When and Why Do I Need to Do an FSA?
- Posted by Thomas Venezio
You might be thinking, “My FSP already has an FSA, so I can just change the date
and re-submit this.” Not so fast!! 33 CFR 105.310 is very clear in stating, “The FSA
must be reviewed and validated, and the FSA report must be updated each time the
FSP is submitted for re-approval or revisions.” So, the bottom line is we need to
conduct a complete FSA prior to re-submission of our FSP for approval. This is an
extremely important process, so take the time to do a conscientious job because
threats are always changing.
33 CFR 105.300 details everything that must be considered in developing the FSA.
You must conduct a thorough on-scene assessment including, but not limited to, all of your
facility’s security systems, operations, infrastructure, threats, vulnerabilities and
weaknesses. You must also address important systems, resources and processes to
protect all of the personnel from contingencies, natural disasters, and mishaps. 33
CFR 105.300 provides extensive specifics on all that must be addressed.
The FSA must also include a Risk-Based Analysis. We’ll address the RBA in next
week’s Blog. Remember to check your FSP approval date!!!
Facility Security Assessment, the foundation of your FSP
- Posted by Thomas Venezio
Facility Security Plans (FSP) were first written and submitted to the Coast Guard in
2004 with a 5-year re-write requirement. For everyone keeping track of the 5-year
re-write schedule for FSPs, that means in 2019 most facilities will need to re-write
their FSP. For those of you that are familiar with the Seebald Security Pyramid, you
know that at the base of the Pyramid is the Facility Security Assessment (FSA).
Without a well prepared and well thought out FSA, the FSP may be very weak and
not provide the level of security that your facility needs. The FSA will help you build
an FSP that truly takes into account current threats and real vulnerabilities at your site,
and design mitigation actions and security strategies that will be most effective in
reducing your risk. This means that you, the Facility Security Officer, must be
intimately involved in this development process! We’ll spend more time on this in
the coming blogs and in the November Webinar to be held on November 29, 2018 at
One final thought, be sure to check your FSP approval date. Many FSPs will need to
be resubmitted in 2019.
Cyber Security - How to Protect Your Facility.
- Posted by Cliff Neve
Seebald & Associates’ and MAD Security’s Cliff Neve delivered a webinar on October 25th discussing the recent cyber attacks at the Ports of Barcelona and San Diego. Cybersecurity has many analogies to physical security, and bad actors use the same basic steps to exploit victims’ information, property, and information systems. In addition, the convergence of information technology (IT) with operational technology (OT) allows for expanded access for administrators and operators to industrial control systems, camera systems, and other OT devices. It also, however, expands the attack surface for nefarious cyber actors, and Cliff discussed the ways to protect your converged networks from threats.
Most companies cannot afford to hire their own 24/7/365 cyber security operations center personnel, nor should they spend the money for at least a dozen people (~five people per 24/7/365 watch position), the facility, the software and licenses, the training for personnel, and the management oversight necessary to secure their information and information systems.
Seebald and Associates have partnered with MAD Security to offer a very affordable alternative: 24x7x365 Managed Security Services, including network monitoring and vulnerability scanning, that will harden your IT systems and allow for quick detection of cyber intrusions.
TWIC FINAL RULE ENFORCEMENT DELAY CONFUSION? HERE ARE YOUR ANSWERS…
- Posted by Ivan Ramirez
Per the H.R. 5729 law passed by Congress in July 2018, the Coast Guard is required to submit a report summarizing the DHS-led security assessment study on TWIC readers. The study is currently being conducted and is not expected to be completed until sometime late Spring of 2019. For at least 60 days after the report is submitted to Congress, TWIC Reader requirements are delayed for all Certain Dangerous Cargo (CDC) facilities, including facilities that handle CDC but do NOT transfer them to or from vessels, and for facilities that receive vessels certified to carry 1000 or more passengers. The following explains where and how the confusion came about.
On August 23, 2016 the Coast Guard published a final rule in the Federal Register named “Transportation Worker Identification Credential (TWIC) Reader Requirements,” which was to be implemented on August 23, 2018. As we got closer to the effective date of this regulation, rumors started circulating that the Coast Guard would delay implementation.
In June 2018, the Coast Guard published a Notice of Proposed Rulemaking that delayed for three years the implementation of TWIC readers for facilities that handle CDCs in a non-maritime nexus, meaning they do not receive or transfer them to or from vessels. In July 2018, a court order delayed the enforcement of TWIC readers for all facilities handling CDC either by maritime means or by land.
Shortly after the court ruling, Congress passed a law, the aforementioned H.R. 5729, prohibiting the Coast Guard from implementing and enforcing the TWIC Reader requirements on any CDC facility and cruise ship terminals for at least 60 days after the Coast Guard provides Congress with a TWIC Reader security and feasibility study. This study is currently underway. The study is expected to be completed by late Spring of 2019. DHS and the Coast Guard will then review and assess the study before submitting their final report to Congress. This review process may take several weeks or months.
What does this mean for your facility and your business?
The regulatory delay is so the Coast Guard can reconsider the effectiveness and scope of the TWIC Final Rule and re-evaluate which facilities would be subject to the electronic TWIC inspection requirements. The TWIC program’s purpose is clear - to keep persons who may be a security risk away from secure areas of vessels and waterfront facilities.
Key take-away points:
- Expect the Coast Guard to significantly increase the number of TWIC verifications (with their own electronic readers) during their routine and/or unannounced inspections;
- Certain vessel and facility operators will be required to use readers in the future;
- TWIC is here to stay…so facility and vessel operators who voluntarily use their TWIC readers will be one step ahead; and
- Seebald & Associates International is ready to assist you in getting ahead of the game by reducing your exposure to compliance risk, whether for the TWIC Final Rule or any regulatory concern you may have.
We’re proud of our reputation in helping you keep your facility and our nation’s ports secure.
Maritime Ports Are Under Cyber-Attack - Two Ports Attacked In Same Week.
- Posted by Cliff Neve
Ports are under Cyber-Attack - Prepare now!
Ports are constantly being probed by nefarious actors, and two ports last month confirmed that they had been hacked.
The Port of San Diego CEO, Randa Coniglio, released the following statement on September 26th:
“The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems. The Port first received reports of the disruption on Tuesday, September 25, 2018. The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems.”
The Port of Barcelona, Spain, was hacked the same week. Just as alarmingly, victims often do not find out that they have been hacked until months later, if ever, because they lack insight into their networks and information systems.
Prevention is the key. A Seebald & Associates partner, MAD Security, offers a very affordable Cyber Security 360 Health Check that includes an external network vulnerability assessment/scan and an assessment of defense strategy and technology. The deliverable includes a roadmap for closing gaps in your cyber defenses, an overall rating, ratings in dozens of subcategories, and specific recommendations for how to resolve gaps.
More information can be found here: http://www.madsecurity.com/360_deg_health_check/