The Coast Guard recently published NVIC 01-20, which addresses cyber security requirements for facilities subject to the MTSA.  Although the Coast Guard has been addressing cyber security in the marine transportation system since about 2013, this NVIC represents a significant policy change in that it requires facility operations to incorporate cyber security into their Facility Security Plans. 

A key purpose of the NVIC is “to assist owners and operators in identifying computer systems and networks whose failure or exploitation could cause or contribute to a Transportation Security Incident (TSI).” 

As FSOs and facility operators know, an informed, thoughtful Facility Security Assessment is the foundation of any Facility Security Plan.  The FSA starts with identifying and validating possible vulnerabilities, and then applying mitigation measures. 

To meet the intent of the NVIC, we simply have to incorporate our cyber-dependent systems into that process.  That will include systems that contribute directly to security, like cameras and PACS, and systems with security implications, like communications or cargo control.

There are, of course, challenges.  How can one determine if a given cyber system is “vulnerable?”  When selecting mitigation measures, what cyber security standards is the Coast Guard likely to accept?  How can facility operators identify what systems fall within the scope and intent of the MTSA?  How should those measures be described in an FSP in a way that provides reasonable clarity without constraining business flexibility or revealing proprietary information? 

Fear not.  At Seebald & Associates, we are in frequent contact with the Coast Guard personnel responsible for these policies, and our team includes personnel with a deep understanding of cyber security at both the policy and technical level.

One useful approach is to make use of the Cyber Security Framework, developed by the National Institute of Standards and Technology (NIST) and referenced in section 3.b. of the NVIC.  The Framework is arranged around 5 basic concepts – Identify, Protect, Detect, Respond, and Recover – that align well with MTSA regulations.  The Framework is flexible, suitable to organizations of any size/complexity, and performance oriented.  If you use Industrial Control Systems, then we also recommend incorporating NIST 800-82, which is the other framework referenced in the NVIC.

Seebald & Associates will be hosting one or more webinars on this topic in the near future.  In the meantime, take a look at the table below to see a simplified example of how a facility might start the process of addressing cyber in a way that meets the intent of the NVIC: 

| Coast Guard Requirement | NIST Framework | Example in FSP or Cyber Annex |
|---|---|---|
| Facility Security Assessment | Identify | Include cyber/IT/OT experts in the FSA.  Identify and evaluate ways that cyber vulnerabilities could contribute to a TSI.  Technical procedures such as security scans and penetration testing may be employed to validate and quantify cyber vulnerabilities. |
| Security Organization | Identify | FSP should identify who in the organization has responsibility for cyber security, and how that person will communicate and coordinate with the FSO. |
| Access Control and Restricted Areas | Protect | FSP may reflect topics such as authentication, least privilege, encryption, and mobile device management (BYOD). |
| Monitoring | Detect | FSP may reflect topics such as routine scanning of inbound/outbound data, data logging, use of virus detection software. |
| Cargo Handling and DoS | Protect, Detect | FSP may address security concerns with electronic transmission of cargo information between the facility and visiting vessels, including use of portable media (data in motion).  Other topics include security of databases used for tracking cargo status/location on the facility (data at rest).  DoS procedures may address data transmitting procedures and notifications of suspicious cyber activity for the facility and visiting vessels. |
| Security Incidents, Drills, Exercises, and Training | Respond, Recover | FSP may address topics such as incident monitoring, reporting, and logging, the use of backups, restoration procedures and testing, and procedures to ensure that a compromised system has been properly addressed and is now considered safe to operate. |

TSA issued a notice, Exemption to Extend the Expiration Date of Certain Transportation Worker Identification Credentials, on April 10, 2020. With this notice, TSA is granting a temporary exemption from requirements in 49 CFR part 1572 regarding the expiration of certain Transportation Worker Identification Credentials (TWIC®s).

For TWICs expiring between March 1, 2020, and July 31, 2020, the exemption extends the validity of a TWIC for 180 days for an individual whose TWIC would otherwise expire during the effective period of the exemption, which remains in effect through July 31, 2020. TSA may extend this exemption at a future date depending on the status of the Corona Virus Disease 2019 (COVID-19) National Emergency. 

