IG flags TWIC for security holes

DHS Must Address Significant Security Vulnerabilities Prior To TWIC Implementation (Redacted)

The Department of Homeland Security needs to address some basic security problems before fully deploying its system for issuing biometric-based identification cards to transportation workers nationwide, according to a report from the department's inspector general.

A redacted version of the report, released Aug. 2, states that the Transportation Worker Identification Credential (TWIC) program has significant security vulnerabilities in its systems, documentation and program management.

“The security-related issues identified may threaten the confidentiality, integrity and availability of sensitive TWIC data,” the report states. “Until remedied, the significant security weaknesses jeopardize the certification and accreditation of the systems prior to full implementation of the TWIC program.”

Specifics on the number and types of vulnerabilities were censored in the edited report. However, the problems are related to default security settings and accounts as well as patch management, the report indicates.

The program also does not comply with some requirements of the Federal Information Security Management Act, according to the report. The department needs to update its privacy assessment of the program, have the systems contingency plans approved and tested, and provide more security training to system and database administrators, the document states.

TWIC is currently in its prototype phase. Some of the systems that were evaluated by the IG included enrollment workstations, contractor data center databases and the printers and workstations used to print TWIC cards.

The IG recommends that vulnerabilities be dealt with and FISMA documentation be updated as soon as possible. TSA has concurred with the IG and agreed to work to solve the problems using the IG’s recommendations. The agency also said that it would address the settings and accounts and patch problems through technical enhancements to the prototype system and by conducting security tests and evaluations.