Raise your hand if you are fine with business coming to a screaming, and expensive halt for, say a month or two.  A cyber-attack can be the business equivalent of a deadly, metal-on-metal sound coming from under the hood of your car.  Sure you can get it fixed, but it won’t be quick, or cheap, or easy.  A ransomware attack on the City of Baltimore had just this effect.  

At Seebald & Associates, we can’t prevent all cyber-attacks, but we can help organizations recognize their risk and build resilience.  We address cyber security during training courses, audits, and security assessments. Our goals during these activities are as follows:

  • We help FSOs and others to recognize that many of the systems they use have cyber components – and therefore cyber vulnerabilities.  These systems could be anything from simple wi-fi enabled cameras and web-based employee alert systems to sophisticated cargo and industrial control systems.

  • During audits and assessments, we gauge the client’s overall approach to cyber security, addressing, in the most basic of terms, topics such as employee training, network access policies, IT/OT segregation, and the role of cyber security in MTSA regulated functions such access control and cargo systems.

  • We encourage cooperation between FSOs/VSOs and the organization’s dedicated cyber security professionals.  This cooperation should include suspicious activity reporting, risk assessment and mitigation activity, and response operations.  

  • We encourage cyber professionals to participate in information sharing organizations, and to take advantage of well recognized cyber security standards and resources, such as are published by NIST,SANS, and CISA.

Maritime organizations will increasingly require more technical assistance, and we are proud to refer them to Make A Difference with MAD Security.  MAD Security is a highly respected managed security services organization with close ties to S&A and experience working with port and waterways organizations, industrial and other private sector clients, as well as with the U.S. Coast Guard, the Department of Defense, NASA, and other government agencies.  They provide 24/7 network monitoring and intrusion detection and will ensure you become compliant with emerging Coast Guard/DHS requirements. So go ahead and get MAD.  With their cyber expertise, and S&A’s holistic approach to security, your vessel or facility can be well prepared and resilient when (not if!) cyber or other threats come your way.  

Calendar year 2019 is almost halfway over and after conducting numerous Facility Security Plan annual mandated audits, we note many Facility Security Officers (FSO), Company Security Officers (CSO), Alternate FSOs, Personnel with Security Duties (PSD) and All Others (AO) are not current on their required Maritime Transportation Security Act (MTSA) training. 

This non-conformity is a compliance risk and will draw warnings and citations from a U.S. Coast Guard facility security inspection.  It is generally recommended that facility security staff attend a U.S. Coast Guard approved 33 CFR, Part 105 or Part 106 training course at a minimum initially, then every 3-5 years with a refresher course.  Depending on when security personnel have been trained, even within the past 5 years, many new MTSA regulation, guidance and policy updates and changes have taken place.  Recent topics of significant interest are cyber-security threats, seafarer access, active shooter threats, TWIC card access procedures and cruise terminal screening requirements. 

All Seebald & Associates facility security training courses address these topics, and our certified master instructors and Coast Guard-approved training courses fully address and inform students of the new topics.  You do not need an audit to know if your training is current and in compliance.  To request an FSO, CSO/OCS FSO, PSD, OCS PSD or AO training course or event please contact Ed Seebald at This email address is being protected from spambots. You need JavaScript enabled to view it., or phone 716-481-5597, and we will help you meet your MTSA training needs. 

The Specific Roles and Responsibilities of Owners and Operators of Regulated Maritime Transportation Security Act for 33 CFR Part 106 Outer Continental Shelf (OCS) Facilities

 

What are the specific duties and responsibilities of MTSA 33 CFR Part 106 Facility Owners and Operators?

33 CFR Part 106 Subpart B – OCS Facility Security Requirements, outlines and describes the roles and responsibilities of owners and operators of 33 CFR Part 106 Facilities. 

