The U.S. Coast Guard (USCG) published Navigation and Vessel Inspection Circular (NVIC) 01-20 (Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities). The NVIC provides guidance to MTSA facilities regarding complying with requirements to assess, document, and address computer system and network vulnerabilities. Specifically, the NVIC clarifies that facilities are required to assess and document vulnerabilities associated with their computer systems and networks (i.e., cybersecurity vulnerabilities) in their Facility Security Assessments (FSAs). Any cybersecurity vulnerabilities identified in an FSA must then be addressed in the Facility Security Plan (FSP) (i.e., mitigation measures, procedures, etc.).
USCG guidance published following the release of the NVIC indicates that facilities which have not already addressed cybersecurity vulnerabilities in their FSAs/FSPs will be required to submit cybersecurity FSA/FSP amendments (or annexes) to the USCG during a one-year period beginning on October 1, 2021, with all FSA/FSP amendments submitted no later than October 1, 2022.