On January 23, 2023, the United States Coast Guard released new guidance on cybersecurity for port facilities regulated by the Maritime Transportation Security Act and 33 CFR Part 105.
The “Maritime Cybersecurity Assessment and Annex Guide (MCAAG)” helps facility operators with the cybersecurity aspects of a Facility Security Assessment (FSA) and provides a template for incorporating the results of that process into a Cybersecurity Annex to a Facility Security Plan (FSP).
Before getting into the details of this new guidance, let’s first clarify that this does NOT impact facilities that already have approved Cybersecurity Annexes. Those facility operators are NOT required to resubmit new Annexes based on this guidance. However, this guidance will clearly be an appropriate tool for when existing FSPs come up for their normal, five-year renewal.
Here at Seebald & Associates, our experts have taken a preliminary look at this guidance and we think it will be a useful tool in helping facilities identify and manage their cyber risks. Here are a few key points:
· The guidance begins with terms, definitions, examples, and a discussion of how various Information Technology (IT) and Operational Technology (OT) systems are often connected. This reflects sound cybersecurity principles and helps us all recognize that a vulnerability in one part of a network can have consequences elsewhere.
· The guidance recommends that facility operators identify a “Cybersecurity Officer (CySO)” to work with the FSO on cybersecurity matters.
· The guidance includes a step-by-step process for facility operators to identify cyber vulnerabilities in an FSA, determine mitigation strategies, and document the results in a Cybersecurity Annex of an FSP.
· The guidance uses the NIST Framework functions (Identify, Protect, Detect, Respond, Recover), and select categories and subcategories as baseline or additional measures, based on the organization’s risk tolerance.
At Seebald & Associates, we are in regular contact with U.S. Coast Guard cybersecurity personnel, both at the Headquarters and local Captain of the Port level. We will keep all our clients informed as we all learn more about how the Coast Guard expects us to apply this guidance. In the meantime, we look forward to working with all of you to improve your security programs.