Recently, Capt. Ryan Manning, Office Chief for Port and Facility Compliance, participated in a panel called ‘The Evolution of Sector Profiles’ at the May 2017 NIST Cybersecurity Framework Workshop in Gaithersburg, Maryland.
The purpose of the workshop was to discuss the Coast Guard’s collaboration efforts related to the Cybersecurity Framework and work products as well as gather input to help NIST understand stakeholder awareness and current use of the Framework.
Below, Manning provides a summary of his comments for your informational purposes. His comments focus on the progress made between the Coast Guard and partner organizations to continue building cybersecurity profiles and the importance of constant stakeholder engagement.
From the desk of Capt. Ryan Manning, Office Chief for Port and Facility Compliance
Last November, after collaborating with the National Institute of Standards and Technology as well as the National Offshore Safety Advisory Committee’s (NOSAC) Cybersecurity Subcommittee and the American Petroleum Institute (API), we released the Maritime Bulk Liquids Transfer (MBLT) Cybersecurity Framework Profile, the first of several planned, voluntary, and non-regulatory resources intended to assist the maritime industry manage cyber risk. I’m pleased to say that much of the industry in the U.S., and even some internationally, are using the Cybersecurity Framework to help guide their discussions. Industry-focused Cybersecurity Framework Profiles are an excellent example of how the government and industry have used our collective resources to address challenges together.
Using the same process used to develop the MBLT Profile, we’re in the midst of developing Profiles for the offshore operations subsector of the oil and natural gas industry and the passenger vessel industry. The former is in the early stages of development with the National Cybersecurity Center of Excellence (NCCoE) as well as API, the International Association of Drilling Contractors, and the Offshore Operators Committee. We’re optimistic that the latter will be released by fall of 2017. A content preview of the Offshore Operations Profile is available for review and we welcome your feedback. Please send any comments or questions to HQS-SMB-CG-FAC-CYBER@uscg.mil by June 15.
Separate from the status of the Profiles themselves, the important takeaway is that the process used to develop the Profiles works. It works because we relied almost exclusively on you, the maritime professional, to tell us what is important to you and how to ensure your mission objectives and operational priorities are incorporated into the cyber risk management outcomes and recommended safeguards.
From the Coast Guard’s perspective, there are several primary benefits to using this process:
- It eliminates jargon and lingo specific to any one segment of maritime industry by establishing a common language to discuss cyber risk management
- It encourages dialogue among industry and between industry and the Coast Guard, providing the opportunity to align cyber risk management priorities
- It increases communication between IT and OT about mission priorities and how cyber risk management and mitigation impacts business decisions
We are also working with the NCCoE to develop a NIST 1800 series “how-to” guide in 2017, in an effort to help organizations of any size develop a customized Profile specific to their enterprise. If you would like insights into the Coast Guard’s industry collaboration process that will be discussed in the “how-to” guide, watch Cmdr. Nicholas Wong as he speaks at the May 2017 NIST Cybersecurity Framework Workshop. (Editor’s note: Wong’s portion of the presentation is found on Day 1, Part 3.)
I look forward to continuing our dialogue with the maritime industry as we work together to protect our vital U.S. Marine Transportation System from cyber risks.
Please address any questions or comments to HQS-SMB-CG-FAC-CYBER@uscg.mil, including feedback on the Offshore Operations Profile Content Preview.
To view a video of the full workshop, visit NIST’s Cybersecurity Framework Profile website.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.