As the summer boating season reaches its peak, we know that many of our clients, including FSOs and the many facility employees, like to head out on the water for some recreation after the work day is done.  As Seebald & Associates is made up of retired Coast Guard and Coast Guard Auxiliary members, we share this love of the water.

While you are out boating, always wear your life jacket, never boat while intoxicated, and keep a sharp lookout for other boaters, commercial vessels, heavy weather, and any other events that could create a safety risk.  We also encourage all boaters to take a Coast Guard boating safety course, and to have a qualified member of the Coast Guard Auxiliary conduct a courtesy vessel exam.  For more information on boating safety, go to https://www.uscgboating.org/.

Finally, an FSO’s work is never done, which means you should also be alert for any security risks on the water.  As boaters, you are in the best position to identify suspicious activity at marinas, along our waterways, or near commercial vessels or facilities.  If you see something concerning, call the NRC at 1 800-424-8802, or 877-24WATCH.  America’s Waterway Watch provides more information on identifying and responding to suspicious activity. 

So when you are getting your boat ready, wear your life jacket, pack your safety gear, and bring the same strong security culture you champion at work.  Help yourself and help our nation identify threats by staying alert on the water.

 

In conjunction with the novel coronavirus (COVID-19) guidance provided to commercial vessels by the Coast Guard in Marine Safety Information Bulletin (MSIB) Numbers 02-20 (as amended) and 06-20, the Coast Guard is providing the following updated information to port and facility operators as it relates to COVID-19. 

The facility compliance regulations outlined throughout 33 Code of Federal Regulations remain in force, and facility operators are expected to continue to comply with these requirements. Questions or issues that arise as a result of COVID-19 should, where possible, be addressed in accordance with regulations outlined in 33 Code of Federal Regulations, and any plans and manuals already approved/reviewed by the Coast Guard. However, it is recognized that the COVID-19 pandemic has resulted in a myriad of unique operating conditions that warrant special considerations. Some challenges have included cruise ships mooring at facilities not approved for passenger operations, garbage removal, and facility and vessel crew interactions. Because of these operational concerns, the following clarification and guidance is provided to help ensure the safety and security of workers, ports, and facilities:

Signatures: Both Declarations of Security (DoS) and Declarations of Inspection (DOI) require signatures. Electronic signatures discussed below are acceptable. However, if electronic signatures are not reasonable, in lieu of having one DoS/DOI with two signatures, two separate forms may be used. Each DoS/DOI will be signed and the name of the other Person in Charge (PIC) or Facility Security Officer (FSO)/Vessel Security Officer (VSO) or their designated representative should be written on each form with a date and time. Each PIC and FSO/VSO shall keep their respective copies. Communications are key and both parties should ensure complete understanding of their duties and responsibilities before beginning any operations. (Ch 1) 

Declarations of Security (DoS) – 33 CFR 105.245 and approved Facility Security Plans require a DoS to be completed in certain situations, depending on the Maritime Security (MARSEC) level. While there may be a requirement to complete a DoS, there is no requirement for the coordination of security needs and procedures, signature of the DoS, or implementation of agreed upon measures to be conducted in a face-to-face manner between the FSO and the Master, VSO, or their designated representative. As such, electronic communication may be used for the purposes of completing the DoS, however a conversation should still occur between both the vessel and facility. 

Declarations of Inspection (DOI) – 33 CFR 156.150 requires a DOI to be completed before any transfer of oil or hazardous material to or from a vessel. Prior to the transfer beginning and in accordance with 33 CFR 156.120 and 156.120(w), the PIC from the vessel and facility shall meet to begin completing the DOI and hold a conference to ensure both parties understand the operation. The DOI meeting/conference can be completed over the radio, phone or at a safe social distance and still meet these requirements; however, both PICs must communicate with each other before beginning any transfer. Additionally, both PICs shall sign the DOI, but it can be done electronically, or in accordance with the “Signatures” paragraph above. All other requirements of 33 CFR 156.150 must be met before the transfer begins. (Ch 2)

Seafarer’s Access - Maritime facility operators are reminded they are not permitted to impede the embarkation/disembarkation of crew members as permitted under Seafarer's Access regulations. The authority to restrict access resides with Customs and Border Protection (CBP), the Coast Guard, and the Center for Disease Control (CDC) for medical matters. Facility operators should contact their local CBP, Coast Guard, or the CDC, State and local health department offices regarding specific questions or concerns about their individual operations. Nothing in the Seafarer Access requirements prevents the facility from maximizing options to minimize direct interaction that may include use of camera systems, barriers, or other measures. These modifications can be made to the Facility Security Plan (FSP) or use of Noncompliance, as discussed below, may be used.

