The cyber landscape in the Marine Transportation System (MTS) is continually evolving. Computer systems and technology play an increasing role in systems, equipment, and operations throughout the maritime environment. Recognizing the critical role cyber plays, the Coast Guard worked closely with industry and other government agencies to provide guidance on complying with cybersecurity requirements. Today we are proud to announce the release of Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities.
This NVIC provides guidance to facility owners and operators on complying with the requirements to assess, document, and address computer system and network vulnerabilities. In accordance with 33 CFR parts 105 and 106, which implement the Maritime Transportation Security Act (MTSA) of 2002, regulated facilities (including Outer Continental Shelf facilities) are required to assess and document vulnerabilities associated with their computer systems and networks in a Facility Security Assessment (FSA). Identified vulnerabilities in computer systems and networks are commonly referred to as cybersecurity vulnerabilities. Regulations require that any cybersecurity vulnerabilities identified in the FSA must be addressed in the Facility Security Plan (FSP) or Alternative Security Program (ASP).
The NVIC does not change the existing requirements found in regulation; it only provides guidance on how facility owners or operators may meet those requirements. Owners and operators may choose alternatives to the guidance in the NVIC if those alternatives meet the regulatory requirements.
In order to assist facilities in incorporating cybersecurity into their FSAs and FSPs, an implementation period of 1.5 years is being provided. This implementation period will end on 09/30/2021. Facility owners and operators who already address cybersecurity in their FSAs and FSPs/ASPs should continue doing so, while considering whether the guidance in NVIC 01-20 can improve their ongoing practices.
Beginning 10/01/2021, facilities that need to submit cyber FSA and FSP/ASP amendments or annexes should do so by the facility’s annual audit date, which is based on the facility’s FSP/ASP approval date. COTPs will still have the flexibility, based on resource demands or upon request from a facility, to adjust when submissions are received, as long as all facility FSA and FSP (Headquarters for ASPs) submissions are received by the end of the one-year period, no later than 10/01/2022.
A NVIC Frequently Asked Questions (FAQs) List has been developed and will be updated based on questions and feedback received. Additionally, a Coast Guard Facility Inspector Job Aid is being finalized. Both publications will be located on the CG-FAC website. The NVIC can also be viewed on the Federal Register site.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.