Cyber Awareness & Risk Management

Cyber Awareness Series Part 1: Facility compliance

Editor's note: This article is the first in a series that the Coast Guard will be publishing in recognition of Cybersecurity Awareness Month. Now in its 18th year, Cybersecurity Awareness Month offers an opportunity to emphasize the importance of cybersecurity and cyber risk management across all critical infrastructure, and especially the Marine Transportation System (MTS). Cybersecurity Awareness Month also coincides with the Department of Homeland Security's Cyber Sprint for Transportation Security. Through current authorities, rulemaking, and industry and stakeholder engagement, DHS is pursuing a strengthened cybersecurity posture among critical transportation operators, with the Coast Guard charged with the maritime transportation sector.

Submitted by the Office of Port & Facility Compliance

Coast Guard begins verification of cybersecurity requirements for Maritime Transportation Security Act-regulated facilities

Due to an increase in cyber threats and vulnerabilities in the Marine Transportation System, the Coast Guard promulgated Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities, in March of 2020. NVIC 01-20 provides guidance on assessing cyber risks when conducting required Facility Security Assessments (FSA) and incorporating cybersecurity within Facility Security Plans (FSP) required by 33 CFR parts 105 and 106.

Recognizing that NVIC 01-20 represented first-of-its-kind guidance when it was released last spring, the Coast Guard established a 1.5-year implementation period, which allowed MTSA-regulated facility owners or operators time to incorporate cybersecurity into their FSAs and FSPs. During that time, the Coast Guard invested in training of its field personnel, dissemination of best practices, engagement with industry stakeholders, and similar internal alignment before the implementation period ended on Sept. 30, 2021.

Beginning on Oct. 1, 2021, facility owners and operators who have not already done so should submit FSP cyber amendments or annexes to their local Captain of the Port (COTP) as part of the facility's annual audit. COTPs will verify that facilities have addressed cybersecurity within the FSA and FSP cyber amendments/annexes. COTPs retain discretion on whether the requirements have been met, and on any potential extension of submission dates.

In keeping with current Alternative Security Plan (ASP) processes, Commandant, via the Office of Port and Facility Compliance (CG-FAC), will maintain review and approval responsibilities for ASPs, while Coast Guard COTPs will retain verification responsibilities.

A Frequently Asked Questions (FAQs) List was developed in support of NVIC 01-20 and the incorporation of cyber into FSAs and FSPs, and is updated as questions and feedback are received. Additional information related to NVIC 01-20 can also be viewed on the Federal Register website.

For questions regarding NVIC 01-20 implementation guidance and FSP/ASP amendment/annex submission, it is recommended that owners and operators of MTSA-regulated facilities contact their local Captain of the Port well in advance of their next annual audit date before 10/01/2022.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.