In the March 20, 2020 Federal Register, the Coast Guard published a Notice of Availability for Navigation and Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities. On the same day the Coast Guard also published ALCOAST Commandant Notice 040/20, which states that all facilities will be required to conduct facility security assessments (FSA) and amend their facility security plans (FSP) to incorporate cybersecurity vulnerabilities and mitigation strategies in accordance with the NVIC. This requirement applies to all MTSA facilities.
The implementation period runs from the date of the release of these documents until September 30, 2021. During this implementation period the Coast Guard intends for facilities to assess cybersecurity vulnerabilities for their FSAs and prepare mitigation strategies for their FSPs. At the end of the implementation period, once all the issues have been addressed and the kinks worked out, facilities must submit their proposed amendments for review and approval. Beginning October 1, 2021, facilities must begin submitting FSP amendments or cybersecurity annexes by the facility's annual audit date. All submissions must be made by October 1, 2022.
Cybersecurity is a complex issue. Writing these amendments and cybersecurity annexes will require significant input from facilities' IT and OT personnel. The NVIC suggests, but does not require, the use of the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. This is a comprehensive management document which covers the subject in great detail. It appears, based upon the guidance published by the Coast Guard, that the Coast Guard intends for facilities to have a thorough cybersecurity management plan incorporated into their FSPs.
As we move forward creating these cybersecurity annexes for our clients, I have one major concern: "scope creep." The Coast Guard makes it clear that this mandate is not based upon a new law, but originates from the MTSA. The Coast Guard is just providing guidance on how best to address the existing requirement to assess "vulnerabilities in computer systems and networks." The MTSA requires facilities to submit security plans for deterring a transportation security incident (TSI) to the maximum extent practicable. A TSI is defined in the regulations as: "a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area." All threat scenarios evaluated during an MTSA facility security assessment are supposed to be considered within the context of this TSI definition. Over the past seventeen years Coast Guard guidance has been aligned with this principle.
There are many cybersecurity threats to facilities. However, I suspect not all will cause or contribute to a TSI, a Breach of Security, and/or the identification of Suspicious Activity, and therefore will not rise to the level that will require inclusion in the FSP. This limited scope, described in the ALCOAST, is partially mentioned in one sentence in the NVIC, and is not mentioned at all in the Facility Inspector Cyber Job Aid, thus causing the potential for "scope creep." Remember, whatever is incorporated into the FSP basically has the force of law, and you can't change it without amending the FSP. The biggest challenge I see will be keeping cybersecurity threats addressed in the FSP within the limited scope described in the ALCOAST. This will require careful conversations with the Coast Guard personnel charged with review and approval.