Tuesday, February 27, 2024

Review - CG Marine Cybersecurity NPRM – Cybersecurity Plan

Last week, the CG published a notice of proposed rulemaking for “Cybersecurity in the Marine Transportation System”. The proposed regulations would update the maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This is part of a continuing series of posts on that rulemaking. The earlier posts included:

NPRM Introduction (short version),

Cybersecurity Officer (short version)

This post looks at the requirement for each covered vessel and facility to have a Cybersecurity Plan.

Before the Cybersecurity Plan is started, each covered vessel or facility is required to conduct a Cybersecurity Assessment. The Cybersecurity Plan is then required to incorporate the results of that Cybersecurity Assessment as well as the cybersecurity measures outlined in the new Subpart F. The Cybersecurity Plan would be marked (and protected) as Sensitive Security Information. The proposed rule would require each Cybersecurity Plan to include 14 specific sections. Once the plan is completed it would be required to be submitted to the Coast Guard official responsible for approving the facility or vessel security plan under the Maritime Transportation Security Act. That official would then approve the plan, request additional information, or disapprove the plan.

Commentary

I am more than a little disappointed in the lack of detail about the requirements for the Cybersecurity Assessment. I understand that the Coast Guard was trying to write the requirement generally enough that it would apply to everyone without burdening anyone with requirements that do not fit their operation. Unfortunately, there are some requirements that should have been included.

First and foremost is the absence of any requirement to define the cybersecurity systems that are to be covered by the Cybersecurity Plan. Before any assessment can be made, the system must be defined by listing all of the electronic components and describing how they are connected to each other and to external communications systems, including the internet, perhaps with a software bill of materials (SBOM) for each component where one is available. Additionally, there needs to be a definition of how external communications to and from the system will be controlled or restricted, especially for personally owned devices. To be sure, the controls on those communications would probably be included in the Cybersecurity Plan, but the communications nodes themselves would have to be identified in the assessment.
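To make concrete what such a system definition would have to capture, here is an added example (not part of the NPRM, and not from this post's author) of a minimal machine-readable inventory for a covered vessel, with a consistency check that finds the things the assessment would need: the external communications nodes, every component with a network path to an external network, personally owned devices, and components with no SBOM. The component names, device kinds and SBOM file names are constructed for illustration; the external network labels in `EXTERNAL_NETWORKS` are an assumed convention.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed labels for external communications systems that a component may link to.
EXTERNAL_NETWORKS = {"internet", "corporate-wan", "cellular"}


@dataclass
class Component:
    name: str
    kind: str                                   # e.g. "plc", "hmi", "ecdis", "router", "phone"
    owner: str                                  # "company" or "personal"
    links: List[str] = field(default_factory=list)  # components or external networks it talks to
    sbom: Optional[str] = None                  # SBOM reference, if the vendor supplied one


def _adjacency(components):
    """Undirected adjacency over component names and external network labels."""
    adj = {}
    for c in components:
        adj.setdefault(c.name, set())
        for peer in c.links:
            adj[c.name].add(peer)
            adj.setdefault(peer, set()).add(c.name)
    return adj


def check_system_definition(components):
    """Validate the inventory and derive what the assessment needs from it."""
    by_name = {c.name: c for c in components}
    errors = []
    for c in components:
        if not c.links:
            errors.append(f"{c.name}: no connections listed (isolated, or definition incomplete?)")
        for peer in c.links:
            if peer not in by_name and peer not in EXTERNAL_NETWORKS:
                errors.append(f"{c.name}: links to undefined node '{peer}'")

    # Components that terminate an external connection are the communications nodes.
    boundary = sorted(c.name for c in components if set(c.links) & EXTERNAL_NETWORKS)

    # Breadth-first walk from every external network: anything reached has a path to it.
    adj = _adjacency(components)
    seen = set()
    queue = deque(n for n in EXTERNAL_NETWORKS if n in adj)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in by_name and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)

    return {
        "errors": errors,
        "boundary_nodes": boundary,
        "external_reachable": sorted(seen),
        "personal_devices": sorted(c.name for c in components if c.owner == "personal"),
        "missing_sbom": sorted(c.name for c in components if c.sbom is None),
    }


# Constructed sample inventory; the two defects near the end are deliberate.
SAMPLE_VESSEL = [
    Component("ecdis-1", "ecdis", "company", ["bridge-switch"], sbom="ecdis-1.spdx.json"),
    Component("bridge-switch", "switch", "company", ["ecdis-1", "vsat-router", "crew-wifi"]),
    Component("vsat-router", "router", "company", ["bridge-switch", "internet"], sbom="vsat.cdx.json"),
    Component("crew-wifi", "access-point", "company", ["bridge-switch", "mate-phone"]),
    Component("mate-phone", "phone", "personal", ["crew-wifi", "cellular"]),
    Component("engine-plc", "plc", "company", ["engine-hmi"], sbom="plc-fw.spdx.json"),
    Component("engine-hmi", "hmi", "company", ["engine-plc", "bridge-sw"]),  # misspelled peer name
    Component("ballast-plc", "plc", "company", []),                            # connectivity never recorded
]


if __name__ == "__main__":
    for key, value in check_system_definition(SAMPLE_VESSEL).items():
        print(f"{key}: {value}")
```

On the sample, the check reports two definition errors, lists `vsat-router` and `mate-phone` as the external communications nodes, and shows that the bridge network is reachable from the outside. Note that the misspelled peer name on `engine-hmi` makes the engine PLC look unreachable from the internet, which is exactly why an undefined-node error has to block the assessment rather than be ignored: the inventory's errors decide what the reachability result is worth.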


For more details about the proposed regulatory requirements for Cybersecurity Plans, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cg-marine-cybersecurity-nprm-9c8 - subscription required.
