Cybersecurity in the Marine Transportation System - Notice of Proposed Rulemaking (NPRM)

Introduction

In the ever-evolving digital landscape, cybersecurity is one of the highest concerns and priorities for the United States Coast Guard (USCG). On February 22, 2024, the USCG published a Notice of Proposed Rulemaking (NPRM) in the Federal Register, proposing updates to maritime security regulations. These proposed regulations specifically focus on establishing minimum cybersecurity requirements for U.S.-flagged vessels, facilities on the Outer Continental Shelf, and U.S. facilities subject to regulations under the Maritime Transportation Security Act of 2002 (MTSA).

Who Will Be Affected?

The proposed rule will impact U.S.-flagged vessels, including inspected towing vessels and barges subject to subchapter D or O, U.S. facilities, and U.S. facilities on the Outer Continental Shelf. In short, it covers vessels and facilities under the MTSA that currently require a vessel or facility security plan.

Key Objectives

The proposed rule aims to elevate the U.S. maritime cybersecurity posture by proposing safeguards to critical digital systems against cyber threats.

Cybersecurity Officer (CySO): The proposed rule introduces the requirement for designated cybersecurity officers within the organizations. These officers will oversee cybersecurity implementation and compliance.

Cybersecurity Plan: Organizations must develop comprehensive cybersecurity plans tailored to their specific operations. The proposed rule would require the Cybersecurity Plan to include the cybersecurity organizational structure, training including drills and exercises, monitoring and control measures, assessments, response, recovery, and means for records and documentation. A Cybersecurity Plan as required by this proposed rule would then be made available to the Coast Guard for review during the second annual audit of the existing, approved VSP, OCS FSP, or FSP after the effective date of a final rule.

Cybersecurity Assessments: Vessel operators and facility owners must conduct comprehensive risk assessments to identify vulnerabilities, assess potential cyber risks, and ensure vessels, facilities, or OCS facilities are operating in accordance with the approved Cybersecurity Plan. The proposed rule identifies three levels of risk management assessments for organizations: annual Cybersecurity Assessments, penetration testing upon renewal of a VSP, FSP, or OCS FSP, and ongoing routine system maintenance.

Cyber Incident Reporting: The proposed rule mandates timely reporting of cybersecurity incidents to the National Response Center (NRC). The owner, operator, or CySO would develop, implement, maintain, and exercise the Cyber Incident Response Plan; periodically validate the effectiveness of the Cybersecurity Plan; and perform backups of critical IT (software) and OT (hardware) systems.

Link to the full Proposed Rule in the Federal Register: https://www.federalregister.gov/documents/2024/02/22/2024-03075/cybersecurity-in-the-marine-transportation-system

Questions and Assistance

As the proposed cybersecurity regulations move toward becoming official rules, we anticipate heightened and rigorous scrutiny from the USCG. Cybersecurity is undeniably one of their highest priorities. 

The ACTion group is here to address any inquiries you may have. Feel free to reach out - we’re here to support you. A Vision Today for Tomorrow's Journey.

Chris Kern