘‘we allow individual regulated parties to determine the best method and manner of complying with the recordkeeping requirements.’’ 40 The commenter also requested additional justification for the 2-year period, stating that neither the argument for consistency nor the argument for law enforcement justify the length of time to hold records. As stated in the NPRM, the timeframe was designed, in part, for consistency with existing securityrelated and other recordkeeping requirements applicable to vessels and facilities, and we note that all other security recordkeeping requirements in the affected sections are subject to a 2year retention period. In response to the commenters who requested additional justification, we would add that investigations of TSIs can involve analysis of data that stretches back for that amount of time, and we want to ensure that any historical data that could be useful is available. We believe that a 2-year period is an appropriate amount of time to ask owner operators to store data to ensure that no investigation is limited due to the unavailability of relevant data. We continue to believe that a uniform timeframe for recordkeeping requirements, when practicable, 40 78 FR 17806. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 provides the most efficient regulatory system, and that the costs of storing data are minor compared to the security benefits provided. The commenter also referred to the 2013 GAO report, noting its concern that the TWIC Pilot Program had difficulties collecting accurate, consistent data from the pilot sites.41 While we are aware of the GAO’s criticisms of the TWIC Pilot Program, we do not believe those data collection concerns are relevant to the data collection proposed by the implemented electronic TWIC inspection regulations. Beyond the fact that both involved data collections, the nature and uses of the data collected in the two programs are very dissimilar. For example, among many other items that related to the overall operation of the facilities at issue, the Pilot Program collected data on the number of people using TWIC readers, the amount of time taken per transaction, and the failure rates for transactions. These are very different data than collected by electronic TWIC inspection, which collects items such as the FASC–N. The data collected by electronic TWIC inspection is narrowly tailored to assist the Coast Guard and other law enforcement agencies in investigating TSIs, and the criticisms of data collection on the Pilot Report are not analogous. One commenter stated that the recordkeeping requirements proposed in the NPRM would create a large amount of data and may need to be stored in a media that is not immediately accessible. The commenter requested that the final rule allow a reasonable amount of time to retrieve and produce the electronic records when requested. We agree with the commenter that a reasonable amount of time will be permitted to produce any requested records. This final rule deals only with recordkeeping requirements; it does not specify a timeframe for record retrieval. One commenter requested clarification of a specific situation: a Port Authority operates a cruise terminal which uses an FSP, but when a cruise ship is in port, the cruise security line operates under its own FSP. The commenter asked who would be responsible for maintaining the records. Based on the information described in this situation, the owner or operator of the TWIC reader or PACS system conducting the electronic TWIC inspection would be responsible for 41 ‘‘Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed’’ (GAO–13–198) is available in the docket by following the instructions in the ADDRESSES section of this preamble. PO 00000 Frm 00020 Fmt 4701 Sfmt 4700 maintaining the required records of those transactions. However, we note that recordkeeping requirements for any particular facility would be described in the FSP and that different situations may yield different results, but that these issues would be resolved during approval of the FSP. Similarly, another commenter described a scenario where a private security company and a public entity share a facility. The commenter asked if the entities would need to share records. In response, we note that there is no requirement to share records, and that the owner or operator of the TWIC reader or PACS conducting the electronic TWIC inspections is the entity required to keep the records. Which entity is responsible for recordkeeping should also be addressed in the FSPs. One commenter requested that, if a non-Risk Group A facility were to use electronic TWIC inspection on a voluntary basis, they should not be subject to the electronic recordkeeping requirements in proposed § 105.225(b)(9) and (c). Assuming that a facility is using electronic TWIC inspection on a voluntary basis to replace visual TWIC inspection, pursuant to the guidance in PAC 01–11, we disagree. If replacing security personnel with electronic TWIC inspection, then all elements of such an inspection, including recordkeeping requirements, would have to be met. Maintaining the electronic records as required provides additional security and information in case of a security breach in the future. Visual inspection programs are not required to maintain this type of information due to the large amount of time needed to manually enter the same information. C. When To Conduct Electronic TWIC Inspection One of the areas in which the Coast Guard received the most comments on the proposed rule was the issue of when a TWIC must be read. Specifically, the NPRM used language that stated, ‘‘prior to each entry, all persons seeking unescorted access to secure areas [must] present their [TWIC] for inspection before being granted such unescorted access’’ (this language was used in proposed §§ 101.520(a)(1), 101.525 introductory text, and 101.530 introductory text). Many commenters asked for clarification regarding this language, specifically relating to issues of where TWIC readers should be located, and to what specifically ‘‘prior to each entry’’ referred. Despite using identical language in the proposed regulatory E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 text, the requirement for when to perform electronic TWIC inspection is very different for vessels than it is for facilities. With regard to vessels, we stated in the NPRM that ‘‘for vessels, this NPRM proposes to require TWIC readers at the access points to the vessel itself, regardless of whether the secure area encompasses the entire vessel.’’ 42 On the other hand, with regard to facilities, we stated that ‘‘this NPRM proposes to require TWIC readers at the access points to each secure area,’’ 43 which could necessitate a large number of TWIC readers in facilities like passenger facilities, many of which have multiple access points to secure areas within the facility. Similarly, the NPRM RA reflected this information, estimating that each facility might use a number of TWIC readers (passenger facilities, with many access points to secure areas, were estimated to require an average of 16 TWIC readers each), whereas each vessel might only be equipped with one or two, reflecting the fact that they would only be deployed at the entrances to the vessels, not at each access point to a secure area within the vessel. Nonetheless, we recognize the confusion brought on by the proposed language. One commenter, for example, requested a clarification of the reference to ‘‘each entry’’ to a facility or vessel secure area. The commenter noted that passenger vessels and facilities included restricted areas, employee access areas, and passenger areas, and it was unclear from the NPRM where the electronic TWIC inspection requirements would be applied. In this final rule, we have used language that we believe more clearly describes the specific requirements of the rule. We broke the language down into two separate paragraphs, one for vessels (see § 101.535(a)), and one for facilities (see § 101.535(b)), using slightly different language for each. The final regulatory text for facilities now states, ‘‘Prior to each entry into a secure area of the facility,’’ while the final regulatory text for vessels now states, ‘‘Prior to each boarding of the vessel.’’ While the language is slightly modified, we believe it more clearly implements the proposed requirements in the NPRM. 1. Secure, Restricted, Public Access, Passenger Access, and Employee Access Areas In terms of clarifying that an electronic TWIC inspection must be performed prior to each entry into a secure area (for facilities), we believe 42 78 43 78 FR 17803. FR 17803. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 that it is important to clarify the term ‘‘secure area,’’ as well as explain the differences between secure areas and other types of areas on MTSA-regulated vessels and facilities. Many commenters asked questions that indicated the difference between secure areas, restricted areas, employee access areas, public access areas, and passenger access areas was not entirely clear. In this section, we discuss the definitions of these types of areas, given their definitions in 33 CFR part 101, as well as the additional explanation offered in NVIC 03–07 and other documents. The statutory requirement for TWIC readers, stated in 46 U.S.C. 70105(a)(1), requires that anyone granted unescorted access to a secure area of a vessel or facility maintain a valid TWIC. Secure areas are defined in 33 CFR 101.105. The relevant portion of the definition states that ‘‘Secure area means the area on board a vessel or at a facility over which the owner/operator has implemented security measures for access control in accordance with a Coast Guard approved security plan. It does not include passenger access areas, employee access areas, or public access areas.’’ The concept of a secure area is explained in more detail in NVIC 03–07, enclosure (3). Section 3.3b of that document explains that ‘‘for facilities, the secure area is the entire area within the outer-most access control perimeter of the facility, with the exception of public access areas, and encompasses all restricted areas.’’ Similarly, ‘‘for vessels and OCS facilities, the secure area encompasses the entirety of a vessel or OCS facility, with the exception of passenger or employee access areas for vessels.’’ Existing regulations distinguish between the secure area and areas designated as ‘‘restricted.’’ The term restricted area, as defined in existing 33 CFR 101.105, means ‘‘the infrastructures or locations identified in an area, vessel, or facility security assessment or by the operator that require limited access and a higher degree of security protection [than secure areas].’’ NVIC 03–07 also goes into detail explaining the difference between secure and restricted areas, noting that by virtue of the fact that the secure area encompasses the entire facility or vessel (with the exclusion of public, passenger, and employee-access areas), restricted areas fall within this perimeter. Multiple commenters with facilities expressed concerns about the existence of multiple secure areas within any one facility, and what access control measures would be required by this final rule. Other commenters PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 57671 represented both vessels and facilities, but had similar concerns with regard to the differences among secure, restricted, and public access areas. The definitions of secure and restricted areas have implications when determining where to locate electronic TWIC inspection locations on various facilities. These locations would be marked in an FSP or a VSP. Given the requirement that electronic TWIC inspection be conducted ‘‘prior to each entry’’ into a secure area (for facilities), we would anticipate that the inspection points at facilities would be located at the access points to secure areas. For example, in a chemical cargo facility the entire facility may be considered a secure area, as security measures for access control may surround the entire facility. Such a facility would likely only conduct electronic TWIC inspection at the entrance to the facility. Alternatively, a facility might categorize the parking lot as a ‘‘public access area’’ so that employees and visitors can park, and electronic TWIC inspection could be conducted at the access point from the parking lot into the secure area of the facility. We note that a second round of electronic TWIC inspection is not required when passing from a secure area to a restricted area, although we would anticipate other security measures to be in place. For passenger facilities, the majority of the areas may be designated ‘‘public access areas,’’ ‘‘passenger access areas,’’ or ‘‘employee access areas’’ (such as break rooms). In such an instance, electronic TWIC inspection points may only be located at entrances to secure areas such as the pier or FSO’s office. The Coast Guard acknowledges the confusion surrounding this issue, which is why we have included a clarifying revision to 33 CFR 103.505, Elements of the Area Maritime Security (AMS) Plan, in which a parenthetical reference to the TWIC program may create confusion regarding whether TWIC provides access control for secure or restricted areas. This final rule creates electronic TWIC inspection requirements for access to secure areas, and does not address requirements for access control to restricted areas. Finally, we note the concerns commenters had relating to secure areas on water. One commenter noted that the water where barge fleets are located is considered a secure area, but the area was only accessible by boat. The commenter questioned how electronic TWIC inspection could be conducted in such a situation. Similarly, another commenter requested that they be allowed to conduct electronic TWIC inspections on shore before entering E:\FR\FM\23AUR2.SGM 23AUR2 57672 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 barge fleeting areas, as otherwise there would be no way to conduct an electronic TWIC inspection. Another commenter noted that the only ‘‘access point’’ into such secure areas may be a towing vessel with the dedicated purpose of guarding the area. These commenters raise important issues as to how we would apply the electronic TWIC inspection process to secure areas on water, such as barge fleeting facilities. Upon consideration, we do not believe that requiring electronic TWIC inspection prior to entering such areas would be practical, as there is no particular access point to such an area that can be controlled by a TWIC reader. Electronic TWIC inspection would instead be required at the barge fleeting facility’s shore side location. Many commenters representing vessels were concerned about a situation involving a passenger vessel (potentially in Risk Groups B or C) with multiple secure areas and no one standing watch at the entrances to each secure area. We note that while the electronic TWIC inspection requirements are different for vessels than for facilities, the definitions of secure areas and restricted areas are similar. On non-passenger vessels, generally the entire vessel is considered a secure area. Certain areas within the vessel may have higher levels of security, and those would be considered restricted, which again are not impacted by this final rule. On passenger vessels, while security measures would still encompass the vessel, only certain areas would be considered secure, as passenger access areas and employee access areas are excluded from the definition of secure areas. As described below in Section V.C.2 of this preamble, because electronic TWIC inspection on vessels is only conducted when boarding the vessel, the exact location of secure and restricted areas on a vessel would not affect the placement of electronic TWIC inspection points. a. ‘‘Prior to Each Entry’’ for Risk Group A Facilities In this final rule, we are finalizing without change the proposed requirement that electronic TWIC inspection is required prior to each entry into a secure area of a Risk Group A facility. Similarly, we are finalizing the proposed requirement that electronic TWIC inspection is required prior to each entry onto a Risk Group A vessel. While some commenters objected to this policy, we believe that it represents the best balance of security and practicability at this time. Furthermore, we believe that many VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 objections to the policy expressed by industry are addressed by clarifying that the new requirements apply only to Risk Group A vessels and facilities, and that vessels and facilities not in this group have no new requirements in this final rule. In this section, we address comments specifically related to Risk Group A facilities. Questions for Risk Groups B and C, as well as questions for vessels, are discussed in other sections of this preamble. Several commenters requested guidance related to operations conducted under PAC 08–09, change 1. That document allows owners and operators of a vessel or facility to use a local access card to grant unescorted access to secure areas, assuming that the local access card is tied to a valid TWIC and that verification (visual or electronic) of the local access card is conducted each time access is granted to a secure area. Pursuant to PAC 08–09, TWICs needed only to be validated once every 24 hours. However, PAC 08–09 is only valid until the Coast Guard publishes a final rule requiring the use of TWIC readers as an access control measure.44 Because this final rule establishes electronic TWIC inspection as a requirement for Risk Group A facilities, the guidance in PAC 08–09 will no longer be valid with respect to those facilities upon the effective date of this rule. Because there are no electronic TWIC inspection requirements for Risk Groups B and C, PAC 08–09 remains in force for those facilities. We intend to update PAC 08–09 before the effective date of this final rule. We note that while PAC 08–09 will no longer be valid for Risk Group A facilities, the flexible performance requirements of this final rule will continue to allow access using local access or PACS cards, assuming the PACS is able to perform the electronic TWIC inspection requirements of biometric identification, the card validity check, and card authentication. While many commenters requested that Risk Group A facilities be permitted to continue to follow the guidance in PAC 08–09 (some of whom suggested that it could be augmented by a daily card validity check), we are not granting that request. Electronic TWIC inspection is a more secure system than that used under PAC 08–09 for a variety of reasons, but most distinctly because it performs a biometric identification each time a person is granted unescorted access to a secure area, whereas the system described in the PAC 08–09 does not. Biometric identification provides a higher level of certainty that an 44 PAC PO 00000 08–09, change 1, p. 2. Frm 00022 Fmt 4701 Sfmt 4700 individual is an approved TWIC-holder than visual identification. One commenter suggested that the purpose of TWIC is for a worker to be vetted, and that TWIC should not be used as an access control system, noting that it is up to the owner of the secure space to determine which TWIC-holders are granted unescorted access. While we agree that one of the benefits of TWIC is that it ensures an individual has undergone a background check, we disagree that vetting is the only purpose of a TWIC. Congress mandated that the TWIC contain the biometric identification of the TWIC-holder. Furthermore, Congress explicitly required that the Coast Guard ensure that only individuals who hold a TWIC be granted unescorted access to secure areas of MTSA-regulated facilities in 46 U.S.C. 70105(a)(1). We conclude, therefore, that it is the clear mandate of Congress for this biometric identification to be used to ensure that only TWIC-holders are granted unescorted access to secure areas of Risk Group A vessels and facilities. Using this function of the TWIC for identification verification purposes will enhance the security afforded by the TWIC program in the highest-risk areas. Other commenters expressed the opposite view, arguing that the Coast Guard was wrong to limit the requirement of electronic TWIC inspection to Risk Group A vessels and facilities only. Multiple commenters suggested that the proposal to limit the use of electronic TWIC inspection to Risk Group A vessels and facilities deviated from Congress’ intent in developing the TWIC program, and that to conform to the intent of Congress, we should have extended the mandate to perform electronic TWIC inspection to Risk Group B as well. Other commenters noted that in the ‘‘findings’’ section of the MTSA statute (Pub. L. 107–251, 101(11)), Congress found that ‘‘[b]iometric identification procedures for individuals having access to secure areas in port facilities are important tools to deter and prevent port cargo crimes, smuggling, and terrorist actions.’’ The commenter argued that to be responsive to Congress, TWIC cards should not be used primarily as a ‘‘flash pass,’’ but should be used more often as biometric identification tools. The Coast Guard believes that the requirement instituted in this final rule represents a reasoned implementation of electronic TWIC inspection. As analyzed in the NPRM and associated preliminary RA, we believe the vessels and facilities in Risk Group A are at much greater risk than other MTSAregulated vessels and facilities. E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations Electronic TWIC inspection has a high utility in deterring and mitigating certain threats to these targets. Given the costs in infrastructure and operational needs associated with electronic TWIC inspection, as shown in the TWIC Pilot Program and in the Coast Guard’s regulatory analyses, we do not believe that electronic TWIC inspection should be extended to other vessels or facilities at this time. Information and experience gained through the implementation of Risk Group A vessels and facilities will, however, help to determine whether and how the electronic TWIC inspection program should be expanded in the future. Several commenters argued that the requirement to undergo electronic TWIC inspection prior to each entry into a secure area of facility was overly burdensome and unnecessary. One commenter stated that the Coast Guard does not understand the day-to-day operations of passenger vessels and facilities, and that only small areas are secure and restricted, requiring a TWICholder to move in and out of these areas multiple times per day. We disagree with this statement, and note that the NPRM and the NPRM RA repeatedly affirmed that a TWIC reader would be required at each access point to a secure area in a Risk Group A facility. We acknowledge that in cases where employees of a passenger facility move repeatedly from a non-secure area (such as a passenger access area) to a secure area, they will likely have to undergo repeated electronic TWIC inspections. We also note that these facilities already use access control measures to prevent unauthorized persons, including vessel passengers, from entering secure areas, and that this requirement only involves incorporating electronic TWIC inspection into those existing access control measures. Other commenters also made suggestions that would allow for reduced numbers of electronic TWIC inspections for employees that enter and leave secure areas multiple times per day. Several commenters suggested that checking TWICs against the CCL multiple times per day is redundant, as the list is only updated, at most, once per day. These commenters suggested that at lower MARSEC levels, one electronic TWIC inspection per day would be enough, and then a visual TWIC inspection could be used for each subsequent entry into a secure area. We note that electronic TWIC inspection performs much more than just the card validity check, and that there is a need to check that the individual presenting the card is the correct individual presenting an authentic card each time VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 he or she is granted unescorted access to a secure area. For these reasons, a single electronic TWIC inspection should not allow repeated grants of unescorted access to secure areas in Risk Group A facilities. One commenter argued that its security needs would be better met through cross-checking TWICs via its employment, human resources, and internal security systems, and then issuing badges that it has control over. The commenter stated that in that situation, it would have the ability to verify and revoke access as necessary for the security of the facility. With the new flexibility for electronic TWIC inspection in this final rule, such crosschecking using facility-specific identification cards linked to a PACS is possible, as long as the facility’s PACS performs the biometric identification, card validity check, and card authentication procedures required in this final rule prior to each entry into a secure area. One commenter stated that the ‘‘prior to each entry’’ requirement is impracticable for cruise ship terminals. This commenter stated that dozens of porters, stevedores, and shore staff constantly move baggage in and out of secure areas using mechanical equipment such as forklifts and hand trucks, and that requiring electronic TWIC inspection at each entry would be potentially unsafe. We realize that there is a need to balance the requirement to ensure that only TWIC-holders are granted unescorted access to secure areas with the operational needs of a facility. In a situation such as that described by the commenter, an RUA plan could alleviate the burden of repeated and constant electronic TWIC inspections. The RUA option was designed primarily to address the needs of baggage handlers and stevedores, and was developed to facilitate operations such as those described by the commenter where persons must enter and exit a secure area on a continual basis. RUA is described in more detail in Section V.C of this preamble. Several commenters were concerned that the proposed requirement for permanently placed TWIC readers at the access points for Risk Group A facilities offered no flexibility, and could restrict the use of portable TWIC readers as an option at less heavily-trafficked access points. We first note that the NPRM did not specifically require a fixed TWIC reader at all access points, but we assumed that many facilities would use fixed TWIC readers over portable ones at fixed access points for the purposes of analysis. However, we agree with the commenter that the NPRM did not offer PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 57673 enough flexibility, and thus this final rule adds another option for electronic TWIC inspection. Facilities will be able to use fixed electronic readers, portable electronic readers, or a PACS to conduct electronic TWIC inspection, depending on which works best considering their business operations. One commenter raised a concern that a requirement to present a TWIC prior to each entry into a secure area would mean that TWIC-holders would have to carry their cards at all times, thus exposing cards to being damaged in a harsh environment or lost. The commenter recommended that a system be utilized that would allow them to keep their workers’ TWICs in a safe and secure location where, upon request, the TWICs could be retrieved and inspected within a reasonable amount of time. We agree that this could be appropriate in many maritime environments, and thus the flexibility allowed by this final rule would permit such a system. A facility could control access to secure areas using a PACS to conduct the electronic TWIC inspection, thus allowing the TWICs themselves to be maintained in a safe, nearby location, where they could be inspected if necessary. One commenter requested clarification with regard to overall personnel accountability within secured areas. Specifically, the commenter asked if the Coast Guard would require TWICholders to record when they exited a secure area, and if a facility should know who is in a secured area, at all times. In this rulemaking, we did not propose to require personnel accountability in this fashion, nor does the final rule require TWIC-holders to record when they exit a secured area. Another commenter expressed support for not proposing such a requirement in the NPRM. The final rule only requires electronic TWC inspection upon entering a secure area of a Risk Group A facility. With regard to recordkeeping, as discussed above, this final rule only requires that records be kept of individuals that enter the secure area, and of when they entered. This final rule does not require that records be kept of individuals leaving a secure area, nor does it require that records be kept of who is in a secure area at any particular time. b. Recurring Unescorted Access Many commenters requested that the Coast Guard reinstate the concept of RUA that had originally been considered in the ANPRM, but was not proposed in the NPRM. As described in the ANPRM, as part of an RUA plan, the owner or operator of a vessel or facility would conduct an initial biometric E:\FR\FM\23AUR2.SGM 23AUR2 57674 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations match of the individual against his or her TWIC, either at hiring or upon the effective date of a final rule, whichever occurs later. This biometric match would include a verification of the authenticity and validity of the TWIC. Once this check is done, the TWIC would only be used as a visual identity badge, at a frequency to be approved by the Coast Guard in the amended security plan, so long as the validity of the TWIC is verified periodically, ranging from monthly to daily, depending upon Risk Group and MARSEC Level.45 RUA, as described in the ANPRM, would be limited to 14 TWIC-holders per vessel or facility, although it was not clear whether that meant an RUA regime would only be approved if the vessel or facility crew were limited to 14 TWIC-holders, or if 14 people per vessel or facility would be exempted from electronic TWIC inspection procedures that would still be in place for other employees or persons seeking access. The Coast Guard opted not to include RUA in the proposed regulatory text in the NPRM, despite the fact that many ANPRM commenters supported various versions of RUA procedures. In the NPRM, we explained that ‘‘RUA was previously proposed [in the ANPRM] to introduce flexibility and provide relief to vessels otherwise required to use TWIC readers, based on the familiarity that exists between a relatively small number of crewmembers.’’ 46 However, by limiting electronic TWIC inspection requirements to Risk Group A vessels only, and including the vessel crewmember exemption in the TWIC applicability section, we believed we had rendered the need for RUA as a mechanism for regulatory relief unnecessary. One commenter requested clarification about whether the proposed RUA mechanism would apply to facilities as well, or just vessels. While the NPRM did not explicitly discuss the use of RUA for facilities, we did not consider such plans viable. Unlike vessels, facilities regularly receive unfamiliar personnel, such as 45 See sradovich on DSK3GMQ082PROD with RULES2 46 See 74 FR 13362. 78 FR 17804. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 visitors, contractors, and deliveries, and must have a means to ensure those visitors are valid TWIC-holders, regardless of the size of the regular staff. We received several comments in response to the decision in the NPRM not to include an RUA provision. Most commenters recommended that some sort of RUA provision be included in the final rule, although they differed in their interpretations of what, exactly, an RUA plan would entail. Furthermore, multiple commenters laid out specific examples of how RUA could improve operations in several scenarios. These comments are described below. One commenter suggested that an RUA plan for vessel and facility operations, including operations at facilities that service passenger vessels, would require that a TWIC-holder undergo electronic TWIC inspection once when he or she reports for work each day. It was unclear from these comments specifically how this plan would be implemented. If RUA were limited to certain crewmembers or employees, it is unclear how those crewmembers would differentiate themselves from other TWIC-holders who would still be required to undergo electronic TWIC inspection prior to each entry into the vessel or into a secure area of the facility. Furthermore, unless all crewmembers or employees were subject to the RUA plan, it is unclear how such a system would reduce costs, as access control measures would still need to be in place that would need to differentiate between TWIC-holders and non-TWIC-holders, but also differentiate between those TWIC-holders granted RUA and those subject to repeated electronic TWIC inspection. These questions, along with the exemption from electronic TWIC inspection requirements for vessels with low numbers of crewmembers, are the reason that the RUA plan was not proposed in the NPRM, despite being raised in the ANPRM, and we still do not have clear answers to these issues. Several commenters raised the issue of RUA with regard to certain port workers who repeatedly enter and leave secure areas, such as baggage porters at cruise terminals or workers such as PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 stevedores transferring cargo into a secure area. Similarly, one commenter expressed concern about how porters would be able to do their jobs if required to conduct electronic TWIC inspection at each entry into the baggage area. Some commenters suggested that in order to permit workers to efficiently perform their jobs, which may entail entering and leaving a secure area several times an hour, biometric checks should be limited to the beginning of a shift and after extended breaks. The commenter stated that it is not operationally practical to have these workers undergo electronic TWIC inspection repeatedly. We agree that, for narrow classes of vessel or facility employees such as baggage porters, the electronic TWIC inspection requirements could prove particularly burdensome, and that these workers could be accommodated using a limited form of RUA as suggested by the commenter. Some scenarios where this may prove useful include, for example, porters who carry baggage from a curbside check-in area (unsecure) to a baggage storage area (secure) for cruise customers, or forklift operators who transport packages from a loading area (unsecure) to a secure storage area on a vessel or facility. These persons need to travel back and forth across the secure-unsecure boundary repeatedly, and repeated electronic TWIC inspections can be both cumbersome and redundant in these situations. Therefore, to accommodate these situations without compromising security, we have added a limited form of RUA into this rule as § 101.555. The system would operate as follows: a vessel or facility would designate an area as a ‘‘Designated Recurring Access Area (DRAA)’’ in its security plan. As shown in Figures 1 and 2, the DRAA would consist of adjoining secure and unsecure areas, as well as the access gates between them. As long as a TWICholder stayed inside the designated area, he or she could pass between the unsecure and secure portions of the DRAA without having to undergo an electronic TWIC inspection each time he or she entered the secure portion. BILLING CODE 9110–04–P E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations 57675 Figure 1: Designated Recurring Access Area (DRAA): Facility PIER FACE SECURE AREA WITHIN THE FACILITY DESIGNATED RECURRING ACCESS AREA (DRAAI VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00025 Fmt 4701 Sfmt 4725 E:\FR\FM\23AUR2.SGM 23AUR2 ER23AU16.000</GPH> sradovich on DSK3GMQ082PROD with RULES2 DELIVERY TRUCK ACCESS Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 BILLING CODE 9110–04–C We have considered the problem of differentiating between those persons granted recurring access and those who must undergo electronic TWIC inspection prior to each entry. Certain restrictions and conditions would be applied to ensure that no unauthorized persons gain access to the secure area through the DRAA. In order to allow recurring access, the Coast Guard is requiring that security personnel be present at the access points to the secure areas where recurring access is used. Although electronic devices, such as TWIC readers or a PACS reader, can be used to control access at other entrances, in an RUA situation the VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 TWIC (or a linked PACS card) is not presented at each entry to the secure area. Instead, the presence of security personnel is necessary to properly control access while allowing the known DRAA participants to pass through repeatedly. An additional requirement for a DRAA is that the entire unsecured area must be visible at all times to the on-site security personnel. This requirement is necessary to ensure that all recurring access participants have undergone the necessary electronic TWIC inspection before entering a secure area. We believe that without this requirement, it might be possible for a non-TWIC-holder to ‘‘talk their way’’ into a secure area by PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 claiming they had already undergone a TWIC inspection, and had merely returned from an authorized break. We note that among various GAO criticisms of the maritime security program, this was one of the means by which GAO investigators were able to bypass security measures. We agree with one commenter that suggested electronic TWIC inspection should be repeated once returning from a break. By requiring recurring access participants to stay within sight of the security personnel or undergo a new electronic TWIC inspection, we can ensure that these types of incidents do not happen. To gain recurring access, a TWICholder would need to undergo E:\FR\FM\23AUR2.SGM 23AUR2 ER23AU16.001</GPH> 57676 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 electronic TWIC inspection, including biometric matching, the first time the TWIC-holder entered the secure portion of a DRAA. This would of course happen at the beginning of a work shift, but would also happen after each time the TWIC-holder left the DRAA for any reason, including administrative reasons, lunch breaks, or even to use the restroom. We have also added a provision that requires at least one electronic TWIC inspection per change of security personnel in order to account for shift changes. We have attempted to make the RUA policy as flexible as possible while still maintaining security. We note that the use of a DRAA is a wholly voluntary option, and that access to secure areas of a vessel or facility may always be accomplished through the procedures in §§ 101.535 and 101.550. Even within a DRAA, only access points that are used for recurring access must be manned by security personnel, so there can be other access points controlled by unmanned means (such as a lock connected to a TWIC reader) for employees who do not need recurring access. Furthermore, an area can be designated a DRAA at certain times. For example, at a cruise ship terminal, a curbside area could be designated a DRAA only during boarding times. This would allow the access points to be secured by unmanned means during other periods when recurring access is not necessary. We also note that a DRAA may be incorporated in a Joint Vessel and Facility Security Plan, allowing an area where employees can cross from a pier to a vessel repeatedly without having to undergo electronic TWIC inspection each time. This can facilitate the loading or unloading of vessels considered secure areas. 2. Risk Group A Vessels We received fewer comments regarding the requirements for electronic TWIC inspection for Risk Group A vessels than for vessels in other Risk Groups. In the NPRM, we discussed the TWIC reader requirements as applied to the Risk Group A vessel population in Section IV.L, ‘‘Physical Placement of TWIC Readers.’’ In that section, we stated that ‘‘[w]e propose to amend 33 CFR 104.265(a)(4) by requiring a vessel owner or operator to place TWIC readers at the vessel’s access points only, regardless of whether the secure area encompasses the entire vessel.’’ 47 We realize that this sentence may have been confusing, as the only proposed modification to § 104.265(a)(4) was to add the sentence 47 78 48 78 FR 17830–17831, Amendatory Instruction 16a 49 We note that the language cited is actually from proposed § 101.520(a)(1), not § 104.265(a). FR 17816 VerDate Sep<11>2014 ‘‘Depending on a vessel’s Risk Group, TWICs must be checked either visually or electronically using a TWIC reader or as integrated into a PACS at the locations where TWIC-holders embark the vessel’’ to the existing requirement that the owners or operator of a vessel must ensure that only authorized TWICholders are granted unescorted access to secure areas of the vessel.48 A clearer citation would have been to § 101.514(a)(1), which contained the proposed requirement that prior to each entry, all persons seeking unescorted access to secure areas in Risk Group A vessels and facilities must present a TWIC. The regulatory text was also unclear about what ‘‘prior to each entry’’ meant, and many commenters believed that it meant prior to each entry into a secure area of the vessel, which was contrary to the stated intent of the preamble. As stated above, in this final rule, we are modifying the electronic TWIC inspection requirements so that they are both more flexible and more performance-oriented than described in the NPRM. In this final rule, we require electronic TWIC inspection rather than the presentation of a TWIC. Furthermore, again as stated above, we are clarifying the language relating to the locations of electronic TWIC inspection. The new language, contained in § 101.535(a), ‘‘Requirements for Risk Group A Vessels,’’ reads ‘‘prior to each boarding of the vessel.’’ We believe that this change should improve the clarity of the regulatory text. The Passenger Vessel Association (PVA) noted the confusion between the preamble and regulatory text, noting in its comments that ‘‘The proposed rule states (proposed § 104.265(a) 49), ‘Prior to each entry, all persons must present their TWICs for inspection using a TWIC reader.’’’ The PVA argued that ‘‘[t]he Coast Guard’s explanatory material in the Federal Register suggesting otherwise cannot override the very clear language of the proposed regulation.’’ We agree that the language is confusing, and have clarified it appropriately. The commenter also recommended that the Coast Guard adopt a version of RUA that would allow a single verification of the TWIC status when the TWIC-holder reports to the secure area for the first time each day. While this was not what RUA, as proposed in the ANPRM, was intended to do, we note that the clarified 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 57677 electronic TWIC inspection requirements in this final rule will result in far fewer inspections on vessels than the commenter anticipated. One commenter, who operates as a combined ferry/terminal operator, discussed methodologies to improve security through a ‘‘Combined Security Plan’’ that allowed them to effectively identify risk while allowing their employees to perform their duties in a secure and efficient manner. The commenter suggested that its ferries have multiple points of access from the terminal to the ferry as well as multiple points of access to secure areas within the ferry. The Coast Guard agrees that insofar as security measures between a terminal and ferry can be combined, a combined plan can produce a more effective and efficient security regime than separate plans. Furthermore, secure areas within terminals can be connected to the entrances of ferries. In those instances, where TWIC-holders pass directly from a secure area of the terminal onto a ferry, an additional electronic TWIC inspection is unnecessary. For that reason, we interpret the phrase ‘‘prior to each boarding of the vessel’’ in § 101.535(a)(1) to include the situation in which an electronic TWIC inspection has been carried out prior to boarding a ferry, and the TWIC-holder has not entered an unsecure area in the interim. We believe that such an allowance will reduce the costs of compliance with the electronic TWIC inspection program for combined ferry/terminal operators without compromising security. Several commenters posed questions relating to a situation in which a Risk Group A vessel, such as a ferry, has multiple secure areas separated by unsecure areas, but sole control of its terminal facilities. These commenters asked whether it would be possible to have only one TWIC reader at each terminal facility for both vessel and facility workers. As explained below, such a system could meet the requirements for electronic TWIC inspection. If a worker is granted unescorted access to a secure area of a Risk Group A facility, and remains in the secure area, he or she may board a Risk Group A vessel without a second electronic TWIC inspection. We note that once on board a Risk Group A vessel, a worker does not need to undergo additional electronic TWIC inspections when entering secure areas. One commenter stated that vessels at sea should be required to update the CCL if there are separate and distinct secure areas on board the vessel. We disagree, and note that the requirement for Risk Group A vessels is that E:\FR\FM\23AUR2.SGM 23AUR2 57678 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 electronic TWIC inspections are only performed when the personnel are boarding the vessel, not, like facilities, at each entry into a secure area. Therefore updating the CCL while at sea would not serve any functional purpose. 3. Risk Groups B and C In this final rule, we are completely removing any mention of additional TWIC requirements for vessels and facilities other than those covered under § 101.535, ‘‘Electronic TWIC inspection Requirements for Risk Group A.’’ Many commenters noted the apparent differences between the language on Risk Groups B and C in the NPRM preamble and the proposed regulatory text in §§ 101.525 and 101.530, which pertained to Risk Groups B and C respectively. In the preamble of the NPRM, we stated that we were making no changes to either of those groups. For example, in Section III.E.7.b of the NPRM, ‘‘Risk Group B TWIC Reader Requirements,’’ we stated that ‘‘proposing requirements for Risk Group A only in this NPRM is indicative of our desire to minimize highest risks first. . . .’’ 50 Likewise, in Section III.E.8.b, ‘‘Risk Group C TWIC Requirements,’’ we noted that ‘‘Under current regulations (which would not change under this NPRM) for vessels and facilities categorized in this NPRM Risk Group C, security personnel must visually inspect the TWIC of each person seeking unescorted access to secure areas.’’ 51 Our preliminary RA echoed this language. In that document, we did not include any cost analyses relating to vessels or facilities in Risk Groups B or C. However, as commenters noted, in proposed §§ 101.525 and 101.530, we included language from the ANPRM that contradicted the statements in the preamble that no new requirements were being proposed for Risk Groups B and C. The proposed regulatory text would have required vessels and facilities in Risk Groups B and C to undergo visual TWIC inspection prior to each entry into a secure area. Thus, the practical effect of such a requirement would have been to require security personnel be posted at each entry point, which many commenters argued would dramatically increase the compliance costs for MTSA-regulated vessels and facilities in Risk Groups B and C, contrary to the stated intent of the regulation. The specific comments are described in greater detail below. We received a large number of comments from the owners and operators of passenger vessels that would have been categorized as Risk Groups B and C. These individuals suggested that the proposed regulatory text would impose severe burdens on their operations, burdens that would be extremely costly and produce relatively little in the way of security benefits. The PVA’s comment summed up many of its members’ statements, noting that ‘‘Group B and C passenger vessels and facilities have multiple and widely separated secure areas with large public access areas in between. TWIC-holders move regularly in and out of those spaces multiple times during the day. As a practical matter, this means that in those vessels and facilities, there must be some other person stationed in or outside of each secure area to visually inspect the TWIC and presumably bar the holder from entry if the visual inspection is unsatisfactory.’’ 52 We agree with the PVA that, with regard to passenger facilities, the wording of the proposed regulatory text could have had this effect, but these concerns are moot because we removed the proposed provisions on Risk Groups B and C. Many operators of passenger vessels argued that the requirement to visually inspect TWICs at each entry point into a secure area would be enormously expensive, impracticable, and provide little security benefit. One commenter suggested that the use of existing access control systems on vessels could be used in place of visual TWIC inspection on vessels. One commenter wrote, ‘‘we do not have enough berthing to add 2 additional people that would do nothing but sit at the galley door on opposite shifts and request to see the TWIC card of [the] same person multiple times per day.’’ 53 Another commenter wrote that requiring a visual TWIC inspection at each entry to a secure area on a vessel ‘‘is a bit like asking your brother who lives in your household for his ID whenever he needs to use the restroom.’’ 54 Commenters also argued that needing to present a TWIC to enter an unmanned engine room space could hinder access in an emergency. Many other commenters echoed the substance of these remarks. In this final rule, we hope to clarify that: (1) With regard to Risk Group A vessels, the requirement to undergo electronic TWIC inspection applies only upon boarding the vessel, and (2) there are no new requirements, for either visual or electronic TWIC inspection, or anything else applicable to vessels or facilities outside of Risk Group A in this final rule. The existing 52 USCG–2007–28915–0190, 50 78 FR 17802. 51 78 FR 17803. VerDate Sep<11>2014 19:12 Aug 22, 2016 p. 12. 53 USCG–2007–28915–0139. 54 USCG–2007–28915–0215, Jkt 238001 PO 00000 Frm 00028 Fmt 4701 p. 3. Sfmt 4700 visual TWIC inspection requirements in 33 CFR Chapter I, Subchapter H continue to apply to vessels and facilities outside of Risk Group A. We received similar comments pertaining to Risk Group B and C facilities. Many commenters requested that the final rule should state that approved FSPs using PAC 08–09 practices continued to be allowed for Risk Group B and C facilities. We reiterate that this final rule imposes no changes on the operation of Risk Group B or C facilities; accordingly, such practices will continue to be allowed. One commenter suggested that the guidance permitting voluntary use of TWIC readers, contained in PAC 01–11, be continued for Risk Group B and C facilities. While that guidance is rendered obsolete by this final rule, we note that its contents have been largely incorporated into the final rule as § 101.540, which permits non-Risk Group A facilities to use electronic TWIC inspection procedures in lieu of visual TWIC inspection on a voluntary basis. One commenter recommended that language be added to proposed § 101.525 (Risk Group B) that would allow a PACS card to be used in place of a TWIC at each entry to a secure area. Some commenters noted that the PAC 08–09 practices are significantly less costly than inspecting a TWIC at each entry into a secure area. While the rule imposes no new TWIC inspection requirements on Risk Groups B or C, we follow this suggestion with regard to Risk Group A facilities in the form of increased flexibility for electronic TWIC inspection. One commenter added that this could be coupled with a periodic TWIC check to ensure it is still valid. We note that Coast Guard inspections, conducted at Risk Group B and C facilities, accomplish exactly this check. 4. Miscellaneous Questions Regarding the Locations of Electronic TWIC Inspection In this section, we address certain questions raised by commenters on issues related to the locations where electronic TWIC inspections must take place. Several similar comments asked us to clarify what an ‘‘access point’’ to a secure area is. The commenter provided an example of an alarmed fire escape door that leads to a pier, which is designated as a secure area. In response, we would clarify that an ‘‘access point’’ is any location where personnel access from a non-secure area to a secure area is permitted, in any circumstance, by a facility’s security plan. However, we agree with the commenter that requiring an electronic E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 TWIC inspection in the event of a fire would be unwise. For that reason, we are including language in § 101.535(e), allowing an exemption from electronic TWIC inspection requirements for emergency situations. We believe that this exemption will protect against unauthorized access to secure areas without compromising safety in the event of an emergency response. The commenter also provided an example of a roll-up baggage door, where the porters bring in luggage they collect from guests at the curb in front of a cruise ship terminal. Next to the roll-up door is ‘‘a typical personnel door.’’ The commenter asked if the two doors count as a single access point, or if they are two separate access points, where each door requires its own TWIC reader. Again we note that in this final rule, we are not requiring the installation of TWIC readers; instead the requirement is that prior to being granted unescorted access to a secure area, an individual must undergo electronic TWIC inspection. Thus, two doors to a secure area could be controlled by a single TWIC reader or PACS reader, if permitted in the FSP. The commenter also asked about an area that switches between being secure and non-secure based on the operations taking place there at a given time. In such an instance (and permitted, we assume, by the FSP), when the area is designated secure, persons would need to undergo electronic TWIC inspection before being granted unescorted access. At times when the area was designated non-secure, there would be no such requirement. We would expect the relevant FSP to contain more detail on how such an area would operate. D. Determination of Risk Groups The third major area of comments related to the determination of which vessels and facilities should be placed into which Risk Groups. In §§ 104.263 and 105.253 of the NPRM, we proposed three different Risk Groups, A, B, and C, although there were no differences between the requirements for Risk Groups B and C. The proposed Risk Groups were as follows: Risk Group A: • Vessels certificated to carry more than 1,000 passengers; • Vessels that carry CDC in bulk; • Vessels engaged in towing another Risk Group A vessel; • Facilities that handle CDC in bulk; • Facilities that receive vessels certificated to carry more than 1,000 passengers; and • Barge fleeting facilities that receive barges carrying CDC in bulk. Risk Group B: VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 • Vessels that carry hazardous materials, other than CDC, in bulk; • Vessels subject to 46 CFR chapter I, subchapter D, that carry any flammable or combustible liquid cargoes or residues; • Vessels certificated to carry 500 to 1,000 passengers; • Vessels engaged in towing a Risk Group B vessels; • Facilities that receive vessels that carry hazardous materials, other than CDC, in bulk; • Facilities that receive vessels subject to 46 CFR chapter I, subchapter D, that carry any flammable or combustible liquid cargoes or residues; • Facilities that receive vessels certificated to carry between 500 and 1,000 passengers; • Facilities that receive vessels subject to 46 CFR chapter I, subchapter D, that carry any flammable or combustible liquid cargoes or residues; • Facilities that receive a vessel engaged in towing a Risk Group B vessel; and • All OCS facilities subject to 33 CFR part 106. Risk Group C: • Vessels carrying non-hazardous cargoes that are required to have a VSP; • Vessels certificated to carry fewer than 500 passengers; • Vessels engaged in towing a Risk Group C vessel; • Facilities that receive vessels carrying non-hazardous cargoes; • Facilities that receive vessels certificated to carry fewer than 500 passengers; and • Facilities that receive vessels towing a Risk Group C vessel. Most comments were related to the categorization of vessels and facilities in Risk Group A, with many commenters requesting clarification on how to classify their own facilities, or offering rationales for why vessels and facilities should be categorized differently. As stated in previous parts of this discussion, the NPRM did not propose any additional requirements for Risk Groups B or C, and thus, for purposes of the electronic TWIC inspection requirements, whether or not a vessel or facility is classified as Risk Group A is the only relevant distinction. In this final rule, we have made a number of modifications to the classification of facilities and vessels in response to the comments. The major changes are summarized as follows: • We have changed the crewmember exemption cutoff for vessels from 14 crewmembers to 20 crewmembers, as well as clarified how to calculate the number of crewmembers to apply this exemption. PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 57679 • We have removed the specific reference to barge fleeting facilities from the Risk Group A classification, and now treat barge fleeting facilities like all other MTSA-regulated facilities. • We have eliminated the distinction between Risk Groups B and C. Vessels and facilities are now classified as either Risk Group A or non-Risk Group A. 1. Risk Group A Facilities In the NPRM, we defined Risk Group A facilities in proposed § 105.253(a) as: (1) Facilities that handle CDC in bulk; (2) Facilities that receive vessels certificated to carry more than 1,000 passengers; and (3) Barge fleeting facilities that receive barges carrying CDC in bulk. We developed Risk Group A, along with the other Risk Groups, using a risk-based analysis system that identified which types of facilities were exposed to the most risk in the event of a TSI. This system used the MSRAM to derive a numeric ‘‘consequence’’ for a class of facilities. Once the potential risk to a class of facilities was ascertained, we then determined whether a program of electronic TWIC inspection would provide utility in alleviating that risk. This analysis is described in far greater detail in the ANPRM 55 and the NPRM,56 and we refer interested parties to those documents for a detailed discussion. Several commenters raised issues relating to the fundamental nature of our analysis, arguing that certain factors, such as the geographic location of a facility or its proximity to higher-risk facilities should have been incorporated into our analysis. After considering the comments, we have decided to largely retain the overall structure of how Risk Group A is structured. The basis for the analysis is discussed in Section V.A, above. Several commenters suggested that the MSRAM analysis used by the Coast Guard to determine Risk Group A was flawed, and that a different methodology to determine the Risk Groups should have been employed that would bring more facilities into the Risk Group A category. Many of these commenters recommended that the Coast Guard adopt a risk analysis approach that focuses on area risks or geography, rather than the risks associated with classes of facilities. For example, one commenter recommended that the risk analysis should have included the risk to port operations where the port has minimum channel depth, or for petrochemical facilities that would create a significant impact to 55 74 56 78 E:\FR\FM\23AUR2.SGM FR 13363. FR 17810. 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57680 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations commodity supplies, or chemical facilities where an attack could have significant environmental consequences. Other commenters recommended that the Coast Guard consider the geographic area surrounding a facility as the most important factor in determining the appropriate Risk Group. Similarly, another commenter stated that the Coast Guard should expand the risk-based concept and aggregate risks to the port area first, before using MSRAM to determine specific risks. In response, the Coast Guard considered a broad range of factors, including geographic location, when determining the Risk Groups. The totality of that analysis identifies the highest risk vessels and facilities. One commenter stated that the Port of New York is the nation’s highest-risk port, suggesting that TWIC inspection should also be used to mitigate risks associated with criminal activity such as drug trafficking, cargo theft, and alien contraband smuggling. The commenter suggested that TWIC readers should be required at more facilities in that port than are required under this rule. We are not requiring electronic TWIC inspection as a crime prevention measure, and we reiterate that the primary purpose of requiring electronic TWIC inspection is not to prevent crime, but to prevent TSIs at high-risk vessels and maritime facilities. One commenter stated that MSRAM does not contain any data that identifies TWIC readers as a threat mitigation tool, and that assumptions must have been made that would connect the MSRAM data with mitigation scenarios based on TWIC readers. In response, as emphasized throughout this preamble, an electronic TWIC reader is a threat mitigation tool because it provides identity verification, card authentication, and card validity checks more effectively than visual TWIC inspection. In the MSRAM context, a target’s ‘‘vulnerability’’ is defined as the probability that an attack will be successful. MSRAM measures target vulnerability as a product of three factors: (1) Achievability, which assumes the absence of all security measures and then factors in the degree of difficulty delivering an attack on a target; (2) Target Hardness, which considers the probability that the attack focal point would fail to withstand the attack; and (3) System Security, which considers the probability of a security strategy in place to successfully thwart an attack before it occurs. Electronic TWIC inspection is a component of System Security. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 Some commenters argued that the relative locations of Risk Group A and B facilities should factor into the risk analysis. One commenter stated that the NPRM did not consider a scenario where a Risk Group B facility is immediately adjacent to a Risk Group A facility. The commenter suggested that a terrorist could use a counterfeit TWIC to gain access to the Risk Group B facility (which would conduct only a visual TWIC inspection), and then use the location to mount an attack on the adjacent Risk Group A facility. Other commenters echoed the sentiment, stating that a Risk Group B facility that is immediately adjacent to a Risk Group A facility should not automatically have less stringent requirements that could become a threat vector. While we agree that this specific scenario was not used in our analysis, we also do not believe that it would be appropriate to consider. We note that in this scenario, all the counterfeit TWIC accomplishes is to allow the adversary to get to the perimeter of the Risk Group A facility. If the Risk Group B facility was not located in the adjacent location, then it would be even easier for the terrorist to get to the aforementioned perimeter. Electronic TWIC inspection is designed to thwart access to the secure area of Risk Group A facility, not to prevent access to the secure perimeter. One commenter recommended that large container terminals should not be classified as Risk Group B, but rather as Risk Group A. The commenter stated that a disruption of operations at any one of these facilities could have a significant impact on the economy, and that the Coast Guard should have used secondary consequences in its economic analysis. While we agree that a disruption of a large container terminal could have significant economic impacts, we disagree with the suggestion that container facilities should be automatically classified in Risk Group A. As stated elsewhere in this preamble, MSRAM considers scenarios associated with threats to container facilities. However, for the purpose analyzing electronic TWIC inspection, we limited our consideration to attack scenarios that require physical proximity to the intended target. Controlling access to a target is an essential component of security from such attack scenarios because access control helps to detect and perhaps delay the attackers before they reach the target. Threats to cargo containers are typically not attack scenarios that require physical proximity to the intended target. Accordingly, electronic TWIC PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 inspection would not mitigate such threats. Such threats are addressed in existing Coast Guard regulations (33 CFR 104.275 and 105.265) that specifically require owners and operators to implement detailed security measures relating to cargo handling on vessels and at facilities. a. Alternative Security Programs One commenter, representing the American Gaming Association, recommended that instead of the risk categorization approach proposed in the NPRM, the Coast Guard should adopt a case-by-case approach to classification of facilities participating in its Alternative Security Program (ASP). This commenter noted that the security measures adopted on these vessels and facilities can be more restrictive than Coast Guard regulations require, and that those vessels and facilities should not be required to use TWIC readers. Furthermore, the commenter stated that the TWIC reader technology may be duplicative with systems onboard gaming vessels. We disagree, for the reasons stated above, with using a caseby-case approach to risk categorization rather than the Risk Group system proposed in the ANPRM and NPRM. However, we note that several suggestions that the commenter made are permitted by this final rule. If the existing security system on a vessel or facility is duplicative of a TWIC reader (i.e., is capable of conducting a card authentication, card validity check, and biometric match), then a dedicated TWIC reader would not be required. We believe that a PACS can be modified to meet these requirements with relatively little additional costs, as discussed in the accompanying RA. Similarly, several commenters stated that the combined vessel and facility security plan, as adopted in the PVA ASP, should permit facilities to be exempt from electronic TWIC inspection requirements if the vessels they service are exempt. For reasons discussed below, we disagree. We note that all ASPs, including the PVA ASP, can be used to integrate security between passenger terminals and vessels, but that the ASP must meet all electronic TWIC inspection requirements in this final rule. b. Determining Risk Group A Facilities Several commenters asked questions or requested clarifications of issues related to whether certain facilities would be classified as Risk Group A facilities. Our thoughts on these specific questions are below: One commenter requested clarification regarding a cruise terminal E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations that handles general cargo (presumably not including bulk CDC) when cruise ships are not present. The commenter asked whether a Risk Group A classification would only apply to a facility when a passenger vessel certificated to carry 1,000 or more passengers was at the facility. In such an instance, movement between Risk Groups would be permissible, if detailed in the FSP in accordance with 33 CFR 105.253(b). One commenter suggested that allowing movement between Risk Groups would be unfair to those facilities that have installed electronic TWIC inspection technology. We disagree, and note that when subject to Risk Group A electronic TWIC inspection requirements, a facility would have to make full and complete use of such technology, and would incur all the costs of installing the technology. One commenter requested clarification that a facility would not be classed as a Risk Group A facility if it handles multiple passenger vessels not in Risk Group A simultaneously. This is correct, a facility (assuming, of course, that does not handle or receive vessels carrying CDC in bulk) would only be classified as Risk Group A if it handles one or more vessels certificated to carry over 1,000 passengers. The relevant risk factor is the presence at the facility of a vessel certificated to carry more than 1,000 passengers. The relevant risk factor is not the mere presence on the facility of more than 1,000 people, which would be a transient event driven by simultaneous arrivals. Several commenters requested clarification of the use of the word ‘‘handle.’’ Proposed § 105.253(a)(1) categorizes facilities that handle CDC in bulk as Risk Group A facilities, but commenters had questions about how to interpret this phrase. These commenters requested clarification on how a facility would be classified if a vessel carrying CDC in bulk were to stop at a facility, but not transfer any of the bulk CDC cargo there. After considering the comments, and to clarify risk groups, we have determined that any facility that handles or receives vessels carrying CDC in bulk will be classified as Risk Group A. While moored at a facility, a vessel must rely on the facility’s security program to adequately secure the interface between the facility and vessel and mitigate the threat of a TSI. For that reason, the facility should conduct electronic TWIC inspection to meet the security needs associated with handling or receiving vessels that carry CDC in bulk. Discussions at public meetings prompted the Coast Guard to clarify the VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 term ‘‘handle’’ as it related to nonmaritime commerce. Specifically, the question was raised whether a facility would be classified as Risk Group A if it was used to transfer CDC in bulk through rail or other non-maritime means. In this situation, such a facility would be considered to ‘‘handle CDC in bulk’’ and would be classified as Risk Group A. This is because the bulk CDC would be on the premises of a MTSAregulated facility, and thus the facility’s access control system would need to be used to mitigate the risk of a TSI. We note that there are provisions where non-maritime activities of a facility can be located outside of the facility’s MTSA footprint. In that situation, where the bulk CDC is not a part of the maritime transportation activities, it may be that a facility could define its MTSA footprint in such a way as to exclude that area. In such a case, the TWIC reader requirements that are being implemented in this final rule would not apply in that area. Several commenters also requested clarification of the term ‘‘in bulk.’’ The term ‘‘bulk’’ or ‘‘in bulk’’ is defined in the Coast Guard’s existing MTSA regulations (33 CFR 101.105) as meaning ‘‘. . . a commodity that is loaded or carried on board a vessel without containers or labels, and that is received and handled without mark or count.’’ Additionally, the term ‘‘bulk’’ is defined in 33 CFR 126.3 as ‘‘. . . without mark or count and directly loaded or unloaded to or from a hold or tank on a vessel without the use of containers or break-bulk packaging.’’ To clarify, the use of hoses and conveyor or vacuum systems would be considered direct loading or unloading and thus involve ‘‘bulk.’’ We have added such language to the definition of ‘‘bulk’’ in § 101.105 to improve clarity. We have also removed the phrase ‘‘on board a vessel’’ from the definition of ‘‘bulk or in bulk’’ to avoid confusion. Specifically, as stated above, a MTSAregulated facility would be classified as Risk Group A if it handled bulk CDC offloaded by a train or other nonmaritime means. A MTSA-regulated facility that handles or receives bulk CDC is determined to be Risk Group A whether or not the facility accepted the bulk CDC from a vessel. Finally, one commenter requested clarification that container terminals do not carry CDC in bulk. While we can clarify that CDC shipped in containers would not be considered bulk CDC, we note that some container facilities may also handle CDC in bulk. Some commenters requested clarification of the term ‘‘receive,’’ in regards to what the requirements would PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 57681 be if a Risk Group A vessel were received by a Risk Group B facility. The term ‘‘receive’’ is used in this final rule only in § 105.253(a)(2), which states that ‘‘facilities that receive vessels certificated to carry more than 1,000 passengers’’ are considered Risk Group A. In this instance, the word ‘‘receive’’ means that the vessel moors or transfers passengers to or from the facility. If there is a need for such a passenger vessel to moor up or transfer passengers at a non-Risk Group A facility, the COTP would need to be contacted to ensure that proper security measures are in place. One commenter asked how Strategic Ports would be classified. A Strategic Port designation, which means the location is used by the military to load equipment, has no direct impact on the electronic TWIC inspection requirements. Individual vessels and facilities will be required to comply with the applicable parts of this regulation based on their specific operations. One commenter asked if facilities that receive vessels certificated to carry more than 1,000 passengers would be classified as Risk Group A if all the vessels the facility received are exempted from the electronic TWIC inspection requirements by virtue of having fewer than 14 crewmembers. The commenter further stated that it is rare that the vessels certificated to carry more than 1,000 passengers ever carry that many, and that there are rarely 1,000 passengers in the facility. Regardless of this fact, pursuant to § 105.253(a)(2), such a facility would be required to conduct an electronic TWIC inspection prior to each entry into a secure area of the facility. We note that neither condition the commenter discussed is grounds for classifying the facility as anything other than Risk Group A. The fact that the vessels are exempt from the electronic TWIC inspection requirement due to their low manning requirement does not grant a TWIC exemption to the facility, for reasons discussed in greater detail below. Furthermore, the fact that the ferries at issue ‘‘rarely’’ carry the number of passengers they are certificated to carry does not change the status of the facility either. Our analysis has shown that the class of facilities that receive large passenger vessels present a heightened risk of a TSI, and that the use of electronic TWIC inspection in such facilities is an effective means to mitigate that danger. We believe that the access control requirements in this rule represent a good balance between costs and security. E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57682 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations Several commenters were concerned that the dichotomy between electronic TWIC inspections on vessels and facilities could present problems for mariners. One commenter called a situation ‘‘absurd’’ where a ferry terminal, servicing ferries certificated to carry over 1,000 passengers, would be required to meet electronic TWIC inspection requirements, while the ferries themselves would be exempt from those requirements due to their low crew size. We disagree with the commenter’s characterization of the regulations. Ferry terminals that handle large ferries present a risk of a largeconsequence TSI, so much so that we believe that requiring a biometric identification before granting an individual access to the non-passenger areas of the ferry terminal is a warranted security burden. On the other hand, we do not believe that electronic TWIC inspection is necessary to gain access to the ferries themselves, considering that non-TWIC-holding passengers will also have access to the same vessels. Contrary to the commenter’s assertion, we believe it is quite reasonable to only require electronic TWIC inspections when the TWIC-holder is accessing an area where non-TWIC-holders are excluded. As we stated previously, the electronic TWIC inspection requirements are designed in such a way as to only require a burden where the security benefits will be tangible and substantial, which is why they apply as they do. Some commenters suggested that where the presence of, and access to, CDC in bulk can be isolated from areas not containing these products within a large MTSA footprint, the facility should be allowed to limit elevated security measures to the higher-risk area only. This is a subject that was also raised in the NPRM.57 Upon consideration, and given the general flexibility accorded by this final rule, we believe that this suggestion is appropriate. If bulk CDC is contained in a discrete area of the facility, it may be possible to isolate that area from other areas of the facility. Any areas where bulk CDC is transferred, passed through, or stored (permanently or temporarily) would be subject to the electronic TWIC inspection access control requirements. If the owner or operator of a facility were to take this approach, we would still consider the facility a Risk Group A facility. However, the owner or operator would be permitted to delineate in the FSP a portion of the facility as not subject to the electronic TWIC inspection requirements. The FSP 57 78 FR 17797. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 would also have to contain details of how unescorted access to other secure areas is still limited to TWIC-holders. Finally, many commenters presented examples of specific situations where they believed that electronic TWIC inspection in parts or in all of their facilities was inefficient or redundant. With regard to those situations, we reiterate that an owner or operator may apply for a waiver of any requirement the owner or operator considers unnecessary, as provided in 33 CFR 104.130 and 105.130, as appropriate. We have endeavored to tailor these requirements to be as effective as possible, but certain situations must be dealt with on an individualized basis. One commenter in a public meeting asked the Coast Guard to consider an exemption for LNG/LPG facilities not conducting transfer operations. Similarly, this commenter and others requested an exemption for cruise ship terminals when vessels are not present at the terminal. Without specific information, we cannot comment on the likelihood of a waiver, but note that in certain circumstances, facilities can change Risk Groups depending on operational needs. One commenter in a public meeting stated that container facilities should not be considered CDC facilities, and would therefore not be in Risk Group A. Given the definition of ‘‘in bulk’’ provided in 33 CFR 101.105, any CDC being transported in a container (including tank containers) would be considered packaged and thus would not cause the facility to be classified as Risk Group A. We note that if a container facility were also used to transfer or store bulk CDC, it would be considered a Risk Group A facility and thus subject to electronic TWIC inspection requirements. 2. The Crewmember Exemption Does Not Apply to Facilities Many commenters supported the Coast Guard’s proposal to exempt vessels with 14 or fewer crewmembers, but felt that a similar exemption should be applied to facilities with 14 or fewer employees as well. For the reasons described below, we disagree with this concept and are not including an exemption for small facilities similar to the exemption for low-crew vessels. One reason not to expand the electronic TWIC inspection exemption to facilities is due to the specific language of the SAFE Port Act. As stated above, the vessel exemption is predicated on Section 104 of the SAFE Port Act, codified in 46 U.S.C. 70105(m)(1), which prohibits the Coast Guard from requiring the placement of PO 00000 Frm 00032 Fmt 4701 Sfmt 4700 an electronic reader on a vessel unless the vessel has more individuals on the crew that are required to have a TWIC than the number we determine warrants such a reader. No similar mandate exists regarding facilities. Secondly, we believe that the nature of access to facilities is fundamentally different from the nature of access to vessels, and thus the rationale that justifies an exemption for vessels with a low crew count does not transfer to facilities with a low employee count. As stated elsewhere in this preamble, the TWIC serves fundamentally different roles with regard to facilities and vessels, due to the nature of the respective populations. On vessels (with the exception of passenger vessels), everyone on the vessel is generally known to one another, and new persons are generally not introduced to the vessel population while at sea. For this reason, the electronic TWIC inspection requirements for vessels, when applied, require only that the electronic TWIC inspection occur when boarding the vessel, not prior to each entry into a secure area of the vessel (such as an engine room). Conversely, at facilities, the entrance, exit, and egress of persons who are not employees is a regular occurrence; drivers, contractors, pedestrians, mariners, and other nonemployees are on facility grounds regularly. Indeed, truck drivers make up one of the largest populations of TWICholders. For this reason, there are many persons on facility grounds that are not ‘‘known’’ to facility employees, and so additional security measures must be employed to ensure that unescorted access to the secure areas of a facility is granted only to TWIC-holders. For Risk Group A facilities, we believe that the appropriate level of security is to conduct an electronic TWIC inspection of each individual before granting them such access. That is why electronic TWIC inspection at facilities is required ‘‘prior to each entry into a secure area,’’ rather than only at the perimeter of the facility,58 as is the case with vessels. Due to the differences in electronic TWIC inspection requirements, we do not believe an exemption from the electronic TWIC inspection requirements based on a low number of employees is appropriate for Risk Group A facilities. One commenter, in addition to requesting the extension of the low crewmember exemption to facilities, specifically requested that barge fleeting facilities with 14 or fewer people be excluded as well. In this final rule, barge fleeting facilities are no longer a 58 See E:\FR\FM\23AUR2.SGM § 101.535(b)(1). 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations separate class of facilities specifically subject to electronic TWIC inspection requirements. However, barge fleeting facilities are treated as facilities, and are subject to the same electronic TWIC inspection requirements as other facilities. sradovich on DSK3GMQ082PROD with RULES2 3. The Low Number of Crewmembers Exemption The NPRM proposed that, unlike facilities, vessels in Risk Group A are exempt from the electronic TWIC inspection requirements unless they have more than 14 TWIC-holding crewmembers. This exemption was based, in part, on the statutory limit imposed in the SAFE Port Act, 46 U.S.C. 70105(m)(1), which prohibits the Coast Guard from requiring the placement of an electronic reader on a vessel unless the vessel has more individuals on the crew that are required to have a TWIC than the number we determine warrants such a reader. In the ANPRM and the NPRM, we tentatively proposed that this number would be 14 crewmembers, basing our recommendation on an analysis conducted by the Towing Safety Advisory Committee (TSAC). For the final rule, factoring in comments received and assumed risks, we have increased this number to 20 crewmembers. We received numerous comments on the proposal to exempt all vessels with 14 or fewer TWIC-holding crewmembers from the electronic TWIC inspection requirements. In the NPRM, we requested that commenters explain any alternative suggestions and provide available data to support their comments. Comments we received generally fell into two categories. Many commenters suggested different numbers for the exemption threshold, with a fair majority supporting a larger number, thus exempting more vessels from the electronic TWIC inspection requirement. The other main group of commenters requested clarification on how, specifically, we would calculate the crew size of any particular vessel to determine whether a Risk Group A vessel would be exempt from the electronic TWIC inspection requirements. Both items are discussed below. 4. Calculating the Total Number of TWIC-Holding Crewmembers Several commenters raised questions as to how, specifically, the Coast Guard would calculate the number of TWICholding crewmembers on a vessel to determine whether the vessel would be exempt from the electronic TWIC inspection requirements. Upon review, we found that there was some degree of VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 confusion with regard to how this number is determined. We have identified two approaches to calculating the exemption number that may have led to this confusion. One approach would be to calculate the number by counting the total number of persons employed as crewmembers on the vessel. The NPRM’s original determination of 14 crewmembers was calculated using this approach. That number included the Master, Chief Engineer, and three four-person rotating crews. We counted the total number of persons employed as crew, whether or not all of them would serve together simultaneously. The other approach would be to calculate the number by referring to a vessel’s Certificate of Inspection (COI) regarding crew size, which does not contain information regarding multiple crew rotations, but rather just the manning requirements for the vessel. Using that methodology, the same vessel described above, with a Master, Chief Engineer, and several four-person rotating crews would actually have had six crewmembers. As explained more fully below, this final rule adopts the latter approach. Commenters also put forth a number of detailed issues relating to how the number of crewmembers would be determined. One commenter noted that while at any given time during a shift, the total number of required TWICholders aboard will generally be 14 or fewer, during shift changes the number will swell to more than 14. The commenter went on to question the definition of the term ‘‘crewmember,’’ noting that there may be TWIC-holders on board, such as security personnel, who are not members of the marine crew required under the vessel’s COI. The commenter requested that the Coast Guard clarify the scope of the 14crewmember exemption with regard to TWIC-holders who are not members of the marine crew. Similarly, several commenters specifically requested that the Coast Guard clarify that the 14-crewmember threshold only includes the required number listed on the vessel’s COI, and does not include ‘‘persons in addition to the crew,’’ industrial workers, etc. Some commenters recommended that for uninspected vessels, ‘‘required crew’’ should include all personnel assigned to the vessel performing navigation, safety, and security functions. Commenters also asked whether crewmembers included additional individuals such as company representatives, cadets, and contractors. One commenter stated that 46 U.S.C. 2101(21) excludes certain company representatives from being PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 57683 counted as passengers, so they could be counted as crew. Also, in situations where a vessel is forced to carry persons other than crew, such as emergency responders, commenters asked if they would still be subject to the exemption from the electronic TWIC inspection requirement. In response to these comments, the Coast Guard is providing additional detail and explanation regarding this exemption. Based on our own analysis, and on the comments received, we agree with the commenters who suggested that ‘‘crewmembers’’ should include all personnel required to hold a TWIC in the required manning section of the COI (and we note that there are no uninspected vessels subject to MTSA requirements). Other persons in the crew section and the ‘‘persons in addition to the crew’’ section of the COI do not count towards the calculation for total number of TWIC-holding crewmembers. We reached this decision for the following reasons. First, whether a vessel is subject to electronic TWIC inspection requirements should not vary based on transient circumstances, such as whether a company representative is on board, or a crew change causes the number of TWIC-holders on the vessel to temporarily swell and exceed the threshold. Electronic TWIC inspection programs must be incorporated into a security plan and followed consistently. We believe that the stability from having a consistent electronic TWIC inspection process will help serve the goals of the inspection requirements while minimizing the burden on vessels and facilities in Risk Group A. Second, establishing the minimum manning requirement as the threshold number helps to ensure that other manning decisions are not affected by the electronic TWIC inspection requirements. For example, if it were based on the total number of employed crew, irrespective of whether that crew was required for manning the vessel, then some owners or operators of vessels might choose to lower their staffing requirements rather than introduce the new procedures. We received several comments suggesting that certain companies might choose to eliminate staff rather than comply with electronic TWIC inspection requirements. Tying the electronic TWIC inspection requirements to the minimum manning requirements will significantly reduce the risk of this occurring. The minimum manning requirements of a vessel are tied to the intrinsic nature of the vessel, and are not nearly as elastic as the other crewing needs of the vessel. E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57684 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations 5. Threshold for the Crewmember Exemption Based on the TSAC recommendation, we proposed in the NPRM that the cutoff number of crewmembers that make a vessel exempt from the electronic TWIC inspection requirement should be 14. We specifically requested comments from the public on whether 14 is an appropriate cutoff number, and requested explanations and available data to support any arguments for alternative numbers. We received numerous comments regarding this issue. Some commenters suggested that 14 was an appropriate number, but the majority suggested that it be increased. The PVA and other commenters suggested that the Coast Guard should not have followed TSAC’s recommendation, as not all sectors of the domestic maritime industry have input into that group’s recommendations. The PVA suggested that 20 was a more appropriate number, noting that the largest minimum manning requirement for its members’ vessels was 16. This figure is larger than 14, but not so large that long-time crewmembers would not recognize each other. This figure was suggested as appropriate because it would be a figure developed with the consultation of industry. Similarly, many passenger vessel operators suggested that the exemption threshold be set high enough to exempt passenger vessels. One commenter suggested that the threshold number of 14 did not make sense, and that even with a crew of 20–30 people, it would be impossible for an imposter amongst them to go unnoticed. Another commenter suggested that 40 crewmembers would be a better threshold, arguing that the regulatory compliance costs of electronic TWIC inspection, added to other costs relating to security, were too onerous. After considering all comments, we have decided to increase the number to 20 crewmembers as the figure for determining the threshold number under 46 U.S.C. 70105(m). Considering input received from all areas of industry, we believe it is an appropriate crew size at or under which all crewmembers will be able to quickly identify people who do not have unescorted access to secure areas. We realize that this may be a conservative figure, and that there is no hard number at which all crewmembers will recognize each other by sight. This number is highly dependent on the length of time the crew has served together, and on the reliability of every individual crewmember’s memory. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 Nonetheless, we believe that the figure of 20 crewmembers presents a reasonable threshold at which all members of the crew can be realistically be expected to recognize one another. However, we are continuing to study the issue, and may propose to expand the electronic TWIC inspection requirements by reducing the exemption threshold in a future rulemaking. The Coast Guard realizes that increasing the crewmember threshold now exempts not only most passenger vessels, but many vessels that carry CDC in bulk. We are comfortable with this exemption at this time for two reasons. First, as stated by many of the commenters, we believe that a crew of 20 on a vessel that carries CDC in bulk will all be familiar with one another, so the risk of an unauthorized person being unnoticed on the vessel is slim. Second, due to the requirements for electronic TWIC inspection at the facilities where the CDC vessels conduct a majority of their business, the vast majority of these crewmembers will have their TWIC verified when passing through the facility on their way to the vessel, during crew changes or other trips ashore. Finally, one commenter in a public meeting noted that TWIC readers on vessels may be exposed to explosive atmospheres, and that therefore, TWIC readers must be intrinsically safe. In the event that TWIC readers are installed in hazardous areas, they would need to comply with all applicable requirements associated with those areas, which would at the minimum likely entail additional costs for testing and certification, and we note that no TWIC reader on the QTL is currently certified as intrinsically safe. For these reasons, we believe that imposing an additional requirement that crewmembers undergo an additional round of electronic TWIC inspection each time they board the vessel would provide limited security value for vessel with fewer than 20 crewmembers carrying bulk CDC. 6. Outer Continental Shelf Facilities In the NPRM, we proposed to characterize all OCS facilities as Risk Group B, meaning that they would not need to undertake electronic TWIC inspection. In this final rule, the Coast Guard continues to exclude OCS facilities from electronic TWIC inspection requirements. One commenter, an owner of some OCS facilities, asked whether TWIC readers could be placed at ‘‘the point(s) of embarkation’’ as opposed to placing TWIC readers on the OCS facility itself. Such a placement would be permissible if described in an approved FSP. However, we note that because OCS PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 facilities are not considered Risk Group A, no electronic TWIC inspection requirements will apply as a result of this final rule. 7. Vessels and Facilities Not in Risk Group A Many commenters supported the Coast Guard’s decision not to include additional requirements for Risk Groups B and C in the NPRM. We appreciate the support, and agree that at this time, only vessels and facilities in Risk Group A will be affected by the electronic TWIC inspection requirements in this final rule. However, as stated in the NPRM, this final rule ‘‘should not be read to foreclose revised TWIC reader requirements in the future.’’ 59 Many commenters took this, and similar statements, as an indication that we had planned to extend electronic TWIC inspection requirements to Risk Group B vessels and facilities. As a result, we received several comments on the categorization of vessels and facilities within those Risk Groups. One commenter suggested that all facilities, including those proposed to be in Risk Groups B and C, should be required to have at least one portable TWIC reader. The commenter stated that this would allow the facility to complete a comprehensive check of a TWIC, which would help to deter potential attackers by making it more likely that they would be caught. While we agree that adding electronic TWIC inspection to all facilities would produce a security benefit, for the reasons extensively detailed in this rulemaking, we do not believe that such measures would be efficient at this time for lower-risk facilities. The commenter also argued that security guards should not manually check the CCL during visual TWIC inspection, as it could distract him or her. We note there are no requirements to check the list of cancelled TWICs during visual TWIC inspection, nor does this rulemaking affect visual inspection procedures. One substantial change being made in this final rule is the discontinuation of the distinction between Risk Group B and Risk Group C. The distinction between these two Risk Groups was relevant in the ANRPM, where we had proposed that Risk Group B vessels and facilities would be required to use TWIC readers on a random basis, whereas Risk Group C vessels and facilities would not be required to use TWIC readers at all. However, in the NPRM, we proposed to eliminate the random TWIC screenings from the Risk Group B requirements, and thus there was no distinction in 59 78 E:\FR\FM\23AUR2.SGM FR 17790. 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations requirements between those two Risk Groups. Nonetheless, we still proposed that the terminology for Risk Groups B and C be included in the regulations. Despite the lack of distinct requirements, many commenters read the NPRM to mean that electronic TWIC inspection requirements would be applied in some manner to Risk Group B vessels and facilities, and many commenters discussed the criteria by which vessels and facilities were classified as Risk Group B or C. One commenter did not support the proposed placement of Oil Spill Response Vessels and Oil Spill Response Barges in Risk Group B, arguing that these vessels carry primarily an oily water mixture, rendering them at low risk for terrorist attack. The commenter provided additional analysis distinguishing Oil Spill Response Vessels from tank vessels, and requested that they be classified as Risk Group C. Multiple commenters supported the decision to place Offshore Supply Vessels in Risk Group C, but wanted to clarify the definition of ‘‘Offshore Supply Vessel’’ for the purposes of TWIC requirements. One commenter argued against the placement of all OCS facilities in Risk Group B. The commenter believed they should be subject to the same sitespecific analysis that other facilities are subject to, and placed into Risk Group B or C as appropriate. Several commenters responded to the Coast Guard’s request for information as to whether petroleum refineries and storage facilities should be categorized as Risk Group A. Some commenters stated that it would be inappropriate for the agency to arbitrarily re-categorize these facilities without supporting study and analysis, and requested that if the Coast Guard omitted a risk in its initial analysis, a second notice and comment opportunity should be provided. One commenter noted that, according to the Coast Guard’s RA, the risk level for petroleum facilities was more comparable to Risk Group C than Risk Group A. Commenters also noted that due to the spacing of petroleum tanks at facilities, it is highly unlikely that a fire at one tank could ‘‘jump’’ to another. Several commenters provided the Coast Guard with a 2008 study entitled ‘‘Risks Associated with Gasoline Storage Sites,’’ which they argued demonstrated that gasoline does not pose a high risk of off-site consequences if involved in an incident, particularly one related to security. One commenter expressed concern about the expectation regarding the phase-in statements made in the NPRM, VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 stating that the absence of ‘‘definitive statements’’ has left the owners and operators of facilities in Risk Groups B and C wondering what will happen and what they should do. Similarly, one commenter stated that it seemed as if ‘‘phased in’’ was already the basic approach being taken by the Coast Guard, and that revisions to the electronic TWIC inspection requirements were all but certain. That commenter requested that instead of this approach, the Coast Guard should specifically identify the vulnerabilities that will be addressed and develop a proposal accordingly. Finally, commenters noted that if the Coast Guard were to propose expanding electronic TWIC inspection requirements beyond Risk Group A, a new Regulatory Flexibility Act analysis would be required. One commenter drew a distinction between petroleum refineries and petroleum storage facilities. The commenter stated that the petroleum storage facilities only store petroleum, whereas refineries may contain many types of more hazardous materials, such as hydrogen, although the commenter also stated that such facilities are wellequipped to handle those materials. Based on the comments received on this issue, we are not categorizing petroleum storage or refining facilities as Risk Group A in this final rule. Furthermore, we note that if and when the Coast Guard decides to propose additional electronic TWIC inspection requirements for facilities not currently classed as Risk Group A, global factors such as the cost of implementing electronic TWIC inspection, risk factors relating to the threat of a TSI, or other unforeseen conditions may have changed, necessitating a reconsideration of which vessels and facilities should be subject to additional security measures. The factors raised by commenters will be considered if and when additional TWIC inspection requirements are proposed in the future. We agree with the argument put forth by commenters that before extending electronic TWIC inspection requirements, a revised analysis of the costs and benefits should be undertaken and that opportunity to comment on those proposed requirements should be provided. Given the arguments raised in the comments, it is clear that more analysis needs to be conducted before the requirements of electronic TWIC inspection are extended to vessels and facilities not in Risk Group A. We do not believe that setting out the risk parameters for the next group of vessels and facilities to which electronic TWIC inspection may be applied is PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 57685 appropriate at this time. If and when the electronic TWIC inspection requirements are phased in further, the Coast Guard believes that the additional flexibility afforded by not having preset definitions for the lower-tier Risk Groups will allow us to better tailor the future rulemakings appropriately. As the analysis of risks, threats, and costs continues to evolve, we will conduct further analysis as appropriate as well as solicit additional information from the public. 8. Barge Fleeting Facilities The inclusion in Risk Group A of barge fleeting facilities that handle barges carrying CDC in bulk was a topic discussed by a large number of commenters. The Coast Guard received comments from a variety of barge fleet operators, towing operators, and trade associations. Universally, comments on this subject argued that barge fleeting facilities should not be required to install TWIC readers. For the reasons described below, based on the comments received, we have removed the separate requirement that barge fleeting facilities that handle barges carrying CDC in bulk are specifically considered Risk Group A. Instead, barge fleeting facilities are considered facilities, and may be required to perform electronic TWIC inspection if the standard criteria for Risk Group A are met. Barge fleeting facilities are defined in 33 CFR 101.105 as ‘‘a commercial area, subject to permitting by the Army Corps of Engineers . . . or pursuant to a regional general permit[,] the purpose of which is for the making up, breaking down, or staging of barge tows.’’ Because this rulemaking would only affect barge fleeting facilities that interact with barges carrying CDC in bulk, only those barge fleeting facilities which are used for the staging of barge tows would be affected by this final rule. In the NPRM, we proposed that all barge fleeting facilities that service barges carrying CDC in bulk would be considered Risk Group A. Comments on why barge fleeting facilities should not be included in Risk Group A fell into four general categories. First, many commenters argued that the cost of installing TWIC readers at barge fleeting facilities would be higher than the installation costs at other facilities due to their remoteness, and that the Coast Guard’s preliminary RA had not taken this into account. Second, several commenters argued that due to the remote location or lack of permanent infrastructure of many barge fleeting facilities, the consequences of a TSI would not be so great as to warrant E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57686 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations an inclusion into Risk Group A. Third, one commenter argued that because barge fleeting facilities only service vessels that would be exempt from the TWIC reader requirement (because they have fewer than 14 crew), the facilities should also be exempt. Finally, several commenters argued that a TWIC reader would not enhance security at barge fleeting facilities. We address each of these comment categories below. The cost of installing TWIC readers at barge fleeting facilities was cited by commenters as a reason to reconsider placing them in Risk Group A. Commenters generally argued that logistical considerations made installing TWIC readers in barge fleeting facilities substantially more expensive than at traditional installations. Several commenters stated that infrastructure costs, such as electricity, Internet access, and a facility to protect the TWIC reader would cause this requirement to be dramatically more expensive than originally considered. Similarly, commenters stated that these costs were not considered by the Coast Guard in its preliminary RA. Multiple commenters stated that the $300,000 initial phase-in costs estimated for bulk liquid facilities seemed like a low estimate. These commenters suggested that they would refuse to handle barges carrying bulk CDC rather than bear this increased cost, and that a final rule would cause rates to rise at other facilities. Similarly, commenters suggested that the decision to require TWIC readers at these barge fleeting facilities could actually be detrimental to security because, building on the idea that many facilities would refuse to handle bulk CDC barges, those barges would become concentrated at the few facilities that did allow them, thus increasing the risk profile of the fleeting areas that service them. We disagree with the notion that TWIC readers would be substantially more expensive to operate at barge fleeting facilities than at other types of facilities. As summarized above, the commenters who made this argument all cited various infrastructure costs, including installing electrical connections, Internet service, and a facility to protect the TWIC reader as drivers of the increased costs. However, all of these costs are associated with fixed TWIC readers, which are not required by this rule. Isolated facilities without electrical or data connections could use portable electronic readers to comply rather than undertake these measures to install fixed readers. We note that portable electronic readers can be, and are, operated using battery power and wireless communication VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 technology to scan TWICs and check them against the list of cancelled TWICs. With regard to our preliminary RA, we disagree that the costs of TWIC readers was not applied to barge fleeting facilities. As stated above, as portable electronic readers can be used to conduct electronic TWIC inspections without expensive upgrades to infrastructure, we believe that the price of portable electronic readers estimated in the preliminary RA is applicable to barge fleeting facilities that are not connected to electrical and information infrastructure. Furthermore, barge fleeting facilities were counted in the overall analysis of facilities covered by the proposed rule. Thus, we believe that the preliminary RA sufficiently analyzed the cost impacts for barge fleeting facilities. Numerous commenters argued that barge fleeting facilities are so isolated they should not be placed in Risk Group A. For example, one commenter recommended that barge fleeting facilities be categorized as Risk Group C, or as an alternative, CDC fleeting areas should be categorized using a risk-based approach based on the geographic location in relation to populations, with those in higher-density locations placed in Risk Group A. One commenter added that for economic reasons, fleets are usually far removed from major industrial or population centers, thus limiting the risk as potential targets for terrorist attacks. Because of the MSRAM methodology used to determine risk, we disagree that perceived geographic isolation of a particular facility alone should justify lesser security requirements. The risk groupings are based on the averaged MSRAM scores for each class of facility. In conducting our risk analysis, one of the primary factors used was an estimate of the average maximum consequences of a TSI on a class of facility. In MSRAM, the Coast Guard calculates the maximum consequence for each facility, which is the estimate of all damages that would occur from the total loss of a facility caused by a TSI resulting from a terrorist attack. This singular maximum consequence score factors in the total loss of a target, factoring in injury, loss of life, economic and environmental impact, symbolic effect, and national security impact. Further included in the calculation is an estimation of damage done to areas surrounding the facility that would be affected in the event of a TSI, meaning a facility in a densely-populated area could have a much higher maximum consequence score if a TSI would inflict damage on nearby populated areas. PO 00000 Frm 00036 Fmt 4701 Sfmt 4700 Then, the average maximum consequence for the class of facilities is derived from the calculations of each facility in the class, taking into account their specific geography. Thus, geographic isolation, or lack thereof, has already been considered in the score calculation. Even considering the geographic isolation of some barge fleeting facilities, this class as a whole presents a risk of a serious TSI, which is why it was included in Risk Group A. One commenter also argued that because tugboats that service barges are exempt from the requirements for electronic TWIC inspection, due to having fewer than 14 crewmembers, then the barge fleeting facilities should not be subject to TWIC requirements. In the discussion relating to electronic TWIC inspection requirements at facilities that service exempted vessels, we discussed in detail why a facility may be required to conduct electronic TWIC inspection, even if the vessels the facility services are exempted due to low crew counts. This analysis applies equally with regard to barge fleeting facilities. A variety of other arguments were made to exclude barge fleeting facilities from the electronic TWIC inspection requirements. For example, a commenter argued that barge fleeting facilities by their very nature do not interact with vendors or visitors. We note that TWIC requirements apply to permanent personnel as well as vendors and visitors (some of whom may not have TWICs, and would thus need to be escorted), and that electronic TWIC inspection provides several security enhancements, such as the ability to detect revoked TWICs, that are applicable to personnel as well as vendors and visitors. Some commenters stated that fleet personnel traffic is very low compared to regular shore maritime facilities and therefore are very low risk. We note that regular personnel traffic is not related to the risk that electronic TWIC inspection is designed to mitigate. Electronic TWIC inspection helps to ensure that unauthorized personnel are not granted unescorted access to secure areas. This can happen regardless of the number of persons on the facility. Several commenters argued that screening for personnel on barge fleeting facilities is already in place, and is extensive, including TWIC checks. As stated above, for high-risk facilities, we do not believe that visual TWIC inspections provide enough security. This final rule requires that TWICs be electronically inspected before unescorted access to secure areas of a MTSA-regulated, high-risk facility is E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations granted. This logic applies to barge fleeting facilities as well as other facilities. One commenter described a barge fleeting facility as ‘‘one of the few safe places’’ for crew transfers. The commenter implied that requiring crewmembers to run their cards through an electronic reader, which the commenter described as redundant and burdensome, could somehow impact safety. Without additional reasoning, we see no linkage between the safety of the crew and the need for security measures, except for the obvious benefits of protecting the crew from a TSI. Finally, several commenters argued that due to the nature of barge fleeting facilities, TWIC readers would not provide security benefits. One commenter stated that if there is no access from the riverbank to the area where the barges are stored, then the TWIC reader is not adding any security value. Similarly, several commenters noted that while electronic TWIC inspection is required at the access points to each secure area, barge fleeting facilities do not have defined access points, but rather people come in via waterways. Several commenters described barge fleeting facilities as ‘‘parking lots,’’ and noted that very few individuals from outside the fleeting facility, other than the crews of tugs, enter the facility. Oftentimes, due to a lack of other means of access, persons entering the facilities need to come via vessel and can do so only with the coordination of the FSO. Lastly, one commenter, while arguing for an exemption for barge fleeting facilities, stated that its barge fleeting facilities have a different risk profile than landbased facilities, noting that the fleeting areas are ‘‘simply unmanned barge parking lots continuously serviced by towing vessels.’’ 60 We have carefully considered the arguments of these commenters, and believe that we can address their concerns through a modification of the regulatory requirement. If a typical maritime facility met the specific criteria that these commenters describe, where there is no bulk CDC at the facility to protect, and no access points at which electronic TWIC inspection would be conducted, the facility would not be considered a Risk Group A facility. We believe that with regard to barge fleeting facilities, the same standard should be applied. For that reason, we are removing the specific reference to barge fleeting facilities in 60 USCG–2007–28915–0195, USCG–2007–28915– 0213. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 proposed § 105.253(a)(3). Instead, we are adding text, in § 105.110(e), Exemptions, which clearly states that barge fleeting facilities that do not have a secure area are exempt from the requirements in 33 CFR 101.535(b)(1). Based on this change, many of the concerns from the commenters regarding the application and utility of electronic TWIC inspection will be addressed. We note that simply because the reference to barge fleeting facilities has been deleted from proposed § 105.253(a)(3), some barge fleeting facilities will still be required to comply with electronic TWIC inspection if they meet the requirements of § 105.253(a)(1). Thus, if a barge fleeting facility handles or receives CDC in bulk, it would be considered to be a Risk Group A facility, and would be subject to the electronic TWIC inspection requirements. However, we note that the electronic TWIC inspection requirements would be limited to secure areas only, as towing boats could still service barges without having their crews’ TWICs electronically inspected (see the discussion in Section V.C.1, above). 9. Switching Risk Groups Several commenters requested additional clarification and explanation regarding the NPRM’s discussion of moving between Risk Groups. In the NPRM, the Coast Guard stated that it was adding §§ 104.263(d) and 105.253(d) to ‘‘address the movement between risk groups by vessels and facilities, based on the materials they are carrying or handling, or the types of vessels they are receiving at any given time.’’ 61 These provisions, which are located at §§ 104.263(b) and 105.253(b) of this final rule, provide flexibility to owners and operators of vessels and facilities that only meet the criteria for Risk Group A classification on an infrequent or periodic basis, such as a facility that only occasionally receives a shipment of bulk CDC. Based on the comments received on this issue, we are finalizing this requirement without change. One commenter supported the Coast Guard’s proposal for movement between Risk Groups noting that the proposal would grant a facility a degree of flexibility to tailor its security precautions to the TSI risks posed at a given time. We appreciate the support. In the NPRM, we stated that an owner or operator wishing to take advantage of one of these provisions would be required to explain how the vessel or 61 78 PO 00000 FR 17815–6. Frm 00037 Fmt 4701 Sfmt 4700 57687 facility would move between Risk Groups in an approved security plan, and that the plan would be required to account for the timing of such movement, as well as how the owner or operator would comply with the requirements of both the higher and lower Risk Groups. One commenter requested more explicit guidance on the criteria for facilities to move between Risk Groups, asking for guidance regarding the process and for the types of security measures that would need to be in place for a facility to move from a higher Risk Group to a lower one. In response, we note that moving between Risk Groups is not dependent on security measures, it is dependent on whether a facility’s change in operations moves it into a different Risk Group. For example, if a facility that periodically handled CDC in bulk were to cease handling that material, it could move from a Risk Group A facility to a non-Risk Group A facility. While such a move is independent of any change in security measures, we note that the facility would still have to amend its FSP with regard to any changes in security procedures. One commenter stated that his facility occasionally handles bulk CDC for short periods of time. The commenter supported the NPRM’s proposal to permit switching Risk Groups, but requested that is should be possible to do so ‘‘without a lot of bureaucratic paperwork.’’ In such an instance, an FSP could contain two alternative security arrangements, one for operating as a Risk Group A facility, and one for operating as a non Risk Group A facility, along with the process for switching. Assuming that such an FSP was approved by the COTP, then switching risk groups could be accomplished without additional paperwork each time the operator changes risk groups. E. Responses to Economic Comments The Coast Guard received numerous comments from organizations and individuals regarding the costs and benefits associated with the requirement for electronic TWIC inspection. Many commenters, responding to specific requests for information, provided details and opinions regarding the costs of installing and operating an electronic TWIC inspection system. The issues involved the specific costs of purchasing and installing electronic TWIC reading equipment, the operational details concerning electronic TWIC inspection (including how it could increase or decrease the number of persons employed in security positions), and the costs to E:\FR\FM\23AUR2.SGM 23AUR2 57688 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 transportation workers who may need to replace malfunctioning TWICs. We appreciate these comments and have attempted to integrate them into our RA. We address the specific topics in the sections of this preamble below. 1. Costs of TWIC Readers We received numerous comments from both suppliers and users of electronic TWIC inspection equipment regarding the standard costs of TWIC inspection equipment. In the NPRM, we estimated the average costs of TWIC readers by researching the equipment costs for all TWIC readers that have passed the TSA’s test to conform with its Initial Capability Evaluation (ICE) test, which is maintained and made available to the public by TSA. One commenter stated that the preliminary RA overestimated the costs of procuring TWIC readers. The commenter stated that the TWIC Pilot Report overstated the costs of TWIC readers, as pilot participants used grant money for incidental security needs, such as PACS, costs related to guard stations, lift gates and fencing. We disagree with the commenter’s analysis, and note that we did not use the pilot grants as a basis for the costs of TWIC readers. As stated in the NPRM RA (Section 4.1.1., TWIC reader costs), the costs of TWIC readers were determined using approved TWIC readers that had passed the TSA ICE test. Multiple commenters stated that the NPRM RA overestimated the cost of TWIC readers, and of the software, needed. One commenter also stated that the Coast Guard used overstated software prices that came from a single supplier and should have used $4,250 for both fixed and portable TWIC readers that included both hardware and software. The commenter added that the price of electronic TWIC inspection continues to fall as technology develops and is deployed on a larger scale. The Coast Guard did not use pricing information from a single supplier, but relied on multiple vendors’ publicly available information for regulatory analyses supporting the NPRM and this final rule. While we agree that the price has fallen, we cannot use the prices cited by the commenter directly. However, we note that we have adjusted the TWIC reader cost prices in the final RA. The NPRM RA’s TWIC reader cost estimates relied on the ICE List and utilized those equipment costs listed on the U.S. General Services Administration (GSA) price schedule. The QTL includes all TWIC readers that are currently approved by TSA (at the time the final RA was developed) for use in reading VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 TWICs. For the final rule RA, instead of using GSA schedule listed prices for TWIC readers as was the case for the NPRM RA, we utilized the QTL’s TWIC reader information to obtain an average cost for portable TWIC readers, and used the GSA schedule for fixed TWIC readers. We note that, for the final rule’s cost analysis, we used average TWIC reader prices that we estimated $5,373 for fixed TWIC readers and $7,035 for portable TWIC readers. These prices are close to the one the commenter suggested at $4,250 for either fixed or portable TWIC reader. The same commenter also added that it would not be necessary to purchase an entirely new PACS software system, and that one could simply add an electronic reader to the existing PACS that supports the perimeter access points for some entities. We agree, and go further in our RA, noting that it is possible to integrate biometric input functions into an existing PACS, rather than install a separate integrated TWIC reader. Use of this discretionary option can reduce electronic TWIC inspection costs substantially, depending on the business operations of the facility using such a system. However, we do not quantify the potential for these cost savings in the RA. The commenters also made statements regarding the cost for CCL updates, which were echoed by other commenters. They stated that updates to the CCL should be an automated function taking about five seconds, and therefore, these should not be included as an ongoing item with assigned labor expense in the RA. In the NPRM RA, we estimated that the costs to update the CCL would be, on average, 30 minutes per week, which comes to 26 hours per year. In the final analysis, this figure is unchanged. While we recognize that some larger facilities may be able to automate this process, we do not believe that all facilities will have such an automated solution. One commenter stated that the adoption of the QTL could cause ‘‘change order costs’’ to replace more expensive TWIC readers, and that the facilities who need to change TWIC readers should get grants to cover these costs. The Coast Guard disagrees. The final rule will allow many different types of biometric scanners in addition to the ones published on the TSA’s QTL, and the rule is not designprescriptive, so many entities will be able to continue to use existing equipment and therefore should not incur additional costs. The Coast Guard is not mandating that owners or operators use only the TWIC readers PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 listed on the TSA’s QTL in this final rule. 2. Number of TWIC Readers at Vessels and Facilities Additionally, several commenters believed that the Coast Guard has not appropriately addressed the overall numbers of TWIC readers. Several commenters claimed that the NPRM and the RA did not contain accurate estimates of the number of TWIC readers needed for a vessel or a facility. One commenter, who owns multiple vessels and a terminal, estimated that it would need as many as 20 TWIC readers to comply with the proposed regulatory text. One commenter described the Coast Guard as contradicting itself, by stating in the preamble that Risk Group A vessels would need only one TWIC reader, at the entrance to the vessel, yet the proposed regulatory text required a TWIC reader at ‘‘each entry.’’ 62 Another commenter, a city government agency in charge of passenger ferries and terminals, also disagreed with the idea of one point of access per ferry. That agency estimated at least 62 TWIC readers would be necessary for their facilities alone. We note that the confusion regarding the regulatory text language in the NPRM, which stated that TWIC readers were required ‘‘prior to each entry,’’ has been thoroughly discussed above. In this final rule, most vessels are exempted from electronic TWIC inspection requirements, and those subject to them are only required to conduct such an inspection once, prior to entry onto the vessel. With regard to facilities, we clearly state that electronic TWIC inspection must be conducted prior to each entry into a secure area. Given the nature of facilities, we acknowledge that many facilities will require multiple TWIC readers or other machines capable of conducting electronic TWIC inspection, either because they have a large number of access points to secure areas, or because they have a high throughput of people who must undergo electronic TWIC inspection in a timely manner. One commenter disagreed with the idea of ‘‘one point of access’’ to a ferry, as there may be multiple points of access, and the proposed rule might have required them to install TWIC readers at 62 locations, with additional staffing, to meet the requirements. The Coast Guard disagrees with this assessment. The commenter is not necessarily required to purchase a large 62 See 78 FR 17803 and proposed § 104.265(a)(4), 78 FR 17831. E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations number of TWIC readers because the electronic TWIC inspection for the vessel crew can be executed on the facility side, rather than at each and every access point to the ferry or the vessel. Given the ‘‘combined security plan’’ discussed by this commenter above, it is permissible that a ferry operating a secure facility could have no dedicated TWIC readers, if all crew boarded from secure areas of the facility. Thus, such a ferry operator could comply with the electronic TWIC inspection requirements in this final rule without a wholesale replacement of its security infrastructure with new TWIC Readers. Several commenters provided qualitative discussions regarding the number of TWIC readers that would be needed at passenger terminals, which while not providing firm numerical information, helped the Coast Guard refine its assessment of how the final rule would affect these sorts of terminals. One commenter argued that the Coast Guard ‘‘does not fully understand the day-to-day operations of Group A passenger vessels and facilities . . .’’ and that ‘‘most of these vessels, terminals, and facilities are designated ‘‘public access areas’’, with only small areas designated secure, which ‘‘tend to be located away from one another.’’ The commenter provided examples of ‘‘a fuel storage area here and a secure communications room elsewhere’’ as examples of dispersed secure areas, and stated that ‘‘the everyday reality for a TWIC holder is that he or she is likely to move between secure areas and public areas, as well as between the vessel and facility, multiple times a day in multiple locations.’’ Similarly, operators of other passenger terminals made qualitative remarks regarding the number of TWIC readers needed. One commenter, operating a large facility on the West Coast, stated that ‘‘installation of TWIC readers on our vessels and at our terminal would provide a negligible improvement in security, which would come at an unreasonable cost given that WSF has already implemented a superior security infrastructure.’’ We note that, at the time the comment was made, the NPRM had not proposed the option that would allow the operators of facilities to integrate electronic TWIC inspection into their PACS. Given comments like these, we expect that larger passenger facilities that have already implemented PACS would be likely to use that option rather than installing TWIC readers in a parallel security structure. Commenters representing smaller facilities also provided qualitative VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 information. One commenter stated that ‘‘our terminals are a mix of secure and public areas where employees move between areas throughout the day,’’ indicating that TWIC readers would be needed at multiple access points, not just at the entrances to the facility. Similarly, a facility operator in San Diego noted that ‘‘careful consideration needs to be taken into account for the passenger vessel industry because our vessels and facilities are not just one big secure area, but rather are interspersed amongst public areas.’’ Based on the substantial numbers of comments regarding the implementation of electronic TWIC inspection at passenger facilities, as well as the policy changes in this final rule, we have reevaluated how we analyzed the costs of this rule for passenger facilities. In the TWIC pilot program, TWIC readers were typically only employed at the exterior access points to facilities, whereas in the final rule things are quite different. For passenger facilities, it is likely that electronic TWIC inspections would not likely take place at the main entrances where passengers enter and exit, as those areas would lead to ‘‘passenger access areas’’ which are, by definition, not secure areas and do not need to be controlled by a TWIC reader. Instead, TWIC readers or a PACS would likely be installed throughout the facility, at each entrance into a secure area, to ensure that only TWIC-holders had access to these secure areas of the facility. Furthermore, based on the comments, we are reasonably certain that the largest passenger facilities are much more likely to implement the electronic TWIC inspection requirement by adding a biometric input method into their PACS, rather than by developing an entirely parallel TWIC reader system. This option permit substantial cost savings and operational efficiency benefits for facilities that have already invested in, as one commenter stated, ‘‘superior security.’’ For these reasons, we have adjusted the ‘‘number of TWIC readers’’ used by passenger facilities as the cost basis in our analysis. For the largest 5% of facilities, we have assumed a larger number of TWIC readers, representing our estimates that these facilities are quite extensive and will require either modification of their PACS or installation of a substantial TWIC reader system. For other passenger facilities, we have left the estimate at 2 access points per facility, for a total of four readers. We estimate that these facilities would likely have an access point to the vessel, as well as an additional access point to secure areas of the facility, such as a storage room or communications PO 00000 Frm 00039 Fmt 4701 Sfmt 4700 57689 area. We develop this reasoning at more length in the accompanying regulatory analysis. One commenter, operating several large terminals on the West Coast, provided information on the maintenance of readers. The comment estimated that they are planning to prepurchase 74 contact card reader inserts for their 33 existing readers over the next three years at a total cost of $28,800, or approximately $300 per reader per year. We have used this information to increase our cost estimate for the maintenance of readers from 5 percent of the cost of a reader to 10 percent of the cost of a reader per year to cover the expense of insert replacements. With regards to the number of TWIC readers, Coast Guard recognizes that there may be variability in the number of electronic readers required for any specific facility or vessel due to a large range of facility sizes, configurations, PACS types, and throughputs that will necessitate large variations in the numbers and types of TWIC access points. For the purposes of producing a cost estimate in the NPRM and RA, Coast Guard used data from Facility Security Plans (FSPs) to estimate the number of access points per facility and the TWIC pilot data to estimate an average number of TWIC readers needed per access point for a vessel or facility. The average number of TWIC readers at a vessel or facility was derived from the actual number of TWIC readers installed per facility or vessel in the pilot study that ranged from between 1 and 39 TWIC readers based on a minimum number of 1 to 24 access points from the FSPs. While we appreciate specific information about individual facilities, we note that the average figures developed through the TWIC Pilot Program, which sampled a broader spectrum of facilities, provides the best data for average numbers of TWIC readers and access points. 3. Transaction Times Many commenters stated that conducting electronic TWIC inspection at each entry to a secure area on a dayto-day basis would negatively impact the time needed to make entries. These commenters did not, however, provide any specific information regarding transaction times. One commenter that operates a cruise ship terminal stated that conducting electronic TWIC inspection with a biometric identification component takes 20 to 30 seconds per transaction, and thus would result in intolerable delays, especially regarding baggage handlers who enter secure areas repeatedly (we would note E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57690 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations that the RUA provisions in this final rule may offer flexibilities to mitigate transaction time concerns). One commenter provided feedback on its TWIC reader experience. According to this commenter, the learning curve for adopting TWIC readers is short, with the proper signage and instruction. Within one year of implementing TWIC readers into the facility, the commenter had over 1 million reads that take 4 seconds each, and the use of TWIC readers on inbound trucking has caused no delays. Further, the commenter suggested that TWICs can last 3 years without breakage or delamination issues if properly cared for, and believes that many TWICs were broken because the issue of their care was not communicated. The Coast Guard agrees with some of the points made by this commenter: The learning curve for using TWIC readers is relatively short and TWIC readers can handle a large volume of reads. However, the read time may not be 4 seconds on average across all the TWIC reader users, although we appreciate the data point supplied by the commenter. Other commenters also felt that the Coast Guard overestimated transaction times and the amount of time needed for a CCL update. With regard to the CCL update, we estimated that it would take 0.5 hours to update the CCL. One commenter suggested that the process could be automated. We agree that some operators could automate the process, but currently, we are unaware of any that do. We still believe that absent automation, our estimate of time is accurate. Transactions were discussed by an additional commenter. One commenter stated that he had heard from an operator who has conducted over 1 million electronic TWIC transactions, and who had experienced an average transaction time of 3.5 seconds, as opposed to the 8 seconds per successful transaction experienced during the TWIC Pilot Program. In response to comments regarding transaction times, we acknowledge that transaction times may vary based on equipment, software, environmental conditions, user familiarity, the condition of the TWIC, and perhaps many other conditions. This variability is reflected in the range of transaction times spanning from 3.5 to 30 seconds provided in the comments. The TWIC pilot collected data from a variety of facilities and circumstances, and produced an overall average of 8 seconds per transaction. We note that the range of times collected by the Pilot Program (which used TWIC readers from the ICE list) was from 6 to 27 VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 seconds per transaction, which is not inconsistent with the experiences of the commenters.63 One commenter stated that the 17.1 percent failure rate from the TWIC Pilot Report is a high figure to use in the regulatory impact analysis, since the primary cause of TWIC read failures (internal antenna failures) was addressed by the design of better cards. The commenter noted that these older cards have been retired since 2009. While we believe that the design of TWICs themselves has improved, without comprehensive data demonstrating that improvement, we continue to use the 17.1 percent failure rate from the Pilot Report in our analysis as the best available estimate. This failure rate is still a reasonable one to use when estimating the delays due to TWIC reads because there are other reasons for TWIC reads to fail, such as exposure to harsh weather. Finally, we note that even this higher failure rate did not produce measureable throughput delays, and thus a lower failure rate would not substantially affect the transaction costs of this rule. One commenter argued that between 2,500 and 3,000 people a day undergoing visual TWIC inspections would cost a great deal of money, and asked if they could use a PACS instead. Certainly nothing in this final rule precludes voluntary compliance with the requirements for electronic TWIC inspections, and the Coast Guard encourages owners and operators to go beyond minimum levels of compliance. The Coast Guard believes that this final rule will not only increase security but may also reduce the costs for owners and operators who are currently relying on visual TWIC inspection. The final rule also allows other, less expensive biometric scanners to be integrated with existing facilities’ PACS, as long as a biometric TWIC read is accomplished. 4. Security Personnel We received several comments regarding potential reductions in security personnel that could result from the mandatory use of electronic TWIC inspection. These comments generally fell into two categories. Some commenters felt that the requirements in the proposed rule, if finalized, would cause employers to reduce security staff, as fewer guards would be needed to conduct visual TWIC inspections. While some commenters believed this reduction would be a detriment to overall port security, in contrast, other 63 See Pilot report, located in the online docket for this rulemaking at USCG–2007–28915–0121, Appendix G, pp. 49–50. PO 00000 Frm 00040 Fmt 4701 Sfmt 4700 commenters stated a possible reduction in personnel costs is a benefit we did not consider in the NPRM RA. We do not believe that this final rule will have a substantial effect on staffing for several reasons. With regard to the argument that use of electronic TWIC inspection would lead to a reduction of security, we believe this results from a misunderstanding of the role of inspection and the role of security personnel. While electronic TWIC inspection can be used as a substitute for visual TWIC inspection, the role of a security guard goes far beyond this limited function, including providing other components of access control and physical security. If anything, we believe that electronic TWIC inspection can improve the capability of security personnel by allowing them to focus on their more specialized securityproviding roles. One of the reasons suggested for a reduction in staffing related to a scenario in which a vessel’s crew slightly exceeded the threshold limit for an exemption from the electronic TWIC inspection requirement, and the operator of the vessel decided to reduce the crew size in order to qualify for the exemption. By clarifying that the number of crew used to determine whether the vessel is exempt is based on the minimum manning requirement in the COI, we believe that this scenario will not come to pass. Unlike a situation in which a vessel operator could dismiss an optional deckhand to qualify for the exemption, it is exceedingly difficult, if not impossible, to alter the minimum manning requirements of the vessel. Alternatively, some commenters believed that by installing TWIC readers, operators of facilities could dismiss security guards. We are not aware of any instances of operators terminating security personnel as a result of installing TWIC readers (which should have been reflected in a change to a security plan and approval by the local COTP). We also note that pursuant to PAC–D 01–11, facilities are already permitted to employ TWIC readers in lieu of visual TWIC inspection on a voluntary basis. Some commenters felt that the proposed requirements, especially for those vessels and facilities not in Risk Group A, would increase the necessary number of security guards per shift. These comments were based on the erroneous assumptions about the use of electronic TWIC inspection with regard to vessels, as well as the mischaracterization of the requirements for electronic TWIC inspection with regard to vessels and facilities not in E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 Risk Group A. We believe that the clarifications in this final rule clearly illustrate that the scenarios in which large numbers of security personnel are required on board vessels will not apply. Furthermore, access control requirements for vessels and facilities not in Risk Group A are unaffected by this final rule. 5. Other Cost Comments Several commenters stated that the NPRM requirements were expensive. For example, one commenter stated that the expense of outfitting their vessels and facilities with TWIC readers would be enormously expensive compared to their normal operating budgets. In this particular instance, the Coast Guard notes that vessels owned by this commenter are not in Risk Group A and are not subject to the requirements in the final rule for TWIC readers. Most of these commenters did not include estimates or specific costs to support their claims. For the one commenter that provided a specific cost estimate, we incorporated the information to increase our estimate of the cost to maintain readers. The Coast Guard has carefully considered this input on burden and in this final rule has further reduced burden from the NPRM and ANPRM. See the final RA, included in the docket for this rulemaking, for the Coast Guard’s analysis of the available data. One commenter suggested that the NPRM did not appear to consider the secondary economic cost impact that would result from the disruption of such facilities from a TSI. The same commenter also stated that the breakeven analysis in the NPRM did not consider the economic cost impact that would result from an attack on a petroleum facility. This latter statement is correct, because petroleum facilities are not included in the affected population of this rule. Furthermore, the former statement is correct, although the net effect of adding additional categories of terrorism impacts not now quantified in this rule would be to increase the benefits of avoiding a TSI. Multiple commenters stated that the NPRM did not do a cost analysis of domestic inbound fleeting areas (also known as barge fleeting facilities), and that it did not fully evaluate the impact of TWIC readers on those fleets. More specifically, one of these commenters felt that owners of those fleets would have to make a significant monetary investment to install equipment in an area that might not be able to support it. The NPRM did include all those affected domestic inbound fleeting areas VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 in the cost analysis. It fully assessed the impact on an average facility, including the barge fleeting facilities. However, this final rule no longer specifically requires barge fleeting facilities to install TWIC reader equipment (see Section V.D.7 of this preamble), which addresses the concerns of these commenters. One commenter said that it should not take 25 hours to update a facility security plan for TWIC. The Coast Guard disagrees. For some facilities, it may take fewer hours, but for many others it will take more than 25 hours, especially if changes to security plans are reviewed by multiple people, and we believe that the 25-hour assumption is a reasonable average for the full range of vessels and facilities impacted by this rule. One commenter suggested that the TWIC is not designed to be handled multiple times per day, (the commenter suggested that at their passenger ferry facility, an average employee could expect to have their TWIC inspected 2,400 times per year) and therefore this rule would likely cause TWICs to degrade and malfunction at a high rate, leading to increased costs for mariners to replace degraded TWIC cards. We disagree with this analysis for two reasons. First, while some older TWICs were issued with antennas that proved unreliable, the cardstock was upgraded in 2009 to be more reliable and can be used frequently without degrading. Second, we note that at most large facilities, such as the passenger facility at issue, employees use a PACS for access control rather than the physical TWIC. This final rule permits the use of a PACS card for access control in lieu of the TWIC, so we expect that the many employees at larger facilities will not suffer any degradation of their TWICs during normal usage. 