Greetings, Facility Security Colleagues, 

The Coast Guard Office of Port and Facility Compliance (CG-FAC) recently released their 2016 Facility Year in Review. While busy with many initiaves, TWIC and reporting Suspicious Activity and Breaches of Security were prominent. 

The Coast Guard published a policy letter regarding criteria and procedures for reporting Suspicious Activity (SA) and Breaches of Security (BoS). (Note: We're already addressing this in our courses, audits, assessments, and plans.) Basically, the Department of Homeland Security (DHS) National Cyber Security and Communications Integration Center (NCCIC) may be contacted directly for cybersecurity incidents and suspicious activity NOT resulting in phyical or pollution effects (physical and pollution incidents must be reported to the National Response Center (NRC)). When reporting a cybersecurity SA or BoS, maritime owners and operators must identify themselves as a MTSA regulated entity in order to satisfy the reporting requirements of 33 CFR 101.305. NCCIC will document the activity, evaluates it against operations, provides technical assistance if requested, and passes the information to the NRC. Information-sharing between NCCIC and NRC may contain Sensitive Security Information and is protected per 49 CFR 1520.

In 2016, the Coast Guard conducted 6,002 MTSA compliance inspections covering 3,476 MTSA regulated facilites, resulting in 1,648 deficiencies. This resulted in 180 enforcement activites. More than half of the citations were in three cateories: Security Measures for Access Control (61), Owner or Operator Requirements (32), and Drill and Exercise Requirements (17). Remember from your training, Access Control is crucial in your first line of defese against security incidents. 

Over 54,000 TWIC cards were inspected visually or electronically resulting in 515 instances of non-compliance. This shows that facilities are not preoperly inspecting TWIC cards or individuals are not carrying them when working on the regulated secure footprint. Remember, TWIC cards need to be inspected at 100% and everyone must have them on their person. 

There is a lot of interesting information in the 2016 report, such as Rulemakings, Training, Cyber Risk Management, and much more. Please take the time to read it and learn how these policy changes or recommended advice affects your facility. Have a safe and secure day.