Editor’s note: This post was updated Jan. 16, 2018, to provide additional instructions for navigating CG-FAC’s website.
The Office of Port and Facility Compliance recently announced the release of new cybersecurity framework profiles for the Offshore Operations and Passenger Vessel industries, providing a pathway for these industries to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The NIST Cybersecurity Framework was developed in 2014 to address and manage cybersecurity risk in a cost-effective way based on business needs and without placing additional regulatory requirements on businesses. These profiles reflect how organizations align the NIST framework’s cybersecurity activities, outcomes, and informative references to organizational business requirements, risk tolerances, and resources. They outline a desired minimum state of cybersecurity and cyber risk management, and provide the opportunity to plan for future business decisions.
These two new profiles follow the November 2016 release of the Maritime Bulk Liquid Transfer cybersecurity framework profile, a voluntary cyber risk assessment tool developed in conjunction with NIST as well as industry stakeholders. The industry profiles in this series are the first of their kind for the marine transportation system sector, and they are the result of coordination between the Coast Guard Office of Port and Facility Compliance, NIST’s National Cybersecurity Center of Excellence (NCCoE), key industry stakeholders, and trade associations.
One of the primary focuses of the Coast Guard and NCCoE during the development of these profiles was to ensure they were industry-focused and leveraged existing standards and recommended practices. To that end, maritime industry stakeholders were crucial to the successful development of the profiles. The American Petroleum Institute, American Fuel and Petrochemical Manufacturers, International Association of Drilling Contractors, and Offshore Operators Committee were all instrumental in the development of the Offshore Operations profile. The Cruise Lines International Association and Passenger Vessel Association were equally important to the development of the Passenger Vessel profile.
Cyber-related risks are a growing portion of the vulnerabilities facing the Marine Transportation System (MTS). Cyber technologies enable the MTS to operate with an impressive record of reliability and at a capacity that drives the U.S. economy and supports national defense, homeland security, and related needs. While cyber systems create benefits, they also introduce risk. Exploitation, misuse, or failure of cyber systems could cause harm to the marine environment or disrupt vital trade activity. Even a temporary or partial disruption of MTS operations could have serious consequences. As a result, cyber risk management has become increasingly important.
“The cybersecurity framework profiles are designed to assist organizations in assessing cyber risks, and offer guidance on how to allocate limited resources in order to improve their cyber resiliency. The Coast Guard hopes these profiles will assist organizations in answering these questions and help with mitigating concerns,” said Lt. Cmdr. Brandon Link, a marine safety expert in the Critical Infrastructure Branch within the Coast Guard’s Office of Port and Facility Compliance. “We cannot stress enough our appreciation to the stakeholders from all sectors of industry for their assistance in drafting these profiles.”
The Coast Guard anticipates working with the NCCoE on at least one additional profile addressing navigation and automated systems onboard vessels as well as facilities.
For more information, and to view the profiles, please use this link, or visit the Coast Guard Office of Port & Facility Compliance website, select Domestic Ports from the left-hand menu, and then select Cyber Security. Scroll to the Maritime Specific Cybersecurity Framework Profiles section. Navigate to the Profile Overview first, which includes an introduction, background, and explanation of the profiles. The industry-specific profiles for Maritime Bulk Liquid Transfer, Offshore Operations, and Passenger Vessel are then listed as appendices.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.