TWIC rife with security flaws: IG Skinner

The Homeland Security Department's goal of rolling out identification cards for millions of transportation workers is jeopardized by numerous computer security shortcomings in the program's prototype phase, according to a new report today from DHS Inspector General Richard Skinner.

The Transportation Workers Identification Credential program is marred by significant vulnerabilities in its ability to protect sensitive data from unauthorized access and use, according to the report.

"The security-related issues identified may threaten the confidentiality, integrity and availability of sensitive TWIC data," the report said. "Until remedied, the significant security weaknesses jeopardize the certification and accreditation of the systems prior to full implementation of the TWIC program."

The redacted report also identified a broader group of information security concerns that need to be addressed before TWIC is fully implemented. The program lacks clear definitions for assigning and distributing IT system responsibilities, procedures for periodic threat reassessments on people who are granted TWIC cards, procedures for criminal history checks and a records-retention schedule.

In response to the report, the Transportation Security Administration, which is in charge of TWIC, agreed with the findings and supported the recommendations, the report said.

The initial TWIC program is expected to cover 750,000 workers, including merchant mariners, longshoremen, port operator employees, truck drivers and rail workers, though it could eventually grow to cover up to 12 million workers. TSA has said it will collect biographic information, as well as 10 fingerprints and a photograph, for all people who need unescorted access to secure areas of port facilities and vessels regulated under the Maritime Transportation Security Act.

Following three years of prototype testing, the TWIC program was put on a fast track toward deployment earlier this year by Secretary Michael Chertoff.