By Wade-Hahn Chan
Aug. 3, 2006
The Department of Homeland Security needs to address some basic security
problems before fully deploying its system for issuing biometric-based
identification cards to transportation workers nationwide, according to a
report from the department's inspector general.
A redacted version of the report, released Aug. 2, states that the
Transportation Worker Identification Credential (TWIC) program has
significant security vulnerabilities in its systems, documentation and
"The security-related issues identified may threaten the confidentiality,
integrity and availability of sensitive TWIC data," the report states.
"Until remedied, the significant security weaknesses jeopardize the
certification and accreditation of the systems prior to full
implementation of the TWIC program."
Specifics on the number and types of vulnerabilities were censored in the
edited report. However, the problems are related to default security
settings and accounts as well as patch management, the report indicates.
The program also does not comply with some requirements of the Federal
Information Security Management Act, according to the report. The
department needs to update its privacy assessment of the program, have the
systems contingency plans approved and tested, and provide more security
training to system and database administrators, the document states.
TWIC is currently in its prototype phase. Some of the systems that were
evaluated by the IG included enrollment workstations, contractor data
center databases and the printers and workstations used to print TWIC
The IG recommends that vulnerabilities be dealt with and FISMA
documentation be updated as soon as possible. TSA has concurred with the
IG and agreed to work to solve the problems using the IG's
recommendations. The agency also said that it would address the settings
and accounts and patch problems through technical enhancements to the
prototype system and by conducting security tests and evaluations.
Visit the InfoSec News store!