Using Alternative Credentials for TWIC compliance with FIPSlink

No rip and replace!

The option to use existing access control cards (or, at a greenfield site, to use access control cards in place of a TWIC card) is new as part of the TWIC Final Rule. The TWIC Specification, updated in the 2016 Final Rule, does not explicitly require the use of TSA-issued TWIC cards at time of access. Using access control cards can save money and reduce the overall compliance burden when becoming TWIC compliant.
 
Here is how the TWIC Specification allows you to continue using existing commercial cards as “alternative credentials” for your compliant facility.

The TWIC Final Rule specifically describes the requirements of a compliant solution as being able to perform “electronic TWIC inspection requirements of biometric identification, the card validity check, and card authentication” (https://www.federalregister.gov/d/2016-19383/p-345). So what does this mean for your existing PACS?

Three tenets of TWIC compliance

Biometric Identification

Checking the biometric identity of a TWIC cardholder means that the PACS needs to be able to verify the physical person’s fingerprint against the template that has been stored on their TWIC card.

Card Validity Check

The card validity check ensures that the TWIC has not expired or been cancelled by TSA, or reported as lost, stolen, or damaged. This means that a compliant solution will need to check expiration dates as well as the TWIC Cancelled Card List to ensure that a presented TWIC card is still valid.

Card Authentication

Card authentication ensures that the TWIC card is not counterfeit. In the case of a visual inspection, this can be done by a guard looking for the general features of the card as well as the reflective holographic designs on the card’s surface. A PACS, however, needs to verify the card electronically, and does so by performing a challenge/response test with the digital certificates stored on the card. If the certificates are invalid or out of date, then the card cannot be authenticated.

What this means for Commercial Cards

The main tenets above are written to allow flexible compliance with the TWIC Final Rule without impeding the end user or creating unnecessary costs. With the correct solution, a facility can continue using its commercial access cards as alternative credentials if its PACS solution can meet the criteria above.

How do commercial cards work with FIPSlink?

FIPSlink enables compliance with the TWIC Final Rule in existing PACS by performing the necessary electronic TWIC card checks on its own, then updating information within your PACS. Not only does this make the process of enrollment simple and fast, but it also allows your cardholders to continue using their commercial access cards as alternative credentials. This means that there’s no need to manually reissue, alter, or otherwise interfere with the badges that are already working on site.