The NVIC provides guidance to MTSA facilities regarding complying with requirements to assess, document, and address computer system and network vulnerabilities. Specifically, the NVIC clarifies that facilities are required to assess and document vulnerabilities associated with their computer systems and networks (i.e., cybersecurity vulnerabilities) in their Facility Security Assessments (FSAs). Any cybersecurity vulnerabilities identified in an FSA must then be addressed in the Facility Security Plan (FSP) (i.e., mitigation measures, procedures, etc.).
These mitigation measures may be outlined in a stand-alone “cyber annex” to the FSP or incorporated into the FSP itself in appropriate areas. The NVIC notes that it is not necessary to identify specific technology or business models. Rather, facilities may provide a general description as well as documentation explaining how they are addressing any facility-specific cybersecurity vulnerabilities.
USCG guidance published following the release of the NVIC indicates that facilities which have not already addressed cybersecurity vulnerabilities in their FSAs/FSPs are required to submit cybersecurity FSA/FSP amendments (or annexes) to the USCG during a one-year period beginning on October 1, 2021, with all FSA/FSP amendments submitted no later than October 1, 2022.
