Yesterday, the Coast Guard (CG) published a notice of proposed rulemaking for “Cybersecurity in the Marine Transportation System”. The proposed regulations would update the maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This is the second in a series of posts about the provisions of that rule.
Definitions
In this post I will be looking at the requirements in the rulemaking for cybersecurity officers. The proposed §101.615 provides definitions for key terms used in this discussion.
Cyber Incident Response Plan,
Cybersecurity Assessment,
Cybersecurity Officer (CySO),
Cybersecurity Plan, and
Known exploited vulnerabilities (KEV).
Owner Responsibilities
Section 106.620 provides that the owner-operator of any covered vessel or facility has primary responsibility for the implementation of the requirements of this new Subpart F. One of the enumerated responsibilities in §106.620(b) is the requirement to designate in writing the Cybersecurity Officer for each covered vessel or facility. Subparagraph (b)(3) requires that the CySO be “accessible to the Coast Guard 24 hours a day, 7 days a week”. It also requires that the appointment document specify how the CG can contact the CySO.
CySO Responsibilities
Section 106.625 spells out the requirements and responsibilities of the Cybersecurity Officer. In the preamble to the rule, the CG notes that there is broad latitude on who may be appointed to this role:
“The CySO may be a full-time, collateral, or contracted position. The same person may serve as the CySO for more than one [US flagged] vessel, [MTSA covered] facility, or OCS [Outer Continental Shelf] facility.”
Paragraph (c) specifically allows the CySO to “assign security duties to other vessel, facility, or OCS facility personnel” while making clear that the CySO retains ultimate responsibility for those duties.
Paragraph (d) specifies the responsibilities of the CySO for ‘each vessel, facility, or OCS facility for which they are designated’:
Ensure that the Cybersecurity Assessment is conducted,
Ensure the cybersecurity measures in the Cybersecurity Plan are developed, implemented, and operating as intended,
Ensure that an annual audit of the Cybersecurity Plan and its implementation is conducted and, if necessary, ensure that the Cybersecurity Plan is updated,
Ensure the Cyber Incident Response Plan is executed and exercised,
Ensure the Cybersecurity Plan is exercised in accordance with § 101.635(c) of this part,
Arrange for cybersecurity inspections in conjunction with vessel, facility and OCS facility inspections,
Ensure the prompt correction of problems identified by exercises, audits, or inspections,
Ensure the cybersecurity awareness and vigilance of personnel through briefings, drills, exercises, and training,
Ensure adequate cybersecurity training of personnel,
Ensure all breaches of security, suspicious activity that may result in Transportation security incidents (TSI), TSIs, and cyber incidents are recorded and reported to the owner or operator,
Ensure that records required by this part are maintained in accordance with § 101.640 of this part,
Ensure any reports as required by this part have been prepared and submitted,
Ensure that the Cybersecurity Plan, as well as proposed substantive changes (or major amendments) to cybersecurity measures included therein, are submitted for approval to the cognizant COTP or the Officer in Charge, Marine Inspections (OCMI) for facilities or OCS facilities, or to the Marine Safety Center (MSC) for vessels, prior to amending the Cybersecurity Plan, in accordance with § 101.630 of this part,
Ensure relevant security and management personnel are briefed regarding changes in cybersecurity conditions on board the vessel, facility, or OCS facility, and
Ensure identification and mitigation of all KEVs in critical IT or OT systems, without delay.
Qualifications
Paragraph (e) outlines the qualifications for Cybersecurity Officers. It requires that the appointed CySO have general knowledge, through training or equivalent job experience, in the following:
General vessel, facility, or OCS facility operations and conditions,
General cybersecurity guidance and best practices,
The vessel, facility, or OCS facility's Cyber Incident Response Plan,
The vessel, facility, or OCS facility's Cybersecurity Plan,
Cybersecurity equipment and systems,
Methods of conducting cybersecurity audits, inspections, control, and monitoring techniques,
Relevant laws and regulations pertaining to cybersecurity,
Instruction techniques for cybersecurity training and education,
Handling of Sensitive Security Information and security related communications,
Current cybersecurity threat patterns and KEVs,
Recognizing characteristics and behavioral patterns of persons who are likely to threaten security, and
Conducting and assessing cybersecurity drills and exercises.