6. Costs Exceeding Benefits, CostEffectiveness, and Risk Reduction Many commenters expressed a concern that the costs of installing TWIC readers on their vessels and facilities would exceed their benefits. One of these commenters said it has already implemented a superior security infrastructure and the installation of TWIC readers would be duplicative of security measures already in place. Another of these commenters expressed the view that terminal facility TWIC readers would be an unnecessary burden and cannot be justified for their operations. Another commenter felt that the added burden of the TWIC readers does not enhance overall security for their nature of operations. In addition to these commenters who questioned PO 00000 Frm 00041 Fmt 4701 Sfmt 4700 57691 whether the costs of the TWIC reader rulemaking exceed the benefits, several others argued that the TWIC card readers would neither significantly enhance security on U.S. facilities and vessels, nor make our nation safer. The Coast Guard disagrees. The regulatory impact analysis we provide in the docket discusses at length why and how security will be enhanced by this rule. The commenters do not appear to account for the benefits to the nation and its economy of avoiding TSIs or that this rule is a Congressional mandate, and therefore, it addresses a market failure in which individual owners and operators tend to under-invest in security infrastructure, equipment and operations. As previously explained, we used a risk-based approach to apply these regulatory requirements to less than 5 percent of the MTSA-regulated population, which represents approximately 80 percent of the potential consequences of a TSI. The provisions in this final rule target the highest risk entities while minimizing the overall burden of the rule. We conducted a robust alternatives analysis that considered the ‘‘break-even’’ point of several different alternatives and we chose the alternative that shows the final rule will be cost effective if it prevents 1 TSI with every 234.3 years. Such small changes in risk reduction strongly suggest the potential benefits of the proposed rule justify its costs. One commenter argued that reduction of human error, as part of visual TWIC inspection, should be a quantified benefit of the final rule, and not an ‘‘unquantifiable’’ benefit as described in the preliminary RA. However, the commenter did not ascribe a dollar value to this benefit that could be quantified. Considering the RA did not attempt to quantify each individual security threat mitigated, but instead provided an overall break-even analysis that encompassed the rule, we believe our analysis remains appropriate for this issue. 7. Cumulative Costs of Security-Related Rulemakings Some commenters warned of the cumulative economic impacts of this rulemaking with several other finalized rules across Federal agencies. These comments did not provide specific data or information on these cumulative economic impacts. Understanding and considering the concerns about these cumulative economic impacts of all maritime security regulations, the Coast Guard decided to apply the final rule to a smaller population of MTSA-regulated entities after conducting its regulatory impact analysis. The Coast Guard E:\FR\FM\23AUR2.SGM 23AUR2 57692 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations believes that the increased flexibility of the final rule compared to the proposed regulations will help lower costs and ease the burden on the regulated stakeholders. 8. Small Business Impact One commenter expressed concern that its small profit margin would be negatively affected by new expenses for security due to changes to technology and additional regulations. Cognizant of regulatory impacts on small businesses, the Coast Guard sought to minimize these impacts by allowing businesses to integrate TWIC readers into their existing PACS, and to choose from a variety of biometric scanners that may cost less than those approved by the TSA and listed on the TSA’s QTL. F. Other Issues sradovich on DSK3GMQ082PROD with RULES2 1. The GAO Report and the TWIC Pilot Program Several commenters noted concerns with the final rule in light of the May 2013 GAO report ‘‘Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed’’ (GAO–13–198). Two commenters specifically called attention to the GAO report’s suggestion that results were less reliable due to ineffective evaluation design and the lack of requisite data. The Coast Guard fundamentally disagrees with the statement. Although there were many challenges in the implementation of the TWIC reader pilot, considerable data were obtained in sufficient quantity and quality to support the general findings and conclusions of the TWIC reader Pilot Report. The pilot obtained sufficient data to evaluate TWIC reader performance and assess the impact of using TWIC readers at maritime facilities. Furthermore, the Coast Guard supplemented the information from the TWIC Pilot Program with other sources of information. For example, in the RA, the Coast Guard estimated the number of access points per facility by facility type through the use of an independent data source (Facility Security Plans), and estimated the costs of TWIC readers through published pricing information. This independent data supplemented what we learned through the pilot and helped account for TWIC reader implementation at all access points when developing the NPRM. Similarly, multiple commenters suggested that the Coast Guard should not move forward on this final rule due to the GAO recommendations. We would encourage those who criticize the TWIC Pilot Program to closely review VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 how the information gained in the program was used in the development of this rulemaking. Because of the testing conditions endemic to a voluntary pilot program, the TWIC Pilot Program encountered many challenges. The Coast Guard was aware of the pilot’s limitations, and used it with discretion in developing the NPRM and, subsequently, in developing this final rule. For that reason, the pilot results were not the sole basis for the NPRM. The Coast Guard believes that the pilot produced valuable information concerning the environmental, operational, and fiscal impacts of the use of TWIC readers. The Coast Guard believes that data were obtained in sufficient quantity and quality to support the general findings and conclusions of the Pilot Report. The pilot data informed aspects of the rulemaking in which no other data were available. The Coast Guard is convinced that TWIC, including the use of biometric readers, can and should be a part of the nation’s maritime security system, for the reasons cited extensively in this final rule. Two commenters suggested that individual TWIC Pilot Program participants were not provided the opportunity to review the final draft Pilot Report prior to publication. In response, the Coast Guard participated along with TSA and the independent test agent in individual close-out meetings with each of the pilot participants. Individual test phase reports were provided to participants in advance of those meetings to verify and answer questions and concerns. One commenter suggested that they heard from participants that information contained in the Pilot Report was inconsistent with the participants’ records. We note that this commenter was not a pilot participant, nor did we receive such feedback from pilot participants. Given the nature of the program, we believe that the information from the pilot was generally helpful in providing data relating to certain operational aspects of the TWIC program. The RA for this final rule accounts for maintenance, replacement, and operation costs of TWIC readers in addition to the costs reported in the Pilot Report, contrary to the GAO’s assertions. As both the Pilot Report and the GAO’s review note, not all facilities implemented TWIC readers at all access points during the pilot in the same way they may have to do in the future to meet the requirements of this final rule. We believe that the immaturity of TWIC reader technology at the onset of the pilot, the voluntary nature of the Pilot PO 00000 Frm 00042 Fmt 4701 Sfmt 4700 Program, and lack of full cooperation at all facilities were major contributors to the pilot’s limitations. Furthermore, we note that the additional flexibility afforded by this final rule, especially with regard to utilizing PACS as a means to undertake electronic TWIC inspection, will further reduce the negative operational impacts of the TWIC requirement that were experienced by some participants during the pilot. One commenter took the opposite position, arguing that the GAO report went beyond the required purpose of assessing the validity of the pilot, and that TWIC reader technology could be seamlessly integrated into their facility access control systems. While we do acknowledge that there were some problems with the pilot, overall we agree with the commenter that it demonstrated the ability to integrate TWIC into access control systems at a wide range of maritime facilities. One commenter suggested that the Coast Guard does not have an accurate accounting of how long it will take to resolve TWIC reader issues. We addressed a similar comment in the section of this preamble regarding malfunctioning access control systems. Per that discussion, we note that in this final rule, we are removing the specific time period for repairs, and that restoration of an access control system will be handled in accordance with the procedures for the reporting requirements for non-compliance as described in 33 CFR 104.125, 105.125, and 106.125. These sections require the owner or operator to notify the cognizant COTP, and to either suspend operations or request and receive permission from the COTP to continue operating. Additionally, one commenter stated that the NPRM did not address the error rate experienced during the Pilot Program which, with repetitive failure, created distraction, confusion, and complacency with an overall degradation of security. The commenter suggested that another pilot should have been conducted to validate the original findings given technology problems encountered. The Coast Guard disagrees. The RA section in the NPRM did address error rates as potential opportunity costs associated with delays as a result of TWIC reader requirements. Furthermore, the Pilot Report did acknowledge both TWIC reader errors and card failures as challenges that were faced. The Coast Guard believes that the combination of technology advancement since the Pilot Program started and the enhanced flexibility and the movement to a more performance-based standard E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations in this final rule will have a significant role in reducing the rate of TWIC reader failure and the overall effect of TWIC reader failure on a vessel or facility. As noted in the NPRM, the Coast Guard anticipates that the rate of card failure requiring replacement will decrease as TWIC reader use increases. We believe the number of unreadable TWICs initially identified will decrease as the increased use of TWIC readers will enhance TWIC validity and readability by identifying damaged TWICs. However, as with any such critical system and as we have noted in previous sections, it is important for operators of vessels and facilities affected by this final rule to adequately address potential electronic reader failure scenarios in the development of their security plans to ensure that measures are identified, and to seamlessly react to a single electronic reader failure or, in the worst case, an entire PACS failure in a way that continues to meet the security intent of this rulemaking. Please see discussion in section V.B.3.d on malfunctioning access control systems for more discussion on this subject. One commenter highlighted GAO’s assertion that DHS has not yet adequately demonstrated how the TWIC actually enhances maritime security. We have addressed the efficacy of the TWIC program as a whole in Section V.A of this preamble. One commenter stated that the GAO report failed to account for the opinions of various container terminal operators that participated in the Pilot Program, and suggested that the GAO report itself was flawed and went beyond its mandate. The Coast Guard appreciates the extremely valuable information provided by all vessel and facility operators during the course of this rulemaking, and has evaluated all comments in comparison with economic and environmental data to enhance this final rule to address the greatest security threats in which TWIC and TWIC readers provide utility in the prevention of a TSI. We have modified this final rule in a manner that allows for the greatest flexibility for non-Risk Group A vessel and facility operators to implement electronic TWIC inspection procedures on a voluntary basis. Additionally, the Coast Guard is committed to the continued security of the nation’s ports. Accordingly, we will continue to evaluate the need for TWIC readers on vessels or facilities not covered in this final rule, and, should future cost benefit analysis show increased TWIC reader costeffectiveness to address the threats to VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 vessels and facilities within our ports, we may propose further requirements. Several commenters suggested that the Coast Guard did not engage with industry groups and advisory committees, other than TSAC, when drafting this rulemaking. The Coast Guard took into consideration input from a wide range of industry representatives during the development of this final rule through both formal and informal interaction. Formal interaction with stakeholders occurred in the form of direct contact with the National Maritime Security Advisory Committee, interaction with TWIC Pilot Program participants, and during multiple port and facility visits aimed at gathering specific feedback from industry on TWIC and the use of TWIC readers. Informal interaction occurred through multiple TWIC information sessions at industry-sponsored events such as meetings and conferences, and through feedback in the form of comments to both the ANPRM and NPRM for this rulemaking. 2. Additional Comments a. General Comments on the TWIC Program Many commenters supported the Coast Guard’s implementation of a delayed effective date for this final rule. As stated in the DATES section above, the Coast Guard will delay the effective date of this rulemaking by 2 years to allow the regulated industries time to comply with this final rule. One commenter asked if a non-Risk Group A vessel or facility decided, 1 year from the date of publication, to move up to Risk Group A, how many years that entity would have to comply with this final rule. In this example, the entity would have 1 more year to comply with the electronic TWIC inspection requirements of this final rule. All vessels and facilities meeting the Risk Group A criteria after the effective date of this final rule will have no extra time to comply, as the regulation will be in force. The commenter also asked what procedures such a facility would have to follow. Such a facility would have to adjust its FSP in accordance with all applicable regulations, and then implement the requirements of the approved FSP. Some commenters expressed concerns about the durability and reliability of TWICs themselves. As revealed in the TWIC Pilot Program, many users experienced problems with the TWIC. We note, as multiple commenters did, that prior to 2009, some cards were issued with antennas that experienced high rates of failure, but given the 5-year expiration period of the TWIC, those PO 00000 Frm 00043 Fmt 4701 Sfmt 4700 57693 cards should all be replaced by the time this final rule is effective. Furthermore, due to the flexibility added by this final rule, should an environment prove to have a negative effect on the TWIC, owners and operators can use one of the alternative means described above to provide for access control while keeping TWICs in a secure location where they will not become damaged. One commenter stated that mariners are already subject to background checks, which should preclude the need for another check conducted by an electronic reader. We would note that the electronic TWIC inspection does not actually conduct an additional background check, but merely verifies the individual presenting the card is the same person who underwent the original background check. This commenter also suggested that random Coast Guard checks of the TWIC ensure adequate security. We disagree, and believe that security validation at highrisk vessels and facilities should be conducted thoroughly, not occasionally, for the reasons described in this rule. One commenter in a public meeting suggested that because of the TWIC program, driver’s licenses and other forms of identification are no longer allowed for access to facilities, in favor of a TWIC, and that this has reduced security. The Coast Guard disagrees, and believes that TWIC enhances security. We note, for example, that merely having a driver’s license does not indicate that an individual has passed a background check. Some commenters discussed both possible TSIs and terrorist attacks which would not, in their view, have been averted by a TWIC reader requirement. The Coast Guard notes that the electronic TWIC inspection requirements are only part of the Coast Guard’s comprehensive port security program and will not address all attack scenarios. Issues relating to the overall effectiveness of the electronic TWIC inspection programs are discussed in Section V.A, above. Some commenters supported the use of the TWIC as a single Federal credential, and suggested that it should preempt and supersede other State, local, or site-specific credentials. One commenter suggested that using the TWIC as the only credential a person would need to enter multiple secure facilities would have substantial economic benefits, especially for individuals such as truck or bus drivers that need to access many different secure facilities. These benefits, according to the commenter, would include conducting only a single background check (as opposed to E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57694 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations multiple background checks that might be needed to obtain State, local, and site-specific credentials), as well as reduced ‘‘wait time’’ as security credentials are examined. While there is an efficiency argument to having a single, nationwide credential, we believe that the disbenefits of such a mandatory program are substantial and outweigh that efficiency. To start, we note that part of the increased flexibility of this final rule allows for alternative cards, such as employee ID cards, to achieve electronic TWIC inspection, provided that these cards are linked to a TWIC in a manner described above. As several commenters noted, possession of an authorized TWIC should not, in and of itself, grant the TWIC-holder access to any secure area on any vessel or facility. While a valid TWIC is a necessary component for unescorted access to secure areas, it will not be the sole reason, as owners and operators must exercise their right and responsibility to decide to whom to provide such access. One commenter expressed concern regarding the tiered approach for the use of TWIC readers. This commenter suggested that multiple access control procedures could result in confusion for persons who visit many different facilities. The commenter proposed that the Coast Guard require the installation of TWIC readers at Risk Group A and B facilities, and require that Risk Group C facilities maintain portable TWIC Readers. We acknowledge that using different access procedures at different facilities could be confusing. Furthermore, for the reasons discussed extensively, we do not believe that requiring electronic TWIC inspection at non-Risk Group A facilities is an effective use of resources at this time. Two commenters suggested an alternative process where inspection requirements are relaxed during peak hours. One commenter stated that between 7 a.m. and 9 a.m., hundreds of vehicles enter a particular facility, often with multiple passengers, and that requiring biometric identification of each passenger could result in traffic delays. The commenter suggested that only the driver should be required to undergo electronic TWIC inspection, while the passengers could present their TWICs for visual TWIC inspection. The Coast Guard does not agree with this approach, as it creates a fairly obvious and exploitable gap in security. While we have worked to increase operator flexibility to reduce delays and minimize their effects, we have estimated in the Coast Guard’s RA that some facilities may have to make modifications to business operations to VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 accommodate electronic TWIC inspection requirements, such as increasing the number of access points for vehicles. Furthermore, it may be possible at some facilities to conduct electronic TWIC inspections at locations employees would walk through after disembarking from their automobiles. Several commenters considered existing requirements under the MTSA and/or under the International Ship and Port Security Code to be sufficient for themselves and others, and that electronic TWIC inspection requirements should not apply to them. We believe, for reasons extensively detailed in this document, that the statutorily-mandated enhancements to access control in this final rule have been applied to the class of vessels and facilities to which they are most costbeneficial. One commenter was concerned at the prospect of TWIC readers being considered ‘‘no-sail equipment,’’ that is, equipment which must be operational before a vessel can leave. We note that while a situation where a TWIC reader could become no-sail equipment theoretically exists (for example, if there were only one TWIC reader available on the vessel, no TWIC readers at the facility, and no portable TWIC readers available), we have elaborated on the many ways in which this could be avoided through advance planning. This final rule elaborates on procedures which would be acceptable in the event of an electronic reader or system failure. We would recommend that operators of vessels or facilities required to undertake electronic TWIC inspections utilize robust systems that are capable of withstanding a single point of failure. One commenter expressed confusion as to how the electronic TWIC inspection requirement would apply to the aviation industry. We note that the requirement for electronic TWIC inspection at Risk Group A vessels and facilities applies equally to individuals entering via helicopters or other airborne means. In such an instance, it would be the responsibility of the owner or operator to conduct electronic TWIC inspections to ensure that all persons granted unescorted access to secure areas within the facility or upon boarding the vessel possess a valid TWIC. One commenter in a public meeting suggested that multiple entrances and departures in a day may pose a safety risk, if for example a facility is surrounded by public roads and highways. We believe that businesses can design their access points to secure areas in such a way that mitigates traffic impacts and potential safety concerns PO 00000 Frm 00044 Fmt 4701 Sfmt 4700 regarding public roads. We note that with the requirement for electronic TWIC inspection prior to each entry into a secure area of the facility, the security risk of such an environment would be greatly mitigated compared to a system that only required, for example, one inspection per day. One commenter requested that the TWIC be used as a universal identification card for entrance to transportation facilities, replacing the issuance of State, county, and facilityspecific credentials. The commenter also suggested that bus and motorcoach drivers should be eligible for TWICs. Noting that many drivers travel to numerous MTSA-regulated sites, the commenter argued that using the TWIC exclusively could significantly reduce the costs and other burden associated with the need for multiple security credentials. While we do not dispute the efficiency argument, we are not requiring the use of a TWIC as universal identification card for a number of reasons. First, again, this suggestion is out of scope of the rulemaking, which is limited to the requirement for electronic TWIC inspections. Moreover, we note that nearly all MTSA-regulated facilities restrict access not only to those who have a TWIC, but also to those who have a valid reason to be on the premises. As many commenters repeated, simply having a TWIC does not guarantee access to a secure area of a vessel or facility. Many vessels and facilities use employment-specific identification cards both as a means to ensure that a person has been vetted as well as a means to show that they are employees. Furthermore, some of these PACS cards are used to track employee locations or restrict access within the facility. Requiring all facilities to use the TWIC exclusively could negatively impact security and business operations by removing the benefits of facilityspecific access cards. Several commenters encouraged the Coast Guard to dismiss or devalue the comments from other commenters. In accordance with the Administrative Procedure Act, the Coast Guard considered every comment it received, both through the docket and through public meetings, before issuing this final rule. Several commenters made statements asserting that their operations were more secure or employees better trained than public transit operations and employees, and yet the latter may not be required to perform electronic TWIC inspections. While we cannot attest to the validity of these statements, we continue to believe that the improved security of electronic TWIC inspection, E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 compared to visual TWIC inspection, is warranted for high-risk vessels and facilities for the reasons discussed extensively in this preamble. One commenter believed that disbanding the TWIC program would remove the ‘‘false crutch that TWIC provides’’ and encourage greater operational security. For the reasons discussed above, we disagree and believe that TWIC provides a necessary and effective element of a comprehensive security system. b. Clarification of Specific Items Several commenters asked for clarification about a term or idea used in the NPRM, or asked the Coast Guard to define it outright. Explanations of various terms are described below. One commenter requested clarification of the term ‘‘each entry.’’ As stated above, with regard to facilities, ‘‘each entry’’ is each distinct transition from a non-secure area to a secure area. With regard to vessels, ‘‘each entry’’ is each distinct transition from a nonsecure area prior to boarding the vessel. One commenter asked about the definition of ‘‘escorting,’’ specifically whether a visual inspection, such as the use of closed-circuit television (CCTV) systems, would be an acceptable form of escorting. In response, we refer the commenter to the detailed guidance on escorting found in NVIC 03–07. There, we provide guidance and examples of circumstances in which the use of surveillance equipment, including CCTV systems, might be sufficient for escorting purposes. The specific facts and circumstances of each case will determine whether the Coast Guard will permit CCTV systems for such purposes. In general, escorting in restricted areas requires side-by-side accompaniment with a TWIC-holder. However, escorting in secure areas that are not also designated restricted areas does not always require side-by-side accompaniment. In such secure, nonrestricted areas, escorting may be sufficient through CCTV or other monitoring method (see 33 CFR 104.285 and 105.275). Where such monitoring is appropriate, the general principle applies that monitoring must enable sufficient observation of the individual with a means to respond if the individual is observed to be engaging in unauthorized activities or crossing into an unauthorized area. One commenter raised the issue of how railroads would interact with the new electronic TWIC inspection requirements. PAC 05–08, ‘‘TWIC Requirements and Rail Access into Secure Areas,’’ is the existing policy guidance regarding railroad access as it VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 relates to facilities in the TWIC program. This guidance allows the railroad company’s local or regional scheduling coordinator to provide information on the TWIC status of the crew, and if all crewmembers are valid TWIC-holders, allows them to enter the secure area of a MTSA-regulated facility without further inspection of their TWICs. PAC 05–08 also permits trains on ‘‘continuous passage’’ through a facility to proceed without stopping to check TWICs in certain circumstances. One commenter, representing railroad companies, stated ‘‘[n]either the need for, nor the advisability of, a change has been demonstrated’’ in regards to this guidance. We agree, and reaffirm the guidance in PAC 05–08 in this final rule, with one caveat. If PAC 05–08 would require that an individual’s TWIC be checked at a Risk Group A facility, it must be checked using electronic TWIC inspection. c. Comments Outside the Scope of This Rulemaking Many commenters provided comments beyond the scope of this rulemaking when discussing the TWIC program generally. In addition to concerns about card stock and card reliability, comments concerning applicability of the TWIC card to other U.S. government or governmentregulated facilities, TWIC card applications, delays in issuing or renewing TWIC cards, and those concerning TWIC card waivers are all beyond the scope of this rulemaking. Similarly, it is beyond the scope of this rulemaking to require biometrics in the U.S. Merchant Mariners Document, commonly known as a ‘‘Z-Card,’’ or for multiple mariner documents to be consolidated into an ‘‘all-in-one’’ credential. The scope of this rulemaking is to establish requirements for electronic TWIC inspections on vessels and facilities regulated under the MTSA. Several commenters suggested ideas about how TSA’s CCL could be improved or altered. We note that these ideas are outside the scope of this rulemaking and are best addressed to the TSA. Some commenters expressed concerns with the background check criteria for receiving a TWIC. For example, one commenter noted that certain longshore workers were erroneously denied a TWIC based on incorrect information in the Federal Bureau of Investigation database, and another experienced difficulty proving citizenship because he was born on a military base. While we are aware that some challenges exist in the enrollment and application PO 00000 Frm 00045 Fmt 4701 Sfmt 4700 57695 process, we believe that the vast majority of enrollments are conducted accurately and efficiently, and that problems are generally dealt with in a courteous and timely manner. We note, however, that concerns relating to the background check are outside the scope of this rulemaking. One commenter expressed concern that no regulatory analysis was done for workers who need to acquire and pay for a TWIC. Another commenter stated that for workers in remote areas, the cost of obtaining a TWIC can be higher due to travel costs. We note that this final rule does not require any additional individuals to acquire a TWIC, and thus the comment is outside the scope of this rulemaking. However, we would refer interested parties to the RA for the TWIC final rule, available at http:// www.regulations.gov, docket number TSA–2006–24191–0745, for a detailed analysis of these costs. One commenter expressed concern that there is no requirement in this rule that obligates an employer to report individual TWIC-holders to the Coast Guard who commit TWIC-disqualifying offenses. This issue is outside the scope of this rulemaking. One commenter criticized facility owners for poor quality fences despite receiving money from the Federal government to improve security. This commenter also suggested that instead of investing funds into the TWIC readers, the Coast Guard should spend the money on bettering terminals and their surrounding areas. These comments do not address the use of electronic TWIC inspection, and therefore, are out of this rule’s scope. One commenter in a public meeting described a system where ‘‘personnel from other companies’’ must, prior to arrival at his facility, fax his company with basic information including whether or not the visitor holds a TWIC. Facility procedures other than those relating to the electronic TWIC inspection procedures are beyond the scope of this rulemaking. One commenter recommended using closed-circuit television systems for purposes of visual inspection, rather than having a guard physically present. This rule relates to electronic TWIC inspection, and we do not believe it is within the scope of this rulemaking to issue guidance on proper visual identification procedures. One commenter suggested that, if not requiring electronic TWIC inspection for all Risk Groups, the Coast Guard should institute a ‘‘display and challenge’’ requirement for all secure areas. This would require that all persons with unescorted access display their TWIC or E:\FR\FM\23AUR2.SGM 23AUR2 57696 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations other credential when in a secure area. As this final rule only relates to electronic TWIC inspection, such a suggestion is out of scope of this rulemaking. One commenter suggested that the Coast Guard has been lax in pursuing administrative action for TWIC-related offenses, such as loaning TWICs, entering facilities without undergoing proper screening processes, or using counterfeit TWICs. We note that these issues are taken seriously, but are outside the scope of this rulemaking as we are not changing the actions to be taken upon identification of TWIC issues, merely how they might be detected. One commenter noted that ‘‘terminals must abide by common law and practice,’’ in reference to the idea that TWICs are not the sole condition of entry. The Coast Guard agrees, but notes the improvement in access control that electronic TWIC inspection provides. One commenter implied that ammonium nitrate should not be considered CDC. Altering the list of CDC (defined in 33 CFR part 160) is beyond the scope of this rulemaking. One commenter noted that visual TWIC inspection presents a safety issue, as security personnel can be injured or killed by vehicles approaching the gate area. While there are certainly security incidents where attackers can try to use force to breach the perimeter of a secure facility, such incidents are beyond the scope of this rule. One commenter suggested that the U.S. Congress should fully fund the TWIC reader program, and asserted that funding of Federally mandated programs will ensure a degree of financial relief and minimize burdens. While we agree that funding would shift the industry burden to taxpayers, this comment remains beyond the scope of this rule. Finally, this final rule makes a number of minor, technical edits, including updating internal references, to the regulations in 33 CFR Chapter I, Subchapter H, in addition to the changes discussed elsewhere in the preamble. These edits affect the following sections in Title 33 of the CFR: • 101.105 Definitions. • 101.514 TWIC Requirement. • 101.515 TWIC/Personal Identification. • 104.105 Applicability. • 104.115 Compliance. • 104.120 Compliance documentation. • 104.200 Owner or operator. • 104.215 Vessel Security Officer (VSO). • 104.235 Vessel recordkeeping requirements. • 104.260 Security systems and equipment maintenance. • 104.267 Security measures for newly hired employees. • 104.292 Additional requirements— passenger vessels and ferries. • 104.405 Format of the Vessel Security Plan (VSP). • 104.410 Submission and approval. • 105.115 Compliance dates. • 105.120 Compliance documentation. • 105.200 Owner or operator. • 105.257 Security measures for newly hired employees. • 105.290 Additional requirements— cruise ship terminals. • 105.296 Additional requirements— barge fleeting facilities. • 105.405 Format and content of the Facility Security Plan (FSP). • 105.410 Submission and approval. • 106.110 Compliance dates. • 106.115 Compliance documentation. • 106.200 Owner or operator. • 106.262 Security measures for newly-hired employees. • 106.405 Format and content of the Facility Security Plan (FSP). • 106.410 Submission and approval. VI. Regulatory Analyses We developed this rule after considering numerous statutes and Executive Orders (E.O.s) related to rulemaking. Below we summarize our analyses based on these statutes or E.O.s. A. Regulatory Planning and Review E.O.s 12866 (‘‘Regulatory Planning and Review’’) and 13563 (‘‘Improving Regulation and Regulatory Review’’) direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This final rule is a significant regulatory action under section 3(f) of E.O. 12866. The Office of Management and Budget (OMB) has reviewed it under that Order. It requires an assessment of potential costs and benefits under section 6(a)(3) of E.O. 12866. A final assessment is available in the docket, and a summary follows. We amend our regulations on certain MTSA-regulated vessels and facilities to include requirements for electronic TWIC inspection to be used for access control for unescorted access to secure areas. Table 3 summarizes the costs and benefits of this final rule. TABLE 3—SUMMARY OF COSTS AND BENEFITS 64 Category Final rule Applicability ............................................................................................... High-risk MTSA-regulated facilities and high risk MTSA-regulated vessels with greater than 20 TWIC-holding crew. 1 vessel. 525 facilities. $21.9 (annualized). $153.8 (10-year). Time to retrieve or replace lost PINs for use with TWICs. Enhanced access control and security at U.S. maritime facilities and on board U.S.-flagged vessels. Reduction of human error when checking identification and manning access points. Affected Population .................................................................................. Costs ($ millions, 7% discount rate) ........................................................ sradovich on DSK3GMQ082PROD with RULES2 Costs (Qualitative) .................................................................................... Benefits (Qualitative) ................................................................................ VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00046 Fmt 4701 Sfmt 4700 E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations Table 4 summarizes the changes in the regulatory analysis as we moved from the NPRM to this final rule. These changes to the RA came from either policy changes on the electronic TWIC inspection requirements, public comments received after the publication of the NPRM in March 2013, or simply 57697 from updating the data and information that informed our regulatory analysis. TABLE 4—CHANGES IN REGULATORY ANALYSIS FROM NPRM TO FINAL RULE Element of regulatory analysis Reason changed Explanation of change Affected Population ......................... Policy change ................................ Cost of TWIC Readers .................... Update to reflect current prices for TWIC readers. Comments received ....................... Wages for transportation workers ... Maintenance Cost of TWIC Readers. Number of TWIC Readers .............. More current BLS data .................. Comment received ........................ a. Barge fleeting facilities were removed reducing the previous facility population of 532 to 525, and b. Crew size changed to 20 (instead of 14) and thus reducing the number of vessels to 1. The most recent prices of electronic TWIC readers as published in GSA schedule and TSA’s QTL were significantly reduced. Some public comments suggested that TWIC reader costs have declined since the NPRM RA data was collected. Revised labor cost by using May 2012 BLS data. Revised this cost assumption from 5% of the total cost of a TWIC Reader to 10%. Per one large ferry passenger facility’s suggestion, accommodated this facility’s higher number of readers in cost estimates. Comment received ........................ sradovich on DSK3GMQ082PROD with RULES2 In this final rule, we require owners and operators of certain vessels and facilities regulated by the Coast Guard under 33 CFR Chapter I, subchapter H, to use electronic TWIC inspection designed to work with TWIC as an access control measure. This final rule also includes recordkeeping requirements for those owners and operators required to use an electronic TWIC inspection, and amendments to security plans previously approved by the Coast Guard to incorporate TWIC requirements. The provisions in this final rule enhance the security of vessels, ports, and other facilities by ensuring that only individuals who hold valid TWICs are granted unescorted access to secure areas at those locations. It will also further implement the MTSA transportation security card requirement, as well as the SAFE Port Act electronic TWIC inspection requirements. We estimate that this final rule would specifically affect owners and operators of certain MTSA-regulated vessels and facilities in Risk Group A with additional costs. As previously discussed, Risk Group A would consist of those vessels and facilities with highest consequence for a TSI. Affected facilities in Risk Group A would include: (1) Facilities, including barge fleeting facilities, that handle or receive vessels carrying CDC in bulk; and (2) Facilities that receive vessels certificated to carry more than 1,000 passengers. Affected vessels in Risk Group A would include: (1) Vessels that carry CDC in bulk; (2) Vessels certificated to carry more than 1,000 passengers; and (3) Towing vessels engaged in towing barges subject to (1) or (2). In addition, this proposal provides an electronic TWIC inspection exemption for vessels with 20 or fewer TWIC-holding crewmembers, further reducing the number of affected vessels in Risk Group A. Based on the risk-based hierarchy described in the preamble of this final rule and data from the Coast Guard’s MISLE database, we estimate this final rule will affect 525 facilities and 1 vessel with additional costs. All of these facilities and vessels are in Risk Group A. The final rule adds flexibility in using existing PACS to comply with the electronic TWIC inspection requirements, which may result in lower costs for affected facilities and vessels. For the purposes of regulatory analysis, however, we prepare the cost estimate assuming that all of the affected population will install and use electronic TWIC readers. The following discussion of the cost analysis is based on this assumption. To estimate the costs for this proposal, we use data from a variety of sources, including MISLE, TWIC Pilot Study, TSA’s ICE and QTL lists, public comments, and the GSA schedule among others. When data from the TWIC pilot are used (to estimate the costs for installation, integration, and PACS integration), the data are broken down by per electronic reader cost for each facility type. By distilling the costs from the TWIC Pilot down to a per TWIC reader cost by facility type, we are able to smooth out the varied costs in the TWIC Pilot and effectively normalize the TWIC Pilot costs before applying the costs to the full affected population of this rulemaking. The primary cost driver for this final rule is the capital cost associated with the purchase and installation of TWIC readers into access control systems. These costs include the cost of TWIC reader hardware and software, as well as costs associated with the installation, infrastructure, and integration with a PACS. Operational costs associated with this rulemaking include security plan amendments, recordkeeping, updates of the list of cancelled TWICs, training, and system maintenance. We also include operational and maintenance costs, which we estimate to be five percent of the cost of the TWIC reader hardware and software and are incurred annually. Table 5 summarizes our estimates for total capital costs by facility type during the 2-year implementation period; Table 6 provides the operational costs for facilities by four requirements throughout the analysis period.65 64 For a more detailed discussion of costs and benefits, see the full RA available in the online docket for this rulemaking. Appendix G of that document outlines the costs by provision and also discusses the complementary nature of the provisions and the subsequent difficulty in distinguishing independent benefits from individual provisions. 65 See RA Tables 4.10 and 4.16 and associated discussion for the specific sources for our estimates as well as how they were developed. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00047 Fmt 4701 Sfmt 4700 E:\FR\FM\23AUR2.SGM 23AUR2 57698 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations TABLE 5—TOTAL FACILITY CAPITAL COSTS, 2-YEAR IMPLEMENTATION PERIOD (YEAR 1 AND YEAR 2) Total readers Facility type Total reader costs ($) Number Fixed Portable Fixed Total costs ($) Portable Install. Infra-structure PACS Total capital cost ($) Bulk Liquid ... Break Bulk and Solids Container ...... Large Passenger ....... Small Passenger ....... Mixed Use .... 290 1,535 292 8,247,555 2,054,220 11,475,387 20,033,055 15,279,201 57,089,418 16 3 91 36 45 8 488,943 193,428 316,575 56,280 904,128 909,612 3,724,904 589,952 2,938,552 1,020,184 8,373,102 2,769,456 92 42 524 225,666 3,686,340 1,682,152 4,102,368 841,642 10,538,168 63 61 0 180 426 72 0 967,140 2,996,910 506,520 0 8,191,008 0 6,300,000 0 1,242,108 2,996,910 17,206,776 Total ...... 525 1,884 1,367 10,122,732 9,616,845 23,162,287 34,750,279 21,321,687 98,973,830 TABLE 6—ANNUAL OPERATIONAL COSTS FOR FACILITIES Amendments Years after publication Recordkeeping Training Canceled card list Total Personnel FSO 1 ............................................................................... 2 ............................................................................... 3 ............................................................................... 4 ............................................................................... 5 ............................................................................... 6 ............................................................................... 7 ............................................................................... 8 ............................................................................... 9 ............................................................................... 10 ............................................................................. $467,614 465,836 0 0 0 0 0 0 0 0 $748,182 857,138 224,028 224,028 224,028 224,028 224,028 224,028 224,028 224,028 $486,319 484,469 970,788 970,788 970,788 970,788 970,788 970,788 970,788 970,788 $209,219 261,523 104,609 104,609 104,609 104,609 104,609 104,609 104,609 104,609 $74,676 93,345 37,338 37,338 37,338 37,338 37,338 37,338 37,338 37,338 $1,986,009 2,162,312 1,336,763 1,336,763 1,336,763 1,336,763 1,336,763 1,336,763 1,336,763 1,336,763 Total .................................................................. 933,450 3,397,544 8,737,092 1,307,616 466,725 14,842,427 Table 7 shows the 10-year period of analysis for the total costs by facility type. These facility costs do not include costs associated with delays or replacement of TWICs, which are discussed later. These estimates include capital replacement costs for TWIC reader hardware and software beginning 5 years after implementation. These costs are reduced from those estimated in the NPRM given cost reductions in TWIC readers and the removal of TWIC reader requirements for barge fleeting areas. TABLE 7—10-YEAR TOTAL COSTS, BY FACILITY TYPE * [$ Millions] Year Bulk liquid Break bulk and solids Container Large passenger Small passenger Mixed use Total $31.6 32.3 4.6 4.6 4.6 10.1 10.1 4.6 4.6 4.6 $2.4 2.4 0.3 0.3 0.3 0.8 0.8 0.3 0.3 0.3 $0.8 0.8 0.1 0.1 0.1 0.2 0.2 0.1 0.1 0.1 $9.8 10.0 1.4 1.4 1.4 3.1 3.1 1.4 1.4 1.4 $7.4 7.5 1.1 1.1 1.1 2.4 2.4 1.1 1.1 1.1 $4.4 4.5 0.6 0.6 0.6 1.4 1.4 0.6 0.6 0.6 $56.3 57.4 8.1 8.1 8.1 18.0 18.0 8.1 8.1 8.1 Total Undiscounted ........................... Total Discounted at 7% ........................... Total Discounted at 3% ........................... sradovich on DSK3GMQ082PROD with RULES2 1 ............................................................... 2 ............................................................... 3 ............................................................... 4 ............................................................... 5 ............................................................... 6 ............................................................... 7 ............................................................... 8 ............................................................... 9 ............................................................... 10 ............................................................. 111.5 88.7 100.4 8.3 6.6 7.5 2.7 2.1 2.4 34.5 27.5 31.1 26.0 20.7 23.4 15.4 12.2 13.9 198.3 157.8 178.7 Note: Numbers may not total due to rounding. * These facilities are regulated because they handle CDC or more than 1,000 passengers. In the U.S. marine transportation system, facilities often handle a variety of commodities and provide a variety of commercial services. These facility types have different costs based on physical characteristics, such as the number of access points that would require TWIC readers, and other data received from the TWIC Pilot Study. See the final RA for details on different facility types and data from the TWIC Pilot Study. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00048 Fmt 4701 Sfmt 4700 E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations To account for potential opportunity costs associated with the delays as a result of the electronic TWIC inspection requirements, we estimate a cost associated with failed reads.66 We provide a range of delay costs based on different delays in seconds and also based on the number of times a TWIC- holder may have their card read on a weekly basis. By using a range of delay costs, we are able to account for multiple scenarios where an invalid electronic TWIC inspection transaction would lead to the use of a secondary processing operation, such as a visual TWIC inspection, additional 57699 identification validation, or other provisions as set forth in the FSP.67 Table 8 provides the annual costs associated with delays caused by invalid transactions for Risk Group A Facilities. TABLE 8—COST OF DELAYS DUE TO INVALID TRANSACTION PER YEAR, FOR RISK GROUP A FACILITIES 1 Read per week 2 Reads per week 3 Reads per week 4 Reads per week 5 Reads per week 6 Seconds ........................................................................ 14 Seconds ...................................................................... 30 Seconds ...................................................................... 60 Seconds ...................................................................... 120 Seconds .................................................................... $94,339 220,125 471,696 943,391 1,886,782 $188,678 440,249 943,391 1,886,782 3,773,564 $283,017 660,374 1,415,087 2,830,173 5,660,346 $377,356 880,498 1,886,782 3,773,564 7,547,129 $471,696 1,100,623 2,358,478 4,716,955 9,433,911 $283,017 660,374 1,415,087 2,830,173 5,660,346 Average ..................................................................... 723,266 1,446,533 2,169,799 2,893,066 3,616,332 2,169,799 For the purposes of this analysis, we used the cost of delay estimate of $2.2 million per year, which represents the average delay across all iterations of delay times and electronic TWIC inspection transactions. The use of TWIC readers will also increase the likelihood of faulty TWICs (TWICs that are not machine readable) being identified and the need for secondary screening procedures so affected workers and operators can address these issues.68 If a TWICholder’s card is faulty and cannot be read, the TWIC-holder would need to travel to a TWIC Enrollment Center to get a replacement TWIC, which may result in additional travel and replacement costs. To account for this, we estimate a cost for a percentage of TWIC-holders to obtain replacement TWICs. Based on information from the TWIC Pilot, we estimate that each year approximately five percent of TWICholders associated with Risk Group A would need to replace TWICs that cannot be read. We estimate that this would cost approximately $254.93 per TWIC-holder to travel to a TWIC Enrollment center and get a replacement TWIC.69 Overall, we estimate that TWIC replacement would cost approximately $2.3 million per year for TWIC Average transactions involving Risk Group A facilities. We assume this is an annual cost, though we anticipate that the rate of TWIC replacements will decrease as TWIC reader use increases, since the number of unreadable TWICs initially identified will decrease as the regular use of TWIC readers will serve to enhance TWIC validity and readability. Table 9 shows the average initial phase-in and annual recurring costs per facility by facility type. This includes capital, operational, delay, and TWIC replacement costs due to invalid TWIC reader transactions. It does not, however, account for vessel costs. TABLE 9—PER FACILITY COST, BY FACILITY TYPE Phase-in & recurring costs Bulk liquid Initial Phase-in Cost ......................................................... Annual Recurring Cost ..................................................... Annual Recurring Cost with Equipment Replacement .... $107,907 14,575 33,701 Break bulk and solids $145,588 19,664 45,470 Container Large passenger $251,211 33,931 78,457 $105,375 14,233 32,910 Small passenger $115,818 15,643 36,172 Mixed use $ 70,758 9,557 22,099 sradovich on DSK3GMQ082PROD with RULES2 For the single Risk Group A vessel with greater than 20 TWIC-holding crewmembers, we assume that this vessel will comply with the requirements by purchasing two portable TWIC readers (total first year cost of $14,070) and deploying them at the main access points of the vessel, replacing them at Year 6. We also estimate $1,339 for VSP amendments; $2,142 for the development of a recordkeeping system; and $2,028 for training in Year 1. Recurring costs include updates of the list of cancelled TWICs ($1,392 per year), ongoing training ($507 per year), and ongoing recordkeeping ($321 per year). We estimate the annualized costs to vessels of this rulemaking to be approximately $7,270 at a 7 percent discount rate. These costs are shown in Table 10. 66 Delays may result from operational, human- or weather-related factors. 67 The final RA contains a discussion of the different failure mode scenarios where an invalid TWIC reader transaction would lead to potential delays and the use of secondary processing. 68 Although current regulations require that TWICs be valid and readable upon request by DHS or law enforcement personnel, we anticipate that widespread use of TWIC readers will initially identify more unreadable cards. However, we expect the regular use of TWIC readers to ultimately serve to enhance compliance with current TWIC card validity and readability requirements. 69 This cost is explained in greater detail in the Final Regulatory Analysis and Final Regulatory Flexibility Analysis. It includes an estimated $194.93 for the average TWIC-holder to travel to a TWIC Enrollment Center, cost to be away from work, wait time at the Enrollment Center, and the $60 fee for a replacement TWIC. Some TWICholders may not need to pay a replacement fee if the TWIC is determined faulty as a result of the card production process. However, these TWIC-holders would chose to travel to a TWIC Enrollment Center to get a replacement TWIC instead of waiting to receive it by mail. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00049 Fmt 4701 Sfmt 4700 E:\FR\FM\23AUR2.SGM 23AUR2 57700 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations TABLE 10—TOTAL VESSEL COSTS (RISK GROUP A WITH MORE THAN 20 TWIC-HOLDING CREWMEMBERS) * Year Undiscounted 7% 3% 1 ........................................................................................................................................................... 2 ........................................................................................................................................................... 3 ........................................................................................................................................................... 4 ........................................................................................................................................................... 5 ........................................................................................................................................................... 6 ........................................................................................................................................................... 7 ........................................................................................................................................................... 8 ........................................................................................................................................................... 9 ........................................................................................................................................................... 10 ......................................................................................................................................................... $20,971 3,627 3,627 3,627 3,627 17,697 3,627 3,627 3,627 3,627 $19,599 3,168 2,961 2,767 2,586 11,792 2,259 2,111 1,973 1,844 $20,360 3,419 3,319 3,222 3,129 14,821 2,949 2,863 2,780 2,699 Total .............................................................................................................................................. Annualized ........................................................................................................................................... 67,682 51,058 7,270 59,560 $,982 * Because the affected population is only one vessel, we assume that this vessel will comply within the first year of implementation. We estimate the annualized cost of this final rule to industry over 10 years to be approximately $21.9 million at a 7 percent discount rate. The main cost drivers of this final rule are the acquisition and installation of TWIC readers and the maintenance of the affected entity’s electronic TWIC inspection system. Initial costs, which will be distributed over a 2-year implementation phase, consist predominantly of the costs to purchase and install TWIC readers and to integrate them with owners’ and operators’ PACS. Annual costs will be driven by costs associated with updates of the list of cancelled TWICs, recordkeeping, training, system maintenance and opportunity costs associated with failed TWIC reader transactions. We estimated the present value average costs of this final rule on industry for a 10-year period as summarized in Table 11. The costs were discounted at 3 and 7 percent as set forth by guidance in OMB Circular A– 4. TABLE 11—TOTAL INDUSTRY COST, RISK GROUP A [$ Millions] Year Facility Vessel Additional costs * Undiscounted 7% 3% 1 ................................................................................... 2 ................................................................................... 3 ................................................................................... 4 ................................................................................... 5 ................................................................................... 6 ................................................................................... 7 ................................................................................... 8 ................................................................................... 9 ................................................................................... 10 ................................................................................. $51.5 52.6 3.3 3.3 3.3 13.2 13.2 3.3 3.3 3.3 $0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 $4.8 4.8 4.8 4.8 4.8 4.8 4.8 4.8 4.8 4.8 $56.3 57.4 8.1 8.1 8.1 18.0 18.0 8.1 8.1 8.1 $52.6 50.2 6.6 6.2 5.8 12.0 11.2 4.7 4.4 4.1 $54.7 54.1 7.4 7.2 7.0 15.1 14.6 6.4 6.2 6.0 Total ...................................................................... Annualized ................................................................... 150.3 0.1 48.0 198.4 157.8 22.5 178.8 21.0 * This includes additional delay, travel, and TWIC replacement costs due to TWIC failures. As this final rule will require amendments to FSPs and VSPs, we estimate a cost to the government to review these amendments during the implementation period, but do not anticipate any further annual cost to the government from this final rule. For the total implementation period, the total government cost will be $93,177 at a 7 percent discount rate. Table 12 shows the 10-year government costs. TABLE 12—GOVERNMENT COSTS * sradovich on DSK3GMQ082PROD with RULES2 Year FSP 1 ........................................................................................................... 2 ........................................................................................................... 3 ........................................................................................................... 4 ........................................................................................................... 5 ........................................................................................................... 6 ........................................................................................................... 7 ........................................................................................................... 8 ........................................................................................................... 9 ........................................................................................................... 10 ......................................................................................................... VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00050 Fmt 4701 $51,450 51,450 0 0 0 0 0 0 0 0 Sfmt 4700 VSP Total undiscounted $166 0 0 0 0 0 0 0 0 0 E:\FR\FM\23AUR2.SGM $51,616 51,450 0 0 0 0 0 0 0 0 23AUR2 7% 3% $48,239 44,938 0 0 0 0 0 0 0 0 $50,112 48,497 0 0 0 0 0 0 0 0 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations 57701 TABLE 12—GOVERNMENT COSTS *—Continued Year FSP Total .............................................................................................. 102,900 Total undiscounted VSP 166 103,066 Annualized ........................................................................................... 13,266 7% 93,177 3% 98,609 11,560 * After implementation, we estimate there would be no additional government costs for plan review as additional updates would be covered under existing plan review requirements and resources. sradovich on DSK3GMQ082PROD with RULES2 Based on the provisions in this final rule and recent data, we estimated the average first-year cost of this final rule (combined industry and government) to be approximately $52.1 million or $54.1 million at a 7 or 3 percent discount rate, respectively. The undiscounted annual recurring cost for this final rule is approximately $7.5 million in every year except years 6 and 7, due to equipment replacement 5 years after implementation. The annualized cost of this final rule is $21.9 million at 7 percent and $20.4 million at 3 percent. The 10-year cost to industry and government of this final rule is approximately $153.8 million at a 7 percent discount rate, and $173.9 million at a 3 percent discount rate. The benefits of the final rule include enhancing the security of vessels, ports, and other facilities by ensuring that only individuals who hold TWICs are granted unescorted access to secure areas at those locations and reducing regulatory uncertainty by closing the gap between MTSA and SAFE Port Act requirements for electronic TWIC inspection and regulatory requirements. Electronic TWIC inspection programs will make identification, validation, and verification of individuals attempting to gain unescorted access to a secure area more reliable and also will help to alleviate potential sources of human error when checking credentials at access points. Identity verification ensures that the individual presenting the TWIC is the same person to whom the TWIC was issued. Card authentication ensures that the TWIC is not counterfeit, and card validation ensures that the TWIC has not expired or been revoked by TSA, or reported as lost, stolen, or damaged. Furthermore, the standardization of TWIC readers on a national scale could provide additional benefits in the form of efficiency gains in implementing access control systems throughout port facilities and nationally for companies operating in multiple locations. Data limitations preclude us monetizing these benefits, but instead, we use break-even analysis. Break-even analysis is useful when it is not possible to quantify the benefits of a regulatory action. OMB Circular A–4 recommends a ‘‘threshold’’ or ‘‘break-even’’ analysis when non-quantified benefits are important to evaluating the benefits of a regulation. Break-even analysis answers the question, ‘‘How small could the value of the non-quantified benefits be (or how large would the value of the non-quantified costs need to be) before the rule would yield zero net benefits?’’ 70 For this rulemaking, we calculate a potential range of break-even results from the estimated consequences of the three attack scenarios that are most likely to be mitigated by the use of TWIC readers. Because the primary function of the TWIC card and electronic TWIC inspection is to enhance access control and identity verification and validation, the attack scenarios evaluated within MSRAM to provide the consequence data for this analysis were limited to the following: • Truck Bomb Æ Armed terrorists use a truck loaded with explosives to attack the target focal point. The terrorists will attempt to overcome guards and barriers if they encounter them. • Terrorist Assault Team Æ A team of terrorists using weapons and explosives attack the target focal point. Assume the terrorists have done prior planning surveillance, but have no insider support of assault. • Passenger/Passerby Explosives/ Improvised Explosive Device Æ Terrorists exploit inadequate access control and detonate carried explosives at the target focal point. Assume the terrorists approach the target under cover of legitimate presence and are not armed. Note: for this attack mode, terrorist is not an insider. The focus on these three attack scenarios allows us to look at specific attack scenarios that are most likely to be mitigated by the electronic TWIC inspection programs. These scenarios were chosen because they represent the scenarios most likely to benefit from the enhanced access control afforded by electronic TWIC inspection, as they require would-be attackers gaining access to the target in question. For these three attack types, the aggressor would first need to gain access to the facility to inflict maximum damage. Because the function of the electronic TWIC inspection is to enhance access control, the deployment of TWIC readers would increase the likelihood of identifying and denying access to an individual attempting nefarious acts. For the break-even analysis, we estimate the consequences of these three scenarios by estimating the number of casualties and serious injuries that would occur had the attack been successful. To monetize the value of fatalities prevented, we use the concept of ‘‘value of a statistical life’’ (VSL), which is commonly used in regulatory analyses. The VSL does not represent the dollar value of a person’s life, but the amount society would be willing to pay to reduce the probability of premature death. We currently use a value of $9.1 million as an estimate of VSL.71 This break-even analysis does not consider any property damage, environmental damage, indirect or macroeconomic consequences these terrorist attacks might cause. Consequently, the economic impacts of the terrorist attacks estimated for this series of break-even analyses would be higher if these other impacts were considered. 70 U.S. Office of Management and Budget, Circular A–4, September 17, 2003, page 2. 71 See the Department of Transportation’s ‘‘Guidance on the Treatment of the Economic Value of a Statistical Life in U.S. Department of Transportation Analyses’’ http://www.dot.gov/sites/ dot.dev/files/docs/VSL%20Guidance%202013.pdf. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 PO 00000 Frm 00051 Fmt 4701 Sfmt 4700 E:\FR\FM\23AUR2.SGM 23AUR2 57702 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations TABLE 13—ANNUAL RISK REDUCTION AND ATTACKS AVERTED REQUIRED FOR COSTS TO EQUAL BENEFITS, FINAL RULE ALTERNATIVE Annualized cost, 7% discount rate ($ Millions) Final Rule Alternative ...................................................................................... As shown in Table 13, an avoided terrorist attack at an average target is equivalent to $5.01 billion in avoided consequences. This final rule is estimated to cost approximately $21.9 million annually. Using the estimated annualized cost of this regulation, the annual reduction in the probability of attack to a Risk Group A facility that would just equate avoided consequences with cost is less than 0.5 percent. To state this in another way, if implementing this regulation will lower the likelihood of a successful terrorist attack by more than 0.4 percent each year, then this would be a socially efficient use of resources. This final rule would be cost effective if it prevented Average maximum consequence ($ Millions) Required reduction in risk to break-even $5,014.1 0.4% $21.9 one terrorist attack with consequence equal to the average every 229 years ($5,014.1/$21.9). These small changes in required risk reduction suggest that the potential benefits of the final rule justify the costs. For the final rule alternative, we assess that all Risk Group A facilities will be required to conduct electronic TWIC inspections. On the vessel side, we assess that all Risk Group A vessels with a crew size greater than 20 TWICholding crewmembers will likely carry two portable TWIC readers. For this alternatives analysis, we look at several different ways to implement electronic TWIC inspection requirements based on the Risk Group hierarchy. These alternatives include requiring TWIC Frequency of attacks averted to breakeven One every 229 years readers for Risk Group A and B facilities, along with Risk Group A vessels with more than 14 TWICholding crewmembers, Risk Group A and container facilities, along with Risk Group A vessels with more than 14 TWIC-holding crewmembers, adding certain high-risk facilities to Risk Group A, including petroleum refineries, nonCDC bulk hazardous materials facilities, and petroleum storage facilities, and Risk Group A facilities and all selfpropelled Risk Group A vessels. Table 14 summarizes the cost of the alternatives considered. The costs displayed are the 10-year costs and the 10-year annualized cost, each discounted at 7 percent. TABLE 14—REGULATORY ALTERNATIVES Facility population Description Final Rule Alternative ........................ NPRM Alternative ............................. Alternative 2 ...................................... Alternative 3 ...................................... Alternative 4 ...................................... sradovich on DSK3GMQ082PROD with RULES2 Alternative 5 (ANPRM Alternative) ... All Risk Group A facilities and Risk Group A vessels with more than 20 crewmembers. All Risk Group A facilities and Risk Group A vessels with more than 14 crewmembers. All Risk Group A facilities and Risk Group A vessels (except barges). Risk Group A and all container facilities and Risk Group A vessels with more than 14 crewmembers. All Risk Group A facilities, plus additional high consequence facilities including petroleum refineries, non-CDC bulk hazardous materials facilities, and petroleum storage facilities, and Risk Group A vessels with more than 14 crewmembers. Risk Group A and B Facilities and Risk Group A vessels with more than 14 crewmembers. When comparing alternatives, we also looked at the results of the break-even analysis for these alternatives. As Table 15 shows, for the overall average maximum consequence, the final rule VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 Frm 00052 Fmt 4701 Sfmt 4700 Annualized cost ($ millions, at 7% discount rate) 525 1 $153.8 $21.9 532 38 153.5 21.9 532 138 158.2 22.5 651 38 182.6 26.0 1,174 38 309.5 44.1 2,173 38 548.9 78.1 alternative will require the lowest reduction in risk for the costs of the rule to be justified. As the purpose of this rulemaking is to enhance security to mitigate a TSI, we assess the break-even PO 00000 Total cost ($ millions, at 7% discount rate) Vessel population for the overall consequence of a TSI. It is assumed that the highest consequence targets will be the most attractive targets for potential terrorist attack. E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations 57703 TABLE 15—SUMMARY OF REQUIRED RISK REDUCTION AND ATTACKS AVERTED BY REGULATORY ALTERNATIVE, OVERALL (IN $ MILLIONS) Annualized cost, 7% discount rate Average consequence Required reduction in risk $21.9 $5,014.10 0.44% NPRM Alternative ....................................................................................... 21.9 5,014.10 0.44% Risk Group A facilities and all Risk Group A vessels, except barges ....... 22.5 5,014.10 0.45% Risk Group A and all container facilities and Risk Group A vessels with more than 14 crewmembers. All Risk Group A facilities, plus additional high consequence facilities including petroleum refineries, non-CDC bulk hazardous materials facilities, and petroleum storage facilities, and Risk Group A vessels with more than 14 crewmembers. ANPRM Alternative Risk Groups A and B facilities and Risk Group A vessels with more than 14 crewmembers. sradovich on DSK3GMQ082PROD with RULES2 Final Rule Alternative ................................................................................. 26.0 4,158.7 0.63% 44.1 2,211.3 1.99% 78.1 1,647.1 4.74% Final rule Alternative—Risk Group A Facilities and Risk Group A Vessels with More than 20 TWIC-Holding Crewmembers: The analysis for this alternative is discussed in detail previously in this section, as it is the alternative we have chosen in this final rule. NPRM Alternative—Risk Group A Facilities and Risk Group A Vessels with More than 14 TWIC-Holding Crewmembers: The analysis for this alternative was discussed in detail in the previously published NPRM’s regulatory impact analysis.72 The two key differences between the final rule and NPRM alternative are the exemption of barge fleeting facilities reducing the affected facility population to 525 and the adoption of the crew size of 20 or more removing all vessels except one in the final rule as opposed to all 532 facilities and 38 vessels in the Risk Group A. Alternative 2—Risk Group A Facilities and All Risk Group A Vessels, Except Barges: This alternative would require electronic TWIC inspection to be used at all Risk Group A facilities and for all Risk Group A vessels, except barges. This alternative would increase the burden on industry and small entities by increasing the affected population from 1 vessel to 138 vessels. The number of facilities would be the same as in the NPRM alternative. Under this alternative, annualized cost of this rulemaking would remain the same at $21.9 million, at a 7 percent discount rate. The discounted 10-year costs would go from $157.9 million to $158.2 million. While this alternative does not lead to a significant increase in costs, 72 78 FR 17782. VerDate Sep<11>2014 19:12 Aug 22, 2016 we reject it because requiring electronic TWIC inspection on vessels with 14 or fewer TWIC-holding crewmembers is unnecessary, as crews with that few members are known to all on the vessel. This crewmember limit was proposed in the ANPRM and in the NPRM, and was based on a recommendation from TSAC. See the discussion in the NPRM on ‘‘Recurring Unescorted Access’’ and ‘‘TWIC Reader Exemption for Vessels with 14 or Fewer TWIC-Holding Crewmembers’’ for more details.73 Alternative 3—Risk Group A and All Container Facilities and Risk Group A Vessels with More than 14 TWICHolding Crewmembers: For this alternative, we assumed that only those facilities in Risk Group A, as previously defined, and all container facilities will require electronic TWIC inspection. This alternative would increase the burden on industry and small entities by increasing the affected population from 525 facilities to 651 facilities. Under this scenario, the annualized cost of this rulemaking would increase from $21.9 million to $26.0 million, at a 7 percent discount rate. The discounted 10-year costs would go from $153.8 million to $182.6 million. The inclusion of container facilities would also potentially have adverse environmental impacts due to increased air emissions due to longer wait (‘‘queuing’’) times and congestion at facilities. We considered this alternative because of the risk associated with container facilities due to the transfer risk associated with containers. As discussed in the preamble of the NPRM, many of the high-risk threat scenarios at container facilities would not be 73 78 Jkt 238001 PO 00000 FR 17803 and 78 FR 17813, respectively. Frm 00053 Fmt 4701 Sfmt 4700 Frequency of attacks averted One every years. One every years. One every years. One every years. One every years. 229 229.0 222.8 160.0 50.1 One every 21.1 years. mitigated by electronic TWIC inspection. The costs for electronic TWIC inspection at container facilities would not be justified by the amount of potential risk reduction at these facilities from such a measure. While container facilities pose a higher transfer risk (i.e., there is a greater risk of a threat coming through a container facility and inflicting harm or damage elsewhere than with any other facility type), such threats are not mitigated by the use of TWIC readers. Furthermore, the use of TWIC readers, or other access control features, would not mitigate the threat associated with the contents of a container. The electronic TWIC inspection serves as an additional access control measure, but would not improve screening of cargoes for dangerous substances or devices. Alternative 4—Adding certain high consequence facilities to Risk Group A (these additional facilities to include petroleum refineries, non-CDC bulk hazardous materials facilities, and petroleum storage facilities): For this alternative, we moved three facility categories—petroleum refineries, non-CDC bulk hazardous materials facilities, and petroleum storage facilities—into Risk Group A from Risk Group B based on the average maximum consequence for these facility types. This alternative would increase the burden on industry by increasing the affected population from 525 facilities to 1,174 facilities. Under this scenario, the annualized cost of this rulemaking would increase from $21.9 million to $44.1 million, at a 7 percent discount rate. The discounted 10-year costs would go from $153.8 million to $309.5 million. We considered this alternative based on the high MSRAM consequences E:\FR\FM\23AUR2.SGM 23AUR2 sradovich on DSK3GMQ082PROD with RULES2 57704 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations associated with these three facility types, as well as due to the perception that petroleum facilities pose a greater security risk than other facility types. Despite the high MSRAM consequences for these facility types, the overall risk as determined in the AHP were not as high as those in the current Risk Group A, and therefore, we rejected this alternative and maintained the AHPbased risk groupings. Alternative 5—Risk Group A and Risk Group B Facilities and Risk Group A Vessels with More than 14 Crewmembers: Alternative 5 would require electronic TWIC inspection to be used at all Risk Group A and Risk Group B facilities, and Risk Group A vessels with greater than 14 TWIC-holding crewmembers. This alternative would increase the burden on industry and small entities by increasing the affected population from 525 facilities to 2,173 facilities. This increase in facilities would extend the affected population to facilities that fall under the second risk tier. Under this alternative, annualized cost of this rulemaking would increase from $21.9 million to $78.1 million, at a 7 percent discount rate. The discounted 10-year costs would go from $153.8 million to $548.9 million. Based on a recent study by the Homeland Security Institute, as discussed in the preamble to the NPRM, the difference in risk between facilities in Risk Groups A and B is clearly defined, indicating that the two Risk Groups do not require the same level of TWIC requirements. Further, as discussed in the benefits section of this analysis, the break-even point, or the amount of risk that would need to be reduced for costs to equal benefits, for this alternative is much higher than that of the final rule alternative. For these reasons, we rejected this alternative. The provisions in this final rule are taken in order to meet requirements set forth in MTSA and the SAFE Port Act. The final rule, as presented, represents the lowest cost alternative, as discussed above. We have focused this rulemaking on the highest risk population so as to reduce the impacts of this rule as much as possible. Also, we have created a performance standard that allows the affected population to implement the requirements in a manner most conducive to their own business practices. Furthermore, by allowing for flexibilities, such as the use of fixed or portable TWIC readers, and removing VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 vessels with 20 or fewer TWIC-holding crewmembers from the requirements, we have reduced potential burden on all entities, including small entities. Furthermore, we believe that providing any additional relief for small entities would conflict with the purpose of this rulemaking, as the objective is to enhance access control and reduce risk of a TSI. Providing relief of the proposed requirements based on entity size would contradict that stated purpose and leave small entities, which may possess as great a risk as entities that exceed the Small Business Administration (SBA) size standards, more vulnerable to a TSI. B. Small Entities Under the Regulatory Flexibility Act, 5 U.S.C. 601–612, we have considered whether this rule would have a significant economic impact on a substantial number of small entities. The term ‘‘small entities’’ comprises small businesses, not-for-profit organizations that are independently owned and operated and are not dominant in their fields, and governmental jurisdictions with populations of less than 50,000. A Final Regulatory Flexibility Analysis discussing the impact of this final rule on small entities is available in the docket, and a summary follows. For this final rule, we estimated costs for mandatory electronic TWIC inspection for approximately 1 vessel and 525 facilities based on the risk assessment hierarchy and current data from the Coast Guard’s MISLE database. Of these 525 facilities that would be affected by the electronic TWIC inspection requirements, we found 306 unique owners. Among these 306 unique owners, there were 31 government-owned entities, 114 companies that exceeded SBA small business size standards, 88 companies considered small by SBA size standards, and 73 companies for which no information was available. For the purposes of this analysis, we consider all entities for which information was not available to be small. There were no not-for-profit entities in our affected population. Of the 31 government jurisdictions that would be affected by this final rule, 24 exceed the 50,000 population threshold as defined by the Regulatory Flexibility Act to be considered small, and the remaining 7 have government revenue levels such that there would not be an impact PO 00000 Frm 00054 Fmt 4701 Sfmt 4700 greater than 1 percent of government revenue.74 We were able to find revenue information for 64 of the 88 businesses deemed small by SBA size standards.75 We then determined the impacts of the final rule on these companies by comparing the cost of the final rule to the average per facility cost of this rulemaking. To determine the average per facility cost, we average the per facility cost for all facility types using the same cost per facility type breakdown as used to assess the costs of this proposal. We then found what percent impact on revenue the final rule will have based on implementation costs (including capital costs) and annual recurring costs (including updates of the list of cancelled TWICs, recordkeeping, and training). We estimate these costs to be, on average $195,715 per entity during the implementation period and $12,612 per entity in annual recurring cost.76 The actual cost faced by a specific facility will vary based on a number of factors, such as the number of access points. Smaller facilities should in general incur lower costs, but the Coast Guard is unable to distinguish cost estimates on a facility-by-facility basis. We note that in some cases owners and operators might be able to finance the equipment costs as needed and such financing scenario could further decrease the impact on the facility owner and operators. We base our impact analysis on average cost to regulated entities due to the flexibility afforded by this final rule to individual facilities to determine how best to implement electronic TWIC inspection requirements.77 Table 16 shows the potential revenue impacts for small businesses impacted by this final rule. 74 ‘‘Government revenues’’ used for this analysis include tax revenues, and in some cases, operating revenues for government owned waterfront facilities. 75 SBA small business standards are based on either company revenue or number of employees. Many companies in our sample have employee numbers determining them small, but we were unable to find annual revenue data to pair with the employee data. 76 These are weighted averages, based on the per facility cost displayed in Table 4 and the number of facilities by type. 77 We do not know how a specific facility will comply with this rulemaking in regards to type and number of readers installed, number of personnel requiring training at a given facility, etc. E:\FR\FM\23AUR2.SGM 23AUR2 57705 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations TABLE 16—REVENUE IMPACTS ON AFFECTED SMALL BUSINESSES—FACILITIES Impacts from implementation costs Revenue impact range Number of entities Impacts from recurring annual costs Percent of entities Number of entities Percent of entities 0% < Impact ≤ 1% ........................................................................................... 1% < Impact ≤ 3% ........................................................................................... 3% < Impact ≤ 5% ........................................................................................... 5% < Impact ≤ 10% ......................................................................................... Above 10% ...................................................................................................... 33 4 5 8 14 52 6 8 13 22 57 6 0 1 0 89 9 0 2 0 Total .......................................................................................................... 64 100 64 100 sradovich on DSK3GMQ082PROD with RULES2 The greatest impact is expected to occur during the implementation phase when 48 percent of small businesses that we were able to find revenue data on will experience an impact of greater than 1 percent, and 22 percent of small businesses that we were able to find revenue data on will experience an impact greater than 10 percent. After implementation, the impacts decrease and 89 percent of affected small businesses will see an impact less than 1 percent. We expect the revenue impacts for years with equipment replacement to be between those for implementation and annual impacts. During those years with equipment replacement, we estimate that approximately 3 percent of businesses would see an impact greater than 1 percent, and 0 percent would see an impact greater than 10 percent.78 For vessels, we found that for the 1 vessel that will be affected by this final rule, there is 1 unique owner that did not qualify as small business by SBA size standards. Therefore, we do not provide a revenue impact analysis for affected small business as we provided above for affected facilities. C. Assistance for Small Entities Under section 213(a) of the Small Business Regulatory Enforcement Fairness Act of 1996, Public Law 104– 121, we offered to assist small entities in understanding this rule so that they could better evaluate its effects on them and participate in the rulemaking. The Coast Guard will not retaliate against small entities that question or complain about this rule or any policy or action of the Coast Guard. Small businesses may send comments on the actions of Federal employees who enforce, or otherwise determine compliance with, Federal regulations to the Small Business and Agriculture Regulatory Enforcement Ombudsman and the Regional Small Business 78 We estimate an average cost per facility in years with equipment replacement to be $48,110. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 Regulatory Fairness Boards. The Ombudsman evaluates these actions annually and rates each agency’s responsiveness to small business. If you wish to comment on actions by employees of the Coast Guard, call 1– 888–REG–FAIR (1–888–734–3247). D. Collection of Information This rule calls for a collection of information under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501– 3520. You are not required to respond to a collection of information unless it displays a currently valid OMB control number. As required by 44 U.S.C. 3507(d), we submitted a copy of the final rule to the OMB for its review of the collection of information. As defined in 5 CFR 1320.3(c), ‘‘collection of information’’ comprises reporting, recordkeeping, monitoring, posting, labeling, and other similar actions. The title and description of the information collection, a description of those who must collect the information, and an estimate of the total annual burden follow. The estimate covers the time for reviewing instructions, searching existing sources of data, gathering and maintaining the data needed, and completing and reviewing the collection. Under the provisions of the final rule, the affected facilities and vessel will be required to update their FSPs and VSPs, as well as create and maintain a system of recordkeeping within 2 years of promulgation of the final rule. This requirement will be added to an existing collection with OMB control number 1625–0077. Title: Security Plans for Ports, Vessels, Facilities, Outer Continental Shelf Facilities and Other Security-Related Requirements. OMB Control Number: 1625–0077. Summary of the Collection of Information: This information collection is associated with the maritime security requirements mandated by MTSA. Security assessments, security plans, PO 00000 Frm 00055 Fmt 4701 Sfmt 4700 and other security-related requirements are found in 33 CFR Chapter I, subchapter H. The final rule will require certain vessel and facilities to use electronic readers designed to work with the TWIC as an access control measure. Affected owners and operators will also face requirements associated with electronic TWIC inspection, including recordkeeping requirements for those owners and operators required to use an electronic TWIC reader, and security plan amendments to incorporate TWIC requirements. Need for Information: The information is necessary to show evidence that affected vessels and facilities are complying with the electronic TWIC inspection requirements. Proposed Use of Information: We will use this information to ensure that facilities and vessels are properly implementing and utilizing electronic TWIC inspection programs. Description of the Respondents: The respondents are owners and operators of certain vessel and facilities regulated by the Coast Guard under 33 CFR Chapter I, subchapter H. Number of Respondents: The number of respondents is the 525 facilities that are considered ‘‘high-risk’’ and would be required to modify their existing FSPs, and 1 vessel that would be required to modify its VSP to account for the electronic TWIC inspection requirements. These same populations will be required to create and maintain recordkeeping systems as well. Frequency of Response: The FSP and VSP would need to be amended within 2 years of promulgation to include TWIC reader-related procedures. Recordkeeping requirements will need to be met along a similar timeline. Burden of Response: The estimated burden for facilities would be 17,063 hours in the first year, 17,063 hours in the second year and 3,150 hours in the third year and all subsequent years. The burden for vessels would be 65 burden E:\FR\FM\23AUR2.SGM 23AUR2 57706 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations sradovich on DSK3GMQ082PROD with RULES2 hours in year one, and 6 burden hours for all subsequent years. This includes an estimated 25 burden hours to amend the FSP or VSP, along with an implementation period burden of 40 hours and an annual burden of 6 hours for designing and maintaining a system of records for each facility or vessel, to include recordkeeping related to the list of cancelled TWICs. Estimate of Total Annual Burden Facilities: The estimated burden over the 2-year implementation period for facilities is 25 hours per FSP amendment. Since there are currently 525 facilities that will need to amend their FSPs, the total burden on facilities would be 13,125 hours (525 FSPs × 25 hours per amendment) during the 2-year implementation period, or 6,563 hours each of the first 2 years. Facilities would also face a recordkeeping burden of 21,000 hours during the 2-year implementation period (525 facilities × 40 hours per recordkeeping system), or 10,500 hours each year over the first 2 years. There would also be an annual recordkeeping burden of 3,150 hours (525 facilities × 6 hours per year), starting in the third year. In the second year, the 262 facilities that implemented in the first year would incur the 6 hours of annual recordkeeping, at a burden of 1,572 (262 facilities × 6 hours). The total burden for facilities is estimated at 17,063 (6,563 + 10,500) in Year 1, 17,063 in Year 2 (6,563 + 10,500), and 3,150 in Year 3. Vessels: For the 1 vessel, the burden in the first year would be 25 hours (1 VSP × 25 hour per amendment). Vessels would also face a recordkeeping burden of 40 hours during the 1-year implementation period (1 vessel × 40 hours per recordkeeping system). There would also be an annual recordkeeping burden of 6 hours, starting in Year 2, (1 vessel × 6 hours per year). The total burden for vessels is estimated at 65 (25 + 40) in Year 1 and 6 hours in Years 2 and 3. Total: The total additional burden due to the electronic TWIC inspection rule is estimated at 17,128 (65 for vessels and 17,063 for facilities) in Year 1, 17,069 (6 for vessel and 17,063 for facilities) in Year 2, and 3,156 (6 for vessels and 3,150 for facilities) in Year 3. The current annual burden listed in this collection of information is 1,108,043. The new burden, as a result of this final rule, in Year 1 is 1,125,171 (1,108,043 + 17,128). In Year 2, the new burden, as a result of this final rule, is 1,125,171 (1,108,043 + 17,128) and in Year 3 it is 1,111,199 (1,108,043 + 3,156). The average annual additional burden across the 3 years is 12,425. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), we have submitted a copy of this final rule to OMB for its review of the collection of information. E. Federalism A rule has implications for Federalism under E.O. 13132, Federalism, if it has a substantial direct effect on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. This final rule has been analyzed in accordance with the principles and criteria in E.O. 13132, and it has been determined that this final rule does have Federalism implications or a substantial direct effect on the States. This final rule would update existing regulations by creating a risk-based analysis of MTSA-regulated vessels and facilities. Based on this analysis, each vessel or facility is classified according to its risk level, which then determines whether the vessel or facility will be required to use TWIC readers. Additionally, this final rule will amend recordkeeping requirements and add requirements to amend security plans in order to ensure compliance. It is well-settled that States may not regulate in categories reserved for regulation by the Coast Guard. It is also well-settled, now, that all of the categories covered in 46 U.S.C. 3306, 3703, 7101, and 8101 (design, construction, alteration, repair, maintenance, operation, equipping, personnel qualification, and manning of vessels), as well as the reporting of casualties and any other category in which Congress intended the Coast Guard to be the sole source of a vessel’s obligations, are within fields foreclosed from regulation by the States or local governments. (See the decision of the Supreme Court in the consolidated cases of United States v. Locke and Intertanko v. Locke, 529 U.S. 89, 120 S.Ct. 1135 (March 6, 2000)). The Coast Guard believes the Federalism principles articulated in Locke apply to this final rule since it will require certain MTSA-regulated vessels to carry TWIC readers or a PACS that can conduct electronic TWIC inspection (i.e., required equipment), and to conform to recordkeeping and security plan requirements. In enacting MTSA, Congress articulated a need to address nationwide port security threats while preserving the free flow of interstate and international maritime commerce. Congress identified enhancing global maritime security through implementing international PO 00000 Frm 00056 Fmt 4701 Sfmt 4700 security instruments as furthering this statutory purpose. MTSA’s comprehensive and uniform maritime security regime, founded on the purpose of facilitating interstate and international maritime commerce, indicates that States and local governments are generally foreclosed from regulating within this field. As discussed above, vessel equipping and operation are traditionally fields foreclosed from State and local regulation. However, States and local governments have traditionally shared certain regulatory jurisdiction over waterfront facilities. Therefore, MTSA standards contained in 33 CFR part 105 (Maritime security: Facilities) are not preemptive of State or local law or regulations that do not conflict with them (i.e., they would either actually conflict or would frustrate an overriding Federal need for uniformity). The Coast Guard recognizes the key role that State and local governments may have in making regulatory determinations. Additionally, Sections 4 and 6 of E.O. 13132 require that for any rules with preemptive effect, the Coast Guard provide elected officials of affected State and local governments and their representative national organizations the notice and opportunity for appropriate participation in any rulemaking proceedings, and consult with such officials early in the rulemaking process. Therefore, we invited affected State and local governments and their representative national organizations to indicate their desire for participation and consultation in this rulemaking process by submitting comments to the NPRM. Numerous State and local governments responded to the Coast Guard’s invitation by actively participating in this rulemaking process. State and local government interests participated by submitting written comments and by attending and presenting their views in person at four public meetings we held across the country to solicit comments on this rulemaking. All comments have been posted to the docket for this rulemaking. Participating State and local government interests included: Alaska Marine Highway System; American Association of Port Authorities; Broward County, Florida Port Everglades Department; Calhoun Port Authority; King County, Washington Department of Transportation; New York City Department of Transportation; Port Authority of New York and New Jersey; Port of Galveston; Port of Houston Authority; Port of Seattle; Port of Stockton; Port of Tacoma; and E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations Washington State Department of Transportation. We considered this State and local government input in the promulgation of this final rule, and multiple changes to the final rule are attributable to these comments. Based on these consultations and the content of the final rule, we can ensure that the final rule is consistent with the fundamental federalism principles and preemption requirements described in E.O. 13132. F. Unfunded Mandates Reform Act The Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1531–1538, requires Federal agencies to assess the effects of their discretionary regulatory actions. In particular, the Act addresses actions that may result in the expenditure by a State, local, or tribal government, in the aggregate, or by the private sector of $100,000,000 (adjusted for inflation) or more in any one year. Though this rule will not result in such an expenditure, we do discuss the effects of this rule elsewhere in this preamble. G. Taking of Private Property This rule will not cause a taking of private property or otherwise have taking implications under E.O. 12630 (‘‘Governmental Actions and Interference with Constitutionally Protected Property Rights’’). H. Civil Justice Reform This rule meets applicable standards in sections 3(a) and 3(b)(2) of E.O. 12988, (‘‘Civil Justice Reform’’), to minimize litigation, eliminate ambiguity, and reduce burden. I. Protection of Children We have analyzed this rule under E.O. 13045 (‘‘Protection of Children from Environmental Health Risks and Safety Risks’’). Though this rule is a ‘‘significant regulatory action’’ under E.O. 12866, it does not create an environmental risk to health or risk to safety that might disproportionately affect children. sradovich on DSK3GMQ082PROD with RULES2 J. Indian Tribal Governments This rule does not have tribal implications under E.O. 13175 (‘‘Consultation and Coordination with Indian Tribal Governments’’), because it would not have a substantial direct effect on one or more Indian tribes, on the relationship between the Federal Government and Indian tribes, or on the distribution of power and responsibilities between the Federal Government and Indian tribes. VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 K. Energy Effects We have analyzed this rule under E.O. 13211 (‘‘Actions Concerning Regulations That Significantly Affect Energy Supply, Distribution, or Use’’). We have determined that it is not a ‘‘significant energy action’’ under E.O. 13211, because although it is a ‘‘significant regulatory action’’ under E.O. 12866, it is not likely to have a significant adverse effect on the supply, distribution, or use of energy, and the Administrator of OMB’s Office of Information and Regulatory Affairs has not designated it as a significant energy action. L. Technical Standards The National Technology Transfer and Advancement Act (NTTAA), codified as a note to 15 U.S.C. 272, directs agencies to use voluntary consensus standards in their regulatory activities unless the agency provides Congress, through OMB, with an explanation of why using these standards would be inconsistent with applicable law or otherwise impractical. Voluntary consensus standards are technical standards (e.g., specifications of materials, performance, design, or operation; test methods; sampling procedures; and related management systems practices) that are developed or adopted by voluntary consensus standards bodies. This final rule does not use technical standards. Therefore, we did not consider the use of voluntary consensus standards. The Federal government is constantly working on improving electronic TWIC inspection standards. Under NTTAA and OMB Circular A–119, NIST is tasked with the role of encouraging and coordinating Federal agency use of voluntary consensus standards and participation in the development of relevant standards, as well as promoting coordination between the public and private sectors in the development of standards and in conformity assessment activities. NIST and TSA have established the QTL and the associated standards for identity and privilege credential products, to be managed by TSA. NIST continues to assist TSA with the development of testing suites for qualifying products in conformity to specified standards and TSA specifications. M. Environment We have analyzed this rule under Department of Homeland Security Management Directive 023–01 and Commandant Instruction M16475.lD, which guide the Coast Guard in PO 00000 Frm 00057 Fmt 4701 Sfmt 4700 57707 complying with the National Environmental Policy Act of 1969, 42 U.S.C. 4321–4370f, and have concluded that this action is not likely to have a significant effect on the human environment. A Final Programmatic Environmental Assessment and a final Finding of No Significant Impact are available in the docket for this rulemaking. Our analysis indicates that electronic TWIC inspection operations will have insignificant direct, indirect or cumulative impacts on environmental resources, with special attention to potential air quality issues. List of Subjects 33 CFR Parts 101 and 103 Harbors, Incorporation by reference, Maritime security, Reporting and recordkeeping requirements, Security measures, Vessels, Waterways. 33 CFR Part 104 Maritime security, Reporting and recordkeeping requirements, Security measures, Vessels. 33 CFR Part 105 Maritime security, Reporting and recordkeeping requirements, Security measures. 33 CFR Part 106 Continental shelf, Maritime security, Reporting and recordkeeping requirements, Security measures. For the reasons discussed in the preamble, the Coast Guard amends 33 CFR parts 101, 103, 104, 105, and 106 as follows: PART 101—MARITIME SECURITY: GENERAL 1. The authority citation for part 101 continues to read as follows: ■ Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 U.S.C. 191, 192; Executive Order 12656, 3 CFR 1988 Comp., p. 585; 33 CFR 1.05–1, 6.04–11, 6.14, 6.16, and 6.19; Department of Homeland Security Delegation No. 0170.1. 2. Amend § 101.105 as follows: a. Add the definitions, in alphabetical order, of ‘‘biometric match’’; ‘‘Canceled Card List (CCL)’’; ‘‘Card Holder Unique Identifier (CHUID)’’; ‘‘card validity check’’; ‘‘Designated Recurring Access Area (DRAA)’’; ‘‘electronic TWIC inspection’’; ‘‘identity verification’’; ‘‘Mobile Offshore Drilling Unit (MODU)’’; ‘‘Non-TWIC visual identity verification;’’ ‘‘Offshore Supply Vessel (OSV)’’; ‘‘Physical Access Control System (PACS)’’; ‘‘Qualified Reader’’; ‘‘Risk Group’’; ‘‘Transparent Reader’’; ‘‘TWIC reader’’; and ‘‘visual TWIC inspection’’; and ■ ■ E:\FR\FM\23AUR2.SGM 23AUR2 57708 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations b. Revise the definitions of ‘‘bulk or in bulk’’; ‘‘recurring unescorted access’’; and ‘‘TWIC Program’’. The revisions and additions read as follows: ■ § 101.105 Definitions. sradovich on DSK3GMQ082PROD with RULES2 * * * * * Biometric match means a confirmation that: One of the two biometric templates stored in the Transportation Worker Identification Credential (TWIC) matches the scanned biometric template of the person presenting the TWIC; or the alternate biometric stored in a Physical Access Control System (PACS) matches the corresponding biometric of the person. * * * * * Bulk or in bulk means a commodity that is loaded or carried without containers or labels, and that is received and handled without mark or count. This includes cargo transferred using hoses, conveyors, or vacuum systems. * * * * * Canceled Card List (CCL) is a list of Federal Agency Smart CredentialNumbers (FASC-Ns) that have been invalidated or revoked because TSA has determined that the TWIC-holder may pose a security threat, or the card has been reported lost, stolen, or damaged. * * * * * Card Holder Unique Identifier (CHUID) means the standardized data object comprised of the FASC–N, globally unique identifier, expiration date, and certificate used to validate the data integrity of other data objects on the credential. Card validity check means electronic verification that the TWIC has not been invalidated or revoked by checking the TWIC against the TSA-supplied list of cancelled TWICs or, for vessels and facilities not in Risk Group A, by verifying that the expiration date on the face of the TWIC has not passed. * * * * * Designated Recurring Access Area (DRAA) means an area designated under § 101.555 where persons are permitted recurring access to a secure area of a vessel or facility. * * * * * Electronic TWIC inspection means the process by which the TWIC is authenticated, validated, and the individual presenting the TWIC is matched to the stored biometric template. * * * * * Identity verification means the process by which an individual presenting a TWIC is verified as the owner of the TWIC. * * * * * VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 Mobile Offshore Drilling Unit (MODU) means the same as defined in 33 CFR 140.10. * * * * * Non-TWIC visual identity verification means the process by which an individual who is known to have been granted unescorted access to a secure area on a vessel or facility is matched to the picture on the facility’s PACS card or a government-issued identification card. * * * * * Offshore Supply Vessel (OSV) means the same as defined in 46 CFR 125.160. * * * * * Physical Access Control System (PACS) means a system that includes devices, personnel, and policies, that controls access to and within a facility or vessel. * * * * * Qualified Reader means an electronic device listed on TSA’s Qualified Technology List that is capable of reading a TWIC. Recurring unescorted access refers to special access procedures within a DRAA where a person may enter a secure area without passing an electronic TWIC inspection prior to each entry into the secure area. * * * * * Risk Group means the risk ranking assigned to a vessel, facility, or OCS facility according to §§ 104.263, 105.253, or 106.258 of this subchapter, for the purpose of TWIC requirements in this subchapter. * * * * * Transparent Reader means a device capable of reading the information from a TWIC or individual seeking access and transmitting it to a system capable of conducting electronic TWIC inspection. * * * * * TWIC Program means those procedures and systems that a vessel, facility, or outer continental shelf (OCS) facility must implement in order to assess and validate TWICs when maintaining access control. TWIC reader means a device capable of conducting an electronic TWIC inspection. * * * * * Visual TWIC inspection means the process by which the TWIC is authenticated, validated, and the individual presenting the TWIC is matched to the photograph on the face of the TWIC. * * * * * ■ 3. Add § 101.112 to read as follows: § 101.112 Federalism. (a) The regulations in 33 CFR parts 101, 103, 104, and 106 have preemptive PO 00000 Frm 00058 Fmt 4701 Sfmt 4700 effect over State or local regulation within the same field. (b) The regulations in 33 CFR part 105 have preemptive effect over State or local regulations insofar as a State or local law or regulation applicable to the facilities covered by part 105 would conflict with the regulations in part 105, either by actually conflicting or by frustrating an overriding Federal need for uniformity. § 101.514 [Amended] 4. Amend § 101.514 as follows: a. In paragraph (b), remove the word ‘‘federal’’ and add, in its place, the word ‘‘Federal’’; and ■ b. In paragraph (d), remove the word ‘‘State,’’ and add, in its place, the word ‘‘State’’. ■ 5. Amend § 101.515 as follows: ■ a. In paragraph (a), remove the words ‘‘of this part shall be required to’’ and add, in their place, the words ‘‘must’’; ■ b. In paragraph (b)(1), remove the words ‘‘of behalf’’ and add, in their place, the words ‘‘on behalf’’; ■ c. In paragraph (c), remove the words ‘‘of this part’’; and ■ d. Revise paragraph (d)(2). The revision reads as follows: ■ ■ § 101.515 TWIC/Personal Identification. * * * * * (d)* * * (2) Each person who has been issued or possesses a TWIC must pass an electronic TWIC inspection, and must submit his or her reference biometric, such as a fingerprint, and any other required information, such as a Personal Identification Number, upon a request from TSA, the Coast Guard, any other authorized DHS representative, or a Federal, State, or local law enforcement officer. ■ 6. Add § 101.520 to subpart E to read as follows: § 101.520 Electronic TWIC inspection. To conduct electronic TWIC inspection, the owner or operator of a vessel or facility must ensure the following actions are performed. (a) Card authentication. The TWIC must be authenticated by performing a challenge/response protocol using the Certificate for Card Authentication (CCA) and the associated card authentication private key stored in the TWIC. (b) Card validity check. The TWIC must be checked to ensure the TWIC has not expired and against TSA’s list of cancelled TWICs, and no match on the list may be found. (c) Identity verification. (1) One of the biometric templates stored in the TWIC must be matched to the TWIC-holder’s E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations live sample biometric or, by matching to the PACS enrolled reference biometrics linked to the FASC–N of the TWIC; or (2) If an individual is unable to provide a valid live sample biometric, the TWIC-holder must enter a Personal Identification Number (PIN) and pass a visual TWIC inspection. ■ 7. Add § 101.525 to subpart E to read as follows: § 101.525 TSA list of cancelled TWICs. (a) At Maritime Security (MARSEC) Level 1, the card validity check must be conducted using information from the TSA that is no more than 7 days old. (b) At MARSEC Level 2, the card validity check must be conducted using information from the TSA that is no more than 1 day old. (c) At MARSEC Level 3, the card validity check must be conducted using information from the TSA that is no more than 1 day old. (d) The list of cancelled TWICs used to conduct the card validity check must be updated within 12 hours of any increase in MARSEC level, no matter when the information was last updated. (e) Only the most recently obtained list of cancelled TWICs must be used to conduct card validity checks. ■ 8. Add § 101.530 to subpart E to read as follows: sradovich on DSK3GMQ082PROD with RULES2 § 101.530 Group A. PACS requirements for Risk This section lays out requirements for a Physical Access Control System (PACS) that may be used to meet electronic TWIC inspection requirements. (a) A PACS may use a TWIC directly to perform electronic TWIC inspection; (b) Each PACS card issued to an individual must be linked to that individual’s TWIC, and the PACS must contain the following information from each linked TWIC: (1) The name of the TWIC-holder holder as represented in the Printed Information container of the TWIC. (2) The TWIC-signed CHUID (with digital signature and expiration date). (3) The TWIC resident biometric template. (4) The TWIC digital facial image. (5) The PACS Personal Identification Number (PIN). (c) When first linked, a one-time electronic TWIC inspection must be performed, and the TWIC must be verified as authentic, valid, and biometrically matched to the individual presenting the TWIC. (d) Each time the PACS card is used to gain access to a secure area, the PACS must— (1) Conduct identity verification by: VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 (i) Conducting a biometric scan, and match the result with the biometric template stored in the PACS that is linked to the TWIC, or (ii) Having the individual enter a stored PACS PIN and conducting a NonTWIC visual identity verification as defined in § 101.105. (2) Conduct a card validity check; and (3) Maintain records in accordance with §§ 104.235(g) or 105.225(g) of this subchapter, as appropriate. ■ 9. Add § 101.535 to subpart E to read as follows: § 101.535 Electronic TWIC inspection requirements for Risk Group A. Owners or operators of vessels or facilities subject to part 104 or 105 of this subchapter, that are assigned to Risk Group A in §§ 104.263 or 105.253 of this subchapter, must ensure that a Transportation Worker Identification Credential (TWIC) Program is implemented as follows: (a) Requirements for Risk Group A vessels. Prior to each boarding of the vessel, all persons who require access to a secure area of the vessel must pass an electronic TWIC inspection before being granted unescorted access to the vessel. (b) Requirements for Risk Group A facilities. Prior to each entry into a secure area of the facility, all persons must pass an electronic TWIC inspection before being granted unescorted access to secure areas of the facility. (c) A Physical Access Control System that meets the requirements of § 101.530 may be used to meet the requirements of this section. (d) The requirements of this section do not apply under certain situations described in §§ 101.550 or 101.555. (e) Emergency access to secure areas, including access by law enforcement and emergency responders, does not require electronic TWIC inspection. ■ 10. Add § 101.540 to subpart E to read as follows: § 101.540 Electronic TWIC inspection requirements for vessels, facilities, and OCS facilities not in Risk Group A. A vessel or facility not in Risk Group A may use the electronic TWIC inspection requirements of § 101.535 in lieu of visual TWIC inspection. If electronic TWIC inspection is used, the recordkeeping requirements of §§ 104.235(b)(9) and (c) of this subchapter, or 105.225(b)(9) and (c) of this subchapter, as appropriate, apply. § 101.545 ■ [Added and Reserved] 11. Add reserved § 101.545 to subpart E. PO 00000 Frm 00059 Fmt 4701 Sfmt 4700 57709 12. Add § 101.550 to subpart E to read as follows: ■ § 101.550 TWIC inspection requirements in special circumstances. Owners or operators of any vessel, facility, or Outer Continental Shelf (OCS) facility subject to part 104, 105, or 106 of this subchapter must ensure that a Transportation Worker Identification Credential (TWIC) Program is implemented as follows: (a) Lost, damaged, stolen, or expired TWIC. If an individual cannot present a TWIC because it has been lost, damaged, stolen, or expired, and the individual previously has been granted unescorted access to secure areas and is known to have had a TWIC, the individual may be granted unescorted access to secure areas for a period of no longer than 30 consecutive calendar days if— (1) The individual provides proof that he or she has reported the TWIC as lost, damaged, or stolen to the Transportation Security Administration (TSA) as required in 49 CFR 1572.19(f), or the individual provides proof that he or she has applied for the renewal of an expired TWIC; (2) The individual can present another identification credential that meets the requirements of § 101.515; and (3) There are no other suspicious circumstances associated with the individual’s claim that the TWIC was lost, damaged, or stolen. (b) TWIC on the Canceled Card List. In the event an individual reports his or her TWIC as lost, damaged, or stolen, and that TWIC is then placed on the Canceled Card List, the individual may be granted unescorted access by a Physical Access Control System (PACS) that meets the requirements of § 101.530 for a period of no longer than 30 days. The individual must be known to have had a TWIC, and known to have reported the TWIC as lost, damaged, or stolen to TSA. (c) Special requirements for Risk Group A vessels and facilities. If a TWIC reader or a PACS cannot read an individual’s biometric templates due to poor biometric quality or no biometrics enrolled, the owner or operator may grant the individual unescorted access to secure areas based on either of the following secondary authentication procedures: (1) The owner or operator must conduct a visual TWIC inspection and require the individual to correctly submit his or her TWIC Personal Identification Number. (2) [Reserved] (d) If an individual cannot present a TWIC for any reason other than those E:\FR\FM\23AUR2.SGM 23AUR2 57710 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations outlined in paragraphs (a) or (b) of this section, the vessel or facility operator may not grant the individual unescorted access to secure areas. The individual must be under escort at all times while in the secure area. (e) With the exception of individuals granted access according to paragraphs (a) or (b) of this section, all individuals granted unescorted access to secure areas of a vessel, facility, or OCS facility must be able to produce their TWICs upon request from the TSA, the Coast Guard, another authorized Department of Homeland Security representative, or a Federal, State, or local law enforcement officer. (f) There must be disciplinary measures in place to prevent fraud and abuse. (g) Owners or operators must establish the frequency of the application of any security measures for access control in their approved security plans, particularly if these security measures are applied on a random or occasional basis. (h) The vessel, facility, or OCS facility operator should coordinate the TWIC Program, when practical, with identification and TWIC access control measures of other entities that interface with the vessel, facility, or OCS facility. ■ 13. Add § 101.555 to subpart E to read as follows: sradovich on DSK3GMQ082PROD with RULES2 § 101.555 Recurring Unescorted Access for Risk Group A vessels and facilities. 19:12 Aug 22, 2016 Jkt 238001 PART 103—MARITIME SECURITY: AREA MARITIME SECURITY 14. The authority citation for part 103 continues to read as follows: ■ Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. 70102, 70103, 70104, 70112; 50 U.S.C. 191; 33 CFR 1.05–1, 6.04–11, 6.14, 6.16, and 6.19; Department of Homeland Security Delegation No. 0170.1. § 103.505 [Amended] 15. Amend § 103.505(f) by removing the words ‘‘(e.g., TWIC)’’. ■ PART 104—MARITIME SECURITY: VESSELS 16. The authority citation for part 104 continues to read as follows: ■ This section describes how designated TWIC-holders may access certain secure areas on Risk Group A vessels and facilities on a continual and repeated basis without undergoing repeated electronic TWIC inspections. (a) An individual may enter a secure area on a vessel or facility without undergoing an electronic TWIC inspection under the following conditions: (1) Access is through a Designated Recurring Access Area (DRAA), designated under an approved Vessel, Facility, or Joint Vessel-Facility Security Plan. (2) The entire DRAA is continuously monitored by security personnel at the access points to secure areas used by personnel seeking Recurring Unescorted Access. (3) The individual possesses a valid TWIC. (4) The individual has passed an electronic TWIC inspection within each shift and in the presence of the on-scene security personnel. (5) The individual passes an additional electronic TWIC inspection prior to being granted unescorted access to a secure area if he or she enters an VerDate Sep<11>2014 unsecured area outside the DRAA and then returns. (b) The following requirements apply to a DRAA: (1) It must consist of an unsecured area where personnel will be moving into an adjacent secure area repeatedly. (2) The entire DRAA must be visible to security personnel. (3) During operation as a DRAA, there must be security personnel present at all times. (c) An area may operate as a DRAA at certain times, and during other times, access to secure areas may be obtained through the procedures in § 101.535. (d) Personnel may enter the secure areas adjacent to a DRAA at any time using the procedures in § 101.535. Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 U.S.C. 191; 33 CFR 1.05–1, 6.04–11, 6.14, 6.16, and 6.19; Department of Homeland Security Delegation No. 0170.1. § 104.105 [Amended] 17. Amend § 104.105(d) by removing the words ‘‘this part’’ and adding, in their place, the words ‘‘parts 101 and 104 of this subchapter’’. ■ 18. Add § 104.110(c) to read as follows: ■ § 104.110 Exemptions. * * * * * (c) Vessels with a minimum manning requirement of 20 or fewer TWICholding crewmembers are exempt from the requirements in 33 CFR 101.535(a)(1). ■ 19. Amend § 104.115 as follows: ■ a. Revise paragraph (c); and ■ b. Remove paragraph (d). The revision reads as follows: § 104.115 Compliance. * * * * * (c) By August 23, 2018, owners and operators of vessels subject to this part must amend their Vessel Security Plans PO 00000 Frm 00060 Fmt 4701 Sfmt 4700 to indicate how they will implement the TWIC requirements in this subchapter. By August 23, 2018, owners and operators of vessels subject to this part must operate in accordance with the TWIC provisions found within this subchapter. § 104.120 [Amended] 20. Amend § 104.120(a) introductory text by removing the words ‘‘, on or before July 1, 2004,’’. ■ § 104.200 [Amended] 21. Amend § 104.200 as follows: a. In paragraph (b)(12) introductory text, remove the word ‘‘part’’ and add, in its place, the word ‘‘subchapter’’; and ■ b. In paragraph (b)(14), remove the words ‘‘§ 104.265(c) of this part’’ and add, in their place, the words ‘‘§ 101.550(a) of this subchapter’’. ■ ■ § 104.215 [Amended] 22. Amend § 104.215 as follows: a. In paragraph (b)(5), remove the second use of the word ‘‘and’’; ■ b. In paragraph (b)(6), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; and’’; and ■ c. In paragraph (b)(7), after the word ‘‘TWIC’’, add the symbol ‘‘.’’. ■ 23. Amend § 104.235 as follows: ■ a. In paragraph (b)(7), remove the second use of the word ‘‘and’’; ■ b. In paragraph (b)(8), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; and’’; ■ c. Add paragraph (b)(9); and ■ d. Revise paragraph (c). The addition and revision read as follows: ■ ■ § 104.235 Vessel recordkeeping requirements. * * * * * (b) * * * (9) Electronic Reader/Physical Access Control System (PACS). For each individual granted unescorted access to a secure area, the: FASC–N; date and time that unescorted access was granted; and, if captured, the individual’s name. Additionally, documentation to demonstrate that the owner or operator has updated the Canceled Card List with the frequency required in § 101.525 of this subchapter. (c) Any records required by this part must be protected from unauthorized access or disclosure. TWIC reader records and similar records in a PACS are sensitive security information and must be protected in accordance with 49 CFR part 1520. § 104.260 [Amended] 24. Amend § 104.260(b) by removing the word ‘‘shall’’ wherever it appears ■ E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations and adding in its place the word ‘‘must’’. ■ 25. Add § 104.263 to read as follows: § 104.263 vessels. Risk Group classifications for (a) For purposes of the Transportation Worker Identification Credential requirements of this subchapter, the following vessels subject to this part are in Risk Group A: (1) Vessels that carry Certain Dangerous Cargoes in bulk. (2) Vessels certificated to carry more than 1,000 passengers. (3) Any vessel engaged in towing a vessel subject to paragraph (a)(1) or (a)(2) of this section. (b) Vessels may move from one Risk Group classification to another, based on the cargo they are carrying or handling at any given time. An owner or operator expecting a vessel to move between Risk Groups must explain, in the Vessel Security Plan, the timing of such movements, as well as how the vessel will move between the requirements of the higher and lower Risk Groups, with particular attention to the security measures to be taken moving from a lower Risk Group to a higher Risk Group. ■ 26. Amend § 104.265 as follows: ■ a. Revise paragraph (a)(4); ■ b. Remove paragraphs (c) and (d); ■ c. Redesignate paragraphs (e) through (h) as (c) through (f), respectively; ■ d. Revise newly redesignated paragraph (d)(1); ■ e. In newly redesignated paragraph (e)(6), remove the word ‘‘and’’; ■ f. In newly redesignated paragraph (e)(7), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; or’’; ■ g. Add paragraph (e)(8); ■ h. In newly redesignated paragraph (f)(9), remove the word ‘‘or’’; ■ i. In newly redesignated paragraph (f)(10), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; or’’; and ■ j. Add paragraph (f)(11). The revisions and additions read as follows: sradovich on DSK3GMQ082PROD with RULES2 § 104.265 control. Security measures for access (a) * * * (4) Prevent an unescorted individual from entering an area of the vessel that is designated as a secure area unless the individual holds a duly issued TWIC and is authorized to be in the area. Individuals seeking unescorted access to a secure area on a vessel in Risk Group A must pass electronic TWIC inspection and those seeking unescorted access to a secure area on a vessel not in Risk Group A must pass either electronic VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 TWIC inspection or visual TWIC inspection. * * * * * (d) * * * (1) Implement a TWIC Program as set out in subpart E of part 101 of this subchapter, as applicable, and in accordance with the vessel’s assigned Risk Group, as set out in § 104.263; * * * * * (e) * * * (8) Implementing additional electronic TWIC inspection requirements, as required by § 104.263, and by subpart E of part 101 of this subchapter, if relevant. * * * * * (f) * * * (11) Implementing additional electronic TWIC inspection requirements, as required by § 104.263, and by subchapter E of part 101 of this subchapter, if relevant. § 104.267 [Amended] 27. Amend § 104.267(a) by removing the last sentence. ■ § 104.292 [Amended] 28. Amend § 104.292 as follows: a. In paragraph (b) introductory text, remove the words ‘‘§ 104.265(f)(2), (f)(4), and (f)(9)’’ and add, in their place, the words ‘‘§ 104.265(d)(2), (d)(4), and (d)(9)’’, and remove the symbol ‘‘:’’ and add, in its place, the symbol ‘‘—’’; ■ b. In paragraph (e)(3), remove the words ‘‘§ 104.265(f)(4) and (g)(1)’’ and add, in their place, the words ‘‘§ 104.265(d)(4) and (e)(1)’’; and ■ c. In paragraph (f), remove the words ‘‘§ 104.265(f)(4) and (h)(1)’’, and add, in their place, the words ‘‘§ 104.265(d)(4) and (f)(1)’’. ■ 29. Amend § 104.405 as follows: ■ a. Revise paragraph (a)(10); and ■ b. In paragraph (b), remove the last sentence. The revision reads as follows: ■ ■ § 104.405 Format of the Vessel Security Plan (VSP). (a) * * * (10) Security measures for access control, including the vessel’s TWIC Program, designated passenger access areas and employee access areas; * * * * * § 104.410 [Amended] 30. Amend § 104.410 as follows: a. In paragraph (a) introductory text, remove the words ‘‘on or before December 31, 2003,’’, and remove the symbol ‘‘:’’ and add, in its place, the symbol ‘‘—’’; ■ b. In paragraph (b), remove the words ‘‘or by December 31, 2003, whichever is later’’; and ■ ■ PO 00000 Frm 00061 Fmt 4701 Sfmt 4700 57711 c. In paragraph (c) introductory text, remove the symbol ‘‘:’’ and add, in its place, the symbol ‘‘—’’. ■ PART 105—MARITIME SECURITY: FACILITIES 31. The authority citation for part 105 continues to read as follows: ■ Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. 70103; 50 U.S.C. 191; 33 CFR 1.05–1, 6.04– 11, 6.14, 6.16, and 6.19; Department of Homeland Security Delegation No. 0170.1. 32. Revise § 105.110 to read as follows: ■ § 105.110 Exemptions. (a) A public access area designated under § 105.106 is exempt from the requirements for screening of persons, baggage, and personal effects and identification of persons in subpart E of part 101 of this subchapter, as applicable, in §§ 105.255 and § 105.285(a)(1). (b) An owner or operator of any general shipyard facility as defined in § 101.105 of this subchapter is exempt from the requirements of this part unless the facility— (1) Is subject to parts 126, 127, or 154 of this chapter; or (2) Provides any other service to vessels subject to part 104 of this subchapter not related to construction, repair, rehabilitation, refurbishment, or rebuilding. (c) Public access facility. (1) The COTP may exempt a public access facility from the requirements of this part, including establishing conditions for which such an exemption is granted, to ensure that adequate security is maintained. (2) The owner or operator of any public access facility exempted under this section must— (i) Comply with any COTP conditions for the exemption; and (ii) Ensure that the cognizant COTP has the appropriate information for contacting the individual with security responsibilities for the public access facility at all times. (3) The cognizant COTP may withdraw the exemption for a public access facility at any time the owner or operator fails to comply with any requirement of the COTP as a condition of the exemption or any measure ordered by the COTP pursuant to existing COTP authority. (d) An owner or operator of a facility is not subject to this part if the facility receives only vessels to be laid-up, dismantled, or otherwise placed out of commission provided that the vessels are not carrying and do not receive cargo or passengers at that facility. E:\FR\FM\23AUR2.SGM 23AUR2 57712 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations (e) Barge fleeting facilities without shore side access are exempt from the requirements in 33 CFR 101.535(b)(1). ■ 33. Revise § 105.115 to read as follows: § 105.115 c. Add paragraph (b)(9); and d. Revise paragraph (c). The addition and revision read as follows: ■ ■ § 105.225 Facility recordkeeping requirements. Compliance dates. (a) Facility owners or operators must submit to the cognizant Captain of the Port (COTP) for each facility— (1) The Facility Security Plan (FSP) described in subpart D of this part for review and approval; or (2) If intending to operate under an approved Alternative Security Program, a letter signed by the facility owner or operator stating which approved Alternative Security Program the owner or operator intends to use. (b) Facility owners or operators wishing to designate only those portions of their facility that are directly connected to maritime transportation or are at risk of being involved in a transportation security incident as their secure area(s) must do so by submitting an amendment to their FSP to their cognizant COTP, in accordance with § 105.415. (c) By August 23, 2018, owners and operators of facilities subject to this part must amend their FSPs to indicate how they will implement the TWIC requirements in this subchapter. By August 23, 2018, owners and operators of facilities subject to this part must be operating in accordance with the TWIC provisions found within this subchapter. § 105.120 [Amended] 34. Amend the introductory text of § 105.120 by removing the words ‘‘, on or before July 1, 2004,’’. ■ § 105.200 [Amended] 35. Amend § 105.200 as follows: a. In paragraph (b) introductory text, remove the symbol ‘‘:’’ and add, in its place, the symbol ‘‘—’’; ■ b. In paragraph (b)(6), remove the word ‘‘program’’ and add, in its place, the word ‘‘Program’’, and remove the word ‘‘part’’ and add, in its place, the word ‘‘subchapter’’, and remove the symbol ‘‘:’’ and add, in its place, the symbol ‘‘—’’; ■ c. In paragraph (b)(15), remove the words ‘‘section 105.255(c) of this part’’ and add, in their place, the words ‘‘§ 101.550 of this subchapter’’; and ■ d. In paragraph (b)(16), remove the words ‘‘of this part’’. ■ 36. Amend § 105.225 as follows: ■ a. In paragraph (b)(7), remove the second use of the word ‘‘and’’; ■ b. In paragraph (b)(8), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; and’’; sradovich on DSK3GMQ082PROD with RULES2 ■ ■ VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 * * * * * (b) * * * (9) TWIC Reader/Physical Access Control System (PACS). For each individual granted unescorted access to a secure area, the: FASC–N; date and time that unescorted access was granted; and, if captured, the individual’s name. Additionally, documentation to demonstrate that the owner or operator has updated the Canceled Card List with the frequency required in § 101.525 of this subchapter. (c) Any record required by this part must be protected from unauthorized access or disclosure. Electronic reader records and similar records in a PACS are sensitive security information and must be protected in accordance with 49 CFR part 1520. ■ 37. Add § 105.253 to read as follows: § 105.253 facilities. Risk Group classifications for (a) For purposes of the Transportation Worker Identification Credential (TWIC) requirements of this subchapter, the following facilities subject to this part are in Risk Group A: (1) Facilities that handle Certain Dangerous Cargoes (CDC) in bulk or receive vessels carrying CDC in bulk. (2) Facilities that receive vessels certificated to carry more than 1,000 passengers. (b) Facilities may move from one Risk Group classification to another, based on the material they handle or the types of vessels they receive at any given time. An owner or operator of a facility expected to move between Risk Groups must explain, in the Facility Security Plan, the timing of such movements, as well as how the facility will move between the requirements of the higher and lower Risk Groups, with particular attention to the security measures to be taken when moving from a lower Risk Group to a higher Risk Group. ■ 38. Amend § 105.255 as follows: ■ a. Revise paragraph (a)(4); ■ b. Remove paragraphs (c) and (d); ■ c. Redesignate paragraphs (e) through (h) as (c) through (f), respectively; ■ d. Revise newly redesignated paragraph (d)(1); ■ e. In newly redesignated paragraph (d)(4) introductory text, remove the word ‘‘shall’’ and add, in its place, the word ‘‘must’’; ■ f. In newly redesignated paragraph (d)(4)(vi), remove the words ‘‘paragraph PO 00000 Frm 00062 Fmt 4701 Sfmt 4700 (d) of this section’’ and add, in their place, the words ‘‘subpart E of part 101 of this subchapter’’; ■ g. In newly redesignated paragraph (e)(6), remove the word ‘‘or’’; ■ h. In newly redesignated paragraph (e)(7), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; or’’; ■ i. Add paragraph (e)(8); ■ j. In newly redesignated paragraph (f)(8), remove the word ‘‘or’’; ■ k. In newly redesignated paragraph (f)(9), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; or’’; and ■ l. Add paragraph (f)(10). The revisions and additions read as follows: § 105.255 control. Security measures for access (a) * * * (4) Prevent an unescorted individual from entering an area of the facility that is designated as a secure area unless the individual holds a duly issued TWIC and is authorized to be in the area. Individuals seeking unescorted access to a secure area in a facility in Risk Group A must pass electronic TWIC inspection and those seeking unescorted access to a secure area in a facility not in Risk Group A must pass either electronic TWIC inspection or visual TWIC inspection. * * * * * (d) * * * (1) Implement a TWIC Program as set out in subpart E of part 101 of this subchapter, as applicable, and in accordance with the facility’s assigned Risk Group, as set out in § 105.253. * * * * * (e) * * * (8) Implementing additional electronic TWIC inspection requirements, as required by § 105.253, and by subpart E of part 101 of this subchapter, if relevant. * * * * * (f) * * * (10) Implementing additional electronic TWIC inspection requirements, as required by § 105.253, and by subchapter E of part 101 of this subchapter, if relevant. § 105.257 [Amended] 39. Amend § 105.257(a) by removing the last sentence. ■ § 105.290 [Amended] 40. Amend § 105.290(b) by removing the word ‘‘shall’’ and adding, in its place, the word ‘‘must’’, and by removing the words ‘‘this part’’ and adding, in their place, the words ‘‘subpart E of part 101 of this subchapter’’. ■ E:\FR\FM\23AUR2.SGM 23AUR2 Federal Register / Vol. 81, No. 163 / Tuesday, August 23, 2016 / Rules and Regulations § 105.296 [Amended] 41. Amend § 105.296(a)(4) by removing the words ‘‘§ 105.255 of this part’’ and adding, in their place, the words ‘‘subpart E of part 101 of this subchapter, as applicable, and in accordance with the facility’s assigned Risk Group, as described in § 105.253’’. ■ 42. Amend § 105.405 as follows: ■ a. Revise paragraph (a)(10); and ■ b. In paragraph (b), remove the last sentence. The revision reads as follows: ■ § 105.405 Format and content of the Facility Security Plan (FSP). (a) * * * (10) Security measures for access control, including the facility’s TWIC Program and designated public access areas; * * * * * § 105.410 [Amended] 43. Amend § 105.410 as follows: a. In paragraph (a) introductory text, remove the words ‘‘On or before December 31, 2003, the’’ and add, in their place, the word ‘‘The’’; and ■ b. In paragraph (b), remove the words ‘‘or by December 31, 2003, whichever is later’’. ■ ■ PART 106—MARINE SECURITY: OUTER CONTINENTAL SHELF (OCS) FACILITIES 44. The authority citation for part 106 continues to read as follows: ■ Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 U.S.C. 191; 33 CFR 1.05–1, 6.04–11, 6.14, 6.16, and 6.19; Department Of Homeland Security Delegation No. 0170.1. 45. Revise § 106.110 to read as follows: ■ § 106.110 Compliance dates. sradovich on DSK3GMQ082PROD with RULES2 (a) OCS facility owners or operators must submit to the cognizant District Commander for each OCS facility— (1) The Facility Security Plan described in subpart D of this part for review and approval; or (2) If intending to operate under an approved Alternative Security Program, a letter signed by the OCS facility owner or operator stating which approved VerDate Sep<11>2014 19:12 Aug 22, 2016 Jkt 238001 Alternative Security Program the owner or operator intends to use. (b) OCS facilities built on or after July 1, 2004 must submit a Facility Security Plan for approval 60 days prior to beginning operations. § 106.115 [Amended] 46. Amend the introductory text of § 106.115 by removing the words ‘‘before July 1, 2004,’’. ■ § 106.200 [Amended] 47. Amend § 106.200 as follows: a. In paragraph (b)(6) introductory text, remove the word ‘‘program’’ and add, in its place, the word ‘‘Program’’, and remove the word ‘‘part’’ and add, in its place, the word ‘‘subchapter’’; ■ b. In paragraph (b)(8), remove the word ‘‘Level’’ wherever it appears and add, in each place, the word ‘‘level’’; ■ c. In paragraph (b)(9), after the word ‘‘with’’, add the words ‘‘the requirements in’’; and ■ d. In paragraph (b)(12), remove the words ‘‘§ 106.260(c) of this part’’ and add, in their place, the words ‘‘§ 101.550 of this subchapter’’. ■ 48. Add § 106.258 to read as follows: ■ ■ § 106.258 Risk Group classification for OCS facilities. For the purposes of this subchapter, no OCS facilities are considered Risk Group A. ■ 49. Amend § 106.260 as follows: ■ a. Remove paragraphs (c) and (d); ■ b. Redesignate paragraphs (e) through (h) as (c) through (f), respectively; ■ c. Revise newly redesignated paragraph (d)(1); ■ d. In newly redesignated paragraph (e)(3), remove the word ‘‘or’’; ■ e. In newly redesignated paragraph (e)(4), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; or’’; ■ f. Add paragraph (e)(5); ■ g. In newly redesignated paragraph (f)(7), remove the word ‘‘or’’; ■ h. In newly redesignated paragraph (f)(8), remove the symbol ‘‘.’’ and add, in its place, the word ‘‘; or’’; and ■ i. Add paragraph (f)(9). The revisions and additions read as follows: PO 00000 Frm 00063 Fmt 4701 Sfmt 9990 § 106.260 control. 57713 Security measures for access * * * * * (d) * * * (1) Implement TWIC as set out in subpart E of part 101 of this subchapter and in accordance with the OCS facility’s assigned Risk Group, as set out in § 106.258. * * * * * (e) * * * (5) Implementing additional electronic TWIC inspection requirements, as required by § 106.258, and by subpart E of part 101 of this subchapter. (f) * * * (9) Implementing additional electronic TWIC inspection requirements, as required by § 106.258, and by subpart E of part 101 of this subchapter. § 106.262 [Amended] 50. Amend § 106.262(a) by removing the last sentence. ■ 51. Amend § 106.405 as follows: ■ a. Revise paragraph (a)(10); and ■ b. In paragraph (b), remove the last sentence. The revision reads as follows: ■ § 106.405 Format and content of the Facility Security Plan (FSP). (a) * * * (10) Security measures for access control, including the OCS facility’s TWIC Program; * * * * * § 106.410 [Amended] 52. Amend § 106.410 as follows: a. In paragraph (a) introductory text, remove the words ‘‘On or before December 31, 2003, the’’ and add, in their place, the word ‘‘The’’ and remove the symbol ‘‘:’’ and add, in its place, the symbol ‘‘—’’; and ■ b. In paragraph (b), remove the words ‘‘or by December 31, 2003, whichever is later’’. ■ ■ Dated: August 8, 2016. Paul F. Zukunft, Admiral, Commandant, U.S. Coast Guard. [FR Doc. 2016–19383 Filed 8–22–16; 8:45 am] BILLING CODE 9110–04–P E:\FR\FM\23AUR2.SGM 23AUR2