Frequently Asked Questions:

Q: Why is TSA granting this exemption? 

A: TSA determined that it is in the public interest to grant an exemption from the current expiration standard in 49 CFR part 1572, which is five years from the date of issuance, given the need for transportation workers to continue to work without interruption during the current National Emergency created by the COVID-19 pandemic. 

Q: Has the U.S. Coast Guard (USCG) provided guidance on the use of TWIC? 

A: Yes. USCG published Marine Safety Information Bulletin 13-20. Updated information on USCG operations and procedures may be found under “Featured Content” on the USCG Deputy Commandant for Operations website and by monitoring Coast Guard Maritime Commons.

Q: Do TWIC holders need to take any action(s) to extend their Security Threat Assessment? 

A: No. This exemption applies to TWICs that expire on or after March 1, 2020, through July 31, 2020. For those TWICs, TSA will extend the security threat assessment expiration date for an eligible TWIC to 180 days after the current expiration date that appears on the face of the credential. If the 180 day period extends past July 31, 2020, the TWIC will be valid for the remainder of the extended 180-day period based on the expiration date of the TWIC. In accordance with USCG requirements, facility or vessel owners and operators may accept TWIC cards that show an expired date for unescorted access to secure areas. (Note: For new TWIC enrollments, TSA is planning to keep enrollment centers open. Please visit https://universalenroll.dhs.gov to verify enrollment center operations.) 

Q: Does this exemption compromise national or transportation security? 

A: The risk to transportation security associated with this exemption is low. TSA maintains the ability to recurrently vet TWIC holders and take action to cancel or revoke a TWIC if derogatory information becomes available, regardless of the expiration date. 

Q: Where can I find more information on TSA’s temporary exemption? 

A: The exemption notice is appended to this fact sheet and published to the Federal Register. For additional information, please contact the TSA TWIC program.

This release has been issued for public information and notification purposes only. 

Marine Safety Information Bulletin 13-20: COVID-19 – Transportation Worker Identification Credential (TWIC®) Operations

The uninterrupted flow of commerce on our Marine Transportation System (MTS) is critical to both National Security and National economic well-being. During this National emergency for COVID-19 it is paramount that the Coast Guard safeguards the continued operation of the MTS to ensure our domestic supply chain continues uninterrupted. The regulations outlined throughout 33 and 46 Code of Federal Regulations remain in force, and maritime operators are expected to continue to comply with these requirements. However, when compliance with these regulations cannot reasonably be met as a result of COVID-19, the Coast Guard will exercise flexibility to prevent undue delays. The following clarification is provided regarding the Transportation Worker Identification Credential (TWIC®), which is jointly managed by the Coast Guard and the Transportation Security Administration (TSA). TSA may grant a temporary exemption from certain requirements in 49 CFR part 1572 for the expiration of the TWIC for current cardholders. If this occurs the Coast Guard will take these exemptions into consideration. 

Maritime Facilities and Vessels: 

TWIC Readers - the Coast Guard is not changing or delaying the TWIC Reader Rule implementation date of June 7, 2020, for facilities that receive vessels certificated to carry more than 1,000 passengers and vessels certificated to carry more than 1,000 passengers. However, the Coast Guard will delay enforcement until October 5, 2020. Applicable facilities and vessels are not required to update facility security plans (FSP)/vessel security plans (VSP) or install readers until the revised enforcement date. 

Escort Ratios – Escort ratios for secure and restricted areas of a facility are provided in Navigation and Inspection Circular (NVIC) 03-07. To provide flexibility due to COVID-19 related health impacts, the escort ratio may be adjusted to meet employee shortages or other demands. This would constitute a change to the FSP or require Captain of the Port approval via noncompliance (discussed below and in MSIB 07-20). 

