From: The Maritime Executive
In mid-July, the Coast Guard took its own action. Following its December 2016 addition of cybersecurity to the list of “security” items covered by the 2002 Maritime Transportation Security Act (MTSA), the Coast Guard on July 15 announced a request for public comment on its Navigation and Vessel Inspection Circular (NVIC) 05-17: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities. If promulgated, this NVIC would “begin to lay out a series of policies and procedures” to mitigate growing cybersecurity risks while preserving the operational capability of the Maritime Transportation System. Essentially, the NVIC would clarify that the existing MTSA requirements already extend to the analysis of computer and cyber risks, and it would set out guidance for addressing those risks. In particular, it would explain how to incorporate cyber risks into an effective Facility Security Assessment (FSA) and would offer additional best practices, in the form of policies and procedures, that operators of maritime facilities could adopt to reduce their cyber risk.
This Coast Guard initiative would bring maritime facility security more in line with cyber best practices in other industries. For example, the draft guidance relies heavily on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). First published in 2014, the NIST CSF helps organizations identify their own cyber risks and vulnerabilities so that they can mitigate them systematically. The Framework, like the Coast Guard’s proposed NVIC, favors a holistic, proactive, and tailored process over a standardized, one-and-done exercise. Both also put forward specific recommendations, such as reviewing the security of third parties and “air gapping” certain networks, that is, physically isolating them from the internet and from other connected networks, so that internet-borne malware cannot reach them. An air gap does not remove the risk carried in by removable media or maintenance laptops, so isolated networks still need their own controls.