Agencies

[Federal Register Volume 81, Number 163 (Tuesday, August 23, 2016)]
[Rules and Regulations]
[Pages 57651-57713]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-19383]



[[Page 57651]]

Vol. 81

Tuesday,

No. 163

August 23, 2016

Part II





Department of Homeland Security





-----------------------------------------------------------------------





 Coast Guard





-----------------------------------------------------------------------





33 CFR Parts 101, 103, 104, et al.





Transportation Worker Identification Credential (TWIC)--Reader 
Requirements; Final Rule

Federal Register / Vol. 81 , No. 163 / Tuesday, August 23, 2016 / 
Rules and Regulations

[[Page 57652]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Coast Guard

33 CFR Parts 101, 103, 104, 105 and 106

[Docket No. USCG-2007-28915]
RIN 1625-AB21


Transportation Worker Identification Credential (TWIC)--Reader 
Requirements

AGENCY: Coast Guard, DHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Coast Guard is issuing a final rule to require owners and 
operators of certain vessels and facilities regulated by the Coast 
Guard to conduct electronic inspections of Transportation Worker 
Identification Credentials (TWICs) as an access control measure. This 
final rule also implements recordkeeping requirements and security plan 
amendments that would incorporate these TWIC requirements. The TWIC 
program, including the electronic inspection requirements in this final 
rule, is an important component of the Coast Guard's multi-layered 
system of access control requirements designed to enhance maritime 
security.
    This rulemaking action builds upon existing regulations designed to 
ensure that only individuals who hold a valid TWIC are granted 
unescorted access to secure areas of Coast Guard-regulated vessels and 
facilities. The Coast Guard and the Transportation Security 
Administration have already promulgated regulations pursuant to the 
Maritime Transportation Security Act that require mariners and other 
individuals to hold a TWIC prior to gaining unescorted access to a 
secure area. By requiring certain high-risk vessels and facilities to 
perform electronic TWIC inspections, this rule enhances security at 
those locations. This rule also implements the Security and 
Accountability For Every Port Act of 2006 electronic reader 
requirements.