As mentioned in the previous blogs, the absolute responsibility for a regulated facility’s security management regime starts and ends with the owners and operators.  While 33 CFR Parts 106 Subparts B, C and D sections are most familiar to Company Security Officers (CSO) and OCS Facility Security Officers (FSO), Subpart B – OCS Facility Security Requirements, identifies more specific requirements that owners and operators are responsible for.  Subpart B also addresses the knowledge, training and experience requirements for CSOs, OCS FSOs, Company or Facility Personnel with Security Duties and All Other persons who work at the facility.  For this final blog focusing on owners & operators, we remain focused on owners and operators of 33 CFR Part 106 Facilities and the specific roles and responsibilities of owners and operators are listed below:

  • Each OCS facility owner or operator must ensure that the OCS facility operates in compliance with the requirements of Subpart B.
  • For each OCS facility, the OCS facility owner or operator must:
    1. Define the security organizational structure for each OCS facility and provide each person exercising security duties or responsibilities within that structure the support needed to fulfill those obligations;
    2. Designate in writing, by name or title, a CSO and an FSO for each OCS facility and identify how those officers can be contacted at any time;
    3. Ensure that a Facility Security Assessment (FSA) is conducted;
    4. Ensure the development and submission for approval of a Facility Security Plan (FSP);
    5. Ensure that the OCS facility operates in compliance with the approved FSP;
    6. Ensure that the TWIC program is properly implemented as set forth in this part, including:
      • Ensuring that only individuals who hold a TWIC and are authorized to be in the secure area are permitted to escort; and
      • Identifying what action is to be taken by an escort, or other authorized individual, should individuals under escort engage in activities other than those for which escorted access was granted.
    7. Ensure that adequate coordination of security issues takes place be- tween OCS facilities and vessels, including the execution of a Declaration of Security (DoS) as required by Subpart B;
    8. Ensure, within 12 hours of notification of an increase in MARSEC Level, implementation of the additional security measures required by the FSP for the new MARSEC Level;
    9. Ensure all breaches of security and security incidents are reported in accordance with part 101 of this sub- chapter;
    10. Ensure consistency between security requirements and safety requirements;
    11. Inform OCS facility personnel of their responsibility to apply for and maintain a TWIC, including the dead- lines and methods for such applications, and of their obligation to inform TSA of any event that would render them ineligible for a TWIC, or which would invalidate their existing TWIC;
    12. Ensure that protocols consistent with 106.260(c) of Subpart B, for dealing with individuals requiring access who report a lost, damaged, or stolen TWIC, or who have applied for and not yet received a TWIC, are in place; and
    13. If applicable, ensure that proto- cols consistent with 106.262 of Subpart B part, for dealing with newly hired employees who have applied for and not yet received a TWIC, are in place.

CSOs and FSOs of CFR Parts 105 & 106, knowing the roles and responsibilities of your owners and operators will help you help them, especially when new persons come on board your facilities in leadership or management roles of your maritime security regime and have no prior experience with MTSA requirements.  Remember any violation issued by U.S. Coast Guard security compliance inspectors is permanently recorded in a database that is shared across the Coast Guard.

Owners and operators, security directors and managers, to ensure your plan renewals and announced and unannounced U.S. Coast Guard compliance inspections will pass training standards, register yourself, CSOs, FSOs and Alternates to attend a U.S. Coast Guard approved Seebald & Associates CSO/FSO training course.  To view a list of current and upcoming courses and for more information on how to register for a course visit www.seebald.com.

The Specific Roles and Responsibilities of Owners & Operators of Regulated Maritime Transportation Security Act for 33 CFR Part 105 Facilities

 

What are the specific duties and responsibilities of MTSA 33 CFR Part 105 Facility Owners and Operators?

33 CFR Part 105 Subpart B – Facility Security Requirements, outlines and describes the roles and responsibilities of owners and operators of 33 CFR Part 105 Facilities. 