Noncompliance – 33 CFR 105.125 discusses noncompliance with the facility security requirements. If a situation arises where a facility will not be able to comply with the requirements of 33 CFR 105, the facility must contact the Captain of the Port (COTP) to request and receive permission to temporarily deviate from the requirements. Potential situations where this can be used are modified escort requirements in secure areas or mooring a cruise ship at a non-passenger terminal. This request should include any new measures or safeguards the facility plans to employ to mitigate any risk from the non-compliance with 33 CFR 105. While not discussed in 33 CFR 105, the facility operator should also evaluate and consider any safety risks that may be created from the non-compliance. For example, if a facility will receive a different type of vessel than they normally receive, the facility operator should consider if the dock is physically capable of handling that vessel, and any logistical issues that may arise such as movement of personnel from the vessel off the facility, any medical issues or personnel that may be introduced to the facility, supplies for the vessel, and waste removal from the vessel. 

Equipment Testing - 33 CFR 126, 127, 154, and 156 contain various requirements for conducting tests on different facility systems and equipment. Due to the COVID-19 pandemic, some of these tests may be impractical for various reasons. When a facility is unable to conduct these tests, as an alternative, they should submit a request to the local COTP in accordance with 33 CFR 126.12, 127.017, 154.107, 156.107 as appropriate, to extend the deadline, outlining the reason(s) the delay is needed and any additional interim measures that will be employed to help ensure the safety of the system until the required test can be carried out. For example, if a facility desires to extend the hydrostatic test date of facility transfer pipeline required by 33 CFR 156.170, they should submit a written request to the COTP. The request may state the test is not safe at this time due to the need to introduce third party contractors onto the facility, the amount of product in the pipeline/tanks and that the facility will increase visual inspections of the transfer pipeline until the required annual hydrostatic test can be completed. If there are no significant safety issues, COTPs may approve extension requests for up to three months to expire on 30 September 2020. (Ch 2)

Third Party Audits/Assessments - In accordance with 33 CFR 105.415(b), the FSO must ensure an audit of the FSP is performed annually. The annual audit may be completed internally and there is no requirement to use third parties. The person conducting the audit must have knowledge of methods for conducting audits, not have regularly assigned security duties, and be independent of any security measures being audited, unless appropriately excepted, per 33 CFR 105.415(d). The facility may also maintain social distancing if performing the audit onsite or develop another method for a virtual review as there is no requirement for the audit to be conducted in person. If the facility chooses a virtual audit, encrypted emails should be used to protect Sensitive Security Information. However, the initial Facility Security Assessment or review/validation required every five years must have an on-scene survey per 33 CFR 105.305(b), but there is no requirement that it be performed by a third party. (Ch 2) 

Waste Reception Facilities – Garbage and Medical Waste 

33 CFR 158 regulations require all ports and terminals under the jurisdiction of the United States to provide vessels with reception facilities for garbage (33 CFR 158.133(c)). International regulations require these reception facilities to have a Certificate of Adequacy (COA) issued by the Coast Guard that attests to their ability to offload garbage, which may include medical waste (33 CFR 158.410). Medical waste is defined in 33 CFR 158.120 as “isolation wastes, infectious waste, human blood and blood products, pathological wastes, sharps, body parts, contaminated bedding, surgical wastes and potentially contaminated laboratory wastes, dialysis wastes and such additional medical items as prescribed by the EPA by regulation.” 

o Reception Facilities - Ports and terminals must be ready to receive any medical waste from any vessels calling at their facility. This means that those ports/terminal with or without a COA for garbage, must provide vessels with adequate reception facilities for medical waste or a list of persons authorized by federal, state or local law or regulation to transport and treat such wastes. 

o Vessels - In addition to notifying the COTP, vessels must coordinate with the port/terminal/recreational boating facility their needs for reception facilities for medical waste, 24 hours in advance of their arrival (33 CFR 151.65(b)), or immediately if already in port.

o COA Waivers - If there are issues or concerns with the health hazards associated with any garbage, reception facilities and vessels should work with the appropriate federal, state, and/or local agencies to determine the actual risks and formulate a plan of action based on information received from those agencies. COTP may also exercise their authority to grant waivers under 33 CFR 158.150, if necessary, to allow for offloading of medical waste or garbage to a reception facility without having a COA. 