DATES: This final rule is effective August 23, 2018.

ADDRESSES: Comments and materials received from the public, as well as 
documents mentioned in this preamble as being available in the docket, 
are part of docket USCG-2007-28915 and are available using the Federal 
eRulemaking Portal. You can find this docket on the Internet by going 
to http://www.regulations.gov, entering ``USCG-2007-28915'' and then 
clicking ``Search.''

FOR FURTHER INFORMATION CONTACT: For information about this document, 
call or email LCDR Kevin McDonald, Coast Guard; telephone 202-372-1168, 
email Kevin.J.Mcdonald2@uscg.mil.

SUPPLEMENTARY INFORMATION: 

Table of Contents for Preamble

I. Abbreviations
II. Regulatory History and Information
III. Executive Summary
    A. Basis and Purpose
    B. Summary of Costs and Benefits
IV. Background
V. Discussion of Comments and Changes to the Final Rule
    A. General Matters Relating to TWIC
    1. Purpose and Efficacy of the TWIC Program
    2. Risk Analysis Methodology
    B. Electronic TWIC Inspection
    1. Electronic TWIC Inspection Does Not Necessarily Require a 
TWIC Reader
    2. Integrating Electronic TWIC Inspection Into a PACS
    a. List of Acceptable TWIC Readers
    b. PIN Pads and Biometric Input Methods
    3. Comments Related to Troubleshooting TWIC
    a. Lost, Stolen, or Damaged TWIC
    i. Vessels and Facilities Using a PACS
    ii. Vessels and Facilities Using TWIC Readers
    b. Transportation Worker Forgets to Bring TWIC to Work Site
    c. Inaccessible Biometrics
    d. Malfunctioning Access Control Systems
    e. Requirements for Varying MARSEC Levels
    4. Recordkeeping Requirements
    C. When to Conduct Electronic TWIC Inspection
    1. Secure, Restricted, Public Access, Passenger Access, and 
Employee Access Areas
    a. ``Prior to Each Entry'' for Risk Group A Facilities
    b. Recurring Unescorted Access
    2. Risk Group A Vessels
    3. Risk Groups B and C
    4. Miscellaneous Questions Regarding the Locations of Electronic 
TWIC Inspection
    D. Determination of Risk Groups
    1. Risk Group A Facilities
    a. Alternative Security Programs
    b. Determining Risk Group A Facilities
    2. The Crewmember Exemption Does Not Apply to Facilities
    3. The Low Number of Crewmembers Exemption
    4. Calculating the Total Number of TWIC-holding Crewmembers
    5. Threshold for the Crewmember Exemption of Vessels
    6. Outer Continental Shelf Facilities
    7. Vessels and Facilities Not in Risk Group A
    8. Barge Fleeting Facilities
    9. Switching Risk Groups
    E. Responses to Economic Comments
    1. Costs of TWIC Readers
    2. Number of TWIC Readers at Vessels and Facilities
    3. Transaction Times
    4. Security Personnel
    5. Other Cost Comments
    6. Costs Exceeding Benefits, Cost-effectiveness, and Risk 
Reduction
    7. Cumulative Costs of Security-related Rulemakings
    8. Small Business Impact
    F. Other Issues
    1. The GAO Report and the TWIC Pilot Program
    2. Additional Comments
    a. General Comments on the TWIC Program
    b. Clarification of Specific Items
    c. Comments Outside the Scope of this Rulemaking
VI. Regulatory Analyses
    A. Regulatory Planning and Review
    B. Small Entities
    C. Assistance for Small Entities
    D. Collection of Information
    E. Federalism
    F. Unfunded Mandates Reform Act
    G. Taking of Private Property
    H. Civil Justice Reform
    I. Protection of Children
    J. Indian Tribal Governments
    K. Energy Effects
    L. Technical Standards
    M. Environment

I. Abbreviations

AHP--Analytical Hierarchy Process
ANPRM--Advanced Notice of Proposed Rulemaking
ASP--Alternative Security Program
CCA--Certificate for Card Authentication
CCL--Canceled Card List
CCTV--Closed-Circuit Television
CDC--Certain Dangerous Cargoes
CFR--Code of Federal Regulations
CHUID--Card Holder Unique Identifier
COI--Certificate of Inspection
DHS--Department of Homeland Security
DRAA--Designated Recurring Access Area
E.O.--Executive Order
FASC--N Federal Agency Smart Credential--Number
FR--Federal Register
FSP--Facility Security Plan
ICE--Initial Capability Evaluation
MARSEC--Maritime Security
MISLE--Marine Information for Safety and Law Enforcement
MSRAM--Maritime Security Risk Analysis Model
MTSA--Maritime Transportation Security Act of 2002
NIST--National Institute of Standards and Technology
NPRM--Notice of Proposed Rulemaking
NTTAA--National Technology Transfer and Advancement Act
NVIC--Navigation and Vessel Inspection Circular
OCS--Outer Continental Shelf
OMB--Office of Management and Budget
PAC--Policy Advisory Council
PACS--Physical Access Control System
PVA--Passenger Vessel Association
PII--Personal Identifying Information
PIN--Personal Identification Number
Pub. L.--Public Law
QTL--Qualified Technology List
RA--Regulatory Analysis
RUA--Recurring Unescorted Access
SAFE--Port Act Security and Accountability For Every Port Act of 
2006

[[Page 57653]]

SBA--Small Business Administration
SSI--Sensitive Security Information
TSA--Transportation Security Administration
TSAC--Towing Safety Advisory Committee
TSI--Transportation Security Incident
TWIC--Transportation Worker Identification Credential
U.S.C.--United States Code
VSP--Vessel Security Plan

II. Regulatory History and Information

    On May 22, 2006, the Coast Guard and the Transportation Security 
Administration (TSA) jointly published a Notice of Proposed Rulemaking 
(NPRM) entitled ``Transportation Worker Identification Credential 
(TWIC) Implementation in the Maritime Sector; Hazardous Materials 
Endorsement for a Commercial Driver's License.'' \1\ On January 25, 
2007, the Coast Guard and TSA published the final rule, also entitled 
``Transportation Worker Identification Credential (TWIC) Implementation 
in the Maritime Sector; Hazardous Materials Endorsement for a 
Commercial Driver's License.'' \2\
---------------------------------------------------------------------------

    \1\ 71 FR 29396.
    \2\ 72 FR 3492.
---------------------------------------------------------------------------

    Although the May 22, 2006 NPRM proposed certain TWIC reader 
requirements, after reviewing the public comments, the Coast Guard 
decided to remove the proposed TWIC reader requirements from the 
January 25, 2007 final rule, address them in a separate rulemaking, and 
conducted a pilot program to address the feasibility of reader 
requirements before issuing a final rule.\3\ For a detailed discussion 
of those public comments and Coast Guard responses, please refer to the 
January 25, 2007 final rule.\4\
---------------------------------------------------------------------------

    \3\ The TWIC Reader Pilot was established pursuant to Section 
104 of the Security and Accountability For Every Port Act of 2006 
(SAFE Port Act) (P.L. 109-347), which was codified at 46 U.S.C. 
70105 (k)(4).
    \4\ 72 FR 3511.
---------------------------------------------------------------------------

    On March 27, 2009, the Coast Guard published an Advanced Notice of 
Proposed Rulemaking (ANPRM) for this rulemaking.\5\ On March 22, 2013, 
the Coast Guard published the NPRM for this rulemaking.\6\ 
Additionally, we held four public meetings across the country in 2013.
---------------------------------------------------------------------------

    \5\ 74 FR 13360.
    \6\ 78 FR 17782.
---------------------------------------------------------------------------

III. Executive Summary

A. Basis and Purpose

    In accordance with the Maritime Transportation Security Act of 2002 
(MTSA) and the Security and Accountability For Every Port Act of 2006 
(SAFE Port Act), the Coast Guard is establishing rules requiring 
electronic readers for use at high-risk vessels and at facilities. 
These rules will ensure that prior to being granted unescorted access 
to a designated secure area, an individual will have his or her TWIC 
authenticated, the status of that credential validated against an up-
to-date list maintained by the TSA, and the individual's identity 
confirmed by comparing his or her biometric (i.e. fingerprint) with a 
biometric template stored on the credential. By promulgating these 
rules, the Coast Guard is complying with the statutory requirement in 
the SAFE Port Act, improving security at the highest risk maritime 
transportation-related vessels and facilities, and making full use of 
the electronic and biometric security features integrated into the TWIC 
and mandated by Congress in MTSA.
    The TWIC is currently being used as a visual identity badge on many 
vessels and facilities. Essentially, DHS requires that a security guard 
examines the security features (hologram and watermark) embedded on the 
surface of the credential, checks the expiration date listed on the 
card, and compares the photograph to the person presenting the 
credential. While this system of ``visual TWIC inspection'' provides 
some benefits, it does not address all security concerns, nor does it 
make full use of the security features contained in the TWIC. For 
example, if a TWIC is stolen or lost, an unauthorized individual could 
make use of the credential, and provided that individual resembles the 
picture on the TWIC, could gain access to a secure area. Additionally, 
if a TWIC is revoked because the individual has committed a 
disqualifying offense, such as the theft of explosives, there is no way 
for security officers on a vessel or at a facility to determine that 
fact from the face of the TWIC. Finally, a sophisticated adversary 
could forge a realistic replica of a credential. It is also worth 
noting that since a TWIC-holder is required to renew his or her 
credential every 5 years, the TWIC-holder's resemblance to the picture 
on the TWIC may decrease over time, rendering visual inspection a 
somewhat less accurate means to confirm identity. Through the process 
of ``electronic TWIC inspection,'' by which TWICs are authenticated, 
validated, and the individual's identity confirmed biometrically, all 
of these scenarios would be thwarted or mitigated.
    In this rulemaking process, the Coast Guard published an ANPRM, 
published an NPRM, hosted a series of public meetings around the 
country to solicit public input, and worked with the Transportation 
Security Administration to conduct a pilot program. As a result of this 
input, the Coast Guard made a number of changes and clarifications in 
this final rule that we believe provide a robust system that improves 
security, addresses industry, labor, and Congressional concerns, and 
clarifies numerous issues relating to the operational nature of the 
electronic TWIC inspection program. Primarily, this rule allows for an 
even more flexible implementation of the electronic TWIC inspection 
requirements than the proposed rule that will allow new systems to be 
integrated into existing security and access control systems. We 
believe that this flexibility will provide robust security without 
causing unnecessary costs or significantly disrupting business 
operations. A brief summary of the main changes from the proposed rule 
to the final rule follows.
     This final rule provides additional flexibility with 
regard to the purchase, installation, and use of electronic readers. 
Instead of requiring the use of a TWIC reader on the TSA's Qualified 
Technology List (QTL), owners and operators can choose to fully 
integrate electronic TWIC inspection and biometric matching into a new 
or existing Physical Access Control System (PACS).
     We clarify that this final rule only affects Risk Group A 
vessels and facilities, and that no changes to the existing business 
practices of other MTSA-regulated vessels and facilities are required.
     This final rule eliminates the distinction between Risk 
Groups B and C for both vessels and facilities. If and when a 
requirement for electronic TWIC inspection may be considered for MTSA-
regulated vessels and facilities not currently in Risk Group A, we will 
provide an updated analysis of the costs and benefits of such an action 
and define new Risk Groups accordingly.
     This final rule clarifies that for Risk Group A 
facilities, electronic TWIC inspection is required each time a person 
is granted unescorted access to a secure area (a limited exception is 
permitted for Recurring Unescorted Access, or RUA). For Risk Group A 
vessels, electronic TWIC inspection is only required when boarding the 
vessel, even if only parts of the vessel are considered secure areas.
     This final rule eliminates the special requirement that 
barge fleeting facilities that handle or receive barges carrying 
Certain Dangerous Cargoes (CDC) in bulk be classified as Risk Group A. 
Barge fleeting facilities are instead classified the same as all other 
facilities. This change will effectively eliminate most isolated barge 
facilities

[[Page 57654]]

from the electronic TWIC inspection requirements due to a lack of a 
secure area.
     This final rule increases the exemption from electronic 
TWIC inspection requirements to vessels with 20 or fewer TWIC-holding 
crewmembers and defines that number as the minimum manning requirement 
specified on a vessel's Certificate of Inspection.
     This final rule provides additional flexibility for 
ferries and other vessels that use dedicated terminals in Risk Group A 
to integrate their electronic TWIC inspection programs with their 
terminals' programs.

B. Summary of Costs and Benefits

    Of the approximately 13,825 vessels, 3,270 facilities, and 56 Outer 
Continental Shelf (OCS) facilities regulated by MTSA, this final rule 
impacts only certain ``Risk Group A'' vessels and facilities, which 
currently number 1 vessel \7\ and 525 facilities under the revised 
applicability definitions for the final rule. No OCS facilities are 
affected by this final rule. We estimate the annualized cost of this 
final rule to be approximately $22.5 million, while the 10-year cost is 
$157.9 million, discounted at 7 percent. The main cost drivers of this 
rule are the acquisition, installation, and integration of TWIC readers 
into access control systems. Annual costs will be driven by costs 
associated with updates of the list of cancelled TWICs, recordkeeping, 
training, system maintenance, and opportunity costs associated with 
failed TWIC reader transactions. The estimated annualized cost of this 
final rule discounted at 7 percent is approximately $5.1 million less 
than the estimated cost of the NPRM.
---------------------------------------------------------------------------

    \7\ We note that the number of vessels affected by the provision 
is low, as most ``Risk Group A'' vessels are exempt from the 
electronic TWIC inspection requirements due to a low crewmember 
count.
---------------------------------------------------------------------------

    The benefits of this final rule include the enhancement of the 
security of vessels, ports, and other facilities by ensuring that only 
individuals who hold TWICs are granted unescorted access to secure 
areas at those locations. The main benefit of this regulation, 
decreased risk of a Transportation Security Incident (TSI), cannot be 
quantified given current data limitations. We used a risk-based 
approach to apply these regulatory requirements to less than 5 percent 
of the MTSA-regulated population, which represents approximately 80 
percent of the potential consequences of a TSI. The provisions in this 
final rule target the highest risk entities while maximizing the net 
benefits of the rule.
    Table 1 provides the estimated costs and functional benefits 
associated with the requirements of the TWIC reader.

     Table 1--Estimated Costs and Functional Benefits of TWIC Reader
                              Requirements
------------------------------------------------------------------------
                Category                            Final Rule
------------------------------------------------------------------------
Applicability..........................  High-risk MTSA-regulated
                                          facilities and high risk MTSA-
                                          regulated vessels with greater
                                          than 20 TWIC-holding
                                          crewmembers.
Affected Population....................  1 vessel.
                                         525 facilities.
Costs ($ millions, 7% discount rate)...  $22.5 (annualized).
                                         $157.9 (10-year).
Costs (Qualitative)....................  Time to retrieve or replace
                                          lost PINs for use with TWICs.
Benefits (Qualitative).................  Enhanced access control and
                                          security at U.S. maritime
                                          facilities and on board U.S.-
                                          flagged vessels.
                                         Reduction of human error when
                                          checking identification and
                                          manning access points.
------------------------------------------------------------------------

    For a more detailed discussion of costs and benefits, see the full 
Final Regulatory Analysis and Final Regulatory Flexibility Analysis 
available in the online docket for this rulemaking. Appendix G of that 
document outlines the costs by provision and also discusses the 
complementary nature of the provisions.

IV. Background

    The MTSA provides a multi-layered approach to maritime security 
which includes measures to consider broader security issues at U.S. 
ports and waterways, the coastal zone, the open ocean, and foreign 
ports. Under this multi-layered system, the Coast Guard is authorized 
to regulate vessels and facilities, and owners and operators of MTSA-
regulated vessels or facilities are required to submit for Coast Guard 
approval a comprehensive security plan detailing the access control and 
other security policies and procedures implemented on each vessel and 
facility. Security plans must identify and mitigate vulnerabilities by 
detailing the following items: (1) Security organization of the vessel 
or facility; (2) personnel training; (3) drills and exercises; (4) 
records and documentation; (5) response to changes in Maritime Security 
(MARSEC) Level; (6) procedures for interfacing with other facilities 
and/or vessels; (7) Declarations of Security; (8) communications; (9) 
security systems and equipment maintenance; (10) security measures for 
access control; (11) security measures for restricted areas; (12) 
security measures for handling cargo; (13) security measures regarding 
vessel stores and bunkers; (14) security measures for monitoring; (15) 
security incident procedures; (16) audits and security plan amendments; 
(17) Security Assessment Reports and other security reports; and (18) 
TWIC procedures.\8\
---------------------------------------------------------------------------

    \8\ See 33 CFR 104.405 and 33 CFR 105.405.
---------------------------------------------------------------------------

    For the purposes of MTSA, the term ``facility'' means ``any 
structure or facility of any kind located in, on, under, or adjacent to 
any waters subject to the jurisdiction of the United States.'' \9\ For 
the purposes of MTSA, the term ``vessel'' includes ``every description 
of watercraft or other artificial contrivance used, or capable of being 
used, as a means of transportation on water.'' \10\ Coast Guard 
regulations implementing MTSA with respect to vessels \11\ apply to: 
Mobile Offshore Drilling Units, cargo vessels, or passenger vessels 
subject to the International Convention for Safety of Life at Sea, 1974 
(SOLAS), chapter XI-1 or Chapter XI-2; foreign cargo vessels greater 
than 100 gross register tons; generally, self-propelled U.S. cargo 
vessels greater than 100 gross tons; offshore supply vessels; vessels 
subject to the Coast Guard's regulations regarding passenger vessels; 
passenger

[[Page 57655]]

vessels certificated to carry more than 150 passengers; passenger 
vessels carrying more than 12 passengers engaged on an international 
voyage; barges carrying, in bulk, cargoes regulated under the Coast 
Guard's regulations regarding tank vessels or CDC; \12\ barges carrying 
CDC or cargo and miscellaneous vessels engaged on an international 
voyage; tank ships; and generally, towing vessels greater than 8 meters 
in register length engaged in towing barges.
---------------------------------------------------------------------------

    \9\ 46 U.S.C. 70101(2).
    \10\ 46 U.S.C. 115; 1 U.S.C. 3.
    \11\ See 33 CFR 104.105(a).
    \12\ The term ``Certain Dangerous Cargoes'' is defined in 33 CFR 
101.105 by reference to 33 CFR 160.204, which lists all of the 
covered substances.
---------------------------------------------------------------------------

    TWIC requirements in those regulations do not apply to: Foreign 
vessels; mariners employed aboard vessels moored at U.S. facilities 
only when they are working immediately adjacent to their vessels in the 
conduct of vessel activities; except pursuant to international treaty, 
convention, or agreement to which the U.S. is a party, to any foreign 
vessel that is not destined for, or departing from, a port or place 
subject to the jurisdiction of the U.S. and that is either (a) in 
innocent passage through the territorial sea of the U.S., or (b) in 
transit through the navigable waters of the U.S. that form a part of an 
international strait.\13\
---------------------------------------------------------------------------

    \13\ See 33 CFR 104.105(d)-(f).
---------------------------------------------------------------------------

    Coast Guard regulations implementing MTSA with respect to 
facilities \14\ apply to: waterfront facilities handling dangerous 
cargoes (as generally defined in 49 CFR parts 170 through 179); 
waterfront facilities handling liquefied natural gas and liquefied 
hazardous gas; facilities transferring oil or hazardous materials in 
bulk; facilities that receive vessels certificated to carry more than 
150 passengers; facilities that receive vessels subject to SOLAS, 
Chapter XI; facilities that receive foreign cargo vessels greater than 
100 gross register tons; generally, facilities that receive U.S. cargo 
and miscellaneous vessels greater than 100 gross register tons; barge 
fleeting facilities that receive barges carrying, in bulk, cargoes 
regulated under the Coast Guard's regulations regarding tank vessels or 
CDC; and fixed or floating facilities operating on the OCS for the 
purposes of engaging in the exploration, development, or production of 
oil, natural gas, or mineral resources.
---------------------------------------------------------------------------

    \14\ See 33 CFR 105.105 and 106.105.
---------------------------------------------------------------------------

    Those regulations do not apply to: A facility owned or operated by 
the U.S. that is used primarily for military purposes; an oil and 
natural gas production, exploration, or development facility regulated 
by 33 CFR parts 126 or 154 if (a) the facility is engaged solely in the 
exploration, development, or production of oil and natural gas, and (b) 
the facility does not meet or exceed the operating conditions in 33 CFR 
106.105; a facility that supports the production, exploration, or 
development of oil and natural gas regulated by 33 CFR parts 126 or 154 
if (a) the facility is engaged solely in the support of exploration, 
development, or production of oil and natural gas and transports or 
stores quantities of hazardous materials that do not meet or exceed 
those specified in 49 CFR 172.800(b)(1) through (b)(6), or (b) the 
facility stores less than 42,000 gallons of cargo regulated by 33 CFR 
part 154; a mobile facility regulated by 33 CFR part 154; or an 
isolated facility that receives materials regulated by 33 CFR parts 126 
or 154 by vessel due to the lack of road access to the facility and 
does not distribute the material through secondary marine 
transfers.\15\ Additionally, the TWIC requirements in those regulations 
do not apply to mariners employed aboard vessels moored at U.S. 
facilities only when they are working immediately adjacent to their 
vessels in the conduct of vessel activities.\16\
---------------------------------------------------------------------------

    \15\ See 33 CFR 105.105(c).
    \16\ See 33 CFR 105.105(d) and 106.105(b).
---------------------------------------------------------------------------

    This rulemaking applies to the above-described vessels and 
facilities regulated by the Coast Guard pursuant to the authority 
granted in MTSA, and will further increase the security value of TWIC 
to the nation by making use of the statutorily-mandated biometric 
identification function and other security features. A complete 
statutory and regulatory history of this rulemaking can be found in 
Section III.B of the NPRM published on March 22, 2013.\17\
---------------------------------------------------------------------------

    \17\ 78 FR 17789.
---------------------------------------------------------------------------

    The TWIC program falls under the access control requirements as one 
component of MTSA. Since April 15, 2009, the TWIC has been used 
throughout the maritime sector for access to secure areas of MTSA-
regulated facilities and vessels. Its purpose is to ensure a vetted 
maritime workforce by establishing security-related eligibility 
criteria, and by requiring each TWIC-holder to undergo a security 
threat assessment from the TSA as part of the process of applying for 
and obtaining a TWIC.
    In addition to its visible security features, the TWIC stores two 
electronically readable reference biometric templates (i.e., 
fingerprint templates), a PIN, a digital facial image, authentication 
certificates, and a Federal Agency Smart Credential-Number (FASC-N). 
These features enable the TWIC to be used in different ways for (1) 
card authentication, (2) card validation, and (3) identity 
verification.
    Card authentication ensures that the TWIC is not counterfeit. 
Security personnel can authenticate a TWIC by visually inspecting the 
security features on the card. An electronic reader provides enhanced 
authentication by performing a challenge/response protocol using the 
Certificate for Card Authentication (CCA) and the associated card 
authentication private key stored in the TWIC. The electronic reader 
will read the CCA from the TWIC and send a command to the TWIC 
requesting the card authentication private key be used to sign a random 
block of data (created and known to the electronic reader). The 
electronic reader software will use the public key embedded in the CCA 
to verify that the signature of the random data block returned by the 
TWIC is valid. If the signature is valid, the electronic reader will 
trust the TWIC submitted and will then pull the FASC-N and other 
information from the card for further processing. The CCA contains the 
FASC-N and a certificate expiration date harmonized to the TWIC 
expiration date. This minimizes the need for the electronic reader to 
pull more information from the TWIC (unless required for additional 
checking).
    The card validity check ensures that the TWIC has not expired or 
been cancelled by TSA, or reported as lost, stolen, or damaged. 
Security personnel can validate whether a TWIC has expired by visually 
checking the TWIC's expiration date. Currently, a TSA-canceled TWIC is 
placed on TSA's official CCL, which is updated daily. TSA's CCL is 
available online at: https://universalenroll.dhs.gov/. Currently, the 
process of TWIC visual inspection does not require the security guard 
to compare the cardholder's name to the CCL and therefore facilities do 
not know when specific card holders have had their credentials 
cancelled and may continue to grant access unknowingly. Using an 
electronic reader, card validity is further confirmed by finding no 
match on the CCL and electronically checking the expiration date on the 
TWIC. Checks against the CCL may be performed electronically by 
downloading the list onto a TWIC reader or integrated PACS.
    Identity verification entails comparing the individual presenting 
the TWIC to the same person to whom the TWIC was issued. Identity can 
be verified by visually comparing the photo on the TWIC to the TWIC-
holder. Using an electronic reader, identity can be

[[Page 57656]]

verified by matching one of the biometric templates stored in the TWIC 
to the TWIC-holder's live sample biometric, matching to the PACS 
enrolled reference biometrics linked to the FASC-N of the TWIC, or 
requiring the TWIC-holder to place the TWIC into a TWIC reader 
(currently a PIN can only be accessed using a TWIC reader with a 
contact interface) and entering their PIN to release the digital facial 
image from the TWIC. This avoids the vulnerabilities of visual 
inspection by using the biometric capabilities mandated by Congress.

V. Discussion of Comments and Changes to the Final Rule

    In response to publication of the March 22, 2013 NPRM, the Coast 
Guard received over 100 comment letters, consisting of over 1,200 
unique comments. Commenters provided numerous opinions, arguments, 
questions, and recommendations regarding the proposed TWIC reader 
requirements. In this section, we describe the comments received, as 
well as how they influenced the decisions made in this final rule. 
Overall, we have grouped our discussion into five sections, as 
discussed below.
    In Section A, we address comments relating to the TWIC program 
generally, and electronic TWIC inspection specifically. This section 
includes comments relating to what the program's purpose is, how it 
affects security, and how it is tailored to achieve these goals in the 
most cost-effective and least-burdensome manner. We also discuss the 
risk analysis methodology in this section, in order to address comments 
relating to the specific types of threats the electronic TWIC 
inspection program is designed to combat.
    Sections B through D of this discussion respond to comments 
relating to the operational aspects of the electronic TWIC inspection 
program. Most comments received were of a practical nature, especially 
those asking for clarifications on exactly how the regulations would 
apply in a large variety of specific situations. Section B addresses 
the specific nature of what an ``electronic TWIC inspection'' is, 
including what must be carried out, how such an inspection can be 
carried out using a PACS, recordkeeping requirements arising from 
electronic TWIC inspections, and how specific problems, such as a 
misplaced TWIC, would be addressed in the regulations.
    Section C addresses when an electronic TWIC inspection must take 
place, including the specific locations on a facility or vessel where 
electronic readers must be located, and the parameters of an RUA 
configuration. Section D responds to comments relating to the 
classification of vessels and facilities into Risk Groups, including 
questions relating to barge fleeting facilities, shifting Risk Groups, 
and the exemption from electronic TWIC inspection requirements for 
vessels with a low number of crewmembers.
    Items relating to the economic issues of electronic TWIC inspection 
are addressed in Section E. Comments on these issues related to the 
costs of TWIC readers, throughput times for TWIC transactions, and 
potential changes in security staffing needs.
    Finally, Section F addresses several miscellaneous issues. Primary 
among these issues are comments relating to the TWIC Pilot Program and 
the Government Accountability Office (GAO) report on TWIC readers, 
issued in 2013 shortly before publication of the NPRM and accompanying 
analysis.\18\ Additionally, this section addresses all other comments 
and questions that were not included in other sections.
---------------------------------------------------------------------------

    \18\ ``Transportation Worker Identification Credential: Card 
Reader Pilot Results Are Unreliable; Security Benefits Need to Be 
Reassessed'' (GAO-13-198).
---------------------------------------------------------------------------

A. General Matters Relating to TWIC

    In response to the NPRM, the Coast Guard received a large variety 
of comments relating to the TWIC program. In this section, we begin 
with those comments that address the TWIC program as a whole. Multiple 
commenters expressed dissatisfaction with the TWIC program as a whole 
and suggested that it be dismantled. Many of these commenters noted 
that specific facilities or vessels had not been targeted by 
terrorists, and argued that the costs of the program were unnecessary. 
For a variety of reasons described extensively throughout this 
document, we believe that the targeted measures established in this 
final rule provide a cost-effective mitigation of various threats that 
could result in a TSI. For example, in the Regulatory Analysis (RA), we 
describe three hypothetical yet plausible scenarios in which an 
individual could gain access to a vessel or facility using a forged or 
stolen TWIC,\19\ threats that could specifically be reduced by 
electronic TWIC inspection. Congress has mandated, and we agree, that 
preventing unauthorized individuals from accessing secure areas of the 
nation's transportation infrastructure is part of a necessary security 
program. While we also agree with many commenters who suggested that it 
does not prevent every possible security threat, that is not the 
purpose of this final rule. The purpose of this final rule is to 
improve security at the highest risk maritime transportation-related 
vessels and facilities through the use of an electronic reader.
---------------------------------------------------------------------------

    \19\ RA, p. 88.
---------------------------------------------------------------------------

    One commenter criticized the Maritime Security Risk Analysis Model 
(MSRAM) threat analysis methodology, because it did not address the 
security issues raised by cargo containers, which include the potential 
for concealed threats within the containers. While we note that MSRAM 
does include scenarios associated with threats from cargo containers, 
for the purposes of the current analysis of electronic TWIC inspection, 
we limited our consideration to attack scenarios that require physical 
proximity to the intended target and for which access control would 
affect the ability to conduct an attack. Controlling access to a target 
is an essential component of security from such attacks because access 
control helps to detect and perhaps interdict or at least delay the 
attackers before they reach the target. TWIC readers enhance the 
reliability of access control measures, thereby increasing the 
likelihood of identifying and denying/delaying access to an individual 
or group attempting nefarious acts. For this reason, our analysis in 
this final rule focuses on threats that could be prevented or mitigated 
through use of electronic TWIC inspection. Concealed items or persons 
smuggled inside cargo containers are not attack scenarios that 
transportation worker identity verification (and electronic TWIC 
inspection in particular) addresses. Therefore, analyzing those 
scenarios would not be useful for this rule. Coast Guard regulations 
address security measures for those attack scenarios in other ways. 
Vessel and facility security plans must describe in detail how they 
meet all relevant security requirements, including the security 
measures in place for handling cargo.\20\
---------------------------------------------------------------------------

    \20\ See 33 CFR 104.405; 33 CFR 105.405; 33 CFR part 104, 
subpart B; and 33 CFR part 105, subpart B.
---------------------------------------------------------------------------

    Multiple commenters expressed concern over the application process 
for obtaining a new or renewal TWIC, stating that delays have saddled 
workers with an undue burden. The Coast Guard understands the 
challenges encountered during the initial implementation of TWIC, and 
during the more recent surge of renewals. We note the progress that has 
been made in the TWIC application process since publication of the 
NPRM.

[[Page 57657]]

Furthermore, we note that comments relating to the card application 
process are outside the scope of this rulemaking, which pertains to 
electronic TWIC inspection requirements only.
    One commenter sought clarification as to why the TWIC was not an 
acceptable form of identification for entry to U.S. Navy or Coast Guard 
bases, and stated that the TWIC should be recognized by the agency that 
is requiring its use within the maritime sector. This comment is also 
outside the scope of this rulemaking as it does not address TWIC 
readers or their application to maritime rather than Federal facilities 
(e.g., Coast Guard or Navy military bases).
    One commenter expressed concern with requiring electronic readers 
on vessels, stating that anyone boarding a vessel would need to first 
pass through a facility. The same commenter stated that seafarers 
should not be prevented from taking shore leave, and suggested that 
additional regulations be put in place to avoid unlawful charges to 
seafarers to transit facilities for shore leave. The Coast Guard 
understands these concerns and has applied this rulemaking to those 
vessels presenting the highest risk and to those vessels which, in most 
cases, will regularly visit international ports not regulated under 
MTSA. Additionally, Congress mandated seafarers' access in section 811 
of the Coast Guard Authorization Act of 2010. This mandate requires 
each Facility Security Plan to ``provide a system for seamen assigned 
to a vessel at that facility, pilots, and representatives of seamen's 
welfare and labor organizations to board and depart the vessel through 
the facility in a timely manner at no cost to the individual.'' \21\ 
The Coast Guard is currently conducting a separate rulemaking to 
implement section 811.\22\
---------------------------------------------------------------------------

    \21\ See the Seafarers' Access to Maritime Facilities Notice of 
Proposed Rulemaking (79 FR 77981, 77985 (Dec. 29, 2014)).
    \22\ The docket for the Seafarers' Access rulemaking is 
available online at www.regulations.gov by entering ``USCG-2013-
1087'' in the Search box.
---------------------------------------------------------------------------

    Several commenters requested more flexibility within this final 
rule rather than a ``one size fits all'' approach. This final rule 
incorporates additional flexibility for vessel and facility operators 
in direct response to comments in which specific requests for 
flexibility were made. The Coast Guard wholly agrees that there is no 
``one size fits all'' approach for maritime security given the vast 
range of facility and vessel operations which, in many cases, overlap 
or occur in close proximity to each other. This final rule moves to a 
more performance-based approach by defining the criteria for electronic 
inspection requirements that meet the TWIC access control measures. 
Additionally, this rule sets flexible baseline requirements for 
electronic reader implementation for those vessels and facilities. We 
believe that the increased flexibility will decrease the burden on 
industry by allowing the use of existing systems with minor 
modifications, increasing the pool of available electronic reader 
technology, and allowing the individual operators to determine the 
approach to meet the regulatory requirement that best facilitates their 
business needs.
    Some commenters suggested that the TWIC should be a standardized 
credential that can be used at multiple facilities, and that having 
this Federal credential should be a standard credential, rather than 
requiring truck drivers and others who need access to secure areas to 
obtain individual site-specific badges. The commenters argued that the 
use of the credential could alleviate redundant and overlapping 
background checks for workers, such as drivers, that access multiple 
facilities. We partially agree with this argument, but believe we 
should elaborate more closely on the role that TWIC and other 
identification credentials play in ensuring security at maritime 
facilities. We disagree with the suggestion that the TWIC should be 
used as an ``all-access'' credential that would override the property 
rights and security responsibilities of vessel and facility owners. We 
believe (like many other commenters), that possession of TWIC should 
not automatically grant an individual access to secure areas because 
the mere possession of a TWIC does not entitle the holder to access 
another person's property. The decision to grant access to a secure 
area of a vessel or facility appropriately lies with the owner or 
operator of that vessel or facility. We expect vessel and facility 
operators to limit access to their secure spaces to those who need such 
access, and to ensure that only those with a valid TWIC are granted 
unescorted access.
    However, we note that controlling access to facilities can be 
carried out in several ways. For example, a facility may grant 
unescorted access to employees who enter the facility multiple times 
per day on a regular basis, and also grant access to truck or bus 
drivers who may only enter the facility on an occasional basis. Such a 
facility may use different ways to control access, and ensure that all 
individuals granted unescorted access possess a valid TWIC. The 
facility may vary how it does this depending on the operator's business 
needs and on the reasons why different individuals are requesting 
unescorted access. In this example, the facility might have one 
entrance for employees who use a PACS card to enter secure areas of the 
facility, and have another entrance for truck or bus drivers, who would 
present a TWIC for inspection. A single access point could also contain 
both a PACS reader and a TWIC reader, the latter for use by contractors 
or visitors who may not have been issued a facility-specific access 
card.
    In this final rule we have granted flexibility that allows 
operators to use a variety of means to grant unescorted access, 
including the use of the TWIC as a means of identification. However, 
this final rule does not require operators to grant unescorted access 
to any TWIC-holder. As is currently the case, access to any vessel or 
facility is granted by the owner or operator, who has the authority and 
responsibility to determine if the individual requesting access has a 
legitimate business purpose.
1. Purpose and Efficacy of the TWIC Program
    Several commenters questioned the overall efficacy of the TWIC 
program, questioning whether the program, with or without electronic 
readers, does anything to improve security. The Coast Guard understands 
that there have been many challenges with the implementation of the 
TWIC program, but does believe that TWIC has improved access control at 
vessels and at maritime facilities across the country. The TWIC 
program's single standard and nationwide recognition is intended to 
ensure a secure, consistent biometrically enabled credential, and 
facilitate an efficient, resilient, mobile transportation workforce 
during routine and emergency situations. However, an individual 
successfully obtaining a TWIC is only the first half of a two-part 
process. First, vessel and facility security personnel must determine 
that an individual possesses a valid TWIC, meaning that they have been 
vetted. Second, they must verify the individual's authorization for 
entering a vessel or facility before granting the person unescorted 
access. As mentioned above, the mere possession of a valid TWIC alone 
is not sufficient to gain the holder of that credential access to 
secure areas on vessels or facilities across the country. The TWIC 
provides a means by which a vessel or facility security officer can 
determine that an individual has been vetted to an established and 
accepted standard. This determination

[[Page 57658]]

helps inform the vessel or facility security officer's decision to 
grant unescorted access to an individual. Vessel and facility personnel 
may then evaluate a TWIC-holder's authorization and determine whether 
the TWIC-holder should be granted unescorted access.
    One commenter took issue with a statement in the NPRM that read 
``TWIC readers will not help identify valid cards that were obtained 
via fraudulent means, e.g., through unreported theft or the use of 
fraudulent IDs.'' \23\ The commenter stated that TWIC readers can 
identify cards that were obtained through unreported theft of the TWIC 
card by performing biometric identification of the TWIC-holder. We 
believe the commenter misunderstood the statement in the NPRM, which 
referred to the use of fake or stolen (but unreported) identification 
documents, such as drivers licences and birth certificates, to 
fraudulently obtain an authentic TWIC from the TSA. The use of such 
fraudulently acquired, but genuine TWICs was one issue highlighted by 
the GAO and by several commenters as a shortcoming in the TWIC program, 
and we acknowledge that the use of electronic TWIC inspection will not 
address that particular scenario. However, we agree with the commenter 
that if a valid TWIC was stolen after it was produced, electronic TWIC 
inspection would help to identify such a card if an unauthorized person 
attempted to use it. Although visual TWIC inspection could also detect 
such unauthorized use, electronic TWIC inspection would do so more 
effectively by using the TWIC's biometric and other security features.
---------------------------------------------------------------------------

    \23\ 78 FR 17787.
---------------------------------------------------------------------------

    Some commenters argued that visual TWIC inspection does not provide 
``adequate security,'' and that electronic TWIC inspection should be 
the standard procedure for all TWIC inspections, rather than used only 
for high-risk vessels and facilities. The commenter made several 
arguments as to why visual TWIC inspection should not be used. The 
commenter quoted guidance from the National Institute of Standards and 
Technology (NIST), issued with regard to identification for Federal 
employees when entering Federal facilities, which stated that visual 
inspection of an identification card offers little to no assurance that 
the claimed identity of the individual matches the identification. The 
commenter stated that visual inspection is a weak authentication 
mechanism and does not provide the level of assurance that an 
electronic inspection can provide. Another commenter cited the 2011 GAO 
report on the TWIC program, which stated that visual TWIC inspection 
was not a particularly effective means of identity verification.\24\ 
While we agree that electronic TWIC inspection provides a more reliable 
means of identity verification than visual TWIC inspection, we disagree 
with the assertion that the visual inspection provides no security 
benefit. Many industries rely on photographic identification cards to 
verify a card-holder's identity before granting access to accounts or 
locations. Some situations may require, and justify the cost of, 
additional layers of security. For example, the heightened risk at Risk 
Group A vessels and facilities warrant the greater security afforded by 
electronic TWIC inspection, along with the attendant costs. As 
explained in this preamble and the accompanying RA, we do not believe 
such costs are justified for vessels and facilities outside of Risk 
Group A at this time.
---------------------------------------------------------------------------

    \24\ GAO-11-657, ``Transportation Worker Identification 
Credential: Internal Control Weaknesses Need to Be Corrected to Help 
Achieve Security Objectives''
---------------------------------------------------------------------------

    The commenter made several other arguments relating to visual TWIC 
inspection. First, the commenter noted that there is no way for visual 
TWIC inspection to determine if a TWIC has been cancelled. While we 
agree that visual TWIC inspection will not perform an electronic check 
against the TSA's list of cancelled TWICs, we disagree with the 
suggestion that visual inspection has no value in performing the card 
validity check. Security personnel perform the basic card validity 
check to ensure that a TWIC has not expired by checking the card's 
expiration date. A TWIC reader does the same validity check 
electronically, but will further confirm card validity by finding no 
match on the list of cancelled TWICs. We explain in the RA that the 
costs associated with this added layer of security are warranted only 
for Risk Group A vessels and facilities.
    The commenter also stated visual TWIC inspection creates 
vulnerability because it relies on a ``repetitive human process,'' 
where the staff may become distracted or less attentive. While we agree 
generally that electronic TWIC inspection is more reliable than visual 
TWIC inspection, we disagree with the suggestion that visual TWIC 
inspection is unreliable. We are requiring TWIC readers for Risk Group 
A, in part, due to the potentially reduced human error that TWIC 
readers afford. As explained in the RA, that added benefit does not 
outweigh the costs associated with requiring TWIC readers outside of 
Risk Group A at this time.
    One commenter stated that the background check does not ensure that 
facilities are protected from crime. The Coast Guard agrees that crimes 
can still be committed despite background checks, although we note that 
MTSA specifically prohibits certain persons with extensive criminal 
histories from receiving TWICs.\25\ However, the purpose of requiring 
electronic TWIC inspection is not to prevent all crime, but to prevent 
TSIs at high-risk vessels and maritime facilities. In that regard, we 
believe that TWIC is a critical part of the layered approach to port 
security because it establishes a minimum, uniform vetting and threat 
assessment process for mariners and port workers across the country 
aimed at preventing a TSI. The existing TWIC Program ensures that 
workers needing routine, unescorted access to secure areas of 
facilities and vessels undergo lawful status checks (for non-U.S. 
citizens) and that they are vetted against a specific list in statute 
of terrorism associations and criminal convictions.\26\ It provides a 
standard baseline for determining an individual's suitability to enter 
the secure area of a vessel or facility regulated under the MTSA. We 
note that the program does not exclude everyone with a criminal record 
and that most, but not all, of the permanent disqualifying crimes for a 
TWIC can be waived in extraordinary circumstances.\27\ However, there 
are aggressive procedures to remove a TWIC from any TWIC-holder found 
to have committed one of these crimes after receiving their TWIC, or to 
remove a TWIC from a TWIC-holder who is later added to any of the 
terrorism associated databases.
---------------------------------------------------------------------------

    \25\ See 46 U.S.C. 70105(c) for the list of disqualifying 
criminal offenses.
    \26\ 46 U.S.C. 70105 and 49 CFR 1572.103.
    \27\ 46 U.S.C. 70105 and 49 CFR part 1515.
---------------------------------------------------------------------------

    Multiple commenters suggested that the risk analysis for the NPRM 
did not adequately address cargo containers and the related cargo 
container facilities. One commenter suggested that container terminals 
were the primary focus of the enactment of the MTSA and SAFE Port Act, 
yet they are not subject to the highest level of TWIC scrutiny. The 
Coast Guard disagrees that container terminals were the primary focus 
of the Acts, noting that there was substantial discretion permitted by 
the statutory language to implement electronic TWIC inspection 
requirements. We reiterate that with regard to threats carried within 
cargo

[[Page 57659]]

containers, electronic TWIC inspection is not particularly effective 
for threat mitigation since scenarios involving container contents 
(e.g., weapons, personnel) in an attack in the United States do not 
require access to the container inside the secure area. The risk 
analysis evaluated the consequence of an attack on the maritime 
facilities themselves, deeming it reasonable to confine attack 
scenarios to the facility because offsite scenarios (e.g., transfer of 
container contents) are not mitigated by TWIC, but are instead the 
focus of additional layers of protections in the larger MTSA regulatory 
regime. Based on the MSRAM calculations relating to the effect of an 
attack on a cargo container facility, the efficacy of electronic TWIC 
inspections in disrupting such attacks, and considering the costs of 
requiring electronic TWIC inspections, we arrived at the conclusion 
that it would not be the most cost-effective approach to improving 
public safety to require electronic TWIC inspection at these facilities 
at this time. We would refer interested parties to the accompanying RA 
for a detailed discussion of alternative regulatory approaches 
considered in this rulemaking. Furthermore, we note that under existing 
guidance, any facility not covered by this final rule may implement 
electronic TWIC inspection on a voluntary basis for any reason.
    One commenter stated that the classification for large general 
cargo container terminals was counterintuitive, because disruption to 
any one of these facilities could have significant negative 
consequences for the nation's economy. We understand the commenter's 
perspective. However, for this rule, as part of the MSRAM analysis, we 
evaluated the risk of a TSI that (1) occurs at cargo container 
facilities and (2) would be less likely to occur through TWIC reader 
implementation, and for these scenarios, the likelihood of long-term 
disruptions to the nation's economy is assessed to be minimal.
    One commenter suggested that not placing container terminals in 
Risk Group A, and thus not requiring electronic TWIC inspection, would 
threaten the supply chain by allowing TWIC-holders, who have 
subsequently been determined by the TSA to be a security threat to the 
United States, to have unescorted access to the nation's critical 
infrastructure with impunity. We disagree that not placing container 
facilities in Risk Group A is tantamount to exposing those facilities 
to security threats. We note that the general TWIC requirements located 
in Sec.  101.515, which prohibit those who do not hold a valid TWIC 
from receiving unescorted access to a secure area, is still effective 
for these facilities. Container facilities may voluntarily institute 
requirements for electronic verification, for example, for business 
reasons. Furthermore, such facilities are subject to spot checks by the 
U.S. Coast Guard where such invalidated TWIC-holders could be 
discovered through the use of portable TWIC readers by Coast Guard 
personnel.
    One commenter suggested that terrorists might use a small facility 
to transport a weapon, thus bypassing electronic TWIC inspection 
programs. Pursuant to existing requirements, unescorted access to a 
secure area of any MTSA-regulated maritime facility requires a TWIC, so 
all workers seeking unescorted access, not just those at high-risk 
facilities, are subject to background checks. However, we note that 
electronic TWIC inspection is not designed to directly protect against 
smuggling, including the smuggling of terrorist weapons. Electronic 
TWIC inspection is designed to ensure that unauthorized persons, who 
have not been provided a TWIC, are not provided unescorted access to 
high-risk vessels and facilities. Many, if not most, smuggling 
scenarios do not require adversary access to secure areas for success, 
and thus the enhanced access control afforded by electronic TWIC 
inspection does little to reduce the risk for these scenarios.
    One commenter added that facilities are poor targets for terrorist 
attacks and thus, screening workers on those facilities adds little 
value. We disagree, and note that we have tailored this rule to 
specifically encompass only those maritime facilities where the dangers 
of a TSI are heightened, such as those that handle or receive vessels 
carrying CDC in bulk. We have determined that the facilities in Risk 
Group A could be attractive targets for terrorist attacks due to the 
substantial loss of life and environmental effects that could result 
from a TSI. Furthermore, we tailored the requirements to only require 
electronic TWIC inspection when such inspection would have a 
substantial effect on reducing the likelihood of such an attack (the 
``TWIC utility'' prong of the risk analysis, described in detail in the 
NPRM). See 78 FR 17791.
2. Risk Analysis Methodology
    Multiple commenters expressed concern with the risk analysis for 
this rulemaking. While we have considered the commenters' concerns, our 
risk analysis model remains unchanged from that proposed in the NPRM. 
We believe that the existing risk analysis model, which considered a 
wide range of targets, attacks, and consequences, remains the most 
comprehensive and logical means available to implement the electronic 
TWIC inspection program. In this process, the Coast Guard analyzed 68 
distinct types of vessels and facilities using the MSRAM database based 
on their purposes or operational descriptions. The Coast Guard 
initially separated this list of vessels and facilities into proposed 
Risk Groups A, B, and C in the ANPRM and have ultimately used this 
baseline to inform the classification of Risk Group A vessels and 
facilities in this final rule. We identify these vessels and facilities 
as those that can best be protected by electronic TWIC inspection.
    The risk analysis methodology used in this rulemaking consists of 
three distinct analytical factors. The first factor, which we described 
in the NPRM as the ``maximum consequences to [a] vessel or facility 
resulting from a terrorist attack,'' is the direct consequence of a 
type of attack that could be prevented or mitigated by use of 
electronic TWIC inspection. This factor was assessed for each class of 
vessel and facility. The second factor, which we described as the 
``criticality to the nation's health, economy, and national security,'' 
considered the impact of the loss of a vessel or facility beyond the 
direct consequences, taking into consideration regional or national 
impact on health and security. Finally, we considered TWIC utility, 
which we describe as the effectiveness of the TWIC program in reducing 
a vessel or facility's vulnerability to a terrorist attack.''
    It is important to note that the electronic TWIC inspection program 
is not the only security measure protecting vessels and maritime 
facilities, and is not designed to counter every conceivable threat to 
them. In the preliminary RA, we explained that there were three 
specific attack scenarios most likely to be mitigated by electronic 
TWIC inspection, and thus used in our analysis. These scenarios were: 
(1) A truck bomb, (2) a terrorist assault team, and (3) an explosive 
attack carried out by a passenger or passerby (with the specific caveat 
that the terrorist is not an ``insider'').\28\ While several commenters 
criticized certain aspects of the TWIC program for not countering 
additional threats, we note that benefits outside the scope of the 
above threats were not considered to be likely successes of the TWIC 
program and were not considered in our analysis. One commenter 
suggested that the truck bomb scenario was unrealistic, as it would be 
easier to

[[Page 57660]]

place a bomb in a container itself. We note that these are two distinct 
scenarios, and that the risk identified in the latter scenario is one 
that is not mitigated by electronic TWIC inspection.
---------------------------------------------------------------------------

    \28\ Preliminary RA, p.72.
---------------------------------------------------------------------------

    The first factor of the analysis was the most comprehensive, which 
was to determine the direct primary and secondary consequences of the 
total loss of a vessel or facility. To conduct this stage of the 
analysis, we used MSRAM data. MSRAM collects data from a wide variety 
of vessels and facilities and includes calculations of damages for each 
individual vessel or facility. The damages incorporated into the MSRAM 
analysis include: (1) Death and serious injuries; (2) direct property 
damage and the costs of business interruptions; (3) environmental 
consequences; (4) national security consequences; and (5) secondary 
economic consequences, such as damage done to the supply chain.\29\ To 
finish the first stage of analysis, we aggregated the MSRAM data from 
the individual vessels and facilities into averages for each of the 68 
identified classes.
---------------------------------------------------------------------------

    \29\ Preliminary RA, p.75.
---------------------------------------------------------------------------

    The second factor in the analysis considered the impact of the 
total loss of the vessel or facility beyond the immediate local 
consequences. This involved examining the regional and national effects 
of such a loss on the state of human health, the economy, and national 
security. The third factor in the analysis focused on the effectiveness 
of the TWIC program in actually reducing the vessel or facility class' 
vulnerability to a terrorist attack. In instances where electronic TWIC 
inspection would substantially reduce the effect or likelihood of an 
attack, this factor was assigned a greater value.
    Once the three analytical factors were determined, the Coast Guard 
combined the scores using the Analytic Hierarchy Process (AHP), 
developing a total score that combined the severity of an attack and 
the effectiveness of the TWIC program in countering that attack for 
each of the classes of vessels and facilities. These overall rankings 
were then used to determine the Risk Groups used in developing this 
rulemaking. We believe that this approach used in this risk analysis 
methodology is highly effective, and represents the best method 
available for assessing the benefits of the electronic TWIC inspection 
program to the specific vessels and facilities under consideration.
    One commenter suggested that the Coast Guard should not finalize 
this rule, and that a panel of private industry representatives should 
be included in an objective review of where the risks and 
vulnerabilities are in order to develop the best tool for mitigation. 
The Coast Guard has taken a collaborative approach toward developing 
this final rule, and has considered information from numerous 
stakeholders in this rulemaking, including the large number of comments 
on both the ANPRM and NPRM. As a result, the Coast Guard has amended 
this final rule, targeting the affected population to those vessels for 
which the use of electronic TWIC inspection provides the greatest 
benefit at minimum cost. This would not have been possible without the 
extensive public input received.
    One commenter suggested that previous risk assessments of their 
operation had never identified a scenario in which rogue employees 
played a role. We do not agree with the commenter that this weakens the 
case for the implementation of electronic TWIC inspection requirements. 
We note that ``rogue employees'' (no precise definition of this term 
was supplied, but we assume it means an employee who intends to carry 
out a TSI) are unlikely to be a threat mitigated by this final rule. 
This final rule is primarily designed to identify and intercept those 
adversaries who are not employees, but are attempting to use a stolen 
or otherwise invalid card to gain access to a secure area. A ``rogue 
employee'' with a valid TWIC would not be intercepted by electronic 
TWIC inspection. The ``rogue employee'' scenario is partially addressed 
by the security threat assessment that each employee must undergo 
before obtaining a TWIC, and is also addressed by other layers of 
security. For example, 33 CFR 104.285 and 105.275 require owners and 
operators to have the capability to continuously monitor their vessels 
and facilities through the use of lighting, security guards, waterborne 
patrols, automatic intrusion devices, or surveillance equipment.
    The same commenter asserted that there are no facts, objective risk 
assessments, or examples provided to support how a TWIC reader would 
enhance security absent a known risk or vulnerability. Additionally, 
the commenter broadly suggested that an owner or operator should be 
allowed to self-assess and determine its own risk group category after 
taking into account the security measures already in place at their own 
location. We disagree with both comments. MSRAM is a fact-based, 
objective tool for assessing TSI risk in the maritime domain. MSRAM 
incorporates specific examples of vessels and facility types and 
various attack modes. As explained in great detail in the ANPRM, NPRM, 
and elsewhere in this preamble, MSRAM is an analysis tool designed to 
estimate risk for potential terrorist targets. We consider MSRAM to be 
the best available tool for determining which vessels and facilities 
should be considered high-risk for the purpose of TWIC reader 
requirements. Because electronic TWIC inspection is generally more 
reliable than visual TWIC inspection, TWIC readers enhance access 
control more than visual inspection, increasing the likelihood of 
identifying an aggressor and denying access to secure areas. While the 
above rationale applies generally to Risk Group A, the Coast Guard also 
recognizes that the nature or operating conditions of certain vessels 
and facilities may warrant a waiver from certain regulatory 
requirements. The existing regulations in 33 CFR 104.130 and 105.130 
provide that owners and operators may apply for a waiver of any 
requirement of the security regulations in 33 CFR parts 104 and 105 
(including the TWIC reader requirements) in appropriate circumstances 
and where the waiver will not reduce overall security.
    Several commenters noted that while the Coast Guard used the MSRAM 
data to conduct its risk analysis, a number of TWIC Pilot Program 
participants were not contacted during this assessment. They argued 
that these participants could have provided local knowledge to produce 
supportable conclusions relative to risks and risk mitigation 
strategies in particular locations. We believe that these commenters 
misunderstand how MSRAM data were used. The Coast Guard carefully 
reviewed the pilot project in writing this final rule. MSRAM datawere 
used to help determine the consequences of a TSI. This was one factor 
used in determining the overall risk to the various classes of 
facilities analyzed in the Coast Guard's risk analysis. The Coast Guard 
uses MSRAM in a variety of risk analysis applications and does not 
engage in discussion with each participant every time the data are 
utilized.
    Some commenters also argued that they were the subject of several 
counterterrorism studies, and that these studies had not identified 
TWIC as risk mitigation tool, nor had they identified a scenario in 
which an employee bringing harm to a ferry was an identified 
vulnerability. These studies were not provided by the commenter but, 
from their descriptions, seem to have focused on risks other than those 
posed by persons impersonating

[[Page 57661]]

employees. We note that while previous studies may not have identified 
TWIC as a risk mitigation tool, we have considered various scenarios in 
which electronic TWIC inspection would mitigate risk, and used them as 
the basis for our risk analysis. Furthermore, we note that electronic 
TWIC inspection is not designed to prevent a valid and cleared employee 
from bringing harm to a vessel or facility. Instead, it is specifically 
designed to prevent access to a secure area by an unauthorized person 
who is attempting to gain access by using a stolen or counterfeited 
TWIC. We believe that electronic TWIC inspection is an appropriate and 
cost-effective tool to mitigate such risks.

B. Electronic TWIC Inspection

    Electronic TWIC inspection is the process by which the TWIC is 
authenticated, validated, and the individual presenting the TWIC is 
matched to the stored biometric template. This process consists of 
three discrete parts: (1) Card authentication, in which the TWIC at 
issue is identified as an authentic card issued by the TSA; (2) the 
card validity check, in which the TWIC is compared to the TSA-supplied 
list of cancelled TWICs \30\ to ascertain that it has not been revoked, 
and is not expired; and (3) identity verification, in which the TWIC is 
matched to the person presenting identification through use of a 
biometric template stored on the TWIC.
---------------------------------------------------------------------------

    \30\ We note that at this time, this list is the Cancelled Card 
List (CCL). However, there are also several specific Certificate 
Revocation Lists maintained by TSA, which differ from the CCL. In 
order to provide a regulation that is flexible in terms of future 
technology adaptations, in this final rule, we have described the 
list in the regulatory requirement generically as the ``list of 
cancelled TWICs.'' See sections 101.520(b) and 101.525 of the final 
rule regulatory text. This allows TSA to continue to use the CCL, 
but will also allow additions from various Certificate Revocation 
Lists if and when that becomes feasible and efficient. Any such 
change in the list of cancelled TWICs would be a ``back end'' change 
on TSA's part and would not impact the burdens or operations of 
private parties, who would still only be required to check a TWIC 
against the list as part of the card validity check. In this 
document, we generally refer to the ``list of cancelled TWICs'' when 
referring to the regulatory requirements in the final rule, while 
still using the ``CCL'' terminology when discussing comments on the 
Cancelled Card List or discussions in the NPRM that used that 
terminology.
---------------------------------------------------------------------------

    The purpose of electronic TWIC inspection is to improve the 
inspection of TWICs, as compared to visual TWIC inspection. We note 
that visual TWIC inspection accomplishes the same three tasks as 
electronic TWIC inspection, but in different ways, and generally not as 
thoroughly or reliably as electronic TWIC inspection. Visual card 
authentication is accomplished by visually inspecting the security 
features on the card (such as the watermark). A visual card validity 
check is accomplished by checking the expiration date on the face of 
the card, although there is no way to visually check if the TWIC has 
been revoked by the TSA since it was issued. Finally, visual identity 
verification is conducted by comparing the photograph on the TWIC with 
the individual's face.
    Electronic TWIC inspection improves upon the visual inspection 
checks, and adds two additional benefits. In electronic TWIC 
inspection, the authenticity of the card is verified by issuing a 
challenge/response to the TWIC's unique electronic identifier, called a 
Card Holder Unique Identifier (CHUID). The card's validity is 
determined by checking the TWIC against the most recently updated list 
of cancelled TWICs. Finally, the identity of the TWIC-holder is 
verified by matching the biometric template stored on the TWIC to the 
individual's biometrics. Each of these methods is an improvement upon 
visual TWIC inspection as the electronic TWIC inspection uses methods 
of validation that are not easily manipulated through means such as 
counterfeiting or altering the surface of the TWIC. Additionally, 
electronic TWIC inspection ensures that the card being presented has 
not been invalidated by a means other than being expired, such as the 
card having been reported lost, or the TWIC being revoked due to a 
criminal conviction.
    TWIC inspection, either electronic or visual, provides a baseline 
of information to determine who may be provided unescorted access to 
secure areas of MTSA-regulated vessels and facilities. While not every 
TWIC-holder is authorized unescorted access, the TWIC ensures that 
facility security personnel do not grant unescorted access to 
individuals that have not been vetted or have been adjudicated unfit 
for access to secure areas.
    Several commenters suggested that the sole purpose of TWIC is for a 
worker to be vetted through security and criminal checks, and that 
access control is not a purpose of the TWIC program. We disagree with 
this description of a fundamental principle of the TWIC program. The 
controlling statute, 46 U.S.C. 70105(a)(1) reads, in part, ``[t]he 
Secretary shall prescribe regulations to prevent an individual from 
entering an area of a vessel or facility that is designated as a secure 
area . . . unless the individual holds a transportation security card 
issued under this section. . .''. This is a clear mandate for an access 
control program. We have implemented this mandate by requiring maritime 
workers to obtain a TWIC, and by requiring owners and operators to 
inspect each individual's TWIC prior to granting access to secure 
areas. Using the biometric template, TWIC provides a highly secure 
means for security personnel to verify the identity of an individual 
seeking access to a secure vessel or facility and implementing this 
core requirement of the MTSA.
    In this final rule, we are revising the regulatory text to add 
flexibility and more accurately reflect the electronic TWIC inspection 
process. In the NPRM, we did not describe the process as ``electronic 
TWIC inspection,'' but stated in proposed Sec.  101.520(a) that ``all 
persons must present their TWICs for inspection using a TWIC reader, 
with or without a . . . PACS. . .''. \31\ In this final rule, we are 
modifying the process from presentation of a TWIC to a TWIC reader to 
the concept of electronic TWIC inspection. As stated below, and as 
defined in section 101.105 of this final rule, ``Electronic TWIC 
inspection'' means the process by which the TWIC is authenticated, 
validated, and the individual presenting the TWIC is matched to the 
stored biometric template. In doing so, we have laid out the exact 
requirements for this process in revised Sec.  101.520.
---------------------------------------------------------------------------

    \31\ 78 FR 17829.
---------------------------------------------------------------------------

    In this section, we address the comments and concerns submitted in 
response to the NPRM, and describe in detail how electronic TWIC 
inspection will work in a wide variety of operational situations. Table 
2 provides a summary of the acceptable implementation options for 
owners and operators to perform electronic TWIC inspection. The owner 
or operator of a vessel or facility must ensure the options chosen to 
meet the electronic TWIC inspection requirements perform the required 
card authentication, card validity, and identity verification required 
in revised Sec.  101.520.

[[Page 57662]]



                     Table 2--Implementation Options
------------------------------------------------------------------------
            Option                            Description
------------------------------------------------------------------------
TWIC Reader (QTL)............  Owner/operator uses a TWIC reader listed
                                on TSA's QTL. To gain entry to a secure
                                area, employee presents TWIC and
                                biometric for electronic inspection.
TWIC Reader (non-QTL)........  Owner/operator uses a TWIC reader that
                                adequately performs the three required
                                electronic checks (card authentication,
                                card validity check, identity
                                verification). To gain entry to a secure
                                area, employee presents TWIC and
                                biometric for electronic inspection.
Transparent Reader...........  Similar to non-QTL TWIC reader, except
                                the Transparent Reader does not
                                independently perform card validation,
                                card authentication, and identity
                                verification. Instead, the Transparent
                                Reader transmits information from the
                                employee's TWIC and biometric to a back
                                end system containing software that
                                performs the TWIC check.
                               Once the TWIC check is complete, the back
                                end system shall perform what processes
                                are required to either grant or deny
                                access.
PACS (with facility access     Employee is issued a facility access card
 card).                         after initially registering employee's
                                TWIC and biometric into the facility's
                                access control database. To gain entry
                                to a secure area, employee presents
                                facility access card and biometric for
                                electronic inspection to match against
                                employee's record in the facility's
                                database.
PACS (with biometric only)...  Employee's TWIC and biometric are
                                initially registered into the facility's
                                access control database. To gain entry
                                to a secure area, employee presents
                                biometric (e.g., fingerprint) for
                                electronic inspection to match against
                                employee's record in the facility's
                                database.
------------------------------------------------------------------------

1. Electronic TWIC Inspection Does Not Necessarily Require a TWIC 
Reader
    Many commenters expressed concerns regarding the costs of 
purchasing, installing, and using TWIC readers that have been approved 
by the TSA. They argued that the costs of the TWIC readers were high, 
and that there were problems with the reliability of TWIC readers and 
cards. Many commenters requested that the Coast Guard extend guidance 
issued in Navigation and Vessel Inspection Circular (NVIC) 03-07 and 
Policy Advisory Council (PAC) Decision 08-09, change 1, in which we 
outlined how an existing PACS could be used in lieu of a TWIC reader 
until the TWIC final rule was issued.
    In NVIC 03-07, we described how TWIC could be incorporated into an 
access control system even if the person accessing the secure area did 
not physically use the TWIC as an access control card. We stated that:

    Example: A facility employee who possesses a valid TWIC is 
registered into the facility's access control database and is issued 
a facility access card after the TWIC is verified visually as 
described in 3.3 a. (7) [of NVIC 03-07]. To gain entry into a secure 
area, the employee inserts or scans his/her facility access card at 
a card reader, which verifies the access card as a valid card for 
the facility. The TWIC does not need to be used as a visual identity 
badge at each entry once the facility-specific card is issued. The 
card reader then verifies the individual by matching the facility 
access card to the individual's record in the facility database and 
allows access to secure areas as dictated by the permissions 
established by the owner/operator in the access control system. By 
virtue of the fact that the employee would not be issued a vessel or 
facility-specific card without first having a TWIC, the requirement 
to possess a TWIC for unescorted access to secure areas is met.\32\
---------------------------------------------------------------------------

    \32\ Enclosure (3) to NVIC 03-07, p. 1515 (Available in the 
docket by following the instructions in the ADDRESSES section of 
this preamble).

