MARSEC – Maritime Cybersecurity Solutions

Maritime Cyber Security Solutions

MARSEC

Port Security - Houston Port Authority

Partnering with Top Companies to Ensure your data remains private and secure

Requirements for Maritime Transportation Security Act

Due to an increase in cyber threats and vulnerabilities in the Marine Transportation System, the Coast Guard published Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities, in March 2020.

NVIC 01-20 provides guidance on assessing cyber risks when conducting required Facility Security Assessments (FSA) and incorporating cybersecurity within Facility Security Plans (FSP).

Resource Accreditation

https://www.federalregister.gov/documents/2020/03/20/2020-05823/navigation-and-vessel-inspection-circular-nvic-01-20-guidelines-for-addressing-cyber-risks-at

Cyber Security Is Needed for Compliance

Requirement Resources continued

The Coast Guard established an 18-month implementation period which allowed MTSA-regulated facility owners or operators time to incorporate cybersecurity into their FSAs and FSPs.

  • Beginning on Oct. 1, 2021, facility owners and operators who have not already done so should submit FSP cyber amendments or annexes to their local Captain of the Port (COTP) as part of the facility’s annual audit. COTPs will verify that facilities have addressed cybersecurity within the FSA and FSP cyber amendments/annexes. COTPs retain discretion on whether the requirements have been met, and on any potential extension of submission dates.

For questions regarding NVIC 01-20 implementation guidance and FSP/ASP amendment/annex submission, it is recommended that MTSA-regulated facility owners and operators contact their local Captain of the Port well in advance of their next annual audit date before Oct. 1, 2022.

Additional Requirement Resources

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

These Guidelines provide high-level recommendations for maritime cyber risk management.

MARITIME CYBER RISK MANAGEMENT IN SAFETY MANAGEMENT SYSTEMS

Maritime Resolution adopted on 16 July 2017

Your Cyber security Solutions Are Here!

How can we help?

CSS will conduct an impact assessment to determine the company's cyber risk.

In accordance with paragraph 10.4 of the ISM Code, special attention is given to OT systems.

Evidence backed results for your Facility Security Assessment (FSA)

Assistance with the cyber responsibilities of a Facility Security Plan (FSP).

Development of a custom corrective action plan

Assistance navigating the vendor landscape.

Full Remediation & Management Services

Partner with CSS to ensure your network is secure and resilient.

Our Experience

At CSS, there is more to ensuring the security of your most important information: we ensure your privacy. Listed below are a few examples of our methodologies and capabilities.

Proprietary Security Stack

Work with the Department of Defense

Experience with IT and OT networks

Holistic Security & Compliance Solutions

Hybrid Methodologies (Cloud to Edge)