• Facility Safety and Security Inspections: Coast Guard COTPs will continue to use risk based decision making to determine if a facility inspection or spot check will be conducted. Owners and operators should work closely with the COTP to determine if attendance for a full or abbreviated inspection is necessary and what mitigation measures may be taken to include social distancing, phone interviews, providing electronic logs, etc. The COTP may conduct and credit a virtual inspection based off facility inspection history, phone interviews, review of electronic records/pictures, etc., or defer an inspection/spot check for up to 90 days. (Ch 2)

• TWIC Enrollment Centers – If applicants are planning to visit an enrollment center, please use the “Find an Enrollment Center” feature at the bottom of the Universal Enroll website (https://universalenroll.dhs.gov/locator) to determine if the center is open and its hours of operation. 

This release has been issued for public information and notification purposes only. 

The Coast Guard recently published NVIC 01-20, which addresses cyber security requirements for facilities subject to the MTSA.  Although the Coast Guard has been addressing cyber security in the marine transportation system since about 2013, this NVIC represents a significant policy change in that it requires facility operations to incorporate cyber security into their Facility Security Plans. 

A key purpose of the NVIC is “to assist owners and operators in identifying computer systems and networks whose failure or exploitation could cause or contribute to a Transportation Security Incident (TSI).” 

As FSOs and facility operators know, an informed, thoughtful Facility Security Assessment is the foundation of any Facility Security Plan.  The FSA starts with identifying and validating possible vulnerabilities, and then applying mitigation measures. 

To meet the intent of the NVIC, we simply have to incorporate our cyber dependent systems into that process.  That will include systems that contribute directly to security, like cameras and PACS, and systems with security implications, like communications or cargo control.

There are, of course, challenges.  How can one determine if a given cyber system is “vulnerable?”  When selecting mitigation measures, what cyber security standards is the Coast Guard likely to accept?  How can facility operators identify what systems fall within the scope and intent of the MTSA?  How should those measures be described in an FSP in a way that provides reasonable clarity without constraining business flexibility or revealing proprietary information? 

Fear not.  At Seebald & Associates, we are in frequent contact with the Coast Guard personnel responsible for these policies, and our team includes personnel with a deep understanding of cyber security at both the policy and technical level.

One useful approach is to make use of the Cyber Security Framework, developed by the National Institute of Standards and Technology (NIST) and referenced in section 3.b. of the NVIC.  The Framework is arranged around 5 basic concepts – Identify, Protect, Detect, Respond, and Recover – that align well with MTSA regulations.  The Framework is flexible, suitable to organizations of any size/complexity, and performance oriented.  If you use Industrial Control Systems, then we also recommend incorporating NIST 800-82, which is the other framework referenced in the NVIC.

Seebald & Associates will be hosting one or more webinars on this topic in the near future.  In the meantime, take a look at the table below to see a simplified example of how a facility might start the process of addressing cyber in a way that meets the intent of the NVIC: 

| Coast Guard Requirement | NIST Framework | Example in FSP or Cyber Annex |
| --- | --- | --- |
| Facility Security Assessment | Identify | Include cyber/IT/OT experts in the FSA. Identify and evaluate ways that cyber vulnerabilities could contribute to a TSI. Technical procedures such as security scans and penetration testing may be employed to validate and quantify cyber vulnerabilities. |
| Security Organization | Identify | FSP should identify who in the organization has responsibility for cyber security, and how that person will communicate and coordinate with the FSO. |
| Access Control and Restricted Areas | Protect | FSP may reflect topics such as authentication, least privilege, encryption, and mobile device management (BYOD). |
| Monitoring | Detect | FSP may reflect topics such as routine scanning of inbound/outbound data, data logging, use of virus detection software. |
| Cargo Handling and DoS | Protect, Detect | FSP may address security concerns with electronic transmission of cargo information between the facility and visiting vessels, including use of portable media (data in motion). Other topics include security of databases used for tracking cargo status/location on the facility (data at rest). DoS procedures may address data transmitting procedures and notifications of suspicious cyber activity for the facility and visiting vessels. |
| Security Incidents, Drills, Exercises, and Training | Respond, Recover | FSP may address topics such as incident monitoring, reporting, and logging, the use of backups, restoration procedures and testing, and procedures to ensure that a compromised system has been properly addressed and is now considered safe to operate. |

TSA issued a notice, Exemption to Extend the Expiration Date of Certain Transportation Worker Identification Credentials, on April 10, 2020. With this notice, TSA is granting a temporary exemption from requirements in 49 CFR part 1572 regarding the expiration of certain Transportation Worker Identification Credentials (TWIC®s).