    Many commenters noted, and we are aware that, the proposed 
regulatory text in the NPRM was worded in such a way that rendered this 
method of compliance impossible. The proposed regulatory text in Sec.  
101.520(a)(1) stated ``Prior to each entry, all persons must present 
their TWICs for inspection using a TWIC reader, with or without a 
physical access control system (PACS), before being granted unescorted 
access to secure areas.'' \33\ Similarly, proposed Sec. Sec.  101.525 
and 101.530 required visual inspections of TWICs before permitting 
access. Many commenters took issue with the change in approach from 
current requirements as described in the NVIC.
---------------------------------------------------------------------------

    \33\ 78 FR 17829.
---------------------------------------------------------------------------

    In this final rule, we are revising the regulatory text to allow 
electronic TWIC inspection to be conducted by either a TWIC reader or a 
PACS at vessels and facilities. This regulatory language will supersede 
previous guidance documents such as PAC 08-09, change 1 and NVIC 03-07. 
Under the new language in revised section 101.520 we are providing 
greater flexibility on the type of equipment used, as long as the three 
parts of electronic TWIC inspection are performed satisfactorily.
    Multiple commenters discussed the scenario where an owner or 
operator has a PACS which cross-checks successful electronic TWIC 
inspections against employment records and other internal security 
systems and records to verify that the cardholder works for the 
company, holds current certifications, and should be allowed into the 
facility. As explained in this document in Section V.B., such a system 
could meet the requirements for electronic TWIC inspection as revised 
for this final rule.
    Two commenters at a public meeting suggested that if a facility 
could prove its PACS is superior to the TWIC requirements, then the 
facility should be exempt from them. Similarly, other commenters 
suggested alternatives the Coast Guard could require, including a 
color-coded system analogous to the former Homeland Security Advisory 
System. In this final rule, we are not providing a generalized 
exemption from electronic TWIC inspection requirements as suggested by 
the commenters. However, as explained, such requirements can be 
performed by a PACS, thus potentially eliminating the need for these 
particular commenters to purchase entirely new equipment or the need 
for an exemption from the electronic TWIC inspection requirements.
    Multiple commenters stated that it would be more cost effective in 
some cases to purchase one or two stationary TWIC readers, but also to 
purchase several portable TWIC readers for multiple temporary gates or 
entrances. One commenter asked whether the final rule requires fixed 
card readers at every point of access, even a temporary or infrequently 
used one. The same commenter asked whether portable TWIC readers would 
meet the TWIC reader requirements on an OCS facility. We clarify that 
neither the NPRM nor final rule required stationary TWIC readers. The 
final rule, as described above, allows for flexibility in terms of 
equipment.
    The arrangements the commenters suggested could all be accommodated 
by this final rule. In this final rule, we are removing prescriptive 
requirements regarding the permanence, type, and placement of 
electronic readers. If a

[[Page 57663]]

vessel or facility has an existing access control system, of any 
variety, whose electronic readers perform the requirements of the 
electronic TWIC inspection (including identity verification), and are 
approved under the relevant security plan, then the PACS is 
permissible.
    In response to the many comments we received on this issue, in this 
final rule, we are substantially altering the TWIC reader requirements 
to accomplish the goals set out by the TWIC reader program, but in a 
manner that provides more flexibility in terms of how those goals are 
met. The requirements in this final rule are designed to allow as much 
flexibility in design of an access control system as possible while 
still achieving the goals of the TWIC reader program.
    We believe that the increased flexibility offered by the revised, 
performance-based regulations is responsive to the many commenters who 
described existing access control systems that they believe are better 
suited for their individual vessels and facilities than those proposed 
in the NPRM. Under these final regulations, a system that accomplishes 
the goals of the TWIC program and uses the three electronic checks 
mandated by the regulation will be considered by the Coast Guard when 
reviewing the security plans. As long as the Coast Guard agrees that 
the proposed security plan accomplishes the goals in a robust fashion, 
we will not limit the choices of the means to do so.
2. Integrating Electronic TWIC Inspection Into a PACS
    NVIC 03-07 and PAC 08-09 change 1 explain that they are valid 
guidance until a TWIC reader final rule is issued, but many commenters 
requested that these documents remain valid even after the final rule 
becomes effective. Because this final rule significantly changes the 
TWIC inspection process for Risk Group A vessels and facilities, the 
TWIC-specific guidance provided in those documents will not continue to 
apply to Risk Group A. However, because we are not making any changes 
to the TWIC requirements for those vessels and facilities not in Risk 
Group A, the guidance documents still retain their validity with regard 
to those entities. We will update and post these guidance documents 
online at https://homeport.uscg.mil/ prior to the effective date of 
this final rule.
    In this final rule, we no longer require facility and vessel 
operators to use a TWIC reader listed on the QTL each time a person is 
granted unescorted access to a secure area. Instead, we are permitting 
multiple options as previously described, including the use of a PACS 
approved in the required Facility Security Plan (FSP) or Vessel 
Security Plan (VSP), if the PACS can perform the electronic TWIC 
inspection requirements.

    Example: A facility employee who possesses a valid TWIC is 
registered into the facility's access control database and is issued 
a facility access card after the TWIC is verified in accordance with 
33 CFR 101.530. After the TWIC and holder of the TWIC are validated 
to ensure the TWIC is issued by TSA and the holder of the TWIC is 
bound to the TWIC, a biometric template of the employee is taken and 
stored on the facility access control system. To gain entry into a 
secure area, the employee inserts or scans his or her facility 
access card at a card reader, which verifies the access card as a 
valid card for the facility. The card reader then matches the 
facility access card to the employee's record in the facility 
database. A biometric sample from the employee is taken and matched 
to the associated biometric template stored on the facility's access 
control system. The facility's access control system then checks the 
TWIC's CHUID to assure that the TWIC is still valid (unexpired) as 
well as checks the list of cancelled TWICs to ensure that it has not 
been cancelled for any other reason. Upon verification that the TWIC 
is valid and the employee's biometric matches the associated 
template, the facility access control system allows access to secure 
areas as dictated by the permissions established by the owner or 
operator in the access control system. By virtue of the fact that 
the employee would not be issued a facility-specific card without 
first having a TWIC, the requirement to possess a TWIC for 
unescorted access to secure areas is met. The requirement for a 
biometric match of the employee is met through the performance of a 
match to the biometric template stored on the facility access 
control system.

    We note that the requirement for electronic TWIC inspection can be 
met even without the use of any sort of card reader, so long as the 
three parts of the electronic TWIC inspection are met. Such a system 
could be designed to use an individual's biometric check as a means of 
identification, such as described below.

    Example:  A facility employee who possesses a valid TWIC is 
registered into the facility's access control database and a 
biometric template of the employee is taken and stored on the 
facility access system. (We note that this is done after the TWIC 
and holder of the TWIC are validated to ensure the TWIC is issued by 
TSA and the holder of the TWIC is bound to the TWIC). To gain entry 
into a secure area, the employee presents a biometric (e.g., 
fingerprint) to a biometric reader connected to the facility's 
access control system. The access control system identifies the 
employee from the fingerprint and then matches it to the biometric 
template and the employee's TWIC information in the facility 
database. The facility's access control system then checks the 
TWIC's CHUID to assure that the TWIC is still valid (unexpired) as 
well as checks the list of cancelled TWICs to ensure that it has not 
been revoked for any other reason. Upon verification that that the 
TWIC is valid and the employee's biometric matches the associated 
template, the facility access control system allows access to secure 
areas as dictated by the permissions established by the owner or 
operator in the access control system. By virtue of the fact that 
the employee would not be entered into the facility's access control 
system without first having an authenticated TWIC, the requirement 
to possess a TWIC for unescorted access to secure areas is met. The 
requirement for a biometric match of the employee is met through the 
performance of a match to the biometric template, in this case a 
fingerprint stored on the facility access control system.

    Additionally, we note that although a biometric template is the 
particular biometric measurement used in the TWIC application process, 
an alternative biometric may be used to perform the identity 
verification check required by the regulations so long as the method is 
approved in the security plan. For example, as two commenters 
suggested, a vascular scan could be stored on a facility's access 
control system instead of a fingerprint, which could be useful in 
situations where some employees have difficult-to-read fingerprints.
a. List of Acceptable TWIC Readers
    In the NPRM, the Coast Guard proposed that only certain TWIC 
readers would be permitted to be used for purposes of electronic TWIC 
inspection. As stated above, proposed Sec.  101.520(a)(1) read, 
``[p]rior to each entry, all persons must present their TWICs for 
inspection using a TWIC reader, . . .''. The term ``TWIC reader'' was 
defined in proposed Sec.  101.105 as ``an electronic device listed on 
TSA's Qualified Technology List . . .''. Thus, by operation of the 
proposed regulatory text, TWIC readers listed on the QTL would be 
required at access points to secure areas on facilities and at the 
entrances to vessels requiring electronic TWIC inspection.
    TSA had not published the QTL at the time of publication of the 
NPRM. Thus, in its discussion regarding the types of approved TWIC 
readers, the NPRM reiterated guidance from PAC-D 01-11 regarding the 
use of TWIC readers to meet the existing regulatory requirements for 
effective identity verification, card validity, and card 
authentication.\34\ Specifically, in that guidance document, we stated 
that:
---------------------------------------------------------------------------

    \34\ 78 FR 17805.

    In accordance with 33 CFR 101.130, the Coast Guard determines 
that a biometric

[[Page 57664]]

match using a TWIC reader from the TSA list of readers that have 
passed the Initial Capability Evaluation (ICE) Test (available at: 
http://www.tsa.gov/assets/pdf/twic_ice_list.pdf) to confirm that the 
biometric template stored on the TWIC matches the fingerprint of the 
individual presenting the TWIC meets or exceeds the effectiveness of 
---------------------------------------------------------------------------
the identity verification check.

    The NPRM also noted that, in accordance with the guidance, ``TWIC 
readers allowed pursuant to PAC-D 01-11 may no longer be valid after 
promulgation of a TWIC reader final rule, and DHS will not fund 
replacement of TWIC readers.'' \35\
---------------------------------------------------------------------------

    \35\ 78 FR 17805.
---------------------------------------------------------------------------

    In recognition of advancing technology and standards, and to 
provide further flexibility to the end user that may meet business 
specific needs, this final rule does not require a TWIC reader from the 
TSA's QTL, accessible online at http://www.tsa.gov/stakeholders/reader-qualified-technology-list-qtl. Instead, the Coast Guard is permitting 
multiple options for the implementation of electronic TWIC inspection. 
The first option for meeting these needs within this final rule remains 
the mechanism proposed in the NPRM, which is the use of TWIC readers 
listed on the QTL. These TWIC readers are defined as ``Qualified 
Readers.'' We believe that this option is most appropriate for vessels 
or facilities that currently do not conduct electronic TWIC inspection 
and are seeking a TWIC reader determined to be in conformance with the 
TWIC Reader Hardware and Card Application Specification, available in 
the online docket for this rulemaking. The QTL continues to remain 
useful for this and other purposes.
    A similar option would be to use a TWIC reader that is not on the 
QTL. While such electronic readers are not prohibited by this rule, 
they must still meet the performance requirements of Sec.  101.520. 
This performance-oriented option is intended to provide more options to 
users to meet their individual needs while still relying on the TWIC as 
an access control credential.
    Another option would be to use an electronic reader or combination 
of separate devices--such as proximity readers, biometric readers, and 
PIN pads--that would transmit the information from the TWIC and 
individual seeking access to software that performs the card 
authentication, card validity check, and biometric identification 
functions required in Sec.  101.520. We refer to this arrangement as a 
``Transparent Reader.'' In this case, for example, a Transparent Reader 
would read the information from the TWIC along with the biometric 
sample provided by the individual and transmit it to a back end system 
containing software that performs the TWIC check. Once the TWIC check 
is complete, the back end system would perform what processes are 
required to either grant or deny access. This option may be highly 
popular with facilities that have already invested in electronic reader 
infrastructure and high tech software systems that may not be on the 
QTL. In this case, much as a situation with a PACS, the operator may 
have to add a biometric component, if not already in place, and modify 
software to include TWIC compatibility, but would not have to replace 
the entire system.
    The last option, described in detail above, would be the use of an 
existing PACS, with the inclusion of biometrics, with a facility-
specific access card that uses the TWIC as the baseline credential. 
This is purely a performance requirement, and would not require the use 
of government-approved equipment. In this case, the PACS would be 
required to match the TWIC against the list of cancelled TWICs and, if 
positively matched, automatically cancel the facility access card so as 
to not allow unescorted access to secure areas of the facility.
    Several commenters provided comments that addressed the specific 
types of approved card readers, but we believe that many of the 
concerns raised by commenters are resolved by the Coast Guard moving to 
a more flexible series of options for conducting electronic TWIC 
inspection. One commenter in a public meeting expressed concern that 
there was not an approved card reader which he could use for cost 
estimates. We note that the TSA now has a list of approved TWIC 
readers, which is available on the Coast Guard's Homeport site.\36\ One 
commenter suggested that this rule was not in alignment with the TSA's 
Request for Information regarding development of the QTL. We disagree, 
and note that the Coast Guard and TSA worked closely in developing and 
implementing the electronic TWIC inspection requirements. Furthermore, 
we note that with the additional flexibility afforded by this final 
rule, equipment to conduct electronic TWIC inspections is available at 
a wide variety of prices, depending on the manner in which electronic 
TWIC inspection is conducted. Additional information on cost estimates 
is provided in the final RA accompanying this final rule.
---------------------------------------------------------------------------

    \36\ We have also included the current version of the list in 
the docket USCG-2007-28915.
---------------------------------------------------------------------------

    Additionally, one commenter requested that software be included on 
the QTL. We note that the list of TWIC readers on the QTL includes TWIC 
reader and software pairings. Beyond the physical aspects of TWIC 
reader testing in terms of environmental or drop testing, a large 
portion of what is tested in the QTL process is the software.
    Other commenters suggested that, based on the TWIC Pilot Program, 
TWIC reader technology is still not ready for requiring TWIC readers at 
facilities, and requested that this final rule be delayed. Similarly, 
one commenter recommended that the Coast Guard only proceed with the 
rule if it was confident in the reliability of existing TWIC readers. 
We believe that not only has technology continued to improve, but also 
additional flexibility has been afforded in this final rule, both of 
which should alleviate problems with specific TWIC readers used in the 
pilot. Vessels and facilities required to conduct electronic TWIC 
inspection can choose from a wide variety of means so as to meet their 
budget and operational needs. Furthermore, the flexibility built into 
this final rule allows for future advancement of both card and reader 
technologies in a manner that will provide for further reductions in 
impact on business operations of the maritime industry.
b. PIN Pads and Biometric Input Methods
    One issue raised in the ANPRM was the use of PINs as part of the 
identification process. We note that upon getting a TWIC, each TWIC-
holder is required to remember a PIN. As proposed in the NPRM, under 
most circumstances, the TWIC-holder would not be required to provide 
the PIN when seeking access to secure areas, except as a backup measure 
when the TWIC-holder's biometric template is unreadable. For this 
reason, there is no requirement that access control systems have the 
capability to accept a PIN.
    Comments relating to the use of PINs were generally negative. 
Several commenters specifically argued against the use of PINs. Some 
commenters stated that because the PINs are rarely used, they are 
seldom remembered by TWIC-holders. We agree that rarely-used PINs will 
likely be forgotten, and thus the only people who would likely remember 
their PINs are those who use them regularly, such as those with 
impaired biometrics. Similarly, one commenter stated that 100 percent 
of cardholders would need to visit one of

[[Page 57665]]

the TWIC enrollment centers to reset or establish a new PIN in the 
event that the Coast Guard required PIN entry, implying that without 
regular use of PINs, they are quickly forgotten.
    PINs would not be required or permitted as a substitute for 
biometric identification of most users. Instead, this rule provides 
that PINs are available as an alternative only for individuals whose 
biometrics can not be read. The Coast Guard recognizes that for some 
people, taking a biometric read can be problematic. For example, people 
with severely injured fingers are often unable to have their 
fingerprints read. For such cases, the final rule provides an 
alternative means to ensure identity verification. As stated in Sec.  
101.520(c)(2), the use of a PIN plus a visual TWIC inspection is an 
acceptable alternative to a biometric match for individuals who are 
unable to have their biometric template captured at enrollment or who 
have unreadable biometrics due to injury after enrollment. For that 
reason, owners and operators may find it expedient to include an 
electronic reader with a PIN pad in at least some of their access 
control locations to accommodate people with unreadable biometrics.
3. Comments Related to Troubleshooting TWIC
    This section elaborates on certain programmatic issues relating to 
electronic TWIC inspection, specifically, how to address problems 
arising if either the electronic reader or access card malfunctions. In 
this section, we elaborate and expand on the provisions described in 
the NPRM as well as address issues raised by commenters.
    In the NPRM, the Coast Guard proposed regulations in Sec.  101.535 
that laid out requirements for TWIC inspection in special circumstances 
where a malfunction in the TWIC inspection system has occurred. In 
paragraph (a), we described how access could be granted in the event of 
a lost, stolen, or damaged TWIC card. In paragraph (b), we proposed how 
access could be granted in the event that a person's biometric template 
could not be read due to either technology malfunction or the inability 
of an individual to provide a biometric template. In paragraph (c), we 
proposed that in the event of a TWIC reader malfunction, an individual 
could still be granted unescorted access to secure areas for a period 
not to exceed 7 days, provided that individual has been granted such 
unescorted access in the past and is known to possess a TWIC. We note 
that the period in paragraph (c) was extended to 37 days in CG-FAC 
Policy Letter 12-04.
    Because the final rule, as written, sets forth a requirement for 
electronic TWIC inspection rather than specifically requiring that a 
TWIC be read by a TWIC reader, the text of this section needs some 
alterations to account for the new flexibility. We have integrated 
these alterations into the final regulatory text as detailed in the 
sections below. Furthermore, we have considered the requests and 
arguments of various commenters, and we are integrating many of the 
ideas presented into the final rule. Finally, we have attempted to 
modify and clarify the regulations where appropriate.
a. Lost, Stolen, or Damaged TWIC
    The NPRM proposed that if an individual cannot present a TWIC 
because it has been lost, damaged, or stolen, the individual could be 
granted unescorted access for a period of up to seven days if various 
conditions were met. The conditions include the individual previously 
having been granted unescorted access, being known to have had a TWIC, 
being able to present alternative identification, and having reported 
the TWIC as lost, stolen, or damaged to the TSA. This proposed language 
was derived from existing requirements in 33 CFR parts 104 through 106. 
Additionally, in CG-FAC Policy Letter 12-04, the Coast Guard allowed an 
individual to be granted unescorted access for an additional 30 days 
(for a total of 37 days of unescorted access), if the individual 
provided proof that a replacement TWIC had been ordered. Policy Letter 
12-04 also allowed unescorted access to those individuals with expired 
TWICs who had applied for a TWIC renewal prior to expiration.
i. Vessels and Facilities Using a PACS
    Because the final rule provides more flexibility for electronic 
TWIC inspection beyond presenting a TWIC for access control purposes, 
some of the issues addressed in Sec.  101.535 are significantly 
different if using a PACS to perform the electronic TWIC inspection. 
For example, if an employee's TWIC is stolen and the theft is reported 
to the TSA, the affected TWIC will be placed on the list of cancelled 
TWICs, but the employee will still be registered in the facility's 
PACS. However, upon attempting to gain access to a secure area, during 
the card validity check, the affected TWIC will appear on the list of 
cancelled TWICs, and thus fail the check. The revised final regulations 
are designed to allow a procedure where the employee can still be 
granted unescorted access until he or she can obtain a replacement TWIC 
and update his or her profile in the facility access control system 
with the information from the new TWIC. In this final rule, we have 
added Sec.  101.550(b), which allows unescorted access to secure areas 
to be granted by a facility operator for a period of up to 30 days if 
the TWIC appears on the list of cancelled TWICs if the individual is 
known to have had a TWIC and to have reported it lost, damaged, or 
stolen.

    Example:  An individual who works at a facility where the PACS 
has been linked to a TWIC card reports his or her TWIC as lost. When 
presenting his or her facility access card to the PACS, the card 
validity check will return a TWIC on the list of cancelled TWICs 
because the TWIC has been reported lost. The FSO confirms that the 
TWIC was reported as lost. In that instance, the PACS will recognize 
the status of the TWIC as cancelled, but can still grant unescorted 
access to secure areas to the individual for a period of up to 30 
days. If, after 30 days, the individual has not linked their 
facility access card to a valid TWIC, the PACS would have to deny 
unescorted access to secure areas to that individual.
ii. Vessels and Facilities Using TWIC Readers
    We proposed in Sec.  101.535 that vessel or facility operators 
using TWIC readers allow for temporary access in the case of a lost, 
stolen, or damaged TWIC. Specifically, the Coast Guard proposed that if 
a person is known to have had a TWIC, has previously been granted 
unescorted access, and can present another form of acceptable 
identification, and there are no other suspicious circumstances, then 
the operator may grant that person access for 30 days so that they can 
be issued a new TWIC.
    We received a wide variety of comments relating to the issue of 
lost or stolen TWICs. One commenter argued that any allowance for 
malfunctioning TWICs undermines the point of having the card at all. We 
disagree, and note that the procedure is necessary to ensure smooth 
operation of the TWIC system, and believe it contains enough safeguards 
so as not to function as a loophole in security.
    One commenter recommended splitting the CCL into separate 
categories, including categories of TWICs invalidated for 
``administrative reasons.'' We disagree, because the list of cancelled 
TWICs is intended to help screen out invalid cards regardless of the 
reason.
    Many commenters argued that the 7-day period proposed in Sec.  
101.535(a) is too short, and that the period should be extended, with a 
significant number of

[[Page 57666]]

these commenters referring to the 30-day extension of the 7-day period 
permitted by CG-FAC Policy Letter 12-04. Based upon the comments 
received, which indicated that it can take longer than 7 days to be 
issued a new TWIC, we have decided to include a 30-day period for this 
situation in section 101.550(b) of the final rule. We believe that this 
provides ample time to be issued a new TWIC, without presenting an 
undue security risk. When effective, this regulation will supersede the 
current guidance in CG-FAC Policy Letter 12-04, which allowed for a 
total of 37 days.
b. Transportation Worker Forgets To Bring TWIC To Work Site
    The existing regulations in 33 CFR parts 104 through 106, the 
policy arrangements in CG-FAC Policy Letter 12-04, as well as the 
proposed regulations in Sec.  101.535, only grant unescorted access to 
those individuals whose TWICs have expired or have reported their TWIC 
as lost, stolen, or damaged to the TSA. For all other individuals who 
fail to present a TWIC, unescorted access would be denied under 
proposed Sec.  101.535(d). Thus, under the proposed regulation, an 
employee who forgot his or her TWIC at home would not be permitted 
unescorted access to the facility, whereas an employee whose TWIC was 
stolen would be permitted unescorted access for a limited period of 
time.
    We received one comment relating to the issue of forgotten TWICs 
from a commenter who described such a situation in their submission to 
the docket for this rulemaking. This commenter suggested that we add an 
allowance for persons who forgot their TWIC at home. After reviewing 
comments on the proposed rule, we reiterate our existing position that 
persons who cannot present a valid TWIC, and have not reported their 
TWIC as lost, stolen, or damaged to the TSA, may not be granted 
unescorted access to a vessel or facility.
    We believe that providing an exemption for forgotten TWICs creates 
a potential degradation in security and additional risks that outweigh 
the benefits. Unlike the situation where a TWIC has been reported as 
stolen or lost to the TSA and is therefore no longer valid which can be 
verified by checking the list of cancelled TWICs, a claim of a 
forgotten TWIC cannot be validated.
    Instead, we reiterate that under current regulation at Sec.  
101.514(a), unless exempted from the TWIC requirements by Sec.  
101.514(b), (c), or (d), all persons must physically possess a TWIC, or 
undergo electronic TWIC inspection, prior to being granted unescorted 
access to a secure area of a vessel or facility. Persons who do not 
physically present a TWIC or undergo electronic TWIC inspection, and 
have not reported their TWIC as lost, stolen, or damaged to the TSA, 
may not be granted unescorted access.
c. Inaccessible Biometrics
    In the NPRM, we proposed two secondary authentication procedures 
that could be followed in the event that a person's biometric template 
could not be read by a TWIC reader or PACS due to a technology 
malfunction or low quality biometric template. These alternatives were 
listed in proposed Sec.  101.535(b), and allowed either the input of a 
PIN or the use of an alternative biometric that has been incorporated 
into the PACS. Given the change from requiring a TWIC reader to 
requiring electronic TWIC inspection, some changes to this section are 
needed as well. We discuss changes to this section and comments 
received below.
    One commenter suggested that people with unreadable biometric 
templates should be allowed to use a PACS card in addition to a PIN or 
alternate biometric. We agree, and note that under the final 
regulations, given that input of biometric information (including 
alternatives to fingerprints) into a PACS reader may now be a common 
manner of completing identification verification, the use of a PACS 
card in conjunction with an alternative biometric will be an accepted 
regular way to conduct an electronic TWIC inspection.
    However, upon consideration, we do not believe that the input of a 
PIN alone is equivalent to biometric identification. Biometric 
identification allows the facility to ascertain with a high degree of 
certainty whether the individual requesting access is the TWIC-holder. 
On the other hand, commenters noted that other methods of 
identification verification will not detect counterfeit, stolen, or 
borrowed TWICs. Similarly, the use of a PIN alone will not detect a 
borrowed TWIC or PACS card or, potentially, a stolen TWIC or PACS card, 
if the PIN has been illicitly obtained.
    Nonetheless, the Coast Guard believes that a method for 
accommodating persons with unreadable biometrics is important. In such 
cases, we believe that visual TWIC inspection, when combined with the 
PIN, provides enough certainty as to be an acceptable alternative to 
biometric identification. Combining visual identification with the PIN 
will help to ensure that stolen and borrowed cards are difficult to 
use.
    Thus, in this final rule, we are modifying the provision in 
proposed Sec.  101.535(b), which allowed for PINs to be used in lieu of 
biometric matching, to include a requirement for visual identification 
in addition to the PIN. The new provision is located in Sec.  
101.550(c) of this final rule. We believe that this provision would 
present few problems, as people could use their TWICs for visual 
identification. Alternatively, if a PACS PIN is assigned and stored in 
the access control system, an employee with unreadable biometrics could 
enter his or her PIN and present a PACS card or driver's license to 
conduct a visual identification check.
d. Malfunctioning Access Control Systems
    In the NPRM, we proposed a mechanism by which persons could be 
granted unescorted access to secure areas if a TWIC reader 
malfunctioned. Specifically, proposed Sec.  101.535(c) allowed owners 
and operators to use visual checks for a period of 7 days if a TWIC 
reader malfunctioned. In light of the change in this final rule from 
the required use of TWIC readers to the more flexible requirement for 
electronic TWIC inspection for Risk Group A vessels and facilities, we 
are making some conforming changes and clarifications to this 
procedure. We received several comments on the matter, which are 
addressed below.
    Upon consideration of this policy, we believe that a clause 
automatically allowing the use of visual TWIC inspections in lieu of 
biometric matching presents a serious security concern. As one 
commenter argued, any allowance for malfunctioning TWICs undermines the 
point of having the card at all. The Coast Guard agrees, and believes 
that allowing the use of visual TWIC inspections in lieu of biometric 
matching degrades security. This final rule represents a concerted 
effort to significantly upgrade the security at a relatively small 
group of high-risk vessels and facilities. Given the importance of 
security, we would not expect vessels or facilities to have only a 
single TWIC reader, but expect some redundancy in the system, and note 
that two commenters strongly echoed the view that redundancy is needed 
in any critical system. We would agree that, as a practical matter, the 
minimum number of electronic readers (either dedicated TWIC readers or 
those integrated into a PACS) at a facility or onboard a vessel would 
be two, in case one malfunctioned. As discussed in the RA, using the 
TWIC pilot data we estimated the average number of electronic readers

[[Page 57667]]

required by this final rule by facility and vessel types at a minimum 2 
per vessel and 4 per facility (Tables 4.3 and 4.4 of the RA). While the 
TWIC readers on the QTL have been tested to ensure a degree of 
reliability, there are many factors external to the testing process 
that could cause any one individual electronic reader to fail. The 
immediate availability of a backup electronic reader should one fail 
(as documented in the relevant security plan) would allow a vessel or 
facility to maintain the appropriate level of security for access 
control and continue operating without further burden. Due to the 
security concerns discussed in this paragraph, we are removing from the 
final rule the proposed provision in Sec.  101.535 that would have 
permitted automatic transition to visual TWIC inspections in the event 
of an electronic reader malfunction. As stated above, based on 
discussions with industry we expect that owners and operators will have 
an additional functioning electronic reader to use in those instances 
in case of equipment failures or malfunctions (Sec. Sec.  104.260(c) 
and 105.250(c)). If the owners and operators plan for malfunctions as 
existing regulations require, there should be no significant disruption 
of operations. Further, in the unlikely event that both primary and 
redundant electronic readers malfunction, the owner or operator could 
obtain permission from the Captain of the Port (COTP) to continue 
operating.
    Two commenters suggested changing the language in proposed Sec.  
101.535(c) from a ``reader malfunction'' to ``in the event of an access 
control system failure,'' noting that many other systems (such as the 
software or electricity) could fail, thus rendering an electronic 
reader inoperable. As we are deleting this exemption in this final 
rule, the language question is no longer at issue.
    Commenters also suggested that 7 days is not sufficient to correct 
all problems that can result in a TWIC malfunction. They noted that it 
might take longer to procure parts, especially after a major regional 
disaster or holiday, and that a 15-day period where visual TWIC 
inspection is permitted would be more reasonable. On the other hand, 
one commenter suggested that it should take only hours to repair a 
malfunctioning TWIC reader. In this final rule, we are removing this 
provision. Thus, restoration of an access control system will be 
handled in accordance with the procedures for the reporting 
requirements for non-compliance in Sec. Sec.  104.125, 105.125, and 
106.125, which require the owner or operator to notify the cognizant 
Captain of the Port and either suspend operations or request and 
receive permission from the COTP to continue operating. Similarly, in 
the event of a total system collapse or regional disaster, the COTP 
will work with the affected organization to restore an access control 
system as expeditiously as possible.
    The following examples provide illustrations relating to scenarios 
involving the failure of an access control system:

    Example:  A facility using TWIC readers at five access points 
suffers equipment failure of TWIC readers at two of those access 
points. The facility would still be able to permit unescorted access 
through the remaining three access points. Unescorted access could 
also be granted using portable TWIC readers at the two affected 
access points immediately in accordance with the FSP. The facility 
would be required to notify the COTP that this equipment failure 
took place but could continue operations using the remaining TWIC 
readers.

    Example:  A computer virus causes a facility's PACS to become 
completely inoperable, but the FSP contains an alternative where 
access is controlled through the use of portable TWIC readers, 
compliant with Sec.  101.520, at each access point to secure areas. 
The facility would be required to notify the COTP that such a 
failure of the PACS had occurred, but could continue operations 
uninterrupted by using the portable TWIC readers.

    Example:  A computer virus causes a facility's PACS to become 
completely inoperable, and the FSP does not contain an alternative 
means of conducting electronic TWIC inspection. The owner or 
operator could request permission from the COTP to conduct visual 
TWIC inspections for a limited time until the PACS is operational. 
Grants of unescorted access to secure areas would have to be 
suspended until such permission was granted by the COTP.

    Multiple commenters suggested that in the event that a TWIC reader 
malfunctions, a facility should be immediately able to continue to 
process workers using an alternative means defined in a security plan, 
rather than requesting approval from the COTP to do so. One commenter 
also suggested that an after-the-fact review by the Coast Guard could 
be used in such circumstances. We note that the proposed text of Sec.  
101.535(c) in the NPRM did not propose to require COTP authorization to 
allow continuing operation for a period of 7 days, so we are unsure of 
the provision to which the commenter may be referring. Nonetheless, the 
final regulatory text allows a facility to immediately continue to 
process workers using an alternative means as defined in an approved 
security plan as required by Sec. Sec.  104.260(c) and 105.250(c) 
without additional COTP approval.
    One commenter suggested that the Facility Security Officer (FSO) 
should be able to determine if there are mitigating circumstances that 
need to be implemented for a temporary time frame. In such a case, the 
commenter suggested that the facility would conduct visual 
identification verification in lieu of electronic TWIC inspection. We 
disagree with this suggestion, for the reasons described above. The 
commenter also requested that the COTP be able to waive TWIC 
requirements in certain circumstances. We note that the COTP has the 
power to waive requirements or impose alternative equivalent measures 
generally.
    One commenter requested clarification on procedures to be used if 
TSA's Web site is inaccessible and they are unable to access updates to 
the CCL. In general, the owner or operator of an access control system 
is required to download the TSA-supplied list of cancelled TWICs 
(currently, the CCL) periodically, depending on the MARSEC level, 
pursuant to Sec.  101.525 of this final rule. However, if the problem 
with downloading the list is out of the operator's control, such as the 
TSA Web site being down for an extended period of time, we would 
consider it acceptable to continue to operate the access control system 
by using the most recent version of the list available.
e. Requirements for Varying MARSEC Levels
    In the NPRM, we proposed requirements for Risk Group A vessels and 
facilities that would vary based on the MARSEC level. MARSEC levels are 
set to reflect the prevailing threat environment of the maritime 
transportation system, including ports, vessels, facilities, and 
critical assets and infrastructure located on or adjacent to waters 
subject to the jurisdiction of the United States. Specifically, we 
proposed to require that at MARSEC Level 1, during the card validation 
process, a TWIC must be checked against a version of the list of 
cancelled TWICs that is no more than 7 days old. However, at higher 
MARSEC levels, we proposed that the version of the list used to conduct 
the card validity check be no more than one day old. Several commenters 
responded to this issue, and offered remarks relating to the use of 
MARSEC levels overall.
    One commenter agreed with the Coast Guard's proposal to require, at 
a minimum, weekly updates of the CCL at MARSEC Level 1 and daily 
updates of the CCL at higher MARSEC levels.

[[Page 57668]]

Another commenter stated that we did not adequately clarify how 
different MARSEC levels would interact with Risk Groups A, B, and C. In 
response, we note that vessels and facilities that were proposed to be 
classified as Risk Groups B or C are not affected by this final rule, 
and that MARSEC interacts with Risk Group A as described in Sec.  
101.525. We have moved the MARSEC level requirements to this separate 
section to improve clarity.
    Several commenters suggested that electronic TWIC inspection should 
only consist of card validation and card authentication at MARSEC Level 
1, and that the Coast Guard should provide the flexibility for them to 
use electronic TWIC inspection for biometric matching purposes at 
higher MARSEC levels, or require it only at those levels. Other 
commenters recommended that electronic TWIC inspection should only be 
required once per day at MARSEC Level 1, with additional measures, such 
as full electronic TWIC inspection or random spot checks, implemented 
only at higher MARSEC levels. One commenter recommended that electronic 
TWIC inspection be used only at higher MARSEC levels, with visual TWIC 
inspections performed the rest of the time. We disagree with these 
suggestions. We believe that Risk Group A vessels and facilities should 
be secured at all times, not just at rare moments of heightened alert, 
and that biometric identification, one of the TWIC's strongest security 
features, should be used regularly. Based on the experience with the 
pilot, we also believe that consistency in electronic TWIC inspection 
processes is important, as varying use of security features can create 
confusion that can hinder operations.
    One commenter suggested that the CCL should be updated daily at all 
MARSEC levels, not just at MARSEC Levels 2 and 3. Similarly, one 
commenter stated that the CCL should be continually updated at all 
times. The commenter stated that once an automated method is 
established to do this, there is no additional cost associated with the 
increased frequency. While we do agree that, if automated, it is simple 
to update the list of cancelled TWICs, we note that not all operators 
use an automated system at this time. While we realize that some larger 
operations can set up automatic updates of the list, other operations 
may need to conduct such updates manually. In our RA, we calculated 
that it takes 30 minutes to update the CCL. For that reason, we have 
only required in 33 CFR 101.525 that the list of cancelled TWICs be 
updated daily during periods of heightened risk according to the 
specified MARSEC level. We note that the required periods to update the 
list are considered minimum requirements, but operators are free to 
update more often if desired.
    One commenter asked if electronic TWIC inspection requirements 
should be applied to Risk Groups B and C at higher MARSEC levels. We do 
not believe it should. This would require those vessels and facilities 
to purchase and install equipment for electronic TWIC inspection for 
use during those periods of heightened alert, dramatically increasing 
the costs of the rule for what we believe is, at this time, 
comparatively little corresponding benefit. Furthermore, changing 
electronic TWIC inspection procedures at irregular and long-spaced 
intervals can cause confusion that could impair operations.
4. Recordkeeping Requirements
    In the NPRM, the Coast Guard proposed specific recordkeeping 
requirements relating to the use of TWIC readers in vessels and 
facilities. These proposals, in proposed Sec. Sec.  104.235(b)(9) and 
105.225(b)(9), specified that owners or operators must keep records of 
each individual granted unescorted access to a secure area, which would 
include the FASC-N, date and time that unescorted access was granted, 
and the individual's name (if captured). The NPRM also proposed to 
require that owners or operators keep documentation demonstrating that 
they had updated the CCL with the required frequency. The NPRM proposed 
a 2-year minimum retention time for such records, and specified that 
TWIC reader and PACS readers were sensitive security information (SSI), 
protected under 49 CFR 1520. We received several comments on the 
subject of recordkeeping, which are discussed below.
    Many commenters suggested that the 2-year recordkeeping requirement 
was too long. One commenter supported the 2-year recordkeeping 
requirement, although noted that a shorter period would not be 
objectionable if the 2-year requirement was deemed overly burdensome or 
unnecessary. Another commenter suggested the period was an issue of 
concern, and that the Coast Guard should provide the rationale behind 
the requirement to retain records for 2 years rather than any other 
amount of time. The same commenter added that the argument for 
consistency with other recordkeeping requirements did not justify the 
burden of a 2-year requirement, although the commenter did not suggest 
an alternative timeframe. One commenter recommended that the records be 
retained for only 30 days, noting that this would be less burdensome.
    In this final rule, as explained in more detail below, we are 
maintaining the 2-year timeframe for record retention as we do not 
believe it is unduly burdensome or unnecessary. We also disagree with 
the commenter that consistency with all other MTSA-related records is 
an insufficient rationale for requiring records to be kept for a 2-year 
period. We believe that if differing records were required to be kept 
for varying amounts of time, it would needlessly complicate the storage 
of those records and potentially add additional expenses.
    One commenter stated that the 2-year retention period presents 
opportunities for the information to be mishandled or misused, and thus 
should be shorter, although no specific timeframe was suggested. While 
we realize that storing data for any period of time can result in 
misuse or mishandling, we note that the information is protected as 
SSI, and thus is subject to comparatively strict usage and storage 
controls. We believe that the risk of misuse or mishandling of the 
information is far outweighed by the security value of collecting and 
storing the data for use in security investigations. The commenter also 
stated that a shorter window would provide law enforcement sufficient 
data to assist in security investigation, but no alternative window was 
suggested nor supporting information supplied. Without additional 
information, we are not deviating from the 2-year period proposed in 
the NPRM and used in all other MTSA-related recordkeeping requirements.
    This commenter also stated that 46 U.S.C. 70105(e) implies that 
information gathered by a TWIC reader from a worker's card must not be 
shared with an employer or otherwise publicly released. We do not 
believe that this characterization is correct. 46 U.S.C. 70105(e)(1) 
reads as follows: ``Information obtained by the Attorney General or the 
Secretary under this section may not be made available to the public, 
including the individual's employer.'' This restriction only applies to 
information obtained by the Attorney General or the Secretary, and 
includes information received by the Coast Guard. The information 
generated by electronic TWIC inspection is obtained by a private entity 
(the facility or vessel owner or operator) to whom the restriction in 
46 U.S.C. 70105(e)(1) does not apply.
    However, and as the commenter noted, some information collected by

[[Page 57669]]

the TWIC reader or PACS is considered SSI, and is thus protected from 
unauthorized disclosure under 49 CFR part 1520. The commenter 
recommended that the Coast Guard consider all electronic reader 
records, whether of an individual or of an aggregated group, be 
restricted to security use only and explicitly forbidden to be used in 
labor-management issues (such as establishing hours worked or reporting 
criminal activity).
    Not all electronic reader records qualify as SSI and thus some 
information concurrently collected during electronic TWIC inspection 
can appropriately be used by an owner/operator for non-security but 
still legitimate purposes without violating 49 CFR 1520. The preamble 
of the NPRM contains clear guidance regarding the treatment of certain 
information collected by electronic TWIC inspection. In that document, 
we clearly stated that ``[w]e consider a TWIC-holder's name and FASC-N 
to be SSI under 49 CFR 15.5.'' We went on to explain that ``to the 
extent that a PACS contains personal identity [including the FASC-N] 
and biometric information, it contains SSI, which must be protected in 
accordance with 49 CFR part 15.'' \37\ However, an important aspect of 
this final rule is that it allows electronic TWIC inspection to be 
integrated with a facility's PACS, which serves many other purposes 
beyond security and contains non-SSI information. For example, PACSs 
are legitimately used to restrict access for non-security purposes 
(such as private or dangerous areas) and to help establish the hours 
worked by employees. Owners and operators of facilities have valid uses 
for the non-private information not covered in the SSI regulations but 
still collected by a PACS regarding the location of personnel on their 
property.
---------------------------------------------------------------------------

    \37\ 78 FR 17806-7.
---------------------------------------------------------------------------

    One commenter requested specific information regarding the 
requirements established for owners or operators to secure the privacy 
of individual cardholders. We note that we have not established any new 
requirements in this rule for such safeguarding because the SSI 
requirements are already sufficiently comprehensive. See 49 CFR part 15 
for regulations covering restrictions on disclosure, persons with a 
need to know, marking, consequences of unauthorized disclosure, and 
proper destruction of SSI.
    The Coast Guard weighed privacy and security concerns in the 
development of this requirement. To minimize the amount of personally-
identifiable information transferred from the TWIC to the TWIC reader, 
TWIC readers are specifically designed to only collect the minimum 
amount of information necessary to assist in access control and 
maritime security. Owners and operators who collect and maintain 
protected data from electronic TWIC inspections cannot share this 
information outside of their vessel or facility. The only allowable 
sharing is back to the TSA or to the Coast Guard for auditing or law 
enforcement purposes, or to assist with customer redress.\38\
---------------------------------------------------------------------------

    \38\ See 49 CFR part 1520.
---------------------------------------------------------------------------

    Owners and operators are also bound by the restrictions on 
disclosure of SSI.\39\ Unauthorized disclosure of SSI is grounds for a 
civil penalty and other enforcement or corrective action by DHS, and 
appropriate personnel actions for Federal employees. Corrective action 
may include the issuance of an order requiring retrieval of SSI to 
remedy unauthorized disclosure, or of an order to cease future 
unauthorized disclosure.
---------------------------------------------------------------------------

    \39\ See 49 CFR 15.9(a)(1).
---------------------------------------------------------------------------

    Two commenters suggested that SSI requirements should not apply to 
electronic TWIC inspection records if no personally-identifiable 
information is recorded (i.e., only the FASC-N, date, and time of the 
transaction is recorded). We note that pursuant to 49 CFR 
1520.5(b)(11)(i)(A), SSI includes identifying information of certain 
transportation security personnel, which includes ``Lists of the names 
or other identifying information that identify persons as . . . having 
unescorted access to . . . a secure or restricted area of a maritime 
facility, port area, or vessel.'' This information is specifically 
addressed in the recordkeeping requirements of this final rule. For 
example, Sec.  105.225(b)(9) states that the TWIC Reader or PACS system 
must capture the ``FASC-N, date and time that unescorted access was 
granted; and, if captured, the individual's name.'' If such information 
was captured, it would be considered SSI.
    Commenters also suggested additional information that could be 
collected during electronic TWIC inspection. One commenter suggested 
that an electronic TWIC reader transaction should also include an 
identifier for the specific electronic reader device, and if it is a 
portable electronic reader, an identifier for the operator of the 
device. The commenter suggested that this information would enhance the 
usefulness of an audit trail. While we see that there could be some 
value in having this information recorded, we believe that it would be 
overly complex to add this information into the suite of recorded 
information at this time, and the value of such information would not 
be worth the additional cost. We note that such information might be 
gathered from other sources even without a requirement to collect it in 
this final rule. Nonetheless, should we reconsider the scope of data 
collection for electronic TWIC inspection in future rulemakings, we 
will consider this suggestion.
    Two commenters recommended that recordkeeping requirements should 
be extended to situations where an electronic TWIC inspection is not 
used, such as visual TWIC inspections, RUA, and escorted access. One 
commenter suggested that without recordkeeping requirements for visual 
TWIC inspection, there is no incentive--other than avoiding the 
consequences of being caught--to actually conduct visual TWIC 
inspections. We disagree with these comments. A recordkeeping 
requirement for visual TWIC inspections would mean that each owner or 
operator would need to record information on each TWIC inspection. We 
would need to demonstrate that the cost of such a requirement is 
justified before imposing it on the regulated population. In that 
regard, we note that in 2013, the Coast Guard conducted 12,171 
inspections at MTSA-regulated facilities for compliance with the 
regulations in 33 CFR part 105. As part of those inspections, Coast 
Guard personnel spot-checked 52,708 TWICs, finding a validity rate of 
greater than 97 percent. In light of the high validity rate, we do not 
believe that a recordkeeping requirement for visual TWIC inspections is 
appropriate or necessary.
    One commenter also suggested that there should be recordkeeping 
requirements for when a person is granted unescorted access through the 
``special circumstances,'' described in Sec.  101.550 of the final 
rule, such as if he or she had reported their TWIC as lost or stolen. 
In the NPRM, we did not propose any requirements that records be kept 
for transactions that do not make use of electronic TWIC inspection. 
While such a suggestion is outside the scope of this final rule, we 
will consider it in future regulatory actions.
    Furthermore, we are not creating new requirements for visual 
inspections in this final rule, including any recordkeeping 
requirements. This final rule pertains to requirements for electronic 
TWIC inspection. Requirements pertaining to other means of access, 
including access granted through visual TWIC inspection or escorted 
access to a secure area, are

[[Page 57670]]

outside the scope of the final rule. We do note that electronic TWIC 
inspection is a prerequisite for RUA, and thus a record is created when 
that transaction occurs. However, due to the nature of RUA, no 
additional records are kept outside of the electronic TWIC inspection 
transactions. Such recordkeeping would be burdensome and defeat the 
purpose of RUA.
    One commenter suggested that the lack of criteria or specificity as 
to what the required records should contain severely limits their 
efficacy. We believe that the NPRM was clear on what records are 
required to be kept, but we will discuss them here in greater length. 
Specifically, a record should be kept of each instance in which a 
person is granted unescorted access to a secure area. This record must 
contain the FASC-N of the TWIC issued to the person granted unescorted 
access. If the TWIC reader or PACS captures the individual's name, the 
name associated with the TWIC must also be part of the record. Finally, 
the record must include the date and time the person was granted 
unescorted access (the time can be rounded to the nearest minute; it is 
not required that the precise second that access was granted be 
captured, although it is acceptable to be more precise). As noted in 
the NPRM, ``we allow individual regulated parties to determine the best 
method and manner of complying with the recordkeeping requirements.'' 
\40\
---------------------------------------------------------------------------

    \40\ 78 FR 17806.
---------------------------------------------------------------------------

    The commenter also requested additional justification for the 2-
year period, stating that neither the argument for consistency nor the 
argument for law enforcement justify the length of time to hold 
records. As stated in the NPRM, the timeframe was designed, in part, 
for consistency with existing security-related and other recordkeeping 
requirements applicable to vessels and facilities, and we note that all 
other security recordkeeping requirements in the affected sections are 
subject to a 2-year retention period. In response to the commenters who 
requested additional justification, we would add that investigations of 
TSIs can involve analysis of data that stretches back for that amount 
of time, and we want to ensure that any historical data that could be 
useful is available. We believe that a 2-year period is an appropriate 
amount of time to ask owner operators to store data to ensure that no 
investigation is limited due to the unavailability of relevant data. We 
continue to believe that a uniform timeframe for recordkeeping 
requirements, when practicable, provides the most efficient regulatory 
system, and that the costs of storing data are minor compared to the 
security benefits provided.
    The commenter also referred to the 2013 GAO report, noting its 
concern that the TWIC Pilot Program had difficulties collecting 
accurate, consistent data from the pilot sites.\41\ While we are aware 
of the GAO's criticisms of the TWIC Pilot Program, we do not believe 
those data collection concerns are relevant to the data collection 
proposed by the implemented electronic TWIC inspection regulations. 
Beyond the fact that both involved data collections, the nature and 
uses of the data collected in the two programs are very dissimilar. For 
example, among many other items that related to the overall operation 
of the facilities at issue, the Pilot Program collected data on the 
number of people using TWIC readers, the amount of time taken per 
transaction, and the failure rates for transactions. These are very 
different data than collected by electronic TWIC inspection, which 
collects items such as the FASC-N. The data collected by electronic 
TWIC inspection is narrowly tailored to assist the Coast Guard and 
other law enforcement agencies in investigating TSIs, and the 
criticisms of data collection on the Pilot Report are not analogous.
---------------------------------------------------------------------------

    \41\ ``Transportation Worker Identification Credential: Card 
Reader Pilot Results Are Unreliable; Security Benefits Need to Be 
Reassessed'' (GAO-13-198) is available in the docket by following 
the instructions in the ADDRESSES section of this preamble.
---------------------------------------------------------------------------

    One commenter stated that the recordkeeping requirements proposed 
in the NPRM would create a large amount of data and may need to be 
stored in a media that is not immediately accessible. The commenter 
requested that the final rule allow a reasonable amount of time to 
retrieve and produce the electronic records when requested. We agree 
with the commenter that a reasonable amount of time will be permitted 
to produce any requested records. This final rule deals only with 
recordkeeping requirements; it does not specify a timeframe for record 
retrieval.
    One commenter requested clarification of a specific situation: a 
Port Authority operates a cruise terminal which uses an FSP, but when a 
cruise ship is in port, the cruise security line operates under its own 
FSP. The commenter asked who would be responsible for maintaining the 
records. Based on the information described in this situation, the 
owner or operator of the TWIC reader or PACS system conducting the 
electronic TWIC inspection would be responsible for maintaining the 
required records of those transactions. However, we note that 
recordkeeping requirements for any particular facility would be 
described in the FSP and that different situations may yield different 
results, but that these issues would be resolved during approval of the 
FSP.
    Similarly, another commenter described a scenario where a private 
security company and a public entity share a facility. The commenter 
asked if the entities would need to share records. In response, we note 
that there is no requirement to share records, and that the owner or 
operator of the TWIC reader or PACS conducting the electronic TWIC 
inspections is the entity required to keep the records. Which entity is 
responsible for recordkeeping should also be addressed in the FSPs.
    One commenter requested that, if a non-Risk Group A facility were 
to use electronic TWIC inspection on a voluntary basis, they should not 
be subject to the electronic recordkeeping requirements in proposed 
Sec.  105.225(b)(9) and (c). Assuming that a facility is using 
electronic TWIC inspection on a voluntary basis to replace visual TWIC 
inspection, pursuant to the guidance in PAC 01-11, we disagree. If 
replacing security personnel with electronic TWIC inspection, then all 
elements of such an inspection, including recordkeeping requirements, 
would have to be met. Maintaining the electronic records as required 
provides additional security and information in case of a security 
breach in the future. Visual inspection programs are not required to 
maintain this type of information due to the large amount of time 
needed to manually enter the same information.

C. When To Conduct Electronic TWIC Inspection

    One of the areas in which the Coast Guard received the most 
comments on the proposed rule was the issue of when a TWIC must be 
read. Specifically, the NPRM used language that stated, ``prior to each 
entry, all persons seeking unescorted access to secure areas [must] 
present their [TWIC] for inspection before being granted such 
unescorted access'' (this language was used in proposed Sec. Sec.  
101.520(a)(1), 101.525 introductory text, and 101.530 introductory 
text).
    Many commenters asked for clarification regarding this language, 
specifically relating to issues of where TWIC readers should be 
located, and to what specifically ``prior to each entry'' referred. 
Despite using identical language in the proposed regulatory

[[Page 57671]]

text, the requirement for when to perform electronic TWIC inspection is 
very different for vessels than it is for facilities. With regard to 
vessels, we stated in the NPRM that ``for vessels, this NPRM proposes 
to require TWIC readers at the access points to the vessel itself, 
regardless of whether the secure area encompasses the entire vessel.'' 
\42\ On the other hand, with regard to facilities, we stated that 
``this NPRM proposes to require TWIC readers at the access points to 
each secure area,'' \43\ which could necessitate a large number of TWIC 
readers in facilities like passenger facilities, many of which have 
multiple access points to secure areas within the facility. Similarly, 
the NPRM RA reflected this information, estimating that each facility 
might use a number of TWIC readers (passenger facilities, with many 
access points to secure areas, were estimated to require an average of 
16 TWIC readers each), whereas each vessel might only be equipped with 
one or two, reflecting the fact that they would only be deployed at the 
entrances to the vessels, not at each access point to a secure area 
within the vessel.
---------------------------------------------------------------------------

    \42\ 78 FR 17803.
    \43\ 78 FR 17803.
---------------------------------------------------------------------------

    Nonetheless, we recognize the confusion brought on by the proposed 
language. One commenter, for example, requested a clarification of the 
reference to ``each entry'' to a facility or vessel secure area. The 
commenter noted that passenger vessels and facilities included 
restricted areas, employee access areas, and passenger areas, and it 
was unclear from the NPRM where the electronic TWIC inspection 
requirements would be applied. In this final rule, we have used 
language that we believe more clearly describes the specific 
requirements of the rule. We broke the language down into two separate 
paragraphs, one for vessels (see Sec.  101.535(a)), and one for 
facilities (see Sec.  101.535(b)), using slightly different language 
for each. The final regulatory text for facilities now states, ``Prior 
to each entry into a secure area of the facility,'' while the final 
regulatory text for vessels now states, ``Prior to each boarding of the 
vessel.'' While the language is slightly modified, we believe it more 
clearly implements the proposed requirements in the NPRM.

1. Secure, Restricted, Public Access, Passenger Access, and Employee 
Access Areas

    In terms of clarifying that an electronic TWIC inspection must be 
performed prior to each entry into a secure area (for facilities), we 
believe that it is important to clarify the term ``secure area,'' as 
well as explain the differences between secure areas and other types of 
areas on MTSA-regulated vessels and facilities. Many commenters asked 
questions that indicated the difference between secure areas, 
restricted areas, employee access areas, public access areas, and 
passenger access areas was not entirely clear. In this section, we 
discuss the definitions of these types of areas, given their 
definitions in 33 CFR part 101, as well as the additional explanation 
offered in NVIC 03-07 and other documents.
    The statutory requirement for TWIC readers, stated in 46 U.S.C. 
70105(a)(1), requires that anyone granted unescorted access to a secure 
area of a vessel or facility maintain a valid TWIC. Secure areas are 
defined in 33 CFR 101.105. The relevant portion of the definition 
states that ``Secure area means the area on board a vessel or at a 
facility over which the owner/operator has implemented security 
measures for access control in accordance with a Coast Guard approved 
security plan. It does not include passenger access areas, employee 
access areas, or public access areas.''
    The concept of a secure area is explained in more detail in NVIC 
03-07, enclosure (3). Section 3.3b of that document explains that ``for 
facilities, the secure area is the entire area within the outer-most 
access control perimeter of the facility, with the exception of public 
access areas, and encompasses all restricted areas.'' Similarly, ``for 
vessels and OCS facilities, the secure area encompasses the entirety of 
a vessel or OCS facility, with the exception of passenger or employee 
access areas for vessels.''
    Existing regulations distinguish between the secure area and areas 
designated as ``restricted.'' The term restricted area, as defined in 
existing 33 CFR 101.105, means ``the infrastructures or locations 
identified in an area, vessel, or facility security assessment or by 
the operator that require limited access and a higher degree of 
security protection [than secure areas].''
    NVIC 03-07 also goes into detail explaining the difference between 
secure and restricted areas, noting that by virtue of the fact that the 
secure area encompasses the entire facility or vessel (with the 
exclusion of public, passenger, and employee-access areas), restricted 
areas fall within this perimeter.
    Multiple commenters with facilities expressed concerns about the 
existence of multiple secure areas within any one facility, and what 
access control measures would be required by this final rule. Other 
commenters represented both vessels and facilities, but had similar 
concerns with regard to the differences among secure, restricted, and 
public access areas. The definitions of secure and restricted areas 
have implications when determining where to locate electronic TWIC 
inspection locations on various facilities. These locations would be 
marked in an FSP or a VSP. Given the requirement that electronic TWIC 
inspection be conducted ``prior to each entry'' into a secure area (for 
facilities), we would anticipate that the inspection points at 
facilities would be located at the access points to secure areas. For 
example, in a chemical cargo facility the entire facility may be 
considered a secure area, as security measures for access control may 
surround the entire facility. Such a facility would likely only conduct 
electronic TWIC inspection at the entrance to the facility. 
Alternatively, a facility might categorize the parking lot as a 
``public access area'' so that employees and visitors can park, and 
electronic TWIC inspection could be conducted at the access point from 
the parking lot into the secure area of the facility. We note that a 
second round of electronic TWIC inspection is not required when passing 
from a secure area to a restricted area, although we would anticipate 
other security measures to be in place.
    For passenger facilities, the majority of the areas may be 
designated ``public access areas,'' ``passenger access areas,'' or 
``employee access areas'' (such as break rooms). In such an instance, 
electronic TWIC inspection points may only be located at entrances to 
secure areas such as the pier or FSO's office. The Coast Guard 
acknowledges the confusion surrounding this issue, which is why we have 
included a clarifying revision to 33 CFR 103.505, Elements of the Area 
Maritime Security (AMS) Plan, in which a parenthetical reference to the 
TWIC program may create confusion regarding whether TWIC provides 
access control for secure or restricted areas. This final rule creates 
electronic TWIC inspection requirements for access to secure areas, and 
does not address requirements for access control to restricted areas.
    Finally, we note the concerns commenters had relating to secure 
areas on water. One commenter noted that the water where barge fleets 
are located is considered a secure area, but the area was only 
accessible by boat. The commenter questioned how electronic TWIC 
inspection could be conducted in such a situation. Similarly, another 
commenter requested that they be allowed to conduct electronic TWIC 
inspections on shore before entering

[[Page 57672]]

barge fleeting areas, as otherwise there would be no way to conduct an 
electronic TWIC inspection. Another commenter noted that the only 
``access point'' into such secure areas may be a towing vessel with the 
dedicated purpose of guarding the area.
    These commenters raise important issues as to how we would apply 
the electronic TWIC inspection process to secure areas on water, such 
as barge fleeting facilities. Upon consideration, we do not believe 
that requiring electronic TWIC inspection prior to entering such areas 
would be practical, as there is no particular access point to such an 
area that can be controlled by a TWIC reader. Electronic TWIC 
inspection would instead be required at the barge fleeting facility's 
shore side location.
    Many commenters representing vessels were concerned about a 
situation involving a passenger vessel (potentially in Risk Groups B or 
C) with multiple secure areas and no one standing watch at the 
entrances to each secure area. We note that while the electronic TWIC 
inspection requirements are different for vessels than for facilities, 
the definitions of secure areas and restricted areas are similar. On 
non-passenger vessels, generally the entire vessel is considered a 
secure area. Certain areas within the vessel may have higher levels of 
security, and those would be considered restricted, which again are not 
impacted by this final rule. On passenger vessels, while security 
measures would still encompass the vessel, only certain areas would be 
considered secure, as passenger access areas and employee access areas 
are excluded from the definition of secure areas. As described below in 
Section V.C.2 of this preamble, because electronic TWIC inspection on 
vessels is only conducted when boarding the vessel, the exact location 
of secure and restricted areas on a vessel would not affect the 
placement of electronic TWIC inspection points.
a. ``Prior to Each Entry'' for Risk Group A Facilities
    In this final rule, we are finalizing without change the proposed 
requirement that electronic TWIC inspection is required prior to each 
entry into a secure area of a Risk Group A facility. Similarly, we are 
finalizing the proposed requirement that electronic TWIC inspection is 
required prior to each entry onto a Risk Group A vessel. While some 
commenters objected to this policy, we believe that it represents the 
best balance of security and practicability at this time. Furthermore, 
we believe that many objections to the policy expressed by industry are 
addressed by clarifying that the new requirements apply only to Risk 
Group A vessels and facilities, and that vessels and facilities not in 
this group have no new requirements in this final rule. In this 
section, we address comments specifically related to Risk Group A 
facilities. Questions for Risk Groups B and C, as well as questions for 
vessels, are discussed in other sections of this preamble.
    Several commenters requested guidance related to operations 
conducted under PAC 08-09, change 1. That document allows owners and 
operators of a vessel or facility to use a local access card to grant 
unescorted access to secure areas, assuming that the local access card 
is tied to a valid TWIC and that verification (visual or electronic) of 
the local access card is conducted each time access is granted to a 
secure area. Pursuant to PAC 08-09, TWICs needed only to be validated 
once every 24 hours. However, PAC 08-09 is only valid until the Coast 
Guard publishes a final rule requiring the use of TWIC readers as an 
access control measure.\44\ Because this final rule establishes 
electronic TWIC inspection as a requirement for Risk Group A 
facilities, the guidance in PAC 08-09 will no longer be valid with 
respect to those facilities upon the effective date of this rule. 
Because there are no electronic TWIC inspection requirements for Risk 
Groups B and C, PAC 08-09 remains in force for those facilities. We 
intend to update PAC 08-09 before the effective date of this final 
rule.
---------------------------------------------------------------------------

    \44\ PAC 08-09, change 1, p. 2.
---------------------------------------------------------------------------

    We note that while PAC 08-09 will no longer be valid for Risk Group 
A facilities, the flexible performance requirements of this final rule 
will continue to allow access using local access or PACS cards, 
assuming the PACS is able to perform the electronic TWIC inspection 
requirements of biometric identification, the card validity check, and 
card authentication. While many commenters requested that Risk Group A 
facilities be permitted to continue to follow the guidance in PAC 08-09 
(some of whom suggested that it could be augmented by a daily card 
validity check), we are not granting that request. Electronic TWIC 
inspection is a more secure system than that used under PAC 08-09 for a 
variety of reasons, but most distinctly because it performs a biometric 
identification each time a person is granted unescorted access to a 
secure area, whereas the system described in the PAC 08-09 does not. 
Biometric identification provides a higher level of certainty that an 
individual is an approved TWIC-holder than visual identification.
    One commenter suggested that the purpose of TWIC is for a worker to 
be vetted, and that TWIC should not be used as an access control 
system, noting that it is up to the owner of the secure space to 
determine which TWIC-holders are granted unescorted access. While we 
agree that one of the benefits of TWIC is that it ensures an individual 
has undergone a background check, we disagree that vetting is the only 
purpose of a TWIC. Congress mandated that the TWIC contain the 
biometric identification of the TWIC-holder. Furthermore, Congress 
explicitly required that the Coast Guard ensure that only individuals 
who hold a TWIC be granted unescorted access to secure areas of MTSA-
regulated facilities in 46 U.S.C. 70105(a)(1). We conclude, therefore, 
that it is the clear mandate of Congress for this biometric 
identification to be used to ensure that only TWIC-holders are granted 
unescorted access to secure areas of Risk Group A vessels and 
facilities. Using this function of the TWIC for identification 
verification purposes will enhance the security afforded by the TWIC 
program in the highest-risk areas.
    Other commenters expressed the opposite view, arguing that the 
Coast Guard was wrong to limit the requirement of electronic TWIC 
inspection to Risk Group A vessels and facilities only. Multiple 
commenters suggested that the proposal to limit the use of electronic 
TWIC inspection to Risk Group A vessels and facilities deviated from 
Congress' intent in developing the TWIC program, and that to conform to 
the intent of Congress, we should have extended the mandate to perform 
electronic TWIC inspection to Risk Group B as well. Other commenters 
noted that in the ``findings'' section of the MTSA statute (Pub. L. 
107-251, 101(11)), Congress found that ``[b]iometric identification 
procedures for individuals having access to secure areas in port 
facilities are important tools to deter and prevent port cargo crimes, 
smuggling, and terrorist actions.'' The commenter argued that to be 
responsive to Congress, TWIC cards should not be used primarily as a 
``flash pass,'' but should be used more often as biometric 
identification tools.
    The Coast Guard believes that the requirement instituted in this 
final rule represents a reasoned implementation of electronic TWIC 
inspection. As analyzed in the NPRM and associated preliminary RA, we 
believe the vessels and facilities in Risk Group A are at much greater 
risk than other MTSA-regulated vessels and facilities.

