Navigation and Vessel Inspection Circular (NVIC) 01-20; Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities
| Published date | 20 March 2020 |
| Citation | 85 FR 16108 |
| Record Number | 2020-05823 |
| Section | Notices |
| Court | Coast Guard,Homeland Security Department |
Federal Register, Volume 85 Issue 55 (Friday, March 20, 2020)
[Federal Register Volume 85, Number 55 (Friday, March 20, 2020)]
[Notices]
[Pages 16108-16115]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-05823]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Coast Guard
[Docket No. USCG-2016-1084]
RIN 1625-ZA39
Navigation and Vessel Inspection Circular (NVIC) 01-20;
Guidelines for Addressing Cyber Risks at Maritime Transportation
Security Act (MTSA) Regulated Facilities
AGENCY: Coast Guard, DHS.
ACTION: Notice of availability.
-----------------------------------------------------------------------
SUMMARY: The Coast Guard announces the availability of Navigation and
Vessel Inspection Circular (NVIC) 01-20, titled Guidelines for
Addressing Cyber Risks at Maritime Transportation Security Act (MTSA)
Regulated Facilities. This NVIC clarifies the existing MTSA
requirements related to computer system and network vulnerabilities of
MTSA-regulated facilities. It also provides owners and operators of the
facilities with guidance on how to analyze these vulnerabilities in
their required Facility Security Assessment (FSA) and address them in
the Facility Security Plan (FSP).
FOR FURTHER INFORMATION CONTACT: If you have questions on this notice,
call or email, CDR Brandon Link, U.S. Coast Guard; telephone 202-372-
1107, email [email protected].
SUPPLEMENTARY INFORMATION:
Discussion
As discussed in the United States Coast Guard Cyber Security
Strategy, released in June 2015,\1\ and the draft NVIC,\2\ published
for public comment on July 12, 2017 (82 FR 32189), cyber security is
one of the most serious economic and national security challenges for
the maritime industry and our nation. Maritime facility safety and
security systems, such as security monitoring, fire detection, and
general alarm installations increasingly rely on computer systems and
networks. While these computer systems and networks create benefits,
they are inherently vulnerable and introduce new vulnerabilities.
---------------------------------------------------------------------------
\1\ https://www.uscg.mil/Portals/0/Strategy/Cyber%20Strategy.pdf.
\2\ The Coast Guard assigns NVICs based on the year and order in
which they are issued in the final form. The draft version of this
NVIC was assigned NVIC number 05-17. However, since the final
version of the NVIC will be issued in the year 2020, we have
assigned it a new number 01-20.
---------------------------------------------------------------------------
There are many resources, technical standards, and recommended
practices available to the maritime industry that can help with
identifying vulnerabilities to facility computer systems and networks
and subsequently incorporating those vulnerabilities into FSPs.
However, recent Coast Guard experience suggests the maritime industry
may not be aware of or utilizing these resources. Therefore, this NVIC
recommends how MTSA-regulated facilities can address and mitigate cyber
security risks while ensuring the continued operational capability of
the nation's Marine Transportation System (MTS).
The Maritime Transportation Security Act of 2002 (MTSA) (Pub. L.
107-295, November 25, 2002, as codified in 46 U.S.C. Chapter 701)
addresses the security of the MTS and authorizes the Coast Guard to
prescribe regulations. Under the authority of MTSA, the Coast Guard
promulgated regulations in subchapter H of Title 33 of the Code of
Federal Regulations (CFR). These
[[Page 16109]]
regulations established general requirements for facility security and
provided facility owners and operators discretion to determine the
details of how they will comply with those requirements.
This NVIC provides recommended practices for MTSA-regulated
facilities to address computer system and network vulnerabilities, more
commonly referred to as cyber security vulnerabilities.\3\ Based on
industry comments, the Coast Guard has revised the NVIC and its
Enclosures. We revised the NVIC to clarify its advisory nature and
applicability. The Coast Guard also changed the title of the draft NVIC
Enclosure (1) from Cyber Security and MTSA: 33 CFR parts 105 and 106 to
Cyber Security and MTSA. The Coast Guard made this change because the
revised Enclosure (1) consists of two separate sections: The first
section advises on the nature and purpose of the MTSA regulations and
the second section discusses specific provisions of 33 CFR parts 105
and 106 that may apply to a Facility Security Plan (FSP) if a Facility
Security Assessment (FSA) identifies any computer system and network
vulnerabilities. In addition, the revised Enclosure (1) clarifies that
MTSA regulations in 33 CFR parts 105 and 106 include a facility's
obligation to assess cyber security vulnerabilities while retaining the
discretion over the ways to address and mitigate them. We note in the
Enclosure that MTSA-regulated facilities must comply with MTSA
regulations, but it is up to each facility to determine how to
identify, assess, and address the vulnerabilities of their computer
systems and networks. We added a line about discussing backup means of
communication, which are required by 33 CFR 105.235(d) and 106.240(c)
and are part of the information considered when developing the FSA. We
also corrected two typos on page 1-4. In the paragraph titled Security
measures for access control, we corrected the citation from ``33 CFR
105.260'' to ``33 CFR 106.260'' and in the paragraph titled Security
measures for restricted areas, we corrected the citation from ``33 CFR
105.265'' to ``33 CFR 106.265''.
---------------------------------------------------------------------------
\3\ The existing regulatory requirement for assessing and
addressing vulnerabilities to ``computer systems and networks'' is
written broadly enough to encompass the more common term ``cyber
security'' and to account for advances in technology. Under current
regulations, facility owners must regularly update their FSAs and
FSPs (see, e.g., 33 CFR 105.310, 105.410, and 105.415) to address
new or previously unidentified security vulnerabilities.
