CG Publishes Marine Cybersecurity NPRM

Today, the Coast Guard published a notice of proposed rulemaking in the Federal Register (89 FR 13404-13514) on “Cybersecurity in the Marine Transportation System”. The proposed regulations would update the maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. The proposed changes would add a new Subpart F, Cybersecurity, to 33 CFR 101, Maritime Security.

Definitions

Section 101.615 provides the definition for this new Subpart. Terms of interest include:

• Credentials,

• Critical (information or operational) technology,

• Cyber incident,

• Cyber incident response plan,

• Cybersecurity vulnerability,

• Exploitable channel,

• Information system,

• Multifactor authentication,

• Operational technology,

• Principle of least privilege,

Overview

The new Subpart F applies to owners and operators of:

• U.S.-flagged vessels subject to 33 CFR part 104,

• U.S. facilities subject to 33 CFR part 105, and

• Outer Continental Shelf (OCS) facilities subject to 33 CFR part 106.

In general, the new §101.606 requires each owner/operator to:

• Ensure a Cybersecurity Plan is developed, approved, and maintained,

• Ensure that cybersecurity exercises, audits, and inspections, as well as the Cybersecurity Assessment, are conducted,

• Ensure that the vessel, facility, or OCS facility operates in compliance with the approved Cybersecurity Plan,

• Ensure the development, approval, and execution of the Cyber Incident Response Plan, and

• Ensure all cyber incidents are reported to the National Response Center (NRC).

The new§101.650 provides descriptions of the following required security measures:

• Account security measures,

• Device security measures,

• Data security measures,

• Cybersecurity training for personnel,

• Risk management,

• Supply chain,

• Resilience,

• Network segmentation, and

• Physical security.

Public Comments

The Coast Guard is soliciting public comments on the NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2022-0802). Comments should be submitted by April 22^nd, 2024.