[[Page 57673]]

Electronic TWIC inspection has a high utility in deterring and 
mitigating certain threats to these targets. Given the costs in 
infrastructure and operational needs associated with electronic TWIC 
inspection, as shown in the TWIC Pilot Program and in the Coast Guard's 
regulatory analyses, we do not believe that electronic TWIC inspection 
should be extended to other vessels or facilities at this time. 
Information and experience gained through the implementation of Risk 
Group A vessels and facilities will, however, help to determine whether 
and how the electronic TWIC inspection program should be expanded in 
the future.
    Several commenters argued that the requirement to undergo 
electronic TWIC inspection prior to each entry into a secure area of 
facility was overly burdensome and unnecessary. One commenter stated 
that the Coast Guard does not understand the day-to-day operations of 
passenger vessels and facilities, and that only small areas are secure 
and restricted, requiring a TWIC-holder to move in and out of these 
areas multiple times per day. We disagree with this statement, and note 
that the NPRM and the NPRM RA repeatedly affirmed that a TWIC reader 
would be required at each access point to a secure area in a Risk Group 
A facility. We acknowledge that in cases where employees of a passenger 
facility move repeatedly from a non-secure area (such as a passenger 
access area) to a secure area, they will likely have to undergo 
repeated electronic TWIC inspections. We also note that these 
facilities already use access control measures to prevent unauthorized 
persons, including vessel passengers, from entering secure areas, and 
that this requirement only involves incorporating electronic TWIC 
inspection into those existing access control measures.
    Other commenters also made suggestions that would allow for reduced 
numbers of electronic TWIC inspections for employees that enter and 
leave secure areas multiple times per day. Several commenters suggested 
that checking TWICs against the CCL multiple times per day is 
redundant, as the list is only updated, at most, once per day. These 
commenters suggested that at lower MARSEC levels, one electronic TWIC 
inspection per day would be enough, and then a visual TWIC inspection 
could be used for each subsequent entry into a secure area. We note 
that electronic TWIC inspection performs much more than just the card 
validity check, and that there is a need to check that the individual 
presenting the card is the correct individual presenting an authentic 
card each time he or she is granted unescorted access to a secure area. 
For these reasons, a single electronic TWIC inspection should not allow 
repeated grants of unescorted access to secure areas in Risk Group A 
facilities.
    One commenter argued that its security needs would be better met 
through cross-checking TWICs via its employment, human resources, and 
internal security systems, and then issuing badges that it has control 
over. The commenter stated that in that situation, it would have the 
ability to verify and revoke access as necessary for the security of 
the facility. With the new flexibility for electronic TWIC inspection 
in this final rule, such cross-checking using facility-specific 
identification cards linked to a PACS is possible, as long as the 
facility's PACS performs the biometric identification, card validity 
check, and card authentication procedures required in this final rule 
prior to each entry into a secure area.
    One commenter stated that the ``prior to each entry'' requirement 
is impracticable for cruise ship terminals. This commenter stated that 
dozens of porters, stevedores, and shore staff constantly move baggage 
in and out of secure areas using mechanical equipment such as forklifts 
and hand trucks, and that requiring electronic TWIC inspection at each 
entry would be potentially unsafe. We realize that there is a need to 
balance the requirement to ensure that only TWIC-holders are granted 
unescorted access to secure areas with the operational needs of a 
facility. In a situation such as that described by the commenter, an 
RUA plan could alleviate the burden of repeated and constant electronic 
TWIC inspections. The RUA option was designed primarily to address the 
needs of baggage handlers and stevedores, and was developed to 
facilitate operations such as those described by the commenter where 
persons must enter and exit a secure area on a continual basis. RUA is 
described in more detail in Section V.C of this preamble.
    Several commenters were concerned that the proposed requirement for 
permanently placed TWIC readers at the access points for Risk Group A 
facilities offered no flexibility, and could restrict the use of 
portable TWIC readers as an option at less heavily-trafficked access 
points. We first note that the NPRM did not specifically require a 
fixed TWIC reader at all access points, but we assumed that many 
facilities would use fixed TWIC readers over portable ones at fixed 
access points for the purposes of analysis. However, we agree with the 
commenter that the NPRM did not offer enough flexibility, and thus this 
final rule adds another option for electronic TWIC inspection. 
Facilities will be able to use fixed electronic readers, portable 
electronic readers, or a PACS to conduct electronic TWIC inspection, 
depending on which works best considering their business operations.
    One commenter raised a concern that a requirement to present a TWIC 
prior to each entry into a secure area would mean that TWIC-holders 
would have to carry their cards at all times, thus exposing cards to 
being damaged in a harsh environment or lost. The commenter recommended 
that a system be utilized that would allow them to keep their workers' 
TWICs in a safe and secure location where, upon request, the TWICs 
could be retrieved and inspected within a reasonable amount of time. We 
agree that this could be appropriate in many maritime environments, and 
thus the flexibility allowed by this final rule would permit such a 
system. A facility could control access to secure areas using a PACS to 
conduct the electronic TWIC inspection, thus allowing the TWICs 
themselves to be maintained in a safe, nearby location, where they 
could be inspected if necessary.
    One commenter requested clarification with regard to overall 
personnel accountability within secured areas. Specifically, the 
commenter asked if the Coast Guard would require TWIC-holders to record 
when they exited a secure area, and if a facility should know who is in 
a secured area, at all times. In this rulemaking, we did not propose to 
require personnel accountability in this fashion, nor does the final 
rule require TWIC-holders to record when they exit a secured area. 
Another commenter expressed support for not proposing such a 
requirement in the NPRM. The final rule only requires electronic TWC 
inspection upon entering a secure area of a Risk Group A facility. With 
regard to recordkeeping, as discussed above, this final rule only 
requires that records be kept of individuals that enter the secure 
area, and of when they entered. This final rule does not require that 
records be kept of individuals leaving a secure area, nor does it 
require that records be kept of who is in a secure area at any 
particular time.
b. Recurring Unescorted Access
    Many commenters requested that the Coast Guard reinstate the 
concept of RUA that had originally been considered in the ANPRM, but 
was not proposed in the NPRM. As described in the ANPRM, as part of an 
RUA plan, the owner or operator of a vessel or facility would conduct 
an initial biometric

[[Page 57674]]

match of the individual against his or her TWIC, either at hiring or 
upon the effective date of a final rule, whichever occurs later. This 
biometric match would include a verification of the authenticity and 
validity of the TWIC. Once this check is done, the TWIC would only be 
used as a visual identity badge, at a frequency to be approved by the 
Coast Guard in the amended security plan, so long as the validity of 
the TWIC is verified periodically, ranging from monthly to daily, 
depending upon Risk Group and MARSEC Level.\45\ RUA, as described in 
the ANPRM, would be limited to 14 TWIC-holders per vessel or facility, 
although it was not clear whether that meant an RUA regime would only 
be approved if the vessel or facility crew were limited to 14 TWIC-
holders, or if 14 people per vessel or facility would be exempted from 
electronic TWIC inspection procedures that would still be in place for 
other employees or persons seeking access.
---------------------------------------------------------------------------

    \45\ See 74 FR 13362.
---------------------------------------------------------------------------

    The Coast Guard opted not to include RUA in the proposed regulatory 
text in the NPRM, despite the fact that many ANPRM commenters supported 
various versions of RUA procedures. In the NPRM, we explained that 
``RUA was previously proposed [in the ANPRM] to introduce flexibility 
and provide relief to vessels otherwise required to use TWIC readers, 
based on the familiarity that exists between a relatively small number 
of crewmembers.'' \46\ However, by limiting electronic TWIC inspection 
requirements to Risk Group A vessels only, and including the vessel 
crewmember exemption in the TWIC applicability section, we believed we 
had rendered the need for RUA as a mechanism for regulatory relief 
unnecessary. One commenter requested clarification about whether the 
proposed RUA mechanism would apply to facilities as well, or just 
vessels. While the NPRM did not explicitly discuss the use of RUA for 
facilities, we did not consider such plans viable. Unlike vessels, 
facilities regularly receive unfamiliar personnel, such as visitors, 
contractors, and deliveries, and must have a means to ensure those 
visitors are valid TWIC-holders, regardless of the size of the regular 
staff.
---------------------------------------------------------------------------

    \46\ See 78 FR 17804.
---------------------------------------------------------------------------

    We received several comments in response to the decision in the 
NPRM not to include an RUA provision. Most commenters recommended that 
some sort of RUA provision be included in the final rule, although they 
differed in their interpretations of what, exactly, an RUA plan would 
entail. Furthermore, multiple commenters laid out specific examples of 
how RUA could improve operations in several scenarios. These comments 
are described below.
    One commenter suggested that an RUA plan for vessel and facility 
operations, including operations at facilities that service passenger 
vessels, would require that a TWIC-holder undergo electronic TWIC 
inspection once when he or she reports for work each day. It was 
unclear from these comments specifically how this plan would be 
implemented. If RUA were limited to certain crewmembers or employees, 
it is unclear how those crewmembers would differentiate themselves from 
other TWIC-holders who would still be required to undergo electronic 
TWIC inspection prior to each entry into the vessel or into a secure 
area of the facility. Furthermore, unless all crewmembers or employees 
were subject to the RUA plan, it is unclear how such a system would 
reduce costs, as access control measures would still need to be in 
place that would need to differentiate between TWIC-holders and non-
TWIC-holders, but also differentiate between those TWIC-holders granted 
RUA and those subject to repeated electronic TWIC inspection. These 
questions, along with the exemption from electronic TWIC inspection 
requirements for vessels with low numbers of crewmembers, are the 
reason that the RUA plan was not proposed in the NPRM, despite being 
raised in the ANPRM, and we still do not have clear answers to these 
issues.
    Several commenters raised the issue of RUA with regard to certain 
port workers who repeatedly enter and leave secure areas, such as 
baggage porters at cruise terminals or workers such as stevedores 
transferring cargo into a secure area. Similarly, one commenter 
expressed concern about how porters would be able to do their jobs if 
required to conduct electronic TWIC inspection at each entry into the 
baggage area. Some commenters suggested that in order to permit workers 
to efficiently perform their jobs, which may entail entering and 
leaving a secure area several times an hour, biometric checks should be 
limited to the beginning of a shift and after extended breaks. The 
commenter stated that it is not operationally practical to have these 
workers undergo electronic TWIC inspection repeatedly.
    We agree that, for narrow classes of vessel or facility employees 
such as baggage porters, the electronic TWIC inspection requirements 
could prove particularly burdensome, and that these workers could be 
accommodated using a limited form of RUA as suggested by the commenter. 
Some scenarios where this may prove useful include, for example, 
porters who carry baggage from a curbside check-in area (unsecure) to a 
baggage storage area (secure) for cruise customers, or forklift 
operators who transport packages from a loading area (unsecure) to a 
secure storage area on a vessel or facility. These persons need to 
travel back and forth across the secure-unsecure boundary repeatedly, 
and repeated electronic TWIC inspections can be both cumbersome and 
redundant in these situations.
    Therefore, to accommodate these situations without compromising 
security, we have added a limited form of RUA into this rule as Sec.  
101.555. The system would operate as follows: a vessel or facility 
would designate an area as a ``Designated Recurring Access Area 
(DRAA)'' in its security plan. As shown in Figures 1 and 2, the DRAA 
would consist of adjoining secure and unsecure areas, as well as the 
access gates between them. As long as a TWIC-holder stayed inside the 
designated area, he or she could pass between the unsecure and secure 
portions of the DRAA without having to undergo an electronic TWIC 
inspection each time he or she entered the secure portion.
BILLING CODE 9110-04-P

[[Page 57675]]

[GRAPHIC] [TIFF OMITTED] TR23AU16.000


[[Page 57676]]


[GRAPHIC] [TIFF OMITTED] TR23AU16.001

BILLING CODE 9110-04-C
    We have considered the problem of differentiating between those 
persons granted recurring access and those who must undergo electronic 
TWIC inspection prior to each entry. Certain restrictions and 
conditions would be applied to ensure that no unauthorized persons gain 
access to the secure area through the DRAA. In order to allow recurring 
access, the Coast Guard is requiring that security personnel be present 
at the access points to the secure areas where recurring access is 
used. Although electronic devices, such as TWIC readers or a PACS 
reader, can be used to control access at other entrances, in an RUA 
situation the TWIC (or a linked PACS card) is not presented at each 
entry to the secure area. Instead, the presence of security personnel 
is necessary to properly control access while allowing the known DRAA 
participants to pass through repeatedly.
    An additional requirement for a DRAA is that the entire unsecured 
area must be visible at all times to the on-site security personnel. 
This requirement is necessary to ensure that all recurring access 
participants have undergone the necessary electronic TWIC inspection 
before entering a secure area. We believe that without this 
requirement, it might be possible for a non-TWIC-holder to ``talk their 
way'' into a secure area by claiming they had already undergone a TWIC 
inspection, and had merely returned from an authorized break. We note 
that among various GAO criticisms of the maritime security program, 
this was one of the means by which GAO investigators were able to 
bypass security measures. We agree with one commenter that suggested 
electronic TWIC inspection should be repeated once returning from a 
break. By requiring recurring access participants to stay within sight 
of the security personnel or undergo a new electronic TWIC inspection, 
we can ensure that these types of incidents do not happen.
    To gain recurring access, a TWIC-holder would need to undergo

[[Page 57677]]

electronic TWIC inspection, including biometric matching, the first 
time the TWIC-holder entered the secure portion of a DRAA. This would 
of course happen at the beginning of a work shift, but would also 
happen after each time the TWIC-holder left the DRAA for any reason, 
including administrative reasons, lunch breaks, or even to use the 
restroom. We have also added a provision that requires at least one 
electronic TWIC inspection per change of security personnel in order to 
account for shift changes.
    We have attempted to make the RUA policy as flexible as possible 
while still maintaining security. We note that the use of a DRAA is a 
wholly voluntary option, and that access to secure areas of a vessel or 
facility may always be accomplished through the procedures in 
Sec. Sec.  101.535 and 101.550. Even within a DRAA, only access points 
that are used for recurring access must be manned by security 
personnel, so there can be other access points controlled by unmanned 
means (such as a lock connected to a TWIC reader) for employees who do 
not need recurring access. Furthermore, an area can be designated a 
DRAA at certain times. For example, at a cruise ship terminal, a 
curbside area could be designated a DRAA only during boarding times. 
This would allow the access points to be secured by unmanned means 
during other periods when recurring access is not necessary.
    We also note that a DRAA may be incorporated in a Joint Vessel and 
Facility Security Plan, allowing an area where employees can cross from 
a pier to a vessel repeatedly without having to undergo electronic TWIC 
inspection each time. This can facilitate the loading or unloading of 
vessels considered secure areas.
2. Risk Group A Vessels
    We received fewer comments regarding the requirements for 
electronic TWIC inspection for Risk Group A vessels than for vessels in 
other Risk Groups. In the NPRM, we discussed the TWIC reader 
requirements as applied to the Risk Group A vessel population in 
Section IV.L, ``Physical Placement of TWIC Readers.'' In that section, 
we stated that ``[w]e propose to amend 33 CFR 104.265(a)(4) by 
requiring a vessel owner or operator to place TWIC readers at the 
vessel's access points only, regardless of whether the secure area 
encompasses the entire vessel.'' \47\ We realize that this sentence may 
have been confusing, as the only proposed modification to Sec.  
104.265(a)(4) was to add the sentence ``Depending on a vessel's Risk 
Group, TWICs must be checked either visually or electronically using a 
TWIC reader or as integrated into a PACS at the locations where TWIC-
holders embark the vessel'' to the existing requirement that the owners 
or operator of a vessel must ensure that only authorized TWIC-holders 
are granted unescorted access to secure areas of the vessel.\48\ A 
clearer citation would have been to Sec.  101.514(a)(1), which 
contained the proposed requirement that prior to each entry, all 
persons seeking unescorted access to secure areas in Risk Group A 
vessels and facilities must present a TWIC. The regulatory text was 
also unclear about what ``prior to each entry'' meant, and many 
commenters believed that it meant prior to each entry into a secure 
area of the vessel, which was contrary to the stated intent of the 
preamble.
---------------------------------------------------------------------------

    \47\ 78 FR 17816
    \48\ 78 FR 17830-17831, Amendatory Instruction 16a
---------------------------------------------------------------------------

    As stated above, in this final rule, we are modifying the 
electronic TWIC inspection requirements so that they are both more 
flexible and more performance-oriented than described in the NPRM. In 
this final rule, we require electronic TWIC inspection rather than the 
presentation of a TWIC. Furthermore, again as stated above, we are 
clarifying the language relating to the locations of electronic TWIC 
inspection. The new language, contained in Sec.  101.535(a), 
``Requirements for Risk Group A Vessels,'' reads ``prior to each 
boarding of the vessel.'' We believe that this change should improve 
the clarity of the regulatory text.
    The Passenger Vessel Association (PVA) noted the confusion between 
the preamble and regulatory text, noting in its comments that ``The 
proposed rule states (proposed Sec.  104.265(a) \49\), `Prior to each 
entry, all persons must present their TWICs for inspection using a TWIC 
reader.''' The PVA argued that ``[t]he Coast Guard's explanatory 
material in the Federal Register suggesting otherwise cannot override 
the very clear language of the proposed regulation.'' We agree that the 
language is confusing, and have clarified it appropriately. The 
commenter also recommended that the Coast Guard adopt a version of RUA 
that would allow a single verification of the TWIC status when the 
TWIC-holder reports to the secure area for the first time each day. 
While this was not what RUA, as proposed in the ANPRM, was intended to 
do, we note that the clarified electronic TWIC inspection requirements 
in this final rule will result in far fewer inspections on vessels than 
the commenter anticipated.
---------------------------------------------------------------------------

    \49\ We note that the language cited is actually from proposed 
Sec.  101.520(a)(1), not Sec.  104.265(a).
---------------------------------------------------------------------------

    One commenter, who operates as a combined ferry/terminal operator, 
discussed methodologies to improve security through a ``Combined 
Security Plan'' that allowed them to effectively identify risk while 
allowing their employees to perform their duties in a secure and 
efficient manner. The commenter suggested that its ferries have 
multiple points of access from the terminal to the ferry as well as 
multiple points of access to secure areas within the ferry. The Coast 
Guard agrees that insofar as security measures between a terminal and 
ferry can be combined, a combined plan can produce a more effective and 
efficient security regime than separate plans. Furthermore, secure 
areas within terminals can be connected to the entrances of ferries. In 
those instances, where TWIC-holders pass directly from a secure area of 
the terminal onto a ferry, an additional electronic TWIC inspection is 
unnecessary. For that reason, we interpret the phrase ``prior to each 
boarding of the vessel'' in Sec.  101.535(a)(1) to include the 
situation in which an electronic TWIC inspection has been carried out 
prior to boarding a ferry, and the TWIC-holder has not entered an 
unsecure area in the interim. We believe that such an allowance will 
reduce the costs of compliance with the electronic TWIC inspection 
program for combined ferry/terminal operators without compromising 
security.
    Several commenters posed questions relating to a situation in which 
a Risk Group A vessel, such as a ferry, has multiple secure areas 
separated by unsecure areas, but sole control of its terminal 
facilities. These commenters asked whether it would be possible to have 
only one TWIC reader at each terminal facility for both vessel and 
facility workers. As explained below, such a system could meet the 
requirements for electronic TWIC inspection. If a worker is granted 
unescorted access to a secure area of a Risk Group A facility, and 
remains in the secure area, he or she may board a Risk Group A vessel 
without a second electronic TWIC inspection. We note that once on board 
a Risk Group A vessel, a worker does not need to undergo additional 
electronic TWIC inspections when entering secure areas.
    One commenter stated that vessels at sea should be required to 
update the CCL if there are separate and distinct secure areas on board 
the vessel. We disagree, and note that the requirement for Risk Group A 
vessels is that

[[Page 57678]]

electronic TWIC inspections are only performed when the personnel are 
boarding the vessel, not, like facilities, at each entry into a secure 
area. Therefore updating the CCL while at sea would not serve any 
functional purpose.
3. Risk Groups B and C
    In this final rule, we are completely removing any mention of 
additional TWIC requirements for vessels and facilities other than 
those covered under Sec.  101.535, ``Electronic TWIC inspection 
Requirements for Risk Group A.'' Many commenters noted the apparent 
differences between the language on Risk Groups B and C in the NPRM 
preamble and the proposed regulatory text in Sec. Sec.  101.525 and 
101.530, which pertained to Risk Groups B and C respectively.
    In the preamble of the NPRM, we stated that we were making no 
changes to either of those groups. For example, in Section III.E.7.b of 
the NPRM, ``Risk Group B TWIC Reader Requirements,'' we stated that 
``proposing requirements for Risk Group A only in this NPRM is 
indicative of our desire to minimize highest risks first. . . .'' \50\ 
Likewise, in Section III.E.8.b, ``Risk Group C TWIC Requirements,'' we 
noted that ``Under current regulations (which would not change under 
this NPRM) for vessels and facilities categorized in this NPRM Risk 
Group C, security personnel must visually inspect the TWIC of each 
person seeking unescorted access to secure areas.'' \51\ Our 
preliminary RA echoed this language. In that document, we did not 
include any cost analyses relating to vessels or facilities in Risk 
Groups B or C.
---------------------------------------------------------------------------

    \50\ 78 FR 17802.
    \51\ 78 FR 17803.
---------------------------------------------------------------------------

    However, as commenters noted, in proposed Sec. Sec.  101.525 and 
101.530, we included language from the ANPRM that contradicted the 
statements in the preamble that no new requirements were being proposed 
for Risk Groups B and C. The proposed regulatory text would have 
required vessels and facilities in Risk Groups B and C to undergo 
visual TWIC inspection prior to each entry into a secure area. Thus, 
the practical effect of such a requirement would have been to require 
security personnel be posted at each entry point, which many commenters 
argued would dramatically increase the compliance costs for MTSA-
regulated vessels and facilities in Risk Groups B and C, contrary to 
the stated intent of the regulation. The specific comments are 
described in greater detail below.
    We received a large number of comments from the owners and 
operators of passenger vessels that would have been categorized as Risk 
Groups B and C. These individuals suggested that the proposed 
regulatory text would impose severe burdens on their operations, 
burdens that would be extremely costly and produce relatively little in 
the way of security benefits. The PVA's comment summed up many of its 
members' statements, noting that ``Group B and C passenger vessels and 
facilities have multiple and widely separated secure areas with large 
public access areas in between. TWIC-holders move regularly in and out 
of those spaces multiple times during the day. As a practical matter, 
this means that in those vessels and facilities, there must be some 
other person stationed in or outside of each secure area to visually 
inspect the TWIC and presumably bar the holder from entry if the visual 
inspection is unsatisfactory.'' \52\ We agree with the PVA that, with 
regard to passenger facilities, the wording of the proposed regulatory 
text could have had this effect, but these concerns are moot because we 
removed the proposed provisions on Risk Groups B and C.
---------------------------------------------------------------------------

    \52\ USCG-2007-28915-0190, p. 12.
---------------------------------------------------------------------------

    Many operators of passenger vessels argued that the requirement to 
visually inspect TWICs at each entry point into a secure area would be 
enormously expensive, impracticable, and provide little security 
benefit. One commenter suggested that the use of existing access 
control systems on vessels could be used in place of visual TWIC 
inspection on vessels. One commenter wrote, ``we do not have enough 
berthing to add 2 additional people that would do nothing but sit at 
the galley door on opposite shifts and request to see the TWIC card of 
[the] same person multiple times per day.'' \53\ Another commenter 
wrote that requiring a visual TWIC inspection at each entry to a secure 
area on a vessel ``is a bit like asking your brother who lives in your 
household for his ID whenever he needs to use the restroom.'' \54\ 
Commenters also argued that needing to present a TWIC to enter an 
unmanned engine room space could hinder access in an emergency. Many 
other commenters echoed the substance of these remarks. In this final 
rule, we hope to clarify that: (1) With regard to Risk Group A vessels, 
the requirement to undergo electronic TWIC inspection applies only upon 
boarding the vessel, and (2) there are no new requirements, for either 
visual or electronic TWIC inspection, or anything else applicable to 
vessels or facilities outside of Risk Group A in this final rule. The 
existing visual TWIC inspection requirements in 33 CFR Chapter I, 
Subchapter H continue to apply to vessels and facilities outside of 
Risk Group A.
---------------------------------------------------------------------------

    \53\ USCG-2007-28915-0139.
    \54\ USCG-2007-28915-0215, p. 3.
---------------------------------------------------------------------------

    We received similar comments pertaining to Risk Group B and C 
facilities. Many commenters requested that the final rule should state 
that approved FSPs using PAC 08-09 practices continued to be allowed 
for Risk Group B and C facilities. We reiterate that this final rule 
imposes no changes on the operation of Risk Group B or C facilities; 
accordingly, such practices will continue to be allowed. One commenter 
suggested that the guidance permitting voluntary use of TWIC readers, 
contained in PAC 01-11, be continued for Risk Group B and C facilities. 
While that guidance is rendered obsolete by this final rule, we note 
that its contents have been largely incorporated into the final rule as 
Sec.  101.540, which permits non-Risk Group A facilities to use 
electronic TWIC inspection procedures in lieu of visual TWIC inspection 
on a voluntary basis.
    One commenter recommended that language be added to proposed Sec.  
101.525 (Risk Group B) that would allow a PACS card to be used in place 
of a TWIC at each entry to a secure area. Some commenters noted that 
the PAC 08-09 practices are significantly less costly than inspecting a 
TWIC at each entry into a secure area. While the rule imposes no new 
TWIC inspection requirements on Risk Groups B or C, we follow this 
suggestion with regard to Risk Group A facilities in the form of 
increased flexibility for electronic TWIC inspection. One commenter 
added that this could be coupled with a periodic TWIC check to ensure 
it is still valid. We note that Coast Guard inspections, conducted at 
Risk Group B and C facilities, accomplish exactly this check.
4. Miscellaneous Questions Regarding the Locations of Electronic TWIC 
Inspection
    In this section, we address certain questions raised by commenters 
on issues related to the locations where electronic TWIC inspections 
must take place. Several similar comments asked us to clarify what an 
``access point'' to a secure area is. The commenter provided an example 
of an alarmed fire escape door that leads to a pier, which is 
designated as a secure area. In response, we would clarify that an 
``access point'' is any location where personnel access from a non-
secure area to a secure area is permitted, in any circumstance, by a 
facility's security plan. However, we agree with the commenter that 
requiring an electronic

[[Page 57679]]

TWIC inspection in the event of a fire would be unwise. For that 
reason, we are including language in Sec.  101.535(e), allowing an 
exemption from electronic TWIC inspection requirements for emergency 
situations. We believe that this exemption will protect against 
unauthorized access to secure areas without compromising safety in the 
event of an emergency response.
    The commenter also provided an example of a roll-up baggage door, 
where the porters bring in luggage they collect from guests at the curb 
in front of a cruise ship terminal. Next to the roll-up door is ``a 
typical personnel door.'' The commenter asked if the two doors count as 
a single access point, or if they are two separate access points, where 
each door requires its own TWIC reader. Again we note that in this 
final rule, we are not requiring the installation of TWIC readers; 
instead the requirement is that prior to being granted unescorted 
access to a secure area, an individual must undergo electronic TWIC 
inspection. Thus, two doors to a secure area could be controlled by a 
single TWIC reader or PACS reader, if permitted in the FSP.
    The commenter also asked about an area that switches between being 
secure and non-secure based on the operations taking place there at a 
given time. In such an instance (and permitted, we assume, by the FSP), 
when the area is designated secure, persons would need to undergo 
electronic TWIC inspection before being granted unescorted access. At 
times when the area was designated non-secure, there would be no such 
requirement. We would expect the relevant FSP to contain more detail on 
how such an area would operate.
D. Determination of Risk Groups
    The third major area of comments related to the determination of 
which vessels and facilities should be placed into which Risk Groups. 
In Sec. Sec.  104.263 and 105.253 of the NPRM, we proposed three 
different Risk Groups, A, B, and C, although there were no differences 
between the requirements for Risk Groups B and C. The proposed Risk 
Groups were as follows:
    Risk Group A:
     Vessels certificated to carry more than 1,000 passengers;
     Vessels that carry CDC in bulk;
     Vessels engaged in towing another Risk Group A vessel;
     Facilities that handle CDC in bulk;
     Facilities that receive vessels certificated to carry more 
than 1,000 passengers; and
     Barge fleeting facilities that receive barges carrying CDC 
in bulk.
    Risk Group B:
     Vessels that carry hazardous materials, other than CDC, in 
bulk;
     Vessels subject to 46 CFR chapter I, subchapter D, that 
carry any flammable or combustible liquid cargoes or residues;
     Vessels certificated to carry 500 to 1,000 passengers;
     Vessels engaged in towing a Risk Group B vessels;
     Facilities that receive vessels that carry hazardous 
materials, other than CDC, in bulk;
     Facilities that receive vessels subject to 46 CFR chapter 
I, subchapter D, that carry any flammable or combustible liquid cargoes 
or residues;
     Facilities that receive vessels certificated to carry 
between 500 and 1,000 passengers;
     Facilities that receive vessels subject to 46 CFR chapter 
I, subchapter D, that carry any flammable or combustible liquid cargoes 
or residues;
     Facilities that receive a vessel engaged in towing a Risk 
Group B vessel; and
     All OCS facilities subject to 33 CFR part 106.
    Risk Group C:
     Vessels carrying non-hazardous cargoes that are required 
to have a VSP;
     Vessels certificated to carry fewer than 500 passengers;
     Vessels engaged in towing a Risk Group C vessel;
     Facilities that receive vessels carrying non-hazardous 
cargoes;
     Facilities that receive vessels certificated to carry 
fewer than 500 passengers; and
     Facilities that receive vessels towing a Risk Group C 
vessel.
    Most comments were related to the categorization of vessels and 
facilities in Risk Group A, with many commenters requesting 
clarification on how to classify their own facilities, or offering 
rationales for why vessels and facilities should be categorized 
differently. As stated in previous parts of this discussion, the NPRM 
did not propose any additional requirements for Risk Groups B or C, and 
thus, for purposes of the electronic TWIC inspection requirements, 
whether or not a vessel or facility is classified as Risk Group A is 
the only relevant distinction.
    In this final rule, we have made a number of modifications to the 
classification of facilities and vessels in response to the comments. 
The major changes are summarized as follows:
     We have changed the crewmember exemption cutoff for 
vessels from 14 crewmembers to 20 crewmembers, as well as clarified how 
to calculate the number of crewmembers to apply this exemption.
     We have removed the specific reference to barge fleeting 
facilities from the Risk Group A classification, and now treat barge 
fleeting facilities like all other MTSA-regulated facilities.
     We have eliminated the distinction between Risk Groups B 
and C. Vessels and facilities are now classified as either Risk Group A 
or non-Risk Group A.
1. Risk Group A Facilities
    In the NPRM, we defined Risk Group A facilities in proposed Sec.  
105.253(a) as: (1) Facilities that handle CDC in bulk; (2) Facilities 
that receive vessels certificated to carry more than 1,000 passengers; 
and (3) Barge fleeting facilities that receive barges carrying CDC in 
bulk. We developed Risk Group A, along with the other Risk Groups, 
using a risk-based analysis system that identified which types of 
facilities were exposed to the most risk in the event of a TSI. This 
system used the MSRAM to derive a numeric ``consequence'' for a class 
of facilities. Once the potential risk to a class of facilities was 
ascertained, we then determined whether a program of electronic TWIC 
inspection would provide utility in alleviating that risk. This 
analysis is described in far greater detail in the ANPRM \55\ and the 
NPRM,\56\ and we refer interested parties to those documents for a 
detailed discussion.
---------------------------------------------------------------------------

    \55\ 74 FR 13363.
    \56\ 78 FR 17810.
---------------------------------------------------------------------------

    Several commenters raised issues relating to the fundamental nature 
of our analysis, arguing that certain factors, such as the geographic 
location of a facility or its proximity to higher-risk facilities 
should have been incorporated into our analysis. After considering the 
comments, we have decided to largely retain the overall structure of 
how Risk Group A is structured. The basis for the analysis is discussed 
in Section V.A, above.
    Several commenters suggested that the MSRAM analysis used by the 
Coast Guard to determine Risk Group A was flawed, and that a different 
methodology to determine the Risk Groups should have been employed that 
would bring more facilities into the Risk Group A category. Many of 
these commenters recommended that the Coast Guard adopt a risk analysis 
approach that focuses on area risks or geography, rather than the risks 
associated with classes of facilities. For example, one commenter 
recommended that the risk analysis should have included the risk to 
port operations where the port has minimum channel depth, or for 
petrochemical facilities that would create a significant impact to

[[Page 57680]]

commodity supplies, or chemical facilities where an attack could have 
significant environmental consequences.
    Other commenters recommended that the Coast Guard consider the 
geographic area surrounding a facility as the most important factor in 
determining the appropriate Risk Group. Similarly, another commenter 
stated that the Coast Guard should expand the risk-based concept and 
aggregate risks to the port area first, before using MSRAM to determine 
specific risks. In response, the Coast Guard considered a broad range 
of factors, including geographic location, when determining the Risk 
Groups. The totality of that analysis identifies the highest risk 
vessels and facilities.
    One commenter stated that the Port of New York is the nation's 
highest-risk port, suggesting that TWIC inspection should also be used 
to mitigate risks associated with criminal activity such as drug 
trafficking, cargo theft, and alien contraband smuggling. The commenter 
suggested that TWIC readers should be required at more facilities in 
that port than are required under this rule. We are not requiring 
electronic TWIC inspection as a crime prevention measure, and we 
reiterate that the primary purpose of requiring electronic TWIC 
inspection is not to prevent crime, but to prevent TSIs at high-risk 
vessels and maritime facilities.
    One commenter stated that MSRAM does not contain any data that 
identifies TWIC readers as a threat mitigation tool, and that 
assumptions must have been made that would connect the MSRAM data with 
mitigation scenarios based on TWIC readers. In response, as emphasized 
throughout this preamble, an electronic TWIC reader is a threat 
mitigation tool because it provides identity verification, card 
authentication, and card validity checks more effectively than visual 
TWIC inspection. In the MSRAM context, a target's ``vulnerability'' is 
defined as the probability that an attack will be successful. MSRAM 
measures target vulnerability as a product of three factors: (1) 
Achievability, which assumes the absence of all security measures and 
then factors in the degree of difficulty delivering an attack on a 
target; (2) Target Hardness, which considers the probability that the 
attack focal point would fail to withstand the attack; and (3) System 
Security, which considers the probability of a security strategy in 
place to successfully thwart an attack before it occurs. Electronic 
TWIC inspection is a component of System Security.
    Some commenters argued that the relative locations of Risk Group A 
and B facilities should factor into the risk analysis. One commenter 
stated that the NPRM did not consider a scenario where a Risk Group B 
facility is immediately adjacent to a Risk Group A facility. The 
commenter suggested that a terrorist could use a counterfeit TWIC to 
gain access to the Risk Group B facility (which would conduct only a 
visual TWIC inspection), and then use the location to mount an attack 
on the adjacent Risk Group A facility. Other commenters echoed the 
sentiment, stating that a Risk Group B facility that is immediately 
adjacent to a Risk Group A facility should not automatically have less 
stringent requirements that could become a threat vector.
    While we agree that this specific scenario was not used in our 
analysis, we also do not believe that it would be appropriate to 
consider. We note that in this scenario, all the counterfeit TWIC 
accomplishes is to allow the adversary to get to the perimeter of the 
Risk Group A facility. If the Risk Group B facility was not located in 
the adjacent location, then it would be even easier for the terrorist 
to get to the aforementioned perimeter. Electronic TWIC inspection is 
designed to thwart access to the secure area of Risk Group A facility, 
not to prevent access to the secure perimeter.
    One commenter recommended that large container terminals should not 
be classified as Risk Group B, but rather as Risk Group A. The 
commenter stated that a disruption of operations at any one of these 
facilities could have a significant impact on the economy, and that the 
Coast Guard should have used secondary consequences in its economic 
analysis. While we agree that a disruption of a large container 
terminal could have significant economic impacts, we disagree with the 
suggestion that container facilities should be automatically classified 
in Risk Group A. As stated elsewhere in this preamble, MSRAM considers 
scenarios associated with threats to container facilities. However, for 
the purpose analyzing electronic TWIC inspection, we limited our 
consideration to attack scenarios that require physical proximity to 
the intended target. Controlling access to a target is an essential 
component of security from such attack scenarios because access control 
helps to detect and perhaps delay the attackers before they reach the 
target. Threats to cargo containers are typically not attack scenarios 
that require physical proximity to the intended target. Accordingly, 
electronic TWIC inspection would not mitigate such threats. Such 
threats are addressed in existing Coast Guard regulations (33 CFR 
104.275 and 105.265) that specifically require owners and operators to 
implement detailed security measures relating to cargo handling on 
vessels and at facilities.
a. Alternative Security Programs
    One commenter, representing the American Gaming Association, 
recommended that instead of the risk categorization approach proposed 
in the NPRM, the Coast Guard should adopt a case-by-case approach to 
classification of facilities participating in its Alternative Security 
Program (ASP). This commenter noted that the security measures adopted 
on these vessels and facilities can be more restrictive than Coast 
Guard regulations require, and that those vessels and facilities should 
not be required to use TWIC readers. Furthermore, the commenter stated 
that the TWIC reader technology may be duplicative with systems onboard 
gaming vessels. We disagree, for the reasons stated above, with using a 
case-by-case approach to risk categorization rather than the Risk Group 
system proposed in the ANPRM and NPRM. However, we note that several 
suggestions that the commenter made are permitted by this final rule. 
If the existing security system on a vessel or facility is duplicative 
of a TWIC reader (i.e., is capable of conducting a card authentication, 
card validity check, and biometric match), then a dedicated TWIC reader 
would not be required. We believe that a PACS can be modified to meet 
these requirements with relatively little additional costs, as 
discussed in the accompanying RA.
    Similarly, several commenters stated that the combined vessel and 
facility security plan, as adopted in the PVA ASP, should permit 
facilities to be exempt from electronic TWIC inspection requirements if 
the vessels they service are exempt. For reasons discussed below, we 
disagree. We note that all ASPs, including the PVA ASP, can be used to 
integrate security between passenger terminals and vessels, but that 
the ASP must meet all electronic TWIC inspection requirements in this 
final rule.
b. Determining Risk Group A Facilities
    Several commenters asked questions or requested clarifications of 
issues related to whether certain facilities would be classified as 
Risk Group A facilities. Our thoughts on these specific questions are 
below:
    One commenter requested clarification regarding a cruise terminal

[[Page 57681]]

that handles general cargo (presumably not including bulk CDC) when 
cruise ships are not present. The commenter asked whether a Risk Group 
A classification would only apply to a facility when a passenger vessel 
certificated to carry 1,000 or more passengers was at the facility. In 
such an instance, movement between Risk Groups would be permissible, if 
detailed in the FSP in accordance with 33 CFR 105.253(b). One commenter 
suggested that allowing movement between Risk Groups would be unfair to 
those facilities that have installed electronic TWIC inspection 
technology. We disagree, and note that when subject to Risk Group A 
electronic TWIC inspection requirements, a facility would have to make 
full and complete use of such technology, and would incur all the costs 
of installing the technology.
    One commenter requested clarification that a facility would not be 
classed as a Risk Group A facility if it handles multiple passenger 
vessels not in Risk Group A simultaneously. This is correct, a facility 
(assuming, of course, that does not handle or receive vessels carrying 
CDC in bulk) would only be classified as Risk Group A if it handles one 
or more vessels certificated to carry over 1,000 passengers. The 
relevant risk factor is the presence at the facility of a vessel 
certificated to carry more than 1,000 passengers. The relevant risk 
factor is not the mere presence on the facility of more than 1,000 
people, which would be a transient event driven by simultaneous 
arrivals.
    Several commenters requested clarification of the use of the word 
``handle.'' Proposed Sec.  105.253(a)(1) categorizes facilities that 
handle CDC in bulk as Risk Group A facilities, but commenters had 
questions about how to interpret this phrase. These commenters 
requested clarification on how a facility would be classified if a 
vessel carrying CDC in bulk were to stop at a facility, but not 
transfer any of the bulk CDC cargo there. After considering the 
comments, and to clarify risk groups, we have determined that any 
facility that handles or receives vessels carrying CDC in bulk will be 
classified as Risk Group A. While moored at a facility, a vessel must 
rely on the facility's security program to adequately secure the 
interface between the facility and vessel and mitigate the threat of a 
TSI. For that reason, the facility should conduct electronic TWIC 
inspection to meet the security needs associated with handling or 
receiving vessels that carry CDC in bulk.
    Discussions at public meetings prompted the Coast Guard to clarify 
the term ``handle'' as it related to non-maritime commerce. 
Specifically, the question was raised whether a facility would be 
classified as Risk Group A if it was used to transfer CDC in bulk 
through rail or other non-maritime means. In this situation, such a 
facility would be considered to ``handle CDC in bulk'' and would be 
classified as Risk Group A. This is because the bulk CDC would be on 
the premises of a MTSA-regulated facility, and thus the facility's 
access control system would need to be used to mitigate the risk of a 
TSI. We note that there are provisions where non-maritime activities of 
a facility can be located outside of the facility's MTSA footprint. In 
that situation, where the bulk CDC is not a part of the maritime 
transportation activities, it may be that a facility could define its 
MTSA footprint in such a way as to exclude that area. In such a case, 
the TWIC reader requirements that are being implemented in this final 
rule would not apply in that area.
    Several commenters also requested clarification of the term ``in 
bulk.'' The term ``bulk'' or ``in bulk'' is defined in the Coast 
Guard's existing MTSA regulations (33 CFR 101.105) as meaning ``. . . a 
commodity that is loaded or carried on board a vessel without 
containers or labels, and that is received and handled without mark or 
count.'' Additionally, the term ``bulk'' is defined in 33 CFR 126.3 as 
``. . . without mark or count and directly loaded or unloaded to or 
from a hold or tank on a vessel without the use of containers or break-
bulk packaging.'' To clarify, the use of hoses and conveyor or vacuum 
systems would be considered direct loading or unloading and thus 
involve ``bulk.'' We have added such language to the definition of 
``bulk'' in Sec.  101.105 to improve clarity. We have also removed the 
phrase ``on board a vessel'' from the definition of ``bulk or in bulk'' 
to avoid confusion. Specifically, as stated above, a MTSA-regulated 
facility would be classified as Risk Group A if it handled bulk CDC 
offloaded by a train or other non-maritime means. A MTSA-regulated 
facility that handles or receives bulk CDC is determined to be Risk 
Group A whether or not the facility accepted the bulk CDC from a 
vessel. Finally, one commenter requested clarification that container 
terminals do not carry CDC in bulk. While we can clarify that CDC 
shipped in containers would not be considered bulk CDC, we note that 
some container facilities may also handle CDC in bulk.
    Some commenters requested clarification of the term ``receive,'' in 
regards to what the requirements would be if a Risk Group A vessel were 
received by a Risk Group B facility. The term ``receive'' is used in 
this final rule only in Sec.  105.253(a)(2), which states that 
``facilities that receive vessels certificated to carry more than 1,000 
passengers'' are considered Risk Group A. In this instance, the word 
``receive'' means that the vessel moors or transfers passengers to or 
from the facility. If there is a need for such a passenger vessel to 
moor up or transfer passengers at a non-Risk Group A facility, the COTP 
would need to be contacted to ensure that proper security measures are 
in place.
    One commenter asked how Strategic Ports would be classified. A 
Strategic Port designation, which means the location is used by the 
military to load equipment, has no direct impact on the electronic TWIC 
inspection requirements. Individual vessels and facilities will be 
required to comply with the applicable parts of this regulation based 
on their specific operations.
    One commenter asked if facilities that receive vessels certificated 
to carry more than 1,000 passengers would be classified as Risk Group A 
if all the vessels the facility received are exempted from the 
electronic TWIC inspection requirements by virtue of having fewer than 
14 crewmembers. The commenter further stated that it is rare that the 
vessels certificated to carry more than 1,000 passengers ever carry 
that many, and that there are rarely 1,000 passengers in the facility. 
Regardless of this fact, pursuant to Sec.  105.253(a)(2), such a 
facility would be required to conduct an electronic TWIC inspection 
prior to each entry into a secure area of the facility. We note that 
neither condition the commenter discussed is grounds for classifying 
the facility as anything other than Risk Group A. The fact that the 
vessels are exempt from the electronic TWIC inspection requirement due 
to their low manning requirement does not grant a TWIC exemption to the 
facility, for reasons discussed in greater detail below.
    Furthermore, the fact that the ferries at issue ``rarely'' carry 
the number of passengers they are certificated to carry does not change 
the status of the facility either. Our analysis has shown that the 
class of facilities that receive large passenger vessels present a 
heightened risk of a TSI, and that the use of electronic TWIC 
inspection in such facilities is an effective means to mitigate that 
danger. We believe that the access control requirements in this rule 
represent a good balance between costs and security.

[[Page 57682]]

    Several commenters were concerned that the dichotomy between 
electronic TWIC inspections on vessels and facilities could present 
problems for mariners. One commenter called a situation ``absurd'' 
where a ferry terminal, servicing ferries certificated to carry over 
1,000 passengers, would be required to meet electronic TWIC inspection 
requirements, while the ferries themselves would be exempt from those 
requirements due to their low crew size. We disagree with the 
commenter's characterization of the regulations. Ferry terminals that 
handle large ferries present a risk of a large-consequence TSI, so much 
so that we believe that requiring a biometric identification before 
granting an individual access to the non-passenger areas of the ferry 
terminal is a warranted security burden. On the other hand, we do not 
believe that electronic TWIC inspection is necessary to gain access to 
the ferries themselves, considering that non-TWIC-holding passengers 
will also have access to the same vessels. Contrary to the commenter's 
assertion, we believe it is quite reasonable to only require electronic 
TWIC inspections when the TWIC-holder is accessing an area where non-
TWIC-holders are excluded. As we stated previously, the electronic TWIC 
inspection requirements are designed in such a way as to only require a 
burden where the security benefits will be tangible and substantial, 
which is why they apply as they do.
    Some commenters suggested that where the presence of, and access 
to, CDC in bulk can be isolated from areas not containing these 
products within a large MTSA footprint, the facility should be allowed 
to limit elevated security measures to the higher-risk area only. This 
is a subject that was also raised in the NPRM.\57\ Upon consideration, 
and given the general flexibility accorded by this final rule, we 
believe that this suggestion is appropriate. If bulk CDC is contained 
in a discrete area of the facility, it may be possible to isolate that 
area from other areas of the facility. Any areas where bulk CDC is 
transferred, passed through, or stored (permanently or temporarily) 
would be subject to the electronic TWIC inspection access control 
requirements. If the owner or operator of a facility were to take this 
approach, we would still consider the facility a Risk Group A facility. 
However, the owner or operator would be permitted to delineate in the 
FSP a portion of the facility as not subject to the electronic TWIC 
inspection requirements. The FSP would also have to contain details of 
how unescorted access to other secure areas is still limited to TWIC-
holders.
---------------------------------------------------------------------------

    \57\ 78 FR 17797.
---------------------------------------------------------------------------

    Finally, many commenters presented examples of specific situations 
where they believed that electronic TWIC inspection in parts or in all 
of their facilities was inefficient or redundant. With regard to those 
situations, we reiterate that an owner or operator may apply for a 
waiver of any requirement the owner or operator considers unnecessary, 
as provided in 33 CFR 104.130 and 105.130, as appropriate. We have 
endeavored to tailor these requirements to be as effective as possible, 
but certain situations must be dealt with on an individualized basis.
    One commenter in a public meeting asked the Coast Guard to consider 
an exemption for LNG/LPG facilities not conducting transfer operations. 
Similarly, this commenter and others requested an exemption for cruise 
ship terminals when vessels are not present at the terminal. Without 
specific information, we cannot comment on the likelihood of a waiver, 
but note that in certain circumstances, facilities can change Risk 
Groups depending on operational needs.
    One commenter in a public meeting stated that container facilities 
should not be considered CDC facilities, and would therefore not be in 
Risk Group A. Given the definition of ``in bulk'' provided in 33 CFR 
101.105, any CDC being transported in a container (including tank 
containers) would be considered packaged and thus would not cause the 
facility to be classified as Risk Group A. We note that if a container 
facility were also used to transfer or store bulk CDC, it would be 
considered a Risk Group A facility and thus subject to electronic TWIC 
inspection requirements.
2. The Crewmember Exemption Does Not Apply to Facilities
    Many commenters supported the Coast Guard's proposal to exempt 
vessels with 14 or fewer crewmembers, but felt that a similar exemption 
should be applied to facilities with 14 or fewer employees as well. For 
the reasons described below, we disagree with this concept and are not 
including an exemption for small facilities similar to the exemption 
for low-crew vessels.
    One reason not to expand the electronic TWIC inspection exemption 
to facilities is due to the specific language of the SAFE Port Act. As 
stated above, the vessel exemption is predicated on Section 104 of the 
SAFE Port Act, codified in 46 U.S.C. 70105(m)(1), which prohibits the 
Coast Guard from requiring the placement of an electronic reader on a 
vessel unless the vessel has more individuals on the crew that are 
required to have a TWIC than the number we determine warrants such a 
reader. No similar mandate exists regarding facilities.
    Secondly, we believe that the nature of access to facilities is 
fundamentally different from the nature of access to vessels, and thus 
the rationale that justifies an exemption for vessels with a low crew 
count does not transfer to facilities with a low employee count. As 
stated elsewhere in this preamble, the TWIC serves fundamentally 
different roles with regard to facilities and vessels, due to the 
nature of the respective populations. On vessels (with the exception of 
passenger vessels), everyone on the vessel is generally known to one 
another, and new persons are generally not introduced to the vessel 
population while at sea. For this reason, the electronic TWIC 
inspection requirements for vessels, when applied, require only that 
the electronic TWIC inspection occur when boarding the vessel, not 
prior to each entry into a secure area of the vessel (such as an engine 
room). Conversely, at facilities, the entrance, exit, and egress of 
persons who are not employees is a regular occurrence; drivers, 
contractors, pedestrians, mariners, and other non-employees are on 
facility grounds regularly. Indeed, truck drivers make up one of the 
largest populations of TWIC-holders. For this reason, there are many 
persons on facility grounds that are not ``known'' to facility 
employees, and so additional security measures must be employed to 
ensure that unescorted access to the secure areas of a facility is 
granted only to TWIC-holders. For Risk Group A facilities, we believe 
that the appropriate level of security is to conduct an electronic TWIC 
inspection of each individual before granting them such access. That is 
why electronic TWIC inspection at facilities is required ``prior to 
each entry into a secure area,'' rather than only at the perimeter of 
the facility,\58\ as is the case with vessels. Due to the differences 
in electronic TWIC inspection requirements, we do not believe an 
exemption from the electronic TWIC inspection requirements based on a 
low number of employees is appropriate for Risk Group A facilities.
---------------------------------------------------------------------------

    \58\ See Sec.  101.535(b)(1).
---------------------------------------------------------------------------

    One commenter, in addition to requesting the extension of the low 
crewmember exemption to facilities, specifically requested that barge 
fleeting facilities with 14 or fewer people be excluded as well. In 
this final rule, barge fleeting facilities are no longer a

[[Page 57683]]

separate class of facilities specifically subject to electronic TWIC 
inspection requirements. However, barge fleeting facilities are treated 
as facilities, and are subject to the same electronic TWIC inspection 
requirements as other facilities.
3. The Low Number of Crewmembers Exemption
    The NPRM proposed that, unlike facilities, vessels in Risk Group A 
are exempt from the electronic TWIC inspection requirements unless they 
have more than 14 TWIC-holding crewmembers. This exemption was based, 
in part, on the statutory limit imposed in the SAFE Port Act, 46 U.S.C. 
70105(m)(1), which prohibits the Coast Guard from requiring the 
placement of an electronic reader on a vessel unless the vessel has 
more individuals on the crew that are required to have a TWIC than the 
number we determine warrants such a reader. In the ANPRM and the NPRM, 
we tentatively proposed that this number would be 14 crewmembers, 
basing our recommendation on an analysis conducted by the Towing Safety 
Advisory Committee (TSAC). For the final rule, factoring in comments 
received and assumed risks, we have increased this number to 20 
crewmembers.
    We received numerous comments on the proposal to exempt all vessels 
with 14 or fewer TWIC-holding crewmembers from the electronic TWIC 
inspection requirements. In the NPRM, we requested that commenters 
explain any alternative suggestions and provide available data to 
support their comments. Comments we received generally fell into two 
categories. Many commenters suggested different numbers for the 
exemption threshold, with a fair majority supporting a larger number, 
thus exempting more vessels from the electronic TWIC inspection 
requirement. The other main group of commenters requested clarification 
on how, specifically, we would calculate the crew size of any 
particular vessel to determine whether a Risk Group A vessel would be 
exempt from the electronic TWIC inspection requirements. Both items are 
discussed below.
4. Calculating the Total Number of TWIC-Holding Crewmembers
    Several commenters raised questions as to how, specifically, the 
Coast Guard would calculate the number of TWIC-holding crewmembers on a 
vessel to determine whether the vessel would be exempt from the 
electronic TWIC inspection requirements. Upon review, we found that 
there was some degree of confusion with regard to how this number is 
determined. We have identified two approaches to calculating the 
exemption number that may have led to this confusion. One approach 
would be to calculate the number by counting the total number of 
persons employed as crewmembers on the vessel. The NPRM's original 
determination of 14 crewmembers was calculated using this approach. 
That number included the Master, Chief Engineer, and three four-person 
rotating crews. We counted the total number of persons employed as 
crew, whether or not all of them would serve together simultaneously.
    The other approach would be to calculate the number by referring to 
a vessel's Certificate of Inspection (COI) regarding crew size, which 
does not contain information regarding multiple crew rotations, but 
rather just the manning requirements for the vessel. Using that 
methodology, the same vessel described above, with a Master, Chief 
Engineer, and several four-person rotating crews would actually have 
had six crewmembers. As explained more fully below, this final rule 
adopts the latter approach.
    Commenters also put forth a number of detailed issues relating to 
how the number of crewmembers would be determined. One commenter noted 
that while at any given time during a shift, the total number of 
required TWIC-holders aboard will generally be 14 or fewer, during 
shift changes the number will swell to more than 14. The commenter went 
on to question the definition of the term ``crewmember,'' noting that 
there may be TWIC-holders on board, such as security personnel, who are 
not members of the marine crew required under the vessel's COI. The 
commenter requested that the Coast Guard clarify the scope of the 14-
crewmember exemption with regard to TWIC-holders who are not members of 
the marine crew.
    Similarly, several commenters specifically requested that the Coast 
Guard clarify that the 14-crewmember threshold only includes the 
required number listed on the vessel's COI, and does not include 
``persons in addition to the crew,'' industrial workers, etc. Some 
commenters recommended that for uninspected vessels, ``required crew'' 
should include all personnel assigned to the vessel performing 
navigation, safety, and security functions. Commenters also asked 
whether crewmembers included additional individuals such as company 
representatives, cadets, and contractors. One commenter stated that 46 
U.S.C. 2101(21) excludes certain company representatives from being 
counted as passengers, so they could be counted as crew. Also, in 
situations where a vessel is forced to carry persons other than crew, 
such as emergency responders, commenters asked if they would still be 
subject to the exemption from the electronic TWIC inspection 
requirement.
    In response to these comments, the Coast Guard is providing 
additional detail and explanation regarding this exemption. Based on 
our own analysis, and on the comments received, we agree with the 
commenters who suggested that ``crewmembers'' should include all 
personnel required to hold a TWIC in the required manning section of 
the COI (and we note that there are no uninspected vessels subject to 
MTSA requirements). Other persons in the crew section and the ``persons 
in addition to the crew'' section of the COI do not count towards the 
calculation for total number of TWIC-holding crewmembers. We reached 
this decision for the following reasons.
    First, whether a vessel is subject to electronic TWIC inspection 
requirements should not vary based on transient circumstances, such as 
whether a company representative is on board, or a crew change causes 
the number of TWIC-holders on the vessel to temporarily swell and 
exceed the threshold. Electronic TWIC inspection programs must be 
incorporated into a security plan and followed consistently. We believe 
that the stability from having a consistent electronic TWIC inspection 
process will help serve the goals of the inspection requirements while 
minimizing the burden on vessels and facilities in Risk Group A.
    Second, establishing the minimum manning requirement as the 
threshold number helps to ensure that other manning decisions are not 
affected by the electronic TWIC inspection requirements. For example, 
if it were based on the total number of employed crew, irrespective of 
whether that crew was required for manning the vessel, then some owners 
or operators of vessels might choose to lower their staffing 
requirements rather than introduce the new procedures. We received 
several comments suggesting that certain companies might choose to 
eliminate staff rather than comply with electronic TWIC inspection 
requirements. Tying the electronic TWIC inspection requirements to the 
minimum manning requirements will significantly reduce the risk of this 
occurring. The minimum manning requirements of a vessel are tied to the 
intrinsic nature of the vessel, and are not nearly as elastic as the 
other crewing needs of the vessel.

[[Page 57684]]

5. Threshold for the Crewmember Exemption
    Based on the TSAC recommendation, we proposed in the NPRM that the 
cutoff number of crewmembers that make a vessel exempt from the 
electronic TWIC inspection requirement should be 14. We specifically 
requested comments from the public on whether 14 is an appropriate 
cutoff number, and requested explanations and available data to support 
any arguments for alternative numbers. We received numerous comments 
regarding this issue. Some commenters suggested that 14 was an 
appropriate number, but the majority suggested that it be increased.
    The PVA and other commenters suggested that the Coast Guard should 
not have followed TSAC's recommendation, as not all sectors of the 
domestic maritime industry have input into that group's 
recommendations. The PVA suggested that 20 was a more appropriate 
number, noting that the largest minimum manning requirement for its 
members' vessels was 16. This figure is larger than 14, but not so 
large that long-time crewmembers would not recognize each other. This 
figure was suggested as appropriate because it would be a figure 
developed with the consultation of industry.
    Similarly, many passenger vessel operators suggested that the 
exemption threshold be set high enough to exempt passenger vessels. One 
commenter suggested that the threshold number of 14 did not make sense, 
and that even with a crew of 20-30 people, it would be impossible for 
an imposter amongst them to go unnoticed. Another commenter suggested 
that 40 crewmembers would be a better threshold, arguing that the 
regulatory compliance costs of electronic TWIC inspection, added to 
other costs relating to security, were too onerous.
    After considering all comments, we have decided to increase the 
number to 20 crewmembers as the figure for determining the threshold 
number under 46 U.S.C. 70105(m). Considering input received from all 
areas of industry, we believe it is an appropriate crew size at or 
under which all crewmembers will be able to quickly identify people who 
do not have unescorted access to secure areas. We realize that this may 
be a conservative figure, and that there is no hard number at which all 
crewmembers will recognize each other by sight. This number is highly 
dependent on the length of time the crew has served together, and on 
the reliability of every individual crewmember's memory. Nonetheless, 
we believe that the figure of 20 crewmembers presents a reasonable 
threshold at which all members of the crew can be realistically be 
expected to recognize one another. However, we are continuing to study 
the issue, and may propose to expand the electronic TWIC inspection 
requirements by reducing the exemption threshold in a future 
rulemaking.
    The Coast Guard realizes that increasing the crewmember threshold 
now exempts not only most passenger vessels, but many vessels that 
carry CDC in bulk. We are comfortable with this exemption at this time 
for two reasons. First, as stated by many of the commenters, we believe 
that a crew of 20 on a vessel that carries CDC in bulk will all be 
familiar with one another, so the risk of an unauthorized person being 
unnoticed on the vessel is slim. Second, due to the requirements for 
electronic TWIC inspection at the facilities where the CDC vessels 
conduct a majority of their business, the vast majority of these 
crewmembers will have their TWIC verified when passing through the 
facility on their way to the vessel, during crew changes or other trips 
ashore. Finally, one commenter in a public meeting noted that TWIC 
readers on vessels may be exposed to explosive atmospheres, and that 
therefore, TWIC readers must be intrinsically safe. In the event that 
TWIC readers are installed in hazardous areas, they would need to 
comply with all applicable requirements associated with those areas, 
which would at the minimum likely entail additional costs for testing 
and certification, and we note that no TWIC reader on the QTL is 
currently certified as intrinsically safe. For these reasons, we 
believe that imposing an additional requirement that crewmembers 
undergo an additional round of electronic TWIC inspection each time 
they board the vessel would provide limited security value for vessel 
with fewer than 20 crewmembers carrying bulk CDC.
6. Outer Continental Shelf Facilities
    In the NPRM, we proposed to characterize all OCS facilities as Risk 
Group B, meaning that they would not need to undertake electronic TWIC 
inspection. In this final rule, the Coast Guard continues to exclude 
OCS facilities from electronic TWIC inspection requirements. One 
commenter, an owner of some OCS facilities, asked whether TWIC readers 
could be placed at ``the point(s) of embarkation'' as opposed to 
placing TWIC readers on the OCS facility itself. Such a placement would 
be permissible if described in an approved FSP. However, we note that 
because OCS facilities are not considered Risk Group A, no electronic 
TWIC inspection requirements will apply as a result of this final rule.
7. Vessels and Facilities Not in Risk Group A
    Many commenters supported the Coast Guard's decision not to include 
additional requirements for Risk Groups B and C in the NPRM. We 
appreciate the support, and agree that at this time, only vessels and 
facilities in Risk Group A will be affected by the electronic TWIC 
inspection requirements in this final rule. However, as stated in the 
NPRM, this final rule ``should not be read to foreclose revised TWIC 
reader requirements in the future.'' \59\ Many commenters took this, 
and similar statements, as an indication that we had planned to extend 
electronic TWIC inspection requirements to Risk Group B vessels and 
facilities. As a result, we received several comments on the 
categorization of vessels and facilities within those Risk Groups.
---------------------------------------------------------------------------

    \59\ 78 FR 17790.
---------------------------------------------------------------------------

    One commenter suggested that all facilities, including those 
proposed to be in Risk Groups B and C, should be required to have at 
least one portable TWIC reader. The commenter stated that this would 
allow the facility to complete a comprehensive check of a TWIC, which 
would help to deter potential attackers by making it more likely that 
they would be caught. While we agree that adding electronic TWIC 
inspection to all facilities would produce a security benefit, for the 
reasons extensively detailed in this rulemaking, we do not believe that 
such measures would be efficient at this time for lower-risk 
facilities. The commenter also argued that security guards should not 
manually check the CCL during visual TWIC inspection, as it could 
distract him or her. We note there are no requirements to check the 
list of cancelled TWICs during visual TWIC inspection, nor does this 
rulemaking affect visual inspection procedures.
    One substantial change being made in this final rule is the 
discontinuation of the distinction between Risk Group B and Risk Group 
C. The distinction between these two Risk Groups was relevant in the 
ANRPM, where we had proposed that Risk Group B vessels and facilities 
would be required to use TWIC readers on a random basis, whereas Risk 
Group C vessels and facilities would not be required to use TWIC 
readers at all. However, in the NPRM, we proposed to eliminate the 
random TWIC screenings from the Risk Group B requirements, and thus 
there was no distinction in

[[Page 57685]]

requirements between those two Risk Groups. Nonetheless, we still 
proposed that the terminology for Risk Groups B and C be included in 
the regulations. Despite the lack of distinct requirements, many 
commenters read the NPRM to mean that electronic TWIC inspection 
requirements would be applied in some manner to Risk Group B vessels 
and facilities, and many commenters discussed the criteria by which 
vessels and facilities were classified as Risk Group B or C.
    One commenter did not support the proposed placement of Oil Spill 
Response Vessels and Oil Spill Response Barges in Risk Group B, arguing 
that these vessels carry primarily an oily water mixture, rendering 
them at low risk for terrorist attack. The commenter provided 
additional analysis distinguishing Oil Spill Response Vessels from tank 
vessels, and requested that they be classified as Risk Group C.
    Multiple commenters supported the decision to place Offshore Supply 
Vessels in Risk Group C, but wanted to clarify the definition of 
``Offshore Supply Vessel'' for the purposes of TWIC requirements.
    One commenter argued against the placement of all OCS facilities in 
Risk Group B. The commenter believed they should be subject to the same 
site-specific analysis that other facilities are subject to, and placed 
into Risk Group B or C as appropriate.
    Several commenters responded to the Coast Guard's request for 
information as to whether petroleum refineries and storage facilities 
should be categorized as Risk Group A. Some commenters stated that it 
would be inappropriate for the agency to arbitrarily re-categorize 
these facilities without supporting study and analysis, and requested 
that if the Coast Guard omitted a risk in its initial analysis, a 
second notice and comment opportunity should be provided. One commenter 
noted that, according to the Coast Guard's RA, the risk level for 
petroleum facilities was more comparable to Risk Group C than Risk 
Group A. Commenters also noted that due to the spacing of petroleum 
tanks at facilities, it is highly unlikely that a fire at one tank 
could ``jump'' to another.
    Several commenters provided the Coast Guard with a 2008 study 
entitled ``Risks Associated with Gasoline Storage Sites,'' which they 
argued demonstrated that gasoline does not pose a high risk of off-site 
consequences if involved in an incident, particularly one related to 
security.
    One commenter expressed concern about the expectation regarding the 
phase-in statements made in the NPRM, stating that the absence of 
``definitive statements'' has left the owners and operators of 
facilities in Risk Groups B and C wondering what will happen and what 
they should do.
    Similarly, one commenter stated that it seemed as if ``phased in'' 
was already the basic approach being taken by the Coast Guard, and that 
revisions to the electronic TWIC inspection requirements were all but 
certain. That commenter requested that instead of this approach, the 
Coast Guard should specifically identify the vulnerabilities that will 
be addressed and develop a proposal accordingly. Finally, commenters 
noted that if the Coast Guard were to propose expanding electronic TWIC 
inspection requirements beyond Risk Group A, a new Regulatory 
Flexibility Act analysis would be required.
    One commenter drew a distinction between petroleum refineries and 
petroleum storage facilities. The commenter stated that the petroleum 
storage facilities only store petroleum, whereas refineries may contain 
many types of more hazardous materials, such as hydrogen, although the 
commenter also stated that such facilities are well-equipped to handle 
those materials.
    Based on the comments received on this issue, we are not 
categorizing petroleum storage or refining facilities as Risk Group A 
in this final rule. Furthermore, we note that if and when the Coast 
Guard decides to propose additional electronic TWIC inspection 
requirements for facilities not currently classed as Risk Group A, 
global factors such as the cost of implementing electronic TWIC 
inspection, risk factors relating to the threat of a TSI, or other 
unforeseen conditions may have changed, necessitating a reconsideration 
of which vessels and facilities should be subject to additional 
security measures. The factors raised by commenters will be considered 
if and when additional TWIC inspection requirements are proposed in the 
future.
    We agree with the argument put forth by commenters that before 
extending electronic TWIC inspection requirements, a revised analysis 
of the costs and benefits should be undertaken and that opportunity to 
comment on those proposed requirements should be provided. Given the 
arguments raised in the comments, it is clear that more analysis needs 
to be conducted before the requirements of electronic TWIC inspection 
are extended to vessels and facilities not in Risk Group A. We do not 
believe that setting out the risk parameters for the next group of 
vessels and facilities to which electronic TWIC inspection may be 
applied is appropriate at this time. If and when the electronic TWIC 
inspection requirements are phased in further, the Coast Guard believes 
that the additional flexibility afforded by not having preset 
definitions for the lower-tier Risk Groups will allow us to better 
tailor the future rulemakings appropriately. As the analysis of risks, 
threats, and costs continues to evolve, we will conduct further 
analysis as appropriate as well as solicit additional information from 
the public.
8. Barge Fleeting Facilities
    The inclusion in Risk Group A of barge fleeting facilities that 
handle barges carrying CDC in bulk was a topic discussed by a large 
number of commenters. The Coast Guard received comments from a variety 
of barge fleet operators, towing operators, and trade associations. 
Universally, comments on this subject argued that barge fleeting 
facilities should not be required to install TWIC readers. For the 
reasons described below, based on the comments received, we have 
removed the separate requirement that barge fleeting facilities that 
handle barges carrying CDC in bulk are specifically considered Risk 
Group A. Instead, barge fleeting facilities are considered facilities, 
and may be required to perform electronic TWIC inspection if the 
standard criteria for Risk Group A are met.
    Barge fleeting facilities are defined in 33 CFR 101.105 as ``a 
commercial area, subject to permitting by the Army Corps of Engineers . 
. . or pursuant to a regional general permit[,] the purpose of which is 
for the making up, breaking down, or staging of barge tows.'' Because 
this rulemaking would only affect barge fleeting facilities that 
interact with barges carrying CDC in bulk, only those barge fleeting 
facilities which are used for the staging of barge tows would be 
affected by this final rule. In the NPRM, we proposed that all barge 
fleeting facilities that service barges carrying CDC in bulk would be 
considered Risk Group A.
    Comments on why barge fleeting facilities should not be included in 
Risk Group A fell into four general categories. First, many commenters 
argued that the cost of installing TWIC readers at barge fleeting 
facilities would be higher than the installation costs at other 
facilities due to their remoteness, and that the Coast Guard's 
preliminary RA had not taken this into account. Second, several 
commenters argued that due to the remote location or lack of permanent 
infrastructure of many barge fleeting facilities, the consequences of a 
TSI would not be so great as to warrant

[[Page 57686]]

an inclusion into Risk Group A. Third, one commenter argued that 
because barge fleeting facilities only service vessels that would be 
exempt from the TWIC reader requirement (because they have fewer than 
14 crew), the facilities should also be exempt. Finally, several 
commenters argued that a TWIC reader would not enhance security at 
barge fleeting facilities. We address each of these comment categories 
below.
    The cost of installing TWIC readers at barge fleeting facilities 
was cited by commenters as a reason to reconsider placing them in Risk 
Group A. Commenters generally argued that logistical considerations 
made installing TWIC readers in barge fleeting facilities substantially 
more expensive than at traditional installations. Several commenters 
stated that infrastructure costs, such as electricity, Internet access, 
and a facility to protect the TWIC reader would cause this requirement 
to be dramatically more expensive than originally considered. 
Similarly, commenters stated that these costs were not considered by 
the Coast Guard in its preliminary RA. Multiple commenters stated that 
the $300,000 initial phase-in costs estimated for bulk liquid 
facilities seemed like a low estimate. These commenters suggested that 
they would refuse to handle barges carrying bulk CDC rather than bear 
this increased cost, and that a final rule would cause rates to rise at 
other facilities. Similarly, commenters suggested that the decision to 
require TWIC readers at these barge fleeting facilities could actually 
be detrimental to security because, building on the idea that many 
facilities would refuse to handle bulk CDC barges, those barges would 
become concentrated at the few facilities that did allow them, thus 
increasing the risk profile of the fleeting areas that service them.
    We disagree with the notion that TWIC readers would be 
substantially more expensive to operate at barge fleeting facilities 
than at other types of facilities. As summarized above, the commenters 
who made this argument all cited various infrastructure costs, 
including installing electrical connections, Internet service, and a 
facility to protect the TWIC reader as drivers of the increased costs. 
However, all of these costs are associated with fixed TWIC readers, 
which are not required by this rule. Isolated facilities without 
electrical or data connections could use portable electronic readers to 
comply rather than undertake these measures to install fixed readers. 
We note that portable electronic readers can be, and are, operated 
using battery power and wireless communication technology to scan TWICs 
and check them against the list of cancelled TWICs.
    With regard to our preliminary RA, we disagree that the costs of 
TWIC readers was not applied to barge fleeting facilities. As stated 
above, as portable electronic readers can be used to conduct electronic 
TWIC inspections without expensive upgrades to infrastructure, we 
believe that the price of portable electronic readers estimated in the 
preliminary RA is applicable to barge fleeting facilities that are not 
connected to electrical and information infrastructure. Furthermore, 
barge fleeting facilities were counted in the overall analysis of 
facilities covered by the proposed rule. Thus, we believe that the 
preliminary RA sufficiently analyzed the cost impacts for barge 
fleeting facilities.
    Numerous commenters argued that barge fleeting facilities are so 
isolated they should not be placed in Risk Group A. For example, one 
commenter recommended that barge fleeting facilities be categorized as 
Risk Group C, or as an alternative, CDC fleeting areas should be 
categorized using a risk-based approach based on the geographic 
location in relation to populations, with those in higher-density 
locations placed in Risk Group A. One commenter added that for economic 
reasons, fleets are usually far removed from major industrial or 
population centers, thus limiting the risk as potential targets for 
terrorist attacks.
    Because of the MSRAM methodology used to determine risk, we 
disagree that perceived geographic isolation of a particular facility 
alone should justify lesser security requirements. The risk groupings 
are based on the averaged MSRAM scores for each class of facility. In 
conducting our risk analysis, one of the primary factors used was an 
estimate of the average maximum consequences of a TSI on a class of 
facility. In MSRAM, the Coast Guard calculates the maximum consequence 
for each facility, which is the estimate of all damages that would 
occur from the total loss of a facility caused by a TSI resulting from 
a terrorist attack. This singular maximum consequence score factors in 
the total loss of a target, factoring in injury, loss of life, economic 
and environmental impact, symbolic effect, and national security 
impact. Further included in the calculation is an estimation of damage 
done to areas surrounding the facility that would be affected in the 
event of a TSI, meaning a facility in a densely-populated area could 
have a much higher maximum consequence score if a TSI would inflict 
damage on nearby populated areas. Then, the average maximum consequence 
for the class of facilities is derived from the calculations of each 
facility in the class, taking into account their specific geography. 
Thus, geographic isolation, or lack thereof, has already been 
considered in the score calculation. Even considering the geographic 
isolation of some barge fleeting facilities, this class as a whole 
presents a risk of a serious TSI, which is why it was included in Risk 
Group A.
    One commenter also argued that because tugboats that service barges 
are exempt from the requirements for electronic TWIC inspection, due to 
having fewer than 14 crewmembers, then the barge fleeting facilities 
should not be subject to TWIC requirements. In the discussion relating 
to electronic TWIC inspection requirements at facilities that service 
exempted vessels, we discussed in detail why a facility may be required 
to conduct electronic TWIC inspection, even if the vessels the facility 
services are exempted due to low crew counts. This analysis applies 
equally with regard to barge fleeting facilities.
    A variety of other arguments were made to exclude barge fleeting 
facilities from the electronic TWIC inspection requirements. For 
example, a commenter argued that barge fleeting facilities by their 
very nature do not interact with vendors or visitors. We note that TWIC 
requirements apply to permanent personnel as well as vendors and 
visitors (some of whom may not have TWICs, and would thus need to be 
escorted), and that electronic TWIC inspection provides several 
security enhancements, such as the ability to detect revoked TWICs, 
that are applicable to personnel as well as vendors and visitors.
    Some commenters stated that fleet personnel traffic is very low 
compared to regular shore maritime facilities and therefore are very 
low risk. We note that regular personnel traffic is not related to the 
risk that electronic TWIC inspection is designed to mitigate.
    Electronic TWIC inspection helps to ensure that unauthorized 
personnel are not granted unescorted access to secure areas. This can 
happen regardless of the number of persons on the facility.
    Several commenters argued that screening for personnel on barge 
fleeting facilities is already in place, and is extensive, including 
TWIC checks. As stated above, for high-risk facilities, we do not 
believe that visual TWIC inspections provide enough security. This 
final rule requires that TWICs be electronically inspected before 
unescorted access to secure areas of a MTSA-regulated, high-risk 
facility is

[[Page 57687]]

granted. This logic applies to barge fleeting facilities as well as 
other facilities.
    One commenter described a barge fleeting facility as ``one of the 
few safe places'' for crew transfers. The commenter implied that 
requiring crewmembers to run their cards through an electronic reader, 
which the commenter described as redundant and burdensome, could 
somehow impact safety. Without additional reasoning, we see no linkage 
between the safety of the crew and the need for security measures, 
except for the obvious benefits of protecting the crew from a TSI.
    Finally, several commenters argued that due to the nature of barge 
fleeting facilities, TWIC readers would not provide security benefits. 
One commenter stated that if there is no access from the riverbank to 
the area where the barges are stored, then the TWIC reader is not 
adding any security value. Similarly, several commenters noted that 
while electronic TWIC inspection is required at the access points to 
each secure area, barge fleeting facilities do not have defined access 
points, but rather people come in via waterways. Several commenters 
described barge fleeting facilities as ``parking lots,'' and noted that 
very few individuals from outside the fleeting facility, other than the 
crews of tugs, enter the facility. Oftentimes, due to a lack of other 
means of access, persons entering the facilities need to come via 
vessel and can do so only with the coordination of the FSO. Lastly, one 
commenter, while arguing for an exemption for barge fleeting 
facilities, stated that its barge fleeting facilities have a different 
risk profile than land-based facilities, noting that the fleeting areas 
are ``simply unmanned barge parking lots continuously serviced by 
towing vessels.'' \60\
---------------------------------------------------------------------------

    \60\ USCG-2007-28915-0195, USCG-2007-28915-0213.
---------------------------------------------------------------------------

    We have carefully considered the arguments of these commenters, and 
believe that we can address their concerns through a modification of 
the regulatory requirement. If a typical maritime facility met the 
specific criteria that these commenters describe, where there is no 
bulk CDC at the facility to protect, and no access points at which 
electronic TWIC inspection would be conducted, the facility would not 
be considered a Risk Group A facility. We believe that with regard to 
barge fleeting facilities, the same standard should be applied. For 
that reason, we are removing the specific reference to barge fleeting 
facilities in proposed Sec.  105.253(a)(3). Instead, we are adding 
text, in Sec.  105.110(e), Exemptions, which clearly states that barge 
fleeting facilities that do not have a secure area are exempt from the 
requirements in 33 CFR 101.535(b)(1). Based on this change, many of the 
concerns from the commenters regarding the application and utility of 
electronic TWIC inspection will be addressed.
    We note that simply because the reference to barge fleeting 
facilities has been deleted from proposed Sec.  105.253(a)(3), some 
barge fleeting facilities will still be required to comply with 
electronic TWIC inspection if they meet the requirements of Sec.  
105.253(a)(1). Thus, if a barge fleeting facility handles or receives 
CDC in bulk, it would be considered to be a Risk Group A facility, and 
would be subject to the electronic TWIC inspection requirements. 
However, we note that the electronic TWIC inspection requirements would 
be limited to secure areas only, as towing boats could still service 
barges without having their crews' TWICs electronically inspected (see 
the discussion in Section V.C.1, above).
9. Switching Risk Groups
    Several commenters requested additional clarification and 
explanation regarding the NPRM's discussion of moving between Risk 
Groups. In the NPRM, the Coast Guard stated that it was adding 
Sec. Sec.  104.263(d) and 105.253(d) to ``address the movement between 
risk groups by vessels and facilities, based on the materials they are 
carrying or handling, or the types of vessels they are receiving at any 
given time.'' \61\ These provisions, which are located at Sec. Sec.  
104.263(b) and 105.253(b) of this final rule, provide flexibility to 
owners and operators of vessels and facilities that only meet the 
criteria for Risk Group A classification on an infrequent or periodic 
basis, such as a facility that only occasionally receives a shipment of 
bulk CDC. Based on the comments received on this issue, we are 
finalizing this requirement without change.
---------------------------------------------------------------------------

    \61\ 78 FR 17815-6.
---------------------------------------------------------------------------

    One commenter supported the Coast Guard's proposal for movement 
between Risk Groups noting that the proposal would grant a facility a 
degree of flexibility to tailor its security precautions to the TSI 
risks posed at a given time. We appreciate the support.
    In the NPRM, we stated that an owner or operator wishing to take 
advantage of one of these provisions would be required to explain how 
the vessel or facility would move between Risk Groups in an approved 
security plan, and that the plan would be required to account for the 
timing of such movement, as well as how the owner or operator would 
comply with the requirements of both the higher and lower Risk Groups.
    One commenter requested more explicit guidance on the criteria for 
facilities to move between Risk Groups, asking for guidance regarding 
the process and for the types of security measures that would need to 
be in place for a facility to move from a higher Risk Group to a lower 
one. In response, we note that moving between Risk Groups is not 
dependent on security measures, it is dependent on whether a facility's 
change in operations moves it into a different Risk Group. For example, 
if a facility that periodically handled CDC in bulk were to cease 
handling that material, it could move from a Risk Group A facility to a 
non-Risk Group A facility. While such a move is independent of any 
change in security measures, we note that the facility would still have 
to amend its FSP with regard to any changes in security procedures.
    One commenter stated that his facility occasionally handles bulk 
CDC for short periods of time. The commenter supported the NPRM's 
proposal to permit switching Risk Groups, but requested that is should 
be possible to do so ``without a lot of bureaucratic paperwork.'' In 
such an instance, an FSP could contain two alternative security 
arrangements, one for operating as a Risk Group A facility, and one for 
operating as a non Risk Group A facility, along with the process for 
switching. Assuming that such an FSP was approved by the COTP, then 
switching risk groups could be accomplished without additional 
paperwork each time the operator changes risk groups.
E. Responses to Economic Comments
    The Coast Guard received numerous comments from organizations and 
individuals regarding the costs and benefits associated with the 
requirement for electronic TWIC inspection. Many commenters, responding 
to specific requests for information, provided details and opinions 
regarding the costs of installing and operating an electronic TWIC 
inspection system. The issues involved the specific costs of purchasing 
and installing electronic TWIC reading equipment, the operational 
details concerning electronic TWIC inspection (including how it could 
increase or decrease the number of persons employed in security 
positions), and the costs to

