The United States Coast Guard released a draft NVIC consisting of guidance regarding (1) the USCG's interpretation of the existing regulatory requirements under MTSA with respect to cybersecurity measures; and (2) the implementation of a "cyber risk management governance program."
On July 12, 2017, the United States Coast Guard ("USCG") announced a draft Navigation and Vessel Inspection Circular ("draft NVIC") No. 05-17 entitled "Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act ("MTSA")." The draft NVIC consists of two enclosures providing guidance regarding (1) the USCG's interpretation of the existing regulatory requirements under MTSA with respect to cybersecurity measures; and (2) the implementation of a "cyber risk management governance program." Although the guidance is not legally binding, the USCG instructed facility operators to use it until specific cyber risk management regulations are put into place.
Pursuant to 33 CFR parts 105 and 106, regulated facilities must identify and assess security threats and develop a Facility Security Plan ("FSP") addressing and mitigating those threats. The USCG has interpreted these provisions to include cyber threats. At its outset, the draft NVIC lists a number of options available to facility owners regarding their cybersecurity and risk management programs. For example, owners whose programs already provide strong cyber defense may demonstrate that their cybersecurity policies meet or exceed the requirements under the above-referenced CFR provisions. Additionally, owners with an existing comprehensive cybersecurity plan, or those that wish to apply a standard security program spanning multiple facilities, may submit a security plan under 33 CFR 101.120. Further, the draft NVIC provides that once its guidance is finalized, owners may comply with MTSA regulations by including cyber risks in their Facility Security Assessment ("FSA") and FSP as appropriate. The draft NVIC provides that while owners are not required to "indicate specific or technical control," they "should provide general documentation on how they are addressing their cyber risks."
Enclosure (1) of the draft NVIC is intended to assist owners in identifying cyber systems relevant to MTSA or to a Transportation Security Incident. As an overarching measure, the draft NVIC recommends that cybersecurity information be provided to and used by the individuals conducting FSAs. Regulatory assessment topics include: security administration and organization, drills and exercises, records and documentation, responses to changes in MARSEC levels, communications, vessel interfacing procedures, security systems and equipment maintenance, access control, restricted areas, cargo handling, delivery of stores, FSPs, and audits and security plan amendments. For each implicated area, the draft NVIC provides guidance on how to apply it in the cybersecurity context.
Enclosure (2) is divided into four main sections establishing guidance on identifying and addressing cyber risks, based upon the National Institute of Standards and Technology ("NIST") Cybersecurity Framework and NIST Special Publication 800-82. It provides guidance regarding:
- establishing cyber risk management teams and policies as well as implementing said policies through a cyber risk management program and culture beginning at the executive level;
- procedures for a "thorough enterprise-wide cyber system inventory and analysis;"
- "implementation methods for identifying critical systems and assessing, prioritizing, and mitigating their vulnerabilities," including an evaluation of critical systems, vulnerabilities, and worst-case scenarios using a number of risk evaluation tables provided in Appendix A to the draft NVIC.
Notably, the draft NVIC suggests that all vulnerabilities and consequences identified in this process should be recorded for review by the Captain of the Port. Lastly, Enclosure (2) also contains a number of specific examples of cyber practices recommended under the draft NVIC in order to most effectively protect against, detect, respond to, and recover from various cyber threats. These include recommendations with respect to elements of cyber awareness programs, control and use of cyber systems, network segmentation, equipment protection, monitoring and reporting of cyber issues, planning for cyber incidents, and responding and recovering effectively and efficiently when such an event occurs.
The USCG is soliciting comments on the feasibility of the draft NVIC's implementation, its flexibility and usefulness, and its ability to remain valid in light of technological changes and industry conditions. Any such comments must be submitted to the USCG on or before September 11, 2017.