(a) The purpose of a DoS, as described in SOLAS Chapter XI-2, Regulation 10, and the ISPS Code (Incorporated by reference, see § 101.115), is to state the agreement reached between a vessel and a facility, or between vessels in the case of a vessel-to-vessel activity, as to the respective security measures each must undertake during a specific vessel-to-facility interface, during a series of interfaces between the vessel and the facility, or during a vessel-to-vessel activity.

(b) Details as to who must complete a DoS, when a DoS must be completed, and how long a DoS must be retained are included in parts 104 through 106 of this subchapter. A DoS must, at a minimum, include the information found in the ISPS Code, part B, appendix 1 (Incorporated by reference, see § 101.115).

(c) All vessels and facilities required to comply with parts 104, 105, and 106 of this subchapter must, at a minimum, comply with the DoS requirements of the MARSEC Level set for the port.

(d) The COTP may also require a DoS be completed for vessels and facilities during periods of critical port operations, special marine events, or when vessels give notification of a higher MARSEC Level than that set in the COTP's Area of Responsibility (AOR).

Ports, vessels, and facilities required to conduct security assessments by part 103, 104, 105, or 106 of this subchapter may use any assessment tool that meets the standards set out in part 103, 104, 105, or 106, as applicable. These tools may include USCG assessment tools, which are available from the cognizant COTP or at https://www.dco.uscg.mil/Our-Organization/NVIC/, as set out in the following:

(a) Navigation and Vessel Inspection Circular titled, “Guidelines for Port Security Committees, and Port Security Plans Required for U.S. Ports” (NVIC 9-02 series);

(b) Navigation and Vessel Inspection Circular titled, “Security Guidelines for Vessels”, (NVIC 10-02 change 1); and

(c) Navigation and Vessel Inspection Circular titled, “Security Guidelines for Facilities”, (NVIC 11-02 change 1).

(a) All persons requiring unescorted access to secure areas of vessels, facilities, and OCS facilities regulated by parts 104, 105 or 106 of this subchapter must possess a TWIC before such access is granted, except as otherwise noted in this section. A TWIC must be obtained via the procedures established by TSA in 49 CFR part 1572.

(b) Federal officials are not required to obtain or possess a TWIC. Except in cases of emergencies or other exigent circumstances, in order to gain unescorted access to a secure area of a vessel, facility, or OCS facility regulated by parts 104, 105 or 106 of this subchapter, a Federal official must present his/her agency issued, HSPD 12 compliant credential. Until each agency issues its HSPD 12 compliant cards, Federal officials may gain unescorted access by using their agency's official credential. The COTP will advise facilities and vessels within his or her area of responsibility as agencies come into compliance with HSPD 12.

(c) Law enforcement officials at the State or local level are not required to obtain or possess a TWIC to gain unescorted access to secure areas. They may, however, voluntarily obtain a TWIC where their offices fall within or where they require frequent unescorted access to a secure area of a vessel, facility or OCS facility.

(d) Emergency responders at the State or local level are not required to obtain or possess a TWIC to gain unescorted access to secure areas during an emergency situation. They may, however, voluntarily obtain a TWIC where their offices fall within or where they desire frequent unescorted access to a secure area of a vessel, facility or OCS facility in non-emergency situations.

(a) Persons not described in § 101.514 must present personal identification in order to gain entry to a vessel, facility, and OCS facility regulated by parts 104, 105 or 106 of this subchapter. These individuals must be under escort, as that term is defined in § 101.105 of this part, while inside a secure area. This personal identification must, at a minimum, meet the following requirements:

(1) Be laminated or otherwise secure against tampering;

(2) Contain the individual's full name (full first and last names, middle initial is acceptable);

(3) Contain a photo that accurately depicts that individual's current facial appearance; and

(4) Bear the name of the issuing authority.

(b) The issuing authority in paragraph (a)(4) of this section must be:

(1) A government authority, or an organization authorized to act on behalf of a government authority; or

(2) The individual's employer, union, or trade association.

(c) Vessel, facility, and OCS facility owners and operators must permit law enforcement officials, in the performance of their official duties, who present proper identification in accordance with this section and § 101.514 to enter or board that vessel, facility, or OCS facility at any time, without delay or obstruction. Law enforcement officials, upon entering or boarding a vessel, facility, or OCS facility, will, as soon as practicable, explain their mission to the Master, owner, or operator, or their designated agent.

