In the midst of the chaos generated by the COVID-19 pandemic, on March 20, 2020, the United States Coast Guard (USCG) released an important Navigation and Vessel Inspection Circular (NVIC 20-01) concerning “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities,” together with a Commandant Notice commenting on the NVIC. NVIC 20-01 has had a long path to finalization via notice and comment rulemaking, and has been discussed previously during the comment period on this blog. Ironically, given the increased threat of cyber attacks during this period when so many are working remotely via potentially vulnerable online infrastructures, this NVIC is, perhaps unintentionally, particularly well-timed.
NVIC 20-01 applies to MTSA-regulated “regulated facilities,” which includes “any structure or facility of any kind located in, on, under, or adjacent to any waters subject to the jurisdiction of the U.S.,” 33 C.F.R. § 101.105, “including Outer Continental Shelf [OCS] facilities” (“fixed or floating facility[ies], including MODUs” operating on the OCS and engaged in oil and gas exploration/production, 33 C.F.R. § 106.105). Under the MTSA, all regulated “facilities” are required (inter alia) to submit Facility Security Assessments (FSA) and Facility Security Plans (FSP) for approval by the USCG Captain of the Port (COTP), which then remain valid for five years or until the “facility” owner or COTP initiates an amendment to the FSP further to required annual audits (33 C.F.R. § 105.415). The FSA and FSP are intended (according to specifics outlined in the regulations) to identify security vulnerabilities and appropriate countermeasures to address them.
NVIC 20-01 SCOPE AND CONTENT
NVIC 20-01 as originally proposed was intended to provide guidance “on incorporating cybersecurity risks into an effective [FSA], as well as additional recommendations for policies and procedures that may reduce cyber risk to operators of maritime facilities.” 82 Fed. Reg. 32189. Indeed, the NVIC simply provides guidance for cybersecurity measures already required under the MTSA regulations: “NVIC [20-01] does not impose any new burdens or requirements on MTSA-regulated facilities [because USCG] regulatory authority in 33 CFR parts 105 and 106 already requires MTSA-regulated facilities to evaluate their computer system and network vulnerabilities in their FSAs and address them in the FSPs.” 85 Fed. Reg. 16108, 16109 (March 20, 2020).
In the Federal Register notice promulgating NVIC 20-01, the USCG recognizes that “maritime facility safety and security systems, such as security monitoring, fire detection, and general alarm installations increasingly rely on computer systems and networks… [which] are inherently vulnerable and introduce new vulnerabilities.” 85 Fed. Reg. 16108 (March 20, 2020). Likewise, the notice points out that, although there are myriad resources and best practices available to maritime actors for addressing cybersecurity issues (several of which have been discussed on this blog), “recent [USCG] experience suggests the maritime industry may not be aware of or utilizing these resources,” and so NVIC 20-01 has been promulgated to provide a readily accessible, vetted source for guidance in this area. Id.
Enclosure 1 to NVIC 20-01 is perhaps the most practical aspect of the document. This enclosure specifies individual MTSA regulations and provides recommended approaches for how they might be addressed in an FSA/FSP. Some of these recommended approaches provide operation-specific suggestions, including:
- “During crew or shift changes, handover notes should include cyber security related information and updates.” (viz. 33 C.F.R. §§105.235, 106.240)
- “Describe cyber-related procedures for interfacing with vessels to include any network interaction, portable media exchange, remote access, or other wireless access sharing.” (viz. 33 C.F.R. §§105.240, 106.245)
- “Describe cyber-related procedures for managing software updates and patch installations on systems used to perform or support functions identified in the FSP (e.g. identification of needed security updates, planning and testing of patch installations).” (33 C.F.R. §§105.250, 106.355)
These real-time examples – which include such detail as how to manage electronic file sharing, handle crew change notes, and keep systems up to date – give helpful insight into how cybersecurity concerns relate to granular operations. Moreover, the Federal Register notice publishing NVIC 20-01 encourages “facilities” to review the May 2018 webinar (linked here and in the notice) presented jointly by the USCG and the American Bureau of Shipping entitled “Marine Transportation System Cyber Awareness,” which “provides basic cyber awareness with a focus on maritime facility and vessel operations and provides personnel at all levels of an organization with an understanding of cyber terms and issues” that may be encountered in marine facility operations. 85 Fed. Reg. at 16110. That said, NVIC 20-01 does reiterate that “[t]hese are examples [only]: facility owners and operators may use other approaches that have greater or lesser levels of complexity if those approaches meet the regulatory requirement.”
Importantly, NVIC 20-01 is not prescriptive: “[NVIC 20-01] provides recommended practices for MTSA-regulated facilities to address …cyber security vulnerabilities.” Moreover, “[b]ased on industry comments [to prior drafts] … the NVIC [was revised] to clarify its [mere] advisory nature and applicability.” Id. However, “Enclosure (1) [to NVIC 20-01] clarifies that MTSA regulations in 33 CFR parts 105 and 106 include a facility’s obligation [emphasis added] to assess cyber security vulnerabilities while retaining the discretion [emphasis added] over the ways to address and mitigate them.” In other words, NVIC 20-01 clarifies that while the countermeasures to address vulnerabilities in an FSP remain discretionary, “facilities” have an absolute obligation under the regulations to include cybersecurity vulnerabilities as part of their FSA. Simply put, NVIC 20-01 “does not include a checklist or otherwise prescribe cyber security solutions,” but simply emphasizes that cybersecurity vulnerabilities must be part of the FSA/FSP process.