For TWICs expiring between March 1, 2020, and July 31, 2020, the exemption extends the validity of a TWIC for 180 days for an individual whose TWIC would otherwise expire during the effective period of the exemption, which remains in effect through July 31, 2020. TSA may extend this exemption at a future date depending on the status of the Corona Virus Disease 2019 (COVID-19) National Emergency. 

Frequently Asked Questions:

Q: Why is TSA granting this exemption? 

A: TSA determined that it is in the public interest to grant an exemption from the current expiration standard in 49 CFR part 1572, which is five years from the date of issuance, given the need for transportation workers to continue to work without interruption during the current National Emergency created by the COVID-19 pandemic. 

Q: Has the U.S. Coast Guard (USCG) provided guidance on the use of TWIC? 

A: Yes. USCG published Marine Safety Information Bulletin 13-20. Updated information on USCG operations and procedures may be found under “Featured Content” on the USCG Deputy Commandant for Operations website and by monitoring Coast Guard Maritime Commons.

Q: Do TWIC holders need to take any action(s) to extend their Security Threat Assessment? 

A: No. This exemption applies to TWICs that expire on or after March 1, 2020, through July 31, 2020. For those TWICs, TSA will extend the security threat assessment expiration date for an eligible TWIC to 180 days after the current expiration date that appears on the face of the credential. If the 180 day period extends past July 31, 2020, the TWIC will be valid for the remainder of the extended 180-day period based on the expiration date of the TWIC. In accordance with USCG requirements, facility or vessel owners and operators may accept TWIC cards that show an expired date for unescorted access to secure areas. (Note: For new TWIC enrollments, TSA is planning to keep enrollment centers open. Please visit https://universalenroll.dhs.gov to verify enrollment center operations.) 

Q: Does this exemption compromise national or transportation security? 

A: The risk to transportation security associated with this exemption is low. TSA maintains the ability to recurrently vet TWIC holders and take action to cancel or revoke a TWIC if derogatory information becomes available, regardless of the expiration date. 

Q: Where can I find more information on TSA’s temporary exemption? 

A: The exemption notice is appended to this fact sheet and published to the Federal Register. For additional information, please contact the TSA TWIC program.


Marine Safety Information Bulletin 13-20,  

COVID 19 – Transportation Worker Identification Credential (TWIC®) Operations 

The uninterrupted flow of commerce on our Marine Transportation System (MTS) is critical to both National Security and National economic well-being. During this National emergency for COVID-19 it is paramount that the Coast Guard safeguards the continued operation of the MTS to ensure our domestic supply chain continues uninterrupted. The regulations outlined throughout 33 and 46 Code of Federal Regulations remain in force, and maritime operators are expected to continue to comply with these requirements. However, when compliance with these regulations cannot reasonably be met as a result of COVID-19, the Coast Guard will exercise flexibility to prevent undue delays. The following clarification is provided regarding the Transportation Worker Identification Credential (TWIC®), which is jointly managed by the Coast Guard and the Transportation Security Administration (TSA). TSA may grant a temporary exemption from certain requirements in 49 CFR part 1572 for the expiration of the TWIC for current cardholders. If this occurs the Coast Guard will take these exemptions into consideration. 

Maritime Facilities and Vessels: 

TWIC Readers - the Coast Guard is not changing or delaying the TWIC Reader Rule implementation date of June 7, 2020, for facilities that receive vessels certificated to carry more than 1,000 passengers and vessels certificated to carry more than 1,000 passengers. However, the Coast Guard will delay enforcement until October 5, 2020. Applicable facilities and vessels are not required to update facility security plans (FSP)/vessel security plans (VSP) or install readers until the revised enforcement date. 

Escort Ratios – Escort ratios for secure and restricted areas of a facility are provided in Navigation and Inspection Circular (NVIC) 03-07. To provide flexibility due to COVID-19 related health impacts, the escort ratio may be adjusted to meet employee shortages or other demands. This would constitute a change to the FSP or require Captain of the Port approval via noncompliance (discussed below and in MSIB 07-20). 