As mentioned in the previous blog, the absolute responsibility for a regulated facility’s security management regime starts and ends with the owners and operators.  While 33 CFR Part 105 Subparts B, C and D sections are most familiar to Facility Security Officers (FSO), 33 CFR Part 105 Subpart B – Facility Security Requirements, identifies more specific requirements that owners and operators are responsible for.  Subpart B also addresses the knowledge, training and experience requirements for Facility Security Officers, Maritime Personnel with Security Duties and All Other persons who work at the facility.  For this blog we are focused on owners and operators of 33 CFR Part 105 Facilities and the specific roles and responsibilities of owners and operators are listed below:

  • Each facility owner or operator must ensure that the facility operates in compliance with the requirements of Subpart B.
  • For each facility, the facility owner or operator must:
    1. Define the security organizational structure and provide each person exercising security duties and responsibilities within that structure the support needed to fulfill those obligations;
    2. Designate, in writing, by name or by title, a Facility Security Officer (FSO) and identify how the officer can be contacted at any time;
    3. Ensure that a Facility Security Assessment (FSA) is conducted;
    4. Ensure the development and submission for approval of an FSP;
    5. Ensure that the facility operates in compliance with the approved FSP;
    6. Ensure that the TWIC program is properly implemented as set forth in Subpart B, including:
      • Ensuring that only individuals who hold a TWIC and are authorized to be in the secure area in accordance with the FSP are permitted to escort;
      • Identifying what action is to be taken by an escort, or other authorized individual, should individuals under escort engage in activities other than those for which escorted access was granted; and
      • Notifying facility employees, and passengers if applicable, of what parts of the facility are secure areas
      • Identifying what action is to be taken by an escort, or other authorized individual, should individuals under escort engage in activities other than those for which escorted access was granted; and
      • Notifying facility employees, and passengers if applicable, of what parts of the facility are secure areas and public access areas, as applicable, and ensuring such areas are clearly marked.
    7. Ensure that restricted areas are controlled, and TWIC provisions are coordinated, if applied to such restricted areas;
    8. Ensure that adequate coordination of security issues takes place between the facility and vessels that call on it, including the execution of a Declaration of Security (DoS) as required by Subpart B;
    9. Ensure coordination of shore leave for vessel personnel or crew change- out, as well as access through the facility for visitors to the vessel (including representatives of seafarers’ welfare and labor organizations), with vessel operators in advance of a vessel’s arrival. In coordinating such leave, facility owners or operators may refer to treaties of friendship, commerce, and navigation between the U.S. and other nations;
    10. Ensure, within 12 hours of notification of an increase in MARSEC Level, implementation of the additional security measures required for the new MARSEC Level;
    11. Ensure security for unattended vessels moored at the facility;
    12. Ensure the report of all breaches of security and transportation security incidents to the National Response Center in accordance with Part 101 of Subchapter H;
    13. Ensure consistency between security requirements and safety requirements;
    14. Inform facility personnel of their responsibility to apply for and maintain a TWIC, including the deadlines and methods for such applications, and of their obligation to inform TSA of any event that would render them ineligible for a TWIC, or which would invalidate their existing TWIC;
    15. Ensure that protocols consistent with section 105.255(c) of Subpart B, for dealing with individuals requiring access who report a lost, damaged, or stolen TWIC, or who have applied for and not yet received a TWIC, are in place; and
    16. If applicable, ensure that protocols consistent with 105.257 of Subpart B, for dealing with newly hired employees who have applied for and not yet received a TWIC, are in place.

FSOs of CFR Parts 105, knowing the roles and responsibilities of your owners and operators will help you help them, especially when new persons come on board your facilities in leadership or management roles of your maritime security regime and have no prior experience with MTSA requirements.  Remember any violation issued by U.S. Coast Guard security compliance inspectors is permanently recorded in a database that is shared across the Coast Guard.

Owners and operators, security directors and managers, to ensure your plan renewals and announced and unannounced U.S. Coast Guard compliance inspections will pass training standards, register yourself, FSOs and Alternates to attend a U.S. Coast Guard approved Seebald & Associates CSO/FSO training course.  To view a list of current and upcoming courses and for more information on how to register for a course visit www.seebald.com .

The General Roles and Responsibilities of Owners & Operators of Regulated Maritime Transportation Security Act for 33 CFR Facilities and Outer Continental Shelf Facilities.

