On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new draft cybersecurity guidelines for facilities regulated under the Maritime Transportation Security Act (MTSA). The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until September 11, 2017. The guidelines outline a position on addressing cybersecurity that is consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other cybersecurity guidance. Like the Executive Order, the draft reflects a growing emphasis on mitigating cyber threats to critical infrastructure.
The guidelines are divided into two sections. One provides draft guidance on existing regulatory requirements and how they relate to cybersecurity. The second advises regulated facilities on how to implement a cyber risk management governance program.
In the first section, USCG advises MTSA regulated facilities to incorporate cybersecurity into facility security assessments (FSAs). The guidelines suggest that officers conducting FSAs review:
- Roles and responsibilities of cybersecurity personnel.
- Cybersecurity training, policies, and procedures.
- Testing of cybersecurity response plans.
- Records of training, incidents, and exercises.
- Physical and cybersecurity communication plans for reporting to key personnel and the USCG.
- Access controls to networks, systems and restricted areas.
- Security measures for protecting cargo.
The guidance recommends that facility owners and operators conduct annual audits of cybersecurity measures.
The second section focuses on enterprise-wide approaches to cyber risk management. This section incorporates concepts from the NIST Cybersecurity Framework on how regulated facilities can identify critical systems and classify risk.
Interestingly, the guidance places significant emphasis on Connective Vector Assessments. A Connective Vector Assessment evaluates the connections between systems and how those connections may be used to impact or disrupt networks and the systems attached to them. For example, the guidelines expect regulated facilities to evaluate how low-risk systems could be used to reach and compromise critical systems in the event of a cyberattack.
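The connective-vector idea above is essentially a reachability question over a system inventory: which critical systems can be reached, through any chain of permitted connections, from a low-risk system? The following is an added example, not code from the guidance or from the blog; the inventory (system names, tiers and links) is constructed for illustration. It enumerates every path from low-tier systems to critical ones and then shows how removing a single link changes the exposure, which is the kind of evidence a facility security assessment would want to record.

```python
"""Toy connective vector assessment over a constructed system inventory.

Each entry records a criticality tier and the systems it is allowed to
initiate connections to. The inventory below is made up for illustration.
"""
from collections import deque

INVENTORY = {
    "guest-wifi":      {"tier": "low",      "connects_to": ["badge-server"]},
    "vendor-laptop":   {"tier": "low",      "connects_to": ["hmi-workstation", "badge-server"]},
    "badge-server":    {"tier": "medium",   "connects_to": ["gate-controller"]},
    "hmi-workstation": {"tier": "medium",   "connects_to": ["crane-plc"]},
    "gate-controller": {"tier": "critical", "connects_to": []},
    "crane-plc":       {"tier": "critical", "connects_to": []},
    "billing-db":      {"tier": "critical", "connects_to": []},
}


def reachable_from(inventory, source):
    """Every system reachable from `source` by following connects_to edges (BFS)."""
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in inventory[node]["connects_to"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(source)
    return seen


def all_paths(inventory, source, target, path=None):
    """All simple paths source -> target (DFS); shows *how* an exposure arises."""
    path = [source] if path is None else path + [source]
    if source == target:
        return [path]
    found = []
    for nxt in inventory[source]["connects_to"]:
        if nxt not in path:  # avoid cycles
            found.extend(all_paths(inventory, nxt, target, path))
    return found


def exposure_report(inventory, source_tier="low", target_tier="critical"):
    """Map each target-tier system to the paths that reach it from source-tier systems."""
    sources = [n for n, s in inventory.items() if s["tier"] == source_tier]
    targets = [n for n, s in inventory.items() if s["tier"] == target_tier]
    report = {}
    for tgt in targets:
        paths = []
        for src in sources:
            paths.extend(all_paths(inventory, src, tgt))
        report[tgt] = paths
    return report


def without_link(inventory, src, dst):
    """Copy of the inventory with the src -> dst connection removed (a segmentation change)."""
    new = {n: {"tier": s["tier"], "connects_to": list(s["connects_to"])}
           for n, s in inventory.items()}
    new[src]["connects_to"] = [d for d in new[src]["connects_to"] if d != dst]
    return new


if __name__ == "__main__":
    for tgt, paths in exposure_report(INVENTORY).items():
        print(f"{tgt}: {'EXPOSED' if paths else 'no path from low-tier systems'}")
        for p in paths:
            print("   " + " -> ".join(p))
    hardened = without_link(INVENTORY, "vendor-laptop", "hmi-workstation")
    print("\nafter removing vendor-laptop -> hmi-workstation:")
    for tgt, paths in exposure_report(hardened).items():
        print(f"{tgt}: {len(paths)} path(s)")
```

On the constructed inventory, the report shows two paths into the gate controller (both through the badge server) and one into the crane PLC via the vendor laptop and HMI workstation, while the billing database has no path from any low-tier system. Cutting the single vendor-laptop link to the HMI workstation isolates the crane PLC but leaves the gate controller exposed, which is the point of doing the assessment per connection rather than per system.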
Critical infrastructure operators following developments in this space should not be surprised by the recommendations in the USCG guidance. The document is consistent with the federal government’s concerted effort to increase private sector preparedness for cyberattacks. Much like earlier guidance, the draft guidelines embody a growing trend toward risk- and process-based approaches to cybersecurity. Further, the guidance leverages existing requirements, such as the FSA process, and existing frameworks, such as the NIST Cybersecurity Framework.