Click for next page ( 50

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement

Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 49
49 CHAPTER 4 Conclusions and Suggested Research Consolidating Credentials tinuous, economically positive existence. This level of security is accomplished largely by understanding who, and what, is Hazardous materials are transported from many locations accessing the facility. Security credentials provide this necessary to many locations throughout the United States on a daily information in the following two ways: basis. These materials originate at chemical manufacturing facilities, tank farms, and other refining and manufacturing Vetting the individual credential-holder and locations. They also originate outside the United States and are Communicating pertinent information for facility access imported through border crossings and port facilities. Haz- control. ardous materials are used every day in the manufacture of products consumed within the United States. To facilitate the The security credentialing process requires two parties-- manufacture of so many products using these hazardous ma- the applicants (who become credential-holders if approved) terials (often purified raw chemicals), materials are transported and the issuing agencies. The issuing agencies are burdened by rail, highway, through marine ports, as cargo through air- with collecting and storing personal information, adjudicating ports, and--in some cases--by pipeline. It is this system of cases, and bearing the costs associated with these efforts. The infrastructure in all modes, the facilities, and the vehicles of applicants are burdened with providing personal information transport that constitute the HazMat transportation system. in the proper format and the associated costs. Hazardous materials by definition pose a potential risk to For the purposes of this research, a credential was defined health, safety, and property when transported.(46) Thus, it is as portable documentation to validate one's identity and/or prudent to maintain a certain level of security throughout the skill set. With that in mind, 19 credentials were identified as HazMat transportation system to limit or prevent negative required of persons who transport hazardous materials. Fif- outcomes from this necessary part of the overall economic teen of these are designated security credentials with the pur- structure. The HazMat transportation system can be simpli- pose of (1) ensuring someone does not pose a security threat, fied by observing its three basic parts--origin, transport, and (2) validating lawful status in the United States, and (3) verify- destination. That is, the process may have multiple points of ing identity. Many of these security credentials share common origin and multiple legs of transport; however, there is always requirements to obtain (i.e., name, date of birth, citizenship a start and finish requiring a path in between. By achieving information, address, security threat assessment, gender, Social security in all three portions of the system, the entire system Security number, phone number, aliases, height, eye color, hair can be considered secure. Although this description is very color, and employer name) and attributes (i.e., full name, date basic, the overall concept remains constant. This research of expiration, photograph, tamper-resistant features, unique focused largely on the security credentials used to gain access serial number, date of birth, citizenship, and sex). to the points of origin and/or destination (and intermediary Currently, a single transportation worker (e.g., truck driver, facilities along the transport pathway). port employee, or rail engineer) may be required to carry in The majority of the identified security credentials serve as excess of five security credentials in the course of his/her a means for securing these facilities with the ultimate goal of employment and associated duties. Each of these credentials preventing negative consequences associated with misuse of requires a specific cost, and an investment of time to acquire. hazardous materials. Additionally, security of the facilities Additionally, the issuing agencies must manage the data collec- helps to prevent disruption to their operations, ensuring con- tion and data storage associated with that single transportation

OCR for page 49
50 worker's multiple credentials. This system is the result of to strengthen security and efficiency through the use of a stan- multiple factors associated with the creation of credentials. In dardized security credential. The threats mitigated by this direc- some cases, the credentials were developed to prove the capa- tive are not significantly different from the threats facing the bilities of the credential-holder, and in other cases, the cre- HazMat transportation sector. Therefore, the very same prin- dentials were developed for the purposes of security. Each ciples and justifications outlined in the HSPD-12 are applicable credential was designed for a specific mode, facility, or a com- to the transportation sector, specifically the portion of the trans- bination of both. Some are required by the entity having portation sector that is involved with hazardous materials. authority over the facility; others are federally mandated. On HSPD-12 acknowledges the need to eliminate "variations in the the surface, the system appears to have significant redundancy quality and security of forms of identification used to gain by requiring the same personnel to maintain multiple creden- access to secure federal and other facilities where there is poten- tials. However, each credential (with the exception of the TWIC tial for terrorist attacks . . ."(47, p. 1) As a result of HSPD-12, and MMC) is specific to its purpose and was designed inde- the National Institute of Standards and Technology (NIST), by pendently of the others. This has led to a system that has nearly charge of the directive requiring the secretary of commerce to as many credentials as it does specific security needs (and in oversee the effort, developed the Federal Information Process- some cases includes the need to prove a certain skill set such as ing Standards (FIPS 201 and, subsequently, FIPS 201-1).(48) the MML, STCW, or CDL). This standard satisfies the technical requirements of HSPD-12, In addition to the many unique needs requiring different improving the identification authentication related to accessing credentials, there is the information necessary to ensure that federal facilities and information systems. security credentials are verifiable. That is, security credentials Further action was taken by NIST to develop the Personal that are all specifically focused on ensuring identity and low- Identity Verification (PIV) Program. This program includes risk histories are duplicated due to multiple issuing agencies a set of specifications that standardize the identification data and a lack of data sharing. This is evident when evaluating the types and protocols for transfer of data related to security cre- nation's marine ports, where individual ports typically man- dentialing. The PIV Interoperability (PIV-I) specifications age their own security and, thus, many developed their own allow for entities outside of the federal government to partic- security credential. ipate at the same level. The PIV (and PIV-I) Program provides The primary purpose for this research was to determine if a growth-enabled framework within which to develop long- it is feasible to consolidate security credentials and, if so, how term, multimodal, and applicable, security credentials. This this could be accomplished. This evaluation included each of allows for streamlined efficiency, data sharing, and the main- the tasks described in the research approach section of this tenance of security. Ultimately, the use of standards could allow document, and resulted in the data contained in the results for multiple security credentials that can function across plat- section of this document. The Phase I findings of the elemental forms. This could lead to an elimination of multiple creden- analysis, time and costs analysis, regulatory analysis, and SWOT tials for one person--instead, one credential could provide analysis indicated that the consolidation of several security access to multiple facilities. Serious consideration should be credentials required of persons who transport hazardous given to the adoption of PIV (or similar) specifications and materials would be feasible, including the CAC, MMD, SIDA, protocols for HazMat-specific security credentials. TWIC, and USPS. Each of the credentials to be consolidated has been designed In Phase II, four options for consolidation were considered. for a specific function by the various issuing agencies. This This effort provided insight into the minimum elements and level of specificity is based on the perceived need to tailor each background processes required of a consolidated credential in credential for the individual requirements of the issuing agen- order to remain consistent with existing security credentials. cies. The results of this research indicate that a consolidated The evaluation provided the 64 unique elements necessary for security credential can be broadly applicable if appropriately a consolidated credential to replace all candidate credentials. It designed. Additionally, as indicated in the regulatory analysis also demonstrated the similarities of the background check results, consolidation of security credentials across issuing processes for all of the candidate credentials. It will be neces- agencies presents logistical issues such as cross-agency data sary to perform a full cost-benefit analysis to fully understand storage and access. Finally, a determination must be made as the costs associated with the various consolidation options. It to whether one agency issues the consolidated credential or if also will be important to understand policy impetus as it relates multiple agencies issue a standardized security credential. to the potential consolidation of security credentials. The Phase The decision regarding whether to implement a consoli- II effort considered consolidation with regard to both existing dated credential and the form that credential should take will data and needed data. However, it is also important to consider be complex. As discussed, the implementation of a consoli- the policies and protocols of security credentials. HSPD-12 dated credential will require the input of a wide range of par- established requirements for federal departments and agencies ties including agency officials, credential-holders, business