Cybersecurity in the Marine Transportation System
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Coast Guard is updating its maritime security regulations by establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and facilities subject to the Maritime Transportation Security Act of 2002 regulations. This final rule addresses current and emerging cybersecurity threats in the marine transportation system by adding minimum cybersecurity requirements to help detect risks and respond to and recover from cybersecurity incidents. These include requirements to develop and maintain a Cybersecurity Plan, designate a Cybersecurity Officer, and take various measures to maintain cybersecurity within the marine transportation system. The Coast Guard is also seeking comments on a potential delay for the implementation periods for U.S.-flagged vessels.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 11 (Friday, January 17, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 11 (Friday, January 17, 2025)]
[Rules and Regulations]
[Pages 6298-6453]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-00708]
[[Page 6297]]
Vol. 90
Friday,
No. 11
January 17, 2025
Part IV
Department of Homeland Security
-----------------------------------------------------------------------
Coast Guard
-----------------------------------------------------------------------
33 CFR Parts 101 and 160
Cybersecurity in the Marine Transportation System; Final Rule
Federal Register / Vol. 90, No. 11 / Friday, January 17, 2025 / Rules
and Regulations
[[Page 6298]]
DEPARTMENT OF HOMELAND SECURITY
Coast Guard
33 CFR Parts 101 and 160
[Docket No. USCG-2022-0802]
RIN 1625-AC77
Cybersecurity in the Marine Transportation System
AGENCY: Coast Guard, DHS.
ACTION: Final rule; request for comments.
-----------------------------------------------------------------------
SUMMARY: The Coast Guard is updating its maritime security regulations
by establishing minimum cybersecurity requirements for U.S.-flagged
vessels, Outer Continental Shelf facilities, and facilities subject to
the Maritime Transportation Security Act of 2002 regulations. This
final rule addresses current and emerging cybersecurity threats in the
marine transportation system by adding minimum cybersecurity
requirements to help detect risks and respond to and recover from
cybersecurity incidents. These include requirements to develop and
maintain a Cybersecurity Plan, designate a Cybersecurity Officer, and
take various measures to maintain cybersecurity within the marine
transportation system. The Coast Guard is also seeking comments on a
potential delay for the implementation periods for U.S.-flagged
vessels.
DATES: This final rule is effective July 16, 2025.
Comment period for solicited comments: Comments on a potential 2-
to-5-year delay for the implementation periods for U.S.-flagged vessels
in Section VII of this preamble must be submitted by March 18, 2025.
ADDRESSES:
Docket: To view documents mentioned in this preamble as being
available in the docket, go to <a href="http://www.regulations.gov">www.regulations.gov</a>, type USCG-2022-0802
in the search box, and click ``Search.'' Next, in the Document Type
column, select ``Supporting & Related Material.''
Comment period for solicited additional comments: You may submit
comments on the implementation periods for U.S.-flagged vessels
discussed in Section VII of this preamble via the electronic Federal
Docket Management System. To do so, go to <a href="http://www.regulations.gov">www.regulations.gov</a>, type
USCG-2022-0802 in the search box and click ``Search.'' Next, look for
this document in the Search Results column, and click on it. Then click
on the Comment option. If you cannot submit your material by using
<a href="http://www.regulations.gov">www.regulations.gov</a>, call or email the person in the FOR FURTHER
INFORMATION CONTACT section of this final rule for alternate
instructions.
FOR FURTHER INFORMATION CONTACT: For information about this document,
email MTSCyberRule@uscg.mil or call Commander Brandon Link, Office of
Port and Facility Compliance, 202-372-1107; or Commander Christopher
Rabalais, Office of Design and Engineering Standards, 202-372-1375.
SUPPLEMENTARY INFORMATION:
Table of Contents for Preamble
I. Abbreviations
II. Executive Summary
III. Basis and Purpose
A. Cybersecurity Threats
B. Legislation, Regulations, and Policy
C. Legal Authority
IV. Background
A. The Current State of Cybersecurity in the MTS
B. Current MTSA Regulations Related to Cybersecurity
V. Discussion of Comments and Changes
VI. Discussion of the Final Rule
VII. Request for Comment
VIII. Regulatory Analyses
A. Regulatory Planning and Review
B. Small Entities
C. Assistance for Small Entities
D. Collection of Information
E. Federalism
F. Unfunded Mandates
G. Taking of Private Property
H. Civil Justice Reform
I. Protection of Children
J. Indian Tribal Governments
K. Energy Effects
L. Technical Standards
M. Environment
N. Congressional Review Act
I. Abbreviations
ABS American Bureau of Shipping
The Act James M. Inhofe National Defense Authorization Act for
Fiscal Year 2023 (Pub. L. 117-263)
AGCS Allianz Global Corporate and Specialty
AIS Automatic Identification System
AMSCs Area Maritime Security Committees
ANPRM Advance notice of proposed rulemaking
ASP Alternative Security Program
BLS Bureau of Labor Statistics
BSEE Bureau of Safety and Environmental Enforcement
CEA Council of Economic Advisors
CFR Code of Federal Regulations
CGCSO Coast Guard Cyber Strategic Outlook
CG-CVC Coast Guard Office of Commercial Vessel Compliance
CGCYBER U.S. Coast Guard Cyber Command
CG-ENG Coast Guard Office of Design and Engineering Standards
CG-FAC Coast Guard Office of Port and Facility Compliance
CIRC Cyber Incident Reporting Council
CIRCIA Cyber Incident Reporting for Critical Infrastructure Act of
2022
CISA Cybersecurity and Infrastructure Security Agency
CISO Chief Information Security Officer
COTP Captain of the Port
CPG Cybersecurity Performance Goal
CRM Cyber risk management
CSF Cybersecurity Framework
CSO Company Security Officer
CSRC Computer Security Resource Center
CVC-WI Coast Guard's Office of Commercial Vessel Compliance's Work
Instruction
CySO Cybersecurity Officer
DC3 Defense Cyber Crimes Center
DCISE Defense Industrial Base Collaborative Information Sharing
Environment
DHS Department of Homeland Security
DOC Document of Compliance
DoD Department of Defense
FBI Federal Bureau of Investigation
FEMA Federal Emergency Management Agency
FR Federal Register
FRFA Final Regulatory Flexibility Analysis
FSA Facility Security Assessment
FSO Facility security officer
FSP Facility security plan
GPS Global Positioning System
HMI Human-machine interface
IACS International Association of Classification Societies
ICR Information collection request
IEc Industrial Economics, Incorporated
IMO International Maritime Organization
IP internet protocol
INMARSAT International Maritime Satellite
IRFA Initial Regulatory Flexibility Analysis
ISM International Safety Management
IT Information technology
KEV Known exploited vulnerability
LANTAREA Coast Guard Atlantic Area
MARSEC Maritime Security
MCAAG Maritime Cybersecurity Assessment and Annex Guide
MISLE Marine Information for Safety and Law Enforcement
MMC Merchant Mariner Credential
MODU Mobile offshore drilling unit
MSC Marine Safety Center
MSC-FAL International Maritime Organization's Marine Safety
Committee and Facilitation Committee
MTS Marine transportation system
MTSA Maritime Transportation Security Act of 2002
NAICS North American Industry Classification System
NIST National Institute of Standards and Technology
NMSAC National Maritime Security Advisory Committee
NPRM Notice of proposed rulemaking
NRC National Response Center
NVIC Navigation and Vessel Inspection Circular
OCMI Officer in Charge, Marine Inspection
OCS Outer Continental Shelf
OCSLA Outer Continental Shelf Lands Act of 1953
OEWS Occupational Employment and Wage Statistics
OMB Office of Management and Budget
[[Page 6299]]
OSV Offshore supply vessel
OT Operational technology
PACS Physical Access Control Systems
PII Personally identifiable information
PRC People's Republic of China
PVA Passenger Vessel Association
QCEW Quarterly Census of Employment and Wages
RA Regulatory analysis
RO Recognized Organization
Sec. Section
SBA Small Business Administration
SME Subject matter expert
SMS Safety management system
SOLAS the International Convention for Safety of Life at Sea, 1974
TSA Transportation Security Administration
TSI Transportation security incident
UR Unified Requirement
U.S.C. United States Code
VHF Very high frequency
VSA Vessel Security Assessment
VSO Vessel Security Officer
VSP Vessel security plan
II. Executive Summary
The maritime industry faces increasing cybersecurity threats as it
increasingly relies on cyber-connected systems. The purpose of this
final rule is to safeguard the marine transportation system (MTS)
against current and emerging threats associated with cybersecurity by
adding minimum cybersecurity requirements to 33 CFR part 101 to help
detect, respond to, and recover from cybersecurity risks that may cause
transportation security incidents (TSIs). This final rule addresses
risks from the increased interconnectivity and digitalization of the
MTS and current and emerging cybersecurity threats to maritime security
in the MTS with the additional minimum requirements specified below.
First, this final rule requires owners or operators of U.S.-
flagged vessels, facilities, or Outer Continental Shelf (OCS)
facilities required to have a security plan under 33 CFR parts 104,
105, and 106 to develop and maintain a Cybersecurity Plan and Cyber
Incident Response Plan. The Cybersecurity Plan must include seven
account security measures for owners or operators of a U.S.-flagged
vessel, facility, or OCS facility: (1) enabling of automatic account
lockout after repeated failed login attempts on all password-protected
information technology (IT) systems; (2) changing default passwords (or
implementing other compensating security controls if unfeasible) before
using any IT or operational technology (OT) systems; (3) maintaining a
minimum password strength on all IT and OT systems technically capable
of password protection; (4) implementing multifactor authentication on
password-protected IT and remotely accessible OT systems; (5) applying
the principle of least privilege to administrator or otherwise
privileged accounts on both IT and OT systems; (6) maintaining separate
user credentials on critical IT and OT systems; and (7) removing or
revoking user credentials when a user leaves the organization.
The Cybersecurity Plan also must include four device security
measure requirements: (1) develop and maintain a list of any hardware,
firmware, and software approved by the owner or operator that may be
installed on IT or OT systems; (2) ensure that applications running
executable code are disabled by default on critical IT and OT systems;
(3) maintain an accurate inventory of network-connected systems
including those critical IT and OT systems; and (4) develop and
document the network map and OT device configuration information. In
addition, the Cybersecurity Plan must include two data security measure
requirements: (1) ensure that logs are securely captured, stored, and
protected and accessible only to privileged users, and (2) deploy
effective encryption to maintain confidentiality of sensitive data and
integrity of IT and OT traffic when technically feasible. Owners or
operators of U.S.-flagged vessels, facilities, or OCS facilities must
also prepare and document a Cyber Incident Response Plan that outlines
instructions on how to respond to a cyber incident and identifies key
roles, responsibilities, and decision-makers amongst personnel.
Owners or operators must also designate a Cybersecurity Officer
(CySO) who must ensure that U.S.-flagged vessel, facility, or OCS
facility personnel implement the Cybersecurity Plan and the Cyber
Incident Response Plan. The CySO must also ensure that the
Cybersecurity Plan is up to date and undergoes an annual audit. The
CySO must also arrange for cybersecurity inspections, ensure that
personnel have adequate cybersecurity training, record and report
cybersecurity incidents to the owner or operator, and take steps to
mitigate them.
With this final rule, the Coast Guard finalizes the requirements
that were proposed in the notice of proposed rulemaking (NPRM),
``Cybersecurity in the Marine Transportation System,'' published on
February 22, 2024.\1\ We also respond to the public comments that we
received to the NPRM and make several clarifications regarding the
regulatory framework. The changes we make in this final rule as
compared to the NPRM include the following:
---------------------------------------------------------------------------
\1\ 89 FR 13404.
---------------------------------------------------------------------------
Applicability
<bullet> Revised the language in Sec. 101.605 to clarify that
these cyber regulations apply to the owners and operators of U.S.-
flagged vessels, facilities, and OCS facilities required to have
security plans under 33 CFR parts 104, 105, and 106.
<bullet> Added text to Sec. 101.660 to clarify that Alternative
Security Program (ASP) provisions apply to cybersecurity compliance
documentation.
Definitions
<bullet> Revised the definition of ``backup'' in Sec. 101.615 to
remove the phrase ``in a secondary location'' and the implication that
backups must be stored ``offsite.''
<bullet> Amended the definition of ``hazardous condition'' in Sec.
160.202 by incorporating the term ``cyber incident.''
<bullet> Revised the definition of ``cybersecurity officer'' in
Sec. 101.615 to clarify that the owner or operator must designate a
CySO, but that they also may designate an alternate CySO to assist in
the duties and responsibilities at all times, including at times when
the CySO may be away from the U.S.-flagged vessel, facility, or OCS
facility.
Owner or Operator
<bullet> Amended Sec. 101.620(b)(7) to clarify that all entities
not subject to 33 CFR 6.16-1 must report all reportable cyber incidents
to the National Response Center (NRC) and amended Sec. 101.650(g)(1)
to clarify that all entities not subject to 33 CFR 6.16-1 report
reportable cyber incidents to the NRC without delay.
Cybersecurity Officer
<bullet> Removed the term ``major amendment'' from Sec. Sec.
101.625(d)(13) (as well as 101.630(e)(2)) to prevent ambiguity about
which amendments require resubmission of the Cybersecurity Plan and for
consistency with existing requirements in 33 CFR parts 104, 105, and
106.
<bullet> Revised Sec. 101.625(d)(10), regarding the CySO's
responsibilities in reporting incidents, to refer to reportable cyber
incidents rather than breaches of security or suspicious activity that
may result in TSIs. Breaches of security and suspicious activity
reporting are already addressed under 33 CFR 101.305, whereas these
regulations are meant to address the reporting of reportable cyber
incidents as defined in this final rule.
Cybersecurity Plan
<bullet> Added references to OCS Facility Security Plans (FSPs) in
Sec. 101.630(a) to clarify that OCS FSPs follow the same
[[Page 6300]]
requirements as Vessel Security Plans (VSPs) and FSPs.
<bullet> Revised Sec. 101.630(d) to remove the requirement to
submit a letter certifying that the Cybersecurity Plan meets the
regulatory requirements.
<bullet> Revised Sec. 101.630(e)(1)(ii) to clarify that the owner
and operator will have at least 60 days to submit its proposed
amendments, and to leave the timeframes for curing any deficiencies up
to the local Captain of the Port (COTP) identifying them rather than
requiring that entities cure any deficiencies within the 60-day period.
<bullet> Revised Sec. 101.630(e)(2) to add new paragraph (e)(2)(i)
to note that nothing in that section should be construed as limiting
the owner or operator of a U.S.-flagged vessel, facility, or OCS
facility from the timely implementation of such additional security
measures as necessary to address exigent security situations.
<bullet> Revised Sec. 101.655 to reflect that the Cybersecurity
Plan must also be submitted to the Coast Guard for review and approval
within 24 months of the effective date of this final rule, rather than
during the second annual audit following the effective date.
Drills and Exercises
<bullet> Revised Sec. 101.635(b)(1) to require two cybersecurity
drills every 12 months instead of requiring at least one cybersecurity
drill every 3 months and added ``as required by 33 CFR 104.230,
105.220, or 106.225,'' where appropriate.
Definitions
<bullet> Revised Sec. 101.615 to add a definition for the term
``logs'' and revised Sec. 101.650(c)(1) to refer to the term ``logs''
rather than ``data logs,'' consistent with guidance from the National
Institute of Standards and Technology (NIST) and CISA's CPGs.
<bullet> Revised Sec. 101.615 to change the definition of
Cybersecurity Plan and the reference to Plan submission in Sec.
101.630(a) to clarify that separate submissions are acceptable.
<bullet> Revised Sec. 101.615 to change the definition of
multifactor authentication from ``a layered approach to securing data
and applications where a system requires users to present a combination
of two or more credentials to verify their identity for login'' to ``a
layered approach to securing data and applications for a system that
requires users to present more than one distinct authentication factor
for successful authentication. Multifactor authentication can be
performed using a multifactor authenticator or by a combination of
authenticators that provide different factors. The three authentication
factors are (1) something you know, (2) something you have, and (3)
something you are.''
Cybersecurity Measures
<bullet> Revised Sec. 101.650(a)(1) to remove the reference to OT
systems and to specify that the requirements in Sec. 101.650(e)(1)(i)
and (iv) are for critical IT and OT systems in accordance with the
Cybersecurity Performance Goals (CPGs) of the Cybersecurity and
Infrastructure Security Agency (CISA).
<bullet> Revised Sec. 101.650(b) to clarify that each owner or
operator or designated CySO of a U.S.-flagged vessel, facility, or OCS
facility must ensure the device security measures are in place,
addressed in Section 6 of the Cybersecurity Plan, and made available to
the Coast Guard upon request.
<bullet> Revised Sec. 101.650(c)(2) to specify that effective
encryption must be deployed to maintain confidentiality of sensitive
data and integrity of IT and OT traffic and to require that only
sensitive data be encrypted.
<bullet> Revised Sec. 101.650(e)(1) to specify that owners and
operators will need to conduct the cyber assessment within 24 months of
the effective date of this final rule, which increases the timeframe
from the originally required 12 months.
<bullet> Revised Sec. 101.650(e)(1)(i) to limit the identification
of vulnerabilities to only ``critical'' OT and IT systems rather than
all OT and IT systems and revised Sec. 101.650(e)(iv) to remove
``mitigate any unresolved vulnerabilities'' and, instead, require that
the owner or operator ensure patching or implementation of documented
compensating controls for all known exploited vulnerabilities (KEVs) in
critical IT or OT systems, without delay.
<bullet> Revised Sec. 101.650(e)(2) in this final rule to clarify
that penetration testing must be completed in conjunction with renewing
the Cybersecurity Plan and to specify that the CySO must submit a
letter verifying that the test was conducted, as well as all
vulnerabilities identified from the penetration testing.
<bullet> Revised Sec. 101.650(f)(2) to remove the references to
``breaches'' and ``incidents'' and replaced them with ``reportable
cyber incidents,'' consistent with the decision to define ``reportable
cyber incident'' and use that term in these regulations. A
``reportable cyber incident'' is defined as an incident that leads to,
or, if still under investigation, can reasonably lead to: (1)
substantial loss of confidentiality, integrity, or availability of a
covered information system, network, or OT system; (2) disruption or
significant adverse impact on the reporting entity's ability to engage
in business operations or deliver goods or services, including those
that have a potential for significant impact on public health or
safety or may cause serious injury or death; (3) disclosure or
unauthorized access, directly or indirectly, of non-public personal
information of a significant number of individuals; (4) other
potential operational disruption to critical infrastructure systems or
assets; or (5) incidents that otherwise may lead to a TSI as defined in
33 CFR 101.105.
Noncompliance, Waivers, and Equivalents
<bullet> Revised Sec. 101.665 to clarify that an owner or
operator, after completing the required Cybersecurity Assessment, may
seek a waiver or an equivalence determination for the requirements in
subpart F consistent with the waiver and equivalence provisions in 33
CFR parts 104, 105, and 106. A Cybersecurity Assessment is necessary so
that an owner or operator can identify which requirements are
unnecessary. These changes ensure consistency with other regulations
for requesting a waiver or equivalence.
<bullet> Revised Sec. 101.665 to specify that owners or operators
must notify the Coast Guard when they must temporarily deviate from the
requirements rather than when they are temporarily unable to meet the
requirements. This revised text is more consistent with other
regulations regarding temporary waiver.
[[Page 6301]]
Compliance Dates
Table 1 shows the phased implementation schedule for this final
rule. Note that the rule's effective date will be July 16, 2025. In
Section VII of this preamble, we are requesting public comment on a
potential 2-to-5-year delay for the implementation periods for U.S.-
flagged vessels.
[[Page 6302]]
[GRAPHIC] [TIFF OMITTED] TR17JA25.006
The Coast Guard estimates that this final rule creates costs for
industry and Government of approximately $1.2 billion total and $138.7
million annualized, discounted at 2 percent (2022 dollars). This
increased estimate
[[Page 6303]]
from the NPRM is primarily driven by increases to our estimates of
costs related to cybersecurity drills, exercises, and penetration
testing. Cost estimates are also increased due to updated affected
population data. Benefits of this final rule include reduced risk and
mitigation of cyber incidents to protect impacted entities and
downstream economic participants, and improved protection of MTS
business operations to build consumer trust and promote increased
commerce in the U.S. economy. Additional benefits include improved
minimum standards of cybersecurity to protect the MTS, which is vital
to the U.S. economy and U.S. national security, and to avoid supply
chain disruptions.
III. Basis and Purpose
A. Cybersecurity Threats
The purpose of this final rule is to safeguard the MTS against
current and emerging threats associated with cybersecurity by adding
minimum cybersecurity requirements to 33 CFR part 101 to help detect,
respond to, and recover from cybersecurity risks that may cause TSIs.
This final rule addresses current and emerging cybersecurity threats to
maritime security in the MTS. The maritime industry is undergoing a
significant transformation that involves the increased use of cyber-
connected systems. While these increasingly interconnected and
networked systems improve commercial vessel and port facility
operations, they also bring a new set of challenges affecting design,
operations, safety, security, training, and the workforce.
Every day, malicious actors (including, but not limited to,
individuals, groups, and adversary nations posing a threat) attempt
unauthorized access to control system devices or networks using various
communication channels. An example of a successful attempt occurred in
May 2021, when a Russian-based cybercriminal group, DarkSide, conducted
a ransomware attack that forced a major pipeline company to go offline,
resulting in a weeklong shutdown of 5,500 miles of petroleum pipelines
on the East Coast of the United States. Cybersecurity threats require
the maritime community to effectively manage constantly changing risks
to create a safe cyber environment.
This final rule creates a regulatory environment for cybersecurity
in the maritime domain for U.S.-flagged vessels, facilities, and OCS
facilities. Vulnerabilities in the operation of vital systems increase
the risk of cyber-attacks. Unmitigated cyber-related risks to the
maritime domain can compromise the critical infrastructure that people
and companies depend on to fulfill their daily needs and that maintain
the effective operation of the MTS.
A 2018 report by the Council of Economic Advisors (CEA) stated that
``[a] firm with weak cybersecurity imposes negative externalities on
its customers, employees, and other firms, tied to it through
partnerships and supply chain relations. In the presence of
externalities, firms would rationally underinvest in cybersecurity
relative to the socially optimal level. Therefore, it often falls to
regulators to devise a series of penalties and incentives to increase
the level of investment to the desired level.'' \2\
---------------------------------------------------------------------------
\2\ Economic Report of the President Together with the Annual
Report of the Council of Economic Advisers 323-24 February 2018,
<a href="https://www.govinfo.gov/content/pkg/ERP-2018/pdf/ERP-2018.pdf">https://www.govinfo.gov/content/pkg/ERP-2018/pdf/ERP-2018.pdf</a>,
accessed August 12, 2024.
---------------------------------------------------------------------------
In the report, the CEA also emphasized that ``[c]ontinued
cooperation between the public and private sectors is the key to
effectively managing cybersecurity risks. . . . The government is
likewise important in incentivizing cyber protection--for example, by
disseminating new cybersecurity standards, sharing best practices,
conducting basic research on cybersecurity, protecting critical
infrastructures, preparing future employees for the cybersecurity
workforce, and enforcing the rule of law in cyberspace.'' \3\
---------------------------------------------------------------------------
\3\ Id. at 324-25.
---------------------------------------------------------------------------
Furthermore, the CEA acknowledged that ``[f]irms and private
individuals are often outmatched by sophisticated cyber adversaries.
Even large firms with substantial resources committed to cybersecurity
may be helpless against attacks by sophisticated nation-states.'' \4\
As an example, the CEA stated, ``firms that own critical infrastructure
assets, such as parts of the nation's power grid, may generate
pervasive negative spillover effects for the wider economy.'' \5\
---------------------------------------------------------------------------
\4\ Id. at 326
\5\ Id.
---------------------------------------------------------------------------
Lastly, the CEA stated another problem that exists in the
marketplace is, ``firms' reluctance to share information on cyber
threats and exposures,'' which ``impairs effective cybersecurity.'' \6\
The CEA further stated that ``firms remain reluctant to increase their
exposure to legal and public affairs risks. The lack of information on
cyber-attacks and data breaches suffered by other firms may cause less
sophisticated small firms to conclude that cybersecurity risk is not a
pressing problem. . . . [T]he lack of data may be stymying the ability
of law enforcement and other actors to respond quickly and effectively
and may be slowing the development of the cyber insurance market.'' \7\
---------------------------------------------------------------------------
\6\ Id.
\7\ Id.
---------------------------------------------------------------------------
This final rule applies to the owners and operators of U.S.-flagged
vessels required to have a security plan under 33 CFR part 104
(Maritime Security: Vessels), facilities required to have a security
plan under 33 CFR part 105 (Maritime Security: Facilities), and OCS
facilities required to have a security plan under 33 CFR part 106
(Marine Security: Outer Continental Shelf (OCS) Facilities).
B. Legislation, Regulations, and Policy
In the Maritime Transportation Security Act of 2002 (MTSA),\8\
Congress provided a framework for the Secretary of Homeland Security
(``Secretary''), acting through the Coast Guard,\9\ and maritime
industry to identify, assess, and prevent TSIs in the MTS. MTSA vested
the Secretary with authorities for broad security assessment, planning,
prevention, and response activities to address TSIs, including the
authority to require and set standards for FSPs, OCS FSPs, and VSPs, to
review and approve such plans, and to conduct inspections and take
enforcement actions.\10\ The Coast Guard's implementing regulations
address a range of considerations to prevent TSIs to the maximum extent
practicable \11\ and require, among other general and specific
measures, security assessments and measures related to radio and
telecommunication systems, including computer systems and networks.\12\
---------------------------------------------------------------------------
\8\ Pub. L. 107-295, 116 Stat. 2064, November 25, 2002.
\9\ The Secretary delegated this authority to the Commandant of
the Coast Guard via Department of Homeland Security (DHS) Delegation
00170.1(II)(97)(b), Revision No. 01.4.
\10\ See generally, for example, 46 U.S.C. 70103.
\11\ See 46 U.S.C. 70103(c)(1).
\12\ See, for example, 33 CFR 104.300(d)(11), 104.305(d)(2)(v),
105.300(d)(11), 105.305(c)(1)(v), 106.300(d)(11), 106.305(c)(1)(v)
and (d)(2)(v).
---------------------------------------------------------------------------
The Coast Guard has also issued additional guidance and policies to
help regulated entities address potential cyber incidents in FSPs, OCS
FSPs, and VSPs,\13\ including a cybersecurity risk
[[Page 6304]]
assessment model that was issued in January 2023,\14\ and voluntary
guidance issued to Area Maritime Security Committees (AMSCs) in July
2023.\15\ Congress has repeatedly reaffirmed the MTSA framework,
including through amendments passed in 2016,\16\ 2018,\17\ and
2021.\18\ In the 2018 amendments, Congress amended MTSA to specifically
require VSPs, FSPs, and OCS FSPs to include provisions for detecting,
responding to, and recovering from cybersecurity risks that may cause
TSIs.\19\ By doing so, Congress explicitly identified cybersecurity
risk as an area of specific concern in the maritime domain that
deserved focused governmental regulatory effort. These regulations fall
squarely within the MTSA authorities that Congress expressly expanded
to address cybersecurity risk. The regulatory amendments to 33 CFR part
101 reflect the Coast Guard's view on cybersecurity under MTSA,
including, but not limited to, recent amendments to MTSA (such as 46
U.S.C. 70103). The amendments provide more detailed mandatory baseline
requirements for U.S.-flagged vessels and facilities subject to MTSA.
---------------------------------------------------------------------------
\13\ One of the Coast Guard's guidance documents is the
Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines
for Addressing Cyber Risks at Maritime Transportation Security Act
Regulated Facilities (85 FR 16108). This NVIC outlined the Coast Guard's
view on requirements for FSPs and facility security, including
cybersecurity. A similar understanding with regard to VSPs was
expressed in the Coast Guard's Office of Commercial Vessel
Compliance's (CG-CVC) Vessel CRM Work Instruction CVC-WI-027(3),
Vessel Cyber Risk Management Work Instruction, October 11, 2023,
<a href="https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/CG-CVC/CVC_MMS/CVC-WI-27">https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/CG-CVC/CVC_MMS/CVC-WI-27</a>(3)b.pdf, accessed January 6, 2025.
\14\ See Maritime Cybersecurity Assessment and Annex Guide
(MCAAG) (January 2023), <a href="https://dco.uscg.mil/Portals/9/CG-FAC/Documents/Maritime%20Cyber%20Assessment%20%20Annex%20Guide%20">https://dco.uscg.mil/Portals/9/CG-FAC/Documents/Maritime%20Cyber%20Assessment%20%20Annex%20Guide%20</a>(MCAAG)_released%2023JAN2023.pdf, accessed Aug. 12, 2024. The MCAAG was developed in
coordination with the National Maritime Security Advisory Committee
(NMSAC), AMSCs, and other maritime stakeholders. The guide serves as
a resource for baseline Cybersecurity Assessments and Plan
development and helps stakeholders address vulnerabilities that can
lead to transportation security incidents.
\15\ NVIC 09-02, Change 6.
\16\ Pub. L. 114-120, 130 Stat. 27, February 8, 2016.
\17\ Pub. L. 115-254, 132 Stat. 3186, October 5, 2018.
\18\ Pub. L. 116-283, 134 Stat. 4754, January 1, 2021.
\19\ See Pub. L. 115-254, sec. 1805(d)(2) (codified at 46 U.S.C.
70103(c)(3)(C)).
---------------------------------------------------------------------------
In response to the growing national security threat from malicious
cyber actions, presidential policy over the last three presidential
administrations has advanced cybersecurity in the maritime domain.
Executive Order 13636 of February 12, 2013 (Improving Critical
Infrastructure Cybersecurity) recognized the Federal Government's role
to secure our nation's critical infrastructure by working with the
private sector--including owners and operators of U.S.-flagged vessels,
facilities, and OCS facilities--to prepare for, prevent, mitigate, and
respond to cybersecurity threats.\20\
---------------------------------------------------------------------------
\20\ 78 FR 11739, February 19, 2013.
---------------------------------------------------------------------------
To defend against malicious cyber-related activities, Executive
Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons
Engaging in Significant Malicious Cyber-Enabled Activities) recognized
malicious cyber-related activities as an ``extraordinary threat to the
national security, foreign policy, and economy of the United States,''
warranting a national emergency.\21\ The National Emergency with
Respect to Significant Malicious Cyber-Enabled Activities was extended
on March 26, 2024.\22\
---------------------------------------------------------------------------
\21\ 80 FR 18077, April 2, 2015. Executive Order 13694 was later
amended by Executive Order 13757 (82 FR 1, January 3, 2017), which
outlined additional measures the Federal Government must take to
address the national emergency identified in Executive Order 13694.
\22\ 89 FR 21427, March 27, 2024.
---------------------------------------------------------------------------
Executive Order 14028 of May 12, 2021 (Improving the Nation's
Cybersecurity) also recognized that ``the private sector must adapt to
the continuously changing threat environment, ensure its products are
built and operate securely, and partner with the Federal Government to
foster a more secure cyberspace.'' \23\
---------------------------------------------------------------------------
\23\ 86 FR 26633, May 17, 2021.
---------------------------------------------------------------------------
On July 28, 2021, the President issued the ``National Security
Memorandum on Improving Cybersecurity for Critical Infrastructure
Control Systems,'' \24\ which required the Secretary of Homeland
Security to coordinate with the Secretary of Commerce (through the
Director of NIST) and other agencies, as appropriate, to develop
baseline CPGs. These baseline CPGs will further a common understanding
of the baseline security practices that critical infrastructure owners
and operators should follow to protect national and economic security,
as well as public health and safety. CISA's release of the CPGs in
October 2022 was ``intended to help establish a common set of
fundamental cybersecurity practices for critical infrastructure, and
especially help small- and medium-sized organizations kickstart their
cybersecurity efforts.'' \25\ The Coast Guard relied on CISA's CPGs as
a benchmark for technical requirements in this final rule.
---------------------------------------------------------------------------
\24\ The White House, National Security Memorandum on Improving
Cybersecurity for Critical Infrastructure Control Systems, July 28,
2021, <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/">https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/</a>, accessed on July 24,
2023.
\25\ CISA, ``Cross-Sector Cybersecurity Performance Goals,''
<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals">https://www.cisa.gov/cross-sector-cybersecurity-performance-goals</a>,
accessed August 12, 2024.
---------------------------------------------------------------------------
On February 21, 2024, the President signed Executive Order 14116
(Amending Regulations Relating to the Safeguarding of Vessels, Harbors,
Ports, and Waterfront Facilities of the United States), amending 33 CFR
part 6 regulations, which are issued pursuant to 46 U.S.C. 70051.\26\
In that Order, the President found that ``the security of the United
States is endangered by reasons of disturbance in the international
relations of the United States that exist as a result of persistent and
increasingly sophisticated malicious cyber campaigns against the United
States, and that such disturbances continue to endanger such
relations.''
---------------------------------------------------------------------------
\26\ 89 FR 13971, February 26, 2024.
---------------------------------------------------------------------------
The Executive Order expanded the regulatory authorities of the
Coast Guard COTP, a designated officer of the Coast Guard, to address,
inspect, and search vessels when there is an articulable cybersecurity
threat; take possession and control of vessels within the territorial
waters of the United States; and prevent access of things (including
data, information, network, program, system, or other digital
infrastructure) to vessels or waterfront facilities whenever it appears
that such actions are necessary to prevent damage or injury, including
damage to any data, information, network, program, system, or other
digital infrastructure on such vessel, or to any vessel, waterfront
facility, or the waters of the United States.\27\ Furthermore, the
Commandant's authority was extended to prescribe conditions and
restrictions relating to waterfront facilities and vessels in port,
specifically to ``prevent, detect, assess, and remediate an actual or
threatened cyber incident.'' \28\ The Commandant exercised this
authority in a February 21, 2024 Maritime Security (MARSEC)
Directive.\29\
---------------------------------------------------------------------------
\27\ 33 CFR 6.04-5, 6.04-7, and 6.04-8.
\28\ 33 CFR 6.14-1.
\29\ Issuance of Maritime Security (MARSEC) Directive 105-4:
Cyber Risk Management for Ship-to-Shore Cranes Manufactured by
People's Republic of China Companies, 89 FR 13726, Feb. 23, 2024.
---------------------------------------------------------------------------
The Executive Order also amended the reporting requirement in 33
CFR part 6 to add CISA and to also require the reporting of actual or
threatened cyber incidents. The amended 33 CFR 6.16-1 now requires the
reporting of ``evidence of sabotage, subversive activity, or an actual
or threatened cyber incident[s] involving or endangering any vessel,
harbor, port, or waterfront facility'' to the Federal Bureau of
Investigation (FBI), CISA, and the COTP or their respective
representatives.\30\
[[Page 6305]]
OCS facilities are not required to report under Part 6.
---------------------------------------------------------------------------
\30\ 89 FR 13971, 13973, February 26, 2024.
---------------------------------------------------------------------------
In 2021, the Coast Guard published its Cyber Strategic Outlook
(CGCSO) to highlight the importance of managing cybersecurity risks in
the MTS.\31\ The CGCSO highlighted three lines of effort, or
priorities, to improve Coast Guard readiness in cyberspace: (1) Defend
and Operate the Coast Guard Enterprise Mission Platform; (2) Protect
the MTS; and (3) Operate in and through Cyberspace.\32\ As outlined in
the CGCSO's second line of effort, ``Protect the MTS,'' the Coast Guard
has implemented a risk-based regulatory, compliance, and assessment
regime. We have established minimum requirements for Cybersecurity
Plans that facilitate the use of international and industry-recognized
cybersecurity standards to manage cybersecurity risks by owners and
operators of maritime critical infrastructure.\33\ Specifically, this
final rule promulgates the Coast Guard's baseline cybersecurity
regulations for U.S.-flagged vessels and facilities (including OCS
facilities) subject to MTSA.
---------------------------------------------------------------------------
\31\ U.S. Coast Guard, ``Cyber Strategic Outlook,'' August 2021,
<a href="https://www.uscg.mil/Portals/0/Images/cyber/2021-Cyber-Strategic-Outlook.pdf">https://www.uscg.mil/Portals/0/Images/cyber/2021-Cyber-Strategic-Outlook.pdf</a>, accessed August 13, 2024.
\32\ These lines of effort evolved from the three ``strategic
priorities'' introduced in the Coast Guard's Cyber Strategy, June
2015. As cyber threats and vulnerabilities evolve, so will the Coast
Guard's posture. <a href="https://www.dco.uscg.mil/Portals/10/Cyber/Docs/CG_Cyber_Strategy.pdf?ver=nejX4g9gQdBG29cX1HwFdA%3D%3D">https://www.dco.uscg.mil/Portals/10/Cyber/Docs/CG_Cyber_Strategy.pdf?ver=nejX4g9gQdBG29cX1HwFdA%3D%3D</a>, accessed
August 12, 2024.
\33\ The Coast Guard is aware that some entities already follow
industry standards related to cybersecurity. The minimum
requirements seek to establish a common baseline for all the
regulated vessels, facilities, and OCS facilities that is not
incompatible with such standards, recognizing that in some instances
these minimums may increase a requirement, but in other
circumstances may already be satisfied. The owner or operator can
indicate within their Cybersecurity Plan that they are following a
particular standard and highlight how their compliance with that
standard satisfies Coast Guard requirements.
---------------------------------------------------------------------------
As noted, in January 2023, the Coast Guard released the Maritime
Cybersecurity Assessment and Annex Guide (MCAAG). The MCAAG was
developed through coordination with the National Maritime Security
Advisory Committee (NMSAC), AMSCs, and other maritime stakeholders,
consistent with the activities described in section 2(e) of the
National Institute of Standards and Technology Act (specifically, 15
U.S.C. 272(e)). The MCAAG provides more detailed recommendations on
implementing existing MTSA regulations as they relate to computer
systems and networks. For example, the Coast Guard recommended a Cyber
Annex Template for stakeholders to address possible cybersecurity
vulnerabilities and risks.
This final rule expands and clarifies the information required in
security plans to remain consistent with 46 U.S.C. 70103(c)(3),
including section 70103(c)(3)(C)(v), which requires FSPs, OCS FSPs, and
VSPs to include provisions for detecting, responding to, and recovering
from cybersecurity risks that may cause TSIs. Some terms we use in the
MCAAG, such as cybersecurity vulnerability, may have a set definition
in this final rule.
C. Legal Authority
The Coast Guard is promulgating these regulations under 43 U.S.C.
1333(d); 46 U.S.C. 3306, 3703, 70102 through 70104, 70124; and the
Department of Homeland Security (DHS) Delegation No. 00170.1, Revision
No. 01.4.
Section 4 of the Outer Continental Shelf Lands Act of 1953 (OCSLA),
classified as amended at 43 U.S.C. 1333(d), authorizes the Secretary to
promulgate regulations with respect to lights and other warning
devices, safety equipment, and other matters relating to the promotion
of safety of life and property on the artificial islands,
installations, and other devices on the OCS. This authority was
delegated to the Coast Guard by DHS Delegation No. 00170.1(II)(90),
Revision No. 01.4.
Section 3306 of Title 46 of the United States Code authorizes the
Secretary to prescribe necessary regulations for the design,
construction, alteration, repair, equipping, manning, and operation of
vessels, propulsion machinery, auxiliary machinery, boilers, unfired
pressure vessels, piping, electric installations, and accommodations
for passengers and crew. This authority was delegated to the Coast
Guard by DHS Delegation No. 00170.1(II)(92)(b), Revision No. 01.4.
Section 3703 of Title 46 of the United States Code authorizes the
Secretary to prescribe similar regulations relating to tank vessels
that carry liquid bulk dangerous cargoes, including the design,
construction, alteration, repair, maintenance, operation, equipping,
personnel qualification, and manning of the vessels. This authority was
delegated to the Coast Guard by DHS Delegation No. 00170.1(II)(92)(b),
Revision No. 01.4.
Sections 70102 through 70104 of Title 46 of the United States Code
authorize the Secretary to evaluate for compliance vessel and facility
vulnerability assessments, security plans, and response plans, which
must address cybersecurity risks. Section 70124 authorizes the
Secretary to promulgate regulations to implement Chapter 701, including
sections 70102 through 70104, dealing with vulnerability assessments
for the security of vessels and facilities (which include OCS
facilities); security plans for vessels, facilities, and OCS
facilities; and response plans for vessels, facilities, and OCS
facilities. These authorities were delegated to the Coast Guard by DHS
Delegation No. 00170.1(II)(97)(a) through (c), and (n), Revision No.
01.4.
IV. Background
A. The Current State of Cybersecurity in the MTS
The maritime industry is relying increasingly on digital solutions
for operational optimization, cost savings, safety improvements, and
more sustainable business. These developments, to a large extent, rely
on IT systems and OT systems, which also increases potential cyber
vulnerabilities and risks. Cybersecurity risks arise from
vulnerabilities in vital systems that increase the likelihood of cyber-
attacks on U.S.-flagged vessels, facilities, and OCS facilities.
Cyber-attacks on critical infrastructure across multiple sectors
have raised awareness of the need to protect the systems and equipment
that facilitate operations within the MTS because cyber-attacks have
the potential to disable the IT and OT on board U.S.-flagged vessels,
facilities, and OCS facilities. Autonomous vessel technology, automated
OT, and remotely operated machines provide further opportunities for
cyber-attackers. These systems and equipment are prime targets for
cyber-attacks stemming from insider threats, criminal organizations,
nation state actors, and others.
Also, the MTS has become increasingly susceptible to cyber-attacks
due to the growing integration of digital technologies in its
operations. These cyber-attacks can range from altering a vessel's
navigational systems to disrupting its communication with ports, which
can lead to delays, accidents, or even groundings that disrupt vessel
movements and shut down port operations, such as loading and
unloading cargo. This disruption
can also negatively affect the MTS by interrupting the transportation
and commerce of goods, raw resources, and passengers, as well as
potential military operations when needed.
An attack that compromises navigational or operational systems can
pose a serious safety risk. It can result in accidents at sea,
potential environmental disasters like oil spills,
[[Page 6306]]
and loss of life. The maritime industry is not immune to ransomware
attacks where cybercriminals are targeting critical systems or data.
Given the critical nature of marine transportation to global trade,
continued efforts are being made to improve cybersecurity measures in
the sector.
Maritime stakeholders can better detect, respond to, and recover
from cybersecurity risks that may cause TSIs by adopting a range of
cyber risk management (CRM) measures, as described in this final rule.
It is important that the Coast Guard work with the maritime community
to address both safety and security risks to better facilitate
operations and to protect MTS entities from creating hazardous
conditions within ports and waterways. Updating regulations to include
minimum cybersecurity requirements will strengthen the security posture
and increase resilience against cybersecurity threats in the MTS.
In 2017, the International Maritime Organization (IMO) took steps
to address cybersecurity risks in the shipping industry by publishing
the Marine Safety Committee/Facilitation Committee (MSC-FAL) Circular
3, Guidelines on Maritime Cyber Risk Management,\34\ and MSC Resolution
428(98).\35\ The IMO affirmed that an approved Safety Management System
(SMS) should involve CRM to manage cybersecurity risks in accordance
with the objectives and functional requirements of the International
Safety Management (ISM) Code. An SMS is a structured and documented set
of procedures enabling company and vessel personnel to effectively
implement safety and environmental protection policies that are
specific to that company or vessel.
---------------------------------------------------------------------------
\34\ <a href="https://wwwcdn.imo.org/localresources/en/OurWork/Facilitation/Facilitation/MSC-FAL.1-Circ.3-Rev.1%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20">https://wwwcdn.imo.org/localresources/en/OurWork/Facilitation/Facilitation/MSC-FAL.1-Circ.3-Rev.1%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20</a>(Secretariat).pdf, accessed August 13, 2024.
\35\ See the IMO resolution on CRM: Resolution MSC.428(98),
Annex 10, ``Maritime Cyber Risk Management in Safety Management
Systems.'' <a href="https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428">https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428</a>(98).pdf, accessed August 13,
2024.
---------------------------------------------------------------------------
For applicable U.S.-flagged vessels, this final rule establishes a
baseline level of protection throughout the MTSA-regulated vessel
fleet. Having regulatory oversight over U.S.-flagged vessels, the Coast
Guard can ensure these cybersecurity regulations are implemented
appropriately by approving Cybersecurity Plans and conducting routine
inspections. As discussed in Section VII of this preamble, the Coast
Guard requests public comment on a potential 2-to-5-year delay for the
implementation periods for U.S.-flagged vessels. (See the ADDRESSES
portion of this preamble, under Comment period for solicited additional
comments, for instructions on submitting comments.) This final rule
also applies to facilities regulated by 33 CFR part 105 and OCS
facilities regulated by 33 CFR part 106.
B. Current MTSA Regulations Related to Cybersecurity
The MTSA-implementing regulations in 33 CFR parts 101, 103, 104,
105, and 106 give the Coast Guard the authority to review and approve
security assessments and plans that apply broadly to the various
security threats facing the maritime industry. Through the Navigation
and Vessel Inspection Circular (NVIC) 01-20 \36\ (85 FR 16108, March
20, 2020), the Coast Guard interpreted 33 CFR parts 105 and 106 as
requiring owners and operators of facilities and OCS facilities to
address cybersecurity in their Facility Security Assessments (FSAs) and
OCS FSAs, as well as in their FSPs and OCS FSPs. The NVIC provides non-
binding guidance on how regulated entities can address these issues.
---------------------------------------------------------------------------
\36\ See footnote 13.
---------------------------------------------------------------------------
This final rule also expands upon the agency's previous actions by
establishing minimum performance-based cybersecurity requirements for
the MTS within the MTSA regulations. Similar to the existing
requirements in 33 CFR parts 104, 105, and 106, the Coast Guard allows
owners and operators the flexibility to determine the best way to
implement and comply with these new requirements. Following the
effective date of this final rule, personnel must complete certain
training requirements within approximately 6 months, and owners or
operators must sequentially complete a Cybersecurity Assessment and
submit the Cybersecurity Plan to the Coast Guard for review and
approval within 24 months. The Cybersecurity Plan also includes
designating the CySO. These implementation periods allow sufficient
time for the owners and operators of applicable U.S.-flagged vessels,
facilities, and OCS facilities to comply with the requirements of this
final rule.\37\
---------------------------------------------------------------------------
\37\ Existing general requirements to address cyber issues in
security plans will continue to apply during this rulemaking.
---------------------------------------------------------------------------
V. Discussion of Comments and Changes
In response to the NPRM we published on February 22, 2024,\38\ we
received 99 written submissions to our docket. These written
submissions are available in the public docket for this rulemaking,
where indicated under the ADDRESSES portion of the preamble, or use the
direct link <a href="http://www.regulations.gov/docket/USCG-2022-0802">www.regulations.gov/docket/USCG-2022-0802</a>. The Coast Guard
appreciates the comments from the public, as these insights continue to
inform Coast Guard actions and programs. Below, we summarize the
comments and our responses.
---------------------------------------------------------------------------
\38\ 89 FR 13404.
---------------------------------------------------------------------------
Extension of Comment Period and Public Meetings
The Coast Guard received a number of comments about extending the
initial comment period of 60 days for additional time to review the
proposed rule and the impacts. The requests asked for additional time
ranging from 30 to 90 days, with 30 days being the most common request.
After considering these comments, we extended the comment period by 30
days through May 22, 2024.\39\ The Coast Guard determined that the
extended comment period offered sufficient opportunity for industry
stakeholders and the general public to express their feedback on the
NPRM.
---------------------------------------------------------------------------
\39\ 89 FR 24751.
---------------------------------------------------------------------------
One commenter requested that we hold a public hearing during which
they could ask us questions and receive further information before
submitting a public comment on the NPRM. The Coast Guard did not grant
this request. Any public meeting that we held would include a
presentation about the contents of the NPRM and an opportunity for
members of the public to submit oral comments, but it is unlikely that
we would have been able to share information materially different from
the information that was already provided in the published NPRM.
One commenter requested that the Coast Guard hold a series of
``industry days'' focused on specific threats to the maritime
stakeholders.
This comment was received on May 22, 2024, the day the extended
comment period closed, which did not allow time to consider this
request or hold a public meeting or series of ``industry days'' before
the end of the comment period. Additionally, we had already extended
the comment period to allow for more time for industry to submit
comments about specific impacts to the maritime industry. We received
many comments during that period and have carefully considered them in
developing this final rule.
[[Page 6307]]
A. General Comments
Several commenters submitted positive comments. Commenters
commended us for strengthening cybersecurity and noted that the rule is
needed, is very important for the marine transportation system, and is
a ``great idea.'' One commenter supported our inclusion of specific
proposals regarding device security measures in Sec. 101.650(b).
Another commenter supported requirements for vulnerability scanning and
penetration testing. One commenter noted that the increasing
interconnectivity of ports expands the attack surface and
vulnerabilities exploitable by cyber actors.
The Coast Guard agrees with the commenter. We are finalizing this
regulation to help mitigate these risks.
Out of Scope Comments
We received several comments that were out of scope for this
rulemaking. One commenter expressed concern about the ship-to-shore
cranes manufactured in the People's Republic of China (PRC).
Specific language to address PRC-manufactured cranes is outside the
scope of this regulation, which establishes general, baseline
cybersecurity requirements for regulated entities.
Another commenter asked for a list of crane manufacturers or
providers impacted by MARSEC Directive 105-4 related to the PRC-
manufactured cranes.
The Coast Guard announced the availability of MARSEC Directive 105-
4 on February 23, 2024, which provided actions for owners or operators
of ship-to-shore cranes manufactured by the PRC to manage cybersecurity
risks (89 FR 13726). This MARSEC Directive was announced at the same
time as the NPRM for this final rule, but its requirements are
separate. Interested parties should refer to the notice of availability
for MARSEC Directive 105-4.\40\
---------------------------------------------------------------------------
\40\ 89 FR 13726, February 23, 2024.
---------------------------------------------------------------------------
One commenter noted that CPGs specific to the maritime subsector
should be prioritized. The commenter also inquired about how feasible
it was to incorporate risk-based assessment processes into the MST
[Marine Science Technician] ``A'' School curriculum.
The Coast Guard is not currently working on sector-specific CPGs.
Entities are welcome to use their preferred references and standards to
help inform their required Assessments and Plans. ``A'' school
curricula are outside the scope of this regulation.
Formalizing Training
One commenter stated that the Coast Guard needs to consider
continuously monitoring OT devices and asked the Coast Guard to
formalize training, leverage industry best practices to apply to
maritime operations, and implement a ``Bug Bounty'' program like that
of the Department of Defense (DoD).\41\
---------------------------------------------------------------------------
\41\ A ``Bug Bounty'' program is an initiative that rewards
individuals for reporting bugs and vulnerabilities in software.
---------------------------------------------------------------------------
The commenter did not give additional information or a reason why
the Coast Guard should formalize the training. While formal training
can be beneficial, the Coast Guard will not mandate a specific training
format. It is up to the owners and operators of U.S.-flagged vessels,
facilities, and OCS facilities to assess the necessary level of
training based on their unique cyber threats and risks.
This final rule provides minimum baseline standards. Owners and
operators are welcome to implement additional cybersecurity measures if
they wish, including leveraging industry best practices, continuous
monitoring of OT devices, and establishing processes for vulnerability
notification such as the ``Bug Bounty'' program. However, these
additional measures are not required by this final rule.
Identity Protection and Authentication
Another commenter applauded the inclusion of identity protection
and authentication practices, and noted that some current practices,
such as ``bring your own device'' and ``work from anywhere'' models,
increase the risks of relying on traditional authentication methods and
further weaken obsolescent legacy security technologies.
The Coast Guard agrees that the rule's provisions appropriately
address current cybersecurity risks.
Automated Technologies
One commenter advised caution regarding ``unchecked reliance'' on
automated technologies and processes in the maritime industry. The
commenter also noted the lack of Federal regulations for ``smart''
containers. Another commenter recommended that the Coast Guard's
cybersecurity regulations should require private stakeholders to
collaborate with DHS to ensure national security and protect American
dockworkers from cyber-attacks and risks from automated technologies.
These comments fall outside the scope of the regulations, as our
intent is not to address specific issues associated with ``smart''
containers in particular. This final rule focuses on cybersecurity
threats and risks that may impact OT and IT systems on board vessels
and at facilities.
One commenter noted that some ports and ships are becoming
``smart'' with use of artificial intelligence, algorithms, and other IT
solutions. The commenter argued that the proposed regulations fell
short of addressing the cybersecurity risks of more sophisticated
systems by only providing minimum baseline requirements.
These regulations provide minimum baseline requirements that allow
each owner or operator to customize the Cybersecurity Plan to the needs
of their organization. We expect that organizations with more
sophisticated systems, such as those described by the commenter, will
use the Cybersecurity Assessment to identify their specific
cybersecurity needs, which will then be accounted for in the Plan. The
structure of this final rule provides each owner or operator the
flexibility to customize their Plan based on their own needs and also
to add other requirements they deem appropriate for their organization.
Additional Inspections
One commenter recommended that any vessel that visits an
``adversarial controlled shipyard'' for maintenance or repair should
necessitate thorough inspections following the maintenance.
This is outside the scope of this rulemaking. We did not propose
any requirements for such inspections and do not have any plans to
pursue them at this time.
Rulemaking Process
One commenter suggested that issuing an advance notice of proposed
rulemaking (ANPRM) first would have improved the process for crafting
these regulations.
The Coast Guard considered an ANPRM, but ultimately decided that it
was not necessary for this rulemaking project. We received robust
comments on the NPRM that provided useful input on the cybersecurity
regulations we proposed and that we have carefully considered in
developing this final rule.
Several commenters stated that the Coast Guard did not engage with
industry stakeholders before the release of the NPRM.
While we did not engage with industry on the NPRM specifically
prior to its release, the Coast Guard regularly engages with MTS
industry and other stakeholders on cyber and other risks at Government
agency- or industry-hosted conferences and workshops, and other forums.
In these engagements, we
[[Page 6308]]
discuss the Coast Guard's current cyber posture in terms of vessel and
facility compliance with MTSA. Cybersecurity presents challenging
problems, along with a need to address them promptly to implement
critical cybersecurity measures.
Port Security Grant Program
Some commenters requested that the Port Security Grant Program
account for, or even give prioritization to, smaller facilities to
address cybersecurity concerns.
The Coast Guard will seek to work with the Federal Emergency
Management Agency (FEMA) to further highlight cybersecurity through the
FEMA-administered Port Security Grant Program. Because we do not manage
that program, we cannot make any representation about future
prioritization of grant funds. As noted in FEMA's Fiscal Year 2024
Notice of Funding Opportunity for this program, all entities subject to
an Area Maritime Transportation Security Plan, as defined by 46 U.S.C.
70103(b), may apply for program funding.\42\ Eligible applicants
include but are not limited to port authorities, facility operators,
and State, local, and territorial government agencies.\43\ FEMA
identified enhancing cybersecurity as a key priority for Fiscal Year
2024.\44\
---------------------------------------------------------------------------
\42\ See FEMA, ``The U.S. Department of Homeland Security (DHS)
Notice of Funding Opportunity (NOFO) Fiscal Year 2024 Port Security
Grant Program,'' April 16, 2024, <a href="https://www.fema.gov/print/pdf/node/676012">https://www.fema.gov/print/pdf/node/676012</a>, accessed October 23, 2024.
\43\ Id. at 14.
\44\ Id. at 6.
---------------------------------------------------------------------------
Coast Guard Experience With Enforcing Cybersecurity
Some commenters stated that they did not feel that the Coast Guard
had the expertise to enforce these regulations or to conduct
cybersecurity inspections. They also stated that the nature of
personnel rotations among active-duty military meant that members would
constantly require training, and the Coast Guard could not retain the
expertise necessary to review and approve the Cybersecurity Plans. Some
also felt that reviews of the Cybersecurity Plan should be held in a
centralized location, due to the COTP not having enough cybersecurity
expertise.
The Coast Guard maintains a diverse workforce of military and
civilian personnel to balance the need to maintain institutional
knowledge while keeping the ability to flexibly assign personnel to a
wide range of billets and locations. Whether it is knowledge of
commercial vessel safety regulations, hazardous materials regulations,
or these new cybersecurity regulations, the Coast Guard will ensure
adequately trained personnel will be available to enforce these
regulations, including through reviewing Cybersecurity Plans. Although
this final rule addresses training requirements for regulated entities
and not Coast Guard personnel, the Coast Guard will ensure appropriate,
adequate training is available for the personnel conducting associated
work and missions. Additionally, the Coast Guard recognizes the comment
regarding centralized reviews of the Cybersecurity Plans. The Coast
Guard has not yet identified where ownership of initial and subsequent
review of Cybersecurity Plans will reside, but will determine that upon
assessing the process that optimizes resources and expertise. Whatever
the Coast Guard determines, it will not alter the requirements for
developing and submitting such Plans.
In addition, the Coast Guard has significant experience with the
maritime security of vessels, facilities, and OCS facilities. We have
specific cybersecurity units and capabilities dedicated to identifying
threats and risks and to protecting the cybersecurity of the United
States. We work in partnership with the DoD and other DHS components,
specifically CISA and the Transportation Security Administration (TSA).
We are confident that, by leveraging this experience and these
partnerships, along with additional training, we can enforce the
requirements in this final rule.
Some commenters asked if the Coast Guard planned to allow
Recognized Organizations (ROs) to assist with reviewing Cybersecurity
Plans.
The Coast Guard currently does not plan to allow ROs to assist with
reviewing Cybersecurity Plans, but regulated entities may consult with
ROs to ensure compliance with this final rule if they choose.
B. Comments Related to the Applicability of This Final Rule
One commenter asked us to clearly define the scope of the Coast
Guard's jurisdictional authority to regulate cybersecurity as it
applies to marine infrastructure.
As discussed in the legal authority section, the Coast Guard has
statutory authority under MTSA, as amended and codified at 46 U.S.C.
chapter 701, to regulate cybersecurity in the MTS. As already long-
established by the existing regulations in 33 CFR subchapter H, MTSA is
applicable to the vessels, facilities, and OCS facilities that are
subject to this final rule. The authority to regulate ``cybersecurity
risk'' was specifically added to MTSA by the Maritime Security
Improvement Act of 2018.\45\
---------------------------------------------------------------------------
\45\ Pub. L. 115-254, Div. J.
---------------------------------------------------------------------------
One commenter explained that some ports oversee airports under
their jurisdiction and thus, have dual cybersecurity requirements with
the Federal Aviation Administration (FAA). The commenter sought
clarification that new requirements, including incident reporting
requirements, would not apply to systems that are under the port
authority's charge but that are unrelated to maritime port activities.
The commenter expressed concern that, if the Coast Guard rule were to
apply to all systems under a port authority's charge, many ports would
have dual reporting requirements for the same incidents--a significant
inefficiency.
This final rule is applicable to those facilities currently
regulated under existing MTSA regulations. By and large, airport
facilities are not regulated under this rule. If a situation arose
where a MTSA-regulated entity was potentially subject to conflicting
requirements from the Federal Aviation Administration--or any other
agency's requirements--the entity should raise the issue of any
perceived conflicts with the COTP and that agency's respective point of
contact so that each agency is aware of the concern and can evaluate if
there are conflicts for compliance. With respect to incident reporting,
if there are occurrences where a cybersecurity incident affects systems
or equipment falling under multiple regulatory jurisdictions, an owner
or operator will have to ensure all reporting requirements are met. And
with respect to the rule in general, if appropriate, the Coast Guard,
acting through the COTP, may recommend the entity consider a request
for equivalence in order to avoid overlapping requirements.
Some commenters stated that the United States should not impose
specific requirements for the flag state on its vessels without
imposing the same on foreign-flagged vessels. One commenter also
suggested that U.S.-flagged vessels should be subject to requirements
no greater than those applied to foreign-flagged vessels with a safety
management system. The commenter asserted that, once the IMO
establishes international requirements, a new NPRM should be issued to
implement these requirements for U.S.-flagged vessels. Other commenters
said the United States should not impose requirements that deviate from
international standards, including those
[[Page 6309]]
that are presently being negotiated at the IMO.
The Coast Guard believes that protecting U.S. national security and
the nation's sovereign interests is a paramount concern. As the flag
administration, the United States believes that these baseline
requirements for U.S.-flagged vessels are important preventive
measures. Not only will establishing these requirements help protect
the U.S. commercial fleet from cybersecurity threats, but it will also
further establish the United States as a leader in this space and
offer a model for the necessary actions that other flag
administrations should take with respect to the cybersecurity of
vessels.
The Coast Guard acknowledges that this final rule adds new
requirements on U.S.-flagged vessels. However, the Coast Guard believes
that proactive cybersecurity regulations are essential for ensuring the
continued safety, security, and resilience of the domestic MTS.
Consistent with this approach, the United States is actively engaged in
international efforts to address maritime cybersecurity at the IMO. The
Coast Guard believes that extending regulations to foreign-flagged
vessels at this time while these discussions are ongoing would disrupt
the established processes for port state control and possibly
jeopardize U.S. national interests. The Coast Guard may consider
revising this rule at a later date as the threat environment and
international standards develop, including after the IMO speaks to
cybersecurity with additional specificity.
Multiple commenters requested clarification on how these
regulations apply to existing U.S.-flagged vessels, facilities, and OCS
facilities, and stated that it could be difficult for existing vessels
to meet some requirements. Specifically, concerns were raised about the
inability to implement data encryption, the feasibility of compliance
with network segmentation, frequent operator changes, difficulty in
identifying personnel to fill a specialized position, and the presence
of minimal computer networks and electronic systems. One commenter
stated that vessels operating exclusively on inland waters, such as
barges and towing vessels, have a minimal cyber footprint and should be
excluded from this rulemaking.
This final rule is applicable to U.S.-flagged vessels, facilities,
and OCS facilities, and includes both existing U.S.-flagged vessels,
facilities, and OCS facilities, as well as any new or future U.S.-
flagged vessels, facilities, and OCS facilities. The Coast Guard
understands that IT and OT footprints can vary across vessels. As
discussed in Section VII of this preamble, for the reasons indicated
below, the Coast Guard requests public comment on a potential 2-to-5-
year delay for the implementation periods for U.S.-flagged vessels,
which may partially address the commenters' concerns about vessels.
Conducting the required Cybersecurity Assessment allows for regulated
entities to determine and not merely speculate about their specific IT
and OT footprint, including potential vulnerabilities. Even vessels
with a small IT or OT footprint may still face cybersecurity risks that
could impact operations, safety, and security, which must then be
addressed. Some such limitations may be addressed in the Cybersecurity
Plan. When a regulated entity believes that certain requirements are
not applicable or they are unable to comply with specific requirements
within this regulation, they may follow the procedures in Sec. 101.665
to request a waiver or equivalency.
While the Coast Guard recognizes that issues such as frequent
operator changes may result in additional work for a regulated entity,
this final rule is in line with existing requirements applicable to
owner or operator changes. The Coast Guard believes that cybersecurity
training remains crucial for safeguarding the MTS against evolving
cybersecurity threats. Each new operator introduces a potential
vulnerability, and, without adequate training, this could compromise
both IT and OT systems. To mitigate these risks, it is vital that all
operators, regardless of turnover frequency, are equipped with
fundamental cybersecurity knowledge and skills. While formal training
may be appropriate, the Coast Guard is not mandating a format of
training in this final rule. However, the training would have to, at
minimum, cover relevant provisions of the Cybersecurity Plan to include
recognizing, detecting, and preventing cybersecurity threats, and
reporting cyber incidents to the CySO. When a regulated entity believes
they are unable to comply with specific requirements within this
regulation, they may follow the procedures in Sec. 101.665 to request
a waiver or equivalency.
Some commenters suggested that the Coast Guard should create a
separate rulemaking for vessels.
The Coast Guard is not considering a separate rulemaking for
vessels at this time. This final rule is consistent with the Coast
Guard's authority under MTSA as it applies to vessels.
Some commenters asked that this final rule not apply to vessels
such as small passenger vessels, towing vessels, and barges, as well as
to facilities with minimal or no IT and OT footprint. One commenter
stated that the NPRM outlined cybersecurity procedures broadly
applicable to many vessels and facilities but failed to consider those
with minimal computer networks and systems that would not significantly
impact operations, security, or safety if compromised. Another
commenter stated that OT systems on vessels are distinct and should be
assessed separately from shoreside infrastructure, as cyber incidents
typically impact only one vessel at a time due to segmentation. In
contrast, shoreside incidents can have wider repercussions. For inland
vessels, the primary vulnerabilities are personally identifiable
information (PII) and positional data theft. Thus, the commenter
recommended a tiered risk system to determine suitable cybersecurity
measures for vessels.
The Coast Guard does not agree with changing the applicability of
this final rule. Developing a definition or standard for ``little or no
IT and OT footprint'' would be challenging, and the Coast Guard did not
seek comment on such a definition in this rulemaking. Moreover, the
Coast Guard is not aware of a definition for ``little or no IT and OT
footprint'' in other regulations or in other recognized standards.
Until an Assessment is completed, it would be difficult to know the
full extent of a regulated entity's IT and OT footprint, and even a
smaller IT and OT footprint could still allow cybersecurity threats and
vulnerabilities and could still result in a cyber incident. It is
necessary for all regulated entities under this final rule to first
conduct the required Cybersecurity Assessment to determine the extent
of their IT and OT footprint. Upon completion of that assessment, each
regulated U.S.-flagged vessel, facility, or OCS facility can then
develop a Cybersecurity Plan based on the applicable requirements. Even
if an Assessment identifies only a minimal IT and OT footprint, that
footprint may still represent levels of risk to the owner or operator,
as well as the MTS. If the owner or operator finds there are portions
of these regulations that do not apply to their U.S.-flagged vessel,
facility, or OCS facility, the Coast Guard offers procedures in Sec.
101.665 for an owner or operator to request a waiver or equivalence
determination for the requirements. While an item may be identified by
an owner or operator as not applicable, and therefore requires a waiver
request from the requirement, it is necessary to identify that through
the Cybersecurity Assessment and
[[Page 6310]]
document in a Cybersecurity Plan so that it can be reviewed in the
future as needed.
Multiple commenters recommended the Coast Guard coordinate with the
Bureau of Safety and Environmental Enforcement (BSEE) in the Department
of the Interior before issuing any cybersecurity requirements for OCS
facilities because of the shared authorities in OCSLA.
The Coast Guard and BSEE have a shared mission of ensuring safety
on the OCS. We work closely together to ensure our requirements are not
in conflict with each other. The Coast Guard will continue to work with
BSEE and our other interagency partners to harmonize efforts as
appropriate and according to OCSLA and any other applicable law.
One commenter requested clarity about applicability to Sec. Sec.
104.105(b) and 105.105(b).
The Coast Guard revised the language in Sec. 101.605 to clarify
that these cybersecurity regulations apply to the owners and operators
of U.S.-flagged vessels, facilities, and OCS facilities required to
have a security plan under parts 104, 105, and 106. The text ``required
to have a security plan'' is the clearest means to clarify the
applicability without the loss of legal precision, especially as MTSA
addresses regulated entities in a similar manner at 46 U.S.C. 70103.
The Coast Guard received multiple comments suggesting that the
applicability for these requirements should be a risk-based approach
based on the varied levels of IT and OT footprints, or how extensive a
cybersecurity incident would be, based on vessel, facility, or OCS
facility size and type of operation, including a consideration for the
applicability to U.S. domestic vessels. Multiple commenters contended
that prescribing the same requirements for all vessels and not scaling
the applicability of requirements based on risk profile would impose
unfeasible requirements and undue burdens on owners and operators of
vessels. One commenter indicated that this risk-based approach should
also apply to penetration test requirements. Another commenter further
suggested that the Coast Guard add objective criteria for cybersecurity
controls similar to what is currently addressed in NVIC 01-20.
The Coast Guard determined that these cybersecurity requirements
should apply to the same entities to which MTSA currently applies, but
that there are areas where a waiver under Sec. 101.665 could apply.
The Coast Guard would not currently be able to identify the unique
aspects of each vessel and facility to develop a comprehensive risk
factor system and base requirements off that. Additionally, risk
factors could change, so the Coast Guard would either risk developing
factors that become outdated, or otherwise could not keep up with a
changing IT and OT landscape. The Coast Guard feels that the best
approach is to develop a broad range of cybersecurity requirements in
this final rule, which serve as baseline requirements across all
regulated entities rather than a risk-based approach. Since each
individual entity will have unique features, including their IT and OT
footprint, we believe it makes the most sense for them to assess
themselves, and, if needed, identify where they cannot comply or when a
requirement is not applicable.
It is practical to maintain the existing MTSA applicability,
particularly in requiring those regulated stakeholders to complete a
Cybersecurity Assessment to identify the extent of their IT and OT
footprint, so all entities can determine which requirements under these
regulations would apply. In cases when an owner or operator determines,
through their assessment, that certain criteria do not apply, they may
follow the procedures in Sec. 101.665 to request a waiver or
equivalency. NVIC 01-20 serves as general guidance for incorporating
cybersecurity into existing FSA and FSP requirements in 33 CFR part
105. This final rule represents more comprehensive cybersecurity
requirements that go beyond those addressed by NVIC 01-20. An owner or
operator may, however, use the principles of NVIC 01-20 to help inform
their compliance with these regulations.
One commenter suggested that the Coast Guard revise Sec. 101.605
so that this final rule would not apply to a vessel or facility that
has not installed an IT or OT system that, if compromised, could result
in a TSI. The commenter also suggested that the Coast Guard modify 33
CFR 104.305 and 105.305 so that VSAs and FSAs require an analysis of
cybersecurity threats as defined in Sec. 101.615.
The Coast Guard does not agree with this recommendation as we are
not making changes to existing regulatory requirements in 33 CFR parts
104 and 105. In addition, the recommendation to revise 33 CFR part 101
would introduce too much uncertainty into applicability, especially as
it relates to the need for entities to conduct a Cybersecurity
Assessment to evaluate risks as a threshold matter. It would be
premature to carve out a regulated entity based on an assumption that the
regulated entity's IT or OT poses no risk to the MTS or risk of a TSI
before such an evaluation is made through a Cybersecurity Assessment.
The function of the Cybersecurity Assessment is to provide the
necessary information to develop the appropriate mitigation measures
within the Cybersecurity Plan and to provide the substance that would
inform any discussions with the COTP or MSC, especially as it may
relate to requests for waivers or equivalencies.
One commenter requested clarification as to the applicability of
these regulations in cases of a landlord port and tenant facilities.
These regulations create new baseline cybersecurity
responsibilities for the owner or operator of an applicable U.S.-
flagged vessel, facility, or OCS facility. ``Owner or operator'' is a
term defined at 46 U.S.C. 70101(5). The applicability of these
regulations may depend on the nature of any specific landlord port and
tenant facility agreements. Therefore, the Coast Guard cannot make a
blanket determination about all landlord-tenant relationships as it
relates to the responsibility for compliance with the requirements of
this final rule.
Some commenters suggested that the Coast Guard incorporate these
rules into the existing 33 CFR parts 104, 105, and 106 requirements, as
opposed to creating 33 CFR subpart F.
The Coast Guard considered this approach but determined that
putting these cybersecurity requirements in a single subpart within 33
CFR part 101, which would then follow the applicability of 33 CFR parts
104, 105, and 106, allowed for the best alignment across regulated
entities. The Coast Guard has chosen to articulate the cybersecurity
requirements within 33 CFR part 101 because these regulations impact
U.S.-flagged vessels, facilities, and OCS facilities collectively. This
format is presented in a more organized and accessible manner to the
maritime partners who are already familiar with the MTSA regulations.
Some commenters asked us to clarify whether 33 CFR subpart F will
supersede NVIC 01-20.
NVIC 01-20 is a guidance document that states the Coast Guard's
policy stance and an interpretation of its existing regulations. NVIC
01-20 itself is not enforceable as a legislative rule. The
cybersecurity guidance provided by NVIC 01-20 relates to the
requirements in 33 CFR part 105 that predate this rulemaking. Upon the
effective date of this final rule, the requirements in these
regulations will have the force of law. This final rule will supersede
NVIC 01-20.
Some commenters raised concerns that some stakeholders will be
affected
[[Page 6311]]
by limited workforce and resources and questioned the cybersecurity
benefits. The commenters asserted that these challenges would be a
significant hindrance to operational effectiveness and urged the Coast
Guard to provide sufficient time and flexibility for operators to
understand and implement the new requirements. The Coast Guard
recognizes that regulated entities will have different workforce
levels, as well as financial and other resources, that affect how they
will comply with this final rule. In many cases, regulated entities
with a smaller workforce and fewer resources will likewise have a
smaller IT and OT footprint to assess and address in a Cybersecurity
Plan. If those entities do have a large IT and OT footprint, then that
reinforces the need to comply with the requirements in this final rule
to prevent, mitigate, and respond to cybersecurity threats,
vulnerabilities, and incidents.
One commenter stated that this final rule had an unclear impact on
marine terminal operators participating in unified port authority
cybersecurity programs.
The Coast Guard encourages participation and collaboration between
stakeholders and maritime entities in addressing cybersecurity and
other security risks throughout a port complex. However, a unified port
authority cybersecurity program or similar higher-level arrangement may
not adequately account for the unique cyber threats and vulnerabilities
for a specific regulated entity. This final rule represents
requirements for each regulated U.S.-flagged vessel, facility, and OCS
facility, consistent with existing security requirements according to
33 CFR parts 104, 105, and 106.
The Coast Guard believes that both this final rule and unified port
authority cybersecurity programs can work in complement to each other,
as they both pursue the same goal of bolstering cybersecurity, where
the port authority program can be viewed as a macro-level plan, rather
than the micro-level, individualized plan specific to the U.S.-flagged
vessel, facility, or OCS facility. This final rule is based on CISA's
CPGs, which themselves are informed by NIST's Cybersecurity Framework
(CSF), and all leverage commonly accepted cybersecurity best practices
that should not conflict with other programs. This final rule
represents minimum baseline standards that a regulated entity can
further build upon in coordination with unified port authority
cybersecurity programs.
Many ports have active and robust AMSCs, which may include a
Cybersecurity Subcommittee that can address coordination. Since this
final rule and unified port authority cybersecurity programs all share
a common goal of ensuring cybersecurity, the Coast Guard expects that
regulated entities and port authorities will work together to ensure
programs are not in conflict. Additionally, in cases when a unified
port authority cybersecurity program may impact a regulated entity's
specific Cybersecurity Plan, an owner or operator may be able to
address the impact through the provisions in Sec. 101.665 for
noncompliance, waivers, and equivalencies.
C. Comments Related to Definitions
Sources for Definitions Used in This Final Rule
Some commenters suggested using definitions for certain terms used
in this final rule that come from sources such as NIST, DoD's
Cybersecurity Maturity Model Certification program, and other
standards.
The Coast Guard selected the definitions used in this final rule
based on definitions used by our interagency partners to ensure
alignment and harmonization across the interagency. The NPRM \46\
discussed the citations for these definitions. The Coast Guard
recognizes that there are numerous definitions for many of the terms
used in this final rule, and that many might choose other sources, but
these definitions meet the needs of the Coast Guard and are
overwhelmingly accepted by stakeholders. The definitions used here are
standard cybersecurity definitions used across industry and Government
agencies and are listed in NIST's CSF. This common lexicon helps limit
miscommunication.
---------------------------------------------------------------------------
\46\ 89 FR 13404.
---------------------------------------------------------------------------
Harmonizing Definitions
One commenter noted that harmonization of definitions for existing
and proposed cybersecurity requirements is vital.
As discussed in the preamble of the NPRM, the Coast Guard consulted
numerous sources for the definitions used in the NPRM. These sources
include Executive Order 14028, the James M. Inhofe National Defense
Authorization Act for Fiscal Year 2023 (Pub. L. 117-263) (the Act), the
Homeland Security Act of 2002 (Pub. L. 107-296), as amended, CISA's
National Initiative for Cybersecurity Careers and Studies, and NIST's
Computer Security Resource Center (CSRC). We believe that these sources
are reliable and generally accepted by the industry and Government
agencies. Additionally, these terms are appropriate for usage in the
maritime setting. The definitions used here are standard cybersecurity
definitions used across industry and Government agencies and are listed
in NIST's CSF. However, we also recognize that there is some variance
in the cybersecurity terms used by industry and Government sources. For
example, NIST defines a ``cyber incident'' as ``an occurrence that
results in actual or potential jeopardy to the confidentiality,
integrity, or availability of an information system or the information
the system processes, stores, or transmits, or that constitutes a
violation or imminent threat of violation of security policies,
security procedures, or acceptable use policies.'' Part 6 of title 33
of the CFR uses similar, but not identical, language to define a cyber
incident as an occurrence that:
(1) Actually or imminently jeopardizes, without lawful authority,
the integrity, confidentiality, or availability of information or an
information system; or
(2) Constitutes a violation or imminent threat of violation of law,
security policies, security procedures, or acceptable use policies.\47\
---------------------------------------------------------------------------
\47\ 33 CFR 6.01-8 and 44 U.S.C. 3552(b)(2).
---------------------------------------------------------------------------
The Homeland Security Act of 2002 also uses similar language,
defining an incident as ``an occurrence that actually or imminently
jeopardizes, without lawful authority, the integrity, confidentiality,
or availability of information on an information system, or actually or
imminently jeopardizes, without lawful authority, an information
system.'' \48\
---------------------------------------------------------------------------
\48\ 6 U.S.C. 650(12).
---------------------------------------------------------------------------
After reviewing all these definitions, we selected the ones that
best fit the maritime setting and ensured that the regulatory
definitions are consistent with the relevant statutory definitions. The
definitions used here align with standard cybersecurity definitions
used across industry and Government agencies and are listed in NIST's
CSF. These sources provide a common lexicon for everyone to use to
limit miscommunication and do not differ because they are used in a
maritime setting.
Adding New Terms to the Final Rule
Several commenters suggested that we introduce new terms that were
not defined in the NPRM, such as ``Marine Transportation System
(MTS),'' ``Critical Cybersecurity Equipment,'' and ``transportation
security incident.'' In some cases, commenters proposed adding new
definitions to enhance understanding of this final rule. For
[[Page 6312]]
example, they requested definitions for ``key personnel'' as described
in Sec. 101.650(d), Cybersecurity Training for Personnel, and
``sensitive or critical data'' instead of the current requirement that
``all data'' must be protected under Sec. 101.650(c), Data Security
Measures. The commenters noted that these suggestions were made to
clarify specific requirements and improve the overall clarity and
implementation of this final rule.
We did not make changes in response to most of these suggestions.
Adding these terms is unnecessary, as many of them are already well-
defined and have been commonly used in the maritime sector for many
years. For example, ``Marine Transportation System'' or ``Maritime
Transportation System'' are terms that are widely recognized and
understood by industry and Government agencies.\49\ Similarly,
transportation security incident is a term that, although mentioned
several times in the NPRM, was not defined because it is already
defined at 46 U.S.C. 70101 and in 33 CFR 101.105. This definition has
been in place for over 20 years under the MTSA regulations. Therefore,
we do not see the need to introduce additional definitions for these
terms.
---------------------------------------------------------------------------
\49\ See for example, 46 U.S.C. 50401.
---------------------------------------------------------------------------
Some commenters suggested that the Coast Guard define what constitutes
a ``significant number'' of individuals whose nonpublic personal
information is disclosed or accessed without authorization, directly or
indirectly, such that reporting is required under the proposed
definition of reportable cyber incident.
The Coast Guard did not make changes in response to these requests.
We recognize that we use several terms, such as ``significant number,''
in this final rule without defining them. We intentionally left this
and other terms undefined because their meanings can vary significantly
depending on an organization's operational conditions and cybersecurity
risks. This approach ensures that the definition is appropriately
tailored to the unique context and needs of each organization. By
allowing organizations to define these terms themselves, we aim to
provide a more flexible approach to meet the requirements in the
evolving cybersecurity environment in the maritime sector.
Defining the Term ``Reportable Cyber Incident''
Numerous commenters responded affirmatively to our request for
comments on whether we should define and use the term ``reportable
cyber incident'' in this rulemaking to clarify what incidents trigger
reporting obligations. Some commenters offered suggestions on edits to
this proposed definition, including reordering subparagraphs. One
commenter suggested limiting the definition to known incidents and not
including those still under investigation considering the DHS report,
informed by the work of the Cyber Incident Reporting Council (CIRC),
which advises that the Federal Government should adopt a consistent
model definition of a ``reportable cyber incident'' wherever
practicable. Another commenter noted that establishing a threshold for
reportable cyber incidents based on the potential that the incident
could result in a TSI would clarify what does and does not need to be
reported. Another commenter recommended that the Coast Guard should
narrowly tailor ``reportable cyber incident'' to align with the Coast
Guard's mission and the underlying purpose of the MTSA.
The Coast Guard agrees with the suggestion to define and use the
term reportable cyber incident. We have included the term reportable
cyber incident in this final rule. The Coast Guard's definition of
reportable cyber incident is based on the model definition proposed in
the CIRC-informed DHS Report (the ``CIRC Model Definition'').\50\
Interagency stakeholders reviewed this term and its definition to
ensure alignment and harmonization to the extent practical. The Coast
Guard did not adopt the suggested edits to the proposed definition. We
are maintaining the definition we included in the preamble to the NPRM,
based on other public comments and discussion with interagency partners
on harmonization.
---------------------------------------------------------------------------
\50\ See DHS Office of Strategy, Policy, and Plans,
Harmonization of Cyber Incident Reporting to the Federal Government
(Sept. 19, 2023), <a href="https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government">https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government</a>, accessed August 13,
2024.
---------------------------------------------------------------------------
One commenter stated that the definition for reportable cyber
incident should include clearly defined thresholds for such incidents.
The Coast Guard does not agree. The definition for a reportable
cyber incident provides sufficient detail to allow owners, operators,
or CySOs to determine what constitutes such an incident and reflects
harmonization among the interagency on the substance of this
definition.
As noted previously, after considering all public input, we have
decided to include the term reportable cyber incident as defined in the
NPRM. We concur with the many comments that this term is sufficiently
well-defined to provide clear guidance on when and under what
conditions cyber incidents must be reported to the NRC. This clarity
will help eliminate the need to report minor cyber incidents, which
will reduce the administrative burden on owners and operators as a
result.
One commenter suggested that the Coast Guard include the definition
for a reportable cyber incident, but to allow for a threshold that
would include unauthorized attempts by third-party actors to access
sensitive information. The commenter also stated that these incidents
should include phishing attempts, attempts to gain access to terminal
operating systems, and unsuccessful malware attacks, as well as loss of
network availability, exposure of sensitive data, and disruption of
business operations as a result of unauthorized access by third
parties.
We did not adopt this suggestion. The Coast Guard's definition
allows for the owner, operator, or CySO to determine if an incident
meets the criteria for reporting. Further, the Coast Guard encourages
stakeholders to report any situation or incident out of the ordinary if
there is doubt or if they question whether it meets the definition of
reportable cyber incident.
We acknowledge the concerns raised by some commenters about
redundancy and the need for interagency coordination. The Coast Guard
will continue to work with other Government agencies to ensure our
language aligns among all regulations and ensure harmonization of
efforts to the extent practicable.
The Coast Guard emphasizes information sharing among its
interagency partners. The Coast Guard shares information with other
Federal agencies through multiple channels: NRC reports of incidents
are shared with DHS, CISA, and other relevant agencies. As a Co-Sector
Risk Management Agency for the Transportation Systems Sector, the Coast
Guard regularly communicates with the U.S. Department of
Transportation, the Maritime Administration, TSA, and CISA.\51\ The
Coast Guard is a participant on numerous National Security Council-led
Interagency Policy Committees. Engagement among local, State, Federal,
and Tribal agencies also occurs through AMSCs. The Coast Guard shares
cyber-focused products such as marine safety
[[Page 6313]]
information bulletins, cyber advisories, and other products across
interagency partners.
---------------------------------------------------------------------------
\51\ The White House, National Security Memorandum on Critical
Infrastructure Security and Resilience, Apr. 30, 2024, <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/">https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/</a>, accessed on December 20, 2024.
---------------------------------------------------------------------------
One commenter noted that they support defining reportable cyber
incident to distinguish between incidents that must be reported and
those that need not be; however, they find the current definition of ``cyber
incident'' in Sec. 101.615 is too broad and overly focused on IT. The
commenter also noted that they have concerns with the proposed
definition of reportable cyber incident and its alignment, or lack
thereof, with other definitions for reportable cyber incidents in
regulation and policy.
The Coast Guard definition of cyber incident is based on the
existing definition of incident in Title XXII of the Homeland Security
Act of 2002,\52\ which is not textually identical to, but is substantively
similar in relevant part to, the definition of ``cyber incident'' in
Executive Order 14116. An incident in the Homeland Security Act of 2002
is ``an occurrence that actually jeopardizes, without lawful authority,
the integrity, confidentiality, or availability of information or an
information system, or actually jeopardizes, without lawful authority,
an information system.'' Although the Coast Guard recognizes that not
all commenters may agree with our chosen definition, the Coast Guard
values alignment with these established terms to minimize potential
conflicts that could be created by significant deviations between
definitions in these regulations and existing statutes.
---------------------------------------------------------------------------
\52\ Public Law 107-296, as added by Public Law 117-263, section
7143, classified to 6 U.S.C. 650.
---------------------------------------------------------------------------
``Information system'' is defined in this final rule as an
interconnected set of information resources under the same direct
management control that shares common functionality. Typically, a
system includes hardware, software, data, applications, communications,
and people. It includes the application of IT, OT, or a combination of
both. The definition of information system clearly covers both IT and
OT systems.
The Coast Guard's definition of reportable cyber incident is based
on the model definition proposed in the CIRC Model Definition. However,
in CISA's proposed rule implementing the Cyber Incident Reporting for
Critical Infrastructure Act of 2022 (CIRCIA) (Pub. L. 117-103), the
proposed definition of ``substantial cyber incident'' (which is used
within the definition of ``covered cyber incident,'' the term that
describes what cyber incidents are required to be reported under
CIRCIA) does not include the CIRC Model definition's phrase ``or, if
still under the covered entity's investigation, could reasonably lead
to any of the following,'' as CISA interprets CIRCIA to require an
incident to actually result in one of the impacts listed in the
definition of substantial (in this case, reportable) cyber incident
under CIRCIA.\53\ For similar reasons, CISA did not propose including
in the definition of ``substantial cyber incident,'' the CIRC Model
Definition's fourth threshold prong, ``potential operational
disruption.'' A ``reportable cyber incident'' is a type of ``cyber
incident'' as these terms are defined in this final rule. A
``reportable cyber incident'' as defined in this final rule would also
trigger a reporting obligation under 33 CFR 6.16-1 for entities
required to report a cyber incident as such term is defined in 33 CFR
part 6.
---------------------------------------------------------------------------
\53\ 89 FR 23644.
---------------------------------------------------------------------------
Revising the Definition of ``Breach''
One commenter noted that the term ``breach,'' when used by the
Coast Guard to discuss a breach of security, could have serious,
significant legal and financial impacts in reference to cybersecurity.
We revised Sec. 101.625(d)(10) in this final rule to refer to
``reportable cyber incidents'' rather than ``breaches of security,
suspicious activity that may result in TSIs, TSIs, and cyber
incidents.'' This is also consistent with our decision to define and
include the term reportable cyber incident.
Adding a Definition for ``Cybersecurity Threat''
One commenter recommended adding the definition of ``cybersecurity
threats'' to 33 CFR parts 104 and 105.
The Coast Guard does not agree to add the definition of
``cybersecurity threat'' because it is already encompassed by the
defined term ``cyber threat'' the Coast Guard uses in this final rule.
Cyber threat is the term used in CIRCIA, which amended the Homeland
Security Act of 2002 (Pub. L. 107-296). CIRCIA defined cyber threat by
cross-referencing to the term cybersecurity threat as it was already
defined in the Homeland Security Act of 2002. The two statutory terms
share the same definition, which is substantively repeated in this
final rule. For the sake of consistency in this final rule, the Coast
Guard has chosen cyber threat as the term-of-art for these regulations.
Furthermore, the Coast Guard does not concur with the suggestion to
amend 33 CFR parts 104 and 105 because, except for amending 33 CFR
160.202, this final rule is limited to establishing requirements in 33
CFR part 101. Adding or removing requirements in parts 104, 105, or 106
is outside the scope of this final rule. The new definitions in Sec.
101.615 are sufficient for this final rule.
Revising the Definition of ``Backup''
One commenter raised a concern that the primary issue with the
concept of ``backup'' is that it lacks the flexibility to rebuild or
re-instantiate a system from something other than a backup. When
restoring from backups, time can be a critical factor. Therefore, the
commenter recommended that the Coast Guard expand this definition and
eliminate the requirement for all backups to be stored offsite.
The Coast Guard agrees with this commenter. We revised the
definition of backup in Sec. 101.615 to remove the phrase ``in a
secondary location'' and the implication that backups must be stored
``offsite.'' Instead, we added language to clarify our definition of
backup. In this final rule, backups refer to ``copies being stored
separately for preservation and recovery.'' With these changes, the
revised definition is sufficient for the requirements in these
regulations. If an owner or operator of a U.S.-flagged vessel,
facility, or OCS facility identifies a method that they feel falls
outside of that definition, they may follow the process to request a
waiver according to Sec. 101.665.
Defining the Term ``Transportation Security Incident''
One commenter questioned the clarity of the definition of a
``transportation security incident,'' while another suggested a
definition of ``security incident.''
Transportation security incident is defined by the MTSA, codified
at 46 U.S.C. 70101, and in 33 CFR 101.105. Further guidance on what
constitutes a TSI (as well as a ``breach of security'' or ``suspicious
activity'') is provided in NVIC 02-24.
Revising the Definition of ``Hazardous Condition''
Multiple commenters addressed our request for input on whether we
should amend the definition of ``hazardous condition'' in 33 CFR
160.202 by adding ``cyber incidents.'' The Coast Guard received several
comments in favor of amending the definition of hazardous condition to
include cyber incidents. Conversely, one commenter advised against
including cyber incidents under the definition of hazardous condition
in Sec. 160.202. The commenter warned that doing so could lead to
unnecessary sharing of sensitive information during
[[Page 6314]]
cyber incidents, such as losing confidential data, that do not impact
marine operations. The commenter recommended against additional
reporting requirements beyond those mandated by CISA if cyber incidents
are added to the definition of hazardous condition. Other commenters
also suggested that the Coast Guard clarify the application of this
definition to marine terminals and OCS facilities, as much of this
section pertains to vessel requirements and may cause confusion.
The Coast Guard concurs with the recommendations to include the
term. Accordingly, we amended the definition of hazardous condition in
that section to include the term cyber incident. Including the term
cyber incident is a helpful example that adds clarity to the existing
regulation in 33 CFR 160.202, which applies only to vessels. The Coast
Guard recognizes that not all occurrences with a cyber aspect will
create a hazardous condition, but believes the term's inclusion in the
list of examples will be beneficial by highlighting that cybersecurity
is an important consideration that operators should be cognizant of
when assessing hazardous conditions.
As discussed elsewhere in this preamble, the Coast Guard amended
the definition of hazardous condition to include cyber incidents. The
Coast Guard is not changing the applicability of Sec. 160.203 to
include facilities or OCS facilities because Sec. 160.203 relates to
the Notice of Arrival and Departure regulations for vessels. This
clarification to the definition of hazardous condition is distinct from
the new baseline cybersecurity requirements for MTSA-regulated
entities.
One commenter expressed concern with the NPRM's approach to
requesting input on whether to define and use reportable cyber
incident, and whether to amend the definition of ``hazardous
condition.'' The commenter strongly advocated for harmonizing the
reporting process, noting that owners and operators of U.S.-flagged
vessels are already familiar with reporting to the NRC. They suggested
that all cyber incidents should be reported through this channel,
allowing the NRC to relay information to other Federal agencies as
needed.
The Administrative Procedure Act requires that we provide general
notice of a proposed rulemaking, including notice of the terms or
substance of a proposed rule or a description of the subjects and
issues involved.\54\ Asking the public to comment on specific items, in
addition to the NPRM as a whole, is a commonly accepted way to seek
public participation in the rulemaking process. In fact, as discussed
above, we received numerous comments responsive to our request.
---------------------------------------------------------------------------
\54\ 5 U.S.C. 553(b)(3).
---------------------------------------------------------------------------
D. Comments Related to Owner or Operator
We received a series of comments about the responsibilities of the
owner or operator for managing the Cybersecurity Plan.
One commenter recommended assigning responsibilities to the
operator to ensure compliance with applicable regulations for regulated
facilities. One commenter recommended assigning overall responsibility
for vessels to the company or organization (in this case, a Document of
Compliance (DOC) holder) if the owner and operator of a vessel are
separate entities. Another commenter recommended the term ``owner and
operator'' be clarified to signify a single responsibility for the
vessel (in this case, a DOC holder), OCS facility, or other facility
owned or operated, based on IMO practice.
We did not make changes in response to these recommendations. The
Coast Guard desires consistency with the existing regulations and uses
the term ``owner or operator'' as defined in Sec. 101.105 throughout
this final rule. The Coast Guard does not agree that further
clarification of the term ``owner or operator'' is needed. The term
owner or operator in this final rule is consistent with existing MTSA
regulations, and it is unnecessary to specify further criteria for the
entity with overall responsibility (such as requiring them to be
holding a DOC).
One commenter requested clarification of the differences between
the roles and responsibilities of the owner or operator and the CySO as
there are similar or overlapping roles to both.
The roles and responsibilities of the CySO and owner or operator
are clearly outlined in this final rule in Sec. Sec. 101.625 and
101.620, respectively, and are in line with the existing relationships
between the owner or operator, Vessel Security Officer (VSO), and
Facility Security Officer (FSO) in existing regulations. While there is
some overlap between the roles, any redundancy or overlap does not take
away from the responsibilities of the CySO and owner or operator and
enables the owner or operator to maintain oversight over the CySO
position.
One commenter recommended that the Coast Guard change the phrase
``responsible for'' to ``accountable for'' in Sec. 101.620(a) when
referring to owners and operators assigning security duties to other
personnel. According to the commenter, this change would highlight the
importance of how these roles will be staffed and implemented,
indicating a more structured approach to accountability within the
organization.
The Coast Guard declined to make this change, as the term
``responsible for'' is consistent with existing language for VSOs,
FSOs, and OCS FSOs in current regulations and is long-standing industry
practice.
One commenter questioned whether ``person'' as stated in Sec.
101.620(b)(2) is synonymous with ``role.''
An owner or operator subject to this final rule is required to
identify each person exercising cybersecurity duties and
responsibilities. Any person having such duties and responsibilities
would likewise have a ``role.'' Owners and operators should focus on
the language of this final rule and identify each person, as stated.
The Coast Guard is concerned that the necessary duties are properly
assigned and performed. The particular manner in which an entity
identifies and assigns those duties, whether by individual name or by
role, is left to the entity's discretion. The Coast Guard encourages
owners and operators to comply with the requirements under Sec.
101.620(b)(2) consistent with how their U.S.-flagged vessel, facility, OCS
facility, or organization addresses similar requirements in their VSP,
FSP, or OCS FSP.
E. Comments Related to Cybersecurity Officer
Some commenters stated that they did not believe that cybersecurity
warrants another designation for security personnel, in this case a
CySO, and felt that a specific cybersecurity plan was not needed. They
recommended adding cybersecurity duties to existing responsibilities of
the Company Security Officer (CSO) and VSO. Another commenter felt that
the CySO position might be unnecessary and requested a process for
waiving this requirement. Another commenter believed that this final
rule should state the actions that an organization must take, rather
than specifying the individual role that needs to accomplish those
actions. They felt that organizations should be able to identify who
that person would be for their organization, which may align to other
positions or titles within their organization.
The Coast Guard strongly believes that the present and evolving
cybersecurity threats in the MTS require specific regulations to help
prevent, mitigate, and respond to cybersecurity incidents and
vulnerabilities. This final rule provides minimum cybersecurity
[[Page 6315]]
requirements for a common cybersecurity baseline for regulated maritime
entities. The threats and vulnerabilities addressed are not adequately
covered by existing regulations. The requirements to designate a CySO
and to develop a Cybersecurity Plan reflect the reality that
cybersecurity threats, risks, and vulnerabilities exist in the MTS, and
have the potential to significantly affect the safety and security of
individual entities, as well as the MTS and other transportation
critical infrastructure. The Coast Guard has determined that it is
necessary to identify a specific CySO, similar to the identification of
a VSO or FSO, that serves as the primary lead to organize these efforts
within their U.S.-flagged vessel, facility, or OCS facility, to ensure
that there is at least one representative focusing on and addressing
the relevant requirements. Consistent with Sec. 101.625, the CySO may
perform other duties such as CSO, FSO, or VSO. It will be up to owners
and operators of U.S.-flagged vessels, facilities, and OCS facilities
to decide whether they need to designate a sole security officer that
focuses exclusively on cybersecurity.
One commenter stated that the requirements for cybersecurity should
be directed at the executive level, and not create a CySO position to
handle many of these requirements.
The owner or operator has ultimate responsibility for compliance
with this final rule. This includes designating a CySO, as required
by Sec. 101.620(b)(3). It is the responsibility of each regulated
entity to ensure their executive leadership is aligned with the CySO
and other cybersecurity professionals. Placing full ownership of
cybersecurity requirements on the owner or operator, without the
designation of a CySO, would be burdensome to the owner or operator.
The position of CySO ensures the regulated entity has personnel with
the necessary professional expertise to address cybersecurity.
Several commenters stated that the qualifications listed in these
regulations did not fully encompass what would be required for a
successful CySO position. Additionally, a commenter questioned the
qualifications of the Coast Guard or a third-party organization to
evaluate what is required of a specific organization's CySO. The
commenter also suggested that either the Coast Guard or a third-party
organization would be in a poor position to evaluate whether they meet
the necessary qualifications. Another commenter stated that it could be
difficult for small organizations to have someone on staff with these
qualifications.
This final rule presents minimum baseline requirements, including
the requirements of a CySO for a U.S.-flagged vessel, facility, or OCS
facility. The qualifications required serve as a baseline that should
be attainable and easily evaluated by organizations of any size or
complexity. Organizations are welcome to identify additional
requirements, such as additional qualifications, that they would
require of their CySO position as best suits their individual needs, so
long as the minimum requirements of this final rule are met. It is up
to the owner or operator of a U.S.-flagged vessel, facility, or OCS
facility to determine that their candidate meets these requirements,
and for the Coast Guard to evaluate whether the owner or operator met
their required responsibilities in their review of the Cybersecurity
Plan.
The Coast Guard does not, and will not, have a role in an
organization's hiring of new personnel or designation of new roles and
responsibilities to existing personnel. These decisions are left up to
the owner or operator. The Coast Guard has stated that the CySO can be
an existing employee at a U.S.-flagged vessel, facility, or OCS
facility. The Coast Guard will verify that a qualified CySO has been
designated by the owner or operator according to this final rule. The
Coast Guard recognizes that this final rule will result in costs
incurred by industry. Failure to designate a CySO, as well as failure
to comply with any other aspect of this final rule, would be subject to
actions as determined by the COTP or other appropriate Coast Guard
representative.
One commenter asked the Coast Guard to clarify if the CySO must be
a U.S. citizen.
The Coast Guard does not impose citizenship requirements for the
CySO position in this final rule. The Coast Guard may consider this
issue in a subsequent rulemaking, as appropriate.
Some commenters noted that for small operators, or those with
limited resources, the CySO would likely be a collateral duty. Another
commenter similarly stated that it was not reasonable to expect
every owner or operator of a vessel to employ a cybersecurity expert,
and that the CySO position requires too much specialized knowledge and
too much time to be added to an existing position. Many small companies
without an in-house IT department might have to rely on a third-party
provider for all cybersecurity needs and protections. Consequently, the
commenters were concerned that this final rule would impose unrealistic
requirements and undue burdens on small operators. Some commenters
requested that the Coast Guard clarify that a CySO could be someone
designated at the corporate level.
The Coast Guard notes in this final rule that the CySO designation
may be given to an employee with other responsibilities consistent with
Sec. 101.625. The CySO role may be a collateral duty so long as all
the requirements and responsibilities of the position are met. It is
the responsibility of owners and operators to ensure that cybersecurity
risks are managed and addressed, whether through in-house resources or
through third-party services. While we understand the concerns
regarding the potential burden of compliance, it is essential that
cybersecurity requirements are met to safeguard the organization's
assets and ultimately, maritime critical infrastructure and the MTS.
Ensuring robust cybersecurity defenses is critical to protecting
against potential threats and maintaining operational integrity.
The Coast Guard developed these regulations, including the
cybersecurity requirements, to enable owners and operators to identify
a person who can manage the requirements, even if they must rely on
other cybersecurity, IT, or OT professionals for more technical items
in the rule. Regardless of the size of an organization itself, the size
of their IT and OT footprint dictates how much a CySO will have to
address. A company with a small IT or OT footprint would correspondingly
have fewer items for which the CySO is responsible. A
company with a larger IT or OT footprint would similarly require more
of the CySO position, commensurate with the level of risk posed. The
Coast Guard believes, therefore, that there would be little to no undue
burden or unrealistic requirement of any regulated entity, as the level
of cybersecurity actions required of the CySO directly correlates to
their cyber footprint. The Coast Guard reiterates that this final rule
allows for the designation of the CySO role to an existing employee at
any level of the organization, so long as the requirements and
responsibilities are met for each individual U.S.-flagged vessel,
facility, or OCS facility.
Some commenters requested that the Coast Guard recognize that a
facility may designate an alternate CySO. Their concern is that, for a
company with multiple facilities, one CySO may not have the knowledge
or practical capability to effectively manage all of them.
The Coast Guard revised the definition for Cybersecurity Officer in
Sec. 101.615 to clarify that the owner or operator must designate a
CySO, but
[[Page 6316]]
they also may designate an alternate CySO to assist in the duties and
responsibilities at all times, including at times when the CySO may be
away from the U.S.-flagged vessel, facility, or OCS facility.
One commenter supports including the phrase ``or equivalent job
experience'' in the CySO requirements.
The Coast Guard agrees that ``or equivalent job experience'' is
an important phrase and maintains it as part of the final rule in Sec.
101.625(e).
Some commenters requested that we rename the CySO position from
``CySO'' to ``Facility Cybersecurity Officer'' due to potential
confusion with other positions and titles, such as the Chief
Information Security Officer (CISO) or other ``C-Suite'' personnel.
These commenters expressed concern that the Coast Guard was introducing
a term that has not previously been used by other agencies and offered
alternative titles for the role.
This final rule clearly defines the CySO position and
differentiates it from other positions and titles at a U.S.-flagged
vessel, facility, OCS facility, or organization. We do not agree with
changing the name of the position in this final rule, especially as
this applies specifically to U.S.-flagged vessels, facilities, and OCS
facilities. We selected this term to differentiate from other roles
identified in existing regulations, while clearly outlining the
requirements of the position. If an owner or operator prefers to refer
to the position by a different title within the organization, then they
are free to do so as long as they explain the different title in their
Cybersecurity Plan.
One commenter expressed concern that this final rule does not
address how the CySO is expected to interact with the CSO, and that the
relationship between these two positions should be clearly defined.
They stated that the CSO should have ultimate responsibility on all
security-related matters, including cybersecurity, and that the CSO
should approve the Cybersecurity Plan.
The Coast Guard notes that the roles and responsibilities of the
CSO are clearly outlined in existing regulations, and the roles and
responsibilities of the CySO are clearly outlined in this final rule.
Any interaction between the CySO and other security positions should be
determined by the owner or operator at the U.S.-flagged vessel,
facility, OCS facility, or organizational level, as appropriate. As
long as statutory and regulatory requirements are met, it is the
discretion of each owner or operator of a U.S.-flagged vessel, facility,
or OCS facility to determine how their employees interact.
One commenter requested that specific criteria be developed for the
CySO position to develop training programs. The commenter requested
that Government-funded training courses be considered for existing CSOs
to be trained for the CySO designation. This commenter also requested
that third-party training programs be eligible for Federal grant
programs, such as FEMA's Port Security Grant Program.
The Coast Guard notes that the criteria in Sec. 101.625 are
sufficient as baseline requirements for the CySO position. When
determining the baseline requirements for the CySO, we looked at
similar jobs and pulled those requirements that suited the need. The
Coast Guard does not currently have plans to develop and fund training
programs for the CySO position. We advise affected entities that they
are welcome to work with FEMA, local port partners, their Area Maritime
Security Committee, and others, as appropriate, in requesting support
through any Federal grant program in support of maritime security. The
decision on what is eligible for, and would receive such grant funding,
is not made by the Coast Guard.
One commenter requested clarification on the specifics of
cybersecurity inspections that are the responsibility of the CySO,
including how they will be conducted.
Coast Guard inspections are intended to verify compliance with an
approved Cybersecurity Plan. When arranging for and during the
inspection, it is the responsibility of the CySO to ensure that any
disruptions to operations are minimized. The cybersecurity portion of
the inspection will follow standard inspection procedures, similar in
methodology to physical facility inspections, in verifying compliance
with the regulations. The Coast Guard may consider future policy
development, if needed, on the conduct of cybersecurity inspections.
One commenter recommended mandatory training and certification for
the position of the CySO. For vessel CySOs, one commenter suggested
implementing a certificate of proficiency similar to those required for
other roles under the International Convention on Standards of
Training, Certification, and Watchkeeping for Seafarers.
After reviewing the requirements for designating a CySO, the Coast
Guard is not including additional requirements or certifications at
this time. This final rule provides minimum baseline requirements
necessary for the identification of this role, and the Coast Guard does
not intend to impose overly prescriptive requirements that could impede
stakeholders' ability to identify suitable candidates. Owners and
operators are welcome to add additional requirements on their own, so
long as they meet compliance with these regulations.
Some commenters questioned why there are physical security controls
under the CySO when these are under the existing purview of VSOs, FSOs,
and OCS FSOs.
The Coast Guard notes that physical security controls for IT and OT
systems are listed in Sec. 101.630(c)(8) as being part of the
Cybersecurity Plan, which is developed and implemented by the CySO.
These regulations do not preclude the VSO, FSO, or OCS FSO from
performing their required roles and responsibilities and helping to
inform the Cybersecurity Plan, or otherwise working with the CySO in
the completion of security-related requirements.
One commenter expressed concern that the roles and responsibilities
of the CySO are too complex for just one person, and often these
functions are performed by a team or multiple employees.
The Coast Guard notes that the CySO is required to ``ensure'' that
certain actions are conducted and allows for them to work with the team
and others who assist in carrying out those functions. The CySO is also
able to assign security duties as needed.
One commenter stated that the requirements under Sec. Sec.
101.625(d)(8) and 101.625(d)(9) were very similar and could be
combined. The requirements in question are to ensure the cybersecurity
awareness and vigilance of personnel through briefings, drills,
exercises, and training and to ensure adequate cybersecurity training
of personnel.
The Coast Guard agrees with this comment and removed ``through
briefings, drills, exercises, and training'' from Sec. 101.625(d)(8)
to provide CySOs with more flexibility, and less prescriptive measures,
on how they would meet the requirements, and also alleviate redundancy
in the language between paragraphs (d)(8) and (d)(9).
Several commenters requested that the Coast Guard remove the
requirement for cybersecurity inspections to be arranged in conjunction
with U.S.-flagged vessel, facility, and OCS facility inspections, as a
U.S.-flagged vessel, facility, or OCS facility might feel that they
need to conduct the cybersecurity inspection separately due to factors
such as availability of the CySO.
In this final rule, the Coast Guard revised Sec. 101.625(d)(6),
which requires the CySO to arrange for the cybersecurity inspection, to
reflect that cybersecurity inspections may be held in conjunction with
physical security inspections. This increases flexibility and decreases
burden for the U.S.-flagged vessel, facility, or OCS facility. The
Coast Guard notes that scheduling inspections is ultimately up to the
local COTP or the Officer in Charge, Marine Inspection (OCMI) in
working with the regulated U.S.-flagged vessel, facility, or OCS
facility.
F. Comments Related to the Cybersecurity Plan
Several commenters noted that there is a lack of clarity whether
one Cybersecurity Plan for a fleet is acceptable, or if each vessel and
facility requires its own Plan.
Each regulated U.S.-flagged vessel, facility, and OCS facility is
required to develop and maintain a Cybersecurity Plan.
Multiple commenters noted a lack of reference to ASPs. One
commenter also recommended that the Coast Guard allow the Passenger
Vessel Association (PVA)-specific ASP. As noted in Sec. 101.660 of
this final rule, the Coast Guard will allow owners and operators to use
ASPs to comply with this final rule. We added additional text to Sec.
101.660 to clarify that ASP provisions apply to cybersecurity
compliance documentation. Given the unique nature of cybersecurity
threats, vulnerabilities, and mitigation strategies, owners and
operators must ensure that use of ASPs includes those items specific to
each U.S.-flagged vessel, facility, and OCS facility. The Coast Guard
will evaluate each ASP's cybersecurity component to ensure full
regulatory compliance with each applicable requirement, including the
PVA-specific ASP.
One commenter recommended that Sec. 101.630(a) be amended to add
ASPs and OCS FSPs to the requirement for CySOs.
The Coast Guard partially concurs with the recommendation and added
references to OCS FSPs in Sec. 101.630(a) to clarify that OCS FSPs
follow the same requirements as VSPs and FSPs. However, we do not find
it necessary to add the term ``Alternative Security Program'' because
ASPs are already included as an option in Sec. 101.660 and are also
expressly addressed in 33 CFR parts 104, 105, and 106.
Some commenters stated that the Cybersecurity Plan should include
additional security measures for the vessel, facility, or OCS facility
to take in cases of increased MARSEC levels. For instance, MARSEC Level
3 Cybersecurity Controls may involve reviewing and authorizing all
remote access sessions; removing unpatched systems from direct internet
access; isolating or shutting down nonessential systems; requiring
multifactor authentication for all accounts; and reporting suspicious
activity to stakeholders, ISACs, CISA, and the Coast Guard.
Cybersecurity MARSEC actions should be specific, achievable, and
deliver meaningful security benefits. This enables the vessel or
facility to reduce vulnerabilities and enhance resilience, even for
short periods. They also suggested that the Cybersecurity Plan should
encourage owners or operators to implement additional measures anytime
credible threat information is known.
This final rule does not prevent a U.S.-flagged vessel, facility,
or OCS facility from adding such language or additional measures to
their Cybersecurity Plan, should they desire. However, the Coast Guard
did not add requirements for increased MARSEC levels in this final rule
and will not mandate this language because of multiple factors. First,
it is difficult to set MARSEC conditions solely based on cybersecurity
threats. Cybersecurity threats are constantly evolving, with new
vulnerabilities, attack vectors, and tactics emerging regularly. This
makes it challenging to establish static threat conditions that can
effectively address all potential scenarios. Additionally,
cybersecurity threats can originate from various sources, including
nation-states, cybercriminals, insiders, hacktivists, and others. Each
source has different capabilities, motivations, and methods, requiring
tailored threat conditions that are difficult to generalize. Even if we
were to set MARSEC conditions based on cybersecurity threats, it would
be challenging to list one-size-fits-all requirements that would work
for a wide array of vessels and port facilities, each with different
risk profiles and operational conditions. For example, vessels may face
different types of cyber-attacks depending on their routes, locations,
cargoes, and onboard technologies. Imposing blanket cybersecurity
requirements based on MARSEC conditions may not be practical in these
cases.
Furthermore, creating specific requirements for each MARSEC level
would necessitate constant updates and adjustments to keep pace with
the dynamic nature of cyber threats. This would place a significant
administrative burden on both the Coast Guard and the maritime
industry. Instead, we are maintaining a flexible and adaptive approach
to cybersecurity in this final rule that allows for tailored responses
based on the unique circumstances of each U.S.-flagged vessel,
facility, and OCS facility.
One commenter inquired about how a CySO would respond to elevations
in MARSEC levels.
The regulations in this final rule do not tie these minimum
baseline requirements to elevation in enforcement due to MARSEC level.
Guidance on responding to elevated MARSEC levels would come in a
separate Coast Guard directive.
One commenter questioned the use of ``major amendment'' when
requiring a resubmission of a Cybersecurity Plan in the regulations and
suggested further clarification or definition would be needed. Another
commenter expressed appreciation for the flexibility for each owner or
operator to determine what constitutes a ``major amendment'' as
appropriate for their organization based on types of changes to their
security measures and operational risks, but cautioned that this
creates its own uncertainty. The commenter requested that in the final
rule, the Coast Guard be more explicit or provide thresholds or
examples of what it considers ``major.'' The commenter also suggested
that factors such as cost and operational burden should be considered
(for example, more operators and employees or more equipment), and that
the threshold may be a percent of the current budget for cybersecurity
since each company will be different. The commenter reasoned that this
threshold would also provide clarity for Coast Guard personnel. Another
commenter suggested that such further clarification would be similar to
the Coast Guard's clarification of ``major conversion'' for materiel
requirements. Similarly, a commenter stated that the proposed 30-day
notice to the Coast Guard for approval of any proposed major amendments
to the Cybersecurity Plan would be overly burdensome and would likely
cause the Cybersecurity Plan to be in a constant state of flux because
of waiting for approvals and revisions, or could unnecessarily delay
security enhancements that may trigger a required audit or approval
cycle.
The Coast Guard recognizes these concerns. The Coast Guard
considered the suggestion to define ``major amendment'' much like the
Coast Guard has done with ``major conversion'' for materiel
requirements but does not agree with it. Rather than define the term
``major amendment,'' we removed it from Sec. Sec. 101.625(d)(13) and
101.630(e)(2) in this final rule. This removes any ambiguity about
which amendments require resubmission of the Cybersecurity Plan. It is also
consistent with our physical security requirements in 33 CFR parts 104,
105, and 106, which do not specify that only ``major'' amendments must
be sent to the Coast Guard for approval. See 33 CFR 104.415(a)(2),
105.415(a)(2), 106.415(a)(2). Removing the term ``major'' allows
stakeholders to address amendments uniformly across both physical
security and cybersecurity requirements. We retained the requirement to
submit proposed amendments within 30 days but note that Sec.
101.630(e)(2)(i) provides that nothing in this section should be
construed as limiting the owner or operator of the U.S.-flagged vessel,
facility, or OCS facility from the timely implementation of such
additional security measures not enumerated in the approved VSP, FSP,
or OCS FSP as necessary to address exigent security situations.
Some commenters recommended that the Coast Guard strike the
requirements, or make modifications to the requirements, related to an
owner or operator's submission of proposed amendments to the
Cybersecurity Plan. Some commenters suggested tailoring this to
``material'' or ``significant'' changes.
In this final rule, the Coast Guard did not remove this
requirement, as it is consistent with existing practice and 33 CFR
parts 104, 105, and 106. However, we revised Sec. 101.630 to remove
ambiguity by eliminating the term ``major amendment,'' as well as the
associated requirement that changes to the Cybersecurity Plan must be
proposed to the Coast Guard before implementation, as discussed above.
We added language to Sec. 101.630(e)(2)(i) to address situations when
an owner or operator may feel that security measures are needed while
an amendment is under review by the Coast Guard.
One commenter stated that it was not clear to the owner, operator,
or CySO whether they submit their Cybersecurity Plan to the COTP or
OCMI, or to the U.S. Coast Guard's MSC.
Under Sec. 101.625(d)(13), and according to Sec. 101.630(d), the
CySO must ensure the owner or operator submits the Cybersecurity Plan
for approval to the cognizant COTP or OCMI for facilities or OCS
facilities, or to the MSC for U.S.-flagged vessels.
One commenter suggested removing the requirement that the CySO
include ``a letter certifying that the plan meets the requirements of
this subpart must accompany the submission'' under Sec. 101.630(d).
The Coast Guard agrees with this recommendation, as submitting the
Cybersecurity Plan itself qualifies as certification that the Plan
meets all the requirements. The Coast Guard revised Sec. 101.630(d) to
remove the requirement to send this letter.
One commenter requested clarification on whether the Cybersecurity
Assessment and Cybersecurity Plan could be done separately from the
existing requirements for conducting an Assessment and Plan according
to 33 CFR parts 104, 105, and 106. Additionally, they sought
clarification on how this final rule affects Sec. 105.305(c)(1)(iv)
for existing security measures and procedures relating to services and
utilities, and Sec. 105.305(d)(2)(v) for radio and telecommunication
systems, including computer systems and networks.
This final rule allows for regulated U.S.-flagged vessels,
facilities, and OCS facilities to choose whether to incorporate
Cybersecurity Assessments and Cybersecurity Plans into their existing
assessments and plan submissions, or to submit them as separate
documents. Nothing in this final rule is meant to replace existing
regulations, and regulated entities should ensure compliance with all
applicable regulations. In the event there is overlap, entities may
identify where requirements are being simultaneously satisfied. We
revised the definition in Sec. 101.615 of Cybersecurity Plan and the
reference to Plan submission in Sec. 101.630(a) to clarify that
separate submissions are acceptable.
Several commenters recommended adopting various specific standards,
such as the NIST CSF, NIST's special publications, the Defense
Counterintelligence and Security Agency's National Industrial Security
Program, DoD's Cybersecurity Maturity Model Certification program 2.0,
IEC 62443, IMO, ISO/IEC 17020, the International Association of Ports
and Harbors' Cybersecurity Guidelines for Ports and Port Authorities,
the International Association of Classification Societies' (IACS)
Unified Requirements (UR) E26 and E27, the North American Electric
Reliability Corporation's CIP-013, and the American Bureau of
Shipping's (ABS) Cyber Resilience Program for vessels. Other commenters
inquired about leveraging third-party inspection standards, such as
ISO/IEC 17020. One commenter stated that this final rule's minimum
cybersecurity requirements and the ABS' Cyber Resilience Program for
vessels both leverage the NIST CSF and IEC 62443 and appear to be
directing the same efforts under the same framework. They inquired
about ABS and Coast Guard collaboration and alignment on these efforts.
The Coast Guard intentionally created this final rule to allow
flexibility in implementing a CSF. In developing this final rule, the
Coast Guard leveraged CISA's Cyber Performance Goals, which themselves
are mapped to NIST's CSF, but this does not preclude owners and
operators of U.S.-flagged vessels, facilities, and OCS facilities from
using other resources. Owners and operators may use NIST's standards or
other standards and frameworks to help inform how they comply with the
mandatory requirements in this final rule. This final rule provides
minimum baseline requirements, but we encourage affected entities to
include items in their Cybersecurity Plan that they deem in their best
interest to enhance cybersecurity. Each Plan will be evaluated by the
cognizant COTP or the OCMI for facilities and OCS facilities, and the
MSC for U.S.-flagged vessels to ensure it meets the Coast Guard
requirements.
The Coast Guard acknowledges that there are many third party and
international standards and frameworks that could be used to meet the
regulations. The owner or operator may use ABS or other third-party
frameworks to assist them in meeting the Coast Guard's requirements,
though this approach does not guarantee automatic acceptance or
approval by the Coast Guard. However, the Coast Guard retains all
statutory functions under MTSA and international responsibilities under
the International Ship and Port Facility Security Code. At this time,
we do not intend to delegate any functions to third parties under this
final rule.
One commenter stated that the current format, which closely follows
the regulatory format of 33 CFR parts 104, 105, and 106, was not well-
suited for cybersecurity requirements, and that something more in line
with NIST's Framework would be better.
The Coast Guard has chosen to articulate the cybersecurity
requirements within 33 CFR part 101 because these regulations impact
U.S.-flagged vessels, facilities, and OCS facilities collectively. This
format is presented in a more organized and accessible manner to the
maritime partners who are familiar with the MTSA regulations.
Additionally, Sec. 101.650 lists cybersecurity measures that are based
on CISA's CPGs, which are aligned with NIST's CSF. This approach
ensures clarity and facilitates easier compliance, allowing
stakeholders to view all pertinent cybersecurity regulations in a single,
consolidated section.
One commenter felt that certain areas of the NPRM were too
prescriptive, and that the Coast Guard should take an outcome-based
approach of the appropriate NIST CSF function.
Pursuing an outcome-based approach was not feasible based on
necessary timelines to develop and implement cybersecurity measures,
and the Coast Guard feels that its rules strike the best balance of
prescriptiveness because they are based on existing MTSA regulations
and existing interagency guidelines generally accepted by industry. We
recognize that some stakeholders may feel the requirements are too
prescriptive, while others commented that the requirements were not
prescriptive enough. The cybersecurity measures listed in Sec. 101.650
are based on CISA's CPGs, which are performance-based goals and
recommended actions and align with the NIST CSF. This approach ensures
clarity and facilitates easier compliance, allowing stakeholders to
view all pertinent cybersecurity regulations in a single, consolidated
section. The Coast Guard acknowledges that there are many third-party
and international standards and frameworks that could be used to meet
the regulations. Owners and operators of U.S.-flagged vessels,
facilities, and OCS facilities may base their Cybersecurity Plan on a
standard or framework that they prefer and explain how the requirements
of this final rule are met.
One commenter requested that the Coast Guard update language in the
regulations to clarify that the CySO does not conduct audits but is
limited to ensuring audits are conducted. Another commenter asked for
clarification on the scope of the audit the CySO must perform.
The Coast Guard agrees with this suggestion and revised Sec.
101.630(f)(2) in this final rule to clarify that the CySO does not
conduct the audit themselves and that the CySO must only ensure that an
audit is conducted. The Coast Guard did not add the additional language
to the regulatory text defining the term audit as it allows for
flexibility in how the regulated entity conducts their audit. The
regulatory text in Sec. 101.630(f) is in line with existing audit
requirements in 33 CFR parts 104, 105, and 106.
One commenter expressed support for Cybersecurity Assessments being
part of the Cybersecurity Plan renewal every 5 years when there is a
change in vessel or facility ownership, or there are major amendments
to the Cybersecurity Plan. However, they disagreed with requiring a
Cybersecurity Assessment annually, citing that annual Cybersecurity
Assessments are excessive for small businesses.
The Coast Guard did not make changes to the frequency required for
Cybersecurity Assessments. We believe that annual Cybersecurity
Assessments are important for regulated entities to continually monitor
for cybersecurity developments pursuant to Sec. 101.650(e). The
cybersecurity environment can change so rapidly that conducting a
Cybersecurity Assessment less frequently than annually could lead to
vulnerabilities going unnoticed, with potentially drastic consequences.
Moreover, the NIST guidelines state that risk assessments such as this
should be conducted no less than annually. We expect that entities with
a smaller or less complex IT and OT footprint will have shorter annual
Cybersecurity Assessments.
G. Comments Related to Drills and Exercises
We received many comments about requirements for drills and
exercises. Several commenters asked about the frequency and scope of
drills and exercises. Some commenters from regulated entities noted
that quarterly drills and annual exercises seemed excessive for
smaller, seasonal operators and low-risk MTSA-regulated entities. These
commenters suggested that quarterly drills and annual exercises would
create an excessive time and resource burden on those entities,
especially those with limited cyber exposure. One commenter noted that
the biggest security threats facing a domestic passenger vessel remain
a physical breach of security and suspicious individuals or activities
associated with criminal activity and not cyber activities.
Other commenters referenced existing drills and exercise
requirements for MTSA-regulated entities and recommended that the Coast
Guard allow for overlap with new cybersecurity drills and exercises and
existing required drills and exercises. Commenters also suggested that
drills should be conducted at the organizational level rather than at
the vessel or facility level. One commenter asked if drills are
expected to be a comprehensive test of the Cybersecurity Plan, meaning
the entirety of cybersecurity capabilities outlined in the
Cybersecurity Plan. Another commenter expressed confusion regarding
exercise requirements and tabletop simulation. One commenter stated
that separate drill requirements were excessive and unnecessary.
Another commenter requested further explanation on required crew
involvement. The commenter explained that onboard personnel have little
to no involvement in cyber-specific drills and recommended the Coast
Guard provide further explanation on the intent and extent of crew
involvement with these drills.
The Coast Guard believes that, while different stakeholders have
varying IT and OT footprints, it remains critical to incorporate some
level of drills and exercises to ensure that owners, operators, and
regulated entities are prepared to prevent and respond to increasing
cybersecurity threats. After considering these comments, in this final
rule, we have adjusted the frequency of conducting drills from
quarterly to twice each calendar year. We believe that two drills
annually will ensure sufficient proficiency with the procedures, while
allowing for a regulated entity to conduct additional drills if they
choose to, and we understand how quarterly drills and exercises could
be too frequent for some vessel operations, as noted by some
commenters. The Coast Guard felt that one drill annually would not be
sufficient, while requiring three drills annually would not be a
significant decrease from the original requirement of four drills
annually. We also clarified that cybersecurity drills required under
this part may be performed in conjunction with existing MTSA-required
drills and exercises. We decided to maintain annual exercises but will
also similarly allow exercises to be performed in combination with
existing MTSA-required exercises.
While owners and operators are authorized to conduct drills at the
organization level, each vessel, facility, and OCS facility has unique
risks and operators at the vessel, facility, and OCS facility level
should be experienced in addressing those unique vulnerabilities and
prepared to respond to such incidents appropriately. This final rule
states that drills should test individual elements of the Cybersecurity
Plan and, therefore, are not a comprehensive test of the entirety of
cybersecurity capabilities. The Coast Guard feels that tabletop
exercises, if selected by the regulated entity to comply with our
requirements, can serve as a full test of the CSF. This is similar to
tabletop exercises under Sec. Sec. 104.230(c)(2)(ii),
105.220(c)(2)(ii), and 106.225(c)(2)(ii), as participants can discuss
and simulate the implementation of specific measures found within the
Cybersecurity Plan.
The Coast Guard believes that this final rule provides the
necessary level of detail on the requirements on the conduct and
elements of drills and exercises. This final rule allows
each regulated entity the flexibility to determine the specific drills
and exercises they wish to conduct. Additionally, individual
stakeholders can determine the level of crew involvement in drills and
exercises based on individual crew and employee roles and
responsibilities within the organization.
Furthermore, the Coast Guard understands that each U.S.-flagged
vessel, facility, and OCS facility operates under different
cybersecurity risks. Owners and operators may seek an exemption or
waiver using the procedures in Sec. 101.665. This flexibility is
intended to accommodate varying levels of risk and operational needs
across different U.S.-flagged vessels, facilities, and OCS facilities.
H. Comments Related to Records and Documentation
One commenter noted that the 2-year recordkeeping mandate could be
quite costly compared to its value proposition.
The 2-year recordkeeping requirement is consistent with the
existing regulations and aligns with incorporating the Cybersecurity
Plan into a VSP, FSP, or OCS FSP if a regulated entity chooses to
include the Cybersecurity Plan as part of their VSP, FSP, or OCS FSP.
The Coast Guard recognizes that there may be varied costs associated
with record keeping but expects that these additional records would be
maintained similar to the existing records and could prove important in
the event of a future cyber incident.
One commenter requested clarification on what the Coast Guard was
not obtaining from covered entities' use of the Cyber Annex--which
supports an FSP and OCS FSP--under the MCAAG.
The Cyber Annex was intended to provide only initial cyber guidance
based on the regulations available at the time. Moreover, the MCAAG is
only a voluntary ``how-to'' guide and is not, itself, a regulation. The
Coast Guard recognizes that further actions are needed to better secure
the MTS from cyber threats and vulnerabilities. This final rule is the
next step for a new suite of baseline requirements specific to
cybersecurity that go beyond what was addressed previously in the
regulations and earlier guidance documents.
Some commenters expressed concerns over omitting FSP and OCS FSP
Cyber Annexes in the new regulatory framework and the implications for
companies that have already invested resources in developing these
annexes.
The existing requirement for the owners and operators of MTSA-
regulated facilities and OCS facilities to analyze vulnerabilities
associated with radio and telecommunication equipment, including
computer systems and networks, allows an owner or operator to
demonstrate compliance in a variety of formats. The information may be
provided in a separate Cyber Annex to the FSP or OCS FSP, or
incorporated into the FSP or OCS FSP together with the physical
security measures. Regulated entities that chose to create a separate
Cyber Annex may use the content of the existing Cyber Annex to help
develop a Cybersecurity Plan that reflects all cybersecurity measures
required in subpart F, as appropriate, to mitigate risks identified
during the Cybersecurity Assessment. As noted in Sec. 101.630(a), the
Cybersecurity Plan may be included in an existing VSP or FSP, or in a VSP
or FSP annex. This final rule amended Sec. 101.630(a) to clarify that the
Cybersecurity Plan may also be included in an OCS FSP, part of an
approved ASP, annex to the OCS FSP, or may be provided in a separate
submission (but is still considered a part of the VSP, FSP, or OCS
FSP).
The Coast Guard believes that this final rule provides sufficient
information for regulated entities to comply with requirements for a
Cyber Incident Response Plan. The term is defined in Sec. 101.615, and
the requirements for inclusion are described in Sec. Sec.
101.620(b)(6), 101.625(d)(4), and 101.650(g)(2).
One commenter noted that some ship OT systems have cybersecurity
requirements as mandated by the DoD and noted that some required
compliance elements pose a documentation duplication effort. They asked
what exceptions would be considered for those having to meet DoD
requirements.
The Coast Guard recognizes that cybersecurity requirements of other
Federal agencies may be similar to these requirements. However, due to
the specific nature of maritime cybersecurity considerations while
operating in the MTS, the Coast Guard requires documentation
specifically showing compliance with these regulations. At this time,
we are not considering blanket compliance exemptions for regulations of
other Federal agencies. Owners or operators may use this similar, but
separate, compliance to inform their compliance with Coast Guard
regulations.
I. Comments Related to Communications
One commenter noted that it was important to foster open
communication and explore diverse solutions for information sharing and
collaboration across stakeholders.
The Coast Guard agrees and encourages interested stakeholders to
communicate and explore information-sharing solutions. These
regulations are intended to establish certain baseline requirements
that provide a common regulatory framework for all stakeholders to
have those discussions.
J. Comments Related to Incident Reporting
The Coast Guard received numerous comments in response to our
request for input on the reporting of cybersecurity incidents and
whether those reports should be made to the Coast Guard through the NRC
or to CISA. Commenters were split between the two options, with some
citing the existing requirement to report security incidents to the NRC
as a reason to maintain this process, while others cited the proposed
requirements of CISA's CIRCIA rulemaking project. One commenter
suggested that reporting to CISA be updated to a 72-hour requirement,
whereas other comments suggested that the reporting be delayed until a
cybersecurity incident has been investigated by an entity. Another
commenter suggested that Global Positioning System (GPS) jamming and
spoofing should be included as incidents that require mandatory
reporting. One commenter suggested reporting to the Defense Cyber
Crimes Center (DC3)/DoD-Defense Industrial Base Collaborative
Information Sharing Environment (DCISE). One commenter suggested that
reporting should not be directed to the NRC due to the NRC being short-
staffed and not suited to receive the incident reports. One commenter
noted that CISA is already in a position to catalog such reports and
share critical information with those impacted in both private industry
and Government sectors, as this is part of their current mission.
One commenter cited the various reporting requirements of CIRCIA's
proposed rulemaking,\55\ the Coast Guard's NPRM, Executive Order 14116
(Amending Regulations Relating to the Safeguarding of Vessels, Harbors,
and Waterfront Facilities of the United States), along with the Coast
Guard's NVIC 02-24 and Policy Letter 08-16. The commenter requested
that the Coast
[[Page 6321]]
Guard work with CISA, who is less familiar with the maritime industry,
and deconflict the reporting requirements. In response to whether the
Coast Guard should require reporting of ransomware payments, one
commenter stated that they did not feel this would be wise. Other
commenters stated that they felt that ransomware and related payments
should indeed be reported. One commenter expressed concern with
reporting of incidents or KEVs between CySOs, noting that information
specific to a company should not be shared with other companies.
---------------------------------------------------------------------------
\55\ 89 FR 23644, April 4, 2024.
---------------------------------------------------------------------------
One commenter asked how the Coast Guard intended to share reported
information with all regulated entities. Another commenter similarly
suggested that the Coast Guard establish procedures within these
regulations for the reporting of Government incidents to other parties.
One commenter expressed concern that NRC personnel who will take
reports of cybersecurity incidents might not be specialized in
cybersecurity or have the appropriate knowledge and experience;
therefore, NRC personnel would be unequipped to take reports of
cybersecurity incidents. One commenter expressed concern about the
limitations for vessels when reporting an incident to the NRC via
telephone. The commenter noted that vessels might have limited internet
connections and requested that the Coast Guard allow alternative
communication methods such as very high frequency (VHF) or
International Maritime Satellite (INMARSAT) as options for reporting to
the NRC.
With this final rule, the Coast Guard expects reportable cyber
incidents to be reported to the NRC only by those entities not already
required to report cyber incidents under 33 CFR 6.16-1, as amended by
Executive Order 14116. Title 33 of the CFR, part 6.16-1, requires the
reporting of evidence of sabotage, subversive activity, or an actual or
threatened cyber incident involving or endangering any vessel, harbor,
port, or waterfront facility, which includes all current MTSA-regulated
U.S. vessels and facilities regulated by this rule. 33 CFR part 6.16-1
does not apply to OCS facilities regulated under 33 CFR part 106.
Therefore, those OCS facilities are subject to the reporting
requirements of this rule. Reporting to the NRC by these entities is in
line with established requirements and timelines, including under Sec.
101.305. It also enables a timely response to incidents by the Coast
Guard, as well as partner agencies with whom the NRC shares incident
reports immediately upon receipt. To minimize duplicative reporting
from the same entity, the requirement to report under this final rule
does not apply if the entity has reported the cybersecurity incident to
the Coast Guard pursuant to 33 CFR 6.16-1, highlighting that because
OCS facilities are not subject to the reporting requirements in 33 CFR
part 6, OCS facilities must report cyber incidents to the NRC under
this final rule.
Entities subject to reporting cybersecurity incidents under 33 CFR
6.16-1 must also report to the FBI and CISA, and they may also be
subject to reporting to CISA under CIRCIA once the final rule is
published and effective. The Coast Guard and CISA are committed to
minimizing the burden on entities and will assess the need for
additional policy guidance regarding the content of reports and the
mechanism for reporting to satisfy applicable requirements in this
part, Sec. 101.305, 33 CFR part 6, and the CIRCIA final rule to be
issued by CISA. The Coast Guard and CISA are committed to proactively
collaborating and issuing guidance to entities to harmonize cyber
reporting requirements to the extent possible and to clarify procedures
for reporting cyber incidents to the Coast Guard and to CISA,
respectively under current regulations, as well as in the future once
CIRCIA's regulations take effect.
Cyber incident reports to the Coast Guard and CISA serve
complementary but distinct operational purposes that are consistent
with each agency's respective missions and authorities. Reports to the
Coast Guard ``without delay'' under this part, Sec. 101.305, and 33
CFR part 6 serve as an immediate notification to support the rapid
response to events that may result in a TSI. Notifications to the NRC
are immediately shared with CISA, FBI, and other relevant agencies to
allow for the earliest mobilization of response and resources. Cyber
incidents can quickly escalate and evolve, and any delays to the
reporting can affect the ability to successfully respond to an
incident. Reporting to the NRC without delay allows the Coast Guard
COTPs to understand the potential risks of an incident and apply their
authority to protect the MTS, including the use of control and compliance
measures as provided at Sec. 101.410. In many cases, the goal of the
initial response is to ensure public safety, mitigate the consequences
of disastrous events, or prevent cascading impacts on critical
infrastructure or the public. This includes but is not limited to
minimizing loss of life and property, preventing environmental
disasters or other accidents at sea, assisting in the recovery of
critical IT or OT systems at ports or other facilities, defending the
sovereignty of the United States, and facilitating legitimate use of
maritime waterways. After the initial response, the notifications
enable the Coast Guard to evaluate the broader risks to the MTS based
on the specific vulnerability.
Separate from the Coast Guard's authorities under MTSA, but
consistent with what Congress has envisioned in CIRCIA, reporting
``covered cyber incidents'' to CISA under its future regulation within
72 hours of having a reasonable belief that such an incident occurred
(and ransom payments resulting from a ransomware attack within 24 hours
of the payment being made) serves a complementary but distinct
operational purpose from Coast Guard reporting requirements. As the
lead agency for Federal cybersecurity and the national coordinator for
critical infrastructure risk and resilience, CISA is well-positioned to
support Coast Guard cyber-related operations and address cross-sector
cyber risk more broadly under its forthcoming CIRCIA regulations. By
collecting more technical information via the CISA incident report than
was collected by the NRC in the initial report and cross-referencing
that information with other incidents reported in other critical
infrastructure sectors, CISA can support the Coast Guard's operations,
assist other entities in the MTS in mitigating exploited
vulnerabilities, quickly identify other entities that may be at risk
across critical infrastructure sectors, automate sharing information
across the public and private sectors to protect against similar
incidents in the future, and counter sophisticated cyber campaigns
earlier.
CISA's further sharing of reported threat activity and impact
information (for example, techniques, tactics, and procedures used to
cause physical, functional, or informational impacts) will enable other
Federal and non-Federal stakeholders to more effectively allocate
resources and inform the development of more secure products.
Furthermore, reporting incidents to CISA under the CIRCIA final rule
will improve the U.S. Government's collective visibility into the
national cyber threat landscape and close critical information gaps.
The Coast Guard does not enumerate specific incident types in this
final rule but relies on the definition of reportable cyber incidents,
as well as existing definitions for breaches of security and
transportation security incidents, as defined in Sec. 101.105, and
suspicious activity as described in Sec. 101.305.
The Coast Guard through this final rule is not requiring reporting
to any entity outside of the NRC, such as DC3
[[Page 6322]]
or DCISE, as the NRC already has an established process and
relationship with the regulated entities affected by this final rule.
The Coast Guard disagrees that the NRC would be unable to
accommodate reported cybersecurity incidents. The NRC already receives
reports of cybersecurity incidents according to the reporting
requirements of Sec. 101.305, which includes cybersecurity.
The Coast Guard agrees that reporting requirements, including those
of existing MTSA regulations, this final rule, and the recent Executive
Order 14116 updating 33 CFR 6.16-1 on cybersecurity, should be
harmonized to the extent practicable and in accordance with the law.
Policy Letter 08-16 was superseded by NVIC 02-24, which provides
guidance on existing MTSA reporting requirements as well as those
addressed by the recent Executive Order. The Coast Guard will work with
partner agencies to maximize harmonization and alignment with this
final rule to the extent practicable by assessing the need for new
policy guidance regarding reporting requirements under this final rule,
33 CFR 6.16-1, and the CIRCIA final rule to be issued by CISA.
The definition for a reportable cyber incident provides regulated
entities with sufficient information to determine when to report a
ransomware incident. The Coast Guard did not add a requirement for the
reporting of a ransomware payment. Note that a separate requirement to
report ransom payments to CISA may be included in the forthcoming
CIRCIA final rule issued by CISA.
In Sec. 101.650(e)(3)(iii), this final rule requires each owner or
operator of a regulated entity to maintain a method to share threat and
vulnerability information with external stakeholders, but does not
require sharing information with private companies that have no
relationship with the regulated entity or do not have a role in
facilitating cybersecurity response or the cybersecurity posture of the
regulated entity.
The requirements in this final rule for reporting cybersecurity
incidents apply to U.S.-flagged vessels, facilities, and OCS facilities
and detail how to report to the Government. This final rule does not
establish requirements for the Government to share information with the
public, and the Coast Guard does not intend to immediately share
cybersecurity incident reports from a regulated entity with other
private stakeholders. If needed, the Coast Guard or other agencies can
develop bulletins, advisories, or other guidance to address
cybersecurity threats, risks, and vulnerabilities that may be
discovered. Similarly, this final rule does not establish processes or
procedures for the Government to report its own incidents to the
public, as this final rule only addresses requirements for those
entities addressed under the Applicability section in Sec. 101.605.
The Coast Guard disagrees with any suggestion that NRC personnel
would be unable to take a report of a cybersecurity incident. NRC
personnel stand watch 24 hours a day, 7 days a week, receive
cybersecurity incident reports according to Sec. 101.305, and have
demonstrated the capability to collect the information required in an
initial incident report. Upon receipt of the
incident report, the NRC immediately shares the information with the
Coast Guard Cyber Command (CGCYBER), DHS, CISA and other relevant
Government agencies that have the specialization, knowledge, and
experience to conduct any further follow up after the initial report.
The Coast Guard is not prescribing an alternative reporting process
through VHF or INMARSAT, but this final rule does not limit the
reporting of reportable cyber incidents to telephone only and affirms
that reports can be made by any means necessary. Vessels without
connectivity are encouraged to use alternative methods to contact their
designated person ashore to assist with reporting the incident without
delay.
One commenter suggested that a vessel's RO be the one to report
cyber issues to the Coast Guard.
The Coast Guard disagrees with this suggestion. This final rule
provides sufficient clarification as to which entities should be
reporting in each situation (for example, an assessment, audit, or a
reportable cyber incident), and is consistent with existing MTSA
regulations.
One commenter recommended that organizations develop tiered levels
of cyber incident events and incidents in their Cyber Incident Response
Plan.
The Coast Guard agrees that owners and operators of U.S.-flagged
vessels, facilities, and OCS facilities should take the approach that
best suits their needs when developing their Cyber Incident Response
Plan. However, the Coast Guard does not prescribe any specific
requirements in this final rule. While a tiered approach to cyber
incident reporting can provide structure, it may inhibit the
adaptability and responsiveness that are crucial for effectively
managing cyber incidents in a rapidly evolving threat landscape. The
Coast Guard prefers owners and operators to customize their incident
response plans to meet their unique needs and requirements.
K. Comments Related to Cybersecurity Measures (Sec. 101.650)
One commenter requested that Sec. 101.650 for cybersecurity
measures include a caveat that, in situations when security measures
might create safety risks, the safety concern is to be
prioritized.
The Coast Guard appreciates the concern for safety, and we do not
intend for these regulations to conflict with other Coast Guard
regulations for safety. The Coast Guard does not foresee a degradation
in physical safety caused by these cybersecurity regulations and
believes it would generate confusion if an undefined safety-based
caveat were included. If owners or operators have concerns with
specific application of the cybersecurity regulations, the Coast Guard
encourages those owners and operators to discuss with the cognizant
COTP, OCMI, or MSC, as appropriate. This final rule provides procedures
for requesting equivalencies or waiver from the Coast Guard, if
appropriate, in Sec. 101.665.
One commenter suggested that cybersecurity measures be incorporated
for heightened threat periods.
The Coast Guard has issued these regulations as baseline
cybersecurity requirements, as cybersecurity can pose a risk at all
times, even under normal threat periods. The Coast Guard encourages
owners or operators of U.S.-flagged vessels, facilities, and OCS
facilities to address and incorporate cybersecurity measures for
heightened threat periods, if desired and as best fits their needs. The
Coast Guard is also able to issue cybersecurity guidance or directives
as needed, if there are specific threats and incidents. At this time,
we do not believe that any specific and standing requirements for
heightened threat periods should be added to this final rule.
One commenter requested that the Coast Guard add language specific
to GPS denial and spoofing, and Automatic Identification System (AIS)
and timing concerns.
The Coast Guard is not including a definitive list of systems and
equipment in this final rule. We encourage affected entities to address
those vulnerabilities which they identify in their own Assessments, or
are otherwise concerned about, and to tailor drills and exercises to
those areas where they have the most concern, which may include GPS
denial and AIS spoofing. We also do not mandate training or drills on
specific vulnerabilities or threats.
[[Page 6323]]
One commenter asked why outdated CPGs were used for the NPRM.
At the time the Coast Guard initially developed these regulations,
Version 1.0 of CISA's CPGs was the most recent. The Coast Guard
conducted an analysis to identify any significant changes between
versions 1.0 and 2.0 and made changes to the regulatory text where
appropriate. Only minor changes were needed. The Coast Guard will
continue to monitor CISA's efforts related to CPGs to determine whether
a subsequent rulemaking will be needed in the future.
One commenter suggested that the Coast Guard should clarify how
this final rule applies to facilities already regulated by other
authorities, particularly TSA's Security Directives. The commenter also
suggested that docking ship connections be limited to systems essential
for mooring, emergency operations, and ship-to-shore communications.
If an owner or operator is concerned that it may be subject to
TSA's requirements and needs clarification on harmonizing compliance
between TSA and Coast Guard requirements, they should notify the
cognizant COTP or OCMI. If appropriate, the Coast Guard will consider
procedures for waivers or equivalents in Sec. 101.665 or have
additional conversations with TSA. The Coast Guard is not placing
specific requirements on what docking ship connections are allowed, and
instead leaves this determination to the owner or operator.
One commenter recommended inclusion of additional requirements for
logs, as well as a shipboard Security Information and Event Management system.
They further recommended requirements for post-shipyard inspections and
maintenance, particularly after a vessel departs an adversarial port.
The Coast Guard seeks to strike a balance and chose not to impose
requirements that would be so prescriptive that compliance would be too
difficult for some segments of the regulated industry. These
requirements generally provide latitude for owners, operators, or CySOs
to determine the specific means needed to comply with the regulatory
requirements. These regulations represent minimum baseline
requirements, but the Coast Guard encourages regulated entities to take
any additional actions they feel are necessary to address their
cybersecurity needs, so long as such additional cybersecurity measures
are documented in their Cybersecurity Plans.
L. Comments Related to Account Security Measures (Sec. 101.650(a))
Some commenters requested changes to the section on account
security measures, seeking to modify requirements for account lockout,
multifactor authentication, and user credentials as they relate to
certain OT systems. They expressed concerns that these measures could
disrupt critical operations, deny access during emergency situations,
and potentially be exploited by malicious actors to halt operations.
One commenter suggested an outcome-based requirement for OT systems
because the prescriptive approach may not suit many organizations and
could quickly become outdated due to advancing technology.
The Coast Guard reviewed Sec. 101.650(a) and revised specific
requirements as appropriate, as they relate to OT systems. In some
cases, we maintained the proposed text in line with CISA's CPGs,
recognizing what provided the best level of cyber protection. The Coast
Guard recognizes that OT systems may have unique considerations that
are different from IT systems. The Coast Guard agrees that automatic
account lockout in OT systems could have catastrophic consequences in
emergency situations. We adjusted these requirements to reflect updates
that CISA provided to its CPGs based on public comments they received.
These updated requirements took into consideration the public comments
that certain items, such as account lockout and multifactor
authentication, could, when applied to OT systems, have the effects
those comments described.\56\ Based on this review, we
revised Sec. 101.650(a)(1) to remove the references to OT systems and
automatic account lockout due to failed logins.
---------------------------------------------------------------------------
\56\ See <a href="https://www.cisa.gov/cybersecurity-performance-goals">https://www.cisa.gov/cybersecurity-performance-goals</a>,
accessed November 12, 2024.
---------------------------------------------------------------------------
The Coast Guard disagrees that these requirements are too
prescriptive. The Coast Guard reiterates that these regulations
represent minimum baseline requirements, and owners and operators are
welcome to take additional actions and measures as they deem necessary
or appropriate to best protect their systems and equipment. In cases
when owners or operators do not feel that they can comply with account
security measures, or feel that a requirement is unnecessary, they
may submit a request for a waiver or equivalent using the procedures in
Sec. 101.665.
One commenter noted the benefits of zero-trust architecture. Some
commenters noted the importance of logs in detecting and responding to
cyber-attacks and recommended that we accept next-generation logging
capabilities. One commenter offered an example of one such system.
The Coast Guard notes that zero-trust architecture is one of many
solutions that organizations may choose to use to comply with this
final rule. The Coast Guard does not prescribe specific systems or
equipment or ways to comply with these requirements. The Coast Guard
recognizes that there are multiple systems, equipment, and products
available, and it is up to the owner or operator to identify the option
that best suits their needs while ensuring they meet the requirements
of this final rule.
Some commenters expressed concern with multifactor authentication
on vessels. They stated that the owner or operator should have
flexibility to adequately and specifically address this, rather than a
prescriptive approach. These commenters noted it is challenging
especially for internationally operating vessels with a constantly
changing crew and limited or no access to internet while in transit.
They also stated that providing mobile phones to the crew is not
advisable, noting that encouraging the use of personal devices may lead
to significant resistance. The commenters believed that an alternative,
such as hardware tokens for two-factor authentication, presents
challenges, including distribution, configuration, and the risk of
tokens being misplaced. Another commenter requested that multifactor
authentication only be in place for remote access from untrusted
networks into OT systems according to IACS UR E27 \57\ for new ships,
and with an implementation period for existing ships.
---------------------------------------------------------------------------
\57\ IACS UR E27, Cyber Resilience of On-Board Systems and
Equipment, press release information available at: <a href="https://iacs.org.uk/news/iacs-ur-e26-and-e27-press-release">https://iacs.org.uk/news/iacs-ur-e26-and-e27-press-release</a>, accessed August
16, 2024.
---------------------------------------------------------------------------
The Coast Guard recognizes that measures such as two-factor
authentication may pose unique challenges to vessels, but also notes
that there are multiple ways to implement multifactor authentication
that do not require internet access. While carriers may not currently
provide phones or other devices for this purpose, because this is a new
rulemaking, owners and operators may have to take actions and steps
that were not previously taken, if that is how they determine they can
best comply with the regulations. It is up to the owner or operator to
implement appropriate
multifactor authentication given their
[[Page 6324]]
business operations and accessibility to internet connectivity. Such
multifactor authentication may include a variety of methods, including
passwords, physical devices such as security tokens or access cards, or
biometrics. Additionally, as is the case for all requirements in this
final rule, if an owner or operator has reviewed all possible options
and determines that they cannot comply with any aspect of the
regulations, they may follow the process for requesting a waiver or
equivalence. The Coast Guard is not relaxing the requirements further
for U.S.-flagged vessels. If owners or operators do not feel that they
can comply with account security measures, they may submit a request
for a waiver or equivalent using the procedures in Sec. 101.665.
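As an added illustration of the point above that a second authentication factor can be checked on board without internet access (example code, not text or code from the Federal Register or the Coast Guard): an RFC 6238 TOTP verifier that needs only the secret shared with a crew member's token or authenticator app and the local clock. The secret is the RFC 6238 test-vector secret, and the drift window and replay tracking are this example's own assumptions.

```python
"""Offline TOTP (RFC 6238) verification for a shipboard login.

Added example, not text or code from the Federal Register or the Coast
Guard. It shows why a second factor needs no internet link: the verifier
needs only the secret shared with the crew member's token or app and the
local clock. The secret is the RFC 6238 test-vector secret; the drift
window and replay tracking are this example's own design choices.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


class OfflineTotpVerifier:
    """Checks submitted codes against the shared secret using only the
    local clock. `window` extra steps on each side tolerate clock drift on a
    vessel without NTP; the highest accepted step is remembered so that a
    code seen by an onlooker cannot be replayed within that window."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_step = -1  # highest time step already used to log in

    def verify(self, candidate: str, unix_time: Optional[int] = None) -> bool:
        """Return True if `candidate` is the code for the current step or one
        within +/- window steps and that step has not been used before."""
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_step:
                continue  # already consumed: reject replay
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, candidate):  # constant-time compare
                self.last_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real one
    verifier = OfflineTotpVerifier(secret)
    code = totp(secret, 59)  # what the crew member's token would display at T=59
    print("first use:", verifier.verify(code, 59))   # True
    print("replayed:", verifier.verify(code, 59))    # False
```

Provisioning the secret to the token still has to happen in a trusted setting, and the drift window should be kept small because each extra step widens the set of codes a guess can match.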
One commenter requested clarification on the use of passwords: whether
they are required and, if so, what the requirements for them would be.
The Coast Guard does not mandate the use of a password, only that
if passwords are used or if a system is capable of password protection,
the passwords are of sufficient strength and meet certain criteria to
help defend against cyber-attacks based on the criticality of the
system as described in Sec. 101.650(a).
M. Comments Related to Device Security Measures (Sec. 101.650(b))
One commenter expressed concern about including a network map in
the Cybersecurity Plan.
The Coast Guard recognizes the sensitivity of network maps. We
revised Sec. 101.650(b) to clarify that each owner or operator or
designated CySO of a U.S.-flagged vessel, facility, or OCS facility
must ensure the device security measures are in place, addressed in
Section 6 of the Cybersecurity Plan, and made available to the Coast
Guard upon request. Therefore, network maps do not need to be submitted
with the Plan, but they must be maintained by the regulated entity and
made available to the Coast Guard upon request.
One commenter noted that far too few entities have inventoried
their IT and OT assets and supported the requirement to maintain an up-
to-date asset inventory. The commenter also noted that recognizing the
unique needs and limitations of OT environments is essential for
effective cybersecurity regulation and implementation. Finally, the
commenter strongly supported the requirement for owners and operators
of covered infrastructure to designate and inventory critical IT and OT
systems. The commenter noted, however, that frequent IT patches and
updates are impractical in OT environments, as they can disrupt
critical operations and complicate compatibility testing due to real-
time demands.
The Coast Guard appreciates the support for an IT and OT system
inventory. It is up to the owner or operator to determine the frequency
at which OT patches and updates are conducted according to their
Cybersecurity Plan to mitigate the risks identified in their
Cybersecurity Assessment.
Several commenters indicated concerns regarding requirements
relating to OT systems. Paragraph (e)(3)(v) of Sec. 101.650 indicates
that no OT system is to be connected to the publicly accessible
internet unless explicitly required for operation and supported by
documented justification. However, the commenters noted that an OT
system connected to the internet can transmit machine data to the
manufacturer, enabling the manufacturer to offer Smart Planned
Maintenance decision support to the owner.
The Coast Guard appreciates these concerns and notes that each
situation will be evaluated on its own merits on a case-by-case basis.
Regulated entities may discuss specific concerns with the cognizant
COTP, OCMI, or the MSC as appropriate. An owner or operator may also
request a waiver or equivalence determination for the requirements
according to the procedures in Sec. 101.665.
Several commenters indicated concern regarding creating and
maintaining an approved list of hardware, software, and firmware.
The Coast Guard acknowledges the potential burden in creating an
approved list of hardware, software, and firmware; however, it is
necessary to increase visibility into deployed technology assets and
reduce the likelihood of breach by users installing unapproved
hardware, firmware, or software. The Coast Guard anticipates that after
developing the initial list, it will be easier for owners and operators
to update the list in the future. Owners and operators may also find
that their list is similar across multiple vessels or facilities within
their organization. The Coast Guard does acknowledge that this will
rely on coordination and cooperation of vendors and managed service
providers.
One commenter requested clarification whether the proposed
requirements are applicable only to mission critical IT and OT systems,
or, applicable to all onboard IT and OT systems.
The Coast Guard revised this final rule to clarify where the
regulations apply to all IT and OT systems and where they apply to the
critical IT and OT systems. For example, we removed reference to OT
systems in Sec. 101.650(a)(1) and specified that the requirements in
Sec. 101.650(e)(1)(i) and (iv) are for critical IT and OT systems.
One commenter stated that the requirement in Sec. 101.650(b)(2) to
ensure applications running executable code must be disabled by default
on critical IT and OT systems is unclear and requested adjustment to
the text.
The Coast Guard disagrees that this text is unclear. The text
requires entities to disable applications running executable code on
critical IT and OT systems. The primary vulnerability associated with
executable code is the potential for malicious code to be embedded
within it, allowing attackers to exploit vulnerable systems when
users open certain programs without being aware of what is being done in
the background. This essentially turns the device into a vehicle for
launching cyberattacks or can lead to data theft, unauthorized system
access, and other harmful actions. Executable code technologies include
Java applets, JavaScript, HTML5, WebGL, and VBScript as well as macros
used within products like Microsoft Office. IT and OT personnel will be
familiar with the vulnerabilities associated with executable code and
will understand the requirements of this provision.
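As an added illustration (not part of the rule text or of any Coast Guard guidance), the following Python script shows one way an owner or operator could evidence "disabled by default" for one item on the list above, Microsoft Office macros, by auditing an exported Windows registry policy file (.reg) from a critical workstation. The registry paths, the meaning of the VBAWarnings values (4 = disable all macros without notification), and the blockcontentexecutionfrominternet setting are assumptions based on Microsoft's published Office policy settings and should be verified against the Office version in use; the .reg text is constructed, not taken from any vessel or facility. Browser-side JavaScript, WebGL and the other technologies named above need their own controls and are not covered here.

```python
"""Audit an Office macro policy export for 'disabled by default'.

Added example, not part of the Coast Guard rule. Registry paths and value
meanings are assumptions to verify against the Office version deployed.
"""
import re

# Constructed sample of a regedit export for the Office policy keys.
# A real export is UTF-16LE; read it with open(path, encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000004
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"blockcontentexecutionfrominternet"=dword:00000000
"""

# VBAWarnings per Office Trust Center policy (assumption): 1 enable all,
# 2 disable with notification, 3 disable except signed, 4 disable all
# without notification. Only 4 leaves the user no way to enable macros.
VBA_DISABLED_NO_NOTIFY = 4
APPS = ("Word", "Excel", "PowerPoint")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles dword: and plain string values, enough for policy auditing."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def policy_path(app, office_version="16.0"):
    return (f"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\"
            f"{office_version}\\{app}\\Security")


def macro_policy_findings(keys, office_version="16.0"):
    """One (app, setting, actual, expected) tuple per weak or missing setting.
    A missing key is a finding: without a policy, the user's own Trust Center
    choice governs, which is not 'disabled by default'."""
    findings = []
    for app in APPS:
        values = keys.get(policy_path(app, office_version), {})
        vba = values.get("VBAWarnings")
        if vba != VBA_DISABLED_NO_NOTIFY:
            findings.append((app, "VBAWarnings", vba, VBA_DISABLED_NO_NOTIFY))
        motw = values.get("blockcontentexecutionfrominternet")
        if motw != 1:
            findings.append((app, "blockcontentexecutionfrominternet", motw, 1))
    return findings


def hardened_reg(office_version="16.0"):
    """Emit the corrected policy for the same applications: all macros
    disabled without notification, Mark-of-the-Web macro blocking on."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for app in APPS:
        lines.append(f"[{policy_path(app, office_version)}]")
        lines.append(f'"VBAWarnings"=dword:{VBA_DISABLED_NO_NOTIFY:08x}')
        lines.append('"blockcontentexecutionfrominternet"=dword:00000001')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for app, setting, actual, expected in macro_policy_findings(parse_reg(SAMPLE_REG)):
        print(f"{app}: {setting} is {actual!r}, expected {expected}")
    print("--- corrected policy ---")
    print(hardened_reg())
```

Run against the constructed export, the script flags Word (macros disabled only with a notification the user can click through) and PowerPoint (no VBAWarnings policy at all, and Internet-sourced macros not blocked), while Excel passes; the emitted corrected .reg can be imported through Group Policy preferences or a logon script, and re-running the audit on the result yields no findings. Because the audit works on an export rather than a live host, the same script can be run across every vessel or facility in an organization.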
N. Comments Related to Data Security Measures (Sec. 101.650(c))
One commenter stated that the phrase ``document and mitigate any
vulnerabilities'' in Sec. 101.650(e)(1)(iv) caused concern with the
use of the word ``any,'' as there may not be mitigations or patches
available.
The Coast Guard revised paragraph (e)(1)(iv) in Sec. 101.650 to
clarify that the regulated entity will ensure patching or
implementation of documented compensating controls for all KEVs in
critical IT or OT systems, without delay, at the time of their annual
assessment, as well as part of routine maintenance.
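As an added illustration (not part of the rule text or of any Coast Guard guidance), the following Python script shows how the revised paragraph (e)(1)(iv) can be checked mechanically: every entry in CISA's Known Exploited Vulnerabilities catalog that matches a critical IT or OT system must be either patched or covered by a documented compensating control, and anything else is reported as open. The catalog entries, asset inventory, and compensating-control register below are constructed placeholders (the CVE-1900-* identifiers do not exist); only the JSON field names follow CISA's public known_exploited_vulnerabilities.json schema. A real run would load the published catalog and the entity's own inventory.

```python
"""Reconcile a critical-system inventory against the CISA KEV catalog.

Added example for illustration; not part of the rule or Coast Guard
guidance. All records below are constructed placeholders.
"""
import json

# Constructed stand-in for CISA's known_exploited_vulnerabilities.json. The
# field names follow the public schema; the entries are not real.
KEV_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleCo", "product": "HelmSuite",
         "dateAdded": "2024-10-01", "dueDate": "2024-10-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleCo", "product": "CargoView",
         "dateAdded": "2024-11-15", "dueDate": "2024-12-06",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-1900-0003", "vendorProject": "OtherCo", "product": "ShoreLink",
         "dateAdded": "2024-12-01", "dueDate": "2024-12-22",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: one record per IT/OT system, whether the
# Cybersecurity Assessment classed it as critical, and which KEV CVEs the
# vendor has confirmed patched on it.
INVENTORY = [
    {"asset": "bridge-ecdis-01", "critical": True, "vendor": "ExampleCo",
     "product": "HelmSuite", "patched": {"CVE-1900-0001"}},
    {"asset": "terminal-tos-02", "critical": True, "vendor": "ExampleCo",
     "product": "CargoView", "patched": set()},
    {"asset": "crew-kiosk-03", "critical": False, "vendor": "OtherCo",
     "product": "ShoreLink", "patched": set()},
]

# Constructed compensating-control register keyed by (asset, CVE); the text is
# what the Cybersecurity Plan would document when no patch is available.
COMPENSATING_CONTROLS = {
    ("terminal-tos-02", "CVE-1900-0002"):
        "CC-07: service reachable only from the OT management VLAN; vendor fix pending",
}


def load_catalog(text):
    """Index KEV entries by (vendor, product), case-folded for matching."""
    index = {}
    for entry in json.loads(text)["vulnerabilities"]:
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        index.setdefault(key, []).append(entry)
    return index


def reconcile(catalog_index, inventory, controls, critical_only=True):
    """Return one finding per (asset, KEV) pair with status 'patched',
    'compensated' or 'open'. The KEV catalog carries no version data, so a
    vendor/product match is a candidate the owner must confirm against the
    installed version, not a proven exposure."""
    findings = []
    for asset in inventory:
        if critical_only and not asset["critical"]:
            continue
        key = (asset["vendor"].casefold(), asset["product"].casefold())
        for entry in catalog_index.get(key, []):
            cve = entry["cveID"]
            if cve in asset["patched"]:
                status, note = "patched", ""
            elif (asset["asset"], cve) in controls:
                status, note = "compensated", controls[(asset["asset"], cve)]
            else:
                status, note = "open", entry["requiredAction"]
            findings.append({"asset": asset["asset"], "cve": cve, "status": status,
                             "kev_due": entry["dueDate"], "note": note})
    return findings


def open_findings(findings):
    """Findings with neither a patch nor a documented compensating control."""
    return [f for f in findings if f["status"] == "open"]


if __name__ == "__main__":
    report = reconcile(load_catalog(KEV_JSON), INVENTORY, COMPENSATING_CONTROLS)
    for f in report:
        print(f"{f['asset']:16} {f['cve']:14} {f['status']:12} {f['note']}")
    # Non-zero exit lets a scheduled run fail loudly when a KEV is uncovered.
    raise SystemExit(1 if open_findings(report) else 0)
```

On the constructed data the critical-only run produces no open findings: the ECDIS host is patched and the terminal operating system has a documented compensating control. Running with critical_only=False surfaces the unpatched kiosk, which the rule's "critical IT or OT systems" scope does not require but which an owner or operator may still want to track. Keeping the register of compensating controls as data, rather than as free text in a plan, is what makes "documented" verifiable at the annual assessment.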
One commenter expressed concern about the lack of specificity in
the level and type of logging and monitoring of IT and OT systems for
breaches of security, suspicious activity, TSIs, and cyber incidents.
Given the wide array of IT and OT systems, mandating a one-size-
fits-all level of logging is not practical. Each U.S.-flagged vessel,
facility, and OCS facility should customize its logging system to best
address its specific risks and technologies and document the
customization in the Plan.
[[Page 6325]]
Some commenters expressed concern about encrypting data, in transit
and at rest, on IT and OT systems, as it may be difficult to do on OT
systems or other legacy systems.
The Coast Guard revised Sec. 101.650(c)(2) to better describe our
expectations regarding data encryption. The revised text specifies that
effective encryption must be deployed to maintain confidentiality of
sensitive data and integrity of IT and OT traffic, when technically
feasible. Encrypting data, in transit and at rest, is an example of
when a requirement may not be technically feasible. In this case, the
regulated entity should describe in its Cybersecurity Plan the aspects
with which it can comply. Additionally, if an owner or operator has
further concerns about how they can comply with these requirements,
they can follow the process for requesting a waiver or equivalent
according to Sec. 101.665.
One commenter recommended that the Coast Guard add specific
requirements for wireless communications as noted in IACS UR E26
4.2.5.3.\58\
---------------------------------------------------------------------------
\58\ IACS (UR E26 4.2.5.3) Cyber Resilience of Ships: <a href="https://www.american-club.com/files/files/ur-e26-new-apr-2022.pdf">https://www.american-club.com/files/files/ur-e26-new-apr-2022.pdf</a>, accessed
November 13, 2024.
---------------------------------------------------------------------------
The Coast Guard has not added specific requirements for wireless
communications. During their Cybersecurity Assessment, each owner or
operator of a regulated U.S.-flagged vessel, facility, or OCS facility
may identify wireless communications as part of their IT and OT systems
and equipment being assessed, as applicable.
One commenter suggested adding the requirement that remote
connections to OT systems be made with secure connection and endpoint
authentication, protection of integrity and authentication, and
encryption at network or transport layer.
The Coast Guard disagrees that additional requirements are
necessary. This final rule's requirements for remote connections are
sufficient as minimum baseline requirements as noted in Sec.
101.650(a)(4). Owners or operators of U.S.-flagged vessels, facilities,
and OCS facilities are welcome to take additional measures as
appropriate to their systems, equipment, and operations.
Some commenters questioned whether all data should be required to be
encrypted. Another commenter suggested that data security should
include PII, including employee records and access control data, such
as access control databases used for physical access, which could
include information on Transportation Worker Identification
Credentials, other PII, etc. Physical Access Control Systems (PACS) log
physical entries into a facility, and this should likewise be treated
as PII and sensitive security information. When practical, PACS
servers, networks, devices, applications, and software should be air-
gapped or isolated from IT and OT networks to prevent intrusion or
alteration of data that could allow unauthorized physical access.
The Coast Guard revised Sec. 101.650(c)(2) to clarify that only
sensitive data must be encrypted. The Coast Guard has not, however, added
these specific items to the requirements, but, rather, allow
[…truncated; see source link]