Proposed Rule 2024-03075

Cybersecurity in the Marine Transportation System

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
February 22, 2024

Issuing agencies

Homeland Security Department
Coast Guard

Abstract

The Coast Guard proposes to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This proposed rule would help to address current and emerging cybersecurity threats in the marine transportation system. We seek your comments on this proposed rule and whether we should: use and define the term reportable cyber incident to limit cyber incidents that trigger reporting requirements, use alternative methods of reporting such incidents, and amend the definition of hazardous condition.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 36 (Thursday, February 22, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 36 (Thursday, February 22, 2024)]
[Proposed Rules]
[Pages 13404-13514]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-03075]



[[Page 13403]]

Vol. 89

Thursday,

No. 36

February 22, 2024

Part II





Department of Homeland Security





-----------------------------------------------------------------------





Coast Guard





-----------------------------------------------------------------------





33 CFR Parts 101 and 160





Cybersecurity in the Marine Transportation System; Proposed Rule


[[Page 13404]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Coast Guard

33 CFR Parts 101 and 160

[Docket No. USCG-2022-0802]
RIN 1625-AC77


Cybersecurity in the Marine Transportation System

AGENCY: Coast Guard, Department of Homeland Security (DHS).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Coast Guard proposes to update its maritime security 
regulations by adding regulations specifically focused on establishing 
minimum cybersecurity requirements for U.S.-flagged vessels, Outer 
Continental Shelf facilities, and U.S. facilities subject to the 
Maritime Transportation Security Act of 2002 regulations. This proposed 
rule would help to address current and emerging cybersecurity threats 
in the marine transportation system. We seek your comments on this 
proposed rule and whether we should: use and define the term reportable 
cyber incident to limit cyber incidents that trigger reporting 
requirements, use alternative methods of reporting such incidents, and 
amend the definition of hazardous condition.

DATES: Comments and related material must be received by the Coast 
Guard on or before April 22, 2024.

ADDRESSES: You may submit comments identified by docket number USCG-
2022-0802 using the Federal Decision-Making Portal at 
<a href="http://www.regulations.gov">www.regulations.gov</a>. See the ``Public Participation and Request for 
Comments'' portion of the SUPPLEMENTARY INFORMATION section for further 
instructions on submitting comments. You may also find this notice of 
proposed rulemaking, with its 100-word-or-less summary, in this same 
docket at <a href="http://www.regulations.gov">www.regulations.gov</a>.
    Collection of information. Submit comments on the collection of 
information discussed in section VI.D of this preamble both to the 
Coast Guard's online docket and to the Office of Information and 
Regulatory Affairs (OIRA) in the White House Office of Management and 
Budget (OMB) using their website, <a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. 
Comments sent to OIRA on the collection of information must reach OIRA 
on or before the comment due date listed on their website.

FOR FURTHER INFORMATION CONTACT: For information about this document, 
email MTSCyberRule@uscg.mil or call: Commander Brandon Link, Office of 
Port and Facility Compliance, 202-372-1107, or Commander Frank Strom, 
Office of Design and Engineering Standards, 202-372-1375.

SUPPLEMENTARY INFORMATION:

Table of Contents for Preamble

I. Public Participation and Request for Comments
II. Abbreviations
III. Basis and Purpose
    A. The Problem We Seek To Address
    B. Recent Legislation and Policy
    C. Legal Authority To Address This Problem
IV. Background
    A. The Current State of Cybersecurity in the MTS
    B. Current Cybersecurity Regulations
V. Discussion of Proposed Rule
VI. Regulatory Analyses
    A. Regulatory Planning and Review
    B. Small Entities
    C. Assistance for Small Entities
    D. Collection of Information
    E. Federalism
    F. Unfunded Mandates
    G. Taking of Private Property
    H. Civil Justice Reform
    I. Protection of Children
    J. Indian Tribal Governments
    K. Energy Effects
    L. Technical Standards
    M. Environment

I. Public Participation and Request for Comments

    The Coast Guard views public participation as essential to 
effective rulemaking and will consider all comments and material 
received during the comment period. Your comment can help shape the 
outcome of this rulemaking. If you submit a comment, please include the 
docket number for this rulemaking, indicate the specific section of 
this document to which each comment applies, and provide a reason for 
each suggestion or recommendation.
    Submitting comments. We encourage you to submit comments through 
the Federal Decision-Making Portal at <a href="http://www.regulations.gov">www.regulations.gov</a>. To do so, go 
to <a href="http://www.regulations.gov">www.regulations.gov</a>, type USCG-2022-0802 in the search box and click 
``Search.'' Next, look for this document in the Search Results column, 
and click on it. Then click on the Comment option. If you cannot submit 
your material by using <a href="http://www.regulations.gov">www.regulations.gov</a>, call or email the persons 
in the FOR FURTHER INFORMATION CONTACT section of this proposed rule 
for alternate instructions.
    Viewing material in docket. To view documents mentioned in this 
proposed rule as being available in the docket, find the docket as 
described in the previous paragraph, and then select ``Supporting & 
Related Material'' in the Document Type column. Public comments will 
also be placed in our online docket and can be viewed by following 
instructions on the <a href="http://www.regulations.gov">www.regulations.gov</a> Frequently Asked Questions 
(FAQ) web page. That FAQ page also explains how to subscribe for email 
alerts that will notify you when comments are posted or if a final rule 
is published. We review all comments received, but we will only post 
comments that address the topic of the proposed rule. We may choose not 
to post off-topic, inappropriate, or duplicate comments that we 
receive.
    Personal information. We accept anonymous comments. Comments we 
post to <a href="http://www.regulations.gov">www.regulations.gov</a> will include any personal information you 
have provided. For more about privacy and submissions to the docket in 
response to this document, see the Department of Homeland Security's 
eRulemaking System of Records notice (85 FR 14226, March 11, 2020).
    Public meeting. We do not plan to hold a public meeting, but we 
will consider doing so if we determine from public comments that a 
meeting would be helpful. We would issue a separate Federal Register 
notice to announce the date, time, and location of such a meeting.

II. Abbreviations

AMSC Area Maritime Security Committees
BLS Bureau of Labor Statistics
CEA Council of Economic Advisors
CFR Code of Federal Regulations
CGCSO Coast Guard Cyber Strategic Outlook
CG-CVC Coast Guard Office of Commercial Vessel Compliance
CGCYBER U.S. Coast Guard Cyber Command
CG-ENG Coast Guard Office of Design and Engineering Standards
CG-FAC Coast Guard Office of Port and Facility Compliance
CIRCIA Cyber Incident Reporting for Critical Infrastructure Act of 
2022
CISA Cybersecurity and Infrastructure Security Agency
COTP Captain of the Port
CPG Cybersecurity Performance Goal
CRM Cyber risk management
CSF Cybersecurity framework
CSRC Computer Secure Resource Center
CySO Cybersecurity officer
DHS Department of Homeland Security
FR Federal Register
FSA Facility security assessment
FSP Facility security plan
HMI Human-machine interface
ICR Information collection request
IEc Industrial Economics, Incorporated
IMO International Maritime Organization
IP internet protocol
IRFA Initial Regulatory Flexibility analysis
ISM International Safety Management
IT Information technology
KEV Known exploited vulnerability
MCAAG Maritime Cybersecurity Assessment and Annex Guide
MISLE Marine Information for Safety and Law Enforcement
MODU Mobile offshore drilling unit
MSC Marine Safety Center
MSC-FAL International Maritime Organization's Marine Safety 
Committee and Facilitation Committee
MTS Marine transportation system
MTSA Maritime Transportation Security Act of 2002
NAICS North American Industry Classification System
NIST National Institute of Standards and Technology
NMSAC National Maritime Security Advisory Committee
NPRM Notice of proposed rulemaking
NRC National Response Center
NVIC Navigation and Vessel Inspection Circular
OCMI Officer in Charge, Marine Inspection
OCS Outer continental shelf
OEWS Occupational Employment and Wage Statistics
OMB Office of Management and Budget
OSV Offshore supply vessel
OT Operational technology
PII Personally identifiable information
QCEW Quarterly Census of Employment and Wages
RIA Regulatory impact analysis
Sec.  Section
SBA Small Business Administration
SME Subject matter expert
SMS Safety management system
TSI Transportation security incident
U.S.C. United States Code
VSA Vessel security assessment
VSP Vessel security plan

III. Basis and Purpose

A. The Problem We Seek To Address

    The maritime industry is undergoing a significant transformation 
that involves increased use of cyber-connected systems. While these 
systems improve commercial vessel and port facility operations, they 
also bring a new set of challenges affecting design, operations, 
safety, security, training, and the workforce.
    Every day, malicious actors (including, but not limited to, 
individuals, groups, and adversary nations posing a threat) attempt 
unauthorized access to control system devices or networks using various 
communication channels. An example of a successful attempt occurred in 
May 2021, when the Colonial Pipeline Company suffered a cyber-attack 
that disrupted the supply of fuel to the east coast of the United 
States. These cybersecurity threats require the maritime community to 
effectively manage constantly changing risks to create a safer cyber 
environment.
    The purpose of this notice of proposed rulemaking (NPRM) is to 
safeguard the marine transportation system (MTS) against current and 
emerging threats associated with cybersecurity by adding minimum 
cybersecurity requirements to part 101 of title 33 of the Code of 
Federal Regulations (CFR) to help detect, respond to, and recover from 
cybersecurity risks that may cause transportation security incidents 
(TSIs). This proposed rule would help address current and emerging 
cybersecurity threats to maritime security in the MTS.
    Cybersecurity risks result from vulnerabilities in the operation of 
vital systems, which increase the likelihood of cyber-attacks on 
facilities, Outer Continental Shelf (OCS) facilities, and vessels. 
Cyber-related risks to the maritime domain are threats to the critical 
infrastructure that citizens and companies depend on to fulfill their 
daily needs. Additionally, the proposed rule is necessary because it 
would create a regulatory environment for cybersecurity in the maritime 
domain to assist facilities, OCS facilities, and vessel firms that may 
not have taken cybersecurity measures on their own, for various 
reasons. In a 2018 report by the Council of Economic Advisors (CEA), 
the CEA stated ``[a] firm with weak cybersecurity imposes negative 
externalities on its customers, employees, and other firms, tied to it 
through partnerships and supply chain relations. In the presence of 
externalities, firms would rationally underinvest in cybersecurity 
relative to the socially optimal level. Therefore, it often falls to 
regulators to devise a series of penalties and incentives to increase 
the level of investment to the desired level.'' \1\
---------------------------------------------------------------------------

    \1\ Economic Report of the President Together with the Annual 
Report of the Council of Economic Advisers (Feb. 2018), <a href="https://www.govinfo.gov/content/pkg/ERP-2018/pdf/ERP-2018.pdf">https://www.govinfo.gov/content/pkg/ERP-2018/pdf/ERP-2018.pdf</a> (accessed Dec. 
15, 2023). Pages 323-324.
---------------------------------------------------------------------------

    In the report, the CEA also emphasized that ``[c]ontinued 
cooperation between the public and private sectors is the key to 
effectively managing cybersecurity risks. . . . The government is 
likewise important in incentivizing cyber protection--for example, by 
disseminating new cybersecurity standards, sharing best practices, 
conducting basic research on cybersecurity, protecting critical 
infrastructures, preparing future employees for the cybersecurity 
workforce, and enforcing the rule of law in cyberspace.'' \2\
---------------------------------------------------------------------------

    \2\ Id. at 324-325.
---------------------------------------------------------------------------

    Furthermore, the CEA acknowledged that ``[f]irms and private 
individuals are often outmatched by sophisticated cyber adversaries. 
Even large firms with substantial resources committed to cybersecurity 
may be helpless against attacks by sophisticated nation-states.'' \3\ 
As an example, the CEA stated, ``firms that own critical infrastructure 
assets, such as parts of the nation's power grid, may generate 
pervasive negative spillover effects for the wider economy.'' \4\
---------------------------------------------------------------------------

    \3\ Id. at 326.
    \4\ Id. at 326.
---------------------------------------------------------------------------

    Lastly, the CEA stated that another problem in the marketplace is 
``firms' reluctance to share information on cyber threats and 
exposures,'' which ``impairs effective cybersecurity.'' \5\ 
The CEA further stated that ``firms remain reluctant to increase their 
exposure to legal and public affairs risks. The lack of information on 
cyberattacks and data breaches suffered by other firms may cause less 
sophisticated small firms to conclude that cybersecurity risk is not a 
pressing problem. . . . [T]he lack of data may be stymying the ability 
of law enforcement and other actors to respond quickly and effectively 
and may be slowing the development of the cyber insurance market.'' \6\
---------------------------------------------------------------------------

    \5\ Id. at 326.
    \6\ Id. at 326.
---------------------------------------------------------------------------

    This proposed rule would apply to the owners and operators of U.S.-
flagged vessels subject to 33 CFR part 104 (Maritime Security: 
Vessels), facilities subject to 33 CFR part 105 (Maritime Security: 
Facilities), and OCS facilities subject to 33 CFR part 106 (Marine 
Security: Outer Continental Shelf (OCS) Facilities). The proposed 
requirements include account security measures, device security 
measures, data security measures, governance and training, risk 
management, supply chain management, resilience, network segmentation, 
reporting, and physical security.
    This NPRM also seeks public comments specifically on defining a 
reportable cyber incident in 33 CFR 101.615 and using that term to 
limit reporting requirements; whether certain reports required under 
proposed Sec. Sec.  101.620 and 101.650 should be sent to the 
Cybersecurity and Infrastructure Security Agency (CISA); and whether to 
amend the definition of hazardous condition in 33 CFR part 160. We will 
consider comments on these three issues in deciding whether to amend 
the regulatory text we have proposed.
    The Coast Guard welcomes comments on all aspects of this 
rulemaking, including the proposed changes to definitions and the 
assumptions and estimates in section VI.A., Regulatory Planning and 
Review. Section VI.A. of this preamble addresses, for instance, 
developing a Cybersecurity Plan and
cybersecurity drill components, the affected population, device 
security measures, supply chain management, network segmentation, 
physical security, implementing and maintaining multifactor 
authentication, and owners and operators' existing practices on the 
proposed cybersecurity measures.

B. Recent Legislation, Regulations, and Policy

    In the Maritime Transportation Security Act of 2002 (MTSA),\7\ 
Congress provided a framework for the Secretary of Homeland Security 
(``Secretary''), acting through the Coast Guard,\8\ and maritime 
industry to identify, assess, and prevent TSIs in the MTS. MTSA vested 
the Secretary with authorities for broad security assessment, planning, 
prevention, and response activities to address TSIs, including the 
authority to require and set standards for Facility Security Plans 
(FSPs), OCS FSPs, and Vessel Security Plans (VSPs), to review and 
approve such plans, and to conduct inspections and take enforcement 
actions.\9\ The Coast Guard's implementing regulations address a range 
of considerations to deter TSIs to the maximum extent practicable,\10\ 
and require, among other general and specific measures, security 
assessments and measures related to radio and telecommunication 
systems, including computer systems and networks.\11\
---------------------------------------------------------------------------

    \7\ Public Law 107-295, 116 Stat. 2064, November 25, 2002.
    \8\ The Secretary delegated this authority to the Commandant of 
the Coast Guard via Department of Homeland Security (DHS) Delegation 
00170.1(II)(97)(b), Revision No. 01.3.
    \9\ See generally, for example, 46 U.S.C. 70103.
    \10\ See 46 U.S.C. 70103(c)(1).
    \11\ See, for example, 33 CFR 104.300(d)(11), 104.305(d)(2)(v), 
105.300(d)(11), 105.305(c)(1)(v), 106.300(d)(11), 106.305(c)(1)(v), 
and 106.305(d)(2)(v).
---------------------------------------------------------------------------

    The Coast Guard has also issued additional guidance and policies to 
address potential cyber incidents in FSPs, OCS FSPs, and VSPs,\12\ 
including a cybersecurity risk assessment model that was issued in 
January 2023,\13\ and voluntary guidance issued to Area Maritime 
Security Committees (AMSC) in July 2023.\14\ Congress has repeatedly 
reaffirmed the MTSA framework, including through amendments passed in 
2016,\15\ 2018,\16\ and 2021.\17\ In the 2018 amendments, Congress 
amended MTSA to specifically require VSPs and FSPs to include 
provisions for detecting, responding to, and recovering from 
cybersecurity risks that may cause TSIs.\18\ The proposed regulatory 
amendments to 33 CFR part 101 reflect the Coast Guard's view on 
cybersecurity under MTSA, including, but not limited to, recent 
amendments to MTSA (such as Title 46 of the United States Code (U.S.C.) 
Section 70103). The proposed amendments provide more detailed mandatory 
baseline requirements for U.S.-flagged vessels and U.S. facilities 
subject to MTSA.
---------------------------------------------------------------------------

    \12\ One of the Coast Guard's guidance documents is the 
Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines 
for Addressing Cyber Risks at Maritime Transportation Security Act 
Regulated Facilities (85 FR 16108). This NVIC outlined Coast Guard's 
view on requirements for FSPs and facility security, including 
cybersecurity. A similar understanding with regard to VSPs was 
expressed in the Coast Guard's Office of Commercial Vessel 
Compliance's (CG-CVC) Vessel CRM Work Instruction CVC-WI-027(2), 
Vessel Cyber Risk Management Work Instruction, October 27, 2020, 
<a href="https://www.dco.uscg.mil/Portals/9/CVC-WI-27%282%29.pdf">https://www.dco.uscg.mil/Portals/9/CVC-WI-27%282%29.pdf</a>, accessed 
July 18, 2023.
    \13\ See Maritime Cybersecurity Assessment and Annex Guide 
(MCAAG) (January 2023), <a href="https://dco.uscg.mil/Portals/9/CG-FAC/Documents/Maritime%20Cyber%20Assessment%20%20Annex%20Guide%20(MCAAG)_released%2023JAN2023.pdf">https://dco.uscg.mil/Portals/9/CG-FAC/Documents/Maritime%20Cyber%20Assessment%20%20Annex%20Guide%20(MCAAG)_released%2023JAN2023.pdf</a>, accessed Aug. 4, 2023. The MCAAG was developed in 
coordination with the National Maritime Security Advisory Committee, 
AMSCs, and other maritime stakeholders. The guide serves as a 
resource for baseline cybersecurity assessments and plan development 
and helps stakeholders address vulnerabilities that could lead to 
transportation security incidents.
    \14\ NVIC 09-02, Change 6.
    \15\ Public Law 114-120, 130 Stat. 27, February 8, 2016.
    \16\ Public Law 115-254, 132 Stat. 3186, October 5, 2018.
    \17\ Public Law 116-283, 134 Stat. 4754, January 1, 2021.
    \18\ See Public Law 115-254, sec. 1805(d)(2) (codified at 46 
U.S.C. 70103(c)(3)(C)).
---------------------------------------------------------------------------

    Through three administrations, presidential policy has advanced 
cybersecurity in the maritime domain. Executive Order 13636 of February 
12, 2013 (Improving Critical Infrastructure Cybersecurity) recognized 
the Federal Government's efforts to secure our nation's critical 
infrastructure by working with the owners and operators of U.S. 
facilities, OCS facilities, and U.S.-flagged vessels to prepare for, 
prevent, mitigate, and respond to cybersecurity threats.\19\
---------------------------------------------------------------------------

    \19\ 78 FR 11739, February 19, 2013.
---------------------------------------------------------------------------

    To defend against malicious cyber-related activities, Executive 
Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons 
Engaging in Significant Malicious Cyber-Enabled Activities) recognized 
malicious cyber-related activities as an ``extraordinary threat to the 
national security, foreign policy, and economy of the United States,'' 
warranting a national emergency.\20\ The National Emergency with 
Respect to Significant Malicious Cyber-Enabled Activities has been 
extended as of March 30, 2023.\21\
---------------------------------------------------------------------------

    \20\ 80 FR 18077, April 2, 2015. Executive Order 13694 was later 
amended by Executive Order 13757 (82 FR 1, January 3, 2017), which 
outlined additional measures the Federal Government must take to 
address the national emergency identified in Executive Order 13694.
    \21\ 88 FR 19209, March 30, 2023.
---------------------------------------------------------------------------

    Executive Order 14028 of May 12, 2021 (Improving the Nation's 
Cybersecurity) also recognized that ``the private sector must adapt to 
the continuously changing threat environment, ensure its products are 
built and operate securely, and partner with the Federal Government to 
foster a more secure cyberspace.'' \22\
---------------------------------------------------------------------------

    \22\ 86 FR 26633.
---------------------------------------------------------------------------

    On July 28, 2021, the President issued the ``National Security 
Memorandum on Improving Cybersecurity for Critical Infrastructure 
Control Systems,'' \23\ which required the Secretary of Homeland 
Security to coordinate with the Secretary of Commerce (through the 
Director of the National Institute of Standards and Technology (NIST)) 
and other agencies, as appropriate, to develop baseline Cybersecurity 
Performance Goals (CPGs). These baseline CPGs would further a common 
understanding of the baseline security practices that critical 
infrastructure owners and operators should follow to protect national 
and economic security, as well as public health and safety. CISA's 
release of the CPGs in October 2022 was ``intended to help establish a 
common set of fundamental cybersecurity practices for critical 
infrastructure, and especially help small- and medium-sized 
organizations kickstart their cybersecurity efforts.'' \24\ The Coast 
Guard relied on CISA's CPGs as the benchmark for technical requirements 
in this proposed rule.
---------------------------------------------------------------------------

    \23\ The White House, National Security Memorandum on Improving 
Cybersecurity for Critical Infrastructure Control Systems, July 28, 
2021, <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/">https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/</a>, last accessed on July 
24, 2023.
    \24\ CISA, ``Cross-Sector Cybersecurity Performance Goals,'' 
<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals">https://www.cisa.gov/cross-sector-cybersecurity-performance-goals</a>, 
accessed July 18, 2023.
---------------------------------------------------------------------------

    In 2021, the Coast Guard published its Cyber Strategic Outlook 
(CGCSO) to highlight the importance of managing cybersecurity risks in 
the MTS.\25\ The CGCSO highlighted three lines of effort, or 
priorities, to improve Coast Guard readiness in cyberspace: (1) Defend 
and Operate the Coast Guard Enterprise Mission Platform; (2) Protect 
the MTS; and (3) Operate in and through Cyberspace.\26\ As outlined in 
the
CGCSO's second line of effort, ``Protect the MTS,'' the Coast Guard 
proposes to implement a risk-based regulatory, compliance, and 
assessment regime. We propose to establish minimum requirements for 
cybersecurity plans that facilitate the use of international and 
industry-recognized cybersecurity standards to manage cybersecurity 
risks by owners and operators of maritime critical infrastructure.\27\ 
Specifically, this proposed rule would promulgate the Coast Guard's 
baseline cybersecurity regulations for U.S.-flagged vessels and U.S. 
facilities (including OCS facilities) subject to MTSA.
---------------------------------------------------------------------------

    \25\ U.S. Coast Guard, ``Cyber Strategic Outlook,'' August 2021, 
<a href="https://www.uscg.mil/Portals/0/Images/cyber/2021-Cyber-Strategic-Outlook.pdf">https://www.uscg.mil/Portals/0/Images/cyber/2021-Cyber-Strategic-Outlook.pdf</a>, accessed July 18, 2023.
    \26\ These lines of effort evolved from the three ``strategic 
priorities'' introduced in the Coast Guard's Cyber Strategy, June 
2015. As cyber threats and vulnerabilities evolve, so will the Coast 
Guard's posture. <a href="https://www.dco.uscg.mil/Portals/10/Cyber/Docs/CG_Cyber_Strategy.pdf?ver=nejX4g9gQdBG29cX1HwFdA%3D%3D">https://www.dco.uscg.mil/Portals/10/Cyber/Docs/CG_Cyber_Strategy.pdf?ver=nejX4g9gQdBG29cX1HwFdA%3D%3D</a>, accessed 
July 18, 2023.
    \27\ The Coast Guard is aware that some entities already follow 
industry standards related to cybersecurity. The proposed minimum 
requirements seek to establish a common baseline for all the 
regulated vessels and facilities that would not be incompatible with 
such standards, recognizing that in some instances these proposed 
minimums may increase a requirement, but in other circumstances will 
already be satisfied. The entity would be able to indicate within 
their Cyber Plan that they are following a particular standard and 
highlight how their compliance with that standard satisfies the 
Coast Guard requirements.
---------------------------------------------------------------------------

    As noted, in January 2023, the Coast Guard released the Maritime 
Cybersecurity Assessment and Annex Guide (MCAAG). The MCAAG was 
developed through coordination with the National Maritime Security 
Advisory Committee, Area Maritime Security Committees, and other 
maritime stakeholders, consistent with the activities described in 
section 2(e) of the National Institute of Standards and Technology Act 
(15 U.S.C. 272(e)). The MCAAG provides more detailed recommendations on 
implementing existing MTSA regulations as they relate to computer 
systems and networks. For example, the Coast Guard recommended a Cyber 
Annex Template for stakeholders to address possible cybersecurity 
vulnerabilities and risks.
    This NPRM is meant to expand and clarify the information required 
in security plans to remain consistent with 46 U.S.C. 70103(c)(3), 
including section 70103(c)(3)(C)(v), which requires FSPs, OCS FSPs, and 
VSPs to include provisions for detecting, responding to, and recovering 
from cybersecurity risks that may cause TSIs. Some terms we use in the 
MCAAG, such as cybersecurity vulnerability, may have a set proposed 
definition in this NPRM.

C. Legal Authority To Address This Problem

    The Coast Guard is proposing to promulgate these regulations under 
43 U.S.C. 1333(d); 46 U.S.C. 3306, 3703, 70102 through 70104, 70124; 
and the Department of Homeland Security (DHS) Delegation No. 00170, 
Revision No. 01.3.
    Section 4 of the Outer Continental Shelf Lands Act of 1953, 
codified as amended at 43 U.S.C. 1333(d), authorizes the Secretary to 
promulgate regulations with respect to lights and other warning 
devices, safety equipment, and other matters relating to the promotion 
of safety of life and property on the artificial islands, 
installations, and other devices on the OCS. This authority was 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(90), 
Revision No. 01.3.
    Section 3306 of Title 46 of the United States Code authorizes the 
Secretary to prescribe necessary regulations for the design, 
construction, alteration, repair, equipping, manning and operation of 
vessels and prevention and mitigation of damage to the marine 
environment, propulsion machinery, auxiliary machinery, boilers, 
unfired pressure vessels, piping, electric installations, and 
accommodations for passengers and crew. This authority was delegated to 
the Coast Guard by DHS Delegation No. 00170(II)(92)(b), Revision No. 
01.3.
    Section 3703 of Title 46 of the United States Code authorizes the 
Secretary to prescribe similar regulations relating to tank vessels 
that carry liquid bulk dangerous cargoes, including the design, 
construction, alteration, repair, maintenance, operation, equipping, 
personnel qualification, and manning of the vessels. This authority was 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(92)(b), 
Revision No. 01.3.
    Sections 70102 through 70104 of Title 46 of the United States Code 
authorize the Secretary to evaluate for compliance vessel and facility 
vulnerability assessments, security plans, and response plans. Section 
70124 authorizes the Secretary to promulgate regulations to implement 
Chapter 701, including sections 70102 through 70104, dealing with 
vulnerability assessments for the security of vessels, facilities, and 
OCS facilities; VSPs, FSPs, and OCS FSPs; and response plans for 
vessels, facilities, and OCS facilities. These authorities were 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(97)(a) 
through (c), Revision No. 01.3.

IV. Background

A. The Current State of Cybersecurity in the MTS

    The maritime industry is relying increasingly on digital solutions 
for operational optimization, cost savings, safety improvements, and 
more sustainable business. However, these developments rely, to a large 
extent, on information technology (IT) systems and operational 
technology (OT) systems, which increases potential cyber 
vulnerabilities and risks. Cybersecurity risks arise from 
vulnerabilities in the secure and safe operation of vital systems, 
which increase the likelihood of cyber-attacks on U.S. facilities, OCS 
facilities, and U.S.-flagged vessels.
    Cyber-attacks on public infrastructure have raised awareness of the 
need to protect systems and equipment that facilitate operations within 
the MTS because cyber-attacks have the potential to disable the IT and 
OT onboard U.S.-flagged vessels, U.S. facilities, and OCS facilities. 
Autonomous vessel technology, automated OT, and remotely operated 
machines provide further opportunities for cyber-attackers. These 
systems and equipment are prime targets for cyber-attacks stemming from 
insider threats, criminal organizations, nation state actors, and 
others.
    Also, the MTS has become increasingly susceptible to cyber-attacks 
due to the growing integration of digital technologies in its 
operations. These cyber-attacks can range from altering a vessel's 
navigational systems to disrupting its communication with ports, which 
can lead to delays, accidents, or even groundings that could disrupt 
vessel movements and shut down port operations, such as loading and 
unloading cargo. This disruption can also negatively affect the MTS by 
interrupting the transportation and commerce of goods, raw resources, 
and passengers, as well as potential military operations when needed.
    An attack that compromises navigational or operational systems can 
pose a serious safety risk. It could result in accidents at sea, 
potential environmental disasters like oil spills, and loss of life. 
The maritime industry is not immune to ransomware attacks where 
cybercriminals are targeting critical systems or data. Given the 
critical nature of marine transportation to global trade, continued 
efforts are being made to improve cybersecurity measures in the sector.
    Maritime stakeholders can better detect, respond to, and recover 
from cybersecurity risks that may cause TSIs by adopting a range of 
cyber risk management (CRM) measures, as described in this proposed 
rule. It is important that the Coast Guard work with the maritime 
community to address both safety and security risks to better 
facilitate operations and to protect
MTS entities from creating hazardous conditions within ports and 
waterways. Updating regulations to include minimum cybersecurity 
requirements would strengthen the security posture and increase 
resilience against cybersecurity threats in the MTS.
    In 2017, the International Maritime Organization (IMO) took steps 
to address cybersecurity risks in the shipping industry by publishing 
the Marine Safety Committee/Facilitation Committee (MSC-FAL) Circular 
3, Guidelines on Maritime Cyber Risk Management,\28\ and MSC Resolution 
428(98).\29\ The IMO affirmed that an approved Safety Management System 
(SMS) should involve CRM to manage cybersecurity risks in accordance 
with the objectives and functional requirements of the International 
Safety Management (ISM) Code. An SMS is a structured and documented set 
of procedures enabling company and vessel personnel to effectively 
implement safety and environmental protection policies that are 
specific to that company or vessel.
---------------------------------------------------------------------------

    \28\ <a href="https://www.cdn.imo.org/localresources/en/OurWork/Facilitation/Facilitation/MSC-FAL.1-Circ.3-Rev.1%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat).pdf">https://www.cdn.imo.org/localresources/en/OurWork/Facilitation/Facilitation/MSC-FAL.1-Circ.3-Rev.1%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat).pdf</a>, accessed July 18, 2023.
    \29\ See the IMO resolution on CRM: Resolution MSC.428(98), 
Annex 10, ``Maritime Cyber Risk Management in Safety Management 
Systems.'' <a href="https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf">https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf</a>, accessed July 18, 2023.
---------------------------------------------------------------------------

    For applicable U.S.-flagged vessels, this proposed rule would 
establish a baseline level of protection throughout the MTSA-regulated 
vessel fleet. As the flag state, the Coast Guard can ensure these 
proposed cybersecurity regulations are implemented appropriately by 
approving Cybersecurity Plans and conducting routine inspections. This 
proposed rule would also apply to U.S. facilities regulated by 33 CFR 
part 105 and OCS facilities regulated by 33 CFR part 106.

B. Current Regulations Related to Cybersecurity

    The MTSA-implementing regulations in 33 CFR parts 101, 103, 104, 
105, and 106 give the Coast Guard the authority to review and approve 
security assessments and plans that apply broadly to the various 
security threats facing the maritime industry. Through the Navigation 
and Vessel Inspection Circular (NVIC) 01-20 \30\ (85 FR 16108, March 
20, 2020), the Coast Guard interpreted 33 CFR parts 105 and 106 as 
requiring owners and operators of U.S. facilities and OCS facilities to 
address cybersecurity in their facility security assessments (FSAs) and 
OCS FSAs, as well as in their FSPs and OCS FSPs, and provided non-
binding guidance on how regulated entities could address these issues.
---------------------------------------------------------------------------

    \30\ See footnote 12.
---------------------------------------------------------------------------

    This proposed rule would expand upon the agency's prior actions by 
establishing minimum performance-based cybersecurity requirements for 
the MTS within the MTSA regulations. Similar to the existing 
requirements in 33 CFR parts 104, 105, and 106, the Coast Guard would 
allow owners and operators the flexibility to determine the best way to 
implement and comply with these new requirements. The Coast Guard is 
proposing an implementation period of 12 to 18 months following the 
effective date of a final rule to allow sufficient time for the owners 
and operators of applicable U.S.-flagged vessels, U.S. facilities, and 
OCS facilities to comply with the requirements of this proposed 
rule.\31\
---------------------------------------------------------------------------

    \31\ Existing general requirements to address cyber issues in 
security plans will continue to apply during this rulemaking.
---------------------------------------------------------------------------

V. Discussion of Proposed Rule

    This NPRM proposes to add minimum cybersecurity requirements to 33 
CFR part 101. The Coast Guard invites comment on whether any of the 
proposed requirements would overlap, conflict, or duplicate existing 
regulatory requirements from other Federal agencies. The requirements 
would consist of the following sections:

<bullet> 101.600 Purpose
<bullet> 101.605 Applicability
<bullet> 101.610 Federalism
<bullet> 101.615 Definitions
<bullet> 101.620 Owner or Operator
<bullet> 101.625 Cybersecurity Officer
<bullet> 101.630 Cybersecurity Plan
<bullet> 101.635 Drills and Exercises
<bullet> 101.640 Records and Documentation
<bullet> 101.645 Communications
<bullet> 101.650 Cybersecurity Measures
<bullet> 101.655 Cybersecurity Compliance Dates
<bullet> 101.660 Cybersecurity Compliance Documentation
<bullet> 101.665 Noncompliance, Waivers, and Equivalents

    In addition, the Coast Guard seeks comments on whether, in this 
rulemaking, we should: define the term reportable cyber incident in 
proposed 33 CFR 101.615 and use that term in the regulatory text to 
limit cyber incidents that trigger reporting requirements; require 
certain reports identified in Sec. Sec.  101.620 and 101.650 to be sent 
to CISA; and amend the definition of hazardous condition in 33 CFR 
160.202.
    A section-by-section explanation of the proposed additions and 
changes follows:

Section 101.600--Purpose

    This proposed section states that the purpose of 33 CFR part 101, 
subpart F, is to set minimum cybersecurity requirements for U.S.-
flagged vessels, U.S. facilities, and OCS facilities to safeguard and 
ensure the security and resilience of the MTS. The proposed 
requirements would help safeguard the MTS from the evolving risks of 
cyber threats and align with the DHS goal of protecting critical U.S. 
infrastructure.

Section 101.605--Applicability

    This section proposes to make subpart F apply to the owners and 
operators of the U.S.-flagged vessels listed in 33 CFR 104.105(a), the 
facilities listed in 33 CFR 105.105(a), and the OCS facilities listed 
in 33 CFR 106.105(a). A list of the vessels that would be subject to 
subpart F is as follows:
    <bullet> U.S. Mobile Offshore Drilling Units (MODUs), cargo 
vessels, or passenger vessels subject to the International Convention 
for Safety of Life at Sea, 1974, (SOLAS), Chapter XI-1 or Chapter XI-2;
    <bullet> Self-propelled U.S. cargo vessels greater than 100 gross 
register tons subject to 46 CFR chapter I, subchapter I, except 
commercial fishing vessels inspected under 46 CFR part 105;
    <bullet> U.S. vessels subject to 46 CFR chapter I, subchapter L;
    <bullet> U.S. passenger vessels subject to 46 CFR chapter I, 
subchapter H;
    <bullet> U.S. passenger vessels certificated to carry more than 150 
passengers;
    <bullet> U.S. passenger vessels carrying more than 12 passengers, 
including at least 1 passenger-for-hire, that are engaged on an 
international voyage;
    <bullet> U.S. barges subject to 46 CFR chapter I, subchapter D or 
O;
    <bullet> U.S. barges carrying certain dangerous cargo in bulk or 
barges that are subject to 46 CFR chapter I, subchapter I, that are 
engaged on an international voyage;
    <bullet> U.S. tankships subject to 46 CFR chapter I, subchapter D 
or O; and
    <bullet> U.S. towing vessels greater than 8 meters (26 feet) in 
registered length inspected under 46 CFR subchapter M that are engaged 
in towing a barge or barges and subject to 33 CFR part 104, except a 
towing vessel that--
    [cir] Temporarily assists another vessel engaged in towing a barge 
or barges subject to 33 CFR part 104;
    [cir] Shifts a barge or barges subject to this part at a facility 
or within a fleeting facility;
    [cir] Assists sections of a tow through a lock; or
    [cir] Provides emergency assistance.
    This proposed rule would not apply to any foreign-flagged vessels 
subject to
33 CFR part 104. Cyber regulations for foreign-flagged vessels under 
domestic law may create unintended consequences with the ongoing and 
future diplomatic efforts to address maritime cybersecurity in the 
international arena. The IMO addressed cybersecurity measures for 
foreign-flagged vessels through MSC-FAL.1/Circ.3 and MSC Resolution 
428(98). Therefore, based on IMO guidelines and recommendations, an SMS 
approved under the ISM Code should address foreign-flagged vessel 
cybersecurity.
    In addition, the Coast Guard verifies how CRM is incorporated into 
a vessel's SMS via the process described in the October 27, 2020, CVC-
WI-027(2), Vessel Cyber Risk Management Work Instruction.\32\ This 
process would continue to be the Coast Guard's primary means of 
ensuring cybersecurity readiness on foreign-flagged vessels, which are 
exempt from this proposed rule.
---------------------------------------------------------------------------

    \32\ See footnote 12.
---------------------------------------------------------------------------

    If your facility or vessel would be subject to this proposed rule 
and you view a portion of it as redundant with the requirements of 
another Federal agency, please let us know. We seek to eliminate any 
unnecessary redundancies.

Section 101.610--Federalism

    We discuss the purpose and contents of this proposed section in 
section VI.E, Federalism, in this preamble.

Section 101.615--Definitions

    This section lists new cybersecurity related definitions the Coast 
Guard proposes to include in 33 CFR part 101, in addition to the 
maritime security definitions in 33 CFR 101.105. These definitions 
explain concepts relevant to cybersecurity and would help eliminate 
uncertainty in referencing and using these terms in 33 CFR part 101.
    The Coast Guard consulted several authoritative sources for these 
proposed new definitions. These sources include Executive Order 14028, 
6 U.S.C. 148, and the James M. Inhofe National Defense Authorization 
Act for Fiscal Year 2023 (the Act).\33\
---------------------------------------------------------------------------

    \33\ Public Law 117-263, Sec. 11224(a)(1) (2022).
---------------------------------------------------------------------------

    Another source for definitions is the ``Vocabulary'' page on CISA's 
National Initiative for Cybersecurity Careers and Studies website,\34\ 
which is an online Federal resource for cybersecurity training and 
education. The Coast Guard also reviewed NIST's Computer Security 
Resource Center (CSRC).\35\ NIST maintains CSRC to educate the public 
on computer security, cybersecurity, information security, and privacy. 
Definitions from CISA and NIST are authoritative sources in areas 
related to technology and cybersecurity.
---------------------------------------------------------------------------

    \34\ National Initiative for Cybersecurity Careers and Studies, 
Explore Terms: A Glossary of Common Cybersecurity Words and Phrases, 
<a href="https://niccs.cisa.gov/cybersecurity-career-resources/glossary">https://niccs.cisa.gov/cybersecurity-career-resources/glossary</a>, 
accessed September 15, 2023.
    \35\ CSRC, <a href="https://csrc.nist.gov/glossary">https://csrc.nist.gov/glossary</a>, accessed September 
15, 2023.
---------------------------------------------------------------------------

    In addition, the Coast Guard proposes to define the term 
cybersecurity risk consistent with the definition at section 2200 of 
the Homeland Security Act of 2002 (Pub. L. 107-296), as amended, see 6 
U.S.C. 650(7). The Coast Guard notes, however, that it does not believe 
paragraph (b) of subsection 2200(7), which contains an exception for 
actions that solely involve a ``violation of a consumer term of service 
or a consumer licensing agreement'' is relevant to the facilities and 
vessels that are the subject of this rulemaking. Nevertheless, for 
consistency with the definition found in the Homeland Security Act and 
the sake of completeness, we have elected to include the complete 
definition in this proposal. See also 46 U.S.C. 70101(2); Public Law 
115-254, sec. 1805(b)(2).
    The Coast Guard proposes to include definitions for Cyber incident, 
Cyber risk, Cyber threat, and Cybersecurity vulnerability. Cyber 
incident would relate to Information Systems and would be inclusive of 
both Information Technology and Operational Technology, all of which 
the Coast Guard is also proposing to define. The Coast Guard also 
proposes new defined terms that are applicable to maritime 
cybersecurity, including Critical Information Technology or Operational 
Technology systems, Cyber Incident Response Plan, Cybersecurity Officer 
or CySO, and Cybersecurity Plan. A CySO, for example, would be the 
person(s) responsible for developing, implementing, and maintaining 
cybersecurity portions of the VSP, FSP, or OCS FSP. The CySO would also 
act as a liaison with the Captain of the Port (COTP) and company, 
vessel, and facility security officers.
    In addition, the Coast Guard welcomes comments on whether we should 
define and use the term Reportable cyber incident. The proposed 
definition of a reportable cyber incident would be based on the Cyber 
Incident Reporting Council's model definition in DHS's Report to 
Congress of September 19, 2023.\36\ If adopted, the term reportable 
cyber incident would replace cyber incident in proposed Sec. Sec.  
101.620(b)(7) and 101.650(g)(1). Specifically, a reportable cyber 
incident would mean an incident that leads to, or, if still under 
investigation, could reasonably lead to any of the following:
---------------------------------------------------------------------------

    \36\ See DHS Office of Strategy, Policy, and Plans, 
Harmonization of Cyber Incident Reporting to the Federal Government 
(Sept. 19, 2023), <a href="https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government">https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government</a>, accessed Sept. 19, 
2023.
---------------------------------------------------------------------------

    (1) Substantial loss of confidentiality, integrity, or availability 
of a covered information system, network, or OT system;
    (2) Disruption or significant adverse impact on the reporting 
entity's ability to engage in business operations or deliver goods or 
services, including those that have a potential for significant impact 
on public health or safety or may cause serious injury or death;
    (3) Disclosure or unauthorized access directly or indirectly of 
non-public personal information of a significant number of individuals;
    (4) Other potential operational disruption to critical 
infrastructure systems or assets; or
    (5) Incidents that otherwise may lead to a TSI as defined in 33 CFR 
101.105.
    The Coast Guard's existing regulations in 33 CFR part 101 require 
regulated entities to report suspicious activity that may result in a 
TSI, breaches of security, and TSIs involving computer systems and 
networks. See 33 CFR 101.305. The purpose of defining a reportable 
cyber incident in this NPRM is to establish a threshold between the 
cyber incidents that must be reported and those that need not be. We 
request public comment on the substance of this definition, its 
elements, potential burden on industry, as well as the need and 
effectiveness of including it in this regulation. We also invite 
comments on whether we should define any terms we use in the proposed 
rule that are not defined in proposed Sec.  101.615.
    In this NPRM, the Coast Guard is also seeking comments on two 
alternative potential regulatory measures for reporting cyber 
incidents. In the first alternative, the Coast Guard would require that 
reportable cyber incidents would be reported to the National Response 
Center (NRC) without delay to the telephone number listed in 33 CFR 
101.305(a). Cyber incidents with no physical or pollution effects could 
also be reported directly to CISA via report@cisa.gov or 1-888-282-0870. 
All such reports would be shared between the NRC and CISA Central 
and satisfy the requirement to report to the Coast Guard.
    In the second alternative, the Coast Guard seeks comments on 
whether it should require that reportable cyber incidents be reported 
to CISA. While this alternative would be a change from current 
practice, it could allow more
efficient use of DHS' cybersecurity resources and may advance the 
cybersecurity vision laid out by Congress in the Cyber Incident 
Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will 
be implemented by regulations that are still under development. 
Information submitted to CISA would be shared with the Coast Guard, 
ensuring continued efficient responses.
    If we were to use either alternative, to the extent that the 
reporting obligation imposed by this NPRM constitutes a requirement to 
report ``substantially similar information . . . within a substantially 
similar timeframe'' when compared to a rule implementing CIRCIA, 
covered entities may be excused from any duplicative reporting 
obligations under the CIRCIA rulemaking.\37\ In line with that 
provision, we invite your comments on whether we should expressly 
require reporting of ransom payments in connection with ransomware 
attacks. We request comment on whether we should use either of these 
two alternatives in a final rule.
---------------------------------------------------------------------------

    \37\ See 6 U.S.C. 681b(a)(5)(B) (exception to reporting 
requirements for certain substantially similar reporting 
requirements ``where the Agency has an agreement in place that 
satisfies the requirements of section 681g(a) of this title'').
---------------------------------------------------------------------------

Section 101.620--Owner or Operator

    This proposed section would require each owner and operator of a 
U.S.-flagged vessel, facility, or OCS facility to assign qualified 
personnel to develop a Cybersecurity Plan and ensure the Cybersecurity 
Plan incorporates detailed preparation, prevention, and response 
activities for cybersecurity threats and vulnerabilities.
    Additional responsibilities of owners and operators of U.S.-flagged 
vessels, facilities, and OCS facilities would include:
    <bullet> Designating a CySO, in writing, by name and title, and 
identifying how the CySO can be contacted at any time. A CySO would 
have to be accessible to the Coast Guard 24 hours a day, 7 days a week 
(see proposed Sec.  101.620(b)(3));
    <bullet> Ensuring that a Cybersecurity Assessment is conducted 
annually or sooner, under the circumstances described in this NPRM (see 
proposed Sec. Sec.  101.620(b)(4) and 101.650(e)(1));
    <bullet> Ensuring that a Cybersecurity Plan is developed and 
submitted for Coast Guard approval, either as a separate document or as 
an addition to an existing FSP, VSP, or OCS FSP (see proposed 
Sec. Sec.  101.620(b)(1) and 101.630(a));
    <bullet> Operating the U.S.-flagged vessel, facility, or OCS 
facility in accordance with the approved Cybersecurity Plan (see 
proposed Sec.  101.620(b)(5)); and
    <bullet> Reporting all cyber incidents, including TSIs, to the NRC 
and relevant authorities according to the Cybersecurity Plan (see 
proposed Sec. Sec.  101.305 and 101.620(b)(7)).

Section 101.625--Cybersecurity Officer

    The CySO may be a full-time, collateral, or contracted position. 
The same person may serve as the CySO for more than one vessel, 
facility, or OCS facility. The CySO would need to have general 
knowledge of a range of issues relating to cybersecurity, such as 
cybersecurity administration, relevant laws and regulations, current 
threats and trends, risk assessments, inspections, control procedures, 
and procedures for conducting exercises and drills. When considering 
assignment of the CySO role to the existing security officer, the owner 
or operator should consider the depth and scope of these new 
responsibilities in addition to existing security duties.
    The most important duties a CySO would perform include ensuring 
development, implementation, and finalization of a Cybersecurity Plan; 
auditing and updating the Plan; ensuring adequate training of 
personnel; and ensuring the U.S.-flagged vessel, facility, or OCS 
facility is operating in accordance with the Plan and in continuous 
compliance with this subpart. The CySO would have the authority to 
assign cybersecurity duties to other personnel; however, the CySO would 
remain responsible for the performance of these duties.

Section 101.630--Cybersecurity Plan

    This proposed section contains minimum requirements for the 
Cybersecurity Plan. The Cybersecurity Plan would be maintained 
consistent with the recordkeeping requirements in 33 CFR 104.235 for 
vessels, 33 CFR 105.225 for facilities, and 33 CFR 106.230 for OCS 
facilities. See proposed Sec.  101.640. A Cybersecurity Plan would 
incorporate the results of a Cybersecurity Assessment and consider the 
recommended measures appropriate for the U.S.-flagged vessel, facility, 
or OCS facility. A Cybersecurity Plan could be combined with or 
complement an existing FSP, VSP, or OCS FSP. A Cybersecurity Plan could 
be kept in an electronic format if it can be protected from being 
deleted, destroyed, overwritten, accessed, or disclosed without 
authorization.
    The format of a Cybersecurity Plan required under this proposed 
rule would include the following individual sections:
    (1) Cybersecurity organization and identity of the CySO (see 
proposed Sec.  101.625 Cybersecurity Officer);
    (2) Personnel training (see proposed Sec.  101.625(d)(8), (9) 
Cybersecurity Officer);
    (3) Drills and exercises (see proposed Sec.  101.635 Drills and 
Exercises);
    (4) Records and documentation (see proposed Sec.  101.640 Records 
and Documentation);
    (5) Communications (see proposed Sec.  101.645 Communications);
    (6) Cybersecurity systems and equipment with associated 
maintenance (see proposed Sec.  101.650(e)(3) Cybersecurity Measures: 
Routine Maintenance);
    (7) Cybersecurity measures for access control, including computer, 
IT, and OT areas (see proposed Sec.  101.650(a) Cybersecurity Measures: 
Account Measures);
    (8) Physical security controls for IT and OT systems (see proposed 
Sec.  101.650(i) Cybersecurity Measures: Physical Security);
    (9) Cybersecurity measures for monitoring (see proposed Sec.  
101.650(f) Cybersecurity Measures: Supply Chain; (h) Network 
Segmentation; (i) Physical Security);
    (10) Audits and amendments to the Cybersecurity Plan (see proposed 
Sec.  101.630(f) Cybersecurity Plan: Audits);
    (11) Cybersecurity audit and inspection reports to include 
documentation of resolution or mitigation of all identified 
vulnerabilities (see proposed Sec.  101.650(e) Cybersecurity Measures: 
Risk Management);
    (12) Documentation of all identified unresolved vulnerabilities to 
include those that are intentionally unresolved due to risk acceptance 
by the owner or operator (see proposed Sec.  101.650(e) Cybersecurity 
Measures: Risk Management);
    (13) Cyber incident reporting procedures in accordance with part 
101 of this subchapter (see proposed Sec.  101.650(g) Cybersecurity 
Measures: Resilience); and
    (14) Cybersecurity Assessment (see proposed Sec.  101.650(e) 
Cybersecurity Measures: Risk Management).
    Depending on operational conditions and cybersecurity risks, the 
owner or operator may develop a Cyber Incident Response Plan as a 
separate document or as an addition to the Cybersecurity Plan.

Submission and Approval of the Cybersecurity Plan

    An owner or operator would submit a Cybersecurity Plan for review 
to the cognizant COTP or the Officer in
Charge, Marine Inspections (OCMI) for U.S. facilities and OCS 
facilities, or to the U.S. Coast Guard's Marine Safety Center (MSC) for 
U.S.-flagged vessels. See proposed Sec.  101.630(d). A letter 
certifying that the Plan meets the requirements of this subpart must 
accompany the submission. Once the COTP or MSC finds that the Plan 
meets the cybersecurity requirements in Sec.  101.630, they would send 
a letter to the owner or operator approving the Cybersecurity Plan or 
approving the Plan under certain conditions.
    If the cognizant COTP, OCMI, or MSC requires additional time to 
review the Plan, they would have the authority to return a written 
acknowledgement to the owner or operator stating that the Coast Guard 
will review the Cybersecurity Plan submitted for approval, and that the 
U.S.-flagged vessel, facility, or OCS facility may continue to operate 
as long as it remains in compliance with the submitted Cybersecurity 
Plan. See proposed Sec.  101.630(d)(1)(iv).
    If the COTP, OCMI, or MSC finds that the Cybersecurity Plan does 
not meet the requirements in Sec.  101.630, the Plan would be returned 
to the owner or operator with a letter explaining why the Plan did not 
meet the requirements. The owner or operator will have at least 60 days 
to amend the Plan and cure deficiencies outlined in the letter. Until 
the amendments are approved, the owner or operator must ensure 
temporary cybersecurity measures are implemented to the satisfaction of 
the Coast Guard. See proposed Sec.  101.630(e)(1)(ii).
    Deficiencies would have to be corrected, and the Plan would have to 
be resubmitted for approval within the time period specified in the 
letter. If the owner or operator fails to cure those deficiencies 
within 60 days, the Plan would be declared noncompliant with these 
proposed regulations and other relevant regulations in title 33 of the 
CFR. If the owner or operator disagrees with the deficiency 
determination, they would have the right to appeal or submit a petition 
for reconsideration or review to the respective COTP, District 
Commander, OCMI, or MSC per Sec.  101.420.
    Under proposed Sec.  101.650(e)(1), a cybersecurity assessment 
would have to be conducted when one or both of the following situations 
occurs:
    <bullet> There is a change in ownership of a U.S.-flagged vessel, 
facility, or an OCS facility; or
    <bullet> There are major amendments to the Cybersecurity Plan.
    Each owner or operator would determine what constitutes a ``major 
amendment'' as appropriate for their organization based on types of 
changes to their security measures and operational risks. When 
submitting proposed amendments to the Coast Guard, either after a 
cybersecurity assessment or at other times, you would not be required 
to submit the Cybersecurity Plan with the proposed amendment. Under 
Sec.  101.630(f)(1), the CySO must ensure that an audit of the 
Cybersecurity Plan and its implementation is performed annually, 
beginning no later than 1 year from the initial date of approval. 
Additional audits would need to be conducted if there is a change in 
ownership or modifications of cybersecurity measures, but such audits 
may be limited to sections of the Plan affected by the modification. 
See proposed Sec.  101.630(f)(2) and (3). Those conducting an internal 
audit must have a level of knowledge and independence specified in 
Sec.  101.630(f)(4). Under Sec.  101.630(f)(5), if the results of the 
audit require the Cybersecurity Plan to be amended, the CySO must 
submit the proposed amendments to the Coast Guard for review within 30 
days of completing the audit.

Section 101.635--Drills and Exercises

    Under this proposed section, cybersecurity drills and exercises 
would be required to test the proficiency of U.S.-flagged vessel, 
facility, and OCS facility personnel in assigned cybersecurity duties 
and in the effective implementation of the VSP, FSP, OCS FSP, and 
Cybersecurity Plan. Drills and exercises would also enable the CySO to 
identify any related cybersecurity deficiencies that need to be 
addressed.
    Cybersecurity drills would generally test an operational response 
of at least one specific element of the Cybersecurity Plan, as 
determined by the CySO, such as access control for a critical IT or OT 
system, or network scanning. A drill would be required at least once 
every 3 months and may be held in conjunction with other drills, if 
appropriate.
    Cybersecurity exercises are a full test of an organization's 
cybersecurity regime and would include substantial and active 
participation of cybersecurity personnel. The participants may include 
local, State, and Federal Government personnel. Cybersecurity exercises 
would generally test and evaluate the organizational capacity to manage 
a combination of elements in the Cybersecurity Plan, such as detecting, 
responding to, and mitigating a cyber incident.
    The exercises would be required at least once each calendar year, 
with no more than 18 months between exercises. Exercises may be 
specific to a facility, OCS facility, or a U.S.-flagged vessel, or may 
serve as part of a cooperative exercise program or port exercises. The 
exercises for the Cybersecurity Plans could be combined with other 
required security exercises, if appropriate.
    The proposed drill or exercise requirements specified in this 
section may be satisfied by implementing cybersecurity measures 
required by the VSP, FSP, OCS FSP, and Cybersecurity Plan after a cyber 
incident, as long as the vessel, facility, or OCS facility achieves and 
documents the drill and exercise goals for the cognizant COTP or MSC. 
Any corrective action must be addressed and documented as soon as 
possible.

Section 101.640--Records and Documentation

    This proposed section would require owners and operators to follow 
the recordkeeping requirements in 33 CFR 104.235 for vessels, 33 CFR 
105.225 for facilities, and 33 CFR 106.230 for OCS facilities. For 
example, records must be kept for at least 2 years and be made 
available to the Coast Guard upon request. The records can be kept in 
paper or electronic format and must be protected against unauthorized 
access, deletion, destruction, amendment, and disclosure. Records that 
each vessel, facility, or OCS facility keeps would vary because each 
organization would maintain records specific to their operations. At a 
minimum, the records would have to capture the following activities: 
training, drills, exercises, cybersecurity threats, incidents, and 
audits of the Cybersecurity Plan as set forth in the cited 
recordkeeping requirements above and made applicable to records under 
this subpart per Sec.  101.640.

Section 101.645--Communications

    This proposed section would require the CySO to maintain an 
effective means of communication to convey changes in cybersecurity 
conditions to the personnel of the U.S.-flagged vessel, facility, or 
OCS facility. In addition, the CySO is required to maintain an 
effective and continuous means of communicating with their security 
personnel, U.S.-flagged vessels interfacing with the facility or OCS 
facility, the cognizant COTP, and national and local authorities with 
security responsibilities.

Section 101.650--Cybersecurity Measures

    This section proposes specific cybersecurity measures to identify 
risks,

[[Page 13412]]

detect threats and vulnerabilities, protect critical systems, and 
recover from cyber incidents. Any intentional gaps in cybersecurity 
measures would be documented as accepted risks under proposed Sec.  
101.630(c)(12). If the owner or operator is unable to comply with the 
requirements of this subpart, they may seek a waiver or an equivalence 
determination under proposed Sec.  101.665.
    A discussion of each component of proposed Sec.  101.650 follows.
Section 101.650 Paragraph (a): Account Security Measures
    This paragraph would identify minimum account measures to protect 
critical IT and OT systems from unauthorized cyber access and limit the 
risk of a cyber incident. Access control is a foundational category and 
is highlighted as a ``Protect'' function of NIST's Cybersecurity 
Framework (CSF).\38\ Existing regulations in Sec. Sec.  104.265, 
105.255 through 105.260, and 106.260 through 106.265 prescribe control 
measures to limit access to restricted areas and detect unauthorized 
introduction of devices capable of damaging U.S.-flagged vessels, U.S. 
facilities, OCS facilities, or ports. This proposed provision is 
derived from NIST's standards mentioned earlier for the cyber domain 
and establishes minimum account security measures to manage credentials 
and secure access to critical IT and OT systems. We invite your 
comments on the minimal requirements proposed in Sec.  101.650(a).
---------------------------------------------------------------------------

    \38\ NIST CSF, <a href="http://www.nist.gov/cyberframework/protect">www.nist.gov/cyberframework/protect</a>, accessed 
July 18, 2023.
---------------------------------------------------------------------------

    Account security measures for cybersecurity would include lockouts 
on repeated failed login attempts, password requirements, multifactor 
authentication, applying the principle of least privilege to 
administrator or otherwise privileged accounts, and removing 
credentials of personnel no longer associated with the organization. 
Numerous consensus standards that are generally accepted employ similar 
requirements.\39\ Together, these provisions would mitigate the risks 
of brute force attacks, unauthorized access, and privilege escalation. 
The owner or operator would be responsible for implementing and 
managing these account security measures, including ensuring that user 
credentials are removed or revoked when a user leaves the organization. 
The CySO would ensure documentation of such measures in Section 7 of 
the Cybersecurity Plan.
---------------------------------------------------------------------------

    \39\ See, for example, NIST CSF: PR.AC, CIS Controls 1, 12, 15, 
16, and COBIT DSS05.04, DSS05.10, DSS06.10, and ISA 62443-2-1.
---------------------------------------------------------------------------
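
    The following is an added illustration, not Coast Guard code and not 
part of the proposed rule, of how the account measures described above 
(lockout on repeated failed login attempts, a password floor, 
multifactor authentication on privileged accounts, and removal of 
credentials when personnel leave) fit together in one access-control 
routine. The thresholds, the account names, and the PBKDF2 password 
storage are assumptions; the proposed text sets none of them and leaves 
them to the Cybersecurity Plan.

```python
"""Account security controls of the kind proposed Sec. 101.650(a) describes.
Added example, not Coast Guard code and not part of the rule; the thresholds
(5 attempts, 15-minute lockout, 14-character minimum) are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOCKOUT_THRESHOLD = 5                      # assumed: failed logins before lockout
LOCKOUT_DURATION = timedelta(minutes=15)   # assumed: how long the lockout lasts
MIN_PASSWORD_LENGTH = 14                   # assumed: password length floor
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)   # the 16-byte salt is stored in front of the digest
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), stored[:16], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, stored[16:])


@dataclass
class Account:
    username: str
    password_hash: bytes
    privileged: bool = False        # least privilege: admin rights are explicit
    mfa_enrolled: bool = False
    active: bool = True
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[str] = []   # events a Sec. 101.640 record would keep

    def create(self, username: str, password: str, privileged: bool = False,
               mfa_enrolled: bool = False) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than policy minimum")
        if privileged and not mfa_enrolled:
            raise ValueError("privileged accounts must be MFA-enrolled")
        self.accounts[username] = Account(username, hash_password(password),
                                          privileged, mfa_enrolled)

    def authenticate(self, username: str, password: str, mfa_ok: bool,
                     now: datetime) -> str:
        """Return one of: ok, disabled, locked, bad_credentials, mfa_required."""
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return self._log(now, username, "disabled")
        if acct.locked_until is not None and now < acct.locked_until:
            return self._log(now, username, "locked")   # no hint whether password was right
        if not verify_password(password, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_DURATION
                acct.failed_attempts = 0
                self._log(now, username, "locked_out")
            return self._log(now, username, "bad_credentials")
        if acct.mfa_enrolled and not mfa_ok:
            return self._log(now, username, "mfa_required")
        acct.failed_attempts = 0
        acct.locked_until = None
        return self._log(now, username, "ok")

    def offboard(self, username: str, now: datetime) -> None:
        """Revoke credentials when personnel leave the organization."""
        acct = self.accounts[username]
        acct.active = False
        acct.password_hash = b""        # remove credential material, not just flag it
        self._log(now, username, "revoked")

    def _log(self, now: datetime, username: str, event: str) -> str:
        self.audit_log.append(f"{now.isoformat()} {username} {event}")
        return event


def run_scenario() -> List[str]:
    """Walk one account through lockout, MFA and offboarding; return the outcomes."""
    store = AccountStore()
    t0 = datetime(2024, 2, 22, 12, 0, 0)
    good = "correct horse battery staple"
    store.create("operator1", good, mfa_enrolled=True)
    outcomes = [store.authenticate("operator1", "wrong-guess", False, t0)
                for _ in range(LOCKOUT_THRESHOLD)]          # fifth failure locks the account
    outcomes.append(store.authenticate("operator1", good, True, t0 + timedelta(minutes=1)))
    outcomes.append(store.authenticate("operator1", good, False, t0 + timedelta(minutes=16)))
    outcomes.append(store.authenticate("operator1", good, True, t0 + timedelta(minutes=16)))
    store.offboard("operator1", t0 + timedelta(days=1))
    outcomes.append(store.authenticate("operator1", good, True, t0 + timedelta(days=1)))
    return outcomes
```

    The audit log the store keeps is the kind of login record that 
Sec. 101.640 would require to be retained. The `locked` response gives 
no indication of whether the submitted password was correct, so the 
lockout does not itself become a password oracle, and offboarding 
deletes the stored credential material rather than only flagging the 
account inactive.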

Section 101.650 Paragraph (b): Device Security Measures
    This paragraph would provide specific proposed requirements to 
mitigate risks and vulnerabilities in critical IT and OT systems and 
equipment. With increased connectivity to public internet, networks on 
U.S.-flagged vessels, U.S. facilities, and OCS facilities have an 
expansive attack surface. These provisions would reduce the risks of 
unauthorized access, malware introduction, and service interruption. 
This paragraph would apply the ``Identify'' function of the NIST 
CSF.\40\ Existing regulations in 33 CFR 104.265, 105.255 through 
105.260, and 106.260 through 106.265 are similar. For example, Sec.  
105.260 limits access to areas that require a higher degree of 
protection.
---------------------------------------------------------------------------

    \40\ NIST CSF; Identify, ``NIST Cybersecurity Publication by 
Category,'' Asset Management ID.AM, updated May 3, 2021, 
<a href="http://www.nist.gov/cyberframework/identify">www.nist.gov/cyberframework/identify</a>, accessed July 18, 2023. NIST 
Special Publication 800-53, Revision 5, ``Security and Privacy 
Controls for Information Systems and Organizations,'' September 
2020, page 107, <a href="https://doi.org/10.6028/NIST.SP.800-53r5">https://doi.org/10.6028/NIST.SP.800-53r5</a>, accessed 
August 24, 2023.
---------------------------------------------------------------------------

    Proposed paragraph (b) would also require owners and operators to 
designate critical IT and OT systems.\41\ Developing and maintaining an 
accurate inventory and network map would reduce the risk of unknown or 
improperly managed assets. The Cybersecurity Plan would also govern 
device management. The CySO would maintain the network map and develop 
and maintain the list of approved hardware, software, and firmware. In 
addition to identifying risks, these provisions would aid in the proper 
lifecycle management of assets, including patching and end-of-life 
management. These requirements are foundational to many industry 
consensus standards and would reinforce Coast Guard regulations to 
protect communication networks.
---------------------------------------------------------------------------

    \41\ To help CySOs identify which systems are critical, the 
Coast Guard's Office of Port and Facility Compliance (CG-FAC) has 
published maritime specific CSF profiles on its homepage at 
<a href="http://www.dco.uscg.mil/Our-Organization/Assistant-Commandant-for-Prevention-Policy-CG-5P/Inspections-Compliance-CG-5PC-/Office-of-Port-Facility-Compliance/Domestic-Ports-Division/cybersecurity/">www.dco.uscg.mil/Our-Organization/Assistant-Commandant-for-Prevention-Policy-CG-5P/Inspections-Compliance-CG-5PC-/Office-of-Port-Facility-Compliance/Domestic-Ports-Division/cybersecurity/</a>, 
accessed July 18, 2023 and in pages 20 through 24 of Appendix A, 
Maritime Bulk Liquid Transfer Profile at <a href="https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.dco.uscg.mil%2FPortals%2F9%2FCG-FAC%2FDocuments%2FCyber%2520Profiles%2520Overview.docx%3Fver%3D2018-01-10-143126-467&wdOrigin=BROWSELINK">https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.dco.uscg.mil%2FPortals%2F9%2FCG-FAC%2FDocuments%2FCyber%2520Profiles%2520Overview.docx%3Fver%3D2018-01-10-143126-467&wdOrigin=BROWSELINK</a>, accessed July 18, 2023.
---------------------------------------------------------------------------

Section 101.650 Paragraph (c): Data Security Measures
    This paragraph would prescribe fundamental data security measures 
that stem from the ``Protect'' function of the NIST CSF. Data security 
measures protect personnel, financial, and operational data and are 
consistent with basic risk management activities of the maritime 
industry. The IMO recognizes the importance of risk management related 
to data security on U.S.-flagged vessels,\42\ and the Coast Guard 
previously highlighted data security measures in its policy for MTSA-
regulated U.S. facilities.\43\
---------------------------------------------------------------------------

    \42\ MSC-FAL.1/Circ.3/Rev.1: ``Implement risk control processes 
and measures, and contingency planning to protect against a cyber-
event and ensure continuity of shipping operations.''
    \43\ NVIC 01-20 at page 2: ``Each facility should also determine 
how, and where, its data is stored and, if it is stored offsite, 
whether the data has a critical link to the safety and/or security 
functions of the facility. If such a critical link exists, the 
facility should address any vulnerabilities . . . . ''
---------------------------------------------------------------------------

    Data security measures prevent data loss and aid in detection of 
malicious activity on critical IT and OT systems. The fundamental 
measures proposed here would establish baseline protections upon which 
owners and operators could build. This paragraph would require data 
logs to be securely captured, stored, and protected so that they are 
accessible only by privileged users, and would require encryption for 
data in transit and data at rest. CySOs would rely on generally 
accepted industry standards and risk management principles to determine 
the suitability of specific encryption algorithms for certain purposes, 
such as protecting critical IT and OT data with a more robust algorithm 
than for routine data.\44\ A CySO would establish more detailed data 
security policies in Section 9 of the Cybersecurity Plan. Those 
policies would be adapted to the unique operations of the U.S.-flagged 
vessel, facility, or OCS facility.
---------------------------------------------------------------------------

    \44\ See, for example, ISA 62443-3-3, CIS CSC 13, 14 in the EDM 
NIST Cybersecurity Framework Crosswalks, available at <a href="http://www.cisa.gov/sites/default/files/publications/4_NIST_CSF_EDM_Crosswalk_v3_April_2020.pdf">www.cisa.gov/sites/default/files/publications/4_NIST_CSF_EDM_Crosswalk_v3_April_2020.pdf</a>, accessed July 18, 2023.
---------------------------------------------------------------------------

Section 101.650 Paragraph (d): Cybersecurity Training for Personnel
    This paragraph would specify proposed cybersecurity training 
requirements. Security training is a vital aspect of the MTSA. Relevant 
provisions in 33 CFR already require all personnel to have knowledge, 
through training or equivalent job experience, in the ``Recognition and 
detection of dangerous . . . devices.'' \45\ Since 2020, the Coast 
Guard has interpreted this requirement to include relevant 
cybersecurity training.\46\ While formal

[[Page 13413]]

training may be appropriate, the Coast Guard is not proposing to 
mandate a format of training. However, the training would have to, at 
minimum, cover relevant provisions of the Cybersecurity Plan to include 
recognizing, detecting, and preventing cybersecurity threats; and 
reporting cyber incidents to the CySO.
---------------------------------------------------------------------------

    \45\ 33 CFR 104.225(c) (Vessels), 105.215(c) (Facilities), and 
106.220(c) (OCS Facilities).
    \46\ NVIC 01-20 ENCL(1) at page 3: ``Describe how cybersecurity 
is included as part of personnel training, policies, and procedures, 
and how this material will be kept current and monitored for 
effectiveness.''
---------------------------------------------------------------------------

    The types of training would also need to be consistent with the 
roles and responsibilities of personnel, including access to critical 
IT and OT systems and operating network-connected machinery. Key 
cybersecurity personnel and management would need to have current 
knowledge of threats to deal with potential cyber-attacks and 
understand procedures for responding to a cyber incident. The owner, 
operator, or CySO would ensure all personnel designated by the CySO 
complete the core training within 5 days of gaining system access, but 
no later than 30 days after hiring, and annually thereafter, and that 
key personnel receive specialized training annually or more frequently 
as needed. Existing personnel would be required to receive training on 
relevant provisions of the Cybersecurity Plan within 60 days of the 
Plan being approved, and for all other required training within 180 
days of the effective date of a final rule, and annually thereafter. 
(See Sec.  101.650(d)(3)).
Section 101.650 Paragraph (e): Risk Management
    This paragraph would establish three levels of Cybersecurity 
Assessment and risk management: (1) conducting annual Cybersecurity 
Assessments; (2) completing penetration testing upon renewal of a VSP, 
FSP, or OCS FSP; and (3) ensuring ongoing routine system maintenance. 
The CySO would ensure that these activities, which are listed in 
Sections 11 and 12 of the Cybersecurity Plan, are documented and 
completed.
    Following a Cybersecurity Assessment, the CySO would incorporate 
feedback from the assessment into the Cybersecurity Plan through an 
amendment to the Plan. A Cybersecurity Assessment would be conducted 
within 1 year from the effective date of a final rule and annually 
thereafter. The Assessment must be conducted sooner than annually in 
the following circumstances:
    <bullet> There is a change in ownership of a U.S.-flagged vessel, 
facility, or an OCS facility; or
    <bullet> There are major events requiring amendments to the 
Cybersecurity Plan.
    While Cybersecurity Assessments provide a valuable picture of 
potential security weaknesses, penetration tests can add additional 
context by demonstrating whether malicious actors could leverage those 
weaknesses. Penetration tests can also help prioritize resources based 
on what poses the most risk. Routine system maintenance requires an 
ongoing effort to identify vulnerabilities and would include scanning 
and reviewing known exploited vulnerabilities (KEVs) by documenting, 
tracking, and monitoring them. These proposed provisions would mirror 
the security system and equipment maintenance requirements in 33 CFR 
104.260 for vessels, 33 CFR 105.250 for facilities, and 33 CFR 106.255 
for OCS facilities, and reflect the Coast Guard's longstanding view on 
cybersecurity. To improve risk management across the maritime sector, 
CySOs would establish, subject to any applicable antitrust law 
limitations,\47\ information-sharing procedures for their 
organizations, which would include procedures to receive and act on 
KEVs, as well as methods for sharing threat and vulnerability 
information.
---------------------------------------------------------------------------

    \47\ The sharing of competitively sensitive information between 
or among competitors raises antitrust concerns. For example, 
information sharing is not exempted under the Cybersecurity 
Information Sharing Act of 2015 if the information shared results in 
price fixing, market allocation, boycotting, monopolistic conduct, 
or other collusive conduct.
---------------------------------------------------------------------------
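
    The following is an added illustration, not Coast Guard code and not 
part of the proposed rule, of the inventory-driven checks that 
paragraphs (b) and (e) describe: comparing the asset inventory against 
the CySO's list of approved hardware, software, and firmware, and 
documenting, tracking, and monitoring KEVs against that same inventory. 
The inventory, the approved list, and the KEV records are constructed 
sample data; the KEV records use the field names of CISA's public KEV 
catalog JSON, but the CVE identifiers are placeholders.

```python
"""Asset-inventory checks of the kind proposed Sec. 101.650(b) and (e) describe.
Added example, not Coast Guard code and not part of the rule. The inventory,
approved list and KEV records are constructed; the CVE IDs are placeholders."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed inventory of critical IT/OT assets, one record per device.
INVENTORY = [
    {"asset": "plc-ballast-01", "zone": "OT", "vendor": "ExamplePLC",
     "product": "LogicRuntime", "version": "3.1", "critical": True},
    {"asset": "hmi-bridge-02", "zone": "OT", "vendor": "ExampleHMI",
     "product": "OperatorPanel", "version": "7.0", "critical": True},
    {"asset": "crew-wifi-ap-01", "zone": "IT", "vendor": "ExampleNet",
     "product": "AccessPoint", "version": "2.4", "critical": False},
    {"asset": "usb-gateway-03", "zone": "OT", "vendor": "UnlistedCo",
     "product": "SerialBridge", "version": "1.0", "critical": True},
]

# Constructed approved hardware/software/firmware list kept by the CySO.
APPROVED: Set[Tuple[str, str]] = {
    ("exampleplc", "logicruntime"),
    ("examplehmi", "operatorpanel"),
    ("examplenet", "accesspoint"),
}

# Constructed records using the field names of CISA's KEV catalog JSON;
# the CVE IDs are placeholders, not real vulnerabilities.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleHMI",
         "product": "OperatorPanel", "dateAdded": "2024-02-01",
         "dueDate": "2024-02-22", "requiredAction": "Apply vendor update."},
        {"cveID": "CVE-0000-00002", "vendorProject": "OtherVendor",
         "product": "OtherProduct", "dateAdded": "2024-02-10",
         "dueDate": "2024-03-02", "requiredAction": "Apply vendor update."},
    ]
}


def _key(vendor: str, product: str) -> Tuple[str, str]:
    """Normalize vendor/product so spelling differences do not hide a match."""
    return vendor.strip().lower(), product.strip().lower()


def unapproved_assets(inventory, approved) -> List[str]:
    """Assets running hardware or software that is not on the approved list."""
    return [a["asset"] for a in inventory
            if _key(a["vendor"], a["product"]) not in approved]


def kev_matches(inventory, kev_feed) -> List[Dict[str, object]]:
    """One tracking record per (asset, KEV entry) whose vendor and product match.

    KEV entries carry no version range, so each match is a candidate the CySO
    must confirm against the installed version before it can be closed.
    """
    by_product: Dict[Tuple[str, str], list] = {}
    for v in kev_feed["vulnerabilities"]:
        by_product.setdefault(_key(v["vendorProject"], v["product"]), []).append(v)
    records = []
    for a in inventory:
        for v in by_product.get(_key(a["vendor"], a["product"]), []):
            records.append({"asset": a["asset"], "cveID": v["cveID"],
                            "dueDate": v["dueDate"], "critical": a["critical"],
                            "status": "open"})
    # Critical systems first, then earliest due date: the order to work them.
    records.sort(key=lambda r: (not r["critical"], r["dueDate"]))
    return records


def overdue(records, today: str) -> List[str]:
    """CVE IDs still open past their due date as of `today` (ISO date string)."""
    t = date.fromisoformat(today)
    return [r["cveID"] for r in records
            if r["status"] == "open" and date.fromisoformat(r["dueDate"]) < t]
```

    Because a KEV entry names a vendor and product but no version 
range, every match is created in an `open` state and is closed only 
after the CySO confirms the installed version or applies the required 
action; the unapproved-asset check catches the device that the network 
map should not contain at all.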

    The ``Protect'' function of the NIST CSF emphasizes the importance 
of strong processes and procedures for protecting information.\48\ For 
example, organizations would have to ensure information and records 
(data) are managed consistently with the organization's risk strategy 
to protect the confidentiality, integrity, and availability of 
information. Risk management is key in protecting IT and OT components 
that may include cybersecurity vulnerabilities in their design, code, 
or configuration.
---------------------------------------------------------------------------

    \48\ NIST CSF Internal Controls, Appendix A, Table A-1, PR.IP-
12, page 261, <a href="http://link.springer.com/content/pdf/bbm:978-1-4842-3060-2/1.pdf">link.springer.com/content/pdf/bbm:978-1-4842-3060-2/1.pdf</a>, accessed July 18, 2023.
---------------------------------------------------------------------------

    Owners and operators may use information-sharing services or 
organizations such as an Information Sharing and Analysis Center or an 
Information Sharing and Analysis Organization. The Coast Guard would 
not endorse specific information-sharing organizations, so owners and 
operators would be free to use information-sharing organizations to 
suit their needs.\49\ Industry consensus standards provide generally 
accepted techniques for sanitizing shared information and limiting its 
attribution, so that information sharing does not compromise 
proprietary business information.\50\ In addition, regardless of the 
services or 
organizations used, owners and operators should comply with applicable 
antitrust laws and should not share competitively sensitive 
information, such as price or cost data, that can result in unlawful 
price-fixing, market allocation, or other forms of competitor 
collusion. Use of any information-sharing services or organizations 
would not meet or replace reporting requirements under 33 CFR 101.305.
---------------------------------------------------------------------------

    \49\ The Coast Guard encourages CySOs to explore resources 
through CGCYBER Maritime Cyber Readiness Branch, available at 
<a href="https://www.uscg.mil/MaritimeCyber/">https://www.uscg.mil/MaritimeCyber/</a>; see also CISA's ``Information 
Sharing and Awareness,'' available at <a href="https://www.cisa.gov/information-sharing-and-awareness">https://www.cisa.gov/information-sharing-and-awareness</a>, accessed July 18, 2023.
    \50\ See, e.g., NIST Special Publication 800-150, ``Guide to 
Cyber Threat Information Sharing,'' Johnson et al., October 2016, 
<a href="http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-150.pdf">nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-150.pdf</a>, 
accessed July 18, 2023.
---------------------------------------------------------------------------

    The Coast Guard emphasized its commitment to helping maritime 
industry stakeholders identify and address vulnerabilities in its 2021 
Cyber Trends and Insights in the Marine Environment report.\51\ In that 
report, the Coast Guard highlighted additional resources that CySOs 
should leverage to manage cybersecurity vulnerabilities.
---------------------------------------------------------------------------

    \51\ ``2021 Cyber Trends and Insights in the Marine 
Environment,'' August 5, 2022, <a href="https://www.dco.uscg.mil/Portals/9/2021CyberTrendsInsightsMarineEnvironmentReport.pdf">https://www.dco.uscg.mil/Portals/9/2021CyberTrendsInsightsMarineEnvironmentReport.pdf</a>.
---------------------------------------------------------------------------

Section 101.650 Paragraph (f): Supply Chain
    This proposed paragraph would include provisions to specify 
measures to manage cybersecurity risks in the supply chain. Legitimate 
third-party contractors and vendors may inadvertently provide a means 
of attack or vectors that allow malicious actors to exploit 
vulnerabilities within the supply chain. Section 1.1 of the NIST CSF 
emphasizes managing cybersecurity risks in the supply chain as part of 
the ``Identify'' function.\52\
---------------------------------------------------------------------------

    \52\ NIST CSF, Version 1.1, ``ID.SC: Supply Chain Risk 
Management,'' <a href="https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/">https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/</a>, accessed July 18, 2023.
---------------------------------------------------------------------------

    Under this proposed paragraph, the owner, operator, or CySO would 
ensure that measures to manage cybersecurity risks in the supply chain 
are in place to mitigate the risks associated with external parties. 
These measures would include considering cybersecurity capabilities in 
selecting vendors,

[[Page 13414]]

establishing procedures for information sharing and notifying relevant 
parties, and monitoring third-party connections.
    Through their contractual agreements, vendors would ensure the 
integrity and security of software and hardware, such as software 
releases and updates, notifications, and mitigations of 
vulnerabilities. These provisions would establish a minimum level of 
CRM within the supply chain. Industry standards provide additional 
measures.\53\ The IMO also recognizes cybersecurity risks in the 
supply chain, and these provisions would align with the guidelines and 
recommendations referenced in MSC-FAL Circ. 3/Rev.1.\54\
---------------------------------------------------------------------------

    \53\ See, for example, NIST Special Publication 800-161, 
``Supply Chain Risk Management Practices for Federal Information 
Systems and Organizations,'' May 2022, <a href="https://doi.org/10.6028/NIST.SP.800-161r1">https://doi.org/10.6028/NIST.SP.800-161r1</a>, accessed July 18, 2023.
    \54\ MSC-FAL.1/Circ.3/Rev.1, 2.1.6 and 4.2; see footnote 28.
---------------------------------------------------------------------------

Section 101.650 Paragraph (g): Resilience
    This paragraph proposes a few key activities to ensure that U.S.-
flagged vessels, facilities, and OCS facilities can recover from major 
cyber incidents with minimal impact to critical operations. Provisions 
under response and recovery can help an organization recover from a 
cyber-attack and restore capabilities and services.
    This proposed rule would require the owner, operator, or CySO to 
ensure the following response and recovery activities: report any cyber 
incidents to the Coast Guard; develop, implement, maintain, and 
exercise the Cyber Incident Response Plan; periodically validate the 
effectiveness of the Cybersecurity Plan; and perform backups of 
critical IT and OT systems. The Coast Guard would accept review of a 
cyber incident as meeting the periodic validation requirement in Sec.  
101.650(g).
    In addition, the NIST CSF describes numerous provisions within the 
``Recover'' function aimed at improving response and recovery.\55\ The 
IMO also addresses resilience.\56\
---------------------------------------------------------------------------

    \55\ NIST CSF, Version 1.1 ``RC: Recover,'' <a href="https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rc/">https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rc/</a>, accessed July 19, 
2023.
    \56\ MSC-FAL Circ. 3/Rev. 1, 3.5.5; see footnote 28.
---------------------------------------------------------------------------

Section 101.650 Paragraph (h): Network Segmentation
    This paragraph would require a CySO to ensure the network is 
segmented and to document those activities in the Cybersecurity Plan. 
Network integrity is a key provision under the ``Protect'' function of 
the NIST CSF.\57\ Network architectures vary widely based on the 
operations of a vessel or facility. Separating IT and OT networks is 
challenging, and it becomes increasingly difficult with an increase in 
the various devices connected to the network. Network segmentation 
ensures valuable information is not shared with unauthorized users and 
decreases damage that can be caused by malicious actors. Nonetheless, 
the Coast Guard recognizes that the IT and OT interface represents a 
weak link. Industry standards in this area are evolving, and it is an 
area that NIST continues to research.\58\
---------------------------------------------------------------------------

    \57\ NIST CSF, Version 1.1, ``PR.AC-5: Network integrity is 
protected (e.g., network segregation, network segmentation).'' 
csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ac/pr-
ac-5/, accessed July 19, 2023.
    \58\ See NIST Special Publication 800-82r3, ``Guide to 
Operational Technology (OT) Security,'' draft published April 26, 
2022; <a href="http://doi.org/10.6028/NIST.SP.800-82r3.ipd">doi.org/10.6028/NIST.SP.800-82r3.ipd</a>, accessed July 19, 2023.
---------------------------------------------------------------------------

Section 101.650 Paragraph (i): Physical Security
    This paragraph would specify that, along with the cybersecurity 
provisions proposed for inclusion in this part, owners, operators, and 
CySOs would manage physical access to IT and OT systems. As described 
in the ``Protect'' function of the NIST CSF, physical security protects 
critical IT and OT systems by limiting access to the human-machine 
interface (HMI).\59\ Physical security measures proposed here would 
supplement the existing vessel security assessment (VSA), FSA, and OCS 
FSA requirements in 33 CFR 104.270 for vessels, 33 CFR 105.260 for 
facilities, and 33 CFR 106.260 for OCS facilities. Similarly, under 
this proposed paragraph, the CySO would designate areas restricted to 
authorized personnel and secure HMIs and other hardware. Also under 
this proposed paragraph, the CySO would establish policies to restrict 
the use of unauthorized media and hardware. These proposed provisions 
would mirror existing Coast Guard policy outlined in NVIC 01-20.\60\
---------------------------------------------------------------------------

    \59\ NIST CSF, Version 1.1, ``PR.AC-2: Physical Access to Assets 
is Managed and Protected.'' csf.tools/reference/nist-cybersecurity-
framework/v1-1/pr/pr-ac/pr-ac-2/, accessed July 19, 2023.
    \60\ NVIC 01-20, enclosure (1), at page 4: ``Security measures 
for access control 33 CFR 105.255 and 106.260 Establish security 
measures to control access to the facility. This includes cyber 
systems that control physical access devices such as gates and 
cameras, as well as cyber systems within secure or restricted areas, 
such as cargo or industrial control systems. Describe the security 
measures for access control.'' (85 FR 16108).
---------------------------------------------------------------------------

Section 101.655--Cybersecurity Compliance Dates

    This proposed section would state that a Cybersecurity Plan as 
required by this proposed rule would be made available to the Coast 
Guard for review during the second annual audit of the existing, 
approved VSP, OCS FSP, or FSP after the effective date of a final rule, 
as required by 33 CFR 104.415 for vessels, 33 CFR 105.415 for 
facilities, and 33 CFR 106.415 for OCS facilities. The intent of this 
proposed implementation period is to allow adequate time for owners and 
operators to develop a Cybersecurity Plan.

Section 101.660--Cybersecurity Compliance Documentation

    This proposed section would allow the Coast Guard to verify an 
approved Cybersecurity Plan for U.S.-flagged vessels, facilities, and 
OCS facilities. Each owner or operator would ensure that the 
cybersecurity portion of their Plan and penetration test results are 
available to the Coast Guard upon request.

Section 101.665--Noncompliance, Waivers, and Equivalents

    This proposed section would provide the opportunity for waiver and 
equivalence determinations for owners and operators when they are 
unable to meet the requirements in subpart F, as outlined in 33 CFR 
104.130, 104.135, 105.130, 105.135, and 106.130, to include the 
cybersecurity regulations proposed in this NPRM. It would also expand 
temporary permission provisions in 33 CFR 104.125, 105.125, and 
106.120.

Section 101.670--Severability

    This proposed section would reflect the Coast Guard's intent that 
the provisions of subpart F be considered severable from each other to 
the greatest extent possible. For instance, if a court of competent 
jurisdiction were to hold that the rule or a portion thereof may not be 
applied to a particular owner or operator or in a particular 
circumstance, the Coast Guard would intend for the court to leave the 
remainder of the rule in place with respect to all other covered 
persons and circumstances. The inclusion of a severability clause in 
subpart F would not be intended to imply a position on severability in 
other Coast Guard regulations.

Inviting Comments on Regulatory Harmonization

    As noted by the Office of the National Cyber Director in an August 
2023 Request for Information,\61\ the National Cybersecurity Strategy 
\62\ calls for

[[Page 13415]]

establishing cybersecurity regulations to secure critical 
infrastructure where existing measures are insufficient, harmonizing 
\63\ and streamlining new and existing regulations, and enabling 
regulated entities to afford to achieve security.
---------------------------------------------------------------------------

    \61\ See 88 FR 55694 (Aug. 16, 2023).
    \62\ See The White House, National Cybersecurity Strategy (Mar. 
2023), <a href="https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf">https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf</a>. (accessed Sept. 19, 2023).
    \63\ As used in this context, ``harmonization'' refers to a 
common set of updated baseline regulatory requirements that would 
apply across sectors. Sector regulators such as the Coast Guard may 
appropriately go beyond the harmonized baseline to address 
cybersecurity risks specific to their sectors. See 88 FR at 55694.
---------------------------------------------------------------------------

    The Coast Guard emphasizes its commitment to regulatory 
harmonization and streamlining, and notes that this proposed rule, 
which is grounded in NIST's Framework for Improving Critical 
Infrastructure Cybersecurity, NIST's standards and best practices, and 
CISA's CPGs, is consistent with such priorities. The Coast Guard also 
acknowledges the ongoing rulemakings of other DHS components, including 
ongoing rulemakings on cybersecurity in surface transportation modes 
\64\ and implementation of CIRCIA.\65\ The Coast Guard notes potential 
differences in terminology and policy as compared to those rulemakings; 
although the Coast Guard views such differences as intentional and 
based on sector-specific distinctions, we welcome comments on 
opportunities to harmonize and streamline regulations where feasible 
and appropriate. Note that proposed Sec.  101.665, Noncompliance, 
Waivers, and Equivalents, could offer stakeholders an option for 
requesting compliance that is harmonized with similar requirements.
---------------------------------------------------------------------------

    \64\ See TSA, Fall 2023 Unified Agenda, RIN 1652-AA74: Enhancing 
Surface Cyber Risk Management, <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=1652-AA74">https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=1652-AA74</a> (accessed Jan. 19, 2024).
    \65\ See CISA, Fall 2023 Unified Agenda, RIN 1670-AA04: 
Cybersecurity Incident Reporting for Critical Infrastructure Act 
Regulations, <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=1670-AA04">https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=1670-AA04</a> (accessed Jan. 19, 2024).
---------------------------------------------------------------------------

Inviting Comments on Whether To Amend 33 CFR 160.202--Definitions

    The Coast Guard invites comments on whether we should amend the 
definition of hazardous condition in 33 CFR 160.202 to help address 
current and emerging cybersecurity threats to the MTS. The amendment 
would likely add ``cyber incident (as defined in Sec.  101.615 of this 
chapter),'' to other existing examples of hazardous conditions--such as 
collision, allision, fire, explosion, grounding, leaking, damage, and 
personnel injury. Although a hazardous condition as currently defined 
can already involve a cyber incident, this amendment would clearly link 
the definition of a hazardous condition to the concept of a cyber 
incident.
    Under 33 CFR 160.216, the owner, agent, master, operator, or person 
in charge of a vessel must immediately notify the Coast Guard of 
certain hazardous conditions. A hazardous condition either on board the 
vessel or caused by the vessel or its operation would be reported by 
the vessels listed in 33 CFR 160.203. Under the existing regulations, 
this reporting requirement already applies to U.S. commercial service 
vessels and all foreign vessels that are bound for or departing from 
ports or places within the navigable waters of the United States.
    If we amend the definition of hazardous condition in Sec.  160.202, 
we would consider a cyber incident report under part 160 satisfied by 
those subject to 33 CFR part 101, subpart F, who report the incident 
consistent with Sec.  101.620(b)(7). Given the variety of hazardous 
conditions, for response purposes, it is best that such conditions be 
reported to the nearest Coast Guard Sector Office or Group Office. The 
Coast Guard would ensure that such officials are advised of relevant 
cyber incidents reported by vessels subject to 33 CFR part 101, subpart 
F.

VI. Regulatory Analyses

    We developed this proposed rule after considering numerous statutes 
and Executive orders related to rulemaking. A summary of our analyses 
based on these statutes or Executive orders follows.

A. Regulatory Planning and Review

    Executive Order 12866 (Regulatory Planning and Review), as amended 
by Executive Order 14094 (Modernizing Regulatory Review), and Executive 
Order 13563 (Improving Regulation and Regulatory Review), direct 
agencies to assess the costs and benefits of available regulatory 
alternatives and, if regulation is necessary, to select regulatory 
approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). Executive Order 13563 emphasizes the importance of 
quantifying costs and benefits, reducing costs, harmonizing rules, and 
promoting flexibility.
    This proposed rule is a significant regulatory action under section 
3(f) of Executive Order 12866, as amended by Executive Order 14094, but 
it is not significant under section 3(f)(1) because its annual effects 
on the economy do not exceed $200 million in any year of the analysis. 
Accordingly, OMB has reviewed this proposed rule. A regulatory impact 
analysis (RIA) follows.
    In accordance with OMB Circular A-4 (available at 
<a href="http://www.whitehouse.gov/omb/circulars/">www.whitehouse.gov/omb/circulars/</a>), we have prepared an accounting 
statement showing the classification of impacts associated with this 
proposed rule.\66\
---------------------------------------------------------------------------

    \66\ The version of Circular A-4 issued November 9, 2023, is not 
effective until March 24, 2024. Therefore, this new version does not 
apply to this NPRM because this proposed rule was submitted to OIRA 
on November 13, 2023.
---------------------------------------------------------------------------

    Agency/Program Office: U.S. Coast Guard.
    Rule Title: Cybersecurity in the Marine Transportation System.
    RIN#: 1625-AC77.
    Date: July 2023 (millions, 2022 dollars).

[[Page 13416]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.000

    The Coast Guard proposes to update its maritime security 
regulations by adding minimum cybersecurity requirements to 33 CFR part 
101 for U.S.-flagged vessels subject to part 104, facilities subject to 
part 105, and OCS

[[Page 13417]]

facilities subject to part 106. Specifically, this proposed rule would 
require owners or operators of U.S.-flagged vessels, facilities, and 
OCS facilities to develop an effective Cybersecurity Plan, which 
includes actions to prepare for, prevent, and respond to threats and 
vulnerabilities. One of these actions is to assign qualified personnel 
to implement the Cybersecurity Plan and all activities within the Plan. 
The Cybersecurity Plan would include: designating a CySO; conducting a 
Cybersecurity Assessment; developing and submitting the Plan to the 
Coast Guard for approval; operating a U.S.-flagged vessel, facility, 
and OCS facility in accordance with the Plan; implementing security 
measures based on new cybersecurity vulnerabilities; and reporting 
cyber incidents to the NRC, as defined in this preamble.
    This proposed rule would further require owners and operators of 
U.S.-flagged vessels, U.S. facilities, and OCS facilities to perform 
cybersecurity drills and exercises in accordance with their VSP, FSP, 
and OCS FSP. Owners and operators of U.S.-flagged vessels, facilities, 
and OCS facilities would also be required to maintain records of 
cybersecurity related information in paper or electronic format.
    Lastly, this proposed rule would require certain cybersecurity 
measures to identify risks, detect threats and vulnerabilities, protect 
critical systems, and to recover from cyber incidents. These measures 
include account security measures, device security measures, data 
security measures, cybersecurity training for personnel, risk 
management, supply chain risk measures, penetration testing, resilience 
measures, network segmentation, and physical security.
Baseline Summary
    The Coast Guard is not codifying existing guidance in this NPRM. 
The requirements of this proposed rule and the costs and benefits we 
estimate in this RIA would be new. The Coast Guard drafted the 
requirements of this proposed rule based on NIST's Framework for 
Improving Critical Infrastructure Cybersecurity, NIST's standards and 
best practices, and CISA's CPGs.
    In February 2020, the Coast Guard issued NVIC 01-20, which provided 
clarity and guidance for MTSA-regulated facility and OCS facility 
owners and operators regarding existing requirements in the MTSA for 
computer systems and network vulnerabilities. However, the NVIC does 
not contain cybersecurity requirements for facility and OCS facility 
owners. Furthermore, the NVIC does not address the topic of 
cybersecurity for vessel owners and operators.
    The IMO has issued other guidance on cybersecurity in the past 6 
years. In 2017, the IMO adopted resolution MSC.428(98) to the ISM Code 
on ``Maritime Cyber Risk Management in Safety Management Systems 
(SMS).'' Generally, this resolution states that an SMS should consider 
CRM and encourages Administrations to appropriately address cyber risks 
in an SMS by a certain date, in accordance with the ISM Code. In 2022, 
the IMO provided further guidance on maritime CRM in 
MSC-FAL.1/Circ.3-Rev.2, Guidelines on Maritime Cyber Risk Management, in 
an effort to raise awareness about cybersecurity risks.
    In addition, survey data indicates that some portions of the 
affected population of facility and OCS facility owners and operators 
are already implementing cybersecurity measures consistent with select 
provisions of the proposed rule, including 87 percent who have 
implemented account security measures, 83 percent who have implemented 
multifactor authentication, 25 percent who have implemented annual 
cybersecurity training, and 68 percent who conduct penetration 
tests.\67\ While we lack similar data on cybersecurity activities in 
the affected population of U.S.-flagged vessels, we acknowledge that it 
is likely that many owners and operators have implemented cybersecurity 
measures in response to private incentives and increasing cybersecurity 
risks over time. For the purposes of this analysis, however, we assume 
that owners and operators have no baseline cybersecurity activity, in 
the areas in which we lack data.
---------------------------------------------------------------------------

    \67\ In this analysis, the Coast Guard references a survey 
conducted by Jones Walker, a limited liability partnership (Jones 
Walker LLP). The title of the survey is ``Ports and Terminals 
Cybersecurity Survey,'' which they conducted in 2022. This survey 
helped the Coast Guard to gain an understanding of the cybersecurity 
measures that are currently in place at facilities and OCS 
facilities in the United States. We cite relevant data from the 
survey when calculating industry costs throughout the regulatory 
analysis. Readers can access the survey at <a href="https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html">https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html</a>; accessed July 19, 2023.
---------------------------------------------------------------------------

Estimated Costs of the Proposed Rule
    We estimate the total discounted costs of this proposed rule to 
industry and the Federal Government to be approximately $562,740,969 
over a 10-year period of analysis, using a 7-percent discount rate. We 
estimate the annualized cost to be approximately $80,121,654, using a 
7-percent discount rate. See table 2.

[[Page 13418]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.001

    We present a summary of the impacts of this proposed rule in table 
3.
[GRAPHIC] [TIFF OMITTED] TP22FE24.002


[[Page 13419]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.003


[[Page 13420]]


Affected Population
    This proposed rule would affect owners and operators of U.S.-
flagged vessels subject to 33 CFR part 104 (Maritime Security: 
Vessels), facilities subject to 33 CFR part 105 (Maritime Security: 
Facilities), and OCS facilities subject to 33 CFR part 106 (Marine 
Security: Outer Continental Shelf (OCS) Facilities). The Coast Guard 
estimates this proposed rule would affect approximately 10,286 vessels 
and 3,411 facilities (including OCS facilities).
    The affected U.S.-flagged vessel population includes:
    <bullet> U.S. towing vessels greater than 8 meters (26 feet) in 
registered length inspected under 46 CFR, subchapter M that are engaged 
in towing a barge or barges inspected under 46 CFR, subchapters D and 
O;
    <bullet> U.S. tankships inspected under 46 CFR, subchapters D and 
O;
    <bullet> U.S. barges inspected under 46 CFR, subchapters I 
(includes combination barges), D, and O, carrying certain dangerous 
cargo in bulk or barges and engaged on international voyages;
    <bullet> Small U.S. passenger vessels carrying more than 12 
passengers, including at least 1 passenger-for-hire, that are engaged 
on international voyages;
    <bullet> Small U.S. passenger vessels inspected under 46 CFR, 
subchapter K that are certificated to carry more than 150 passengers;
    <bullet> Large U.S. passenger vessels inspected under 46 CFR, 
subchapter H;
    <bullet> Offshore supply vessels (OSVs) inspected under 46 CFR, 
subchapter L;
    <bullet> Self-propelled U.S. cargo vessels greater than 100 gross 
register tons inspected under 46 CFR, subchapter I, except for 
commercial fishing vessels inspected under 46 CFR part 105; and
    <bullet> U.S. MODUs and cargo or passenger vessels subject to SOLAS 
(1974), Chapter XI-1 or Chapter XI-2.
    The affected facility population includes:
    <bullet> Facilities subject to 33 CFR parts 126 (Handling of 
Dangerous Cargo at Waterfront Facilities) and 127 (Waterfront 
Facilities Handling Liquefied Natural Gas and Liquefied Hazardous Gas);
    <bullet> Facilities that receive vessels certificated to carry more 
than 150 passengers, except vessels not carrying and not embarking or 
disembarking passengers at the facility;
    <bullet> Facilities that receive vessels subject to SOLAS (1974), 
Chapter XI;
    <bullet> Facilities that receive foreign cargo vessels greater than 
100 gross register tons;
    <bullet> Facilities that receive U.S. cargo vessels, greater than 
100 gross register tons, inspected under 46 CFR, subchapter I, except 
facilities that receive only commercial fishing vessels inspected under 
46 CFR part 105; and
    <bullet> Barge fleeting facilities that receive barges carrying, in 
bulk, cargoes regulated by 46 CFR subchapter I, inspected under 46 CFR, 
subchapters D or O, or certain dangerous cargoes.
    Table 4 presents the affected population of U.S.-flagged vessels, 
facilities, and OCS facilities of this proposed rule.\68\ For the 
vessel population, the Coast Guard assumes the same number of vessels 
that leave and enter service. Therefore, we assume the population to be 
constant over the 10-year period of analysis. We also make the same 
assumption for facilities and OCS facilities. Additionally, we assume 
that changes in the ownership of vessels and facilities would be very 
rare and any audits that would result from a change in ownership would 
be accounted for by the annual audit requirements. We request public 
comments on these assumptions, and generally, on the affected 
population.
---------------------------------------------------------------------------

    \68\ This data was retrieved from the Coast Guard's Marine 
Information for Safety and Law Enforcement (MISLE) database in 
September 2022.
---------------------------------------------------------------------------

[[Page 13421]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.004


[[Page 13422]]


Cost Analysis of the Proposed Rule
    This proposed rule would impose costs on the U.S. maritime industry 
for cybersecurity requirements that include:
    <bullet> Developing a Cybersecurity Plan, which includes 
designating a CySO, in proposed 33 CFR 101.630;
    <bullet> Performing drills and exercises in proposed 33 CFR 
101.635; and
    <bullet> Ensuring and implementing cybersecurity measures in 
proposed 33 CFR 101.650, such as account security measures, device 
security measures, data security measures, cybersecurity training for 
personnel, training for reporting an incident, risk management, supply 
chain management, resilience, network segmentation, and physical 
security.
    We present the costs associated with some of the regulatory 
provisions in the following analysis; however, we are not able to 
estimate the costs fully for certain provisions because of the lack of 
data and the uncertainty associated with these provisions. Also, some 
regulatory provisions may be included in developing the Cybersecurity 
Plan and maintaining it on an annual basis; therefore, we may not have 
estimated a cost for these specific provisions in this analysis. We 
clarify this in the analysis where applicable and request public 
comment regarding these analyses.
    In addition, U.S. barges inspected under 46 CFR, subchapters D, O, 
or I (including combination barges), carrying certain dangerous cargo 
in bulk or barges engaged on international voyages, represent a special 
case in our analysis of cybersecurity-related costs. Unlike other 
vessels in the affected population of this NPRM, in most cases, barges 
do not have IT or OT systems onboard. Many types of barges rely on the 
IT and OT systems onboard their associated towing vessels or the 
facilities where they deliver their cargo. Barges are also typically 
unmanned, which makes the costs associated with provisions such as 
cybersecurity training difficult to estimate. While we 
acknowledge that there are some barges with IT or OT systems onboard, 
for the purposes of this analysis, we calculate costs only for the 
affected population of barges related to developing, resubmitting, 
maintaining, and auditing the Cybersecurity Plan, as well as developing 
cybersecurity-related drill and exercise components.
    We believe that the hour-burden estimates associated with the 
components of the Cybersecurity Plan should still be sufficient to 
capture the implementation of any cybersecurity measures identified as 
necessary by the owner or operator of a barge. In addition, we believe 
it should capture any burden associated with requests for waivers or 
equivalents for provisions that would not apply to a vessel or vessel 
company lacking significant IT or OT systems. The Coast Guard requests 
comment on our assumptions and cost estimates related to barges and 
their cybersecurity activities.
Cybersecurity Plan Costs
    Each owner and operator of a U.S.-flagged vessel, facility, or OCS 
facility would be required to develop and submit a Cybersecurity Plan 
to the Coast Guard. The CySO would develop, implement, and verify a 
Cybersecurity Plan for each U.S.-flagged vessel, facility, or OCS 
facility. The owner or operator would submit the Plan for approval to 
the cognizant COTP or the OCMI for a facility or OCS facility, or to 
the MSC for a U.S.-flagged vessel. The contents of the Cybersecurity 
Plan are detailed in proposed Sec.  101.630.
    Unless otherwise stated, we used information and obtained estimates 
in this RIA from subject matter experts (SMEs) in the Coast Guard's 
offices of Design and Engineering Standards (CG-ENG), Commercial Vessel 
Compliance (CG-CVC), and Port and Facility Compliance (CG-FAC). We also 
obtained information from the U.S. Coast Guard Cyber Command (CGCYBER) 
and the National Maritime Security Advisory Committee (NMSAC).
    The Coast Guard acknowledges that some owners and operators of 
medium-sized and larger facilities, OCS facilities, and U.S.-flagged 
vessels may have already adopted a cybersecurity posture and 
implemented measures to counter and prevent a cyber incident. We also 
acknowledge that owners and operators of smaller facilities, OCS 
facilities, and U.S.-flagged vessels may not have any cybersecurity 
measures in place. For the purpose of this analysis, we assume that all 
owners or operators of facilities, OCS facilities, and U.S.-flagged 
vessels would be required to comply with the full extent of the 
requirements of this proposed rule. However, we have survey data 
indicating that a portion of owners and operators of affected 
facilities and OCS facilities already have some cybersecurity measures 
in place.\69\ We present this survey data in the applicable sections of 
the cost analysis. For other regulatory provisions, we do not estimate 
regulatory costs for industry because the Coast Guard does not have 
data on the extent of cybersecurity measures currently in the industry 
for these provisions. The Coast Guard requests that owners and operators 
of facilities, OCS facilities, and U.S.-flagged vessels who have some or 
most of the required cybersecurity processes and procedures in their 
current operations provide comments outlining the processes and 
procedures they have implemented.
---------------------------------------------------------------------------

    \69\ Readers can access the survey at <a href="https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html">https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html</a>; accessed July 19, 2023.
---------------------------------------------------------------------------

    We list the regulatory provisions included in developing and 
maintaining a Cybersecurity Plan that we did not estimate costs for in 
other sections of this RIA:
    <bullet> Device security measures in Sec.  101.650(b)(1) through 
(4);
    <bullet> Supply chain management in Sec.  101.650(f)(1) through 
(3);
    <bullet> Cybersecurity Assessment in Sec.  101.650(e)(1);
    <bullet> Documentation of penetration testing results and 
identified vulnerabilities in Sec.  101.650(e)(2);
    <bullet> Routine system maintenance measures in Sec.  
101.650(e)(3)(i) through (v); and
    <bullet> Development and maintenance of a Cyber Incident Response 
Plan in Sec.  101.650(g)(2).
    Developing a Cybersecurity Plan has five cost components: the 
initial development of the Plan; annual maintenance of the Plan 
(including amendments); revision and resubmission of the Plan as 
needed; renewal of the Plan after 5 years; and the cost for annual 
audits. Owners and operators of U.S.-flagged vessels, facilities, and 
OCS facilities would be required to submit their Cybersecurity Plan to 
the Coast Guard during the second annual audit of the currently 
approved VSP, FSP, or OCS FSP following the effective date of this 
proposed rule; therefore, submitting a Cybersecurity Plan for approval 
would likely not occur until the second year of the 10-year period of 
analysis.
    The CySO would be responsible for all aspects of developing and 
maintaining the Cybersecurity Plan. The Coast Guard does not have data 
on whether owners and operators of facilities, OCS facilities, and 
vessels would hire a dedicated, salaried employee to serve as a CySO. 
Proposed Sec.  101.625 states that a CySO may perform other duties 
within an owner or operator's organization, and that a person may serve 
as a CySO for more than one U.S.-flagged vessel, facility, or OCS 
facility. For facilities and OCS facilities, this person may be the 
Facility Security Officer. For vessels, this person may be the Vessel 
Security Officer. When considering assigning the CySO role to the 
existing security officer, the owner or operator should consider the

[[Page 13423]]

depth and scope of these new responsibilities in addition to existing 
security duties. For the purpose of this analysis, we assume that an 
existing person in a facility, OCS facility, or U.S.-flagged vessel 
company or organization would assume the duties and responsibilities of 
a CySO, and that owners and operators would not have to hire an 
individual to fill this position. This means that any costs associated 
with obtaining security credentials (including a Transportation Worker 
Identification Card) would already be incurred prior to the 
implementation of this proposed rule. Additionally, in the event that 
the designated CySO has security responsibilities that overlap with an 
existing Vessel, Facility, or Company Security Officer, we assume that 
those individuals will work together to handle those duties.
    We use the Bureau of Labor Statistics' (BLS) ``National 
Occupational Employment and Wage Estimates'' for the United States for 
May 2022. A CySO would be comparable to the occupational category of 
``Information Security Analysts'' according to BLS's labor categories 
with an occupational code of 15-1212 and an unloaded mean hourly wage 
rate of $57.63.\70\ In order to obtain a loaded mean hourly wage rate, 
we use BLS's ``Employer Costs for Employee Compensation'' database to 
calculate the load factor, which we applied to the unloaded mean hourly 
wage rate using fourth quarter data from 2022.\71\ We determine the 
load factor for this occupational category to be about 1.46, rounded. 
We then multiply this load factor by the unloaded mean hourly wage rate 
of $57.63 to obtain a loaded mean hourly wage rate of about $84.14, 
rounded ($57.63 x 1.46).
---------------------------------------------------------------------------

    \70\ Readers can access BLS's website at <a href="https://www.bls.gov/oes/2022/may/oes151212.htm">https://www.bls.gov/oes/2022/may/oes151212.htm</a> to obtain information about the wage we 
used in this analysis; accessed May 5, 2023.
    \71\ A loaded mean hourly wage rate is what a company pays per 
hour to employ a person, not the hourly wage an employee receives. 
The loaded mean hourly wage rate includes the cost of non-wage 
benefits (health insurance, vacation, etc.). We calculated the load 
factor by accessing BLS's website at <a href="https://www.bls.gov/">https://www.bls.gov/</a> and 
selecting the topic ``Subjects'' from the menu on this web page. 
From the categories listed on this page, under the category titled 
``Pay and Benefits,'' we then selected the category of ``Employment 
Costs.'' The next page is titled ``Employment Cost Trends;'' in the 
left margin, we selected the category ``ECT Databases'' at <a href="https://www.bls.gov/ncs/ect/data.htm">https://www.bls.gov/ncs/ect/data.htm</a>. At this page, we selected the database 
titled ``Employer Costs for Employee Compensation'' using the 
``Multi-Screen'' feature at <a href="https://data.bls.gov/cgi-bin/dsrv?cm">https://data.bls.gov/cgi-bin/dsrv?cm</a>. We 
then selected the category of ``Private Industry Workers'' at screen 
1. At screen 2, we first selected the category ``Total 
Compensation,'' then we continued to select ``Transportation and 
Materials Moving Occupations'' at screen 3, then ``All Workers'' at 
screens 4 and 5, and then for ``Area,'' we selected ``United 
States'' at screen 6. At screen 7, we selected the category 
``Employer Cost for Employee Compensation.'' At screen 8, we 
selected the category ``not seasonally adjusted.'' At screen 9, we 
selected the series ID, CMU2010000520000D. We used the ``Cost of 
Compensation'' for quarter 4 of 2022, or $33.07. We performed this 
process again to obtain the value for ``Wages and Salaries,'' which 
we selected on screen 2. On screen 9, we selected the series ID 
CMU2020000520000D and obtained a value of $22.64. We divided $33.07 
by $22.64 and obtained a load factor of 1.46, rounded; accessed May 
3, 2023.
---------------------------------------------------------------------------

Cybersecurity Plan Cost for Facilities and OCS Facilities
    This proposed rule would require owners and operators of facilities 
and OCS facilities to create a Cybersecurity Plan for each facility 
within a company. For the purpose of this analysis, the cost to develop 
a Cybersecurity Plan is a function of the number of facilities, not the 
number of owners and operators, because an owner or operator may own 
more than one facility. Based on data obtained from the Coast Guard's 
Marine Information for Safety and Law Enforcement (MISLE) database, we 
estimate this NPRM would affect about 3,411 facilities and OCS 
facilities (including MTSA-regulated facilities), and about 1,708 
owners and operators of these facilities. MISLE data contains 
incomplete information on owners and operators for 748 of the 3,411 
facilities and OCS facilities included in the affected population. Of 
the 2,663 facilities and OCS facilities with complete information for 
owners and operators, we found 1,334 unique owners. This means that, on 
average, each owner owns approximately 2 facilities (2,663 / 1,334 = 
2.0, rounded). We apply this rate of ownership to the remaining 
facilities and OCS facilities without complete ownership information to 
arrive at our total of 1,708 owners [1,334 + (748 / 2)].
    We use hour-burden estimates from Coast Guard SMEs and the 
currently approved OMB Information Collection Request (ICR), Control 
Number 1625-0077, titled, ``Security Plans for Ports, Vessels, 
Facilities, and Outer Continental Shelf Facilities and other 
Security-Related Requirements.'' The hour-burden estimates are 100 hours 
for developing the Cybersecurity Plan (average hour burden), 10 hours 
for annual maintenance of the Cybersecurity Plan (which would include 
amendments), 15 hours to resubmit Cybersecurity Plans every 5 years, 
and 40 hours to conduct annual audits of Cybersecurity Plans.
    While the Cybersecurity Plan can be incorporated into an existing 
FSP for a facility or OCS facility, this does not mean that the 
Cybersecurity Plan is expected to be less complex to develop or 
maintain than an FSP. In general, the provisions outlined in this 
proposed rule are meant to reflect the depth and scope of the physical 
security provisions established by MTSA. As a result, we consider the 
hour-burden estimates for developing and maintaining the FSP to 
represent a fair proxy for what is expected with respect to a 
Cybersecurity Plan. Nevertheless, the Coast Guard requests comment on 
the accuracy of these hour-burden estimates as they relate to 
developing a Cybersecurity Plan.
    Based on estimates from the Coast Guard's FSP reviewers at local 
inspections offices, approximately 10 percent of Plans would need to be 
revised and resubmitted in the second year, which is consistent with 
the current resubmission rate for FSPs. Plans must be renewed after 5 
years (occurring in the seventh year of the analysis period), and we 
estimate that 10 percent of renewals would also require revision and 
resubmission. We estimate the time to revise and resubmit the 
Cybersecurity Plan to be about half the time to develop the Plan 
itself, or 50 hours in the second year of submission, and 7.5 hours 
after 5 years (in the seventh year of the analysis period).
    Because we include the annual Cybersecurity Assessment in the cost 
to develop Cybersecurity Plans, and we do not assume that owners and 
operators will wait until the second year of analysis to begin 
developing the Plan or implementing related cybersecurity measures, we 
divide the estimated 100 hours to develop Plans equally across the 
first and second years of analysis. We estimate the first- and 
second-year (the first year of Plan submission) undiscounted cost to 
develop a Cybersecurity Plan for owners and operators of U.S. facilities 
and OCS facilities to be about $28,700,154 (3,411 Plans x 100 hours x 
$84.14). We estimate the second-year undiscounted cost for owners and 
operators to resubmit Plans for facilities or OCS facilities (or to send 
amendments) for corrections to be about $1,434,587 (341 Plans or 
amendments x 50 hours x $84.14). Therefore, we estimate the total 
undiscounted first- and second-year cost to facility and OCS facility 
owners and operators to develop, submit, and resubmit a Cybersecurity 
Plan to be approximately $30,134,741 ($28,700,154 + $1,434,587).
    In years 3 through 6 and years 8 through 10 of the analysis period, 
owners and operators of U.S. facilities and OCS facilities would be 
required to maintain their Cybersecurity Plans. This may include 
recordkeeping and

[[Page 13424]]

documenting cybersecurity items at a facility or OCS facility, as well 
as amending the Plan. The CySO would be required to maintain each Plan 
for each facility or OCS facility. Maintaining the Plan does not occur 
in the second year (initial year of Plan submission) or in the renewal 
year, year 7 of the analysis period. We again obtain the hour-burden 
estimate for the annual maintenance of Plans from ICR 1625-0077, which 
is 10 hours.
    In the same years of the analysis period, this proposed rule would 
also require owners and operators of facilities and OCS facilities to 
conduct annual audits. The audits would be necessary for owners and 
operators of facilities and OCS facilities to identify vulnerabilities 
(via the Cybersecurity Assessment) and to mitigate them.\72\ Audits 
would also be necessary if there is a change in the ownership of a 
facility, but because the costs for audits are estimated annually, this 
should capture audits as a result of very rare changes in ownership 
each year as well. The CySO would be responsible for ensuring the audit 
of a Cybersecurity Plan. Based on input provided by Coast Guard SMEs 
who review Plans at the Coast Guard, we estimate the time to conduct an 
audit to be about 40 hours for each Plan. We estimate the undiscounted 
cost for the annual maintenance of Cybersecurity Plans for facility and 
OCS facility owners and operators to be approximately $2,870,015 (3,411 
facility Plans x 10 hours x $84.14). We estimate the undiscounted cost 
for annual audits of Cybersecurity Plans to be approximately 
$11,480,062 (3,411 facility Plans x 40 hours x $84.14). We estimate the 
total undiscounted annual cost each year in years 3 through 6 and 8 
through 10 for Cybersecurity Plans to be approximately $14,350,077 
($2,870,015 + $11,480,062).
---------------------------------------------------------------------------

    \72\ The Jones Walker survey (see footnote 69) reports about 72 
percent of ports and terminals conduct a risk assessment at least 
once a year. We did not estimate a separate cost for this item 
because the Coast Guard believes that a risk assessment can be a 
part of an annual audit. Readers can access the survey at <a href="https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html">https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html</a>; accessed July 19, 2023.
---------------------------------------------------------------------------

    Because a Cybersecurity Plan approved by the Coast Guard is valid 
for 5 years, in year 7 of the analysis period, owners and operators of 
facilities and OCS facilities would be required to renew the approval 
of their Plans with the Coast Guard. We use the hour-burden estimate in 
ICR 1625-0077 for renewing the Plan, which is 15 hours. The hour-burden 
estimate for revision and resubmission of renewals is half of the 
original hour-burden for renewals, or 7.5 hours. The CySO would be 
responsible for resubmitting the Cybersecurity Plan to the Coast Guard 
for renewal, including additional resubmissions because of corrections. 
We estimate the undiscounted cost for renewing and resubmitting a 
Cybersecurity Plan due to corrections to be approximately $4,520,211 
[(3,411 facility Plans x 15 hours x $84.14) + (341 resubmitted facility 
Plans x 7.5 hours x $84.14)].
    We estimate the total discounted cost of this proposed rule for 
developing Cybersecurity Plans for facility and OCS facility owners and 
operators to be approximately $95,920,412 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $13,656,909, using a 7-percent discount rate. 
See table 5.

[[Page 13425]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.005


[[Page 13426]]


Cybersecurity Plan Cost for U.S.-Flagged Vessels
    The methodology for owners and operators of U.S.-flagged vessels to 
develop a Cybersecurity Plan is the same as for U.S. facilities and OCS 
facilities. We estimate the affected vessel population to be about 
10,286. We estimate the number of owners and operators of these vessels 
to be about 1,775.
    We use estimates provided by Coast Guard SMEs and ICR 1625-0077 for 
the hour-burden estimates for vessels as we did for facilities and OCS 
facilities. The hour-burden estimates are 80 hours for developing the 
Cybersecurity Plan, 8 hours for annual Plan maintenance, 12 hours to 
renew the Plan every 5 years, and 40 hours to conduct annual audits of 
Plans for vessels. Similar to facilities, 10 percent of all 
Cybersecurity Plans for vessels would need to be resubmitted for 
corrections in the second year (initial year of Plan submission), and 
10 percent of Cybersecurity Plans for vessels would need to be revised 
and resubmitted in the seventh year of the analysis period. Based on 
information from Coast Guard SMEs, we estimate the time to make 
corrections to the Plan in the second year would be about half of the 
initial time to develop the Plan, or 40 hours in the second year, and 6 
hours in the seventh year. We include the annual Cybersecurity 
Assessment in the cost to develop Plans, and we do not assume that 
owners and operators will wait until the second year of analysis to 
begin developing the Cybersecurity Plan or implementing related 
cybersecurity measures. Therefore, we divide the estimated 80 hours to 
develop Plans equally across the first and second years of analysis.
    The methodology to determine the cost to develop a Cybersecurity 
Plan for U.S.-flagged vessels is slightly different than the 
methodology for facilities and OCS facilities. The Coast Guard does not 
believe that a CySO for U.S.-flagged vessels would expend 80 hours 
developing a Plan for each vessel in a company's fleet. For example, if 
a vessel owner or operator has 10 vessels, it would take a CySO 800 
hours of time to develop Plans for all 10 vessels, which is nearly 40 
percent of the total hours of work in a calendar year. It is more 
likely that the CySO would create a master Cybersecurity Plan for all 
the vessels in the fleet, and then tailor each Plan according to a 
specific vessel, as necessary.
    Because a large portion of the provisions required under this 
proposed rule would impact company-wide policies regarding network, 
account, and data security practices, as well as company-wide 
cybersecurity training, reporting procedures, and testing, we do not 
believe there will be much variation in how these provisions are 
implemented between specific vessels owned by the same owner or 
operator. Therefore, the cost to develop a Cybersecurity Plan for 
vessels becomes a function of the number of vessel owners and operators 
and not a function of the number of vessels.
    When a vessel owner or operator submits a Plan to the Coast Guard 
for approval, the owner or operator would send the master Cybersecurity 
Plan, which might include a more tailored or abbreviated Plan for each 
vessel. For example, the owner or operator of 10 vessels would send the 
master Cybersecurity Plan along with the tailored Plans for each vessel 
in one submission to the Coast Guard for approval, instead of 10 
separate documents. The Coast Guard requests comments on these 
assumptions related to master and tailored vessel Cybersecurity Plans.
    We estimate the first- and second-year (initial year of Plan 
submission) undiscounted cost for owners and operators of U.S.-flagged 
vessels to develop a Cybersecurity Plan to be approximately $11,947,880 
(1,775 Plans x 80 hours x $84.14) split over the first two years of 
analysis. We estimate the second-year undiscounted cost for owners and 
operators to resubmit vessel Plans (or send amendments) for corrections 
to be approximately $599,077 (178 Plans or amendments x 40 hours x 
$84.14). Therefore, we estimate the total undiscounted first- and 
second-year cost to the owners and operators of U.S.-flagged vessels to 
develop a Cybersecurity Plan to be approximately $12,546,957 
($11,947,880 + $599,077).
    As with facilities and OCS facilities, in years 3 through 6 and 
years 8 through 10 of the analysis period, CySOs, on behalf of owners 
and operators of U.S.-flagged vessels, would be required to maintain 
their Cybersecurity Plans. We again obtain the hour-burden estimate for 
annual maintenance of Plans from ICR 1625-0077, which is 8 hours. In 
the same years of the analysis period, this proposed rule would also 
require owners and operators of U.S.-flagged vessels to conduct annual 
audits. The audits would be necessary for owners and operators of U.S.-
flagged vessels to identify vulnerabilities through the Cybersecurity 
Assessment and to mitigate them. Audits would also be necessary if 
there is a change in the ownership of a vessel. The CySO would likely 
conduct an audit of the master Cybersecurity Plan, which would include 
each vessel, instead of conducting a separate audit for each individual 
vessel.
    The time estimate for a CySO to conduct an audit for U.S.-flagged 
vessels in a fleet is the same as it is for facilities and OCS 
facilities, or 40 hours per Plan. We estimate the undiscounted cost for 
the annual maintenance of Cybersecurity Plans for the owners and 
operators of U.S.-flagged vessels to be about $1,194,788 (1,775 Plans x 
8 hours x $84.14). We estimate the undiscounted cost for annual audits 
of Cybersecurity Plans to be approximately $5,973,940 (1,775 Plans x 40 
hours x $84.14). We estimate the total undiscounted annual cost each 
year in years 3 through 6 and 8 through 10 for Cybersecurity Plans to 
be approximately $7,168,728 ($1,194,788 + $5,973,940).
    Again, as with facilities and OCS facilities, Coast Guard approval 
for the Cybersecurity Plan is valid for 5 years. Therefore, in year 7 
of the analysis period, owners and operators of U.S.-flagged vessels 
would be required to renew their Plans with the Coast Guard. We use the 
hour-burden estimate in ICR 1625-0077 for Plan renewal, which is 12 
hours. The CySO would be responsible for resubmitting the Cybersecurity 
Plan to the Coast Guard for renewal. We estimate the undiscounted cost 
for owners and operators of U.S.-flagged vessels to renew the Plan to 
be approximately $1,882,044 [(1,775 Plans x 12 hours x $84.14) + (178 
resubmitted vessel Plans x 6 hours x $84.14)].
    We estimate the total discounted cost of this proposed rule for 
owners and operators of U.S.-flagged vessels to develop Cybersecurity 
Plans to be approximately $45,420,922 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $6,466,917, using a 7-percent discount rate. 
See table 6.

[[Page 13427]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.006


[[Page 13428]]


Drills
    In proposed Sec.  101.635(b), this NPRM would require drills that 
test the proficiency of U.S.-flagged vessel, facility, and OCS facility 
personnel who have assigned cybersecurity duties. The drills would 
enable the CySO to identify any cybersecurity deficiencies that need to 
be addressed. The CySO would need to conduct the drills every 3 months, 
or quarterly (which is consistent with the MTSA regulations for drills 
for vessels, facilities, and OCS facilities in 33 CFR parts 104, 105, 
and 106, respectively), and they may be held in conjunction with other 
security or non-security-related drills, as appropriate. The drills 
would test individual elements of the Plan, including responses to 
cybersecurity threats and incidents.
    The Coast Guard does not have data on who is currently conducting 
cybersecurity drills in either the population of facilities and OCS 
facilities or the population of U.S.-flagged vessels. Therefore, we 
assume that the entire population of facilities and U.S.-flagged 
vessels would need to develop new cybersecurity-related drills to 
comply with the proposed requirements. However, because the affected 
populations are already required to conduct drills in accordance with 
33 CFR parts 104, 105, and 106, and the proposed rule allows for owners 
and operators to hold cybersecurity drills in conjunction with other 
security and non-security-related drills, we assume that owners and 
operators will hold these new drills in conjunction with existing 
drills and will not require additional time from participants. This 
means that the only new cost associated with the proposed cybersecurity 
drills is the development of cybersecurity components to add to 
existing drills. Coast Guard SMEs who are familiar with MTSA's 
requirements and practices for drills and exercises estimate that it 
would take a CySO 0.5 hours (30 minutes) to develop new cybersecurity 
components to add to existing drills. This time estimate is based on 
the expected ease with which a CySO can access widely available 
resources and planning materials for developing cybersecurity drills 
online. The Coast Guard requests the public to comment on the accuracy 
of our estimates related to the development of cybersecurity drill 
components.
    The CySO would be the person who develops cybersecurity components 
to add to existing drills. Each CySO, on behalf of the owner or 
operator of a facility or OCS facility, would be required to develop 
the drill's components beginning in the first year of the analysis 
period and document procedures in the Cybersecurity Plan.
    Using the number of facilities owners and operators we presented 
earlier--or 1,708--the CySO's loaded mean hourly wage rate, the 
estimated time to develop the drill's components or 0.5 hours (30 
minutes), and the frequency of the drill, or every 3 months, we 
estimate the cost for facilities to develop cybersecurity components 
for drills. We estimate the undiscounted annual cost of drills for 
facility and OCS facility owners and operators to be approximately 
$287,422 (1,708 facility CySOs x 4 drills per year x 0.5 hours per 
drill x $84.14). We estimate the total discounted cost of drills for 
owners and operators of facilities and OCS facilities to be 
approximately $2,018,733 over a 10-year period of analysis, using a 7-
percent discount rate. We estimate the annualized cost to be 
approximately $287,422, using a 7-percent discount rate. See table 7.
[GRAPHIC] [TIFF OMITTED] TP22FE24.007

    We use the same methodology and estimates for U.S.-flagged vessel 
drills. As we presented previously, there are about 1,775 CySOs, on 
behalf of owners and operators of U.S.-flagged vessels, who would be 
required to develop drills with this proposed rule. We estimate the 
undiscounted annual cost of drills for the owners and operators of 
U.S.-flagged vessels to be approximately $298,697 (1,775 vessel CySOs x 
4 drills per year x 0.5 hours per drill x $84.14). We

[[Page 13429]]

estimate the total discounted cost of drills for U.S.-flagged vessels 
to be approximately $2,097,922 over a 10-year period of analysis, using 
a 7-percent discount rate. We estimate the annualized cost to be 
approximately $298,697, using a 7-percent discount rate. See table 8.
[GRAPHIC] [TIFF OMITTED] TP22FE24.008

    We estimate the total discounted cost of this proposed rule for 
drills for the owners and operators of facilities, OCS facilities, and 
U.S.-flagged vessels to be approximately $4,116,655 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $586,119, using a 7-percent 
discount rate. See table 9.

[[Page 13430]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.009

Exercises
    In proposed Sec.  101.635(c), this NPRM would require exercises 
that test the communication and notification procedures of U.S.-flagged 
vessels, facilities, and OCS facilities. These exercises may be vessel- 
or facility-specific, or part of a cooperative exercise program or 
comprehensive port exercises. The exercises would be a full test of the 
cybersecurity program with active participation by the CySO and may 
include Government authorities and vessels visiting a facility. The 
exercises would have to be conducted at least once each calendar year, 
with no more than 18 months between exercises. As with drills, we 
assume that exercises will begin in the first year of the analysis 
period as CySOs develop Cybersecurity Plans. We also assume that the 
exercises developed to satisfy Sec.  101.635(c) would also satisfy the 
exercise requirements outlined in Sec.  101.650 (g)(2) and (3), which 
require the exercise of the Cybersecurity Plan and Cyber Incident 
Response Plan.
    The Coast Guard does not have data on who is currently conducting 
cybersecurity exercises in either the population of facilities and OCS 
facilities or the population of U.S.-flagged vessels. Therefore, we 
assume that the entire populations would need to develop new 
cybersecurity-related exercises to comply with the proposed 
requirements. However, because the affected populations are already 
required to conduct exercises in accordance with 33 CFR parts 104, 105, 
and 106, and because this proposed rule allows for owners and operators 
to hold cybersecurity exercises in conjunction with other exercises, we 
assume that owners and operators will hold these new exercises in 
conjunction with existing exercises. This will not require any 
additional time from participants, which means that the only new cost 
associated with the proposed cybersecurity exercises is the development 
of cybersecurity components to add to existing exercises.
    Coast Guard SMEs familiar with MTSA's requirements and practices 
for drills and exercises estimate that it would take a CySO 8 hours to 
develop new cybersecurity components to add to existing exercises. This 
time estimate is based on the expected ease with which a CySO can 
access widely available resources and planning materials for developing 
cybersecurity exercises online \73\ and the proliferation of 
cybersecurity components already being added to AMSC exercises around 
the United States.\74\ The Coast Guard requests comment on the accuracy 
of our estimates related to the development of cybersecurity exercise 
components.
---------------------------------------------------------------------------

    \73\ For example, CISA offers free resources on cybersecurity 
scenarios and cybersecurity exercises on their website. See <a href="https://www.cisa.gov/cybersecurity-training-exercises">https://www.cisa.gov/cybersecurity-training-exercises</a>, accessed July 19, 
2023.
    \74\ See <a href="https://digitaleditions.walsworthprintgroup.com/publication/?i=459304&article_id=2956672&view=articleBrowser">https://digitaleditions.walsworthprintgroup.com/publication/?i=459304&article_id=2956672&view=articleBrowser</a> for 
just one example of AMSC cyber exercises in recent years; accessed 
July 19, 2023.
---------------------------------------------------------------------------

    We assume each CySO, on behalf of the owner and operator of a 
facility or OCS facility, would develop the exercises specified in the 
proposed rule. Using the 1,708 facility owners and operators we 
presented earlier, the CySO's loaded mean hourly wage rate, the 8-hour 
estimate for developing the exercise components, and one annual 
exercise, we estimate the cost for facilities to develop cybersecurity 
exercise components. We estimate the undiscounted annual cost of 
exercises for owners and operators of facilities and OCS facilities to 
be approximately $1,149,689 (1,708 facility CySOs x 8 hours per 
exercise x $84.14). We estimate the total discounted cost of exercises 
for facility owners and operators to be about $8,074,935 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $1,149,689, using a 7-percent 
discount rate. See table 10.

[[Page 13431]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.010

    We use the same methodology and estimates for vessel exercises that 
we use for facilities. About 1,775 CySOs, on behalf of vessel owners 
and operators, would be required to conduct exercises with this 
proposed rule. We estimate the undiscounted annual cost of exercises 
for the owners and operators of U.S.-flagged vessels to be 
approximately $1,194,788 (1,775 vessel CySOs x 8 hours per exercise x 
$84.14). We estimate the total discounted cost of exercises for U.S.-
flagged vessels to be approximately $8,391,691 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $1,194,788, using a 7-percent discount rate. 
See table 11.
[GRAPHIC] [TIFF OMITTED] TP22FE24.011


[[Page 13432]]


    We estimate the total discounted cost of this proposed rule for the 
owners and operators of U.S. facilities, OCS facilities, and U.S.-
flagged vessels for exercises to be approximately $16,466,625 over a 
10-year period of analysis, using a 7-percent discount rate. We 
estimate the annualized cost to be approximately $2,344,477, using a 7-
percent discount rate. See table 12.
[GRAPHIC] [TIFF OMITTED] TP22FE24.073

    We estimate the total discounted cost of this proposed rule for the 
owners and operators of facilities, OCS facilities, and U.S.-flagged 
vessels, to conduct annual drills and exercises to be approximately 
$20,583,281 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$2,930,596, using a 7-percent discount rate. See table 13.
[GRAPHIC] [TIFF OMITTED] TP22FE24.012

Cybersecurity Measure Costs
    The remaining regulatory provisions with associated costs are the 
cybersecurity measures in proposed Sec.  101.650. There are five cost 
provisions associated with cybersecurity measures: account security 
measures; cybersecurity training for personnel; penetration testing; 
resilience; and risk management.
    The first provision is account security measures in proposed Sec.  
101.650(a). The owners and operators of each U.S.-flagged vessel, 
facility, and OCS facility would ensure that account security measures 
are implemented and documented. This includes general account security 
measures in proposed Sec.  101.650(a)(1) through (3) and (5) through 
(7) and multifactor authentication for end users in proposed Sec.  
101.650(a)(4). Based on the Jones Walker ``Ports and Terminals 
Cybersecurity Survey,'' (see footnote 69), 87 percent of facilities 
currently have account security measures, and 83 percent of facilities 
currently use multifactor authentication software. Using the total 
number of 1,708 facility and OCS facility owners and operators, we 
multiply this number by 0.13 and 0.17, respectively, to obtain the 
number

[[Page 13433]]

of facility owners and operators who would need to implement security 
measures and have multifactor authentication software under this 
proposed rule, or about 222 and 290, respectively. The Coast Guard 
acknowledges that the survey data used here may lead us to 
underestimate the costs incurred by the population of facilities and 
OCS facilities, given the high rate of respondents who indicated that 
they have these measures in place. Accordingly, we request comments on 
the accuracy of these rates of implementation in the population of 
facilities and OCS facilities.
    We obtain the hour estimates and the labor category for these 
security measures for implementing and managing account security from 
NMSAC members with extensive experience in contracting to implement 
similar account security measures for facilities and OCS facilities in 
the affected population. A Database Administrator would ensure that 
account security measures are implemented. Using wage data from BLS's 
Occupational Employment and Wage Statistics (OEWS) program as 
previously referenced, the unloaded mean hourly wage rate for this 
labor category, occupational code of 15-1242, is $49.29.\75\ Using 
Employer Costs for Employee Compensation data from BLS, we apply the 
same load factor of 1.46 to the aforementioned wage rate to obtain a 
loaded mean hourly wage rate of approximately $71.96.
---------------------------------------------------------------------------

    \75\ See <a href="https://www.bls.gov/oes/2022/may/oes151242.htm">https://www.bls.gov/oes/2022/may/oes151242.htm</a>, 
accessed July 12, 2023.
---------------------------------------------------------------------------

    It would take a Database Administrator about 8 hours to implement 
the account security measures and 8 hours for account security 
management annually thereafter for 222 U.S. facility and OCS facility 
companies. We estimate the undiscounted initial-year cost to implement 
account security for 222 facilities and OCS facilities and the annually 
recurring cost of account security management to be approximately 
$127,801, rounded [222 facilities x ($71.96 x 8 hours)].
    The number of facility and OCS facility companies that would need 
multifactor authentication security is about 290. Based on estimates 
from CG-FAC SMEs with experience implementing multifactor 
authentication at other Government agencies, implementation of 
multifactor authentication would cost each facility anywhere from 
$3,000 to $15,000 in the initial year for setup and configuration. For 
the purposes of this analysis, we use the average of approximately 
$9,000 for the costs of initial setup and configuration. It would also 
cost each facility approximately $150 per end user for annual 
maintenance and support of the implemented multifactor authentication 
system. These costs represent the average costs for implementing and 
maintaining a multifactor authentication system across different 
organization and company sizes based on the SMEs' experience.
    We use the total number of estimated employees at an affected 
facility company in our analysis of costs because the Coast Guard 
currently lacks data on (1) which systems in use at a facility or OCS 
facility would need multifactor authentication, and (2) whether only a 
subset of the total employees would require access. This is largely 
because owners and operators have the discretion to designate both 
critical IT and OT systems as well as the number of employees needing 
access. Therefore, for the purpose of this analysis, we assume all 
employees would need multifactor authentication access. The Coast Guard 
requests comment on the accuracy of our cost estimates for implementing 
and maintaining multifactor authentication, and if only select systems 
or certain employees would require multifactor authentication access in 
most cases.
    We obtain the average number of facility employees from a Coast 
Guard contract that uses D&B Hoovers' database for company employee 
data (available in the docket for this rulemaking, see the Public 
Participation and Request for Comments section of this preamble). The 
average number of employees at a facility company is 74. We estimate 
the undiscounted initial-year cost to implement multifactor 
authentication for 290 facility and OCS facility companies to be 
approximately $2,610,000 (290 facilities x $9,000). We estimate the 
undiscounted initial-year and annual cost for multifactor 
authentication support and maintenance at facilities and OCS facilities 
to be approximately $3,219,000 (290 facility companies x 74 employees x 
$150).
    We estimate the total undiscounted initial-year cost to implement 
account security measures for facilities and OCS facilities to be 
approximately $5,956,801 ($127,801 cost to implement account security 
measures + $2,610,000 cost to set up and configure multifactor 
authentication + $3,219,000 cost for multifactor authentication 
support). We estimate the undiscounted annual cost in years 2 through 
10 to be approximately $3,346,801 ($127,801 cost to manage account 
security + $3,219,000 cost to maintain and provide multifactor 
authentication support).
    We estimate the total discounted cost to implement account security 
measures for (1) 222 facilities and OCS facilities that would need to 
implement general account security measures and (2) 290 facilities and 
OCS facilities that would need to implement multifactor authentication 
to be approximately $25,945,783 over a 10-year period of analysis, 
using a 7-percent discount rate. We estimate the annualized cost to be 
approximately $3,694,096, using a 7-percent discount rate. See table 
14.

[[Page 13434]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.013

    Owners and operators of U.S.-flagged vessels would need to 
implement the same account security measures as facilities. The 
population of vessels affected, where applicable, would be about 5,473, 
rather than 10,286, because we subtract the barge population of 4,813 
from 10,286, the total number of affected vessels. Because barges are 
unmanned, we assume they do not have computer systems onboard and, 
therefore, may not require account security measure implementation.
    The number of affected vessel owners and operators would be about 
1,602, excluding 173 barge owners and operators that do not own or 
operate other affected vessels. Based on the NMSAC estimates detailed 
above, it would take a Database Administrator about 8 hours to 
implement the account security measures and 8 hours to manage account 
security annually thereafter on behalf of each owner and operator of a 
vessel. We estimate the undiscounted initial-year cost to implement and 
annually recurring cost to manage account security measures for owners 
and operators of U.S.-flagged vessels, excluding barge owners and 
operators, to be approximately $922,239 [1,602 vessel owners and 
operators x (8 hours x $71.96)].
    The number of owners and operators who would require multifactor 
authentication security is about 1,602, for approximately 5,473 
vessels. Based on Coast Guard information, multifactor authentication 
systems would be implemented at the company level because networks and 
account security policies would be managed at the company level, and 
not for each individual vessel. Any security updates or multifactor 
authentication programs implemented at the company level could be 
pushed out to devices located on board vessels owned or operated by the 
company. We use the same cost estimate from CG-FAC that we use for 
facilities. It would cost the owner or operator of a vessel 
approximately $9,000 to implement multifactor authentication in the 
first year and about $150 annually for multifactor authentication 
support and maintenance per end user. To determine the number of 
employees for each vessel company, we use data from the certificate of 
inspection manning requirements in MISLE for each vessel 
subpopulation.\76\ We assume 2 crews and multiply the total number of 
seafaring crew by 1.33 to account for shoreside staff in order to 
obtain an estimate of total company employees per vessel.\77\ We 
estimate the total undiscounted initial-year cost to implement 
multifactor authentication for 1,602 vessel owners and operators to be 
approximately $14,418,000 (1,602 vessel owners and operators x $9,000).
---------------------------------------------------------------------------

    \76\ Manning requirements for U.S.-flagged vessels were 
established by regulation in 46 CFR part 15.
    \77\ To estimate the average number of mariners and shoreside 
employees for each company, Coast Guard conducted an internet search 
for publicly available employment data for the owners and operators 
of MTSA-regulated vessels. In total, Coast Guard was able to 
identify eight MTSA-regulated vessel owners and operators that 
publicly provided their shoreside and seafarer employment numbers. 
Using this data, we calculated the percentage of total employees 
working shoreside for each vessel. We then took an average of these 
percentages and applied that average to the population of MTSA 
vessel owners and operators. The percentage of shoreside employees 
ranged from 8 to 87 percent, with an average of 33 percent, which we 
used for each subpopulation of vessels.
---------------------------------------------------------------------------

    To calculate the annual cost per end user, we multiply the number 
of vessels for a given vessel type by the average number of employees 
per vessel and the $150 annual cost of support and maintenance. For 
example, there are about 426 OSVs in the affected population, with an 
average number of 16 employees for each OSV. Therefore, the 
undiscounted annual cost of support and maintenance for OSV owners and 
operators would be approximately $1,022,400 (16 employees per each OSV 
(including shoreside) x $150 x 426 OSVs). We perform this calculation 
for each vessel type in the affected population and add the costs 
together to obtain the total initial-year cost and annual cost 
thereafter. We estimate the total undiscounted annual cost for 
multifactor authentication maintenance

[[Page 13435]]

and support on vessels to be about $18,938,100 (number of employees for 
each vessel type x $150 x number of vessels for each vessel type). See 
table 15. We add these costs to the previously calculated 
implementation costs to obtain the initial-year costs associated with 
multifactor authentication of $33,356,100 ($14,418,000 implementation 
costs + $18,938,100 annual support and maintenance costs) as seen in 
column 3 of table 15.
[GRAPHIC] [TIFF OMITTED] TP22FE24.014

    We estimate the total undiscounted initial-year cost to implement 
account security measures in proposed Sec.  101.650(a)(1) through (3), 
and (5) through (7) and multifactor authentication for end users in 
proposed Sec.  101.650(a)(4) for 1,602 U.S.-flagged vessels to be 
approximately $34,278,339 ($922,239 cost to implement account security 
+ $33,356,100 cost to implement and provide multifactor support costs). 
We estimate the total undiscounted annual cost in years 2 through 10 to 
be approximately $19,860,339 ($922,239 cost to manage account security 
+ $18,938,100 cost to maintain and provide multifactor authentication).
    We estimate the total discounted cost to implement all the account 
security measures in proposed Sec.  101.650(a)(1) through (3), and (5) 
through (7) and multifactor authentication for end users in proposed 
Sec.  101.650(a)(4) for 1,602 U.S.-flagged vessels to be approximately 
$152,965,477 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$21,778,843 using a 7-percent discount rate. See table 16.

[[Page 13436]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.015

    We estimate the total discounted cost to implement account security 
measures for owners and operators of U.S.-flagged vessels, facilities, 
and OCS facilities, including multifactor authentication, to be 
approximately $178,911,259 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be 
approximately $25,472,938, using a 7-percent discount rate. See table 
17.
[GRAPHIC] [TIFF OMITTED] TP22FE24.016


[[Page 13437]]


Cybersecurity Training Cost
    The second cost provision under cybersecurity measures, in proposed 
Sec.  101.650(d), would be training. All persons with access to IT and 
OT would need annual training in topics such as the relevant aspects of 
the owner or operator's specific cybersecurity technology and concerns, 
recognition of threats and incidents, and incident reporting 
procedures. Given the importance of having a workforce trained on 
onsite cybersecurity systems as soon as possible to detect and mitigate 
cyber incidents, cybersecurity training would be verified during annual 
inspections following the implementation of this proposed rule. This 
means we assume there will be costs related to training in the first 
year of analysis. The Coast Guard requests comment on the ability of 
affected owners and operators to develop and provide relevant 
cybersecurity training within the first year of implementation.
    Based on information from the Jones Walker ``Ports and Terminals 
Cybersecurity Survey,'' (see footnote 69), about 25 percent of 
facilities are currently conducting cybersecurity training on an annual 
basis.\78\ Therefore, we estimate the number of facility and OCS 
facility owners and operators needing to implement training to be about 
1,281 (1,708 owners and operators x 0.75).
---------------------------------------------------------------------------

    \78\ See footnote 69 and page 48 of the survey in the docket.
---------------------------------------------------------------------------

    Based on information from CISA's SMEs, we assume that the CySO at a 
facility or OCS facility would spend 2 hours per year to develop, 
update, and provide cybersecurity training. SMEs at CISA also estimate 
that it would take 1 hour per facility employee to complete the 
training annually, based on existing industry-leading cyber awareness 
training programs. This proposed rule would also require part-time 
employees and contractors to complete the training. However, the Coast 
Guard has data only on the number of full-time employees at facilities 
and OCS facilities, so we use this estimate with the acknowledgement 
that costs may be higher for facilities than we estimate in this 
analysis if we take other employees into account, such as part-time 
employees and contractors. As before, we use the estimate of the 
average number of employees at facilities and OCS facilities, or 74.
    To obtain the unloaded mean hourly wage rate of employees at 
facilities and OCS facilities, we use BLS's Quarterly Census of 
Employment and Wages (QCEW) data. We also use the North American 
Industry Classification System (NAICS) code for ``Port and Harbor 
Operations,'' which is 488310, to obtain the representative hourly wage 
for employees at facilities and OCS facilities. The BLS reports the 
weekly wage to be $1,653.\79\ Dividing this value by the standard 
number of hours in a work week, or 40, we obtain the unloaded hourly 
wage rate of approximately $41.33. We once again apply a load factor of 
1.46 to this wage to obtain a loaded mean hourly wage rate for facility 
employees of approximately $60.34 (($1,653 / 40 hours) x 1.46)).
---------------------------------------------------------------------------

    \79\ Readers can access this web page at <a href="http://www.bls.gov/cew/">www.bls.gov/cew/</a>. In 
the menu at the top of the page, readers should use the dropdown 
menu under ``QCEW Data,'' and select ``Databases.'' Doing this will 
bring the reader to <a href="https://www.bls.gov/cew/data.htm">https://www.bls.gov/cew/data.htm</a>. On this page, 
select the multi-screen tool (<a href="https://data.bls.gov/cgi-bin/dsrv?en">https://data.bls.gov/cgi-bin/dsrv?en</a>). 
On screen 1, select ``488310 NAICS 488310 Port and harbor 
operations.'' On screen 2, select ``US000 U.S. TOTAL.'' Select ``5 
Private,'' ``4 Average Weekly Wage,'' and ``0 All establishment 
sizes'' on screens 3, 4, and 5, respectively. Screen 6 shows the 
relevant Series ID (ENUUS000405488310). Select ``Retrieve Data.'' 
Please consider that 2022 data from QCEW are preliminary and may 
change from the estimate in the text. For the purposes of this 
analysis, we used Q1 2022 QCEW data. Accessed on July 13, 2023.
---------------------------------------------------------------------------

    We estimate the undiscounted initial-year and annual cost for 
facility and OCS facility owners and operators to train employees on 
aspects of cybersecurity to be approximately $5,935,437, rounded [1,281 
facility owners and operators x ((74 employees at each facility company 
x $60.34 x 1 hour) + (1 CySO developing training x $84.14 x 2 hours))].
    We estimate the discounted cost for facility and OCS facility 
owners and operators to complete annual training to be approximately 
$41,688,025 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$5,935,437, using a 7-percent discount rate. See table 18.
[GRAPHIC] [TIFF OMITTED] TP22FE24.017


[[Page 13438]]


    Employees on board U.S.-flagged vessels would also be required to 
complete annual cybersecurity training. The hour estimates for the CySO 
to develop cybersecurity training and employees to complete the 
training are the same as for facility estimates, 2 hours and 1 hour, 
respectively. The training costs for U.S.-flagged vessels are based 
upon the number of employees for each vessel type, similar to the cost 
analysis for account security measures. We chose several representative 
labor categories of vessel employees based on the manning requirements 
listed in the certificates of inspection for each vessel. From the BLS 
OEWS program, we use the labor categories, ``Captains, Mates, and 
Pilots of Water Vessels,'' with an occupational code of 53-5021, 
``Sailors and Marine Oilers,'' with an occupational code of 53-5011, 
and ``Ship Engineers,'' with an occupational code of 53-5031.\80\ The 
unloaded mean hourly wage rates from May 2022 for these occupations are 
$50.09, $25.65, and $48.55, respectively. We also use an assortment of 
labor categories to estimate a mean hourly wage for the industrial 
personnel identified in the certificate of inspection for MODUs in the 
affected population. According to SMEs with CG-CVC, industrial 
personnel aboard MODUs generally include a mixture of hotel and steward 
staff; laborers and riggers; specialized technicians; and mechanics, 
electricians, and electronic technicians for maintenance. For these 
groups, we find a combined unloaded weighted mean hourly wage of 
$25.16. For each vessel type, we weight the representative wages based 
on the average occupational ratios across vessels in the population. 
See Appendix A: Wages Across Vessel Types, for more details on how the 
industrial personnel and weighted mean hourly wages for each vessel 
type were calculated.\81\ We apply the same load factor we used 
previously in this analysis, 1.46, to these wage rates, to obtain the 
loaded mean hourly wage rates shown in table 19.\82\
---------------------------------------------------------------------------

    \80\ See <a href="https://www.bls.gov/oes/2022/may/oes_nat.htm#00-0000">https://www.bls.gov/oes/2022/may/oes_nat.htm#00-0000</a> 
for 2022 wage rates associated with the listed occupations. Accessed 
September 9, 2023.
    \81\ It should be noted that the wage calculations in Appendix 
A: Wages Across Vessel Types are conducted with occupational ratios 
based on employee counts without the 1.33 shoreside employee 
modifier applied. Applying this multiplier evenly across all the 
employee counts would not have an impact on the occupational ratios, 
and thus would not impact our estimated weighted mean hourly wages. 
Because we do not have a good grasp on what occupations the 
shoreside employees would have, we simply apply the weighted mean 
hourly wages to all employees in the given population of vessels.
    \82\ See footnote 71.
    \83\ See Appendix A: Wages Across Vessel Types for more 
information on how these wages rates were calculated.
[GRAPHIC] [TIFF OMITTED] TP22FE24.018

    We estimate the undiscounted initial-year and annual cost of 
cybersecurity training for vessel employees to be approximately 
$6,166,909 (number of vessels for each affected vessel category x 
number of employees for each vessel type x representative mean hourly 
wage for vessel type x 1 hour for training). For example, using OSVs, 
there are about 426 OSVs, with 16 employees for each OSV. Therefore, we 
estimate the annual training cost for OSVs to be about $374,335 (426 
OSVs x 16 employees x $54.92 x 1 hour), rounded. We perform this 
calculation for all of the affected vessel types in this proposed rule 
and add it to the estimated costs for training development. We estimate 
the undiscounted annual cost to develop cybersecurity training to be 
approximately $269,585 (1,602 vessel companies x 1 CySO per vessel 
company x $84.14 x 2 hours to develop training). This means the total 
undiscounted annual training cost for the affected population of U.S.-
flagged vessels is $6,436,494 ($6,166,909 employee training costs + 
$269,585 training development costs). Table 20 displays the total 
employee training costs for each vessel type impacted by the proposed 
training requirement.

[[Page 13439]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.019

    We estimate the discounted cost for employees aboard U.S.-flagged 
vessels to complete annual cybersecurity training to be approximately 
$45,207,239 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$6,436,494, using a 7-percent discount rate. See table 21.
[GRAPHIC] [TIFF OMITTED] TP22FE24.020

    We estimate the total discounted cost of cybersecurity training for 
facilities and vessels to be approximately $86,895,266 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to

[[Page 13440]]

be approximately $12,371,931, using a 7-percent discount rate. See 
table 22.
[GRAPHIC] [TIFF OMITTED] TP22FE24.021

Penetration Testing
    The third proposed provision under cybersecurity measures that 
would impose costs on industry is penetration testing, in proposed 
Sec.  101.650(e)(2). The CySO for each U.S.-flagged vessel, facility, 
and OCS facility would ensure that a penetration test is completed in 
conjunction with renewing the FSP, VSP, or OCS FSP. We assume facility 
and vessel owners and operators in the affected population would pay a 
third party to conduct a penetration test to maintain safety and 
security within the IT and OT systems for all KEVs. The cost for 
penetration testing is a function of the number of vessel and facility 
owners and operators, because networks are typically managed at a 
corporate level. At the conclusion of the test, the CySO would also 
need to document all identified vulnerabilities in the FSA, OCS FSP, or 
VSA--a cost that is included in our analysis of annual Cybersecurity 
Plan maintenance. Further, it is expected that the CySO would also work 
to correct or mitigate the identified vulnerabilities. However, the 
methods employed and time taken to correct or mitigate these 
vulnerabilities represent a source of uncertainty in our analysis, and 
we are unable to estimate the associated costs.
    Based on the Jones Walker survey (see footnote number 69), 68 
percent of facilities and OCS facilities are currently conducting 
penetration testing. Using 1,708 affected facility owners and 
operators, the number of facility and OCS facility owners and operators 
needing to conduct penetration testing is about 547 (1,708 x 0.32). 
Using cost estimates for penetration testing from NMSAC members who 
have experience conducting and contracting with facilities and OCS 
facilities to conduct penetration tests, we estimate it would cost each 
facility owner or operator $5,000 for the initial penetration test and 
an additional $50 for each employee's Internet Protocol (IP) 
address,\84\ to capture the additional costs of network complexity. The 
number of employees for each facility is 74. Facility and OCS facility 
owners and operators would incur penetration testing costs in 
conjunction with submitting and renewing the Cybersecurity Plan, or 
every 5 years. This means penetration testing costs would be incurred 
in the second and seventh year of analysis. We estimate the 
undiscounted second- and seventh-year costs to facilities and OCS 
facilities for penetration testing to be about $4,758,900 [(547 
facility owners and operators x $5,000) + (74 employees x 547 facility 
owners and operators x $50)]. We estimate the discounted cost for 
owners and operators of facilities and OCS facilities to conduct 
penetration testing to be about $7,120,212 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be about $979,477 using a 7-percent discount rate. See table 
23.
---------------------------------------------------------------------------

    \84\ An IP address is a unique numerical identifier for each 
device or network that connects to the internet. Because we do not 
have data on the number of devices each organization uses, we use 
the number of employees as a proxy because each employee could have 
a device using the organizational network.

---------------------------------------------------------------------------

[[Page 13441]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.022

    Owners and operators of U.S.-flagged vessels would also need to 
conduct penetration testing, similar to facilities. We do not include 
barges or barge-specific owners and operators, given the unmanned 
nature of barges and their relatively limited onboard IT and OT 
systems. All estimates for vessel penetration testing are the same as 
for facilities and OCS facilities. We estimate the undiscounted second- 
and seventh-year costs for owners and operators of vessels to conduct 
penetration testing to be approximately $14,322,700 [(1,602 vessel 
owners and operators x $5,000) + (number of vessels for each vessel 
type x number of employees for each vessel type x $50)]. See table 24 
for a calculation of the costs per IP address for the various vessel 
populations, which can be added to the costs per owner or operator 
costs, or $8,010,000 (1,602 owners and operators x $5,000) in years 2 
and 7.

[[Page 13442]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.023

    We estimate the discounted cost for owners and operators of vessels 
to conduct penetration testing to be approximately $21,429,459 over a 
10-year period of analysis, using a 7-percent discount rate. We 
estimate the annualized cost to be approximately $3,051,073 using a 7-
percent discount rate. See table 25.
[GRAPHIC] [TIFF OMITTED] TP22FE24.024

    We estimate the total discounted cost to conduct penetration 
testing for owners and operators of facilities, OCS facilities, and 
U.S.-flagged vessels to be approximately $28,549,669 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $4,064,831 using a 7-percent 
discount rate. See table 26.

[[Page 13443]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.025
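    The following is an added worked example and is not part of the 
Coast Guard's analysis. It is a short Python script that encodes the 
cost formulas used in the training and penetration testing sections 
above (the per-employee training model with one CySO developing the 
course, the $5,000-plus-$50-per-IP-address penetration testing model 
with employees as the proxy for IP addresses, and the 7-percent, 
10-year discounting and annualization applied throughout) and 
reproduces the stated facility figures to within rounding. The 
end-of-year discounting convention (year-1 costs divided by 1.07, 
year-2 costs by 1.07 squared, and so on) is an assumption; it is 
inferred from the fact that it reproduces the stated discounted totals. 
Population and wage inputs are the ones given in the text.

```python
# Added example (not from the NPRM): reproduces the cost arithmetic used in
# the training and penetration testing analysis. Inputs are the figures
# stated in the text; the end-of-year discounting convention is an
# assumption that matches the stated discounted totals.
from typing import Iterable, List

DISCOUNT_RATE = 0.07   # 7-percent discount rate used throughout the analysis
HORIZON_YEARS = 10     # 10-year period of analysis


def cost_schedule(amount: float, years_incurred: Iterable[int],
                  horizon: int = HORIZON_YEARS) -> List[float]:
    """Undiscounted cost stream for years 1..horizon; 'amount' is incurred
    only in the listed years (e.g. {2, 7} for 5-yearly penetration tests)."""
    incurred = set(years_incurred)
    return [amount if year in incurred else 0.0 for year in range(1, horizon + 1)]


def present_value(stream: List[float], rate: float = DISCOUNT_RATE) -> float:
    """Discounted total of a year-1..year-N cost stream. End-of-year
    convention (assumption): the year-t cost is divided by (1 + rate) ** t."""
    return sum(cost / (1.0 + rate) ** t for t, cost in enumerate(stream, start=1))


def annuity_factor(rate: float = DISCOUNT_RATE, years: int = HORIZON_YEARS) -> float:
    """Sum of 1/(1+rate)**t for t = 1..years; about 7.0236 at 7 percent, 10 years."""
    return (1.0 - (1.0 + rate) ** -years) / rate


def annualized(pv: float, rate: float = DISCOUNT_RATE,
               years: int = HORIZON_YEARS) -> float:
    """Constant annual amount whose present value over 'years' equals 'pv'."""
    return pv / annuity_factor(rate, years)


def training_cost(n_owners: int, employees_per_owner: float,
                  employee_wage: float, cyso_wage: float = 84.14,
                  employee_hours: float = 1.0, cyso_hours: float = 2.0) -> float:
    """Annual training cost: every employee takes the course (1 hour at the
    loaded wage) and one CySO per owner/operator develops it (2 hours)."""
    per_owner = (employees_per_owner * employee_wage * employee_hours
                 + cyso_wage * cyso_hours)
    return n_owners * per_owner


def pentest_cost(n_owners: int, employees_per_owner: float,
                 base_fee: float = 5000.0, per_ip: float = 50.0) -> float:
    """Penetration test cost per round of plan renewals: a flat fee per
    owner/operator plus a per-IP-address charge, using the employee count
    as the proxy for IP addresses, as the analysis does."""
    return n_owners * (base_fee + employees_per_owner * per_ip)


# Facility / OCS facility figures as stated in the text.
FACILITY_TRAINING_ANNUAL = training_cost(n_owners=1281, employees_per_owner=74,
                                         employee_wage=60.34)
FACILITY_TRAINING_PV = present_value(
    cost_schedule(FACILITY_TRAINING_ANNUAL, range(1, HORIZON_YEARS + 1)))
FACILITY_PENTEST_PER_ROUND = pentest_cost(n_owners=547, employees_per_owner=74)
FACILITY_PENTEST_PV = present_value(cost_schedule(FACILITY_PENTEST_PER_ROUND, {2, 7}))

if __name__ == "__main__":
    print(f"facility training, annual:        ${FACILITY_TRAINING_ANNUAL:,.0f}")
    print(f"facility training, 10-year PV:    ${FACILITY_TRAINING_PV:,.0f}")
    print(f"facility pentest, years 2 and 7:  ${FACILITY_PENTEST_PER_ROUND:,.0f}")
    print(f"facility pentest, 10-year PV:     ${FACILITY_PENTEST_PV:,.0f}")
    print(f"facility pentest, annualized:     ${annualized(FACILITY_PENTEST_PV):,.0f}")
```

    Running the script gives $5,935,437 for annual facility training, 
$41,688,025 (within a few dollars) for its 10-year discounted cost, 
$4,758,900 for each round of facility penetration testing, and 
$7,120,212 (within a few dollars) for the discounted penetration 
testing cost, matching the text. One caveat for readers checking the 
figures: dividing the $7,120,212 discounted facility penetration 
testing cost by the 10-year annuity factor gives about $1,013,758, 
whereas the text states an annualized cost of $979,477; the vessel 
($21,429,459 and $3,051,073) and combined ($28,549,669 and $4,064,831) 
penetration testing figures do divide out consistently, and the 
combined annualized figure less the vessel figure is $1,013,758, so 
the facility figure should be checked against table 23.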

Resilience
    The fourth cost provision under cybersecurity measures would be 
resilience, in proposed Sec.  101.650(g). Each CySO for a facility, OCS 
facility, and U.S.-flagged vessel would be required to report any cyber 
incident to the NRC, develop a Cyber Incident Response Plan, validate 
the effectiveness of Cybersecurity Plans through annual tabletop 
exercises or periodic reviews of incident response cases, and perform 
backups of critical IT and OT systems. Of these proposed requirements, 
the costs associated with development of a Cyber Incident Response Plan are 
already captured in the overall costs to develop the Cybersecurity 
Plan, and any subsequent annual maintenance for the Cyber Incident 
Response Plan would be captured in the costs for annual maintenance of 
the Cybersecurity Plan. In addition, costs associated with validating 
and exercising Cybersecurity Plans through annual tabletop 
exercises or periodic reviews of incident response cases are already 
captured in the costs estimated for drills and exercises in proposed 
Sec.  101.635.
    To estimate the costs associated with cyber incident reporting, the 
Coast Guard uses historical cyber incident reporting data from the NRC. 
From 2018 to 2022, the NRC fielded and processed an average of 18 cyber 
incident reports from facilities and OCS facilities, and an average of 
2 cyber incident reports from U.S.-flagged vessels, for a total of 20 
cyber incident reports per year. While we anticipate that this number 
could increase or decrease following the publication of a rule focused 
on cybersecurity standards and procedures, we use the historical 
averages to estimate costs for the affected population.\85\ Due to the 
uncertainty surrounding how these regulatory changes may impact the 
number of incident reports made in the future, the Coast Guard requests 
comment on the expected number of incident reports submitted each year.
---------------------------------------------------------------------------

    \85\ The Coast Guard believes that cyber incident reports could 
increase following publication of this NPRM due to greater 
enforcement of reporting procedures and greater awareness 
surrounding the need to report. However, the Coast Guard 
acknowledges that cyber incident reports could also decrease because 
greater prevention measures would be implemented because of this 
proposed rule. As a result, we use historical cyber incident 
reporting data to analyze costs moving forward.
---------------------------------------------------------------------------

    For both the population of facilities and OCS facilities and the 
population of U.S.-flagged vessels, we assume that it will take 8.5 
minutes (0.15 hours) of a CySO's time to report a cyber incident to the 
NRC. We base this estimated hour burden on the time to report 
suspicious maritime activity to the NRC in currently approved OMB ICR, 
Control Number 1625-0096 titled ``Report of Oil or Hazardous Substance 
Discharge and Report of Suspicious Maritime Activity.'' For the 
population of facilities and OCS facilities, we estimate annual 
undiscounted costs of $227 (18 cyber incident reports x 0.15 hours to 
report x $84.14 CySO wage). We estimate the discounted cost for owners 
and operators of facilities and OCS facilities to report cyber 
incidents to be about $1,592 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be about 
$227 using a 7-percent discount rate. See table 27.

[[Page 13444]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.026

    For the population of U.S.-flagged vessels, we estimate annual 
undiscounted costs of $25 (2 cyber incident reports x 0.15 hours to 
report x $84.14 CySO wage). We estimate the discounted cost for owners 
and operators of U.S.-flagged vessels to report cyber 
incidents to be about $250 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be about 
$25 using a 7-percent discount rate. See table 28.
[GRAPHIC] [TIFF OMITTED] TP22FE24.027


[[Page 13445]]


    We estimate the total discounted cost for owners and operators of 
facilities, OCS facilities, and U.S.-flagged vessels to be 
approximately $1,771 over a 10-year period of analysis, using a 7-
percent discount rate. We estimate the annualized cost to be 
approximately $252 using a 7-percent discount rate. See table 29.
[GRAPHIC] [TIFF OMITTED] TP22FE24.028

    The Coast Guard does not have data on the IT resources that owners 
and operators would need to back up data, either internally or 
externally. Coast Guard SMEs indicate that most of the affected 
population is likely already performing data backups. The time burden 
of backing up data is minimal because they can occur in the background 
through automated processes, making any new costs a function of data 
storage space. The external storage of data would require cloud storage 
(storage on an external server), and the cost would be dependent upon 
the capacity needed; for example, 1 terabyte or 100 terabytes of space. 
These costs would likely be incurred on a monthly basis, although we do 
not know how much additional data space a given owner or operator would 
need, if any. Coast Guard SMEs with CG-CYBER indicate that the current 
market prices for cloud storage subscriptions range from $21 to $41 per 
month for 1 terabyte of data, $54 to $320 per month for 10 terabytes, 
and up to $402 to $3,200 per month for 100 terabytes of data. There may 
also be costs associated with the encryption of data that we are not 
able to estimate in this analysis. The Coast Guard requests public 
comment on the costs associated with data backup storage and 
protection.
Routine System Maintenance for Risk Management
    The final cost provision under cybersecurity measures would be 
routine system maintenance for risk management, in proposed Sec.  
101.650(e)(3)(i) through (vi). This proposed rule would require the 
CySO of a U.S.-flagged vessel, facility, or OCS facility to ensure 
patching (software updates) or implementing controls for all KEVs in 
critical IT and OT systems in paragraph (e)(3)(i), maintain a method to 
receive or act on publicly submitted vulnerabilities in paragraph 
(e)(3)(ii), maintain a method to share threat and vulnerability 
information with external stakeholders in paragraph (e)(3)(iii), ensure 
there are no exploitable channels exposed to internet accessible 
systems in paragraph (e)(3)(iv), ensure that no OT is connected to the 
publicly accessible internet unless explicitly required for operation 
in paragraph (e)(3)(v), and conduct vulnerability scans according to 
the Cybersecurity Plan in paragraph (e)(3)(vi).
    Based on information from CGCYBER and NMSAC, we estimate costs for 
only the vulnerability scans in this analysis, because it is expected 
that CySOs will incorporate many of these provisions into the initial 
development and annual maintenance of the Cybersecurity Plan. 
Provisions that require setting up routine patching, developing methods 
for communicating vulnerabilities, and ensuring limited network 
connectivity of OT and other exploitable systems are expected to be 
less time-intensive efforts that will be completed following an initial 
Cybersecurity Assessment and documented in the Cybersecurity Plan. As a 
result, we include those costs in that portion of the analysis. 
However, if an OT system does need to be taken offline or segmented 
from other IT systems, the Coast Guard does not have information on how 
long or intensive that process would be because of the great degree of 
variability in OT systems within the affected population.
    We discuss network segmentation and uncertainty more in later 
sections in this NPRM. We request public comment on the expected costs 
of network segmentation, particularly from those in the affected 
population who have completed these processes in the past.
    Based on information from CGCYBER, the cost to acquire third-party 
software capable of vulnerability scans would be approximately $3,390 
annually (which includes the software subscription cost) for each U.S.-
flagged vessel, facility, and

[[Page 13446]]

OCS facility. We base our analysis on the cost of a prevalent 
vulnerability scanner or antivirus product for business. Vulnerability 
scans can occur in the background while systems are operational and 
represent a less intensive method of monitoring IT and OT systems for 
vulnerabilities, which complements more intensive penetration tests 
that would be required every 5 years. For this reason, we do not 
estimate an hour burden in addition to the annual subscription cost of 
securing vulnerability scanning software. We estimate the undiscounted 
annual cost for facility owners and operators to subscribe to and use 
vulnerability scanning software to be approximately $5,790,120 (1,708 
facility owners and operators x $3,390). We estimate the undiscounted 
annual cost for vessel owners and operators to subscribe to and use 
vulnerability scanning software to be approximately $5,430,780 (1,602 
vessel owners and operators x $3,390). Combined, we estimate the total 
discounted cost for owners and operators of facilities, OCS facilities, 
and U.S.-flagged vessels to use vulnerability scanning software to be 
approximately $78,810,907 over a 10-year period of analysis, using a 7-
percent discount rate. We estimate the annualized cost to be 
approximately $11,220,900, using a 7-percent discount rate. See table 
30.
[GRAPHIC] [TIFF OMITTED] TP22FE24.029

Total Costs of the Proposed Rule to Industry
    We estimate the total discounted cost of this proposed rule to the 
affected population of facilities and OCS facilities to be 
approximately $221,437,074 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be 
approximately $31,527,658, using a 7-percent discount rate. See table 
31.

[[Page 13447]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.030

    As seen in table 31, the primary cost drivers for the population of 
facilities and OCS facilities are Cybersecurity Plan-related costs 
(development, resubmission, maintenance, and audits) at 43.26 percent 
of the total costs to

[[Page 13448]]

industry. Cybersecurity training and vulnerability management costs 
come in second and third at 19 percent and 18.54 percent of the total 
costs, respectively. We believe some of this is due to the analysis of 
Cybersecurity Plan costs and vulnerability management costs, which 
assumes no baseline activity within the affected population because of 
a lack of information. Costs that appear as a higher percentage of the 
total costs in the population of U.S.-flagged vessels (account security 
and multifactor authentication, for example) have been adjusted based 
on current baseline activity within the population of facilities based 
on survey results, and thus, appear as smaller impacts to the 
population in general.
    We estimate the total discounted cost of this proposed rule to the 
affected population of U.S.-flagged vessels to be approximately 
$313,656,415 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$44,657,617, using a 7-percent discount rate. See table 32.

[[Page 13449]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.031

    As seen in table 32, the primary cost drivers for the population of 
U.S.-flagged vessels are costs related to account security and 
multifactor authentication at 48.43 percent of the total costs to 
industry. Costs related to

[[Page 13450]]

the Cybersecurity Plan and cybersecurity training come in second and 
third at 14.69 percent and 14.63 percent of the total costs, 
respectively. We estimate that account security and multifactor 
authentication costs represent such a high portion of the overall costs 
related to cybersecurity because the Coast Guard was unable to estimate 
current baseline activity for these provisions and used conservative 
(upper-bound) estimates related to the costs of implementing and 
managing multifactor authentication. As a result, the Coast Guard 
requests public comment on who in the affected population of U.S.-
flagged vessels has already implemented multifactor authentication and 
what the associated costs were.
    We estimate the total discounted cost of this proposed rule to 
industry to be approximately $535,093,488 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $76,185,275, using a 7-percent discount rate. 
See table 33.

[[Page 13451]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.032


[[Page 13452]]


Total Costs of the Proposed Rule per Affected Owner or Operator
    We estimate the average annual cost per owner or operator of a 
facility or OCS facility to be approximately $27,589, under the 
assumption that an owner or operator would need to implement each of 
the provisions required by this proposed rule. Each additional facility 
owned or operated would increase the estimated annual costs by an 
average of $4,396 per facility, since each facility or OCS facility 
will require an individual Cybersecurity Plan. Year 2 of the analysis 
period represents the year with the highest costs incurred per owner, 
with estimated costs of $37,667 for an owner or operator with one 
facility or OCS facility. See table 34 for a breakdown of the costs per 
entity for an owner or operator owning one facility or OCS facility.

[[Page 13453]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.033

    To estimate the cost for an owner or operator of a facility or OCS 
facility to develop, resubmit, conduct annual maintenance, and audit 
the Cybersecurity Plan, we use estimates provided earlier in the 
analysis. The

[[Page 13454]]

hour-burden estimates are 100 hours for developing the Cybersecurity 
Plan (average hour burden), 10 hours for annual maintenance of the 
Cybersecurity Plan (which would include amendments), 15 hours to renew 
Cybersecurity Plans every 5 years, and 40 hours to conduct annual 
audits of Cybersecurity Plans.
---------------------------------------------------------------------------

    \86\ The cost totals in table 34 represent cost estimates for 
owners and operators of 1 facility or OCS facility under the 
assumption that they will need to implement all cost-creating 
provisions of the proposed rule. Therefore, when multiplied over the 
full number of affected entities, the calculated totals will exceed 
those estimated for the population of facilities and OCS facilities 
elsewhere in the analysis. In addition, the cost estimates for items 
related to the Cybersecurity Plan are per facility and must be 
multiplied by the number of facilities owned. This is discussed in 
further detail later in the analysis of costs per owner or operator.
---------------------------------------------------------------------------

    Based on estimates from Coast Guard FSP and OCS FSP reviewers at 
local inspections offices, approximately 10 percent of Cybersecurity 
Plans would need to be resubmitted in the second year due to revisions 
that would be needed to the Plans, which is consistent with the current 
resubmission rate for FSPs and OCS FSPs. For renewals of Plans after 5 
years (occurring in the seventh year of the analysis period), Plans 
would need to be further revised and resubmitted in approximately 10 
percent of cases as well. However, in this portion of the analysis, we 
estimate costs as though the owner or operator will need to revise and 
resubmit their Plans in all cases, resulting in an upper-bound (high) 
estimate of per-entity costs. We estimate the time for revision and 
resubmission to be about half the time to develop the Plan itself, or 
50 hours in the second year of submission, and 7.5 hours after 5 years 
(in the seventh year of the analysis period). Because we include the 
annual Cybersecurity Assessment in costs to develop Plans, and we do 
not assume that owners and operators will wait until the second year of 
analysis to begin developing the Cybersecurity Plan or implementing 
relevant cybersecurity measures, we divide the estimated 100 hours to 
develop Plans equally across the first and second years of analysis.
    Using the loaded hourly CySO wage of $84.14, we estimate the 
Cybersecurity Plan-related costs by adding the total number of hours to 
develop, resubmit, maintain, and audit each year and multiplying by the 
CySO wage. For example, we estimate owners would incur $8,414 in costs 
in year 2 of the analysis period [1 facility x $84.14 CySO wage x (50 
hours to develop the Plan + 50 hours to revise and resubmit the Plan) = 
$8,414]. Table 35 displays the per-entity cost estimates for an owner 
or operator of 1 facility or OCS facility over a 10-year period of 
analysis. For an owner or operator of multiple facilities or OCS 
facilities, we estimate the total costs by multiplying the total costs 
in table 35 by the number of owned facilities.
[GRAPHIC] [TIFF OMITTED] TP22FE24.034 (table 35, Cybersecurity 
Plan-related costs per owner or operator of one facility or OCS 
facility over 10 years; rendered only as an image in the source)

    Similarly, we use earlier estimates for the calculation of per-
entity costs for drills and exercises, account security measures, 
multifactor authentication, cybersecurity training, penetration 
testing, vulnerability management and resilience.
    For drills and exercises, we assume that a CySO on behalf of each 
owner and operator will develop cybersecurity components to add to 
existing physical security drills and exercises. This development is 
expected to take 0.5 hours for each of the 4 annual drills and 8 hours 
for an annual exercise. Using the loaded hourly wage for a CySO of 
$84.14, we estimate annual costs of approximately $841 per facility 
owner or operator [$84.14 CySO wage x ((0.5 hours x 4 drills) + (8 
hours x 1 exercise)) = $841], as seen in table 34.
    For account security measures, we assume that a database 
administrator on behalf of each owner or operator will spend 8 hours 
each year implementing and managing account security. Using the loaded 
hourly wage for a database administrator of $71.96, we estimate annual 
costs of approximately $576 ($71.96 database administrator wage x 8 
hours = $576), as seen in table 34.

[[Page 13455]]

    For multifactor authentication, we assume that an owner or operator 
of a facility or OCS facility will spend $9,000 in the initial year on 
average to implement a multifactor authentication system and spend 
approximately $150 per employee annually for system maintenance and 
support. Therefore, we estimate first year costs of approximately 
$20,100 [$9,000 implementation cost + ($150 support and maintenance 
costs x 74 average facility company employees)], and subsequent year 
costs of $11,100 ($150 support and maintenance costs x 74 average 
facility company employees), as seen in table 34.
    For cybersecurity training, we assume that a CySO will take 2 hours 
each year to develop and manage employee cybersecurity training, and 
employees at a facility or OCS facility will take 1 hour to complete 
the training each year. Using the estimated CySO wage of $84.14 and the 
estimated facility employee wage of $60.34, we estimate annual training 
costs of approximately $4,633 [($84.14 x 2 hours) + ($60.34 x 74 
facility company employees x 1 hour)].
    For penetration testing, we estimate costs only in the second and 
seventh years of analysis since tests are required to be performed in 
conjunction with submitting and renewing the Cybersecurity Plan. We 
assume that facility owners and operators will spend approximately 
$5,000 per penetration test and an additional $50 per IP address at the 
organization in order to capture network complexity. We use the total 
number of company employees as a proxy for the number of IP addresses, 
since the Coast Guard does not have data on IP addresses or the network 
complexity at a given company. As a result, we estimate second- and 
seventh-year costs of approximately $8,700 [$5,000 testing cost + ($50 
x 74 employees)], as seen in table 34.
    For vulnerability management, we assume that each facility or OCS 
facility will need to secure a vulnerability scanning program or 
software. Because vulnerability scans can occur in the background, we 
do not assume an additional hour burden associated with the 
implementation or use of a vulnerability scanner each year. Using the 
annual subscription cost of an industry leading vulnerability scanning 
software, we estimate annual costs of approximately $3,390, as seen in 
table 34.
    Finally, for resilience, we assume that each facility or OCS 
facility owner or operator will need to make at least one cybersecurity 
incident report per year. While this is inconsistent with historical 
data, which show that the entire affected population of facilities and 
OCS facilities reports only 18 cybersecurity incidents per year, we are 
attempting to capture a complete estimate of what the costs of this 
proposed rule could be for an affected entity. As such, we estimate 
that a CySO will need to take 0.15 hours to report a cybersecurity 
incident to the NRC, leading to annual per entity costs of 
approximately $13 ($84.14 CySO wage x 0.15 hours), as seen in table 34.
    We perform the same calculations to estimate the per-entity costs 
for owners and operators of U.S.-flagged vessels. However, the 
estimates for the population of U.S.-flagged vessels have more 
dependency upon the type and number of vessels owned by the company 
being analyzed. This is largely due to the varying numbers of employees 
per vessel, by vessel type. We estimate fixed, average per-entity costs 
of approximately $10,877 per U.S.-flagged vessel owner or operator, as 
seen in table 36.

[[Page 13456]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.035 (table 36, fixed per-entity costs 
for owners or operators of U.S.-flagged vessels; rendered only as an 
image in the source)

    To estimate the per-entity costs that are dependent upon the number 
and type of vessel, we use the number of employees per vessel, and in 
the case of cybersecurity training costs, a unique weighted hourly wage 
based on the personnel employed on each vessel type as calculated in 
Appendix A: Wages Across Vessel Types.

[[Page 13457]]

Table 37 displays the average number of 
employees for each vessel type, including shoreside employees, and 
their unique weighted mean hourly wages. Table 38 displays the per-
vessel costs associated with each type of vessel.
---------------------------------------------------------------------------

    \87\ The cost estimates in table 36 represent the costs incurred 
at a company level for each U.S.-flagged vessel owner and operator, 
and thus must be added to the costs calculated in table 38, which 
are dependent on the type and number of vessels owned, to create a 
full picture of the estimated costs per owner or operator. When 
these totals are multiplied over the full number of affected 
entities, the calculated totals will exceed those estimated for the 
population of U.S.-flagged vessels elsewhere in the analysis bec

[…truncated; see source link]
Indexed from Federal Register on February 22, 2024.