---------------------------------------------------------------------------
The draft NVIC contained an Enclosure (2) titled Cyber Governance
and Cyber Risk Management Program Implementation Guidance. This
Enclosure provided recommended practices, including the National
Institute of Standards and Technology (NIST) Cyber Security Framework
(CSF) and NIST Special Publication 800-82. For the reasons described
below, we have removed Enclosure (2) from the NVIC.
The Coast Guard sought public comments on the draft NVIC's
necessity, robustness, and its costs. Specifically, we sought comments
on the feasibility of the implementation of the NVIC's guidance, its
flexibility and usefulness in addressing the broad scope of
vulnerabilities and risk facing regulated facilities, and its ability
to remain valid when technology and industry's use of technology
changes. In addition, the Coast Guard sought comments on whether this
guidance aligned with activities that industry has already implemented.
After the 90-day public comment period closed on October 11, 2017,\4\
the Coast Guard reviewed and analyzed the comments contained in 25
letters received. Below we summarize and respond to the public
comments.
---------------------------------------------------------------------------
\4\ The Coast Guard extended the initial comment period end date
from September 11, 2017, to October 11, 2017 (82 FR 42560).
---------------------------------------------------------------------------
Comments Received
1. Comments on NVIC's Enclosure (2)
Many of the comments described concerns with Enclosure (2).
Enclosure (2) described best practices and expectations for all MTSA
regulated entities, and cited to the National Institute of Standards
and Technology's Cyber Security Framework (NIST CSF) to promote
effective self-governance. Some commenters perceived Enclosure (2) as
overly detailed and not suitable for application by small owners and
operators. Other commenters suggested that the Coast Guard simply
direct all owners and operators to use the NIST framework. Based on
these comments, we have concluded that Enclosure (2) created more
confusion than benefit for the owners and operators of MTSA-regulated
facilities. For example, some commenters mistook the described examples
and the framework for recommended parts of an FSA. Others expressed an
expectation for more specific recommendations on various technical
specifications. Therefore, the Coast Guard has removed Enclosure (2)
from the NVIC. However, in response to several comments supporting the
NIST CSF, which was discussed in Enclosure (2), we added a sentence to
paragraph (2) of the NVIC encouraging the use of the NIST CSF as a
means to improve a facility's cyber posture above what is outlined in
the NVIC.
2. Comments on Flexibility and Adaptability
Many commenters stated cyber security guidance should be flexible
and should allow each facility to create solutions that fit its
specific needs and changing risks. The Coast Guard agrees. This NVIC
does not include a checklist or otherwise prescribe cyber security
solutions. This NVIC emphasizes that existing regulations require MTSA-
regulated facilities to assess and address vulnerabilities in computer
systems and networks and provides guidance on how to mitigate those
cyber security vulnerabilities identified in the facility's FSA.
3. Comments on the Implementation of the NVIC
A. The draft NVIC stated that once it was finalized, facility
owners and operators could demonstrate their compliance with MTSA
regulations by including cyber security risks and a general description
of cyber security measures in their FSPs.
In response to that statement, many commenters expressed concerns
regarding potential delays in re-inspections and re-approvals of new
FSPs, and economic burdens for ports and facilities (including small
ports and facilities with a limited number of employees), that might
have to perform new FSAs and re-write existing FSPs immediately after
the NVIC's issuance. Similarly, one other commenter suggested that a
separate cyber section be added to FSAs and FSPs instead of using all
other sections for cyber information. One of the commenters also
suggested that smaller facilities with a limited number of employees
should have more general roles when it comes to cyber security.
The Coast Guard emphasizes this NVIC applies to MTSA-regulated
facilities only and does not apply to ports. However, those ports that
manage MTSA-regulated facilities are required to ensure that the
facilities comply with MTSA requirements.
This NVIC does not impose any new burdens or requirements on MTSA-
regulated facilities. As discussed above, current Coast Guard
regulatory authority in 33 CFR parts 105 and 106 already requires MTSA-
regulated facilities to evaluate their computer system and network
vulnerabilities in their FSAs and address them in the FSPs. Thus, all
owners or operators of MTSA-regulated facilities, regardless of size,
have to comply with MTSA regulations. As the draft NVIC indicated, the
owners and
[[Page 16110]]
operators could comply with the MTSA regulations by either revising
current FSPs or attaching a cyber-annex to the FSP. If the owner or
operator elects to create a cyber-annex, it would be the only part of
the FSP subject to re-inspection and re-approval. Likewise, if the
owner or operator chooses to incorporate cyber security vulnerabilities
into the FSP, then only those new parts would be subject to re-
inspection and re-approval. The MTSA regulations governing FSP
amendments can be found in 33 CFR 105.415 and 106.415.
As to the general roles of employees at small MTSA-regulated
facilities, this NVIC does not prescribe individual roles within a
facility's organization. It is the facility's responsibility to
determine the individual roles of its employees and how they can
address cyber security risks identified by the FSA.
Based on comments received, we have revised the final text of the
NVIC and Enclosure (1) to clarify the NVIC's advisory nature and a
facility's obligations under the MTSA regulations. We also added a
sentence to Enclosure (1) stating that the Coast Guard would only
review the newly added cyber-annex or FSP parts related to cyber
security.
B. The draft NVIC recommended facility owners and operators
describe the roles and responsibilities of facility cyber security
personnel, and provide facility cyber security information to Coast
Guard personnel conducting FSP reviews or approvals.
