As one of the lead agencies tasked with ensuring the safety and security of the Marine Transportation System (MTS) and maritime critical infrastructure and key resources, the Coast Guard has invested heavily in cyber risk management efforts. These efforts focus on the Coast Guard Cyber Strategy’s three strategic priorities of: defending cyberspace, enabling operations, and protecting infrastructure. The Coast Guard has approached these priorities through various policies, guidelines, and other initiatives both internally and through collaborative efforts. Below are a few of the cyber-focused initiatives the Coast Guard is leading, either in effect or in development, that will help to continue fortifying our nation’s cyber protection and response posture.
CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security: An owner or operator of a vessel or facility that is required to maintain an approved security plan in accordance with parts 104, 105 or 106 of Title 33, Code of Federal Regulations, Subchapter H shall, without delay, report activities that may result in a transportation security incident to the National Response Center (NRC), including breaches of security and suspicious activity. Policy Letter 08-16 highlights requirements and guidance on reporting cyber security related events to the NRC or the Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC).
Cyber Security Framework Profiles: Development of industry segment-specific profiles was led by the Coast Guard’s Office of Port and Facility Compliance (CG-FAC), in coordination with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence. Based on the NIST Cyber Security Framework, these profiles are customized risk assessment tools tailored to specific maritime industry segments. The profiles outline a desired minimum state of cyber security and cyber risk management, and provide the opportunity to plan for future business decisions.
Developed through the cooperative efforts of industry stakeholders and subject matter experts, these voluntary risk assessment profiles were created for the Maritime Bulk Liquids Transfer, Offshore Operations, and Passenger Vessel Operations segments. A fourth profile focused on Navigation and Automated Systems for Vessels and Facilities is in the early stages of development. Information on the profiles, as well as the profiles themselves, are located at the Office of Port & Facility Compliance page, under Domestic Ports, Cyber Security.
Cyber Risk Management for Vessels: Led by the Office of Design and Engineering Standards (CG-ENG), cyber risk management on vessels is promoted using an international approach. Leveraging the consensus power of the 172 member states at the International Maritime Organization (IMO), the U.S. delegation worked with member states and industry representatives to develop the IMO MSC/FAC Circular Guidelines for Maritime Cyber Risk Management and subsequent MSC Resolution 428(98) Maritime Cyber Risk Management in Safety Management Systems. The Coast Guard will continue to work in collaboration with industry stakeholders to develop best practices and define a clear path to compliance with MSC Resolution 428(98) prior to the implementation date of January 2021.
CG-791 – Office of Cyberspace Forces: The Office of Cyberspace Forces (CG-791) attained Initial Operational Capability (IOC) in September 2017 to implement the Coast Guard Cyber Strategy and manage the Cyber Program. CG-791 delivers programmatic oversight and direction for the organization, training, equipping, and operational policy for the cyberspace workforce, and, in conjunction with CG-5P program offices, develops strategy and policy for enabling operations and protecting MTS infrastructure.
Marine Transportation System Cyber Awareness Training: CG-FAC, in coordination with ABS Group, provided “Marine Transportation System Cyber Awareness Training” via webinar. This training was developed to provide basic cyber awareness with a focus on maritime facility and vessel operations. The awareness training provides personnel at all levels of an organization basic knowledge of cyber terms and systems that may be encountered throughout the MTS.
A recording of the training is available online.
As the Coast Guard continues to address the evolving threats and vulnerabilities in the cyber environment, updates and additional information can be found at Maritime Commons and Coast Guard Homeport.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.