Last week, the CG published a notice of proposed rulemaking for “Cybersecurity in the Marine Transportation System”. The proposed regulations would update the maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This is part of a continuing series of posts on the rulemaking. The earlier posts included:
This post looks at the requirements for each vessel/facility to have a Cybersecurity Plan.
Definitions
The following terms, defined in §101.615, are used in this discussion:
Cybersecurity Assessment
Section 101.160(a) requires that: “The Cybersecurity Plan must reflect all cybersecurity measures required in this subpart, as appropriate, to mitigate risks identified during the Cybersecurity Assessment.” The term ‘Cybersecurity Assessment’ is defined in §101.115:
“Cybersecurity Assessment means the appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes identification of relevant vulnerabilities and threats and determining the extent to which adverse circumstances or events could result in operational disruption and other harmful consequences.”
The Cybersecurity Officer is responsible for ensuring that the Cybersecurity Assessment is conducted as required by this part. The owner/operator is ultimately responsible for ensuring that the Cybersecurity Assessment is conducted.
Cybersecurity Plan Overview
The preamble outlines the general requirements for the Cybersecurity Plans required under §101.630 that are not specifically listed in that subsection. These include:
The Plan will be maintained consistent with the recordkeeping requirements in 33 CFR 104.235 for vessels, 33 CFR 105.225 for facilities, and 33 CFR 106.230 for OCS facilities,
The Plan will address the findings of the Cybersecurity Assessment and would consider the recommended measures appropriate for the U.S.-flagged vessel, facility, or OCS facility,
The Plan could be incorporated into existing vessel or facility security plans under sections 104, 105, or 106 of 33 CFR, and
The Plan could be stored electronically, but only “if it can be protected from being deleted, destroyed, overwritten, accessed, or disclosed without authorization”; interestingly it does not include ‘changed’.
Section 101.630(b) notes that: “The Cybersecurity Plan is Sensitive Security Information and must be protected in accordance with 49 CFR part 1520.” Not mentioned in this rulemaking is the fact that Sensitive Security Information is a ‘specified’ controlled unclassified information category which is further controlled under 32 CFR 2002, including electronic control measures under §2002.14(c)(4), which incorporates by reference NIST SP 800-53.
Plan Format
Section 101.630(c) requires that the following sections be included in the Cybersecurity Plan. If the order outlined in paragraph (c) is not used, the plan must include an index outlining where each of the required sections can be found. The required sections are:
(1) Cybersecurity organization and identity of the CySO,
(2) Personnel training,
(3) Drills and exercises,
(4) Records and documentation,
(5) Communications,
(6) Cybersecurity systems and equipment, with associated maintenance,
(7) Cybersecurity measures for access control, including the computer, IT, and OT access areas,
(8) Physical security controls for IT and OT systems,
(9) Cybersecurity measures for monitoring,
(10) Audits and amendments to the Cybersecurity Plan,
(11) Reports of all cybersecurity audits and inspections, to include documentation of resolution or mitigation of all identified vulnerabilities,
(12) Documentation of all identified, unresolved vulnerabilities, to include those that are intentionally unresolved due to owner or operator risk acceptance,
(13) Cyber incident reporting procedures in accordance with part 101 of this subchapter, and
(14) Cybersecurity Assessment.
Plan Submission and Approval
Section 101.630(d) requires the owner or operator to submit one copy of the Cybersecurity Plan to the cognizant COTP or the OCMI for the facility or OCS facility, or to the MSC for the vessel, accompanied by a letter certifying that the Cybersecurity Plan meets the requirements of Subpart F. The COTP, OCMI, or MSC will evaluate each submission and either:
Approve the Cybersecurity Plan,
Require additional information or changes, or
Disapprove the Cybersecurity Plan.
Approved plans are good for five years. Changes to the plan must be similarly approved by the appropriate COTP, OCMI, or MSC.
Commentary
I am more than a little disappointed in the lack of detail about the requirements for the Cybersecurity Assessment. I understand that the Coast Guard was trying to write it general enough that it would apply to everyone, but would not unnecessarily burden anyone with unnecessary requirements. Unfortunately, there are some requirements that should have been included.
First and foremost is the absence of any requirement to define the cybersecurity systems that are to be covered by the Cybersecurity Plan. Before any assessment can be made, the system must be defined by listing all of the electronic components and defining how they are connected to each other and to external communications systems, including the internet, perhaps including a software bill of materials (SBOM) where available. Additionally, there needs to be a definition of how external communications to and from the system will be controlled or restricted, especially for personally owned devices. To be sure, the controls on those communications would probably be included in the Cybersecurity Plan, but the communications nodes would have to be identified in the assessment.