Based on those recommendations, some commenters expressed concerns
about the new methods of evaluation and approval of their FSAs and
FSPs; the role and level of cyber security knowledge and training of
Coast Guard personnel in reviewing FSAs and FSPs; and the level of
knowledge, required qualifications, and duties of a Facility Security
Officer (FSO). Some of the commenters also asked the Coast Guard to
provide training and conduct exercises for inspectors and port
personnel. In addition, the commenters asked if a facility's IT
department should become a part of the facility personnel with security
duties; if the IT data stored offsite would be subject to the MTSA
requirements; and if an FSA would be expected to extend to the building
where critical cyber systems are housed.
This NVIC does not alter the process the Coast Guard uses to
conduct FSA and FSP evaluations and approvals. This NVIC provides
guidance to facility owners and operators in complying with current
statutory and regulatory requirements to assess, document, and address
computer system and network vulnerabilities. Therefore, facility owners
and operators whose FSAs and FSPs do not currently address cyber
security vulnerabilities should revise them in compliance with MTSA
regulations, which require the FSAs and FSPs to be re-evaluated and re-
approved. Facility owners and operators are encouraged to work with the
local Captain of the Port to determine a suitable timeframe for MTSA-
regulated facilities to update their FSAs with computer system and
network security vulnerabilities.
Some comments suggested that the Coast Guard personnel lacked cyber
security knowledge and training necessary to assess cyber security
vulnerabilities. The Coast Guard will assess its needs and may address
this issue in the future through internal policy or guidance to Coast
Guard personnel. However, it remains the legal obligation of the
facility owner or operator to assess and address computer system and
network vulnerabilities in the FSA and FSP. In our discussion of FSAs
in the 2003 final rule, we explained that a facility's security depends
in large part on how well the owner or operator assess vulnerabilities
that only he or she would know about.\5\ The rule requires that those
involved in a FSA be able to draw upon expert assistance in variety of
areas including current security threats, techniques used to circumvent
security measures, and radio and telecommunications systems including
computer systems and networks.\6\ The Coast Guard believes this
includes the expertise needed to self-assess risk and establish
security measures to counter the risks involved with a MTSA-regulated
facility's computer systems and networks.
---------------------------------------------------------------------------
\5\ 68 FR 60533. In the same paragraph we added that the
facility owner or operator must assume that threats will increase
against the vulnerable part of the facility and develop
progressively increasing security measures, as appropriate.
\6\ 33 CFR 105.300(d) and 106.300(d).
---------------------------------------------------------------------------
The level of cyber security knowledge and training of facility
personnel is the responsibility of a facility's owner or operator, as
performed through their FSO. The FSO's responsibilities are provided in
MTSA regulations, 33 CFR 105.205 and 106.210. They include the
responsibility to ensure the completion of an FSA and completeness of
an FSP, which should capture all items identified by the FSA, including
existing computer system and network vulnerabilities. At this time, the
Coast Guard is not planning to provide specific cyber training nor lead
cyber exercises for MTSA-regulated facilities or their personnel.
However, in May 2018 the Coast Guard, in coordination with the American
Bureau of Shipping (ABS) group, created a ``Marine Transportation
System Cyber Awareness'' webinar. The webinar provides basic cyber
awareness with a focus on maritime facility and vessel operations and
provides personnel at all levels of an organization with an
understanding of cyber terms and issues that may be encountered in the
MTS. A recording of the webinar is available online.\7\ Maritime
industry personnel are encouraged to reach out to their local Area
Maritime Security Committee (AMSC) Executive Secretaries for additional
information on this webinar.
---------------------------------------------------------------------------
\7\ http://mariners.coastguard.dodlive.mil/2018/06/08/6-8-2018-marine-transportation-system-cyber-awareness-webinar-recording-available-online/.
---------------------------------------------------------------------------
In response to the question regarding a facility IT department's
inclusion into facility personnel with cyber security duties, the Coast
Guard notes this NVIC is not intended to dictate the structure of a
facility organization. Each individual facility should determine its
appropriate organizational structure and determine whether making a
facility's IT department a part of the security personnel would help
the facility address its cyber security risks.
In response to the question about offsite storage of IT data, the
Coast Guard agrees with the commenter that the Coast Guard's MTSA
jurisdiction ends at the facility's fence-line in the physical domain.
The Coast Guard notes that the regulations found in 33 CFR part 105 or
106 are not drafted to exert regulatory control over computer systems
physically located outside the regulated facility's footprint (for
example, in a building outside the facility footprint where the
critical cyber system is housed). However, if an FSA identifies
vulnerabilities to the facility, including to the onsite computer
systems, originating from or via computer systems and networks outside
of the MTSA-regulated facility's footprint, then the owner or operator
needs to address how they will mitigate those vulnerabilities.
Based on the comments received, the Coast Guard added text on pages
1-1 and 1-2 of the NVIC's Enclosure (1) to give the facility owners and
operators an example of what they should consider within their broad
discretion in addressing their facility cyber security vulnerabilities,
including the facility's structure, and its personnel training, roles
and responsibilities.
C. Several commenters stated that the NVIC should be revised to use
only common cyber security language, and
[[Page 16111]]
reference specific standards (for example, the International
Association of Drilling Contactors (IADC) Guidelines for Assessing and
Managing Cyber Security Risks at Drilling Assets, and IADC Guidelines
for Network Segmentation) to assist owners and operators in addressing
computer system and network vulnerabilities.
The Coast Guard recognizes the draft NVIC interchangeably used
various terms such as, ``cyber systems,'' ``cyber risks,'' ``cyber/
computer system security,'' and ``cyber security.'' We agree that the
NVIC should use common cyber security language. Based on these
comments, the Coast Guard revised the NVIC and its Enclosure (1) to
clarify the meaning of provisions of 33 CFR parts 105 and 106. These
MTSA regulations require facilities to evaluate their radio and
telecommunication equipment, including computer systems and networks,
for vulnerabilities. These provisions require facility owners and
operators of MTSA-regulated facilities to analyze cyber security
vulnerabilities within their facilities.
