08-14-2017 - USCG
Navigation and Vessel Inspection Circular (NVIC) 05-17; Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities
DRAFT NAVIGATION AND VESSEL INSPECTION CIRCULAR NO. 05-17
Subj: GUIDELINES FOR ADDRESSING CYBER RISKS AT MARITIME TRANSPORTATION SECURITY ACT (MTSA) REGULATED FACILITIES
Ref: (a) Title 33 of the Code of Federal Regulations (CFR) Subchapter H, Maritime
(b) National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF)
Purpose: In accordance with 33 CFR parts 105 and 106, MTSA-regulated facilities are required to assess vulnerabilities in computer systems and networks as part of their Facility Security Assessment (FSA). This Navigation and Vessel Inspection Circular (NVIC) will assist Facility Security Officers (FSOs) in meeting that requirement. Additionally, this NVIC provides guidance and recommended practices for Maritime Transportation Security Act (MTSA) regulated facilities to address cyber-related vulnerabilities. Until specific cyber risk management regulations are promulgated, facility operators may use this document as guidance to develop and implement measures and activities for effective self-governance of cyber vulnerabilities.
Cyber Security and MTSA: 33 CFR Parts 105 and 106.
Under current regulations in 33 CFR parts 105 and 106, facilities and outer continental shelf (OCS) facilities (hereinafter described as "facilities") are required to identify and assess security threats and to develop a Coast Guard-approved Facility Security Plan (FSP) to address and mitigate those threats. The existing language in parts 105 and 106 describes security threats in general terms; the Coast Guard interprets that language to include threats to computer systems and attacks in the electronic (cyber) domain.
In this draft document, the Coast Guard lays out its interpretation of the regulatory provisions in parts 105 and 106 as they apply to electronic and cybersecurity systems. This enclosure discusses the specific regulatory provisions that require owners/operators of an MTSA-regulated facility to address cyber/computer system security in the Facility Security Assessment (FSA) and, if applicable, to include in their FSPs measures that address any vulnerabilities identified in the FSA. This document is intended to assist the owner/operator in identifying cyber systems that support MTSA regulatory functions, or whose failure or exploitation could cause or contribute to a Transportation Security Incident.

If electronic or cybersecurity-related vulnerabilities are identified in an FSA, an owner/operator may document how they are addressed in a variety of formats, such as a stand-alone cyber annex to the FSP, or by incorporating cybersecurity procedures alongside the physical security measures of the FSP. In many cases, companies have already established cybersecurity and risk management programs that provide strong cyber defense. In those situations, the owner/operator may demonstrate that those existing policies meet or exceed the requirements of 33 CFR parts 105 and 106. Owners/operators that already employ a comprehensive cybersecurity plan for their organization, or who wish to apply a standard security program that incorporates cybersecurity across multiple facilities, may wish to submit a security plan under the Alternative Security Program, 33 CFR 101.120.
Once this guidance is finalized, an owner/operator may demonstrate compliance with the regulations by including cyber risks in the FSA and, where appropriate, including a general description of the cybersecurity measures taken in the FSP. Owners/operators do not need to list specific technical controls, but should provide general documentation of how they are addressing their cyber risks.