The U.S. Coast Guard (USCG) has published a draft of Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities. While NVICs do not require public comment, the USCG is requesting comment on NVIC 05-17 through a Federal Register notice, which was published on July 12, 2017. NVIC 05-17 seeks to clarify existing MTSA requirements for incorporating cyber risks and guidance for addressing those risks. The NVIC provides guidance on incorporating cybersecurity risks into a Facility Security Assessment (FSA) and provides additional recommendations for policies and procedures that may reduce cyber risk at MTSA-regulated facilities.
The first part of the NVIC, titled "Cyber Security and MTSA: 33 CFR parts 105 and 106" and labeled enclosure 1, discusses existing MTSA regulatory requirements the USCG views as applicable to cybersecurity related threats. The NVIC explains the USCG's interpretation of these existing requirements as they apply to cybersecurity threats and recommends additions to the MTSA Facility Security Plan (FSP).
This NVIC also contains a set of cybersecurity parameters, labeled as enclosure 2 and titled "Cyber Governance and Cyber Risk Management Program Implementation Guidance." These recommended best practices were derived from a variety of industry practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). NVIC 05-17, enclosure 2 also provides recommendations for developing cybersecurity measures including inventory, access control, acceptable use policies, and network design.