Feasibility of a Consolidated Security Credential for Persons Who Transport Hazardous Materials (2011)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

49 Consolidating Credentials Hazardous materials are transported from many locations to many locations throughout the United States on a daily basis. These materials originate at chemical manufacturing facilities, tank farms, and other refining and manufacturing locations. They also originate outside the United States and are imported through border crossings and port facilities. Haz- ardous materials are used every day in the manufacture of products consumed within the United States. To facilitate the manufacture of so many products using these hazardous ma- terials (often purified raw chemicals), materials are transported by rail, highway, through marine ports, as cargo through air- ports, and—in some cases—by pipeline. It is this system of infrastructure in all modes, the facilities, and the vehicles of transport that constitute the HazMat transportation system. Hazardous materials by definition pose a potential risk to health, safety, and property when transported.(46) Thus, it is prudent to maintain a certain level of security throughout the HazMat transportation system to limit or prevent negative outcomes from this necessary part of the overall economic structure. The HazMat transportation system can be simpli- fied by observing its three basic parts—origin, transport, and destination. That is, the process may have multiple points of origin and multiple legs of transport; however, there is always a start and finish requiring a path in between. By achieving security in all three portions of the system, the entire system can be considered secure. Although this description is very basic, the overall concept remains constant. This research focused largely on the security credentials used to gain access to the points of origin and/or destination (and intermediary facilities along the transport pathway). The majority of the identified security credentials serve as a means for securing these facilities with the ultimate goal of preventing negative consequences associated with misuse of hazardous materials. Additionally, security of the facilities helps to prevent disruption to their operations, ensuring con- tinuous, economically positive existence. This level of security is accomplished largely by understanding who, and what, is accessing the facility. Security credentials provide this necessary information in the following two ways: • Vetting the individual credential-holder and • Communicating pertinent information for facility access control. The security credentialing process requires two parties— the applicants (who become credential-holders if approved) and the issuing agencies. The issuing agencies are burdened with collecting and storing personal information, adjudicating cases, and bearing the costs associated with these efforts. The applicants are burdened with providing personal information in the proper format and the associated costs. For the purposes of this research, a credential was defined as portable documentation to validate one’s identity and/or skill set. With that in mind, 19 credentials were identified as required of persons who transport hazardous materials. Fif- teen of these are designated security credentials with the pur- pose of (1) ensuring someone does not pose a security threat, (2) validating lawful status in the United States, and (3) verify- ing identity. Many of these security credentials share common requirements to obtain (i.e., name, date of birth, citizenship information, address, security threat assessment, gender, Social Security number, phone number, aliases, height, eye color, hair color, and employer name) and attributes (i.e., full name, date of expiration, photograph, tamper-resistant features, unique serial number, date of birth, citizenship, and sex). Currently, a single transportation worker (e.g., truck driver, port employee, or rail engineer) may be required to carry in excess of five security credentials in the course of his/her employment and associated duties. Each of these credentials requires a specific cost, and an investment of time to acquire. Additionally, the issuing agencies must manage the data collec- tion and data storage associated with that single transportation C H A P T E R 4 Conclusions and Suggested Research

worker’s multiple credentials. This system is the result of multiple factors associated with the creation of credentials. In some cases, the credentials were developed to prove the capa- bilities of the credential-holder, and in other cases, the cre- dentials were developed for the purposes of security. Each credential was designed for a specific mode, facility, or a com- bination of both. Some are required by the entity having authority over the facility; others are federally mandated. On the surface, the system appears to have significant redundancy by requiring the same personnel to maintain multiple creden- tials. However, each credential (with the exception of the TWIC and MMC) is specific to its purpose and was designed inde- pendently of the others. This has led to a system that has nearly as many credentials as it does specific security needs (and in some cases includes the need to prove a certain skill set such as the MML, STCW, or CDL). In addition to the many unique needs requiring different credentials, there is the information necessary to ensure that security credentials are verifiable. That is, security credentials that are all specifically focused on ensuring identity and low- risk histories are duplicated due to multiple issuing agencies and a lack of data sharing. This is evident when evaluating the nation’s marine ports, where individual ports typically man- age their own security and, thus, many developed their own security credential. The primary purpose for this research was to determine if it is feasible to consolidate security credentials and, if so, how this could be accomplished. This evaluation included each of the tasks described in the research approach section of this document, and resulted in the data contained in the results section of this document. The Phase I findings of the elemental analysis, time and costs analysis, regulatory analysis, and SWOT analysis indicated that the consolidation of several security credentials required of persons who transport hazardous materials would be feasible, including the CAC, MMD, SIDA, TWIC, and USPS. In Phase II, four options for consolidation were considered. This effort provided insight into the minimum elements and background processes required of a consolidated credential in order to remain consistent with existing security credentials. The evaluation provided the 64 unique elements necessary for a consolidated credential to replace all candidate credentials. It also demonstrated the similarities of the background check processes for all of the candidate credentials. It will be neces- sary to perform a full cost-benefit analysis to fully understand the costs associated with the various consolidation options. It also will be important to understand policy impetus as it relates to the potential consolidation of security credentials. The Phase II effort considered consolidation with regard to both existing data and needed data. However, it is also important to consider the policies and protocols of security credentials. HSPD-12 established requirements for federal departments and agencies to strengthen security and efficiency through the use of a stan- dardized security credential. The threats mitigated by this direc- tive are not significantly different from the threats facing the HazMat transportation sector. Therefore, the very same prin- ciples and justifications outlined in the HSPD-12 are applicable to the transportation sector, specifically the portion of the trans- portation sector that is involved with hazardous materials. HSPD-12 acknowledges the need to eliminate “variations in the quality and security of forms of identification used to gain access to secure federal and other facilities where there is poten- tial for terrorist attacks . . .”(47, p. 1) As a result of HSPD-12, the National Institute of Standards and Technology (NIST), by charge of the directive requiring the secretary of commerce to oversee the effort, developed the Federal Information Process- ing Standards (FIPS 201 and, subsequently, FIPS 201-1).(48) This standard satisfies the technical requirements of HSPD-12, improving the identification authentication related to accessing federal facilities and information systems. Further action was taken by NIST to develop the Personal Identity Verification (PIV) Program. This program includes a set of specifications that standardize the identification data types and protocols for transfer of data related to security cre- dentialing. The PIV Interoperability (PIV-I) specifications allow for entities outside of the federal government to partic- ipate at the same level. The PIV (and PIV-I) Program provides a growth-enabled framework within which to develop long- term, multimodal, and applicable, security credentials. This allows for streamlined efficiency, data sharing, and the main- tenance of security. Ultimately, the use of standards could allow for multiple security credentials that can function across plat- forms. This could lead to an elimination of multiple creden- tials for one person—instead, one credential could provide access to multiple facilities. Serious consideration should be given to the adoption of PIV (or similar) specifications and protocols for HazMat-specific security credentials. Each of the credentials to be consolidated has been designed for a specific function by the various issuing agencies. This level of specificity is based on the perceived need to tailor each credential for the individual requirements of the issuing agen- cies. The results of this research indicate that a consolidated security credential can be broadly applicable if appropriately designed. Additionally, as indicated in the regulatory analysis results, consolidation of security credentials across issuing agencies presents logistical issues such as cross-agency data storage and access. Finally, a determination must be made as to whether one agency issues the consolidated credential or if multiple agencies issue a standardized security credential. The decision regarding whether to implement a consoli- dated credential and the form that credential should take will be complex. As discussed, the implementation of a consoli- dated credential will require the input of a wide range of par- ties including agency officials, credential-holders, business 50

