NVIC 05-17 seeks to clarify existing MTSA requirements for incorporating cyber risks and guidance for addressing those risks. The NVIC provides guidance on incorporating cybersecurity risks into a Facility Security Assessment (FSA) and provides additional recommendations for policies and procedures that may reduce cyber risk at MTSA-regulated facilities.
The first part of the NVIC, titled “Cyber Security and MTSA: 33 CFR parts 105 and 106” and labeled enclosure 1, discusses existing MTSA regulatory requirements the USCG views as applicable to cybersecurity related threats. The NVIC explains the U.S. Coast Guard's interpretation of these existing requirements as they apply to cybersecurity threats and recommends additions to the MTSA Facility Security Plan (FSP).
This NVIC also contains a set of cybersecurity parameters, labeled as enclosure 2 and titled “Cyber Governance and Cyber Risk Management Program Implementation Guidance.” These recommended best practices were derived from a variety of industry practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). NVIC 05-17, enclosure 2 also provides recommendations for developing cybersecurity measures including inventory, access control, acceptable use policies, and network design.