(d) Inspection of credential. (1) Each person who has been issued or possesses a TWIC must present the TWIC for inspection upon a request from TSA, the Coast Guard, or other authorized DHS representative; an authorized representative of the National Transportation Safety Board; or a Federal, State, or local law enforcement officer.

(2) Each person who has been issued or possesses a TWIC must pass an electronic TWIC inspection, and must submit his or her reference biometric, such as a fingerprint, and any other required information, such as a Personal Identification Number, upon a request from TSA, the Coast Guard, any other authorized DHS representative, or a Federal, State, or local law enforcement officer.

To conduct electronic TWIC inspection, the owner or operator of a vessel or facility must ensure the following actions are performed.

(a) Card authentication. The TWIC must be authenticated by performing a challenge/response protocol using the Certificate for Card Authentication (CCA) and the associated card authentication private key stored in the TWIC.

(b) Card validity check. The TWIC must be checked to ensure the TWIC has not expired and against TSA's list of cancelled TWICs, and no match on the list may be found.

(c) Identity verification. (1) One of the biometric templates stored in the TWIC must be matched to the TWIC-holder's live sample biometric or, by matching to the PACS enrolled reference biometrics linked to the FASC-N of the TWIC; or

(2) If an individual is unable to provide a valid live sample biometric, the TWIC-holder must enter a Personal Identification Number (PIN) and pass a visual TWIC inspection.

(a) At Maritime Security (MARSEC) Level 1, the card validity check must be conducted using information from the TSA that is no more than 7 days old.

(b) At MARSEC Level 2, the card validity check must be conducted using information from the TSA that is no more than 1 day old.

(c) At MARSEC Level 3, the card validity check must be conducted using information from the TSA that is no more than 1 day old.

(d) The list of cancelled TWICs used to conduct the card validity check must be updated within 12 hours of any increase in MARSEC level, no matter when the information was last updated.

(e) Only the most recently obtained list of cancelled TWICs must be used to conduct card validity checks.

This section lays out requirements for a Physical Access Control System (PACS) that may be used to meet electronic TWIC inspection requirements.

(a) A PACS may use a TWIC directly to perform electronic TWIC inspection;

(b) Each PACS card issued to an individual must be linked to that individual's TWIC, and the PACS must contain the following information from each linked TWIC:

(1) The name of the TWIC-holder holder as represented in the Printed Information container of the TWIC.

(2) The TWIC-signed CHUID (with digital signature and expiration date).

(3) The TWIC resident biometric template.

(4) The TWIC digital facial image.

(5) The PACS Personal Identification Number (PIN).

(c) When first linked, a one-time electronic TWIC inspection must be performed, and the TWIC must be verified as authentic, valid, and biometrically matched to the individual presenting the TWIC.

(d) Each time the PACS card is used to gain access to a secure area, the PACS must—

(1) Conduct identity verification by:

(i) Conducting a biometric scan, and match the result with the biometric template stored in the PACS that is linked to the TWIC, or

(ii) Having the individual enter a stored PACS PIN and conducting a Non-TWIC visual identity verification as defined in § 101.105.

(2) Conduct a card validity check; and

(3) Maintain records in accordance with § 104.235(g) or § 105.225(g) of this subchapter, as appropriate.

Owners or operators of vessels or facilities subject to part 104 or 105 of this subchapter, that are assigned to Risk Group A in § 104.263 or § 105.253 of this subchapter, must ensure that a Transportation Worker Identification Credential (TWIC) Program is implemented as follows:

(a) Requirements for Risk Group A vessels. Prior to each boarding of the vessel, all persons who require access to a secure area of the vessel must pass an electronic TWIC inspection before being granted unescorted access to the vessel.

(b) Requirements for Risk Group A facilities. Prior to each entry into a secure area of the facility, all persons must pass an electronic TWIC inspection before being granted unescorted access to secure areas of the facility.

(c) A Physical Access Control System that meets the requirements of § 101.530 may be used to meet the requirements of this section.

(d) The requirements of this section do not apply under certain situations described in § 101.550 or § 101.555.

(e) Emergency access to secure areas, including access by law enforcement and emergency responders, does not require electronic TWIC inspection.