In regard to the use of specific cyber security references and
standards, the Coast Guard encourages facilities to use the NIST CSF,
but does not prescribe any particular references or standards at this
time. This is to avoid limiting facility owners and operators in the
ways they may address computer system and network vulnerabilities at a
specific facility. The Coast Guard did not make any edits to the text
of the final NVIC in regards to specific references or standards.
However, in response to several public comments supporting the NIST
CSF, we added a sentence to paragraph (2) of the NVIC encouraging the
use of the NIST CSF as a means to improve a facility's cyber posture.
D. The draft NVIC's Enclosure (1) recommended facility owners and
operators establish security measures to control access to the
facility.
Based on that recommendation, some industry commenters expressed
concerns about the NVIC's focus on physical security rather than cyber
security. At the same time, other commenters indicated that MTSA was
meant to address only physical security of computer systems and
networks and did not apply to cyber security.
MTSA requires that security plans address both physical security
and communications systems, to deter to the maximum extent practicable
a transportation security incident.\8\ MTSA regulations in 33 CFR parts
105 and 106 require MTSA-regulated facilities to analyze their ``radio
and telecommunications equipment, including computer systems and
networks.'' \9\ As such, the FSAs must identify vulnerabilities to the
facility computer systems and networks, and, if any exist, the FSP must
address mitigation for those identified vulnerabilities. Moreover, in
the time since the Coast Guard solicited public comment on the draft
NVIC, Congress has amended MTSA to explicitly state that FSAs and FSPs
must cover cyber security risks.\10\ We disagree with assertions that
the existing requirement to assess vulnerabilities to computer systems
and networks refers only to physical security. In addition to the plain
language of ``computer systems and networks'' used in the 2003 rule,
the preamble to the rule specifically discussed camera monitoring as an
alternative to human patrols, showing that the Coast Guard had
contemplated electronic systems as part of the facility security
systems covered by the rule.\11\ The existing regulatory text
contemplates a regularly updated plan for responding to existing and
developing threats the facility owner or operator identifies. When
developing an FSA the facility security officer is expected to either
be able to, or draw upon third parties that have expertise to, identify
security vulnerabilities, including vulnerabilities to computer systems
and networks.\12\ This requirement has been in place since 2003. It is
not limited to physical threats, and the preamble said that the
facility owner or operator must assume that threats will increase, and
must develop progressively increasing security measures as
appropriate.\13\ While initial FSAs and FSPs did focus primarily on
physical security issues because those were readily identifiable, the
Coast Guard has continually raised cyber security as an emerging issue
for over a decade \14\ and the NVIC issued today is another form of
outreach to industry about this threat to facilities. We think it is
clear, therefore, that the existing requirement to assess and mitigate
vulnerabilities to computer systems and networks encompasses cyber
security.
---------------------------------------------------------------------------
\8\ 46 U.S.C. 70103(c)(3). We note that Congress was aware of
cyber security issues as early as the 1980s, and specifically
addressed viruses and Trojan horses the year after passing MTSA.
See, e.g., the Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030
(1986) (addressing malicious code and hacking, and under which
successful prosecution was brought in the early 1990s for damage
caused by internet-based worms); and the CAN-SPAM Act of 2003, 15
U.S.C. 7701, 7703(c)(1) (2003) (aiming to curb spam email containing
viruses, spyware, and other malicious code).
\9\ See 33 CFR 105.305(c)(1)(v), 105.400(a)(3), and
105.405(a)(17) for Facilities and 33 CFR 106.305(c)(1)(v),
106.400(a)(3), and 106.405(a)(16) for Outer Continental Shelf
Facilities.
\10\ Maritime Security Improvement Act of 2018, sec. 1801 et
seq., Public Law 115-254, 132 Stat. 3186 (2018) (the Act is Division
J of the FAA Reauthorization Act of 2018). The Coast Guard views
this as a reaffirmation and an indication of congressional emphasis,
rather than a new authority--a view supported by the House Report
accompanying an earlier version of the Act, which said the language
is clarifying and ``removes ambiguity'' as to the Coast Guard's
authority under MTSA (H. Rep. No. 115-356 (2018)).
\11\ 68 FR 60531.
\12\ 33 CFR 105.305(c) and (d). In the preamble to the 2003
rule, while discussing current security threats and patterns the
Coast Guard stated that ``Expertise in assessing risk is crucial for
establishing security measures to accurately counter the risk'' (68
FR 60515).
\13\ 68 FR 60533.
\14\ See, e.g., Maritime Transportation System Security
Recommendations (October 2005) available at https://www.dhs.gov/sites/default/files/publications/HSPD_MTSSPlan_0.pdf (``Use industry
outreach to help commercial operators understand what private
information could be exploited by terrorists and what cybersecurity
controls are appropriate for protecting the information.'').
---------------------------------------------------------------------------
Moreover, to the extent facility owners and operators have
automated physical security measures--for example by controlling access
gates with card readers and cameras instead of guards--MTSA's physical
security provisions encompass those electronic or virtual tools. The
regulations specifically enumerate requirements to consider
vulnerabilities to access, identification systems, utilities, and
similar functions that, if automated, may be vulnerable to cyber
security threats. At some facilities, operations and security are so
reliant on networks to operate, that cyber security and physical
security may be inextricably linked. We recognize that this is not true
of all facilities; some facilities may have no computer systems or
networks at all. The focus of this NVIC, therefore, is to highlight
each facility's responsibility to determine the existence of computer
and network vulnerabilities and address them in their FSAs and FSPs.
