The National Alternative Security Program (ASP) Sponsoring Organizations held a workshop in Arlington, Virginia, May 2, 2019, to discuss ongoing and emerging issues related to regulatory requirements of the Maritime Transportation Security Act (MTSA) of 2002. MTSA was enacted to keep U.S. shores and vital waterways open, safe and secure for commerce.
The annual workshop was hosted at the offices of the North American Export Grain Association and the National Grain and Feed Association. Attendees came from as far away as Seattle and represented 11 industry organizations that oversee thousands of MTSA-regulated vessels and over two hundred MTSA-regulated facilities that share common business models. Industries represented included passenger, ferry and gaming vessels, offshore service and towing vessels, chemical and barge fleeting facilities, and grain terminals.
Following a welcome from Ms. Betty McMenemy, a marine transportation specialist with the Coast Guard’s Office of Port and Facility Compliance, attendees heard from the Coast Guard on a variety of subjects:
• Seafarer’s Access Final Rule. The deadline for facilities to implement changes to facilities to comply with the rule is June 1, 2020; however, facilities must submit their amended Facility Security Plan (FSP) to their local Captain of the Port by Feb. 3, 2020.
• Transportation Worker Identification Credential (TWIC®) Reader Requirements Final Rule. The Coast Guard will use the DHS assessment, in addition to the public comments received on the NPRM, to develop its final rule. DHS’s assessment is scheduled to be complete by mid-2019.
• Various cybersecurity-related initiatives:
o The establishment of the Office of Cyberspace Forces (CG-791), whose mission is to obtain cyberspace capabilities, competencies, and capacity to meet operational requirements.
o Policy letter 08-16, which provides guidance on reporting breaches of security and suspicious activity, including cyber-related incidents.
o Draft cyber NVIC, currently under review, that will offer guidelines for addressing cyber risks at MTSA regulated facilities, including incorporating computer systems and networks into FSPs, and clarifies 33 CFR 105 & 106.
o Cybersecurity framework profiles. Based on the NIST Cybersecurity Framework, these voluntary, non-regulatory risk management tools can be applied to a company’s operations, procedures, and systems to help assess their cyber posture. The frameworks are customizable and scalable and designed to help develop goals and strategies based on available resources.
“It is the facility’s responsibility to do an assessment and identify any vulnerability, so get your operations and IT people together to discuss risks and management,” McMenemy said. “Take a look at the systems you have and see if they have a nexus to maritime operations. Ask yourself, ‘if [the system] were hacked, what would happen? How likely is it to happen? What are the consequences? How can we recover or stop it from happening?’”
Mr. Casey Johnson, a program analyst with the Office of Port and Facility Compliance, gave a brief on work the Area Maritime Security Committee in New Orleans has done to filter out reports of unauthorized unmanned aircraft systems (UAS) operating in the area. They created a simple email alert system used among the port partners to keep each other informed of legitimate UAS use. Johnson said erroneous reports to law enforcement have dropped by 90 percent because of this filtering.
Mr. Drew Sindlinger from the Transportation Security Administration (TSA) gave a presentation on a new TWIC mobile application that TSA is testing to assist inspectors with visual inspection of the TWIC card. Using the app, inspectors may enter or scan the card’s Credential Identification Number (CIN) and determine if the card was canceled by TSA and listed on the TWIC Canceled Card List.
Additionally, Sindlinger encouraged the workshop attendees and their members to contact the TSA TWIC program (TWIC-Technology@tsa.dhs.gov) to report issues with card functionality, adding that most of the reported problems stem from TWIC implementation with facility owned and operated Access Control Systems, not the card itself.
Sindlinger also briefly discussed recurrent vetting of TWIC holders.
“Recurrent vetting is a critical component of the TWIC program, and continuous monitoring remains a key program objective,” Sindlinger said. “Every TWIC cardholder is subject to continuous 24/7 recurrent vetting using TSA’s National Transportation Vetting Center. TSA is using DHS’s Automated Biometric Identification System (IDENT) encounter information for recurrent terrorist, criminal and immigration vetting and is in the process of implementing FBI Rap Back Services. TSA is using this data to review and adjudicate potential derogatory or disqualifying activities conducted by TWIC cardholders.”
Ms. Zeina Azar and Ms. Nadya Owens with the Cybersecurity and Infrastructure Security Agency (CISA) at DHS, gave a brief on the Chemical Facility Anti-Terrorism Standards (CFATS), which regulates the use and storage of over 300 high risk chemicals to ensure they implement appropriate security measures to reduce the risk of a terrorist attack. Azar and Owens clarified that MTSA facilities are exempt from CFATS if they meet MTSA requirements and have COTP’s approval. However, if chemicals are stored in areas of the facility not covered by MTSA, CFATS applies.
CISA, which employs 150 chemical inspectors throughout the country, conducts authorization inspections, compliance assistance visits, compliance inspections, and stakeholder outreach at approximately 3,200 facilities nationwide. For more information, visit https://www.dhs.gov/CISA.
Other discussion items on the workshop agenda included:
• Compliance deficiencies
• An amendment to the Consolidated Cruise Ship Security Act that adds ammunition to the cruise ship passenger Prohibited Items List
• Characteristics of a breach of security vs. a security incident
• The Policy Advisory Council registry
• Training for security officers through the National Maritime Center
• The role of the Captain of the Port in the plan approval process
To close the meeting, McMenemy thanked the group for all the work done since the first ASP sponsoring organization workshop in 2010.
“ASPs are a real group effort – industry, Coast Guard Headquarters, and everyone in the field,” McMenemy said. “Everyone works so well together and the Coast Guard appreciates that you have stayed with this program and made it a success.”
The next National Alternative Security Plan Workshop is tentatively scheduled for May 2020. For more information, contact Ms. Betty McMenemy at email@example.com.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.