owners, port operators, security personnel, and others as appropriate. Because of the number of stakeholders involved, it is necessary to view potential solutions from organizational, technical, and personal perspectives. Issues within each per- spective are not mutually exclusive and may require analysis from a holistic perspective. Additionally, because of the com- plexities associated with the development of a new credential and the multi-jurisdictional nature of current credentialing systems, the authority for a new credentialing policy may need to come from a source above the agencies (i.e., executive order or legislation). Congressional and executive sources may be able to facilitate the diverse interest in a manner that will ensure the successful implementation of a consolidated security credential. Consolidating Background-Check Processes In addition to the potential consolidation of security cre- dentials for persons who transport hazardous materials, this research also evaluated the possibility of consolidating back- ground check processes. The analyses also demonstrated that several security credentials required for HazMat transport have background assessment redundancies that could be eval- uated for possible elimination; these include FAST, NEXUS, SENTRI, CDL-HME, MMC, and passport, in addition to the five credentials considered as candidates for consolidation. There is strong evidence that the background check processes for these credentials could be standardized and applicable across all transportation modes.(2) As shown in Table 3-3, 10 of the 11 credentials identified shared both a fingerprint back- ground check (i.e., required for all but the passport) and a name-based background check (i.e., required for all but the USPS). In some cases there are minor variations in how these processes are completed or which databases are checked; how- ever, the overall processes are extremely similar. More impor- tantly, the objective of these background checks (i.e., identifying any disqualifying offenses) is the same for all credentials. The premise for this research was concern over the redun- dancies of the security credentialing system for persons who transport hazardous materials. Based on the research, it is apparent that consolidation of existing credentials requires significant change to the current security credentialing system and could meet with organizational or institutional resistance. It is believed that the consolidation of background checks would deal largely with the application process, and would be transparent to the end user. An example of acceptance for other credential vetting processes would be the TWIC and the HME, where a cost reduction is applied to applicants already holding a CDL-HME when they apply for the TWIC. There are restrictions on this agreement; however, it provides a starting point. Ultimately, this system of reciprocity could be extended to the majority of credentials identified here. A system where background check processes are standard- ized could reduce cost due to increased efficiency. Multi-agency data sharing could also streamline the process for all stakehold- ers. This system would require that the results of a credential application be applicable to a secondary credential application regarding the background investigation. As is currently the case, it would likely require the expiration of any subsequent creden- tials to coincide with the time limit of applicability associated with the first credential. That is, if an applicant is granted a TWIC in 2010, and then applies for a FAST card in 2012 using the background check from the TWIC application, the FAST card would also expire in 2015. Initially, this could cause some issues with increased renewal processing demands due to renewal periods less than the standard. However, over time this should save money as alignment and efficiency occur. Future Research Based on the results of this research, the research team rec- ommends a full cost-benefit analysis regarding the consolida- tion of the credentials named above. This information is imperative in order to fully understand the effect of changing the system to reflect consolidation. Furthermore, this infor- mation can provide an avenue of comparison for consolidation of the credentials versus a consolidation of the background investigation processes. The research team also recommends a separate effort to focus entirely on consolidation of the background checks (the entire vetting process) for all credentials specific to transporta- tion of hazardous materials. This appears to be a beneficial middle ground that provides the most benefits for the great- est number of stakeholders. This evaluation should carefully consider which credentials are viable options and which cre- dentials are peripheral in nature. This research could result in intermediate change providing a real, positive impact to stakeholders while progressing toward an ultimate solution, should one exist. Although it is feasible to consolidate some credentials based on currently available data, an effort needs to be implemented at the federal level with input from stakeholders at all levels. The most important next step is to identify the specific cost data associated with the security credential consolidation process. 51