What are the roles and responsibilities of owners and operators of 33 CFR Maritime Transportation Security Act (MTSA) Facilities and Outer Continental Shelf (OCS) Facilities?

Many of our Seebald & Associates International blogs over the past several years have focused on 33 CFR Part 105 Facility Security Officers (FSOs), Maritime Personnel with Security Duties (PSD) and more recently Part 106 OCS Company Security Officers (CSO)/OCS FSOs.  In this month of May 2019, we will bring you some important information about maritime security management and organization roles and responsibilities for 33 CFR Part 105 & 106 facilities.  

The absolute responsibility for a regulated facility’s security management regime starts and ends with the owners and operators.  While 33 CFR Parts 105 & 106 Subparts B, C and D sections are most familiar to CSOs and FSOs, Subpart Part A – General, identifies several mandatory requirements that owners and operators are responsible for. 

Why is this important for CSOs/FSOs to know?  In a successful maritime security regime, it makes strong operational sense for CSOs/FSOs to know and fully understand all the requirements below their positions and above.  The regulations permit owners and operators of facilities to designate personnel with the CSO and FSO duties in a relegated fashion, but regardless of designation, owners and operators are ultimately responsible in the eyes of the regulator, the U. S. Coast Guard.  Any security non-compliance issues may result in a citation to the owner and operator, CSO or FSO, and any critical citations may impact the facility’s ability to conduct its normal operations.  These mandatory requirements can result in loss of profits, productivity and services, and can impact shareholder opinion of how their investments are being managed.

Areas of 33 CFR Parts 105 & 106 Subpart A of significance are Applicability, Exemptions, Compliance dates, Compliance documentation, Non-compliance, Maritime Security (MARSEC) Directives and Rights of Appeal. 

  • Applicability - describes to owners and operators all the types of facilities and OCS facilities that are regulated under 33 CFR and required to have maritime security regimes in order to operate.
  • Exemptions - describe circumstances that owners and operators can expect to not comply with as long as they follow the local U.S. Coast Guard Captain of the Port (COTP) conditions. Failure to follow the COTP conditions may result in an exemption being withdrawn and the owners and operators must then comply with all the 33 CFR maritime security regime requirements.
  • Compliance dates – establishes mandatory dates the owners and operators must have their facility’s maritime security regime in place in order to operate. In some cases, interim FSPs and security operations are approved pending final submissions. For example, during the construction, drilling and production phases of OCS facility operations, owners and operators must demonstrate to the COTP/Officer in Charge Marine Inspection for the Gulf of Mexico (U.S. Coast Guard District 8 OCS Division), they incorporate appropriate security measures throughout each phase and give advanced notice as to when they are shifting from one phase to another.  Following the initial facility security assessment and FSP, there are set compliance dates going forward for renewals of the facility’s security regime requirements. 
  • Compliance documentation – directs owners and operators which security regime records are to be kept and the duration of required maintenance. Also directs the five-year resubmission and approval cycle for the FSP.
  • Non-compliance – defines actions taken by the owner or operator when the facility must temporarily deviate from Subpart A requirements.
  • MARSEC Directives – specify each owner or operator subject to Subpart A must comply with instructions contained in a MARSEC Directive issued under 33 CFR Part 101.405.
  • Rights of Appeal – states any person directly affected by a decision or action taken under Subpart A, by or on behalf of the U.S. Coast Guard may appeal as described in Part 101.420.

CSOs and FSOs of CFR Parts 105 & 106, knowing the roles and responsibilities of your owners and operators will help you help them, especially when new persons come on board your facilities in leadership or management roles of your maritime security regime and have no prior experience with MTSA requirements.  Remember any violation issued by U.S. Coast Guard security compliance inspectors is permanently recorded in a database that is shared across the Coast Guard.

Owners and operators, security directors and managers, to ensure your plan renewals and announced and unannounced U.S. Coast Guard compliance inspections will pass training standards, register your CSOs, FSOs/Alternates to attend a U.S. Coast Guard approved Seebald & Associates CSO/FSO training course.  To view a list of current and upcoming courses and for more information on how to register for a course visit www.seebald.com.