New Hires – After enrollment has been completed and a new hire has presented an acceptable form of identification per 33 CFR 101.515(a) to the vessel security officer or facility security officer, that new hire may be allowed access to secure or restricted areas where another person(s) is present who holds a TWIC and can provide reasonable monitoring. The side-by-side escorting required in 33 CFR 101.105 for restricted areas will not be enforced during the COVID-19 pandemic. Additional compliance options for new hires can be found in 33 CFR 104.267 and 105.257 or via noncompliance (discussed below). 

Alternative Security Program (ASP) – Local users who are unable to comply with the requirements in an approved ASP may pursue temporary relief via noncompliance (discussed below) or an amendment can be submitted to cover the entire ASP via submission to CG-FAC. 

Noncompliance – 33 CFR 104.125 and 105.125 discuss noncompliance with facility and vessel security requirements. If a situation arises where a facility or vessel will not be able to comply with the requirements of 33 CFR parts 104 or 105, they must contact the Captain of the Port (COTP) to request and receive permission to temporarily deviate from the requirements. While not discussed in 33 CFR 104.125 or 105.125, the vessel or facility operator should evaluate and consider any safety risks that may be created from the noncompliance. This request to continue operations should include new measures or safeguards the facility or vessel plans to employ to mitigate any risk from the non-compliance with 33 CFR part 104 or 105.


Merchant Mariner Credentials 

The Coast Guard is providing flexibility with regard to requirements to have a TWIC when applying for a credential or when serving under the authority of a credential. To date, the processing of submitted TWIC enrollments has not been impacted by the COVID-19 crisis, and there is no delay in vetting, card production, and issuance. However, TSA and the Coast Guard recognize that this is an evolving public health situation and enrollment center closures or processing delays will impact applicants for a merchant mariner credential (see below for more on TSA enrollment centers).

Under 46 CFR 10.203(b), failure to hold a valid TWIC may serve as grounds for suspension or revocation of a merchant mariner credential (MMC). The Coast Guard will not pursue any suspension and revocation actions based on expired TWICs during the COVID-19 pandemic. The Coast Guard will update industry prior to reinstating enforcement of this requirement. This enforcement discretion for expired TWICs does not apply to cases where a mariner’s TWIC has been suspended or revoked due to a determination that they are a security threat. In those cases, the Coast Guard may pursue suspension or revocation of the MMC.

With respect to expired TWICs in the MMC application process, mariners applying for an original credential will be treated differently than mariners seeking a renewal, raise of grade or new endorsement. This is because the TSA provides the Coast Guard with biometric and biographic information (including the photograph) necessary to evaluate and produce a MMC. 

Mariners applying for an original credential need to demonstrate that they have enrolled for a TWIC. Mariners may pre-enroll for a TWIC online, can schedule an appointment, but must complete the in-person enrollment process at the nearest TSA enrollment center. While this proof of application is sufficient to begin the merchant mariner credentialing process, an applicant for an original credential will be unable to obtain a MMC until their biographic and biometric information is provided to the Coast Guard by TSA. 

For mariners already holding a MMC, if their TWIC expires, and their credential remains valid, then no action needs to be taken and the credential remains valid. 

If a mariner applies for a renewal, raise of grade, new endorsement or duplicate merchant mariner credential while their TWIC is expired, they may apply without a valid TWIC if they demonstrate that they have enrolled for a TWIC renewal. 

TSA Enrollment Centers – TSA’s Enrollment Centers remain open, at this time, and TSA is processing new TWIC enrollments. According to TSA, some enrollment centers have closed and may continue to close for a period of time to ensure the safety, health and wellness of staff and the public. If applicants are planning to visit an enrollment center, TSA encourages individuals to use the “Find an Enrollment Center” feature at the bottom of the Universal Enrollment Services home page (https://universalenroll.dhs.gov/locator) to determine if the center is open and its hours of operation. TWIC enrollments must be completed in-person at an enrollment center. You will be required to provide the necessary identity/immigration documentation and submit fingerprints during your in-person enrollment. It is recommended that you schedule an appointment. You may pre-enroll and schedule an appointment online (https://universalenroll.dhs.gov).

Richard V. Timme, RDML, U. S. Coast Guard, Assistant Commandant for Prevention Policy sends 

U.S. Coast Guard
Commandant
Inspections and Compliance Directorate
2703 Martin Luther King Jr Ave SE, STOP 7501
Washington, DC 20593-7501

Date: April 3, 2020
MSIB Number: 13-20