This is the first in a series of articles addressing cyber risk management and cybersecurity within the Marine Transportation System (MTS). The maritime community is facing daily threats to their information and operational technology systems, whether through malicious actors, antiquated systems, or lack of emphasis on securing the cyber landscape. Cyber threats are constantly evolving, and it is crucial that our stakeholders have the guidance, resources, and awareness to mitigate these risks.
From the desk of Captain Bradley Clare
Office Chief for the Office of Port and Facility Compliance (CG-FAC)
CG-FAC is proud to present the first of these articles, providing a summary of Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber at MTSA Regulated Facilities and a reminder of upcoming due dates. CG-FAC will be collaborating with cyber-focused personnel in the field, along with Headquarters program offices, to provide more information in the months ahead.
Approaching deadlines for incorporating cyber into Facility Security Assessments (FSA) and Facility Security Plans (FSP)
As evidenced by news of cyber incidents affecting critical infrastructure and the maritime environment, we are reminded that cyber threats to, and vulnerabilities of, the MTS are constantly evolving. With a clear need to mitigate these risks, the Coast Guard is reminding MTS stakeholders, and specifically those facilities regulated under the Maritime Transportation Security Act of 2002 (MTSA), that the timeframe for incorporating cyber into FSAs and FSPs is rapidly approaching.
Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber at MTSA Regulated Facilities was issued in March of 2020. This NVIC provides guidance to facility owners and operators on complying with requirements to assess, document, and address computer system and network vulnerabilities. In accordance with 33 CFR parts 105 and 106, which implement MTSA, regulated facilities (including Outer Continental Shelf facilities) are required to assess and document vulnerabilities associated with their computer systems and networks in an FSA and FSP.
In announcing this guidance, the Coast Guard understood that facilities would require time to properly assess their cyber risks and vulnerabilities and establish a plan for documenting those as part of their FSAs and FSPs. The Coast Guard advised that facilities shall provide that cyber documentation, whether as an annex, addendum, enclosure, or other form as appropriate, to their local Captain of the Port (COTP) at the time of their annual audit date, beginning October 1st, 2021. COTPs will still have the flexibility, based on resource demands or upon discussion with facility personnel, to adjust when submissions are received, as long as all facility FSA and FSP (Headquarters for ASPs) submissions are received by the end of a one-year period, no later than October 1st, 2022.
We continue to stress the importance of engaging early and often with respective COTPs to ensure alignment of expectations for achieving compliance. The Coast Guard is continually reviewing and updating guidance to both industry and CG field personnel, including Frequently Asked Questions and Job Aids, for added awareness.