New Hires – After enrollment has been completed and a new hire has presented an acceptable form of identification per 33 CFR 101.515(a) to the vessel security officer or facility security officer, that new hire may be allowed access to secure or restricted areas where another person(s) is present who holds a TWIC and can provide reasonable monitoring. The side-by-side escorting required in 33 CFR 101.105 for restricted areas will not be enforced during the COVID-19 pandemic. Additional compliance options for new hires can be found in 33 CFR 104.267 and 105.257 or via noncompliance (discussed below). 

Alternative Security Program (ASP) – Local users who are unable to comply with the requirements in an approved ASP may pursue temporary relief via noncompliance (discussed below) or an amendment can be submitted to cover the entire ASP via submission to CG-FAC. 

Noncompliance – 33 CFR 104.125 and 105.125 discuss noncompliance with facility and vessel security requirements. If a situation arises where a facility or vessel will not be able to comply with the requirements of 33 CFR parts 104 or 105, they must contact the Captain of the Port (COTP) to request and receive permission to temporarily deviate from the requirements. While not discussed in 33 CFR 104.125 or 105.125, the vessel or facility operator should evaluate and consider any safety risks that may be created from the noncompliance. This request to continue operations should include new measures or safeguards the facility or vessel plans to employ to mitigate any risk from the noncompliance with 33 CFR part 104 or 105.

Merchant Mariner Credentials 

The Coast Guard is providing flexibility with regard to requirements to have a TWIC when applying for a credential or when serving under the authority of a credential. To date, the processing of submitted TWIC enrollments has not been impacted by the COVID-19 crisis, and there is no delay in vetting, card production, and issuance. However, TSA and the Coast Guard recognize that this is an evolving public health situation and enrollment center closures or processing delays will impact applicants for a merchant mariner credential (see below for more on TSA enrollment centers).

Under 46 CFR 10.203(b), failure to hold a valid TWIC may serve as grounds for suspension or revocation of a merchant mariner credential (MMC). The Coast Guard will not pursue any suspension and revocation actions based on expired TWICs during the COVID-19 pandemic. The Coast Guard will update industry prior to reinstating enforcement of this requirement. This enforcement discretion for expired TWICs does not apply to cases where a mariner’s TWIC has been suspended or revoked due to a determination that they are a security threat. In those cases, the Coast Guard may pursue suspension or revocation of the MMC.

With respect to expired TWICs in the MMC application process, mariners applying for an original credential will be treated differently than mariners seeking a renewal, raise of grade or new endorsement. This is because the TSA provides the Coast Guard with biometric and biographic information (including the photograph) necessary to evaluate and produce a MMC. 

Mariners applying for an original credential need to demonstrate that they have enrolled for a TWIC. Mariners may pre-enroll for a TWIC online, can schedule an appointment, but must complete the in-person enrollment process at the nearest TSA enrollment center. While this proof of application is sufficient to begin the merchant mariner credentialing process, an applicant for an original credential will be unable to obtain a MMC until their biographic and biometric information is provided to the Coast Guard by TSA. 

For mariners already holding a MMC, if their TWIC expires, and their credential remains valid, then no action needs to be taken and the credential remains valid. 

If a mariner applies for a renewal, raise of grade, new endorsement or duplicate merchant mariner credential while their TWIC is expired, they may apply without a valid TWIC if they demonstrate that they have enrolled for a TWIC renewal. 

TSA Enrollment Centers

TSA’s Enrollment Centers remain open, at this time, and TSA is processing new TWIC enrollments. According to TSA, some enrollment centers have closed and may continue to close for a period of time to ensure the safety, health and wellness of staff and the public. If applicants are planning to visit an enrollment center, TSA encourages individuals to use the “Find an Enrollment Center” feature at the bottom of the Universal Enrollment Services home page (https://universalenroll.dhs.gov/locator) to determine if the center is open and its hours of operation. TWIC enrollments must be completed in-person at an enrollment center. You will be required to provide the necessary identity/immigration documentation and submit fingerprints during your in-person enrollment. It is recommended that you schedule an appointment. You may pre-enroll and schedule an appointment online (https://universalenroll.dhs.gov).