In response to these and other similar comments, the Coast Guard
made clarifying changes to both the NVIC and its Enclosure (1). We
added a sentence linking computer systems and networks to the term
``cyber security.'' We indicated that vulnerabilities in computer
systems and networks, as referenced in 33 CFR parts 105 and 106, mean
cyber security vulnerabilities. We also noted that it was up to each
facility to identify, assess, and address the vulnerabilities of their
computer systems and networks.
E. Three commenters asked the Coast Guard to recommend specific
cyber security technology (including state-of-
[[Page 16112]]
the art market cyber security solutions) that a facility would need to
have, and steps it would need to take, to implement the guidance
described in the NVIC. At the same time, some commenters noted that
mandating specific cyber risk management tools would not benefit MTSA-
regulated facilities as those tools would not be tailored to each
individual site.
This NVIC is not intended to inform facilities which cyber security
technology they need to use. Rather, it is intended to offer awareness
of MTSA regulatory requirements while allowing each facility the
discretion to determine the best way to assess and address any computer
system and network vulnerabilities. The NVIC does not mandate that
facilities use specific cyber security technology or take specific
actions to mitigate a computer system or network vulnerabilities. It
simply reminds facility owners and operators of existing MTSA
regulations that require the assessment of computer system and network
vulnerabilities in their FSAs and incorporation, where applicable, in
their FSPs. Therefore, for an owner and operator of an MTSA-regulated
facility to comply with the MTSA regulations referenced in the NVIC,
they would need to ensure the FSA assesses and FSP addresses computer
system and network vulnerabilities of their facility. Based on these
comments, the Coast Guard added clarifying language in the final NVIC
and its Enclosure (1). We stated that it is up to each facility to
identify, assess, and address the vulnerabilities of their computer
systems and networks.
F. The draft NVIC's Enclosure (1) recommended that facility owners
and operators describe additional cyber-related measures to be taken
during changes in MARSEC levels.
In response to that recommendation, several commenters stated that
requiring enhanced cyber security measures as a result of a MARSEC
level increase would be impractical, and asked the Coast Guard to
eliminate this expectation of the facilities. One of the commenters
also asked the Coast Guard to inform the industry on the level of cyber
security and any necessary response, as it does for physical security,
including changes in MARSEC levels.
Although both 33 CFR 105.230 and 33 CFR 106.235 require facility
owners and operators to implement additional security measures in the
event of a MARSEC level change, the Coast Guard agrees that it may not
always be practical to do the same with cyber security. Some changes in
MARSEC level could involve cyber security threats but others may not,
and a change in cyber security posture may not always be appropriate.
In response to public comments, the Coast Guard revised the NVIC's
Enclosure (1) to remove the language related to changes in MARSEC
levels and references to 33 CFR 105.230 and 106.235. Under existing
regulations including those at 33 CFR 105.405 and 106.405, however, the
FSP must indicate how the facility will respond to a changing MARSEC
level.
G. The draft NVIC's Enclosure (1) indicated that if any cyber
security vulnerabilities were identified in an FSA, owners and
operators could choose to provide that information in a variety of
formats, such as a stand-alone cyber annex to an FSP, or by
incorporating the vulnerabilities into the existing FSP. In response to
this statement, some commenters expressed confusion regarding multiple
formats in which the Coast Guard will require an incident report. The
Coast Guard notes that an FSA, a stand-alone cyber annex, or an
amendment to an approved FSP addressing computer system or network
vulnerabilities, are documents completely separate from a cyber-
incident report. This NVIC addresses MTSA cyber security requirements
related to FSAs and FSPs. For more information on reporting a cyber
security incident, please consult the CG-5P Policy Letter 08-16 titled
``Reporting Suspicious Activity and Breaches of Security,'' available
at https://homeport.uscg.mil. The Coast Guard did not revise the NVIC
in response to these comments because this NVIC does not impose any new
reporting requirements on owners and operators of MTSA-regulated
facilities.
H. The draft NVIC's Enclosure (1) stated that security patches
should be installed as they become available.
One commenter had a question as to the intervals with which
security patches should be installed at their facility.
The draft NVIC's Enclosure (1) indicated that it was best to
install security patches as they became available. The Coast Guard
notes that facilities can choose the intervals with which to install
security patches. However, waiting for scheduled intervals to install
security patches and other updates instead of performing such actions
immediately provides opportunities for system exploitation. However, we
have modified the paragraph titled Security systems and equipment
maintenance in the NVIC's Enclosure (1) to clarify that cyber-related
procedures for managing software updates and patch installations should
be described in the FSP.
I. One commenter asked about reporting a cyber security incident to
a police department as an alternative to the established reporting
requirements.
Contacting a local police department does not meet the reporting
requirements described in the MTSA regulations at 33 CFR 101.305
(``Reporting''). As noted above, the requirements for reporting
suspicious cyber related activity or breaches of security for MTSA-
regulated entities are outlined in CG-5P Policy Letter 08-16 titled
``Reporting Suspicious Activity and Breaches of Security,'' available
at https://homeport.uscg.mil.
J. Because the draft NVIC referred to various responsibilities of
facility employees, two commenters expressed concerns about access
facility employees may have to sensitive information and requested more
clarity on the access process for such employees. One of the commenters
also expressed concerns over making a company's cyber security program
more vulnerable to attack by including it into an FSP. Two other
commenters specifically asked about the interplay between this NVIC and
the Coast Guard's TWIC regulations. Another commenter was concerned
about the Coast Guard interfering with facility business models, which
reflect facility operations.
