and secure network connections). The number of credentials developed since 2002 is, to some extent, the result of the flurry of legislation resulting from the terrorist attacks of September 11, 2001. Security credentials became the regulatory method of effecting access control.

Credential Categorization

Credentials were then categorized based on their primary purpose of security (i.e., confirms that a person does not pose a security threat, establishes that a person possesses lawful status in the United States, and verifies identity) or safety (i.e., verifies a person's "skill" qualifications). Figure 3-2 illustrates this segregation of the credentials into the categories of security or safety. Of these credentials, 13 were designed primarily to function as a security authentication for the credential-holder, 4 were designed primarily to certify the skill qualifications of the credential-holder (i.e., the MML, STCW, Pilot's License, and Engineer's License), and 2 function as both a means of security and safety (i.e., the CDL-HME and MMC). The HazMat endorsement for the CDL requires a threat assessment (14), thus vetting the credential-holder from a security perspective. The MMC is a consolidation of the MMD, MML, and STCW.(12) It requires both a demonstration of the abilities of the credential-holder (MML and STCW) and a determination of the perceived security risk (MMD) of the credential-holder.

This research effort was tasked with evaluating security credentials for persons who transport hazardous materials. As such, those credentials without a primary purpose of vetting the credential-holder and communicating the information necessary to determine the credential-holder's validity were dropped from the remaining analysis efforts. These safety credentials were simply outside the scope of this project.

Figure 3-2. Credential categorization.

Requirements-to-Obtain Elements

During the application process, the issuing agencies require those seeking to obtain a security credential to submit various types of information (e.g., name, address, Social Security Number). These requirements to obtain were gathered through the individual applications and organized into several matrices to illustrate overlap or uniqueness among the various security credentials. These matrices were grouped by transportation mode to aid in identifying common requirements. Due to the number of identified requirements to obtain, the results were split into two matrices. Table 3-2 illustrates all requirements to obtain that apply to more than one credential. There are 34 singularly applicable requirements to obtain (that is, applicable to only one credential) that are tabulated in Appendix B.

There are 30 requirements to obtain that apply to more than one credential. An applicant must submit his or her full name, date of birth, citizenship information, address, and undergo a security threat assessment for all of the identified security credentials. Additionally, two of the requirements are applicable to 91% of the identified credentials: place of birth (not applicable to the CDL-HME) and fingerprinting (not applicable to the passport). In total, 16 requirements apply to the majority (>50%) of the identified credentials, including the 9 requirements previously listed: sex (82% applicable), Social Security Number (73% applicable), phone number (64% applicable), aliases (64% applicable), height (55% applicable), eye color (55% applicable), hair color (55% applicable), employer name (55% applicable), and e-mail address (55% applicable). In total, there are 64 different requirements of an applicant to obtain each of the 11 identified security credentials. Only 25% of the requirements apply to the majority (>50%) of credentials, and only 8% of the requirements are universally applicable across all 11 identified credentials.

Table 3-3 groups all background-check processes into the security threat assessment category. This was done to simplify the table for comparison purposes. However, this is an important aspect of the security credentials, especially with regard to duplication of effort and redundant costs (refer to the cost analysis section). Table 3-3 specifies the background check processes for each credential.

The fingerprint-based criminal records check refers to the background check performed by the Federal Bureau of Investigation (FBI) using the National Crime Information Center (NCIC). Regardless of the issuing agency, the FBI performs this portion of the investigation and then provides the relevant data to the issuing agency (or adjudicating organization). A name-based investigation of relevant databases includes non-fingerprint criminal history record checks (e.g., U.S. passport), and a review of the Terror Watch List (e.g., TWIC, MMC, and HME) maintained by DHS. This could also include other databases as the issuing agency may deem fit for a given circumstance. The MMD requires a drug test as part of the application