[[Page 57688]]

transportation workers who may need to replace malfunctioning TWICs. We 
appreciate these comments and have attempted to integrate them into our 
RA. We address the specific topics in the sections of this preamble 
below.
1. Costs of TWIC Readers
    We received numerous comments from both suppliers and users of 
electronic TWIC inspection equipment regarding the standard costs of 
TWIC inspection equipment. In the NPRM, we estimated the average costs 
of TWIC readers by researching the equipment costs for all TWIC readers 
that have passed the TSA's test to conform with its Initial Capability 
Evaluation (ICE) test, which is maintained and made available to the 
public by TSA.
    One commenter stated that the preliminary RA overestimated the 
costs of procuring TWIC readers. The commenter stated that the TWIC 
Pilot Report overstated the costs of TWIC readers, as pilot 
participants used grant money for incidental security needs, such as 
PACS, costs related to guard stations, lift gates and fencing. We 
disagree with the commenter's analysis, and note that we did not use 
the pilot grants as a basis for the costs of TWIC readers. As stated in 
the NPRM RA (Section 4.1.1., TWIC reader costs), the costs of TWIC 
readers were determined using approved TWIC readers that had passed the 
TSA ICE test.
    Multiple commenters stated that the NPRM RA overestimated the cost 
of TWIC readers, and of the software, needed. One commenter also stated 
that the Coast Guard used overstated software prices that came from a 
single supplier and should have used $4,250 for both fixed and portable 
TWIC readers that included both hardware and software. The commenter 
added that the price of electronic TWIC inspection continues to fall as 
technology develops and is deployed on a larger scale. The Coast Guard 
did not use pricing information from a single supplier, but relied on 
multiple vendors' publicly available information for regulatory 
analyses supporting the NPRM and this final rule. While we agree that 
the price has fallen, we cannot use the prices cited by the commenter 
directly. However, we note that we have adjusted the TWIC reader cost 
prices in the final RA. The NPRM RA's TWIC reader cost estimates relied 
on the ICE List and utilized those equipment costs listed on the U.S. 
General Services Administration (GSA) price schedule. The QTL includes 
all TWIC readers that are currently approved by TSA (at the time the 
final RA was developed) for use in reading TWICs. For the final rule 
RA, instead of using GSA schedule listed prices for TWIC readers as was 
the case for the NPRM RA, we utilized the QTL's TWIC reader information 
to obtain an average cost for portable TWIC readers, and used the GSA 
schedule for fixed TWIC readers. We note that, for the final rule's 
cost analysis, we used average TWIC reader prices that we estimated 
$5,373 for fixed TWIC readers and $7,035 for portable TWIC readers. 
These prices are close to the one the commenter suggested at $4,250 for 
either fixed or portable TWIC reader.
    The same commenter also added that it would not be necessary to 
purchase an entirely new PACS software system, and that one could 
simply add an electronic reader to the existing PACS that supports the 
perimeter access points for some entities. We agree, and go further in 
our RA, noting that it is possible to integrate biometric input 
functions into an existing PACS, rather than install a separate 
integrated TWIC reader. Use of this discretionary option can reduce 
electronic TWIC inspection costs substantially, depending on the 
business operations of the facility using such a system. However, we do 
not quantify the potential for these cost savings in the RA.
    The commenters also made statements regarding the cost for CCL 
updates, which were echoed by other commenters. They stated that 
updates to the CCL should be an automated function taking about five 
seconds, and therefore, these should not be included as an ongoing item 
with assigned labor expense in the RA. In the NPRM RA, we estimated 
that the costs to update the CCL would be, on average, 30 minutes per 
week, which comes to 26 hours per year. In the final analysis, this 
figure is unchanged. While we recognize that some larger facilities may 
be able to automate this process, we do not believe that all facilities 
will have such an automated solution.
    One commenter stated that the adoption of the QTL could cause 
``change order costs'' to replace more expensive TWIC readers, and that 
the facilities who need to change TWIC readers should get grants to 
cover these costs. The Coast Guard disagrees. The final rule will allow 
many different types of biometric scanners in addition to the ones 
published on the TSA's QTL, and the rule is not design-prescriptive, so 
many entities will be able to continue to use existing equipment and 
therefore should not incur additional costs. The Coast Guard is not 
mandating that owners or operators use only the TWIC readers listed on 
the TSA's QTL in this final rule.
2. Number of TWIC Readers at Vessels and Facilities
    Additionally, several commenters believed that the Coast Guard has 
not appropriately addressed the overall numbers of TWIC readers. 
Several commenters claimed that the NPRM and the RA did not contain 
accurate estimates of the number of TWIC readers needed for a vessel or 
a facility. One commenter, who owns multiple vessels and a terminal, 
estimated that it would need as many as 20 TWIC readers to comply with 
the proposed regulatory text.
    One commenter described the Coast Guard as contradicting itself, by 
stating in the preamble that Risk Group A vessels would need only one 
TWIC reader, at the entrance to the vessel, yet the proposed regulatory 
text required a TWIC reader at ``each entry.'' \62\ Another commenter, 
a city government agency in charge of passenger ferries and terminals, 
also disagreed with the idea of one point of access per ferry. That 
agency estimated at least 62 TWIC readers would be necessary for their 
facilities alone.
---------------------------------------------------------------------------

    \62\ See 78 FR 17803 and proposed Sec.  104.265(a)(4), 78 FR 
17831.
---------------------------------------------------------------------------

    We note that the confusion regarding the regulatory text language 
in the NPRM, which stated that TWIC readers were required ``prior to 
each entry,'' has been thoroughly discussed above. In this final rule, 
most vessels are exempted from electronic TWIC inspection requirements, 
and those subject to them are only required to conduct such an 
inspection once, prior to entry onto the vessel.
    With regard to facilities, we clearly state that electronic TWIC 
inspection must be conducted prior to each entry into a secure area. 
Given the nature of facilities, we acknowledge that many facilities 
will require multiple TWIC readers or other machines capable of 
conducting electronic TWIC inspection, either because they have a large 
number of access points to secure areas, or because they have a high 
throughput of people who must undergo electronic TWIC inspection in a 
timely manner.
    One commenter disagreed with the idea of ``one point of access'' to 
a ferry, as there may be multiple points of access, and the proposed 
rule might have required them to install TWIC readers at 62 locations, 
with additional staffing, to meet the requirements. The Coast Guard 
disagrees with this assessment. The commenter is not necessarily 
required to purchase a large

[[Page 57689]]

number of TWIC readers because the electronic TWIC inspection for the 
vessel crew can be executed on the facility side, rather than at each 
and every access point to the ferry or the vessel. Given the ``combined 
security plan'' discussed by this commenter above, it is permissible 
that a ferry operating a secure facility could have no dedicated TWIC 
readers, if all crew boarded from secure areas of the facility. Thus, 
such a ferry operator could comply with the electronic TWIC inspection 
requirements in this final rule without a wholesale replacement of its 
security infrastructure with new TWIC Readers.
    Several commenters provided qualitative discussions regarding the 
number of TWIC readers that would be needed at passenger terminals, 
which while not providing firm numerical information, helped the Coast 
Guard refine its assessment of how the final rule would affect these 
sorts of terminals. One commenter argued that the Coast Guard ``does 
not fully understand the day-to-day operations of Group A passenger 
vessels and facilities . . .'' and that ``most of these vessels, 
terminals, and facilities are designated ``public access areas'', with 
only small areas designated secure, which ``tend to be located away 
from one another.'' The commenter provided examples of ``a fuel storage 
area here and a secure communications room elsewhere'' as examples of 
dispersed secure areas, and stated that ``the everyday reality for a 
TWIC holder is that he or she is likely to move between secure areas 
and public areas, as well as between the vessel and facility, multiple 
times a day in multiple locations.''
    Similarly, operators of other passenger terminals made qualitative 
remarks regarding the number of TWIC readers needed. One commenter, 
operating a large facility on the West Coast, stated that 
``installation of TWIC readers on our vessels and at our terminal would 
provide a negligible improvement in security, which would come at an 
unreasonable cost given that WSF has already implemented a superior 
security infrastructure.'' We note that, at the time the comment was 
made, the NPRM had not proposed the option that would allow the 
operators of facilities to integrate electronic TWIC inspection into 
their PACS. Given comments like these, we expect that larger passenger 
facilities that have already implemented PACS would be likely to use 
that option rather than installing TWIC readers in a parallel security 
structure.
    Commenters representing smaller facilities also provided 
qualitative information. One commenter stated that ``our terminals are 
a mix of secure and public areas where employees move between areas 
throughout the day,'' indicating that TWIC readers would be needed at 
multiple access points, not just at the entrances to the facility. 
Similarly, a facility operator in San Diego noted that ``careful 
consideration needs to be taken into account for the passenger vessel 
industry because our vessels and facilities are not just one big secure 
area, but rather are interspersed amongst public areas.''
    Based on the substantial numbers of comments regarding the 
implementation of electronic TWIC inspection at passenger facilities, 
as well as the policy changes in this final rule, we have re-evaluated 
how we analyzed the costs of this rule for passenger facilities. In the 
TWIC pilot program, TWIC readers were typically only employed at the 
exterior access points to facilities, whereas in the final rule things 
are quite different. For passenger facilities, it is likely that 
electronic TWIC inspections would not likely take place at the main 
entrances where passengers enter and exit, as those areas would lead to 
``passenger access areas'' which are, by definition, not secure areas 
and do not need to be controlled by a TWIC reader. Instead, TWIC 
readers or a PACS would likely be installed throughout the facility, at 
each entrance into a secure area, to ensure that only TWIC-holders had 
access to these secure areas of the facility.
    Furthermore, based on the comments, we are reasonably certain that 
the largest passenger facilities are much more likely to implement the 
electronic TWIC inspection requirement by adding a biometric input 
method into their PACS, rather than by developing an entirely parallel 
TWIC reader system. This option permit substantial cost savings and 
operational efficiency benefits for facilities that have already 
invested in, as one commenter stated, ``superior security.''
    For these reasons, we have adjusted the ``number of TWIC readers'' 
used by passenger facilities as the cost basis in our analysis. For the 
largest 5% of facilities, we have assumed a larger number of TWIC 
readers, representing our estimates that these facilities are quite 
extensive and will require either modification of their PACS or 
installation of a substantial TWIC reader system. For other passenger 
facilities, we have left the estimate at 2 access points per facility, 
for a total of four readers. We estimate that these facilities would 
likely have an access point to the vessel, as well as an additional 
access point to secure areas of the facility, such as a storage room or 
communications area. We develop this reasoning at more length in the 
accompanying regulatory analysis.
    One commenter, operating several large terminals on the West Coast, 
provided information on the maintenance of readers. The comment 
estimated that they are planning to pre-purchase 74 contact card reader 
inserts for their 33 existing readers over the next three years at a 
total cost of $28,800, or approximately $300 per reader per year. We 
have used this information to increase our cost estimate for the 
maintenance of readers from 5 percent of the cost of a reader to 10 
percent of the cost of a reader per year to cover the expense of insert 
replacements.
    With regards to the number of TWIC readers, Coast Guard recognizes 
that there may be variability in the number of electronic readers 
required for any specific facility or vessel due to a large range of 
facility sizes, configurations, PACS types, and throughputs that will 
necessitate large variations in the numbers and types of TWIC access 
points. For the purposes of producing a cost estimate in the NPRM and 
RA, Coast Guard used data from Facility Security Plans (FSPs) to 
estimate the number of access points per facility and the TWIC pilot 
data to estimate an average number of TWIC readers needed per access 
point for a vessel or facility. The average number of TWIC readers at a 
vessel or facility was derived from the actual number of TWIC readers 
installed per facility or vessel in the pilot study that ranged from 
between 1 and 39 TWIC readers based on a minimum number of 1 to 24 
access points from the FSPs. While we appreciate specific information 
about individual facilities, we note that the average figures developed 
through the TWIC Pilot Program, which sampled a broader spectrum of 
facilities, provides the best data for average numbers of TWIC readers 
and access points.
3. Transaction Times
    Many commenters stated that conducting electronic TWIC inspection 
at each entry to a secure area on a day-to-day basis would negatively 
impact the time needed to make entries. These commenters did not, 
however, provide any specific information regarding transaction times. 
One commenter that operates a cruise ship terminal stated that 
conducting electronic TWIC inspection with a biometric identification 
component takes 20 to 30 seconds per transaction, and thus would result 
in intolerable delays, especially regarding baggage handlers who enter 
secure areas repeatedly (we would note

[[Page 57690]]

that the RUA provisions in this final rule may offer flexibilities to 
mitigate transaction time concerns).
    One commenter provided feedback on its TWIC reader experience. 
According to this commenter, the learning curve for adopting TWIC 
readers is short, with the proper signage and instruction. Within one 
year of implementing TWIC readers into the facility, the commenter had 
over 1 million reads that take 4 seconds each, and the use of TWIC 
readers on inbound trucking has caused no delays. Further, the 
commenter suggested that TWICs can last 3 years without breakage or 
delamination issues if properly cared for, and believes that many TWICs 
were broken because the issue of their care was not communicated. The 
Coast Guard agrees with some of the points made by this commenter: The 
learning curve for using TWIC readers is relatively short and TWIC 
readers can handle a large volume of reads. However, the read time may 
not be 4 seconds on average across all the TWIC reader users, although 
we appreciate the data point supplied by the commenter.
    Other commenters also felt that the Coast Guard overestimated 
transaction times and the amount of time needed for a CCL update. With 
regard to the CCL update, we estimated that it would take 0.5 hours to 
update the CCL. One commenter suggested that the process could be 
automated. We agree that some operators could automate the process, but 
currently, we are unaware of any that do. We still believe that absent 
automation, our estimate of time is accurate.
    Transactions were discussed by an additional commenter. One 
commenter stated that he had heard from an operator who has conducted 
over 1 million electronic TWIC transactions, and who had experienced an 
average transaction time of 3.5 seconds, as opposed to the 8 seconds 
per successful transaction experienced during the TWIC Pilot Program.
    In response to comments regarding transaction times, we acknowledge 
that transaction times may vary based on equipment, software, 
environmental conditions, user familiarity, the condition of the TWIC, 
and perhaps many other conditions. This variability is reflected in the 
range of transaction times spanning from 3.5 to 30 seconds provided in 
the comments. The TWIC pilot collected data from a variety of 
facilities and circumstances, and produced an overall average of 8 
seconds per transaction. We note that the range of times collected by 
the Pilot Program (which used TWIC readers from the ICE list) was from 
6 to 27 seconds per transaction, which is not inconsistent with the 
experiences of the commenters.\63\
---------------------------------------------------------------------------

    \63\ See Pilot report, located in the online docket for this 
rulemaking at USCG-2007-28915-0121, Appendix G, pp. 49-50.
---------------------------------------------------------------------------

    One commenter stated that the 17.1 percent failure rate from the 
TWIC Pilot Report is a high figure to use in the regulatory impact 
analysis, since the primary cause of TWIC read failures (internal 
antenna failures) was addressed by the design of better cards. The 
commenter noted that these older cards have been retired since 2009. 
While we believe that the design of TWICs themselves has improved, 
without comprehensive data demonstrating that improvement, we continue 
to use the 17.1 percent failure rate from the Pilot Report in our 
analysis as the best available estimate. This failure rate is still a 
reasonable one to use when estimating the delays due to TWIC reads 
because there are other reasons for TWIC reads to fail, such as 
exposure to harsh weather. Finally, we note that even this higher 
failure rate did not produce measureable throughput delays, and thus a 
lower failure rate would not substantially affect the transaction costs 
of this rule.
    One commenter argued that between 2,500 and 3,000 people a day 
undergoing visual TWIC inspections would cost a great deal of money, 
and asked if they could use a PACS instead. Certainly nothing in this 
final rule precludes voluntary compliance with the requirements for 
electronic TWIC inspections, and the Coast Guard encourages owners and 
operators to go beyond minimum levels of compliance. The Coast Guard 
believes that this final rule will not only increase security but may 
also reduce the costs for owners and operators who are currently 
relying on visual TWIC inspection. The final rule also allows other, 
less expensive biometric scanners to be integrated with existing 
facilities' PACS, as long as a biometric TWIC read is accomplished.
4. Security Personnel
    We received several comments regarding potential reductions in 
security personnel that could result from the mandatory use of 
electronic TWIC inspection. These comments generally fell into two 
categories. Some commenters felt that the requirements in the proposed 
rule, if finalized, would cause employers to reduce security staff, as 
fewer guards would be needed to conduct visual TWIC inspections. While 
some commenters believed this reduction would be a detriment to overall 
port security, in contrast, other commenters stated a possible 
reduction in personnel costs is a benefit we did not consider in the 
NPRM RA. We do not believe that this final rule will have a substantial 
effect on staffing for several reasons.
    With regard to the argument that use of electronic TWIC inspection 
would lead to a reduction of security, we believe this results from a 
misunderstanding of the role of inspection and the role of security 
personnel. While electronic TWIC inspection can be used as a substitute 
for visual TWIC inspection, the role of a security guard goes far 
beyond this limited function, including providing other components of 
access control and physical security. If anything, we believe that 
electronic TWIC inspection can improve the capability of security 
personnel by allowing them to focus on their more specialized security-
providing roles.
    One of the reasons suggested for a reduction in staffing related to 
a scenario in which a vessel's crew slightly exceeded the threshold 
limit for an exemption from the electronic TWIC inspection requirement, 
and the operator of the vessel decided to reduce the crew size in order 
to qualify for the exemption. By clarifying that the number of crew 
used to determine whether the vessel is exempt is based on the minimum 
manning requirement in the COI, we believe that this scenario will not 
come to pass. Unlike a situation in which a vessel operator could 
dismiss an optional deckhand to qualify for the exemption, it is 
exceedingly difficult, if not impossible, to alter the minimum manning 
requirements of the vessel. Alternatively, some commenters believed 
that by installing TWIC readers, operators of facilities could dismiss 
security guards. We are not aware of any instances of operators 
terminating security personnel as a result of installing TWIC readers 
(which should have been reflected in a change to a security plan and 
approval by the local COTP). We also note that pursuant to PAC-D 01-11, 
facilities are already permitted to employ TWIC readers in lieu of 
visual TWIC inspection on a voluntary basis.
    Some commenters felt that the proposed requirements, especially for 
those vessels and facilities not in Risk Group A, would increase the 
necessary number of security guards per shift. These comments were 
based on the erroneous assumptions about the use of electronic TWIC 
inspection with regard to vessels, as well as the mischaracterization 
of the requirements for electronic TWIC inspection with regard to 
vessels and facilities not in

[[Page 57691]]

Risk Group A. We believe that the clarifications in this final rule 
clearly illustrate that the scenarios in which large numbers of 
security personnel are required on board vessels will not apply. 
Furthermore, access control requirements for vessels and facilities not 
in Risk Group A are unaffected by this final rule.
5. Other Cost Comments
    Several commenters stated that the NPRM requirements were 
expensive. For example, one commenter stated that the expense of 
outfitting their vessels and facilities with TWIC readers would be 
enormously expensive compared to their normal operating budgets. In 
this particular instance, the Coast Guard notes that vessels owned by 
this commenter are not in Risk Group A and are not subject to the 
requirements in the final rule for TWIC readers. Most of these 
commenters did not include estimates or specific costs to support their 
claims. For the one commenter that provided a specific cost estimate, 
we incorporated the information to increase our estimate of the cost to 
maintain readers. The Coast Guard has carefully considered this input 
on burden and in this final rule has further reduced burden from the 
NPRM and ANPRM. See the final RA, included in the docket for this 
rulemaking, for the Coast Guard's analysis of the available data.
    One commenter suggested that the NPRM did not appear to consider 
the secondary economic cost impact that would result from the 
disruption of such facilities from a TSI. The same commenter also 
stated that the break-even analysis in the NPRM did not consider the 
economic cost impact that would result from an attack on a petroleum 
facility. This latter statement is correct, because petroleum 
facilities are not included in the affected population of this rule. 
Furthermore, the former statement is correct, although the net effect 
of adding additional categories of terrorism impacts not now quantified 
in this rule would be to increase the benefits of avoiding a TSI.
    Multiple commenters stated that the NPRM did not do a cost analysis 
of domestic inbound fleeting areas (also known as barge fleeting 
facilities), and that it did not fully evaluate the impact of TWIC 
readers on those fleets. More specifically, one of these commenters 
felt that owners of those fleets would have to make a significant 
monetary investment to install equipment in an area that might not be 
able to support it.
    The NPRM did include all those affected domestic inbound fleeting 
areas in the cost analysis. It fully assessed the impact on an average 
facility, including the barge fleeting facilities. However, this final 
rule no longer specifically requires barge fleeting facilities to 
install TWIC reader equipment (see Section V.D.7 of this preamble), 
which addresses the concerns of these commenters.
    One commenter said that it should not take 25 hours to update a 
facility security plan for TWIC. The Coast Guard disagrees. For some 
facilities, it may take fewer hours, but for many others it will take 
more than 25 hours, especially if changes to security plans are 
reviewed by multiple people, and we believe that the 25-hour assumption 
is a reasonable average for the full range of vessels and facilities 
impacted by this rule.
    One commenter suggested that the TWIC is not designed to be handled 
multiple times per day, (the commenter suggested that at their 
passenger ferry facility, an average employee could expect to have 
their TWIC inspected 2,400 times per year) and therefore this rule 
would likely cause TWICs to degrade and malfunction at a high rate, 
leading to increased costs for mariners to replace degraded TWIC cards. 
We disagree with this analysis for two reasons. First, while some older 
TWICs were issued with antennas that proved unreliable, the cardstock 
was upgraded in 2009 to be more reliable and can be used frequently 
without degrading. Second, we note that at most large facilities, such 
as the passenger facility at issue, employees use a PACS for access 
control rather than the physical TWIC. This final rule permits the use 
of a PACS card for access control in lieu of the TWIC, so we expect 
that the many employees at larger facilities will not suffer any 
degradation of their TWICs during normal usage.
6. Costs Exceeding Benefits, Cost-Effectiveness, and Risk Reduction
    Many commenters expressed a concern that the costs of installing 
TWIC readers on their vessels and facilities would exceed their 
benefits. One of these commenters said it has already implemented a 
superior security infrastructure and the installation of TWIC readers 
would be duplicative of security measures already in place. Another of 
these commenters expressed the view that terminal facility TWIC readers 
would be an unnecessary burden and cannot be justified for their 
operations. Another commenter felt that the added burden of the TWIC 
readers does not enhance overall security for their nature of 
operations. In addition to these commenters who questioned whether the 
costs of the TWIC reader rulemaking exceed the benefits, several others 
argued that the TWIC card readers would neither significantly enhance 
security on U.S. facilities and vessels, nor make our nation safer.
    The Coast Guard disagrees. The regulatory impact analysis we 
provide in the docket discusses at length why and how security will be 
enhanced by this rule. The commenters do not appear to account for the 
benefits to the nation and its economy of avoiding TSIs or that this 
rule is a Congressional mandate, and therefore, it addresses a market 
failure in which individual owners and operators tend to under-invest 
in security infrastructure, equipment and operations. As previously 
explained, we used a risk-based approach to apply these regulatory 
requirements to less than 5 percent of the MTSA-regulated population, 
which represents approximately 80 percent of the potential consequences 
of a TSI. The provisions in this final rule target the highest risk 
entities while minimizing the overall burden of the rule. We conducted 
a robust alternatives analysis that considered the ``break-even'' point 
of several different alternatives and we chose the alternative that 
shows the final rule will be cost effective if it prevents 1 TSI with 
every 234.3 years. Such small changes in risk reduction strongly 
suggest the potential benefits of the proposed rule justify its costs.
    One commenter argued that reduction of human error, as part of 
visual TWIC inspection, should be a quantified benefit of the final 
rule, and not an ``unquantifiable'' benefit as described in the 
preliminary RA. However, the commenter did not ascribe a dollar value 
to this benefit that could be quantified. Considering the RA did not 
attempt to quantify each individual security threat mitigated, but 
instead provided an overall break-even analysis that encompassed the 
rule, we believe our analysis remains appropriate for this issue.
7. Cumulative Costs of Security-Related Rulemakings
    Some commenters warned of the cumulative economic impacts of this 
rulemaking with several other finalized rules across Federal agencies. 
These comments did not provide specific data or information on these 
cumulative economic impacts. Understanding and considering the concerns 
about these cumulative economic impacts of all maritime security 
regulations, the Coast Guard decided to apply the final rule to a 
smaller population of MTSA-regulated entities after conducting its 
regulatory impact analysis. The Coast Guard

[[Page 57692]]

believes that the increased flexibility of the final rule compared to 
the proposed regulations will help lower costs and ease the burden on 
the regulated stakeholders.
8. Small Business Impact
    One commenter expressed concern that its small profit margin would 
be negatively affected by new expenses for security due to changes to 
technology and additional regulations. Cognizant of regulatory impacts 
on small businesses, the Coast Guard sought to minimize these impacts 
by allowing businesses to integrate TWIC readers into their existing 
PACS, and to choose from a variety of biometric scanners that may cost 
less than those approved by the TSA and listed on the TSA's QTL.

F. Other Issues

1. The GAO Report and the TWIC Pilot Program
    Several commenters noted concerns with the final rule in light of 
the May 2013 GAO report ``Transportation Worker Identification 
Credential: Card Reader Pilot Results Are Unreliable; Security Benefits 
Need to Be Reassessed'' (GAO-13-198). Two commenters specifically 
called attention to the GAO report's suggestion that results were less 
reliable due to ineffective evaluation design and the lack of requisite 
data. The Coast Guard fundamentally disagrees with the statement. 
Although there were many challenges in the implementation of the TWIC 
reader pilot, considerable data were obtained in sufficient quantity 
and quality to support the general findings and conclusions of the TWIC 
reader Pilot Report. The pilot obtained sufficient data to evaluate 
TWIC reader performance and assess the impact of using TWIC readers at 
maritime facilities. Furthermore, the Coast Guard supplemented the 
information from the TWIC Pilot Program with other sources of 
information. For example, in the RA, the Coast Guard estimated the 
number of access points per facility by facility type through the use 
of an independent data source (Facility Security Plans), and estimated 
the costs of TWIC readers through published pricing information. This 
independent data supplemented what we learned through the pilot and 
helped account for TWIC reader implementation at all access points when 
developing the NPRM.
    Similarly, multiple commenters suggested that the Coast Guard 
should not move forward on this final rule due to the GAO 
recommendations. We would encourage those who criticize the TWIC Pilot 
Program to closely review how the information gained in the program was 
used in the development of this rulemaking. Because of the testing 
conditions endemic to a voluntary pilot program, the TWIC Pilot Program 
encountered many challenges. The Coast Guard was aware of the pilot's 
limitations, and used it with discretion in developing the NPRM and, 
subsequently, in developing this final rule. For that reason, the pilot 
results were not the sole basis for the NPRM. The Coast Guard believes 
that the pilot produced valuable information concerning the 
environmental, operational, and fiscal impacts of the use of TWIC 
readers. The Coast Guard believes that data were obtained in sufficient 
quantity and quality to support the general findings and conclusions of 
the Pilot Report. The pilot data informed aspects of the rulemaking in 
which no other data were available. The Coast Guard is convinced that 
TWIC, including the use of biometric readers, can and should be a part 
of the nation's maritime security system, for the reasons cited 
extensively in this final rule.
    Two commenters suggested that individual TWIC Pilot Program 
participants were not provided the opportunity to review the final 
draft Pilot Report prior to publication. In response, the Coast Guard 
participated along with TSA and the independent test agent in 
individual close-out meetings with each of the pilot participants. 
Individual test phase reports were provided to participants in advance 
of those meetings to verify and answer questions and concerns.
    One commenter suggested that they heard from participants that 
information contained in the Pilot Report was inconsistent with the 
participants' records. We note that this commenter was not a pilot 
participant, nor did we receive such feedback from pilot participants. 
Given the nature of the program, we believe that the information from 
the pilot was generally helpful in providing data relating to certain 
operational aspects of the TWIC program.
    The RA for this final rule accounts for maintenance, replacement, 
and operation costs of TWIC readers in addition to the costs reported 
in the Pilot Report, contrary to the GAO's assertions. As both the 
Pilot Report and the GAO's review note, not all facilities implemented 
TWIC readers at all access points during the pilot in the same way they 
may have to do in the future to meet the requirements of this final 
rule. We believe that the immaturity of TWIC reader technology at the 
onset of the pilot, the voluntary nature of the Pilot Program, and lack 
of full cooperation at all facilities were major contributors to the 
pilot's limitations. Furthermore, we note that the additional 
flexibility afforded by this final rule, especially with regard to 
utilizing PACS as a means to undertake electronic TWIC inspection, will 
further reduce the negative operational impacts of the TWIC requirement 
that were experienced by some participants during the pilot.
    One commenter took the opposite position, arguing that the GAO 
report went beyond the required purpose of assessing the validity of 
the pilot, and that TWIC reader technology could be seamlessly 
integrated into their facility access control systems. While we do 
acknowledge that there were some problems with the pilot, overall we 
agree with the commenter that it demonstrated the ability to integrate 
TWIC into access control systems at a wide range of maritime 
facilities.
    One commenter suggested that the Coast Guard does not have an 
accurate accounting of how long it will take to resolve TWIC reader 
issues. We addressed a similar comment in the section of this preamble 
regarding malfunctioning access control systems. Per that discussion, 
we note that in this final rule, we are removing the specific time 
period for repairs, and that restoration of an access control system 
will be handled in accordance with the procedures for the reporting 
requirements for non-compliance as described in 33 CFR 104.125, 
105.125, and 106.125. These sections require the owner or operator to 
notify the cognizant COTP, and to either suspend operations or request 
and receive permission from the COTP to continue operating.
    Additionally, one commenter stated that the NPRM did not address 
the error rate experienced during the Pilot Program which, with 
repetitive failure, created distraction, confusion, and complacency 
with an overall degradation of security. The commenter suggested that 
another pilot should have been conducted to validate the original 
findings given technology problems encountered. The Coast Guard 
disagrees. The RA section in the NPRM did address error rates as 
potential opportunity costs associated with delays as a result of TWIC 
reader requirements. Furthermore, the Pilot Report did acknowledge both 
TWIC reader errors and card failures as challenges that were faced. The 
Coast Guard believes that the combination of technology advancement 
since the Pilot Program started and the enhanced flexibility and the 
movement to a more performance-based standard

[[Page 57693]]

in this final rule will have a significant role in reducing the rate of 
TWIC reader failure and the overall effect of TWIC reader failure on a 
vessel or facility. As noted in the NPRM, the Coast Guard anticipates 
that the rate of card failure requiring replacement will decrease as 
TWIC reader use increases. We believe the number of unreadable TWICs 
initially identified will decrease as the increased use of TWIC readers 
will enhance TWIC validity and readability by identifying damaged 
TWICs. However, as with any such critical system and as we have noted 
in previous sections, it is important for operators of vessels and 
facilities affected by this final rule to adequately address potential 
electronic reader failure scenarios in the development of their 
security plans to ensure that measures are identified, and to 
seamlessly react to a single electronic reader failure or, in the worst 
case, an entire PACS failure in a way that continues to meet the 
security intent of this rulemaking. Please see discussion in section 
V.B.3.d on malfunctioning access control systems for more discussion on 
this subject.
    One commenter highlighted GAO's assertion that DHS has not yet 
adequately demonstrated how the TWIC actually enhances maritime 
security. We have addressed the efficacy of the TWIC program as a whole 
in Section V.A of this preamble.
    One commenter stated that the GAO report failed to account for the 
opinions of various container terminal operators that participated in 
the Pilot Program, and suggested that the GAO report itself was flawed 
and went beyond its mandate. The Coast Guard appreciates the extremely 
valuable information provided by all vessel and facility operators 
during the course of this rulemaking, and has evaluated all comments in 
comparison with economic and environmental data to enhance this final 
rule to address the greatest security threats in which TWIC and TWIC 
readers provide utility in the prevention of a TSI. We have modified 
this final rule in a manner that allows for the greatest flexibility 
for non-Risk Group A vessel and facility operators to implement 
electronic TWIC inspection procedures on a voluntary basis. 
Additionally, the Coast Guard is committed to the continued security of 
the nation's ports. Accordingly, we will continue to evaluate the need 
for TWIC readers on vessels or facilities not covered in this final 
rule, and, should future cost benefit analysis show increased TWIC 
reader cost-effectiveness to address the threats to vessels and 
facilities within our ports, we may propose further requirements.
    Several commenters suggested that the Coast Guard did not engage 
with industry groups and advisory committees, other than TSAC, when 
drafting this rulemaking. The Coast Guard took into consideration input 
from a wide range of industry representatives during the development of 
this final rule through both formal and informal interaction. Formal 
interaction with stakeholders occurred in the form of direct contact 
with the National Maritime Security Advisory Committee, interaction 
with TWIC Pilot Program participants, and during multiple port and 
facility visits aimed at gathering specific feedback from industry on 
TWIC and the use of TWIC readers. Informal interaction occurred through 
multiple TWIC information sessions at industry-sponsored events such as 
meetings and conferences, and through feedback in the form of comments 
to both the ANPRM and NPRM for this rulemaking.
2. Additional Comments
a. General Comments on the TWIC Program
    Many commenters supported the Coast Guard's implementation of a 
delayed effective date for this final rule. As stated in the DATES 
section above, the Coast Guard will delay the effective date of this 
rulemaking by 2 years to allow the regulated industries time to comply 
with this final rule. One commenter asked if a non-Risk Group A vessel 
or facility decided, 1 year from the date of publication, to move up to 
Risk Group A, how many years that entity would have to comply with this 
final rule. In this example, the entity would have 1 more year to 
comply with the electronic TWIC inspection requirements of this final 
rule. All vessels and facilities meeting the Risk Group A criteria 
after the effective date of this final rule will have no extra time to 
comply, as the regulation will be in force. The commenter also asked 
what procedures such a facility would have to follow. Such a facility 
would have to adjust its FSP in accordance with all applicable 
regulations, and then implement the requirements of the approved FSP.
    Some commenters expressed concerns about the durability and 
reliability of TWICs themselves. As revealed in the TWIC Pilot Program, 
many users experienced problems with the TWIC. We note, as multiple 
commenters did, that prior to 2009, some cards were issued with 
antennas that experienced high rates of failure, but given the 5-year 
expiration period of the TWIC, those cards should all be replaced by 
the time this final rule is effective. Furthermore, due to the 
flexibility added by this final rule, should an environment prove to 
have a negative effect on the TWIC, owners and operators can use one of 
the alternative means described above to provide for access control 
while keeping TWICs in a secure location where they will not become 
damaged.
    One commenter stated that mariners are already subject to 
background checks, which should preclude the need for another check 
conducted by an electronic reader. We would note that the electronic 
TWIC inspection does not actually conduct an additional background 
check, but merely verifies the individual presenting the card is the 
same person who underwent the original background check. This commenter 
also suggested that random Coast Guard checks of the TWIC ensure 
adequate security. We disagree, and believe that security validation at 
high-risk vessels and facilities should be conducted thoroughly, not 
occasionally, for the reasons described in this rule.
    One commenter in a public meeting suggested that because of the 
TWIC program, driver's licenses and other forms of identification are 
no longer allowed for access to facilities, in favor of a TWIC, and 
that this has reduced security. The Coast Guard disagrees, and believes 
that TWIC enhances security. We note, for example, that merely having a 
driver's license does not indicate that an individual has passed a 
background check.
    Some commenters discussed both possible TSIs and terrorist attacks 
which would not, in their view, have been averted by a TWIC reader 
requirement. The Coast Guard notes that the electronic TWIC inspection 
requirements are only part of the Coast Guard's comprehensive port 
security program and will not address all attack scenarios. Issues 
relating to the overall effectiveness of the electronic TWIC inspection 
programs are discussed in Section V.A, above.
    Some commenters supported the use of the TWIC as a single Federal 
credential, and suggested that it should preempt and supersede other 
State, local, or site-specific credentials. One commenter suggested 
that using the TWIC as the only credential a person would need to enter 
multiple secure facilities would have substantial economic benefits, 
especially for individuals such as truck or bus drivers that need to 
access many different secure facilities. These benefits, according to 
the commenter, would include conducting only a single background check 
(as opposed to

[[Page 57694]]

multiple background checks that might be needed to obtain State, local, 
and site-specific credentials), as well as reduced ``wait time'' as 
security credentials are examined.
    While there is an efficiency argument to having a single, 
nationwide credential, we believe that the disbenefits of such a 
mandatory program are substantial and outweigh that efficiency. To 
start, we note that part of the increased flexibility of this final 
rule allows for alternative cards, such as employee ID cards, to 
achieve electronic TWIC inspection, provided that these cards are 
linked to a TWIC in a manner described above. As several commenters 
noted, possession of an authorized TWIC should not, in and of itself, 
grant the TWIC-holder access to any secure area on any vessel or 
facility. While a valid TWIC is a necessary component for unescorted 
access to secure areas, it will not be the sole reason, as owners and 
operators must exercise their right and responsibility to decide to 
whom to provide such access.
    One commenter expressed concern regarding the tiered approach for 
the use of TWIC readers. This commenter suggested that multiple access 
control procedures could result in confusion for persons who visit many 
different facilities. The commenter proposed that the Coast Guard 
require the installation of TWIC readers at Risk Group A and B 
facilities, and require that Risk Group C facilities maintain portable 
TWIC Readers. We acknowledge that using different access procedures at 
different facilities could be confusing. Furthermore, for the reasons 
discussed extensively, we do not believe that requiring electronic TWIC 
inspection at non-Risk Group A facilities is an effective use of 
resources at this time.
    Two commenters suggested an alternative process where inspection 
requirements are relaxed during peak hours. One commenter stated that 
between 7 a.m. and 9 a.m., hundreds of vehicles enter a particular 
facility, often with multiple passengers, and that requiring biometric 
identification of each passenger could result in traffic delays. The 
commenter suggested that only the driver should be required to undergo 
electronic TWIC inspection, while the passengers could present their 
TWICs for visual TWIC inspection. The Coast Guard does not agree with 
this approach, as it creates a fairly obvious and exploitable gap in 
security.
    While we have worked to increase operator flexibility to reduce 
delays and minimize their effects, we have estimated in the Coast 
Guard's RA that some facilities may have to make modifications to 
business operations to accommodate electronic TWIC inspection 
requirements, such as increasing the number of access points for 
vehicles. Furthermore, it may be possible at some facilities to conduct 
electronic TWIC inspections at locations employees would walk through 
after disembarking from their automobiles.
    Several commenters considered existing requirements under the MTSA 
and/or under the International Ship and Port Security Code to be 
sufficient for themselves and others, and that electronic TWIC 
inspection requirements should not apply to them. We believe, for 
reasons extensively detailed in this document, that the statutorily-
mandated enhancements to access control in this final rule have been 
applied to the class of vessels and facilities to which they are most 
cost-beneficial.
    One commenter was concerned at the prospect of TWIC readers being 
considered ``no-sail equipment,'' that is, equipment which must be 
operational before a vessel can leave. We note that while a situation 
where a TWIC reader could become no-sail equipment theoretically exists 
(for example, if there were only one TWIC reader available on the 
vessel, no TWIC readers at the facility, and no portable TWIC readers 
available), we have elaborated on the many ways in which this could be 
avoided through advance planning. This final rule elaborates on 
procedures which would be acceptable in the event of an electronic 
reader or system failure. We would recommend that operators of vessels 
or facilities required to undertake electronic TWIC inspections utilize 
robust systems that are capable of withstanding a single point of 
failure.
    One commenter expressed confusion as to how the electronic TWIC 
inspection requirement would apply to the aviation industry. We note 
that the requirement for electronic TWIC inspection at Risk Group A 
vessels and facilities applies equally to individuals entering via 
helicopters or other airborne means. In such an instance, it would be 
the responsibility of the owner or operator to conduct electronic TWIC 
inspections to ensure that all persons granted unescorted access to 
secure areas within the facility or upon boarding the vessel possess a 
valid TWIC.
    One commenter in a public meeting suggested that multiple entrances 
and departures in a day may pose a safety risk, if for example a 
facility is surrounded by public roads and highways. We believe that 
businesses can design their access points to secure areas in such a way 
that mitigates traffic impacts and potential safety concerns regarding 
public roads. We note that with the requirement for electronic TWIC 
inspection prior to each entry into a secure area of the facility, the 
security risk of such an environment would be greatly mitigated 
compared to a system that only required, for example, one inspection 
per day.
    One commenter requested that the TWIC be used as a universal 
identification card for entrance to transportation facilities, 
replacing the issuance of State, county, and facility-specific 
credentials. The commenter also suggested that bus and motorcoach 
drivers should be eligible for TWICs. Noting that many drivers travel 
to numerous MTSA-regulated sites, the commenter argued that using the 
TWIC exclusively could significantly reduce the costs and other burden 
associated with the need for multiple security credentials. While we do 
not dispute the efficiency argument, we are not requiring the use of a 
TWIC as universal identification card for a number of reasons. First, 
again, this suggestion is out of scope of the rulemaking, which is 
limited to the requirement for electronic TWIC inspections. Moreover, 
we note that nearly all MTSA-regulated facilities restrict access not 
only to those who have a TWIC, but also to those who have a valid 
reason to be on the premises. As many commenters repeated, simply 
having a TWIC does not guarantee access to a secure area of a vessel or 
facility. Many vessels and facilities use employment-specific 
identification cards both as a means to ensure that a person has been 
vetted as well as a means to show that they are employees. Furthermore, 
some of these PACS cards are used to track employee locations or 
restrict access within the facility. Requiring all facilities to use 
the TWIC exclusively could negatively impact security and business 
operations by removing the benefits of facility-specific access cards.
    Several commenters encouraged the Coast Guard to dismiss or devalue 
the comments from other commenters. In accordance with the 
Administrative Procedure Act, the Coast Guard considered every comment 
it received, both through the docket and through public meetings, 
before issuing this final rule.
    Several commenters made statements asserting that their operations 
were more secure or employees better trained than public transit 
operations and employees, and yet the latter may not be required to 
perform electronic TWIC inspections. While we cannot attest to the 
validity of these statements, we continue to believe that the improved 
security of electronic TWIC inspection,

[[Page 57695]]

compared to visual TWIC inspection, is warranted for high-risk vessels 
and facilities for the reasons discussed extensively in this preamble.
    One commenter believed that disbanding the TWIC program would 
remove the ``false crutch that TWIC provides'' and encourage greater 
operational security. For the reasons discussed above, we disagree and 
believe that TWIC provides a necessary and effective element of a 
comprehensive security system.
b. Clarification of Specific Items
    Several commenters asked for clarification about a term or idea 
used in the NPRM, or asked the Coast Guard to define it outright. 
Explanations of various terms are described below.
    One commenter requested clarification of the term ``each entry.'' 
As stated above, with regard to facilities, ``each entry'' is each 
distinct transition from a non-secure area to a secure area. With 
regard to vessels, ``each entry'' is each distinct transition from a 
non-secure area prior to boarding the vessel.
    One commenter asked about the definition of ``escorting,'' 
specifically whether a visual inspection, such as the use of closed-
circuit television (CCTV) systems, would be an acceptable form of 
escorting. In response, we refer the commenter to the detailed guidance 
on escorting found in NVIC 03-07. There, we provide guidance and 
examples of circumstances in which the use of surveillance equipment, 
including CCTV systems, might be sufficient for escorting purposes. The 
specific facts and circumstances of each case will determine whether 
the Coast Guard will permit CCTV systems for such purposes. In general, 
escorting in restricted areas requires side-by-side accompaniment with 
a TWIC-holder. However, escorting in secure areas that are not also 
designated restricted areas does not always require side-by-side 
accompaniment. In such secure, non-restricted areas, escorting may be 
sufficient through CCTV or other monitoring method (see 33 CFR 104.285 
and 105.275). Where such monitoring is appropriate, the general 
principle applies that monitoring must enable sufficient observation of 
the individual with a means to respond if the individual is observed to 
be engaging in unauthorized activities or crossing into an unauthorized 
area.
    One commenter raised the issue of how railroads would interact with 
the new electronic TWIC inspection requirements. PAC 05-08, ``TWIC 
Requirements and Rail Access into Secure Areas,'' is the existing 
policy guidance regarding railroad access as it relates to facilities 
in the TWIC program. This guidance allows the railroad company's local 
or regional scheduling coordinator to provide information on the TWIC 
status of the crew, and if all crewmembers are valid TWIC-holders, 
allows them to enter the secure area of a MTSA-regulated facility 
without further inspection of their TWICs. PAC 05-08 also permits 
trains on ``continuous passage'' through a facility to proceed without 
stopping to check TWICs in certain circumstances. One commenter, 
representing railroad companies, stated ``[n]either the need for, nor 
the advisability of, a change has been demonstrated'' in regards to 
this guidance. We agree, and reaffirm the guidance in PAC 05-08 in this 
final rule, with one caveat. If PAC 05-08 would require that an 
individual's TWIC be checked at a Risk Group A facility, it must be 
checked using electronic TWIC inspection.
c. Comments Outside the Scope of This Rulemaking
    Many commenters provided comments beyond the scope of this 
rulemaking when discussing the TWIC program generally. In addition to 
concerns about card stock and card reliability, comments concerning 
applicability of the TWIC card to other U.S. government or government-
regulated facilities, TWIC card applications, delays in issuing or 
renewing TWIC cards, and those concerning TWIC card waivers are all 
beyond the scope of this rulemaking. Similarly, it is beyond the scope 
of this rulemaking to require biometrics in the U.S. Merchant Mariners 
Document, commonly known as a ``Z-Card,'' or for multiple mariner 
documents to be consolidated into an ``all-in-one'' credential. The 
scope of this rulemaking is to establish requirements for electronic 
TWIC inspections on vessels and facilities regulated under the MTSA.
    Several commenters suggested ideas about how TSA's CCL could be 
improved or altered. We note that these ideas are outside the scope of 
this rulemaking and are best addressed to the TSA.
    Some commenters expressed concerns with the background check 
criteria for receiving a TWIC. For example, one commenter noted that 
certain longshore workers were erroneously denied a TWIC based on 
incorrect information in the Federal Bureau of Investigation database, 
and another experienced difficulty proving citizenship because he was 
born on a military base. While we are aware that some challenges exist 
in the enrollment and application process, we believe that the vast 
majority of enrollments are conducted accurately and efficiently, and 
that problems are generally dealt with in a courteous and timely 
manner. We note, however, that concerns relating to the background 
check are outside the scope of this rulemaking.
    One commenter expressed concern that no regulatory analysis was 
done for workers who need to acquire and pay for a TWIC. Another 
commenter stated that for workers in remote areas, the cost of 
obtaining a TWIC can be higher due to travel costs. We note that this 
final rule does not require any additional individuals to acquire a 
TWIC, and thus the comment is outside the scope of this rulemaking. 
However, we would refer interested parties to the RA for the TWIC final 
rule, available at http://www.regulations.gov, docket number TSA-2006-
24191-0745, for a detailed analysis of these costs.
    One commenter expressed concern that there is no requirement in 
this rule that obligates an employer to report individual TWIC-holders 
to the Coast Guard who commit TWIC-disqualifying offenses. This issue 
is outside the scope of this rulemaking.
    One commenter criticized facility owners for poor quality fences 
despite receiving money from the Federal government to improve 
security. This commenter also suggested that instead of investing funds 
into the TWIC readers, the Coast Guard should spend the money on 
bettering terminals and their surrounding areas. These comments do not 
address the use of electronic TWIC inspection, and therefore, are out 
of this rule's scope.
    One commenter in a public meeting described a system where 
``personnel from other companies'' must, prior to arrival at his 
facility, fax his company with basic information including whether or 
not the visitor holds a TWIC. Facility procedures other than those 
relating to the electronic TWIC inspection procedures are beyond the 
scope of this rulemaking.
    One commenter recommended using closed-circuit television systems 
for purposes of visual inspection, rather than having a guard 
physically present. This rule relates to electronic TWIC inspection, 
and we do not believe it is within the scope of this rulemaking to 
issue guidance on proper visual identification procedures.
    One commenter suggested that, if not requiring electronic TWIC 
inspection for all Risk Groups, the Coast Guard should institute a 
``display and challenge'' requirement for all secure areas. This would 
require that all persons with unescorted access display their TWIC or

[[Page 57696]]

other credential when in a secure area. As this final rule only relates 
to electronic TWIC inspection, such a suggestion is out of scope of 
this rulemaking.
    One commenter suggested that the Coast Guard has been lax in 
pursuing administrative action for TWIC-related offenses, such as 
loaning TWICs, entering facilities without undergoing proper screening 
processes, or using counterfeit TWICs. We note that these issues are 
taken seriously, but are outside the scope of this rulemaking as we are 
not changing the actions to be taken upon identification of TWIC 
issues, merely how they might be detected.
    One commenter noted that ``terminals must abide by common law and 
practice,'' in reference to the idea that TWICs are not the sole 
condition of entry. The Coast Guard agrees, but notes the improvement 
in access control that electronic TWIC inspection provides.
    One commenter implied that ammonium nitrate should not be 
considered CDC. Altering the list of CDC (defined in 33 CFR part 160) 
is beyond the scope of this rulemaking.
    One commenter noted that visual TWIC inspection presents a safety 
issue, as security personnel can be injured or killed by vehicles 
approaching the gate area. While there are certainly security incidents 
where attackers can try to use force to breach the perimeter of a 
secure facility, such incidents are beyond the scope of this rule.
    One commenter suggested that the U.S. Congress should fully fund 
the TWIC reader program, and asserted that funding of Federally 
mandated programs will ensure a degree of financial relief and minimize 
burdens. While we agree that funding would shift the industry burden to 
taxpayers, this comment remains beyond the scope of this rule.
    Finally, this final rule makes a number of minor, technical edits, 
including updating internal references, to the regulations in 33 CFR 
Chapter I, Subchapter H, in addition to the changes discussed elsewhere 
in the preamble. These edits affect the following sections in Title 33 
of the CFR:
     101.105 Definitions.
     101.514 TWIC Requirement.
     101.515 TWIC/Personal Identification.
     104.105 Applicability.
     104.115 Compliance.
     104.120 Compliance documentation.
     104.200 Owner or operator.
     104.215 Vessel Security Officer (VSO).
     104.235 Vessel recordkeeping requirements.
     104.260 Security systems and equipment maintenance.
     104.267 Security measures for newly hired employees.
     104.292 Additional requirements--passenger vessels and 
ferries.
     104.405 Format of the Vessel Security Plan (VSP).
     104.410 Submission and approval.
     105.115 Compliance dates.
     105.120 Compliance documentation.
     105.200 Owner or operator.
     105.257 Security measures for newly hired employees.
     105.290 Additional requirements--cruise ship terminals.
     105.296 Additional requirements--barge fleeting 
facilities.
     105.405 Format and content of the Facility Security Plan 
(FSP).
     105.410 Submission and approval.
     106.110 Compliance dates.
     106.115 Compliance documentation.
     106.200 Owner or operator.
     106.262 Security measures for newly-hired employees.
     106.405 Format and content of the Facility Security Plan 
(FSP).
     106.410 Submission and approval.

VI. Regulatory Analyses

    We developed this rule after considering numerous statutes and 
Executive Orders (E.O.s) related to rulemaking. Below we summarize our 
analyses based on these statutes or E.O.s.

A. Regulatory Planning and Review

    E.O.s 12866 (``Regulatory Planning and Review'') and 13563 
(``Improving Regulation and Regulatory Review'') direct agencies to 
assess the costs and benefits of available regulatory alternatives and, 
if regulation is necessary, to select regulatory approaches that 
maximize net benefits (including potential economic, environmental, 
public health and safety effects, distributive impacts, and equity). 
E.O. 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This final rule is a significant regulatory action under 
section 3(f) of E.O. 12866. The Office of Management and Budget (OMB) 
has reviewed it under that Order. It requires an assessment of 
potential costs and benefits under section 6(a)(3) of E.O. 12866. A 
final assessment is available in the docket, and a summary follows.
    We amend our regulations on certain MTSA-regulated vessels and 
facilities to include requirements for electronic TWIC inspection to be 
used for access control for unescorted access to secure areas.
    Table 3 summarizes the costs and benefits of this final rule.

               Table 3--Summary of Costs and Benefits \64\
------------------------------------------------------------------------
                Category                            Final rule
------------------------------------------------------------------------
Applicability..........................  High-risk MTSA-regulated
                                          facilities and high risk MTSA-
                                          regulated vessels with greater
                                          than 20 TWIC-holding crew.
Affected Population....................  1 vessel.
                                         525 facilities.
Costs ($ millions, 7% discount rate)...  $21.9 (annualized).
                                         $153.8 (10-year).
Costs (Qualitative)....................  Time to retrieve or replace
                                          lost PINs for use with TWICs.
Benefits (Qualitative).................  Enhanced access control and
                                          security at U.S. maritime
                                          facilities and on board U.S.-
                                          flagged vessels.
                                         Reduction of human error when
                                          checking identification and
                                          manning access points.
------------------------------------------------------------------------


[[Page 57697]]

    Table 4 summarizes the changes in the regulatory analysis as we 
moved from the NPRM to this final rule. These changes to the RA came 
from either policy changes on the electronic TWIC inspection 
requirements, public comments received after the publication of the 
NPRM in March 2013, or simply from updating the data and information 
that informed our regulatory analysis.
---------------------------------------------------------------------------

    \64\ For a more detailed discussion of costs and benefits, see 
the full RA available in the online docket for this rulemaking. 
Appendix G of that document outlines the costs by provision and also 
discusses the complementary nature of the provisions and the 
subsequent difficulty in distinguishing independent benefits from 
individual provisions.

     Table 4--Changes in Regulatory Analysis From NPRM to Final Rule
------------------------------------------------------------------------
Element of regulatory analysis    Reason changed   Explanation of change
------------------------------------------------------------------------
Affected Population...........  Policy change....  a. Barge fleeting
                                                    facilities were
                                                    removed reducing the
                                                    previous facility
                                                    population of 532 to
                                                    525, and
                                                   b. Crew size changed
                                                    to 20 (instead of
                                                    14) and thus
                                                    reducing the number
                                                    of vessels to 1.
Cost of TWIC Readers..........  Update to reflect  The most recent
                                 current prices     prices of electronic
                                 for TWIC readers.  TWIC readers as
                                                    published in GSA
                                                    schedule and TSA's
                                                    QTL were
                                                    significantly
                                                    reduced.
                                Comments received  Some public comments
                                                    suggested that TWIC
                                                    reader costs have
                                                    declined since the
                                                    NPRM RA data was
                                                    collected.
Wages for transportation        More current BLS   Revised labor cost by
 workers.                        data.              using May 2012 BLS
                                                    data.
Maintenance Cost of TWIC        Comment received.  Revised this cost
 Readers.                                           assumption from 5%
                                                    of the total cost of
                                                    a TWIC Reader to
                                                    10%.
Number of TWIC Readers........  Comment received.  Per one large ferry
                                                    passenger facility's
                                                    suggestion,
                                                    accommodated this
                                                    facility's higher
                                                    number of readers in
                                                    cost estimates.
------------------------------------------------------------------------

    In this final rule, we require owners and operators of certain 
vessels and facilities regulated by the Coast Guard under 33 CFR 
Chapter I, subchapter H, to use electronic TWIC inspection designed to 
work with TWIC as an access control measure. This final rule also 
includes recordkeeping requirements for those owners and operators 
required to use an electronic TWIC inspection, and amendments to 
security plans previously approved by the Coast Guard to incorporate 
TWIC requirements.
    The provisions in this final rule enhance the security of vessels, 
ports, and other facilities by ensuring that only individuals who hold 
valid TWICs are granted unescorted access to secure areas at those 
locations. It will also further implement the MTSA transportation 
security card requirement, as well as the SAFE Port Act electronic TWIC 
inspection requirements.
    We estimate that this final rule would specifically affect owners 
and operators of certain MTSA-regulated vessels and facilities in Risk 
Group A with additional costs. As previously discussed, Risk Group A 
would consist of those vessels and facilities with highest consequence 
for a TSI. Affected facilities in Risk Group A would include: (1) 
Facilities, including barge fleeting facilities, that handle or receive 
vessels carrying CDC in bulk; and (2) Facilities that receive vessels 
certificated to carry more than 1,000 passengers. Affected vessels in 
Risk Group A would include: (1) Vessels that carry CDC in bulk; (2) 
Vessels certificated to carry more than 1,000 passengers; and (3) 
Towing vessels engaged in towing barges subject to (1) or (2). In 
addition, this proposal provides an electronic TWIC inspection 
exemption for vessels with 20 or fewer TWIC-holding crewmembers, 
further reducing the number of affected vessels in Risk Group A.
    Based on the risk-based hierarchy described in the preamble of this 
final rule and data from the Coast Guard's MISLE database, we estimate 
this final rule will affect 525 facilities and 1 vessel with additional 
costs. All of these facilities and vessels are in Risk Group A.
    The final rule adds flexibility in using existing PACS to comply 
with the electronic TWIC inspection requirements, which may result in 
lower costs for affected facilities and vessels. For the purposes of 
regulatory analysis, however, we prepare the cost estimate assuming 
that all of the affected population will install and use electronic 
TWIC readers. The following discussion of the cost analysis is based on 
this assumption.
    To estimate the costs for this proposal, we use data from a variety 
of sources, including MISLE, TWIC Pilot Study, TSA's ICE and QTL lists, 
public comments, and the GSA schedule among others. When data from the 
TWIC pilot are used (to estimate the costs for installation, 
integration, and PACS integration), the data are broken down by per 
electronic reader cost for each facility type. By distilling the costs 
from the TWIC Pilot down to a per TWIC reader cost by facility type, we 
are able to smooth out the varied costs in the TWIC Pilot and 
effectively normalize the TWIC Pilot costs before applying the costs to 
the full affected population of this rulemaking.
    The primary cost driver for this final rule is the capital cost 
associated with the purchase and installation of TWIC readers into 
access control systems. These costs include the cost of TWIC reader 
hardware and software, as well as costs associated with the 
installation, infrastructure, and integration with a PACS. Operational 
costs associated with this rulemaking include security plan amendments, 
recordkeeping, updates of the list of cancelled TWICs, training, and 
system maintenance. We also include operational and maintenance costs, 
which we estimate to be five percent of the cost of the TWIC reader 
hardware and software and are incurred annually. Table 5 summarizes our 
estimates for total capital costs by facility type during the 2-year 
implementation period; Table 6 provides the operational costs for 
facilities by four requirements throughout the analysis period.\65\
---------------------------------------------------------------------------

    \65\ See RA Tables 4.10 and 4.16 and associated discussion for 
the specific sources for our estimates as well as how they were 
developed.

[[Page 57698]]



                                 Table 5--Total Facility Capital Costs, 2-Year Implementation Period (Year 1 and Year 2)
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                     Total readers      Total reader costs ($)                 Total costs ($)                  Total
            Facility type               Number  --------------------------------------------------------------------------------------------   capital
                                                   Fixed     Portable     Fixed       Portable     Install.    Infra-structure      PACS       cost ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Bulk Liquid.........................        290      1,535        292    8,247,555    2,054,220   11,475,387        20,033,055   15,279,201   57,089,418
Break Bulk and Solids...............         16         91         45      488,943      316,575      904,128         3,724,904    2,938,552    8,373,102
Container...........................          3         36          8      193,428       56,280      909,612           589,952    1,020,184    2,769,456
Large Passenger.....................         92         42        524      225,666    3,686,340    1,682,152         4,102,368      841,642   10,538,168
Small Passenger.....................         63          0        426            0    2,996,910            0                 0            0    2,996,910
Mixed Use...........................         61        180         72      967,140      506,520    8,191,008         6,300,000    1,242,108   17,206,776
                                     -------------------------------------------------------------------------------------------------------------------
    Total...........................        525      1,884      1,367   10,122,732    9,616,845   23,162,287        34,750,279   21,321,687   98,973,830
--------------------------------------------------------------------------------------------------------------------------------------------------------


                                Table 6--Annual Operational Costs for Facilities
----------------------------------------------------------------------------------------------------------------
                                                                                   Training
   Years after publication      Amendments    Recordkeeping     Canceled  --------------------------    Total
                                                               card list    Personnel       FSO
----------------------------------------------------------------------------------------------------------------
1............................     $467,614          $748,182     $486,319     $209,219      $74,676   $1,986,009
2............................      465,836           857,138      484,469      261,523       93,345    2,162,312
3............................            0           224,028      970,788      104,609       37,338    1,336,763
4............................            0           224,028      970,788      104,609       37,338    1,336,763
5............................            0           224,028      970,788      104,609       37,338    1,336,763
6............................            0           224,028      970,788      104,609       37,338    1,336,763
7............................            0           224,028      970,788      104,609       37,338    1,336,763
8............................            0           224,028      970,788      104,609       37,338    1,336,763
9............................            0           224,028      970,788      104,609       37,338    1,336,763
10...........................            0           224,028      970,788      104,609       37,338    1,336,763
                              ----------------------------------------------------------------------------------
    Total....................      933,450         3,397,544    8,737,092    1,307,616      466,725   14,842,427
----------------------------------------------------------------------------------------------------------------

    Table 7 shows the 10-year period of analysis for the total costs by 
facility type. These facility costs do not include costs associated 
with delays or replacement of TWICs, which are discussed later. These 
estimates include capital replacement costs for TWIC reader hardware 
and software beginning 5 years after implementation. These costs are 
reduced from those estimated in the NPRM given cost reductions in TWIC 
readers and the removal of TWIC reader requirements for barge fleeting 
areas.

                                                    Table 7--10-Year Total Costs, by Facility Type *
                                                                      [$ Millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                             Break bulk                  Large        Small
                             Year                              Bulk liquid   and solids   Container    passenger    passenger    Mixed use      Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
1............................................................        $31.6         $2.4         $0.8         $9.8         $7.4         $4.4        $56.3
2............................................................         32.3          2.4          0.8         10.0          7.5          4.5         57.4
3............................................................          4.6          0.3          0.1          1.4          1.1          0.6          8.1
4............................................................          4.6          0.3          0.1          1.4          1.1          0.6          8.1
5............................................................          4.6          0.3          0.1          1.4          1.1          0.6          8.1
6............................................................         10.1          0.8          0.2          3.1          2.4          1.4         18.0
7............................................................         10.1          0.8          0.2          3.1          2.4          1.4         18.0
8............................................................          4.6          0.3          0.1          1.4          1.1          0.6          8.1
9............................................................          4.6          0.3          0.1          1.4          1.1          0.6          8.1
10...........................................................          4.6          0.3          0.1          1.4          1.1          0.6          8.1
                                                              ------------------------------------------------------------------------------------------
    Total Undiscounted.......................................        111.5          8.3          2.7         34.5         26.0         15.4        198.3
Total Discounted at 7%.......................................         88.7          6.6          2.1         27.5         20.7         12.2        157.8
Total Discounted at 3%.......................................        100.4          7.5          2.4         31.1         23.4         13.9        178.7
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Numbers may not total due to rounding.
* These facilities are regulated because they handle CDC or more than 1,000 passengers. In the U.S. marine transportation system, facilities often
  handle a variety of commodities and provide a variety of commercial services. These facility types have different costs based on physical
  characteristics, such as the number of access points that would require TWIC readers, and other data received from the TWIC Pilot Study. See the final
  RA for details on different facility types and data from the TWIC Pilot Study.


[[Page 57699]]

    To account for potential opportunity costs associated with the 
delays as a result of the electronic TWIC inspection requirements, we 
estimate a cost associated with failed reads.\66\ We provide a range of 
delay costs based on different delays in seconds and also based on the 
number of times a TWIC-holder may have their card read on a weekly 
basis. By using a range of delay costs, we are able to account for 
multiple scenarios where an invalid electronic TWIC inspection 
transaction would lead to the use of a secondary processing operation, 
such as a visual TWIC inspection, additional identification validation, 
or other provisions as set forth in the FSP.\67\
---------------------------------------------------------------------------

    \66\ Delays may result from operational, human- or weather-
related factors.
    \67\ The final RA contains a discussion of the different failure 
mode scenarios where an invalid TWIC reader transaction would lead 
to potential delays and the use of secondary processing.
---------------------------------------------------------------------------

    Table 8 provides the annual costs associated with delays caused by 
invalid transactions for Risk Group A Facilities.

            Table 8--Cost of Delays Due to Invalid Transaction Per Year, for Risk Group A Facilities
----------------------------------------------------------------------------------------------------------------
                                     1 Read per  2 Reads per  3 Reads per  4 Reads per  5 Reads per
                                        week         week         week         week         week       Average
----------------------------------------------------------------------------------------------------------------
6 Seconds.........................      $94,339     $188,678     $283,017     $377,356     $471,696     $283,017
14 Seconds........................      220,125      440,249      660,374      880,498    1,100,623      660,374
30 Seconds........................      471,696      943,391    1,415,087    1,886,782    2,358,478    1,415,087
60 Seconds........................      943,391    1,886,782    2,830,173    3,773,564    4,716,955    2,830,173
120 Seconds.......................    1,886,782    3,773,564    5,660,346    7,547,129    9,433,911    5,660,346
                                   -----------------------------------------------------------------------------
    Average.......................      723,266    1,446,533    2,169,799    2,893,066    3,616,332    2,169,799
----------------------------------------------------------------------------------------------------------------

    For the purposes of this analysis, we used the cost of delay 
estimate of $2.2 million per year, which represents the average delay 
across all iterations of delay times and electronic TWIC inspection 
transactions.
    The use of TWIC readers will also increase the likelihood of faulty 
TWICs (TWICs that are not machine readable) being identified and the 
need for secondary screening procedures so affected workers and 
operators can address these issues.\68\ If a TWIC-holder's card is 
faulty and cannot be read, the TWIC-holder would need to travel to a 
TWIC Enrollment Center to get a replacement TWIC, which may result in 
additional travel and replacement costs. To account for this, we 
estimate a cost for a percentage of TWIC-holders to obtain replacement 
TWICs.
---------------------------------------------------------------------------

    \68\ Although current regulations require that TWICs be valid 
and readable upon request by DHS or law enforcement personnel, we 
anticipate that widespread use of TWIC readers will initially 
identify more unreadable cards. However, we expect the regular use 
of TWIC readers to ultimately serve to enhance compliance with 
current TWIC card validity and readability requirements.
---------------------------------------------------------------------------

    Based on information from the TWIC Pilot, we estimate that each 
year approximately five percent of TWIC-holders associated with Risk 
Group A would need to replace TWICs that cannot be read. We estimate 
that this would cost approximately $254.93 per TWIC-holder to travel to 
a TWIC Enrollment center and get a replacement TWIC.\69\ Overall, we 
estimate that TWIC replacement would cost approximately $2.3 million 
per year for TWIC transactions involving Risk Group A facilities. We 
assume this is an annual cost, though we anticipate that the rate of 
TWIC replacements will decrease as TWIC reader use increases, since the 
number of unreadable TWICs initially identified will decrease as the 
regular use of TWIC readers will serve to enhance TWIC validity and 
readability.
---------------------------------------------------------------------------

    \69\ This cost is explained in greater detail in the Final 
Regulatory Analysis and Final Regulatory Flexibility Analysis. It 
includes an estimated $194.93 for the average TWIC-holder to travel 
to a TWIC Enrollment Center, cost to be away from work, wait time at 
the Enrollment Center, and the $60 fee for a replacement TWIC. Some 
TWIC-holders may not need to pay a replacement fee if the TWIC is 
determined faulty as a result of the card production process. 
However, these TWIC-holders would chose to travel to a TWIC 
Enrollment Center to get a replacement TWIC instead of waiting to 
receive it by mail.
---------------------------------------------------------------------------

    Table 9 shows the average initial phase-in and annual recurring 
costs per facility by facility type. This includes capital, 
operational, delay, and TWIC replacement costs due to invalid TWIC 
reader transactions. It does not, however, account for vessel costs.

                                  Table 9--Per Facility Cost, by Facility Type
----------------------------------------------------------------------------------------------------------------
                                                  Break bulk                  Large        Small
    Phase-in & recurring costs      Bulk liquid   and solids   Container    passenger    passenger    Mixed use
----------------------------------------------------------------------------------------------------------------
Initial Phase-in Cost.............     $107,907     $145,588     $251,211     $105,375     $115,818     $ 70,758
Annual Recurring Cost.............       14,575       19,664       33,931       14,233       15,643        9,557
Annual Recurring Cost with               33,701       45,470       78,457       32,910       36,172       22,099
 Equipment Replacement............
----------------------------------------------------------------------------------------------------------------

    For the single Risk Group A vessel with greater than 20 TWIC-
holding crewmembers, we assume that this vessel will comply with the 
requirements by purchasing two portable TWIC readers (total first year 
cost of $14,070) and deploying them at the main access points of the 
vessel, replacing them at Year 6. We also estimate $1,339 for VSP 
amendments; $2,142 for the development of a recordkeeping system; and 
$2,028 for training in Year 1. Recurring costs include updates of the 
list of cancelled TWICs ($1,392 per year), ongoing training ($507 per 
year), and ongoing recordkeeping ($321 per year). We estimate the 
annualized costs to vessels of this rulemaking to be approximately 
$7,270 at a 7 percent discount rate. These costs are shown in Table 10.

[[Page 57700]]



   Table 10--Total Vessel Costs (Risk Group A With More Than 20 TWIC-
                         holding Crewmembers) *
------------------------------------------------------------------------
             Year                Undiscounted        7%           3%
------------------------------------------------------------------------
1.............................         $20,971      $19,599      $20,360
2.............................           3,627        3,168        3,419
3.............................           3,627        2,961        3,319
4.............................           3,627        2,767        3,222
5.............................           3,627        2,586        3,129
6.............................          17,697       11,792       14,821
7.............................           3,627        2,259        2,949
8.............................           3,627        2,111        2,863
9.............................           3,627        1,973        2,780
10............................           3,627        1,844        2,699
                               -----------------------------------------
    Total.....................          67,682       51,058       59,560
Annualized....................  ..............        7,270        $,982
------------------------------------------------------------------------
* Because the affected population is only one vessel, we assume that
  this vessel will comply within the first year of implementation.

    We estimate the annualized cost of this final rule to industry over 
10 years to be approximately $21.9 million at a 7 percent discount 
rate. The main cost drivers of this final rule are the acquisition and 
installation of TWIC readers and the maintenance of the affected 
entity's electronic TWIC inspection system. Initial costs, which will 
be distributed over a 2-year implementation phase, consist 
predominantly of the costs to purchase and install TWIC readers and to 
integrate them with owners' and operators' PACS. Annual costs will be 
driven by costs associated with updates of the list of cancelled TWICs, 
recordkeeping, training, system maintenance and opportunity costs 
associated with failed TWIC reader transactions.
    We estimated the present value average costs of this final rule on 
industry for a 10-year period as summarized in Table 11. The costs were 
discounted at 3 and 7 percent as set forth by guidance in OMB Circular 
A-4.

                                   Table 11--Total Industry Cost, Risk Group A
                                                  [$ Millions]
----------------------------------------------------------------------------------------------------------------
                                                            Additional
              Year                 Facility      Vessel      costs *     Undiscounted        7%           3%
----------------------------------------------------------------------------------------------------------------
1..............................        $51.5         $0.0         $4.8           $56.3        $52.6        $54.7
2..............................         52.6          0.0          4.8            57.4         50.2         54.1
3..............................          3.3          0.0          4.8             8.1          6.6          7.4
4..............................          3.3          0.0          4.8             8.1          6.2          7.2
5..............................          3.3          0.0          4.8             8.1          5.8          7.0
6..............................         13.2          0.0          4.8            18.0         12.0         15.1
7..............................         13.2          0.0          4.8            18.0         11.2         14.6
8..............................          3.3          0.0          4.8             8.1          4.7          6.4
9..............................          3.3          0.0          4.8             8.1          4.4          6.2
10.............................          3.3          0.0          4.8             8.1          4.1          6.0
                                --------------------------------------------------------------------------------
    Total......................        150.3          0.1         48.0           198.4        157.8        178.8
Annualized.....................  ...........  ...........  ...........  ..............         22.5         21.0
----------------------------------------------------------------------------------------------------------------
* This includes additional delay, travel, and TWIC replacement costs due to TWIC failures.

    As this final rule will require amendments to FSPs and VSPs, we 
estimate a cost to the government to review these amendments during the 
implementation period, but do not anticipate any further annual cost to 
the government from this final rule. For the total implementation 
period, the total government cost will be $93,177 at a 7 percent 
discount rate. Table 12 shows the 10-year government costs.

                                          Table 12--Government Costs *
----------------------------------------------------------------------------------------------------------------
                                                                             Total
                    Year                          FSP          VSP       undiscounted        7%           3%
----------------------------------------------------------------------------------------------------------------
1...........................................      $51,450         $166         $51,616      $48,239      $50,112
2...........................................       51,450            0          51,450       44,938       48,497
3...........................................            0            0               0            0            0
4...........................................            0            0               0            0            0
5...........................................            0            0               0            0            0
6...........................................            0            0               0            0            0
7...........................................            0            0               0            0            0
8...........................................            0            0               0            0            0
9...........................................            0            0               0            0            0
10..........................................            0            0               0            0            0

[[Page 57701]]

 
    Total...................................      102,900          166         103,066       93,177       98,609
                                             -------------------------------------------------------------------
Annualized..................................                                    13,266                    11,560
----------------------------------------------------------------------------------------------------------------
* After implementation, we estimate there would be no additional government costs for plan review as additional
  updates would be covered under existing plan review requirements and resources.