MTSA regulations require the inclusion of computer system and
network vulnerabilities into an FSA and an FSP (See 33 CFR
105.305(c)(1)(v) and 105.405(a)(17) for Facilities and 33 CFR
106.305(c)(1)(v) and 33 CFR 106.405(a)(16) for OCS Facilities). This
NVIC simply reminds owners and operators of the existence of MTSA
regulations related to computer system and network vulnerabilities.
These requirements are intended to reduce security risks, not create
them. Although the process of granting access to facility employees was
not meant to be addressed in this NVIC or prescribed by the Coast
Guard, we note that it should be determined by each facility depending
on its specific cyber security risks. This NVIC does not change any
legal requirements including the existing requirements to operate in
accordance with TWIC requirements (see, e.g., 33 CFR 105.115(c)).
As to the comment regarding the inclusion of a facility's cyber
security risks into an FSP, the Coast Guard notes that FSPs are
considered Sensitive Security Information under 49 CFR 1520.5(b), which
can only be accessed by a covered person with a need to know. The risk
of adding cyber
[[Page 16113]]
mitigation measures to an FSP is not higher than the risk currently
posed for FSPs that address physical security mitigation measures. FSPs
are not released to the public by the Coast Guard,\15\ nor should they
be released by the facilities.
---------------------------------------------------------------------------
\15\ See 33 CFR 105.400(c) and (d) and 33 CFR 106.400(c) and
(d).
---------------------------------------------------------------------------
In regard to the comment about the interplay between TWIC
regulations and this NVIC, the Coast Guard notes that this NVIC has no
direct impact on the TWIC regulations. MTSA-regulated facilities should
continue to follow current TWIC regulations as written.
We also note that this NVIC is not intended to interfere with
facility business models, but reminds facility owners and operators of
their responsibilities under the MTSA regulations, which are meant to
help keep their facilities safe from transportation security incidents,
including Transportation Security Incidents (TSI) caused by cyber
security vulnerabilities.
We made no changes to the final NVIC in response to these comments.
K. Two commenters asked to see a national and port vulnerability
assessment for better understanding of the Coast Guard's expectations
for individual operators.
The Coast Guard does not believe that a national or port
vulnerability assessment is necessary for an individual facility to
assess its own cyber security vulnerabilities to comply with MTSA
regulations. However, local AMSCs led by Coast Guard Captains of the
Port, acting in their capacity as Federal Maritime Security
Coordinators, address, discuss, and share maritime security information
with the industry. The Coast Guard highly encourages personnel with
security duties at MTSA-regulated facilities to participate and
collaborate with local AMSCs to gain more insight into port level
security issues.
The Coast Guard made no changes to the final NVIC in response to
these comments.
4. Comments on the Enforcement of the NVIC
The draft NVIC's Enclosure (1) noted that the italicized text of
the enclosure provided general guidance on MTSA regulations that may
apply to an FSP, if an FSA identifies any computer system and network
vulnerabilities
Based on that statement, many commenters believed the NVIC
contained mandatory language. Some of those commenters also asked to
clarify the purpose of the italicized text, and how the Coast Guard
intended to enforce the NVIC and allocate its resources for this
purpose.
The Coast Guard clarifies that the NVIC itself is an advisory
document and is not subject to enforcement as a regulation. MTSA
regulations, however, are enforceable. Although the Coast Guard will
not change the enforcement process as a result of the NVIC, we will
verify that facility FSAs and FSPs address cyber security
vulnerabilities as required by 33 CFR 105.305(c)(1)(v), 33 CFR
105.400(a)(3), 33 CFR 105.405(a)(17), 33 CFR 106.305(c)(1)(v), 33 CFR
105.40(a)(3), and 33 CFR 106.405(a)(16).
The purpose of the bold text in Enclosure (1) is to provide the
industry with a list of regulatory citations that may apply to a
facility's FSP. The Coast Guard's recommendation on each regulatory
citation, for both FSA and FSP, is contained in italics under each
citation.
Based on these comments, the Coast Guard has revised the NVIC and
its Enclosure (1) to clarify that although the MTSA regulations in 33
CFR parts 105 and 106 are mandatory, it is up to each facility to
identify, assess, and address the vulnerabilities of their computer
systems and networks. We also added a sentence to the introduction of
Enclosure (1) to explain the purpose of the italicized text.
5. Comments Suggesting New Provisions or Clarifying Language
A. Several commenters asked the Coast Guard to add cyber security
recommendations on monitoring activity. In response to these comments,
the Coast Guard added the paragraph titled Security measures for
monitoring to Enclosure (1) of the NVIC.
B. The draft NVIC's Enclosure (1) stated that facility owners and
operators may utilize a security plan under the Alternative Security
Program (ASP).
In response to that statement, one commenter stated that requiring
a focused cyber security plan to go through the ASP program would
require facilities to design their own access control, restricted area,
cargo handling, and other measures that are not directly related to
cyber security. One other commenter suggested that the Coast Guard
should allow amendments to the FSP to be submitted under an ASP at the
time of the next scheduled revision of the ASP. One of the commenters
also asked to clarify if a facility could reference their existing
cyber security plan documents as an alternative to the Coast Guard's
review.
The ASP does not require a detailed cyber security plan. Nor does
it impose any new or different requirements. The ASP is an option that
owners and operators may use to comply with the MTSA regulations. In
response to the comment about referencing an existing cyber security
plan, we note that a facility owner or operator may reference other
documents in the ASP, but they would need to be reviewed and considered
in the Coast Guard's approval of the ASP.
We revised the NVIC's Enclosure (1) to clarify that the information
contained in the NVIC also applies to the ASP, per 33 CFR 101.120(b),
which means that the Coast Guard will accept documentation showing
equivalent levels of security required by MTSA regulations.