Richard V. Timme, RDML, U. S. Coast Guard, Assistant Commandant for Prevention Policy sends 

U.S. Coast Guard
Commandant
Inspections and Compliance Directorate
2703 Martin Luther King Jr Ave SE, STOP 7501
Washington, DC 20593-7501
MSIB Number: 13-20
Date: April 3, 2020

Good friends,
 
The COVID situation is a challenge for all of us.  I certainly hope that you, your families, and your employees are all safe and healthy.
 
Maintaining security during these times is one of the many priorities we must meet.  We recently published a blog on this topic you can read here: https://seebald.com/blog
 
A related challenge is completing Coast Guard required audits, as well as updating Facility Security Plans on schedule.  With travel constrained, we all must make careful decisions on what business activities to postpone, and which should proceed on schedule.
 
We've been in steady contact with our Coast Guard colleagues, including those that manage the Coast Guard's overall MTSA program.  They have indicated a willingness to accommodate requests, and today they published guidance providing flexibility for vessel compliance activities.  https://mariners.coastguard.blog/2020/03/27/msib-09-20-vessel-inspections-exams-and-documentation/  I expect similar guidance for facilities in the near future.  
 
At Seebald & Associates, we will do everything possible to meet your needs, and to work with the Coast Guard on any special requests.  In some cases, conducting some portions of an audit or a Facility Security Assessment electronically may be possible, with a follow up in person when appropriate.
 
Please let me know if there is anything I can do to help you meet your security and other compliance needs at this time.  Stay safe and healthy!

Coronavirus (COVID-19) and Maritime Security

First, please know that here at Seebald & Associates, we hope that you, your family, employees, contractors, and others are safe and healthy.  You all remain in our thoughts and prayers.

The Coronavirus outbreak is a challenge for our nation.  There is excellent information on how to minimize your health risk at the Center for Disease Control: 

https://www.cdc.gov/coronavirus/2019-ncov/index.html.  Note that this includes specific guidance for ships:  https://www.cdc.gov/quarantine/maritime/recommendations-for-ships.html

The U.S. Coast Guard has also posted information on this topic, including links back to the CDC, on their Maritime Commons blog.  In particular, note that the Coast Guard considers the presence of vessel personnel who show symptoms of COVID-19 or other flu-like illness as a “hazardous condition” which must be reported to the nearest Captain of the Port.  While this regulation applies to vessels, not facilities, facility operators should consider making a courtesy notification to the Coast Guard if facility personnel display Coronavirus symptoms.

The Coast Guard has also posted information reminding facility operators to remain in compliance with all applicable regulations, and on merchant mariner credentials.

The maritime industry has faced infectious diseases in the past, including quite recently with the Ebola outbreak in 2014 and the Zika virus in 2016.  At Seebald & Associates, we address infectious diseases in FSO courses and other discussions.  Our security recommendations for this situation are as follows:

  • To the maximum extent possible, ensure your personnel are aware of, and following, the guidance put out by the CDC and others concerning social distancing and sanitation.
  • Consider that accidents, security lapses, and other undesired events often occur when there has been a break in routine, or personnel are distracted by unusual events. Remind your personnel to focus on safety, security, and following established procedures.
  • Recognize that your security may not be at its peak due to some employees working from home, or if some of your regular security personnel have been replaced with temporary or new workers. Remind your security forces and “All Others” to be alert for suspicious activity or other security concerns.
  • Cyber security is also a concern. An unusual volume of telework will put a strain on your IT department’s ability to monitor and secure such traffic. Ensure employees follow established policies while conducting telework and using VoIP systems.  Also, be aware of scams and misinformation; stick to reliable government and public health websites. 
  • Consider what procedures you would follow if you needed to allow an ambulance or other emergency/public health vehicles into your facility in order to assist a vessel crew member or facility employee with health issues. Such a situation would require attention to access control, vehicle transit through the facility, establishing a perimeter around the vessel and/or patient, notifications, and monitoring.