A vessel or facility not in Risk Group A may use the electronic TWIC inspection requirements of § 101.535 in lieu of visual TWIC inspection. If electronic TWIC inspection is used, the recordkeeping requirements of § 104.235(b)(9) and (c) of this subchapter, or § 105.225(b)(9) and (c) of this subchapter, as appropriate, apply.

Owners or operators of any vessel, facility, or Outer Continental Shelf (OCS) facility subject to part 104, 105, or 106 of this subchapter must ensure that a Transportation Worker Identification Credential (TWIC) Program is implemented as follows:

(a) Lost, damaged, stolen, or expired TWIC. If an individual cannot present a TWIC because it has been lost, damaged, stolen, or expired, and the individual previously has been granted unescorted access to secure areas and is known to have had a TWIC, the individual may be granted unescorted access to secure areas for a period of no longer than 30 consecutive calendar days if—

(1) The individual provides proof that he or she has reported the TWIC as lost, damaged, or stolen to the Transportation Security Administration (TSA) as required in 49 CFR 1572.19(f), or the individual provides proof that he or she has applied for the renewal of an expired TWIC;

(2) The individual can present another identification credential that meets the requirements of § 101.515; and

(3) There are no other suspicious circumstances associated with the individual's claim that the TWIC was lost, damaged, or stolen.

(b) TWIC on the Canceled Card List. In the event an individual reports his or her TWIC as lost, damaged, or stolen, and that TWIC is then placed on the Canceled Card List, the individual may be granted unescorted access by a Physical Access Control System (PACS) that meets the requirements of § 101.530 for a period of no longer than 30 days. The individual must be known to have had a TWIC, and known to have reported the TWIC as lost, damaged, or stolen to TSA.

(c) Special requirements for Risk Group A vessels and facilities. If a TWIC reader or a PACS cannot read an individual's biometric templates due to poor biometric quality or no biometrics enrolled, the owner or operator may grant the individual unescorted access to secure areas based on either of the following secondary authentication procedures:

(1) The owner or operator must conduct a visual TWIC inspection and require the individual to correctly submit his or her TWIC Personal Identification Number.

(2) [Reserved]

(d) If an individual cannot present a TWIC for any reason other than those outlined in paragraphs (a) or (b) of this section, the vessel or facility operator may not grant the individual unescorted access to secure areas. The individual must be under escort at all times while in the secure area.

(e) With the exception of individuals granted access according to paragraphs (a) or (b) of this section, all individuals granted unescorted access to secure areas of a vessel, facility, or OCS facility must be able to produce their TWICs upon request from the TSA, the Coast Guard, another authorized Department of Homeland Security representative, or a Federal, State, or local law enforcement officer.

(f) There must be disciplinary measures in place to prevent fraud and abuse.

(g) Owners or operators must establish the frequency of the application of any security measures for access control in their approved security plans, particularly if these security measures are applied on a random or occasional basis.

(h) The vessel, facility, or OCS facility operator should coordinate the TWIC Program, when practical, with identification and TWIC access control measures of other entities that interface with the vessel, facility, or OCS facility.

This section describes how designated TWIC-holders may access certain secure areas on Risk Group A vessels and facilities on a continual and repeated basis without undergoing repeated electronic TWIC inspections.

(a) An individual may enter a secure area on a vessel or facility without undergoing an electronic TWIC inspection under the following conditions:

(1) Access is through a Designated Recurring Access Area (DRAA), designated under an approved Vessel, Facility, or Joint Vessel-Facility Security Plan.

(2) The entire DRAA is continuously monitored by security personnel at the access points to secure areas used by personnel seeking Recurring Unescorted Access.

(3) The individual possesses a valid TWIC.

(4) The individual has passed an electronic TWIC inspection within each shift and in the presence of the on-scene security personnel.

(5) The individual passes an additional electronic TWIC inspection prior to being granted unescorted access to a secure area if he or she enters an unsecured area outside the DRAA and then returns.

(b) The following requirements apply to a DRAA:

(1) It must consist of an unsecured area where personnel will be moving into an adjacent secure area repeatedly.

(2) The entire DRAA must be visible to security personnel.

(3) During operation as a DRAA, there must be security personnel present at all times.

(c) An area may operate as a DRAA at certain times, and during other times, access to secure areas may be obtained through the procedures in § 101.535.

(d) Personnel may enter the secure areas adjacent to a DRAA at any time using the procedures in § 101.535.