C. Some commenters asked us to use different wording in various
parts of the NVIC and its Enclosure (1), and we discuss those changes
here.
1. ``[P]revent unauthorized loading/unloading cargo'' instead of
``prevent cargo that is not meant for carriage from being accepted'';
we made that change.
2. ``FSPs are in place and are considered to be appropriate and
effective'' instead of ``FSPs are in place and are believed to be
appropriate and effective''; we made that change.
3. ``Describe how those systems are protected and an alternative
means of communication as well as the communication responsibility
should the system be compromised or degraded'' instead of ``describe
how those systems are protected and an alternative means of
communication should the system be compromised or degraded.'' We made
this change with some modifications.
4. ``Describe cyber-related procedures for interfacing with vessels
to include any network interaction, portable media exchange, or
wireless access sharing or remote vendor servicing'' instead of
``Describe cyber-related procedures for interfacing with vessels to
include any network interaction, portable media exchange, or wireless
access sharing.'' Similarly, another commenter suggested that we add
the term ``remote access'' before the words ``portable media exchange''
in the original sentence. We added the term ``remote access'' and
believe it captures the intent of both commenters.
5. ``Describe cyber-related procedures for managing software
updates and patch installations of systems used to perform or support
functions identified in the FSP (e.g., identification of needed
security updates, planning and testing of patch installations)''
instead of ``Cyber systems used to perform or support functions
identified in the FSP should be maintained, tested, calibrated,
[[Page 16114]]
and in good working order (e.g., conduct regular software updates and
install security patches as they become available).'' We made this
change.
6. ``Describe how cyber security is included as part of personnel
training, policies and procedures and how the cyber security training
material will be kept current and monitored for effectiveness'' instead
of ``Describe how cyber security is included as part of personnel
training, policies and procedures.'' We added language about keeping
training material current.
7. Another commenter asked the Coast Guard to add the following
sentence to the paragraph titled ``Communications'' in Enclosure (1):
``During crew or shift changes, handover notes should include cyber
security related information and updates.'' The Coast Guard agrees that
this recommendation may be useful to other facilities. We have added
this recommendation as an example under the paragraph titled
``Communications'' in Enclosure (1).
8. One of these commenters also asked us to add the following
sentence ``In case gaps are identified, corrective actions should be
taken in order for the provisions in the FSP to be satisfied.'' to the
end of ``The audit should include the name, position, and qualification
of the person conducting the audit.'' We did not incorporate the new
audit sentence into the NVIC because it is expected that the FSPs
should account for gaps in security.
D. One commenter requested that we add guidelines applicable to
MTSA-regulated vessels.
The Coast Guard notes this NVIC was not meant to address vessels.
It addresses MTSA-regulated facilities only. We will consider
addressing cyber security vulnerabilities for vessels in the future.
Based on this comment, we have revised the text of the final NVIC
to clarify its applicability to MTSA-regulated facilities only.
E. Another commenter asked us to clarify where the abbreviation
``N/A'' was supposed to be placed as asked in the following sentence of
Enclosure (1): ``If the area or function has no cyber nexus, indicate
``N/A.''
We have added the clarification as requested and added the
following to the end of the sentence: ```N/A'' in the FSA and FSP.''
F. The Coast Guard was also asked to re-number the draft NVIC's
Enclosure (1) to preserve traditional NVIC formatting, which we have
done.
G. Five commenters asked us to clarify the definition of the term
``general documentation'' in the paragraph titled MTSA regulations in
33 CFR parts 105 and 106 in the NVIC's Enclosure (1).
The Coast Guard used the term ``general documentation'' to indicate
that owners and operators would not have to use any specific forms or
indicate the use of any specific technology when demonstrating
compliance with the MTSA regulations. In addition, the Coast Guard's
intent was to highlight that facility owners and operators could use an
ASP to submit documentation showing equivalent levels of security
required by MTSA.
Based on these comments, we deleted the word ``general'' from
Enclosure (1) and added a footnote stating ``[i]n addition, facility
owners and operators may rely on the Coast Guard Alternative Security
Program to submit documentation showing equivalent levels of security
required by MTSA.''
H. Three other commenters requested a clarification of security
requirements for ports, transportation sector facilities, seaport
systems, offshore facilities, and individual operators, based on their
operating environment.
We note that this NVIC was not intended to address security
requirements for ports, transportation sector facilities, or seaport
systems. This NVIC applies to MTSA-regulated facilities, including
offshore facilities, and individual operators subject to MTSA. The
NVIC's Enclosure (1) references MTSA regulations that may apply to
MTSA-regulated facilities, depending on a facility's operating
environment and structure. It is each facility's responsibility to
determine what computer system and network vulnerabilities may be
created by their operating environment and address those
vulnerabilities in their FSAs and FSPs.
Based on these comments, we have revised the final text of the NVIC
and its Enclosure (1) to clarify the NVIC's applicability.
I. Two industry commenters asked the Coast Guard to provide
additional language on Global Positioning Systems (GPS) and Internet of
Things (IoT) devices. Specifically, one of the commenters asked the
Coast Guard to include into the NVIC the following language: ``A
powerful but little recognized method of cyberattack, GPS disruption
can disable end-use devices, interfere with communications links, and
provide hazardously misleading information to users and databases.
Because GPS signals undergird nearly every technology, DHS officials
have called GPS a single point of failure for critical
infrastructure.''
If GPS systems or IoT devices present a vulnerability to a MTSA-
regulated facility's computer or network system, they fall within the
existing regulations at 33 CFR parts 105 and 106, and should be
addressed in the FSP. However, these concerns are broad and, in the
case of IoT, still developing, and so we don't think it is appropriate
to devote a section of the NVIC to them at this time.
