The US Coast Guard published a list of Frequently Asked Questions (FAQ) related to Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities.
Since October 1st, 2021, Maritime Transportation Security Act-regulated facilities have been incorporating cyber into their Facility Security Assessments (FSA) and Facility Security Plans (FSP) as part of their annual audit. Facilities still working on this aspect of their FSA and FSP should ensure that they are cognizant of their annual audit date, or engage in discussions with their local Captain of the Port to ensure the submissions are received prior to October 1st, 2022.
The Coast Guard previously published Navigation and Vessel Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities as voluntary guidance for complying with MTSA requirements for addressing cyber risks. As part of that messaging, the Coast Guard published a Frequently Asked Questions (FAQ) document supporting the NVIC and cyber inclusion in FSPs.
As the Coast Guard continues to work with its Facility Inspectors in the field, as well as maritime industry stakeholders, we will continue to update these FAQs based on feedback. In keeping with this goal, the Coast Guard announces the availability of updated FAQs
…says the Coast Guard.
Q: Is the Navigation and Vessel Inspection Circular (NVIC) 01-20 a new regulation or new requirement?
No. NVIC 01-20 is not a regulation. It is intended only to provide clarity regarding existing requirements under the law. It does not change any legal requirements, and does not impose new requirements on the public. This NVIC provides guidance to facility owners and operators in complying with the existing regulatory requirements to assess, document, and address computer system or network vulnerabilities.
Not all recommendations will apply to all facilities, depending on individual facility operations. Facility owners and operators may use a different approach than this NVIC recommends, if that approach satisfies the legal requirements.
Q: Are there approved standards or third parties that can help with training, education, etc.?
While the Coast Guard does not maintain a list of recommended third parties to help with training and education, facilities are welcome to seek out third parties that are qualified and working independently to provide training, education, and other services regarding the assessment and implementation of cyber in the FSAs, FSPs, and Alternative Security Programs (ASPs), as well as general facility operations.
Additionally, there are numerous cybersecurity standards that may assist in incorporation of cybersecurity and cyber risk management into the FSA, FSP, and operations. Currently there is not a Coast Guard-approved list of cybersecurity standards, though the NIST Cybersecurity Framework is one example that has been widely utilized.
Q: Do MTSA facilities have to rewrite their FSP?
No. If the FSA identifies a vulnerability to the computer system or network that is not already addressed in the FSP, the FSP needs to be amended to address that vulnerability and submitted to the local Captain of the Port (COTP) for review and approval. The Coast Guard will accept an annex, addendum, or other method identified by the facility owner/operator so long as the requirements within regulation are met. A complete rewrite is not necessary, unless the facility owner/operator prefers that approach.
Q: Does a form CG-6025 for Facility Vulnerability and Security Measures Summary need to be submitted?
Yes. The requirements for submission of form CG-6025 remain unchanged in light of the incorporation of cyber into the FSA and FSP. In accordance with 33 Code of Federal Regulations Part 105.405(a)(18) and (c), the Facility Vulnerability and Security Measures Summary (Form CG-6025) is required.
Q: What is the deadline for updating FSA and FSPs to address computer systems and networks?
The Coast Guard allowed a 1.5-year implementation period for the cybersecurity requirement, which ended on 09/30/2021. Facility owners and operators who already address cybersecurity in their FSAs and FSPs or ASPs should continue doing so, while considering whether the guidance in NVIC 01-20 can improve their ongoing practices. As of 10/01/2021, facilities are required to submit cybersecurity FSA and FSP/ASP amendments or annexes by the facility's annual audit date, based on the facility's FSP/ASP approval date.
Captains of the Port still have the flexibility based on resource demands, or based upon request from a facility, to adjust when submissions are received, as long as all facility FSA and FSP/ASP submissions are received by the end of the one-year period, no later than 10/01/2022.
Q: A facility has incorporated cybersecurity into their FSA/FSP but the COTP has determined that cybersecurity is not adequately addressed. Should a discrepancy be issued to the facility?
The implementation period should have provided industry time to evaluate and incorporate cybersecurity into their FSA and FSP. FSOs, facility owners, and operators should be engaged in discussion with their COTP to work towards acceptable documentation. Discrepancies are not recommended at this time, though the COTP ultimately has the responsibility to ensure the safety and security of the port.
As a reminder, FSA and FSP/ASP cyber annexes/addenda need to be submitted to COTPs by the facility's annual audit date, but no later than 10/01/2022. After 10/01/2022, discrepancies will follow the same regulatory authority as physical security discrepancies.
Q: Why focus on this now?
Per the National Cyber Strategy (September 2018), maritime cybersecurity is of particular concern because lost or delayed shipments can result in strategic economic disruptions and potential spillover effects on downstream industries and the supply chain.
Given the criticality of maritime transportation to the United States and global economy, the United States will move quickly to clarify maritime cybersecurity roles and responsibilities; promote and enhance mechanisms for international coordination and information sharing; and accelerate the development of next-generation cyber-resilient maritime infrastructure. To this end, the Coast Guard has worked closely with industry and other government agencies to provide guidance on complying with cybersecurity requirements for MTSA regulated facilities.
Since the 2018 National Cyber Strategy, the Coast Guard Cyber Strategic Outlook (CSO) was published in 2021, which involves three lines of effort to address cybersecurity issues:
#1 Defend and operate the enterprise mission platform,
#2 Protect the Marine Transportation System, and
#3 Operate in and through cyberspace.
Q: Does this NVIC address cybersecurity for vessels?
No. This NVIC addresses cybersecurity for facilities. The Coast Guard is currently developing separate guidance to address cybersecurity on board vessels.
Q: What cyber training or resources does the Coast Guard recommend to Facility Security Officers (FSO) and other facility security personnel for implementation of NVIC 01-20?
At this time, there are no Coast Guard approved or recommended cyber training(s) for FSOs. FSOs and facility owner/operators are encouraged to seek out and build relationships within their company’s IT/technical staffs to continue bridging the cyber knowledge and awareness gaps and to further assist in identifying potential cyber vulnerabilities.
Q: What if a MTSA facility’s IT system is controlled remotely, such as at the corporate or enterprise level (not at the facility itself)? In this circumstance, how does the facility owner/operator or FSO adequately identify cyber vulnerabilities within their FSA, and then also address those vulnerabilities within their FSP?
The facility owner/operator or FSO should determine who within their company is responsible for their IT network and systems. It is common, especially within larger organizations, for a facility's IT systems to be controlled and managed by an IT department at the corporate or enterprise level. Historically, the IT staff/department may not have had significant engagement or interaction with FSOs or facility-level operators/managers. However, this engagement is highly encouraged in order to adequately conduct the cyber portion of a facility's FSA, and to address cyber vulnerabilities at a facility.
Once the FSO, facility owner/operator, and IT staff have jointly identified which vulnerabilities may impact a given facility, and at what level (corporate/enterprise, local, etc.), the FSO should then work with those IT individuals to determine how those vulnerabilities need to be addressed within the FSP cyber annex/addendum (in other words, conduct the cyber portion of the FSA and incorporate cyber into the FSA). For example, an FSO may determine, with the assistance of the company's IT personnel, that certain IT policies or plans should be included or referenced within the FSP to address known vulnerabilities.