The U.S. Coast Guard is determining how many facilities handle certain dangerous cargoes and whether, according to a risk analysis, requiring those facilities to biometrically verify the Transportation Worker Identification Credential of every person accessing a secure area of such a facility would be cost-effective. This report answers those questions.

Risk-Informed Analysis of Transportation Worker Identification Credential Reader Requirements

Joseph C. Chang, James V. Marrone, David Metz, Sean Colbert-Kelly, Matthew A. DeNardo, Keith Gierlack, Chelsea Kolb, Ryan Bauer, Devon Hill, Kristin J. Leuschner

ResearchPublished Nov 10, 2022

A 2016 U.S. Coast Guard (USCG) regulation, "Transportation Worker Identification Credential (TWIC)–Reader Requirements," requires certain maritime facilities determined to be of high risk to use electronic and biometric access control programs in the facilities' secure areas. The final version of this rule, known as the final reader rule, has been delayed (from 2020) until May 8, 2023, for three categories of facilities that handle certain dangerous cargoes (CDCs) in bulk. The USCG asked the Homeland Security Operational Analysis Center to reestimate the population of such regulated facilities that could be subject to the final reader rule delay, develop an objective risk assessment model for these facilities, and conduct a cost–benefit analysis of the regulation.

This report describes the researchers' analytical efforts to address these three research areas. Because there is no database of Maritime Transportation Security Act–regulated facilities that has all the requisite information about CDCs that facilities handle in bulk, the researchers resorted to other data sources, such as the U.S. Environmental Protection Agency's databases, an online survey, and interviews, to estimate the facility population. For the facility risk model, they used the modeling approach for assessing potential consequence included in the risk engine of the Cybersecurity and Infrastructure Security Agency's Chemical Facility Anti-Terrorism Standards (CFATS) program, harmonizing the TWIC and CFATS programs in consequence assessment. Because there was no credible estimate for the probability of a transportation security incident, the researchers used a break-even analysis to assess whether the final reader rule is cost-effective.

Key Findings

  • Between 471 and 711 Maritime Transportation Security Act–regulated facilities handle CDCs in bulk and are therefore likely to be subject to the reader rule delay.
  • Among the facilities observed to handle CDCs, anhydrous ammonia was the most common CDC, although many facilities handle more than one type of CDC.
  • The consequence distribution of facilities that handle CDCs in bulk was highly skewed (i.e., many facilities with relatively low consequences and few facilities with extremely high consequences).
  • Observable facility attributes, such as CDC quantity and local population density, can be used to generally identify high-consequence facilities.
  • The TWIC reader rule would have to avert a transportation security incident (TSI) approximately every 60 to 90 years, at a minimum, to be cost-effective.
  • Although the final reader rule is potentially cost-effective even in its current form, reasons exist to consider a more-targeted approach that excludes low-quantity or low–population density facilities, or both. Under hypothetical regulatory options, a more-targeted approach affecting only higher-consequence facilities would need to avert only one TSI approximately every 200 to 600 years to be cost-effective.
  • The decision to use a wide net or a more-targeted approach could depend largely on policymakers' preferences and relative risk tolerance considering trade-offs among several competing factors.

Recommendations

  • Once the final reader rule is implemented, perform ongoing monitoring and enforcement to remain current as facilities open or close.
  • Develop a centralized reporting system that records, at a minimum, the types and amounts of CDCs being handled at each MTSA-regulated facility.
  • Build data infrastructure to implement and maintain the CDC reporting system.
  • Institutionalize an objective, transparent risk assessment approach (e.g., CFATS risk engine). Taxonomy Terms

Topics

Document Details

Citation

Chicago Manual of Style

Chang, Joseph C., James V. Marrone, David Metz, Sean Colbert-Kelly, Matthew A. DeNardo, Keith Gierlack, Chelsea Kolb, Ryan Bauer, Devon Hill, and Kristin J. Leuschner, Risk-Informed Analysis of Transportation Worker Identification Credential Reader Requirements. Homeland Security Operational Analysis Center operated by the RAND Corporation, 2022. https://www.rand.org/pubs/research_reports/RRA1687-1.html.
BibTeX RIS

Research conducted by

This research was sponsored by the USCG Office of Standards Evaluation and Development and conducted within the Strategy, Policy and Operations Program of the Homeland Security Operational Analysis Center (HSOAC).

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.