It is important to note that the draft NVIC originally included the following statement: “[u]ntil specific cyber risk management regulations are promulgated, facility operators may use this document as guidance to develop and implement measures and activities for effective self-governance of cyber vulnerabilities.” Id. at 16114. This provision was removed in the final version, again emphasizing that NVIC 20-01 is merely intended to provide helpful guidance, not prescriptive measures.
Likewise, the original draft NVIC also included a second enclosure, namely the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and NIST Special Publication 800-82, which are cybersecurity guidelines promulgated by the leading U.S. governmental entity in the realm of cybersecurity in general. Based on confusion as to Enclosure (2) during the comment period – ranging widely from commenters mistakenly believing the NIST standards were requirements to others suggesting that more detail and specification was required to apply those standards – the USCG removed the enclosure from the final version of the NVIC. However, NVIC 20-01 does include a sentence “encouraging the use of the NIST CSF as a means to improve a facility’s cyber posture above what is outlined in the NVIC” (id. at 16109), but at the same time notes the availability of myriad other “resources, technical standards and recommended practices available to the marine industry” for addressing cybersecurity issues (NVIC 20-01, p. 3).
“Facility” owners may comply with their cybersecurity FSA and FSP obligations via the amendment process either by including a standalone cybersecurity annex to their FSP, or by amending specific relevant sections of the FSP to address cybersecurity issues. Additionally, NVIC 20-01 confirms that “facilities” may utilize an Alternative Security Program (ASP) to address cybersecurity concerns. An ASP is a standard developed by a third party or industry organization that the USCG Commandant has determined provides a level of security equivalent to that required by the MTSA.
Likewise, some commenters questioned whether NVIC 20-01 effectively requires “facilities” to designate a Facility Security Officer (FSO) (33 C.F.R. § 105.205) with sophisticated technical knowledge of cybersecurity and/or to include their entire IT department among those designated “facility personnel with security duties” (33 C.F.R. § 105.210). In response, the USCG has simply stated that “facilities” must do whatever is necessary specific to their cyber infrastructure and operations to ensure that their FSA and FSP adequately account for cybersecurity vulnerabilities. Accordingly, designation of FSOs and “personnel with security duties” may (depending on the circumstances) need to include IT departments or additional cyber-savvy personnel. Nonetheless, NVIC 20-01 itself expressly provides that “each individual facility should determine the organizational structure; number of employees; the employee roles, responsibilities, and access permissions; and, the employee training needed so that its security personnel can address the facility’s cyber security risks” (Encl. 1, p. 2).
REMINDER TO REPORT CYBERSECURITY INCIDENTS
Importantly, NVIC 20-01 reconfirms that cyber incidents of any kind must be reported to the USCG, and reporting to other law enforcement entities will not satisfy the USCG “requirements for reporting suspicious cyber related activity or breaches of security for MTSA-regulated entities [as] outlined in CG-5P Policy Letter 08-16 titled ‘Reporting Suspicious Activity and Breaches of Security.’”
TIMELINE FOR APPLICABILITY
The Commandant Notice accompanying publication of NVIC 20-01 critically notes that there will be a one-and-a-half-year implementation period (for updating FSA/FSP/ASPs), terminating on September 30, 2021, for the new guidance provided under the NVIC. New cyber FSA and FSP/ASP amendments or annexes will then be submitted after October 1, 2021 by each “facility’s” annual audit date. This initial implementation period is intended to allow “facilities” time to address their cyber-linked operations/systems/equipment and personnel requirements, but also to allow the USCG time to ramp up its own “necessary training of … field personnel, dissemination of best practices, or similar internal alignment.” Notably, in response to comments to the NVIC suggesting that the USCG might not have sufficient properly trained personnel to adequately assess the cyber aspects of FSA/FSPs, the USCG confirmed that it “will assess its needs and may address this issue in the future through internal policy or guidance to [USCG] personnel,” but nonetheless reiterated that “facilities” must comply on their own in the interim.
WHAT’S ON THE HORIZON
NVIC 20-01 is a formal, notice-and-comment rulemaking step in what has been a steady march by the USCG to stay on the tip of the spear in terms of maritime cybersecurity. And while NVIC 20-01 addresses only “facilities,” its guidance will necessarily affect vessel operations at MTSA facilities. Moreover, given that vessels themselves are required to have FSAs/FSPs under the MTSA regulations (33 C.F.R. Part 103), similar formal guidance is likely coming for vessel owners/operators as well. Indeed, the Federal Register notice for NVIC 20-01 indicates as much: “The [USCG] notes this NVIC was not meant to address vessels. It addresses MTSA-regulated facilities only. We will consider addressing cyber security vulnerabilities for vessels in the future.” 85 Fed. Reg. at 16114. Further, such guidance will presumably be fairly imminent in light of the January 1, 2021 deadline set by the International Maritime Organization for all ISM Code-regulated vessels “to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code).” Thus, in the interim until formal vessel-specific guidance is issued, prudent owners/operators would be well served to adapt these “facility”-based best practices to their own shipboard and shoreside operations and systems.