Due to an increase of cyberthreats and vulnerabilities in the Marine Transportation System, the Coast Guard published Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at MSTA Regulated Facilities in March 2020.
NVIC 01-20 provides guidance on assessing cyber risks when conducting required Facility Security Assessments (FSA) and incorporating cybersecurity within Facility Security Plans (FSP).
Recognizing that NVIC 01-20 represented first-of-its-kind guidance when it was released last spring, the Coast Guard established an 18-month implementation period which allowed MTSA-regulated facility owners or operators time to incorporate cybersecurity into their FSAs and FSPs. During that time, the Coast Guard invested in training of its field personnel, dissemination of best practices, engagement with industry stakeholders, and similar internal alignment before the implementation period ended on Sept. 30, 2021.
Beginning on Oct. 1, 2021, facility owners and operators who have not already done so should submit FSP cyber amendments or annexes to their local Captain of the Port (COTP) as part of the facility’s annual audit. COTPs will verify that facilities have addressed cybersecurity within the FSA and FSP cyber amendments/annexes. COTPs retain discretion on whether the requirements have been met, and on any potential extension of submission dates.
In keeping with current Alternative Security Plan (ASP) processes, commandant via the Office of Port and Facility Compliance (CG-FAC) will maintain review and approval responsibilities for ASPs, while Coast Guard COTPs will retain verification responsibilities.
A Frequently Asked Questions (FAQs) List was developed in support of NVIC 01-20 and the incorporation of cyber into FSAs and FSPs, and is updated as questions and feedback are received. Additional information related to NVIC 01-20 can also be viewed on the Federal Register website.
For questions regarding NVIC 01-20 implementation guidance and FSP/ASP amendment/annex submission, it is recommended that MTSA-regulated facilities owners and operators contact their local Captain of the Port well in advance of their next annual audit date before Oct. 1, 2022.