24/7/365 Monitoring

Frequently Asked Questions

Facility owners, operators, and FSOs should reach out to the local Captain of the Port (via the Facilities or other Inspection Division as appropriate).
NVIC 01-20 is not a regulation. It is intended only to provide clarity regarding existing requirements under the law. It does not change any legal requirements, and does not impose new requirements on the public. This NVIC provides guidance to facility owners and operators in complying with the existing regulatory requirements to assess, document, and address computer system or network vulnerabilities. Not all recommendations will apply to all facilities, depending on individual facility operations. Facility owners and operators may use a different approach than this NVIC recommends, if that approach satisfies the legal requirements.
In accordance with 33 CFR Parts 105 and 106, which implement the Maritime Transportation Security Act (MTSA) of 2002 as codified in 46 U.S.C. Chapter 701, regulated facilities (including Outer Continental Shelf facilities) are required to assess and document vulnerabilities associated with their computer systems and networks in a Facility Security Assessment (FSA). If vulnerabilities are identified, the applicable sections of the Facility Security Plan (FSP) must address the vulnerabilities in accordance with 33 CFR 105.400 and 106.400. Existing regulations require the owners and operators of MTSA-regulated facilities to analyze vulnerabilities associated with radio and telecommunication equipment, including computer systems and networks. Vulnerabilities in computer systems and networks are commonly referred to as cybersecurity vulnerabilities. Under the MTSA regulations, an FSP must address any cybersecurity vulnerabilities identified in the FSA.
While the Coast Guard does not maintain a list of 3rd parties working on this issue, facilities are welcome to seek out 3rd parties that are working independently to provide training, education, and other services regarding the assessment and implementation of cyber in the FSAs, FSPs, and Alternative Security Programs (ASPs), as well as general facility operations. Additionally, there are numerous cybersecurity standards that may assist in incorporation of cybersecurity and cyber risk management into the FSA, FSP, and operations. Currently there is no CG-approved list of cybersecurity standards, though the NIST Cybersecurity Framework is one example that has been widely utilized.
No. If the FSA identifies a vulnerability to the computer system or network that is not already addressed in the FSP, the FSP needs to be amended to address that vulnerability. The Coast Guard will accept an annex, addendum, or other method identified by the facility owner/operator so long as the requirements within regulation are met. A complete rewrite is not necessary, unless the facility owner/operator prefers that approach.
An updated FSP, or an annex, addendum, or other “attachment,” is acceptable so long as the submission shows that the facility has assessed, and addressed if necessary, vulnerabilities associated with its computer systems and networks.

The Coast Guard is allowing a 1.5-year-long implementation period of the cybersecurity requirement, ending on 09/30/2021. This initial implementation period will allow MTSA-regulated facility owners/operators time to address cybersecurity vulnerabilities in their FSA and FSP or ASP by incorporating this guidance, or an alternative as best fits their needs. Facility owners and operators who already address cybersecurity in their FSAs and FSPs or ASPs should continue doing so, while considering whether the guidance in NVIC 01-20 can improve their ongoing practices.

Once this implementation period is over (beginning 10/01/2021), facilities should submit cybersecurity FSA and FSP/ASP amendments or annexes by the facility’s annual audit date, which is based on the facility’s FSP/ASP approval date. Captains of the Port (COTPs) will still have the flexibility, based on resource demands or upon request from a facility, to adjust when submissions are received, as long as all facility FSA and FSP submissions are received by the end of the one-year period, no later than 10/01/2022. The same flexibility is available to facilities using ASPs, except they should communicate with Coast Guard Headquarters rather than a COTP.

The FSP should document items as required in the CFR. Whatever has been covered previously should continue to be included, but with the addition of any applicable cybersecurity risks.
There is no Coast Guard-developed or approved training for industry related to cybersecurity requirements. Facility owners/operators are welcome to seek out 3rd parties that are working independently to develop training in this space, but are not required to do so.
The review level of FSA and FSP amendments or annexes will remain at the COTP level, and at Headquarters for ASPs. The review should follow the same self-evaluation methodology and review process already in use. Facility Inspectors will simply be asked to receive cybersecurity amendments and confirm that the facility did make a reasonable attempt to address any cyber systems affecting what is covered under the FSP, and that the facility feels that they have appropriately addressed their cybersecurity vulnerabilities.
Per the National Cyber Strategy (September 2018), maritime cybersecurity is of particular concern because lost or delayed shipments can result in strategic economic disruptions and potential spillover effects on downstream industries. Given the criticality of maritime transportation to the United States and global economy, the United States will move quickly to clarify maritime cybersecurity roles and responsibilities; promote and enhance mechanisms for international coordination and information sharing; and accelerate the development of next-generation cyber-resilient maritime infrastructure. To this end, the Coast Guard worked closely with industry and other government agencies to provide guidance on complying with cybersecurity requirements for MTSA regulated facilities.
This NVIC addresses MTSA-regulated facilities, though other maritime facilities are welcome to utilize the guidance for their own efforts. The Coast Guard is currently developing separate guidance to address cybersecurity on board vessels.