Therefore, the Coast Guard did not make edits to the text of the
final NVIC based on these two comments
J. One other industry commenter asked for the NVIC to address the
risks of third party contractor access to critical cyber systems and
networks.
These concerns are valid. However, it is up to the owner or
operator of a particular facility to determine if a third party having
access to the facility's computer systems and networks presents a risk
that should be mentioned in the facility's FSA and FSP.
We made no changes to the final NVIC in response to this comment.
K. Three commenters suggested that we classify MTSA facilities as
``critical control systems/controls'' and require them to be air-gapped
from business network systems. Two other commenters requested more
clarity on mitigation of cyber security risks.
This NVIC is not meant to impose requirements on the owners and
operators of MTSA-regulated facilities or suggest specific ways cyber
risks should be mitigated. This NVIC is meant to make facility owners
and operators aware of the existence of the MTSA regulations, which are
meant to assist them in protecting their facilities. It is up to each
facility to determine if computer system and network vulnerabilities
existing at the facility require air-gapping to mitigate
vulnerabilities.
We made no changes to the final NVIC in response to this comment.
6. Other Comments About the NVIC
A. The draft NVIC stated: ``[u]ntil specific cyber risk management
regulations are promulgated, facility operators may use this document
as guidance to develop and implement measures and activities for
effective self-governance of cyber vulnerabilities.''
Based on these statements, two commenters expressed concerns as to
the Coast Guard's regulatory authority to control how companies execute
their cyber risk management and its authority to issue this NVIC
without a notice of proposed rulemaking (NPRM). Another commenter asked
the Coast Guard to perform a risk assessment and cost benefit analysis
as a next step in the NVIC's development.
[[Page 16115]]
The Coast Guard acknowledges the comments and notes that this NVIC
is not a rule. As explained in detail earlier in this notice, the Coast
Guard is also not using its regulatory authority to issue this NVIC or
control how companies execute their cyber risk management decisions. To
the contrary, this NVIC constitutes advisory guidance meant to assist
facility owners and operators in complying with existing MTSA
regulations. The NVIC emphasizes that a facility is already obligated
by existing MTSA regulations to assess and address vulnerabilities in
computer systems and networks, but it has discretion to determine how
it will comply with the regulations and address its own cyber security
risks.
Based on these comments, we have revised the text of the NVIC and
its Enclosure (1) to clarify the advisory nature of the NVIC.
B. The U.S. Chamber of Commerce asked us to keep the NVIC in the
draft form and to have an ongoing dialog facilitating input from
industry stakeholders. The Chamber suggested that the Coast Guard
present the NVIC as a voluntary risk management tool, which might
become a beacon around which cyber security efforts could orient.
The Coast Guard acknowledges this comment and agrees that the NVIC
is a voluntary risk management tool, in that it informs owners and
operators about their existing regulatory obligations, and provides
suggestions for fulfilling those obligations. However, the Coast Guard
believes that finalizing the NVIC will provide owners and operators
with needed guidance on how to comply with the MTSA regulations
relating to computer and network security. Dialogue about cyber risk
management will continue to occur in a variety of forms, and the NVIC
provides contact information should the regulated public wish to
contact the Coast Guard with questions or concerns.
Based on this comment, we did not make any revisions to the final
NVIC.
C. The draft NVIC stated the Coast Guard had the regulatory
authority to instruct MTSA-regulated facilities to analyze computer
systems and networks for potential vulnerabilities within their
required FSA and, if necessary, address those vulnerabilities in their
FSP.
In response to that statement, three commenters suggested the Coast
Guard state that the facilities, to comply with MTSA, could limit their
cyber security measures to those information technology systems and
networks that have a direct maritime nexus. One of the commenters also
asked the Coast Guard to develop clear guidelines on cyber TSIs and
connections to MTSA facilities.
The Coast Guard is vested with authority to verify that MTSA-
regulated facilities comply with MTSA regulations, including the ones
relating to computer systems and networks regardless of whether that
system or network has a direct maritime nexus. In regards to a TSI and
connections to MTSA facilities, the Coast Guard notes that this NVIC
was not intended to discuss TSIs. However, we note that a TSI, as
defined in 33 CFR 101.105, is not limited to incidents with a specific
maritime cause. A TSI may result from a physical or cyber security
incident which originates from outside of the maritime environment. For
example, plausible TSIs caused by cyber threats could include:
Deliberate disabling of a facility's fire detection equipment, security
cameras, or security locks; a hack or ransomware that leaves such
systems inaccessible; damage to computer-controlled ventilation or
temperature control features at chemical facilities; or tampering with
or disabling the automated supply chain in a way that causes
significant economic disruption.
For the reasons stated, we did not make any changes to the text of
the final NVIC.
D. The draft NVIC's Enclosure (1) recommended that owners and
operators address cyber security vulnerabilities in their FSPs.
In response to that recommendation, some commenters expressed
general concerns about regulating fast-paced cyber security demands of
the commercial industry, the NVIC's focus on cyber vulnerabilities
rather than cyber risk management, and provided a suggestion for the
government to protect private companies from cyber-attacks.
These comments are general in nature and do not raise any specific
issues within the NVIC. The Coast Guard acknowledges these comments and
will consider them as part of the general on-going dialog on how to
improve cyber security at maritime facilities. We did not make any
changes to the final NVIC based on these comments.
The Coast Guard appreciates all the comments received. We will
continue to study this issue in light of the comments received before
issuing other notices or policy letters on this matter.
Dated: February 26, 2020.
Karl L. Schultz,
Admiral, U.S. Coast Guard, Commandant.
[FR Doc. 2020-05823 Filed 3-19-20; 8:45 am]
BILLING CODE 9110-04-P
