The US Coast Guard (USCG) has issued new guidelines for confronting cyber risks at Maritime Transportation Security Act (MTSA)-regulated facilities.
The updates provide guidance to facility owners and operators on complying with the requirements to assess, document, and address system and network risks.
Regulated facilities must assess and document risks associated with their computer systems and networks in a facility security assessment (FSA) or alternative security program (ASP).
Owners and operators must then demonstrate compliance by providing this information in a stand-alone cyber annex or addendum, by incorporating it into the facility security plan (FSP) alongside the physical security measures, or by another method identified by the owner or operator in concurrence with the local captain of the port (or with US Coast Guard headquarters in the case of an ASP).
While owners need not commit to a specific technology or business model, they are required to provide documentation showing how they are addressing the risks identified.
USCG said “it is up to each facility to determine how to identify, assess and address the vulnerabilities of their computer systems and networks.”
In addition, the USCG recommends that facilities use the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication 800-82 to craft a risk management programme.
The implementation period will last 1.5 years with no submissions to update an FSA or ASP required until 30 September 2021.
The new guidelines were prompted in part by the Ryuk ransomware attack in December 2019 and by concerns voiced by US lawmakers that the maritime network is vulnerable to cybercrime; they follow a similar move made by the UK’s DfT in January 2020.
The USCG bulletin can be found here.