    Based on the provisions in this final rule and recent data, we 
estimated the average first-year cost of this final rule (combined 
industry and government) to be approximately $52.1 million or $54.1 
million at a 7 or 3 percent discount rate, respectively. The 
undiscounted annual recurring cost for this final rule is approximately 
$7.5 million in every year except years 6 and 7, due to equipment 
replacement 5 years after implementation. The annualized cost of this 
final rule is $21.9 million at 7 percent and $20.4 million at 3 
percent. The 10-year cost to industry and government of this final rule 
is approximately $153.8 million at a 7 percent discount rate, and 
$173.9 million at a 3 percent discount rate.
    The benefits of the final rule include enhancing the security of 
vessels, ports, and other facilities by ensuring that only individuals 
who hold TWICs are granted unescorted access to secure areas at those 
locations and reducing regulatory uncertainty by closing the gap 
between MTSA and SAFE Port Act requirements for electronic TWIC 
inspection and regulatory requirements.
    Electronic TWIC inspection programs will make identification, 
validation, and verification of individuals attempting to gain 
unescorted access to a secure area more reliable and also will help to 
alleviate potential sources of human error when checking credentials at 
access points. Identity verification ensures that the individual 
presenting the TWIC is the same person to whom the TWIC was issued. 
Card authentication ensures that the TWIC is not counterfeit, and card 
validation ensures that the TWIC has not expired or been revoked by 
TSA, or reported as lost, stolen, or damaged. Furthermore, the 
standardization of TWIC readers on a national scale could provide 
additional benefits in the form of efficiency gains in implementing 
access control systems throughout port facilities and nationally for 
companies operating in multiple locations.
    Data limitations preclude us monetizing these benefits, but 
instead, we use break-even analysis. Break-even analysis is useful when 
it is not possible to quantify the benefits of a regulatory action. OMB 
Circular A-4 recommends a ``threshold'' or ``break-even'' analysis when 
non-quantified benefits are important to evaluating the benefits of a 
regulation. Break-even analysis answers the question, ``How small could 
the value of the non-quantified benefits be (or how large would the 
value of the non-quantified costs need to be) before the rule would 
yield zero net benefits?'' \70\ For this rulemaking, we calculate a 
potential range of break-even results from the estimated consequences 
of the three attack scenarios that are most likely to be mitigated by 
the use of TWIC readers. Because the primary function of the TWIC card 
and electronic TWIC inspection is to enhance access control and 
identity verification and validation, the attack scenarios evaluated 
within MSRAM to provide the consequence data for this analysis were 
limited to the following:
---------------------------------------------------------------------------

    \70\ U.S. Office of Management and Budget, Circular A-4, 
September 17, 2003, page 2.
---------------------------------------------------------------------------

     Truck Bomb
    [cir] Armed terrorists use a truck loaded with explosives to attack 
the target focal point. The terrorists will attempt to overcome guards 
and barriers if they encounter them.
     Terrorist Assault Team
    [cir] A team of terrorists using weapons and explosives attack the 
target focal point. Assume the terrorists have done prior planning 
surveillance, but have no insider support of assault.
     Passenger/Passerby Explosives/Improvised Explosive Device
    [cir] Terrorists exploit inadequate access control and detonate 
carried explosives at the target focal point. Assume the terrorists 
approach the target under cover of legitimate presence and are not 
armed. Note: for this attack mode, terrorist is not an insider.
    The focus on these three attack scenarios allows us to look at 
specific attack scenarios that are most likely to be mitigated by the 
electronic TWIC inspection programs. These scenarios were chosen 
because they represent the scenarios most likely to benefit from the 
enhanced access control afforded by electronic TWIC inspection, as they 
require would-be attackers gaining access to the target in question. 
For these three attack types, the aggressor would first need to gain 
access to the facility to inflict maximum damage. Because the function 
of the electronic TWIC inspection is to enhance access control, the 
deployment of TWIC readers would increase the likelihood of identifying 
and denying access to an individual attempting nefarious acts.
    For the break-even analysis, we estimate the consequences of these 
three scenarios by estimating the number of casualties and serious 
injuries that would occur had the attack been successful. To monetize 
the value of fatalities prevented, we use the concept of ``value of a 
statistical life'' (VSL), which is commonly used in regulatory 
analyses. The VSL does not represent the dollar value of a person's 
life, but the amount society would be willing to pay to reduce the 
probability of premature death. We currently use a value of $9.1 
million as an estimate of VSL.\71\ This break-even analysis does not 
consider any property damage, environmental damage, indirect or 
macroeconomic consequences these terrorist attacks might cause. 
Consequently, the economic impacts of the terrorist attacks estimated 
for this series of break-even analyses would be higher if these other 
impacts were considered.
---------------------------------------------------------------------------

    \71\ See the Department of Transportation's ``Guidance on the 
Treatment of the Economic Value of a Statistical Life in U.S. 
Department of Transportation Analyses'' http://www.dot.gov/sites/dot.dev/files/docs/VSL%20Guidance%202013.pdf.

[[Page 57702]]



Table 13--Annual Risk Reduction and Attacks Averted Required for Costs to Equal Benefits, Final Rule Alternative
----------------------------------------------------------------------------------------------------------------
                                                    Annualized        Average        Required      Frequency of
                                                     cost, 7%         maximum      reduction in       attacks
                                                   discount rate    consequence   risk to break-    averted to
                                                   ($ Millions)    ($ Millions)        even         break-even
----------------------------------------------------------------------------------------------------------------
Final Rule Alternative..........................           $21.9        $5,014.1            0.4%   One every 229
                                                                                                           years
----------------------------------------------------------------------------------------------------------------

    As shown in Table 13, an avoided terrorist attack at an average 
target is equivalent to $5.01 billion in avoided consequences. This 
final rule is estimated to cost approximately $21.9 million annually. 
Using the estimated annualized cost of this regulation, the annual 
reduction in the probability of attack to a Risk Group A facility that 
would just equate avoided consequences with cost is less than 0.5 
percent. To state this in another way, if implementing this regulation 
will lower the likelihood of a successful terrorist attack by more than 
0.4 percent each year, then this would be a socially efficient use of 
resources. This final rule would be cost effective if it prevented one 
terrorist attack with consequence equal to the average every 229 years 
($5,014.1/$21.9). These small changes in required risk reduction 
suggest that the potential benefits of the final rule justify the 
costs.
    For the final rule alternative, we assess that all Risk Group A 
facilities will be required to conduct electronic TWIC inspections. On 
the vessel side, we assess that all Risk Group A vessels with a crew 
size greater than 20 TWIC-holding crewmembers will likely carry two 
portable TWIC readers. For this alternatives analysis, we look at 
several different ways to implement electronic TWIC inspection 
requirements based on the Risk Group hierarchy. These alternatives 
include requiring TWIC readers for Risk Group A and B facilities, along 
with Risk Group A vessels with more than 14 TWIC-holding crewmembers, 
Risk Group A and container facilities, along with Risk Group A vessels 
with more than 14 TWIC-holding crewmembers, adding certain high-risk 
facilities to Risk Group A, including petroleum refineries, non-CDC 
bulk hazardous materials facilities, and petroleum storage facilities, 
and Risk Group A facilities and all self-propelled Risk Group A 
vessels. Table 14 summarizes the cost of the alternatives considered. 
The costs displayed are the 10-year costs and the 10-year annualized 
cost, each discounted at 7 percent.

                                        Table 14--Regulatory Alternatives
----------------------------------------------------------------------------------------------------------------
                                                                                                    Annualized
                                                                                   Total cost ($      cost ($
                                   Description       Facility         Vessel       millions, at    millions, at
                                                    population      population      7% discount     7% discount
                                                                                       rate)           rate)
----------------------------------------------------------------------------------------------------------------
Final Rule Alternative........  All Risk Group A             525               1          $153.8           $21.9
                                 facilities and
                                 Risk Group A
                                 vessels with
                                 more than 20
                                 crewmembers.
NPRM Alternative..............  All Risk Group A             532              38           153.5            21.9
                                 facilities and
                                 Risk Group A
                                 vessels with
                                 more than 14
                                 crewmembers.
Alternative 2.................  All Risk Group A             532             138           158.2            22.5
                                 facilities and
                                 Risk Group A
                                 vessels (except
                                 barges).
Alternative 3.................  Risk Group A and             651              38           182.6            26.0
                                 all container
                                 facilities and
                                 Risk Group A
                                 vessels with
                                 more than 14
                                 crewmembers.
Alternative 4.................  All Risk Group A           1,174              38           309.5            44.1
                                 facilities,
                                 plus additional
                                 high
                                 consequence
                                 facilities
                                 including
                                 petroleum
                                 refineries, non-
                                 CDC bulk
                                 hazardous
                                 materials
                                 facilities, and
                                 petroleum
                                 storage
                                 facilities, and
                                 Risk Group A
                                 vessels with
                                 more than 14
                                 crewmembers.
Alternative 5 (ANPRM            Risk Group A and           2,173              38           548.9            78.1
 Alternative).                   B Facilities
                                 and Risk Group
                                 A vessels with
                                 more than 14
                                 crewmembers.
----------------------------------------------------------------------------------------------------------------

    When comparing alternatives, we also looked at the results of the 
break-even analysis for these alternatives. As Table 15 shows, for the 
overall average maximum consequence, the final rule alternative will 
require the lowest reduction in risk for the costs of the rule to be 
justified. As the purpose of this rulemaking is to enhance security to 
mitigate a TSI, we assess the break-even for the overall consequence of 
a TSI. It is assumed that the highest consequence targets will be the 
most attractive targets for potential terrorist attack.

[[Page 57703]]



    Table 15--Summary of Required Risk Reduction and Attacks Averted by Regulatory Alternative, Overall (in $
                                                    Millions)
----------------------------------------------------------------------------------------------------------------
                                          Annualized                       Required
                                           cost, 7%         Average      reduction in     Frequency of attacks
                                         discount rate    consequence        risk                averted
----------------------------------------------------------------------------------------------------------------
Final Rule Alternative................           $21.9       $5,014.10           0.44%  One every 229 years.
NPRM Alternative......................            21.9        5,014.10           0.44%  One every 229.0 years.
Risk Group A facilities and all Risk              22.5        5,014.10           0.45%  One every 222.8 years.
 Group A vessels, except barges.
Risk Group A and all container                    26.0         4,158.7           0.63%  One every 160.0 years.
 facilities and Risk Group A vessels
 with more than 14 crewmembers.
All Risk Group A facilities, plus                 44.1         2,211.3           1.99%  One every 50.1 years.
 additional high consequence
 facilities including petroleum
 refineries, non-CDC bulk hazardous
 materials facilities, and petroleum
 storage facilities, and Risk Group A
 vessels with more than 14 crewmembers.
ANPRM Alternative Risk Groups A and B             78.1         1,647.1           4.74%  One every 21.1 years.
 facilities and Risk Group A vessels
 with more than 14 crewmembers.
----------------------------------------------------------------------------------------------------------------

    Final rule Alternative--Risk Group A Facilities and Risk Group A 
Vessels with More than 20 TWIC-Holding Crewmembers:
    The analysis for this alternative is discussed in detail previously 
in this section, as it is the alternative we have chosen in this final 
rule.
    NPRM Alternative--Risk Group A Facilities and Risk Group A Vessels 
with More than 14 TWIC-Holding Crewmembers:
    The analysis for this alternative was discussed in detail in the 
previously published NPRM's regulatory impact analysis.\72\ The two key 
differences between the final rule and NPRM alternative are the 
exemption of barge fleeting facilities reducing the affected facility 
population to 525 and the adoption of the crew size of 20 or more 
removing all vessels except one in the final rule as opposed to all 532 
facilities and 38 vessels in the Risk Group A.
---------------------------------------------------------------------------

    \72\ 78 FR 17782.
---------------------------------------------------------------------------

    Alternative 2--Risk Group A Facilities and All Risk Group A 
Vessels, Except Barges:
    This alternative would require electronic TWIC inspection to be 
used at all Risk Group A facilities and for all Risk Group A vessels, 
except barges. This alternative would increase the burden on industry 
and small entities by increasing the affected population from 1 vessel 
to 138 vessels. The number of facilities would be the same as in the 
NPRM alternative. Under this alternative, annualized cost of this 
rulemaking would remain the same at $21.9 million, at a 7 percent 
discount rate. The discounted 10-year costs would go from $157.9 
million to $158.2 million. While this alternative does not lead to a 
significant increase in costs, we reject it because requiring 
electronic TWIC inspection on vessels with 14 or fewer TWIC-holding 
crewmembers is unnecessary, as crews with that few members are known to 
all on the vessel. This crewmember limit was proposed in the ANPRM and 
in the NPRM, and was based on a recommendation from TSAC. See the 
discussion in the NPRM on ``Recurring Unescorted Access'' and ``TWIC 
Reader Exemption for Vessels with 14 or Fewer TWIC-Holding 
Crewmembers'' for more details.\73\
---------------------------------------------------------------------------

    \73\ 78 FR 17803 and 78 FR 17813, respectively.
---------------------------------------------------------------------------

    Alternative 3--Risk Group A and All Container Facilities and Risk 
Group A Vessels with More than 14 TWIC-Holding Crewmembers:
    For this alternative, we assumed that only those facilities in Risk 
Group A, as previously defined, and all container facilities will 
require electronic TWIC inspection. This alternative would increase the 
burden on industry and small entities by increasing the affected 
population from 525 facilities to 651 facilities. Under this scenario, 
the annualized cost of this rulemaking would increase from $21.9 
million to $26.0 million, at a 7 percent discount rate. The discounted 
10-year costs would go from $153.8 million to $182.6 million. The 
inclusion of container facilities would also potentially have adverse 
environmental impacts due to increased air emissions due to longer wait 
(``queuing'') times and congestion at facilities.
    We considered this alternative because of the risk associated with 
container facilities due to the transfer risk associated with 
containers. As discussed in the preamble of the NPRM, many of the high-
risk threat scenarios at container facilities would not be mitigated by 
electronic TWIC inspection. The costs for electronic TWIC inspection at 
container facilities would not be justified by the amount of potential 
risk reduction at these facilities from such a measure. While container 
facilities pose a higher transfer risk (i.e., there is a greater risk 
of a threat coming through a container facility and inflicting harm or 
damage elsewhere than with any other facility type), such threats are 
not mitigated by the use of TWIC readers.
    Furthermore, the use of TWIC readers, or other access control 
features, would not mitigate the threat associated with the contents of 
a container. The electronic TWIC inspection serves as an additional 
access control measure, but would not improve screening of cargoes for 
dangerous substances or devices.
    Alternative 4--Adding certain high consequence facilities to Risk 
Group A (these additional facilities to include petroleum refineries, 
non-CDC bulk hazardous materials facilities, and petroleum storage 
facilities):
    For this alternative, we moved three facility categories--petroleum 
refineries, non-CDC bulk hazardous materials facilities, and petroleum 
storage facilities--into Risk Group A from Risk Group B based on the 
average maximum consequence for these facility types. This alternative 
would increase the burden on industry by increasing the affected 
population from 525 facilities to 1,174 facilities. Under this 
scenario, the annualized cost of this rulemaking would increase from 
$21.9 million to $44.1 million, at a 7 percent discount rate. The 
discounted 10-year costs would go from $153.8 million to $309.5 
million.
    We considered this alternative based on the high MSRAM consequences

[[Page 57704]]

associated with these three facility types, as well as due to the 
perception that petroleum facilities pose a greater security risk than 
other facility types. Despite the high MSRAM consequences for these 
facility types, the overall risk as determined in the AHP were not as 
high as those in the current Risk Group A, and therefore, we rejected 
this alternative and maintained the AHP-based risk groupings.
    Alternative 5--Risk Group A and Risk Group B Facilities and Risk 
Group A Vessels with More than 14 Crewmembers:
    Alternative 5 would require electronic TWIC inspection to be used 
at all Risk Group A and Risk Group B facilities, and Risk Group A 
vessels with greater than 14 TWIC-holding crewmembers. This alternative 
would increase the burden on industry and small entities by increasing 
the affected population from 525 facilities to 2,173 facilities. This 
increase in facilities would extend the affected population to 
facilities that fall under the second risk tier. Under this 
alternative, annualized cost of this rulemaking would increase from 
$21.9 million to $78.1 million, at a 7 percent discount rate. The 
discounted 10-year costs would go from $153.8 million to $548.9 
million. Based on a recent study by the Homeland Security Institute, as 
discussed in the preamble to the NPRM, the difference in risk between 
facilities in Risk Groups A and B is clearly defined, indicating that 
the two Risk Groups do not require the same level of TWIC requirements. 
Further, as discussed in the benefits section of this analysis, the 
break-even point, or the amount of risk that would need to be reduced 
for costs to equal benefits, for this alternative is much higher than 
that of the final rule alternative. For these reasons, we rejected this 
alternative.
    The provisions in this final rule are taken in order to meet 
requirements set forth in MTSA and the SAFE Port Act. The final rule, 
as presented, represents the lowest cost alternative, as discussed 
above. We have focused this rulemaking on the highest risk population 
so as to reduce the impacts of this rule as much as possible. Also, we 
have created a performance standard that allows the affected population 
to implement the requirements in a manner most conducive to their own 
business practices.
    Furthermore, by allowing for flexibilities, such as the use of 
fixed or portable TWIC readers, and removing vessels with 20 or fewer 
TWIC-holding crewmembers from the requirements, we have reduced 
potential burden on all entities, including small entities. 
Furthermore, we believe that providing any additional relief for small 
entities would conflict with the purpose of this rulemaking, as the 
objective is to enhance access control and reduce risk of a TSI. 
Providing relief of the proposed requirements based on entity size 
would contradict that stated purpose and leave small entities, which 
may possess as great a risk as entities that exceed the Small Business 
Administration (SBA) size standards, more vulnerable to a TSI.
B. Small Entities
    Under the Regulatory Flexibility Act, 5 U.S.C. 601-612, we have 
considered whether this rule would have a significant economic impact 
on a substantial number of small entities. The term ``small entities'' 
comprises small businesses, not-for-profit organizations that are 
independently owned and operated and are not dominant in their fields, 
and governmental jurisdictions with populations of less than 50,000. A 
Final Regulatory Flexibility Analysis discussing the impact of this 
final rule on small entities is available in the docket, and a summary 
follows.
    For this final rule, we estimated costs for mandatory electronic 
TWIC inspection for approximately 1 vessel and 525 facilities based on 
the risk assessment hierarchy and current data from the Coast Guard's 
MISLE database. Of these 525 facilities that would be affected by the 
electronic TWIC inspection requirements, we found 306 unique owners. 
Among these 306 unique owners, there were 31 government-owned entities, 
114 companies that exceeded SBA small business size standards, 88 
companies considered small by SBA size standards, and 73 companies for 
which no information was available. For the purposes of this analysis, 
we consider all entities for which information was not available to be 
small. There were no not-for-profit entities in our affected 
population. Of the 31 government jurisdictions that would be affected 
by this final rule, 24 exceed the 50,000 population threshold as 
defined by the Regulatory Flexibility Act to be considered small, and 
the remaining 7 have government revenue levels such that there would 
not be an impact greater than 1 percent of government revenue.\74\
---------------------------------------------------------------------------

    \74\ ``Government revenues'' used for this analysis include tax 
revenues, and in some cases, operating revenues for government owned 
waterfront facilities.
---------------------------------------------------------------------------

    We were able to find revenue information for 64 of the 88 
businesses deemed small by SBA size standards.\75\ We then determined 
the impacts of the final rule on these companies by comparing the cost 
of the final rule to the average per facility cost of this rulemaking. 
To determine the average per facility cost, we average the per facility 
cost for all facility types using the same cost per facility type 
breakdown as used to assess the costs of this proposal. We then found 
what percent impact on revenue the final rule will have based on 
implementation costs (including capital costs) and annual recurring 
costs (including updates of the list of cancelled TWICs, recordkeeping, 
and training). We estimate these costs to be, on average $195,715 per 
entity during the implementation period and $12,612 per entity in 
annual recurring cost.\76\ The actual cost faced by a specific facility 
will vary based on a number of factors, such as the number of access 
points. Smaller facilities should in general incur lower costs, but the 
Coast Guard is unable to distinguish cost estimates on a facility-by-
facility basis. We note that in some cases owners and operators might 
be able to finance the equipment costs as needed and such financing 
scenario could further decrease the impact on the facility owner and 
operators. We base our impact analysis on average cost to regulated 
entities due to the flexibility afforded by this final rule to 
individual facilities to determine how best to implement electronic 
TWIC inspection requirements.\77\ Table 16 shows the potential revenue 
impacts for small businesses impacted by this final rule.
---------------------------------------------------------------------------

    \75\ SBA small business standards are based on either company 
revenue or number of employees. Many companies in our sample have 
employee numbers determining them small, but we were unable to find 
annual revenue data to pair with the employee data.
    \76\ These are weighted averages, based on the per facility cost 
displayed in Table 4 and the number of facilities by type.
    \77\ We do not know how a specific facility will comply with 
this rulemaking in regards to type and number of readers installed, 
number of personnel requiring training at a given facility, etc.

[[Page 57705]]



                       Table 16--Revenue Impacts on Affected Small Businesses--Facilities
----------------------------------------------------------------------------------------------------------------
                                                    Impacts from implementation    Impacts from recurring annual
                                                               costs                           costs
              Revenue impact range               ---------------------------------------------------------------
                                                     Number of      Percent of       Number of      Percent of
                                                     entities        entities        entities        entities
----------------------------------------------------------------------------------------------------------------
0% < Impact <= 1%...............................              33              52              57              89
1% < Impact <= 3%...............................               4               6               6               9
3% < Impact <= 5%...............................               5               8               0               0
5% < Impact <= 10%..............................               8              13               1               2
Above 10%.......................................              14              22               0               0
                                                 ---------------------------------------------------------------
    Total.......................................              64             100              64             100
----------------------------------------------------------------------------------------------------------------

    The greatest impact is expected to occur during the implementation 
phase when 48 percent of small businesses that we were able to find 
revenue data on will experience an impact of greater than 1 percent, 
and 22 percent of small businesses that we were able to find revenue 
data on will experience an impact greater than 10 percent. After 
implementation, the impacts decrease and 89 percent of affected small 
businesses will see an impact less than 1 percent. We expect the 
revenue impacts for years with equipment replacement to be between 
those for implementation and annual impacts. During those years with 
equipment replacement, we estimate that approximately 3 percent of 
businesses would see an impact greater than 1 percent, and 0 percent 
would see an impact greater than 10 percent.\78\
---------------------------------------------------------------------------

    \78\ We estimate an average cost per facility in years with 
equipment replacement to be $48,110.
---------------------------------------------------------------------------

    For vessels, we found that for the 1 vessel that will be affected 
by this final rule, there is 1 unique owner that did not qualify as 
small business by SBA size standards. Therefore, we do not provide a 
revenue impact analysis for affected small business as we provided 
above for affected facilities.
C. Assistance for Small Entities
    Under section 213(a) of the Small Business Regulatory Enforcement 
Fairness Act of 1996, Public Law 104-121, we offered to assist small 
entities in understanding this rule so that they could better evaluate 
its effects on them and participate in the rulemaking. The Coast Guard 
will not retaliate against small entities that question or complain 
about this rule or any policy or action of the Coast Guard.
    Small businesses may send comments on the actions of Federal 
employees who enforce, or otherwise determine compliance with, Federal 
regulations to the Small Business and Agriculture Regulatory 
Enforcement Ombudsman and the Regional Small Business Regulatory 
Fairness Boards. The Ombudsman evaluates these actions annually and 
rates each agency's responsiveness to small business. If you wish to 
comment on actions by employees of the Coast Guard, call 1-888-REG-FAIR 
(1-888-734-3247).

D. Collection of Information

    This rule calls for a collection of information under the Paperwork 
Reduction Act of 1995, 44 U.S.C. 3501-3520. You are not required to 
respond to a collection of information unless it displays a currently 
valid OMB control number. As required by 44 U.S.C. 3507(d), we 
submitted a copy of the final rule to the OMB for its review of the 
collection of information. As defined in 5 CFR 1320.3(c), ``collection 
of information'' comprises reporting, recordkeeping, monitoring, 
posting, labeling, and other similar actions. The title and description 
of the information collection, a description of those who must collect 
the information, and an estimate of the total annual burden follow. The 
estimate covers the time for reviewing instructions, searching existing 
sources of data, gathering and maintaining the data needed, and 
completing and reviewing the collection.
    Under the provisions of the final rule, the affected facilities and 
vessel will be required to update their FSPs and VSPs, as well as 
create and maintain a system of recordkeeping within 2 years of 
promulgation of the final rule. This requirement will be added to an 
existing collection with OMB control number 1625-0077.
    Title: Security Plans for Ports, Vessels, Facilities, Outer 
Continental Shelf Facilities and Other Security-Related Requirements.
    OMB Control Number: 1625-0077.
    Summary of the Collection of Information: This information 
collection is associated with the maritime security requirements 
mandated by MTSA. Security assessments, security plans, and other 
security-related requirements are found in 33 CFR Chapter I, subchapter 
H. The final rule will require certain vessel and facilities to use 
electronic readers designed to work with the TWIC as an access control 
measure. Affected owners and operators will also face requirements 
associated with electronic TWIC inspection, including recordkeeping 
requirements for those owners and operators required to use an 
electronic TWIC reader, and security plan amendments to incorporate 
TWIC requirements.
    Need for Information: The information is necessary to show evidence 
that affected vessels and facilities are complying with the electronic 
TWIC inspection requirements.
    Proposed Use of Information: We will use this information to ensure 
that facilities and vessels are properly implementing and utilizing 
electronic TWIC inspection programs.
    Description of the Respondents: The respondents are owners and 
operators of certain vessel and facilities regulated by the Coast Guard 
under 33 CFR Chapter I, subchapter H.
    Number of Respondents: The number of respondents is the 525 
facilities that are considered ``high-risk'' and would be required to 
modify their existing FSPs, and 1 vessel that would be required to 
modify its VSP to account for the electronic TWIC inspection 
requirements. These same populations will be required to create and 
maintain recordkeeping systems as well.
    Frequency of Response: The FSP and VSP would need to be amended 
within 2 years of promulgation to include TWIC reader-related 
procedures. Recordkeeping requirements will need to be met along a 
similar timeline.
    Burden of Response: The estimated burden for facilities would be 
17,063 hours in the first year, 17,063 hours in the second year and 
3,150 hours in the third year and all subsequent years. The burden for 
vessels would be 65 burden

[[Page 57706]]

hours in year one, and 6 burden hours for all subsequent years. This 
includes an estimated 25 burden hours to amend the FSP or VSP, along 
with an implementation period burden of 40 hours and an annual burden 
of 6 hours for designing and maintaining a system of records for each 
facility or vessel, to include recordkeeping related to the list of 
cancelled TWICs.
Estimate of Total Annual Burden
    Facilities: The estimated burden over the 2-year implementation 
period for facilities is 25 hours per FSP amendment. Since there are 
currently 525 facilities that will need to amend their FSPs, the total 
burden on facilities would be 13,125 hours (525 FSPs x 25 hours per 
amendment) during the 2-year implementation period, or 6,563 hours each 
of the first 2 years. Facilities would also face a recordkeeping burden 
of 21,000 hours during the 2-year implementation period (525 facilities 
x 40 hours per recordkeeping system), or 10,500 hours each year over 
the first 2 years. There would also be an annual recordkeeping burden 
of 3,150 hours (525 facilities x 6 hours per year), starting in the 
third year. In the second year, the 262 facilities that implemented in 
the first year would incur the 6 hours of annual recordkeeping, at a 
burden of 1,572 (262 facilities x 6 hours). The total burden for 
facilities is estimated at 17,063 (6,563 + 10,500) in Year 1, 17,063 in 
Year 2 (6,563 + 10,500), and 3,150 in Year 3.
    Vessels: For the 1 vessel, the burden in the first year would be 25 
hours (1 VSP x 25 hour per amendment). Vessels would also face a 
recordkeeping burden of 40 hours during the 1-year implementation 
period (1 vessel x 40 hours per recordkeeping system). There would also 
be an annual recordkeeping burden of 6 hours, starting in Year 2, (1 
vessel x 6 hours per year). The total burden for vessels is estimated 
at 65 (25 + 40) in Year 1 and 6 hours in Years 2 and 3.
    Total: The total additional burden due to the electronic TWIC 
inspection rule is estimated at 17,128 (65 for vessels and 17,063 for 
facilities) in Year 1, 17,069 (6 for vessel and 17,063 for facilities) 
in Year 2, and 3,156 (6 for vessels and 3,150 for facilities) in Year 
3. The current annual burden listed in this collection of information 
is 1,108,043. The new burden, as a result of this final rule, in Year 1 
is 1,125,171 (1,108,043 + 17,128). In Year 2, the new burden, as a 
result of this final rule, is 1,125,171 (1,108,043 + 17,128) and in 
Year 3 it is 1,111,199 (1,108,043 + 3,156). The average annual 
additional burden across the 3 years is 12,425.
    As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 
3507(d)), we have submitted a copy of this final rule to OMB for its 
review of the collection of information.

E. Federalism

    A rule has implications for Federalism under E.O. 13132, 
Federalism, if it has a substantial direct effect on the States, on the 
relationship between the national government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government. This final rule has been analyzed in accordance with the 
principles and criteria in E.O. 13132, and it has been determined that 
this final rule does have Federalism implications or a substantial 
direct effect on the States.
    This final rule would update existing regulations by creating a 
risk-based analysis of MTSA-regulated vessels and facilities. Based on 
this analysis, each vessel or facility is classified according to its 
risk level, which then determines whether the vessel or facility will 
be required to use TWIC readers. Additionally, this final rule will 
amend recordkeeping requirements and add requirements to amend security 
plans in order to ensure compliance.
    It is well-settled that States may not regulate in categories 
reserved for regulation by the Coast Guard. It is also well-settled, 
now, that all of the categories covered in 46 U.S.C. 3306, 3703, 7101, 
and 8101 (design, construction, alteration, repair, maintenance, 
operation, equipping, personnel qualification, and manning of vessels), 
as well as the reporting of casualties and any other category in which 
Congress intended the Coast Guard to be the sole source of a vessel's 
obligations, are within fields foreclosed from regulation by the States 
or local governments. (See the decision of the Supreme Court in the 
consolidated cases of United States v. Locke and Intertanko v. Locke, 
529 U.S. 89, 120 S.Ct. 1135 (March 6, 2000)).
    The Coast Guard believes the Federalism principles articulated in 
Locke apply to this final rule since it will require certain MTSA-
regulated vessels to carry TWIC readers or a PACS that can conduct 
electronic TWIC inspection (i.e., required equipment), and to conform 
to recordkeeping and security plan requirements. In enacting MTSA, 
Congress articulated a need to address nationwide port security threats 
while preserving the free flow of interstate and international maritime 
commerce. Congress identified enhancing global maritime security 
through implementing international security instruments as furthering 
this statutory purpose. MTSA's comprehensive and uniform maritime 
security regime, founded on the purpose of facilitating interstate and 
international maritime commerce, indicates that States and local 
governments are generally foreclosed from regulating within this field. 
As discussed above, vessel equipping and operation are traditionally 
fields foreclosed from State and local regulation. However, States and 
local governments have traditionally shared certain regulatory 
jurisdiction over waterfront facilities. Therefore, MTSA standards 
contained in 33 CFR part 105 (Maritime security: Facilities) are not 
preemptive of State or local law or regulations that do not conflict 
with them (i.e., they would either actually conflict or would frustrate 
an overriding Federal need for uniformity).
    The Coast Guard recognizes the key role that State and local 
governments may have in making regulatory determinations. Additionally, 
Sections 4 and 6 of E.O. 13132 require that for any rules with 
preemptive effect, the Coast Guard provide elected officials of 
affected State and local governments and their representative national 
organizations the notice and opportunity for appropriate participation 
in any rulemaking proceedings, and consult with such officials early in 
the rulemaking process. Therefore, we invited affected State and local 
governments and their representative national organizations to indicate 
their desire for participation and consultation in this rulemaking 
process by submitting comments to the NPRM.
    Numerous State and local governments responded to the Coast Guard's 
invitation by actively participating in this rulemaking process. State 
and local government interests participated by submitting written 
comments and by attending and presenting their views in person at four 
public meetings we held across the country to solicit comments on this 
rulemaking. All comments have been posted to the docket for this 
rulemaking. Participating State and local government interests 
included: Alaska Marine Highway System; American Association of Port 
Authorities; Broward County, Florida Port Everglades Department; 
Calhoun Port Authority; King County, Washington Department of 
Transportation; New York City Department of Transportation; Port 
Authority of New York and New Jersey; Port of Galveston; Port of 
Houston Authority; Port of Seattle; Port of Stockton; Port of Tacoma; 
and

[[Page 57707]]

Washington State Department of Transportation. We considered this State 
and local government input in the promulgation of this final rule, and 
multiple changes to the final rule are attributable to these comments. 
Based on these consultations and the content of the final rule, we can 
ensure that the final rule is consistent with the fundamental 
federalism principles and preemption requirements described in E.O. 
13132.

F. Unfunded Mandates Reform Act

    The Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1531-1538, 
requires Federal agencies to assess the effects of their discretionary 
regulatory actions. In particular, the Act addresses actions that may 
result in the expenditure by a State, local, or tribal government, in 
the aggregate, or by the private sector of $100,000,000 (adjusted for 
inflation) or more in any one year. Though this rule will not result in 
such an expenditure, we do discuss the effects of this rule elsewhere 
in this preamble.

G. Taking of Private Property

    This rule will not cause a taking of private property or otherwise 
have taking implications under E.O. 12630 (``Governmental Actions and 
Interference with Constitutionally Protected Property Rights'').

H. Civil Justice Reform

    This rule meets applicable standards in sections 3(a) and 3(b)(2) 
of E.O. 12988, (``Civil Justice Reform''), to minimize litigation, 
eliminate ambiguity, and reduce burden.

I. Protection of Children

    We have analyzed this rule under E.O. 13045 (``Protection of 
Children from Environmental Health Risks and Safety Risks''). Though 
this rule is a ``significant regulatory action'' under E.O. 12866, it 
does not create an environmental risk to health or risk to safety that 
might disproportionately affect children.

J. Indian Tribal Governments

    This rule does not have tribal implications under E.O. 13175 
(``Consultation and Coordination with Indian Tribal Governments''), 
because it would not have a substantial direct effect on one or more 
Indian tribes, on the relationship between the Federal Government and 
Indian tribes, or on the distribution of power and responsibilities 
between the Federal Government and Indian tribes.

K. Energy Effects

    We have analyzed this rule under E.O. 13211 (``Actions Concerning 
Regulations That Significantly Affect Energy Supply, Distribution, or 
Use''). We have determined that it is not a ``significant energy 
action'' under E.O. 13211, because although it is a ``significant 
regulatory action'' under E.O. 12866, it is not likely to have a 
significant adverse effect on the supply, distribution, or use of 
energy, and the Administrator of OMB's Office of Information and 
Regulatory Affairs has not designated it as a significant energy 
action.

L. Technical Standards

    The National Technology Transfer and Advancement Act (NTTAA), 
codified as a note to 15 U.S.C. 272, directs agencies to use voluntary 
consensus standards in their regulatory activities unless the agency 
provides Congress, through OMB, with an explanation of why using these 
standards would be inconsistent with applicable law or otherwise 
impractical. Voluntary consensus standards are technical standards 
(e.g., specifications of materials, performance, design, or operation; 
test methods; sampling procedures; and related management systems 
practices) that are developed or adopted by voluntary consensus 
standards bodies.
    This final rule does not use technical standards. Therefore, we did 
not consider the use of voluntary consensus standards.
    The Federal government is constantly working on improving 
electronic TWIC inspection standards. Under NTTAA and OMB Circular A-
119, NIST is tasked with the role of encouraging and coordinating 
Federal agency use of voluntary consensus standards and participation 
in the development of relevant standards, as well as promoting 
coordination between the public and private sectors in the development 
of standards and in conformity assessment activities. NIST and TSA have 
established the QTL and the associated standards for identity and 
privilege credential products, to be managed by TSA. NIST continues to 
assist TSA with the development of testing suites for qualifying 
products in conformity to specified standards and TSA specifications.

M. Environment

    We have analyzed this rule under Department of Homeland Security 
Management Directive 023-01 and Commandant Instruction M16475.lD, which 
guide the Coast Guard in complying with the National Environmental 
Policy Act of 1969, 42 U.S.C. 4321-4370f, and have concluded that this 
action is not likely to have a significant effect on the human 
environment. A Final Programmatic Environmental Assessment and a final 
Finding of No Significant Impact are available in the docket for this 
rulemaking. Our analysis indicates that electronic TWIC inspection 
operations will have insignificant direct, indirect or cumulative 
impacts on environmental resources, with special attention to potential 
air quality issues.

List of Subjects

33 CFR Parts 101 and 103

    Harbors, Incorporation by reference, Maritime security, Reporting 
and recordkeeping requirements, Security measures, Vessels, Waterways.

33 CFR Part 104

    Maritime security, Reporting and recordkeeping requirements, 
Security measures, Vessels.

33 CFR Part 105

    Maritime security, Reporting and recordkeeping requirements, 
Security measures.

33 CFR Part 106

    Continental shelf, Maritime security, Reporting and recordkeeping 
requirements, Security measures.

    For the reasons discussed in the preamble, the Coast Guard amends 
33 CFR parts 101, 103, 104, 105, and 106 as follows:

PART 101--MARITIME SECURITY: GENERAL

0
1. The authority citation for part 101 continues to read as follows:

    Authority:  33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 
U.S.C. 191, 192; Executive Order 12656, 3 CFR 1988 Comp., p. 585; 33 
CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department of Homeland 
Security Delegation No. 0170.1.


0
2. Amend Sec.  101.105 as follows:
0
a. Add the definitions, in alphabetical order, of ``biometric match''; 
``Canceled Card List (CCL)''; ``Card Holder Unique Identifier 
(CHUID)''; ``card validity check''; ``Designated Recurring Access Area 
(DRAA)''; ``electronic TWIC inspection''; ``identity verification''; 
``Mobile Offshore Drilling Unit (MODU)''; ``Non-TWIC visual identity 
verification;'' ``Offshore Supply Vessel (OSV)''; ``Physical Access 
Control System (PACS)''; ``Qualified Reader''; ``Risk Group''; 
``Transparent Reader''; ``TWIC reader''; and ``visual TWIC 
inspection''; and

[[Page 57708]]

0
b. Revise the definitions of ``bulk or in bulk''; ``recurring 
unescorted access''; and ``TWIC Program''.
    The revisions and additions read as follows:


Sec.  101.105  Definitions.

* * * * *
    Biometric match means a confirmation that: One of the two biometric 
templates stored in the Transportation Worker Identification Credential 
(TWIC) matches the scanned biometric template of the person presenting 
the TWIC; or the alternate biometric stored in a Physical Access 
Control System (PACS) matches the corresponding biometric of the 
person.
* * * * *
    Bulk or in bulk means a commodity that is loaded or carried without 
containers or labels, and that is received and handled without mark or 
count. This includes cargo transferred using hoses, conveyors, or 
vacuum systems.
* * * * *
    Canceled Card List (CCL) is a list of Federal Agency Smart 
Credential-Numbers (FASC-Ns) that have been invalidated or revoked 
because TSA has determined that the TWIC-holder may pose a security 
threat, or the card has been reported lost, stolen, or damaged.
* * * * *
    Card Holder Unique Identifier (CHUID) means the standardized data 
object comprised of the FASC-N, globally unique identifier, expiration 
date, and certificate used to validate the data integrity of other data 
objects on the credential.
    Card validity check means electronic verification that the TWIC has 
not been invalidated or revoked by checking the TWIC against the TSA-
supplied list of cancelled TWICs or, for vessels and facilities not in 
Risk Group A, by verifying that the expiration date on the face of the 
TWIC has not passed.
* * * * *
    Designated Recurring Access Area (DRAA) means an area designated 
under Sec.  101.555 where persons are permitted recurring access to a 
secure area of a vessel or facility.
* * * * *
    Electronic TWIC inspection means the process by which the TWIC is 
authenticated, validated, and the individual presenting the TWIC is 
matched to the stored biometric template.
* * * * *
    Identity verification means the process by which an individual 
presenting a TWIC is verified as the owner of the TWIC.
* * * * *
    Mobile Offshore Drilling Unit (MODU) means the same as defined in 
33 CFR 140.10.
* * * * *
    Non-TWIC visual identity verification means the process by which an 
individual who is known to have been granted unescorted access to a 
secure area on a vessel or facility is matched to the picture on the 
facility's PACS card or a government-issued identification card.
* * * * *
    Offshore Supply Vessel (OSV) means the same as defined in 46 CFR 
125.160.
* * * * *
    Physical Access Control System (PACS) means a system that includes 
devices, personnel, and policies, that controls access to and within a 
facility or vessel.
* * * * *
    Qualified Reader means an electronic device listed on TSA's 
Qualified Technology List that is capable of reading a TWIC.
    Recurring unescorted access refers to special access procedures 
within a DRAA where a person may enter a secure area without passing an 
electronic TWIC inspection prior to each entry into the secure area.
* * * * *
    Risk Group means the risk ranking assigned to a vessel, facility, 
or OCS facility according to Sec. Sec.  104.263, 105.253, or 106.258 of 
this subchapter, for the purpose of TWIC requirements in this 
subchapter.
* * * * *
    Transparent Reader means a device capable of reading the 
information from a TWIC or individual seeking access and transmitting 
it to a system capable of conducting electronic TWIC inspection.
* * * * *
    TWIC Program means those procedures and systems that a vessel, 
facility, or outer continental shelf (OCS) facility must implement in 
order to assess and validate TWICs when maintaining access control.
    TWIC reader means a device capable of conducting an electronic TWIC 
inspection.
* * * * *
    Visual TWIC inspection means the process by which the TWIC is 
authenticated, validated, and the individual presenting the TWIC is 
matched to the photograph on the face of the TWIC.
* * * * *

0
3. Add Sec.  101.112 to read as follows:


Sec.  101.112  Federalism.

    (a) The regulations in 33 CFR parts 101, 103, 104, and 106 have 
preemptive effect over State or local regulation within the same field.
    (b) The regulations in 33 CFR part 105 have preemptive effect over 
State or local regulations insofar as a State or local law or 
regulation applicable to the facilities covered by part 105 would 
conflict with the regulations in part 105, either by actually 
conflicting or by frustrating an overriding Federal need for 
uniformity.


Sec.  101.514  [Amended]

0
4. Amend Sec.  101.514 as follows:
0
a. In paragraph (b), remove the word ``federal'' and add, in its place, 
the word ``Federal''; and
0
b. In paragraph (d), remove the word ``State,'' and add, in its place, 
the word ``State''.

0
5. Amend Sec.  101.515 as follows:
0
a. In paragraph (a), remove the words ``of this part shall be required 
to'' and add, in their place, the words ``must'';
0
 b. In paragraph (b)(1), remove the words ``of behalf'' and add, in 
their place, the words ``on behalf'';
0
c. In paragraph (c), remove the words ``of this part''; and
0
 d. Revise paragraph (d)(2).
    The revision reads as follows:


Sec.  101.515  TWIC/Personal Identification.

* * * * *
    (d)* * *
    (2) Each person who has been issued or possesses a TWIC must pass 
an electronic TWIC inspection, and must submit his or her reference 
biometric, such as a fingerprint, and any other required information, 
such as a Personal Identification Number, upon a request from TSA, the 
Coast Guard, any other authorized DHS representative, or a Federal, 
State, or local law enforcement officer.

0
6. Add Sec.  101.520 to subpart E to read as follows:


Sec.  101.520  Electronic TWIC inspection.

    To conduct electronic TWIC inspection, the owner or operator of a 
vessel or facility must ensure the following actions are performed.
    (a) Card authentication. The TWIC must be authenticated by 
performing a challenge/response protocol using the Certificate for Card 
Authentication (CCA) and the associated card authentication private key 
stored in the TWIC.
    (b) Card validity check. The TWIC must be checked to ensure the 
TWIC has not expired and against TSA's list of cancelled TWICs, and no 
match on the list may be found.
    (c) Identity verification. (1) One of the biometric templates 
stored in the TWIC must be matched to the TWIC-holder's

[[Page 57709]]

live sample biometric or, by matching to the PACS enrolled reference 
biometrics linked to the FASC-N of the TWIC; or
    (2) If an individual is unable to provide a valid live sample 
biometric, the TWIC-holder must enter a Personal Identification Number 
(PIN) and pass a visual TWIC inspection.

0
7. Add Sec.  101.525 to subpart E to read as follows:


Sec.  101.525  TSA list of cancelled TWICs.

    (a) At Maritime Security (MARSEC) Level 1, the card validity check 
must be conducted using information from the TSA that is no more than 7 
days old.
    (b) At MARSEC Level 2, the card validity check must be conducted 
using information from the TSA that is no more than 1 day old.
    (c) At MARSEC Level 3, the card validity check must be conducted 
using information from the TSA that is no more than 1 day old.
    (d) The list of cancelled TWICs used to conduct the card validity 
check must be updated within 12 hours of any increase in MARSEC level, 
no matter when the information was last updated.
    (e) Only the most recently obtained list of cancelled TWICs must be 
used to conduct card validity checks.

0
8. Add Sec.  101.530 to subpart E to read as follows:


Sec.  101.530  PACS requirements for Risk Group A.

    This section lays out requirements for a Physical Access Control 
System (PACS) that may be used to meet electronic TWIC inspection 
requirements.
    (a) A PACS may use a TWIC directly to perform electronic TWIC 
inspection;
    (b) Each PACS card issued to an individual must be linked to that 
individual's TWIC, and the PACS must contain the following information 
from each linked TWIC:
    (1) The name of the TWIC-holder holder as represented in the 
Printed Information container of the TWIC.
    (2) The TWIC-signed CHUID (with digital signature and expiration 
date).
    (3) The TWIC resident biometric template.
    (4) The TWIC digital facial image.
    (5) The PACS Personal Identification Number (PIN).
    (c) When first linked, a one-time electronic TWIC inspection must 
be performed, and the TWIC must be verified as authentic, valid, and 
biometrically matched to the individual presenting the TWIC.
    (d) Each time the PACS card is used to gain access to a secure 
area, the PACS must--
    (1) Conduct identity verification by:
    (i) Conducting a biometric scan, and match the result with the 
biometric template stored in the PACS that is linked to the TWIC, or
    (ii) Having the individual enter a stored PACS PIN and conducting a 
Non-TWIC visual identity verification as defined in Sec.  101.105.
    (2) Conduct a card validity check; and
    (3) Maintain records in accordance with Sec. Sec.  104.235(g) or 
105.225(g) of this subchapter, as appropriate.

0
9. Add Sec.  101.535 to subpart E to read as follows:


Sec.  101.535  Electronic TWIC inspection requirements for Risk Group 
A.

    Owners or operators of vessels or facilities subject to part 104 or 
105 of this subchapter, that are assigned to Risk Group A in Sec. Sec.  
104.263 or 105.253 of this subchapter, must ensure that a 
Transportation Worker Identification Credential (TWIC) Program is 
implemented as follows:
    (a) Requirements for Risk Group A vessels. Prior to each boarding 
of the vessel, all persons who require access to a secure area of the 
vessel must pass an electronic TWIC inspection before being granted 
unescorted access to the vessel.
    (b) Requirements for Risk Group A facilities. Prior to each entry 
into a secure area of the facility, all persons must pass an electronic 
TWIC inspection before being granted unescorted access to secure areas 
of the facility.
    (c) A Physical Access Control System that meets the requirements of 
Sec.  101.530 may be used to meet the requirements of this section.
    (d) The requirements of this section do not apply under certain 
situations described in Sec. Sec.  101.550 or 101.555.
    (e) Emergency access to secure areas, including access by law 
enforcement and emergency responders, does not require electronic TWIC 
inspection.

0
10. Add Sec.  101.540 to subpart E to read as follows:


Sec.  101.540  Electronic TWIC inspection requirements for vessels, 
facilities, and OCS facilities not in Risk Group A.

    A vessel or facility not in Risk Group A may use the electronic 
TWIC inspection requirements of Sec.  101.535 in lieu of visual TWIC 
inspection. If electronic TWIC inspection is used, the recordkeeping 
requirements of Sec. Sec.  104.235(b)(9) and (c) of this subchapter, or 
105.225(b)(9) and (c) of this subchapter, as appropriate, apply.


Sec.  101.545  [Added and Reserved]

0
 11. Add reserved Sec.  101.545 to subpart E.

0
 12. Add Sec.  101.550 to subpart E to read as follows:


Sec.  101.550  TWIC inspection requirements in special circumstances.

    Owners or operators of any vessel, facility, or Outer Continental 
Shelf (OCS) facility subject to part 104, 105, or 106 of this 
subchapter must ensure that a Transportation Worker Identification 
Credential (TWIC) Program is implemented as follows:
    (a) Lost, damaged, stolen, or expired TWIC. If an individual cannot 
present a TWIC because it has been lost, damaged, stolen, or expired, 
and the individual previously has been granted unescorted access to 
secure areas and is known to have had a TWIC, the individual may be 
granted unescorted access to secure areas for a period of no longer 
than 30 consecutive calendar days if--
    (1) The individual provides proof that he or she has reported the 
TWIC as lost, damaged, or stolen to the Transportation Security 
Administration (TSA) as required in 49 CFR 1572.19(f), or the 
individual provides proof that he or she has applied for the renewal of 
an expired TWIC;
    (2) The individual can present another identification credential 
that meets the requirements of Sec.  101.515; and
    (3) There are no other suspicious circumstances associated with the 
individual's claim that the TWIC was lost, damaged, or stolen.
    (b) TWIC on the Canceled Card List. In the event an individual 
reports his or her TWIC as lost, damaged, or stolen, and that TWIC is 
then placed on the Canceled Card List, the individual may be granted 
unescorted access by a Physical Access Control System (PACS) that meets 
the requirements of Sec.  101.530 for a period of no longer than 30 
days. The individual must be known to have had a TWIC, and known to 
have reported the TWIC as lost, damaged, or stolen to TSA.
    (c) Special requirements for Risk Group A vessels and facilities. 
If a TWIC reader or a PACS cannot read an individual's biometric 
templates due to poor biometric quality or no biometrics enrolled, the 
owner or operator may grant the individual unescorted access to secure 
areas based on either of the following secondary authentication 
procedures:
    (1) The owner or operator must conduct a visual TWIC inspection and 
require the individual to correctly submit his or her TWIC Personal 
Identification Number.
    (2) [Reserved]
    (d) If an individual cannot present a TWIC for any reason other 
than those

[[Page 57710]]

outlined in paragraphs (a) or (b) of this section, the vessel or 
facility operator may not grant the individual unescorted access to 
secure areas. The individual must be under escort at all times while in 
the secure area.
    (e) With the exception of individuals granted access according to 
paragraphs (a) or (b) of this section, all individuals granted 
unescorted access to secure areas of a vessel, facility, or OCS 
facility must be able to produce their TWICs upon request from the TSA, 
the Coast Guard, another authorized Department of Homeland Security 
representative, or a Federal, State, or local law enforcement officer.
    (f) There must be disciplinary measures in place to prevent fraud 
and abuse.
    (g) Owners or operators must establish the frequency of the 
application of any security measures for access control in their 
approved security plans, particularly if these security measures are 
applied on a random or occasional basis.
    (h) The vessel, facility, or OCS facility operator should 
coordinate the TWIC Program, when practical, with identification and 
TWIC access control measures of other entities that interface with the 
vessel, facility, or OCS facility.

0
13. Add Sec.  101.555 to subpart E to read as follows:


Sec.  101.555  Recurring Unescorted Access for Risk Group A vessels and 
facilities.

    This section describes how designated TWIC-holders may access 
certain secure areas on Risk Group A vessels and facilities on a 
continual and repeated basis without undergoing repeated electronic 
TWIC inspections.
    (a) An individual may enter a secure area on a vessel or facility 
without undergoing an electronic TWIC inspection under the following 
conditions:
    (1) Access is through a Designated Recurring Access Area (DRAA), 
designated under an approved Vessel, Facility, or Joint Vessel-Facility 
Security Plan.
    (2) The entire DRAA is continuously monitored by security personnel 
at the access points to secure areas used by personnel seeking 
Recurring Unescorted Access.
    (3) The individual possesses a valid TWIC.
    (4) The individual has passed an electronic TWIC inspection within 
each shift and in the presence of the on-scene security personnel.
    (5) The individual passes an additional electronic TWIC inspection 
prior to being granted unescorted access to a secure area if he or she 
enters an unsecured area outside the DRAA and then returns.
    (b) The following requirements apply to a DRAA:
    (1) It must consist of an unsecured area where personnel will be 
moving into an adjacent secure area repeatedly.
    (2) The entire DRAA must be visible to security personnel.
    (3) During operation as a DRAA, there must be security personnel 
present at all times.
    (c) An area may operate as a DRAA at certain times, and during 
other times, access to secure areas may be obtained through the 
procedures in Sec.  101.535.
    (d) Personnel may enter the secure areas adjacent to a DRAA at any 
time using the procedures in Sec.  101.535.

PART 103--MARITIME SECURITY: AREA MARITIME SECURITY

0
 14. The authority citation for part 103 continues to read as follows:

    Authority:  33 U.S.C. 1226, 1231; 46 U.S.C. 70102, 70103, 70104, 
70112; 50 U.S.C. 191; 33 CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; 
Department of Homeland Security Delegation No. 0170.1.


Sec.  103.505  [Amended]

0
15. Amend Sec.  103.505(f) by removing the words ``(e.g., TWIC)''.

PART 104--MARITIME SECURITY: VESSELS

0
 16. The authority citation for part 104 continues to read as follows:

    Authority:  33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 
U.S.C. 191; 33 CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department 
of Homeland Security Delegation No. 0170.1.


Sec.  104.105  [Amended]

0
17. Amend Sec.  104.105(d) by removing the words ``this part'' and 
adding, in their place, the words ``parts 101 and 104 of this 
subchapter''.

0
18. Add Sec.  104.110(c) to read as follows:


Sec.  104.110  Exemptions.

* * * * *
    (c) Vessels with a minimum manning requirement of 20 or fewer TWIC-
holding crewmembers are exempt from the requirements in 33 CFR 
101.535(a)(1).

0
 19. Amend Sec.  104.115 as follows:
0
a. Revise paragraph (c); and
0
b. Remove paragraph (d).
    The revision reads as follows:


Sec.  104.115  Compliance.

* * * * *
    (c) By August 23, 2018, owners and operators of vessels subject to 
this part must amend their Vessel Security Plans to indicate how they 
will implement the TWIC requirements in this subchapter. By August 23, 
2018, owners and operators of vessels subject to this part must operate 
in accordance with the TWIC provisions found within this subchapter.


Sec.  104.120  [Amended]

0
20. Amend Sec.  104.120(a) introductory text by removing the words ``, 
on or before July 1, 2004,''.


Sec.  104.200  [Amended]

0
21. Amend Sec.  104.200 as follows:
0
a. In paragraph (b)(12) introductory text, remove the word ``part'' and 
add, in its place, the word ``subchapter''; and
0
 b. In paragraph (b)(14), remove the words ``Sec.  104.265(c) of this 
part'' and add, in their place, the words ``Sec.  101.550(a) of this 
subchapter''.


Sec.  104.215  [Amended]

0
22. Amend Sec.  104.215 as follows:
0
 a. In paragraph (b)(5), remove the second use of the word ``and'';
0
b. In paragraph (b)(6), remove the symbol ``.'' and add, in its place, 
the word ``; and''; and
0
 c. In paragraph (b)(7), after the word ``TWIC'', add the symbol ``.''.

0
23. Amend Sec.  104.235 as follows:
0
 a. In paragraph (b)(7), remove the second use of the word ``and'';
0
b. In paragraph (b)(8), remove the symbol ``.'' and add, in its place, 
the word ``; and'';
0
c. Add paragraph (b)(9); and
0
d. Revise paragraph (c).
    The addition and revision read as follows:


Sec.  104.235  Vessel recordkeeping requirements.

* * * * *
    (b) * * *
    (9) Electronic Reader/Physical Access Control System (PACS). For 
each individual granted unescorted access to a secure area, the: FASC-
N; date and time that unescorted access was granted; and, if captured, 
the individual's name. Additionally, documentation to demonstrate that 
the owner or operator has updated the Canceled Card List with the 
frequency required in Sec.  101.525 of this subchapter.
    (c) Any records required by this part must be protected from 
unauthorized access or disclosure. TWIC reader records and similar 
records in a PACS are sensitive security information and must be 
protected in accordance with 49 CFR part 1520.


Sec.  104.260  [Amended]

0
24. Amend Sec.  104.260(b) by removing the word ``shall'' wherever it 
appears

[[Page 57711]]

and adding in its place the word ``must''.

0
 25. Add Sec.  104.263 to read as follows:


Sec.  104.263  Risk Group classifications for vessels.

    (a) For purposes of the Transportation Worker Identification 
Credential requirements of this subchapter, the following vessels 
subject to this part are in Risk Group A:
    (1) Vessels that carry Certain Dangerous Cargoes in bulk.
    (2) Vessels certificated to carry more than 1,000 passengers.
    (3) Any vessel engaged in towing a vessel subject to paragraph 
(a)(1) or (a)(2) of this section.
    (b) Vessels may move from one Risk Group classification to another, 
based on the cargo they are carrying or handling at any given time. An 
owner or operator expecting a vessel to move between Risk Groups must 
explain, in the Vessel Security Plan, the timing of such movements, as 
well as how the vessel will move between the requirements of the higher 
and lower Risk Groups, with particular attention to the security 
measures to be taken moving from a lower Risk Group to a higher Risk 
Group.

0
26. Amend Sec.  104.265 as follows:
0
a. Revise paragraph (a)(4);
0
b. Remove paragraphs (c) and (d);
0
 c. Redesignate paragraphs (e) through (h) as (c) through (f), 
respectively;
0
 d. Revise newly redesignated paragraph (d)(1);
0
e. In newly redesignated paragraph (e)(6), remove the word ``and'';
0
f. In newly redesignated paragraph (e)(7), remove the symbol ``.'' and 
add, in its place, the word ``; or'';
0
g. Add paragraph (e)(8);
0
 h. In newly redesignated paragraph (f)(9), remove the word ``or'';
0
i. In newly redesignated paragraph (f)(10), remove the symbol ``.'' and 
add, in its place, the word ``; or''; and
0
j. Add paragraph (f)(11).
    The revisions and additions read as follows:


Sec.  104.265  Security measures for access control.

    (a) * * *
    (4) Prevent an unescorted individual from entering an area of the 
vessel that is designated as a secure area unless the individual holds 
a duly issued TWIC and is authorized to be in the area. Individuals 
seeking unescorted access to a secure area on a vessel in Risk Group A 
must pass electronic TWIC inspection and those seeking unescorted 
access to a secure area on a vessel not in Risk Group A must pass 
either electronic TWIC inspection or visual TWIC inspection.
* * * * *
    (d) * * *
    (1) Implement a TWIC Program as set out in subpart E of part 101 of 
this subchapter, as applicable, and in accordance with the vessel's 
assigned Risk Group, as set out in Sec.  104.263;
* * * * *
    (e) * * *
    (8) Implementing additional electronic TWIC inspection 
requirements, as required by Sec.  104.263, and by subpart E of part 
101 of this subchapter, if relevant.
* * * * *
    (f) * * *
    (11) Implementing additional electronic TWIC inspection 
requirements, as required by Sec.  104.263, and by subchapter E of part 
101 of this subchapter, if relevant.


Sec.  104.267  [Amended]

0
27. Amend Sec.  104.267(a) by removing the last sentence.


Sec.  104.292  [Amended]

0
28. Amend Sec.  104.292 as follows:
0
a. In paragraph (b) introductory text, remove the words ``Sec.  
104.265(f)(2), (f)(4), and (f)(9)'' and add, in their place, the words 
``Sec.  104.265(d)(2), (d)(4), and (d)(9)'', and remove the symbol 
``:'' and add, in its place, the symbol ``--'';
0
b. In paragraph (e)(3), remove the words ``Sec.  104.265(f)(4) and 
(g)(1)'' and add, in their place, the words ``Sec.  104.265(d)(4) and 
(e)(1)''; and
0
c. In paragraph (f), remove the words ``Sec.  104.265(f)(4) and 
(h)(1)'', and add, in their place, the words ``Sec.  104.265(d)(4) and 
(f)(1)''.

0
29. Amend Sec.  104.405 as follows:
0
a. Revise paragraph (a)(10); and
0
b. In paragraph (b), remove the last sentence.
    The revision reads as follows:


Sec.  104.405  Format of the Vessel Security Plan (VSP).

    (a) * * *
    (10) Security measures for access control, including the vessel's 
TWIC Program, designated passenger access areas and employee access 
areas;
* * * * *


Sec.  104.410  [Amended]

0
30. Amend Sec.  104.410 as follows:
0
a. In paragraph (a) introductory text, remove the words ``on or before 
December 31, 2003,'', and remove the symbol ``:'' and add, in its 
place, the symbol ``--'';
0
b. In paragraph (b), remove the words ``or by December 31, 2003, 
whichever is later''; and
0
c. In paragraph (c) introductory text, remove the symbol ``:'' and add, 
in its place, the symbol ``--''.

PART 105--MARITIME SECURITY: FACILITIES

0
31. The authority citation for part 105 continues to read as follows:

    Authority:  33 U.S.C. 1226, 1231; 46 U.S.C. 70103; 50 U.S.C. 
191; 33 CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department of 
Homeland Security Delegation No. 0170.1.

0
32. Revise Sec.  105.110 to read as follows:


Sec.  105.110  Exemptions.

    (a) A public access area designated under Sec.  105.106 is exempt 
from the requirements for screening of persons, baggage, and personal 
effects and identification of persons in subpart E of part 101 of this 
subchapter, as applicable, in Sec. Sec.  105.255 and Sec.  
105.285(a)(1).
    (b) An owner or operator of any general shipyard facility as 
defined in Sec.  101.105 of this subchapter is exempt from the 
requirements of this part unless the facility--
    (1) Is subject to parts 126, 127, or 154 of this chapter; or
    (2) Provides any other service to vessels subject to part 104 of 
this subchapter not related to construction, repair, rehabilitation, 
refurbishment, or rebuilding.
    (c) Public access facility. (1) The COTP may exempt a public access 
facility from the requirements of this part, including establishing 
conditions for which such an exemption is granted, to ensure that 
adequate security is maintained.
    (2) The owner or operator of any public access facility exempted 
under this section must--
    (i) Comply with any COTP conditions for the exemption; and
    (ii) Ensure that the cognizant COTP has the appropriate information 
for contacting the individual with security responsibilities for the 
public access facility at all times.
    (3) The cognizant COTP may withdraw the exemption for a public 
access facility at any time the owner or operator fails to comply with 
any requirement of the COTP as a condition of the exemption or any 
measure ordered by the COTP pursuant to existing COTP authority.
    (d) An owner or operator of a facility is not subject to this part 
if the facility receives only vessels to be laid-up, dismantled, or 
otherwise placed out of commission provided that the vessels are not 
carrying and do not receive cargo or passengers at that facility.

[[Page 57712]]

    (e) Barge fleeting facilities without shore side access are exempt 
from the requirements in 33 CFR 101.535(b)(1).

0
33. Revise Sec.  105.115 to read as follows:


Sec.  105.115  Compliance dates.

    (a) Facility owners or operators must submit to the cognizant 
Captain of the Port (COTP) for each facility--
    (1) The Facility Security Plan (FSP) described in subpart D of this 
part for review and approval; or
    (2) If intending to operate under an approved Alternative Security 
Program, a letter signed by the facility owner or operator stating 
which approved Alternative Security Program the owner or operator 
intends to use.
    (b) Facility owners or operators wishing to designate only those 
portions of their facility that are directly connected to maritime 
transportation or are at risk of being involved in a transportation 
security incident as their secure area(s) must do so by submitting an 
amendment to their FSP to their cognizant COTP, in accordance with 
Sec.  105.415.
    (c) By August 23, 2018, owners and operators of facilities subject 
to this part must amend their FSPs to indicate how they will implement 
the TWIC requirements in this subchapter. By August 23, 2018, owners 
and operators of facilities subject to this part must be operating in 
accordance with the TWIC provisions found within this subchapter.


Sec.  105.120  [Amended]

0
34. Amend the introductory text of Sec.  105.120 by removing the words 
``, on or before July 1, 2004,''.


Sec.  105.200  [Amended]

0
35. Amend Sec.  105.200 as follows:
0
a. In paragraph (b) introductory text, remove the symbol ``:'' and add, 
in its place, the symbol ``--'';
0
b. In paragraph (b)(6), remove the word ``program'' and add, in its 
place, the word ``Program'', and remove the word ``part'' and add, in 
its place, the word ``subchapter'', and remove the symbol ``:'' and 
add, in its place, the symbol ``--'';
0
c. In paragraph (b)(15), remove the words ``section 105.255(c) of this 
part'' and add, in their place, the words ``Sec.  101.550 of this 
subchapter''; and
0
d. In paragraph (b)(16), remove the words ``of this part''.

0
36. Amend Sec.  105.225 as follows:
0
a. In paragraph (b)(7), remove the second use of the word ``and'';
0
b. In paragraph (b)(8), remove the symbol ``.'' and add, in its place, 
the word ``; and'';
0
c. Add paragraph (b)(9); and
0
d. Revise paragraph (c).
    The addition and revision read as follows:


Sec.  105.225  Facility recordkeeping requirements.

* * * * *
    (b) * * *
    (9) TWIC Reader/Physical Access Control System (PACS). For each 
individual granted unescorted access to a secure area, the: FASC-N; 
date and time that unescorted access was granted; and, if captured, the 
individual's name. Additionally, documentation to demonstrate that the 
owner or operator has updated the Canceled Card List with the frequency 
required in Sec.  101.525 of this subchapter.
    (c) Any record required by this part must be protected from 
unauthorized access or disclosure. Electronic reader records and 
similar records in a PACS are sensitive security information and must 
be protected in accordance with 49 CFR part 1520.

0
37. Add Sec.  105.253 to read as follows:


Sec.  105.253  Risk Group classifications for facilities.

    (a) For purposes of the Transportation Worker Identification 
Credential (TWIC) requirements of this subchapter, the following 
facilities subject to this part are in Risk Group A:
    (1) Facilities that handle Certain Dangerous Cargoes (CDC) in bulk 
or receive vessels carrying CDC in bulk.
    (2) Facilities that receive vessels certificated to carry more than 
1,000 passengers.
    (b) Facilities may move from one Risk Group classification to 
another, based on the material they handle or the types of vessels they 
receive at any given time. An owner or operator of a facility expected 
to move between Risk Groups must explain, in the Facility Security 
Plan, the timing of such movements, as well as how the facility will 
move between the requirements of the higher and lower Risk Groups, with 
particular attention to the security measures to be taken when moving 
from a lower Risk Group to a higher Risk Group.

0
38. Amend Sec.  105.255 as follows:
0
a. Revise paragraph (a)(4);
0
b. Remove paragraphs (c) and (d);
0
c. Redesignate paragraphs (e) through (h) as (c) through (f), 
respectively;
0
d. Revise newly redesignated paragraph (d)(1);
0
e. In newly redesignated paragraph (d)(4) introductory text, remove the 
word ``shall'' and add, in its place, the word ``must'';
0
f. In newly redesignated paragraph (d)(4)(vi), remove the words 
``paragraph (d) of this section'' and add, in their place, the words 
``subpart E of part 101 of this subchapter'';
0
g. In newly redesignated paragraph (e)(6), remove the word ``or'';
0
h. In newly redesignated paragraph (e)(7), remove the symbol ``.'' and 
add, in its place, the word ``; or'';
0
i. Add paragraph (e)(8);
0
j. In newly redesignated paragraph (f)(8), remove the word ``or'';
0
k. In newly redesignated paragraph (f)(9), remove the symbol ``.'' and 
add, in its place, the word ``; or''; and
0
l. Add paragraph (f)(10).
    The revisions and additions read as follows:


Sec.  105.255  Security measures for access control.

    (a) * * *
    (4) Prevent an unescorted individual from entering an area of the 
facility that is designated as a secure area unless the individual 
holds a duly issued TWIC and is authorized to be in the area. 
Individuals seeking unescorted access to a secure area in a facility in 
Risk Group A must pass electronic TWIC inspection and those seeking 
unescorted access to a secure area in a facility not in Risk Group A 
must pass either electronic TWIC inspection or visual TWIC inspection.
* * * * *
    (d) * * *
    (1) Implement a TWIC Program as set out in subpart E of part 101 of 
this subchapter, as applicable, and in accordance with the facility's 
assigned Risk Group, as set out in Sec.  105.253.
* * * * *
    (e) * * *
    (8) Implementing additional electronic TWIC inspection 
requirements, as required by Sec.  105.253, and by subpart E of part 
101 of this subchapter, if relevant.
* * * * *
    (f) * * *
    (10) Implementing additional electronic TWIC inspection 
requirements, as required by Sec.  105.253, and by subchapter E of part 
101 of this subchapter, if relevant.


Sec.  105.257  [Amended]

0
39. Amend Sec.  105.257(a) by removing the last sentence.


Sec.  105.290  [Amended]

0
40. Amend Sec.  105.290(b) by removing the word ``shall'' and adding, 
in its place, the word ``must'', and by removing the words ``this 
part'' and adding, in their place, the words ``subpart E of part 101 of 
this subchapter''.

[[Page 57713]]

Sec.  105.296  [Amended]

0
41. Amend Sec.  105.296(a)(4) by removing the words ``Sec.  105.255 of 
this part'' and adding, in their place, the words ``subpart E of part 
101 of this subchapter, as applicable, and in accordance with the 
facility's assigned Risk Group, as described in Sec.  105.253''.

0
 42. Amend Sec.  105.405 as follows:
0
 a. Revise paragraph (a)(10); and
0
 b. In paragraph (b), remove the last sentence.
    The revision reads as follows:


Sec.  105.405  Format and content of the Facility Security Plan (FSP).

    (a) * * *
    (10) Security measures for access control, including the facility's 
TWIC Program and designated public access areas;
* * * * *


Sec.  105.410  [Amended]

0
43. Amend Sec.  105.410 as follows:
0
a. In paragraph (a) introductory text, remove the words ``On or before 
December 31, 2003, the'' and add, in their place, the word ``The''; and
0
b. In paragraph (b), remove the words ``or by December 31, 2003, 
whichever is later''.

PART 106--MARINE SECURITY: OUTER CONTINENTAL SHELF (OCS) FACILITIES

0
44. The authority citation for part 106 continues to read as follows:

    Authority: 33 U.S.C. 1226, 1231; 46 U.S.C. Chapter 701; 50 
U.S.C. 191; 33 CFR 1.05-1, 6.04-11, 6.14, 6.16, and 6.19; Department 
Of Homeland Security Delegation No. 0170.1.

0
45. Revise Sec.  106.110 to read as follows:


Sec.  106.110  Compliance dates.

    (a) OCS facility owners or operators must submit to the cognizant 
District Commander for each OCS facility--
    (1) The Facility Security Plan described in subpart D of this part 
for review and approval; or
    (2) If intending to operate under an approved Alternative Security 
Program, a letter signed by the OCS facility owner or operator stating 
which approved Alternative Security Program the owner or operator 
intends to use.
    (b) OCS facilities built on or after July 1, 2004 must submit a 
Facility Security Plan for approval 60 days prior to beginning 
operations.


Sec.  106.115  [Amended]

0
46. Amend the introductory text of Sec.  106.115 by removing the words 
``before July 1, 2004,''.


Sec.  106.200  [Amended]

0
47. Amend Sec.  106.200 as follows:
0
a. In paragraph (b)(6) introductory text, remove the word ``program'' 
and add, in its place, the word ``Program'', and remove the word 
``part'' and add, in its place, the word ``subchapter'';
0
b. In paragraph (b)(8), remove the word ``Level'' wherever it appears 
and add, in each place, the word ``level'';
0
 c. In paragraph (b)(9), after the word ``with'', add the words ``the 
requirements in''; and
0
d. In paragraph (b)(12), remove the words ``Sec.  106.260(c) of this 
part'' and add, in their place, the words ``Sec.  101.550 of this 
subchapter''.

0
48. Add Sec.  106.258 to read as follows:


Sec.  106.258  Risk Group classification for OCS facilities.

    For the purposes of this subchapter, no OCS facilities are 
considered Risk Group A.

0
 49. Amend Sec.  106.260 as follows:
0
a. Remove paragraphs (c) and (d);
0
b. Redesignate paragraphs (e) through (h) as (c) through (f), 
respectively;
0
c. Revise newly redesignated paragraph (d)(1);
0
 d. In newly redesignated paragraph (e)(3), remove the word ``or'';
0
e. In newly redesignated paragraph (e)(4), remove the symbol ``.'' and 
add, in its place, the word ``; or'';
0
 f. Add paragraph (e)(5);
0
 g. In newly redesignated paragraph (f)(7), remove the word ``or'';
0
 h. In newly redesignated paragraph (f)(8), remove the symbol ``.'' and 
add, in its place, the word ``; or''; and
0
 i. Add paragraph (f)(9).
    The revisions and additions read as follows:


Sec.  106.260  Security measures for access control.

* * * * *
    (d) * * *
    (1) Implement TWIC as set out in subpart E of part 101 of this 
subchapter and in accordance with the OCS facility's assigned Risk 
Group, as set out in Sec.  106.258.
* * * * *
    (e) * * *
    (5) Implementing additional electronic TWIC inspection 
requirements, as required by Sec.  106.258, and by subpart E of part 
101 of this subchapter.
    (f) * * *
    (9) Implementing additional electronic TWIC inspection 
requirements, as required by Sec.  106.258, and by subpart E of part 
101 of this subchapter.


Sec.  106.262  [Amended]

0
50. Amend Sec.  106.262(a) by removing the last sentence.
0
 51. Amend Sec.  106.405 as follows:

0
a. Revise paragraph (a)(10); and
0
b. In paragraph (b), remove the last sentence.
    The revision reads as follows:


Sec.  106.405  Format and content of the Facility Security Plan (FSP).

    (a) * * *
    (10) Security measures for access control, including the OCS 
facility's TWIC Program;
* * * * *


Sec.  106.410  [Amended]

0
52. Amend Sec.  106.410 as follows:
0
a. In paragraph (a) introductory text, remove the words ``On or before 
December 31, 2003, the'' and add, in their place, the word ``The'' and 
remove the symbol ``:'' and add, in its place, the symbol ``--''; and
0
 b. In paragraph (b), remove the words ``or by December 31, 2003, 
whichever is later''.

    Dated: August 8, 2016.
 Paul F. Zukunft,
Admiral, Commandant, U.S. Coast Guard.
[FR Doc. 2016-19383 Filed 8-22-16; 8:45 am]
 BILLING CODE 9110-04-P