News & Events

TSA launches new online Transportation Worker Identification Credential (TWIC) renewal process

National Press Release

Wednesday, August 10, 2022

WASHINGTON – The Transportation Security Administration (TSA) enhanced the renewal process for the Transportation Worker Identification Credential (TWIC®) to help support critical transportation workers. Starting August 11, 2022, TSA enabled the ability for current TWIC holders to renew their credentials online, which eliminates the need to go to an enrollment center and makes the five-year renewal process more convenient.

TWIC is required by the Maritime Transportation Security Act for mariners and workers who need access to secure areas of the nation’s maritime facilities and vessels. Jointly administered by TSA and the U.S. Coast Guard, TSA conducts a background check to determine a person’s eligibility and issues the credential. The Coast Guard regulates the use of TWIC in the maritime environment. U.S. citizens, lawful permanent residents, naturalized citizens, asylum seekers, refugees, and nonimmigrants in lawful status may apply for the TWIC credential.

Nearly 60 percent of TWIC holders renew their card every five years. Renewing online eliminates the need to go to an enrollment center, supports U.S. critical infrastructure and supply chain workers, and saves travel time and expenses associated with being away from work. Most eligible applicants receive their TWIC card in less than 10 days. Those applicants with more complex cases may require 60 days or longer for processing. Applicants may check their TWIC status online at any time.

Most applicants, including U.S. citizens, nationals, and lawful permanent residents, will be able to renew online without the need to visit an enrollment center. Please visit TSA’s enrollment provider website for information on TWIC enrollments and renewals. If applicants encounter difficulty renewing online, they may contact customer service at (855) 347-8371. For more information on the TWIC program, visit the TSA TWIC website or the Coast Guard TWIC website.

U.S. DEPARTMENT OF HOMELAND SECURITY
Office of Public Affairs
DHS Issues National Terrorism Advisory System (NTAS) Bulletin

WASHINGTON – Today, Secretary of Homeland Security Alejandro N. Mayorkas issued a National Terrorism Advisory System (NTAS) Bulletin regarding the continued heightened threat environment across the United States. This is the fifth NTAS Bulletin issued by the Department of Homeland Security since January 2021 and it replaces the current Bulletin that was set to expire tomorrow.

“DHS remains committed to proactively sharing timely information and intelligence about the evolving threat environment with the American public,” said Secretary Alejandro N. Mayorkas. “We also remain committed to working with our partners across every level of government and in the private sector to prevent all forms of terrorism and targeted violence, and to support law enforcement efforts to keep our communities safe. This NTAS Bulletin outlines the key factors that have increased the volatility, unpredictability, and complexity of the current threat environment, and highlights resources for individuals and communities to stay safe.”

The United States remains in a heightened threat environment fueled by several factors, including an online environment filled with false or misleading narratives and conspiracy theories, and other forms of mis- dis- and mal-information (MDM) introduced and/or amplified by foreign and domestic threat actors. These threat actors seek to exacerbate societal friction to sow discord and undermine public trust in government institutions to encourage unrest, which could potentially inspire acts of violence. Mass casualty attacks and other acts of targeted violence conducted by lone offenders and small groups acting in furtherance of ideological beliefs and/or personal grievances pose an ongoing threat to the nation.

While the conditions underlying the heightened threat landscape have not significantly changed over the last year, the convergence of the following factors has increased the volatility, unpredictability, and complexity of the threat environment: (1) the proliferation of false or misleading narratives, which sow discord or undermine public trust in U.S. government institutions; (2) continued calls for violence directed at U.S. critical infrastructure; soft targets and mass gatherings; faith-based institutions, such as churches, synagogues, and mosques; institutions of higher education; racial and religious minorities; government facilities and personnel, including law enforcement and the military; the media; and perceived ideological opponents; and (3) calls by foreign terrorist organizations for attacks on the United States based on recent events.

DHS and the Federal Bureau of Investigation (FBI) continue to share timely and actionable information and intelligence with the broadest audience possible. This includes sharing information and intelligence with our partners across every level of government and in the private sector. Under the Biden-Harris Administration, DHS is prioritizing combating all forms of terrorism and targeted violence, including through its efforts to support the first-ever National Strategy for Countering Domestic Terrorism. Since January 2021, DHS has taken several steps in this regard, including:
established a new domestic terrorism branch within DHS’s Office of Intelligence and Analysis dedicated to producing sound, timely intelligence needed to counter domestic terrorism-related threats;
launched the Center for Prevention Programs and Partnerships (CP3) to provide communities with resources and tools to help prevent individuals from radicalizing to violence;
designated domestic violent extremism as a “National Priority Area” within DHS’s Homeland Security Grant Program for the first time, resulting in at least $77 million being spent on preventing, preparing for, protecting against, and responding to related threats nationwide;
provided $180 million in funding to support target hardening and other physical security enhancements to non-profit organizations at high risk of terrorist attack through DHS’s Nonprofit Security Grant Program (NSGP);
increased efforts to identify and evaluate MDM, including false or misleading narratives and conspiracy theories spread on social media and other online platforms, that endorse violence; and,
enhanced collaboration with public and private sector partners – including U.S. critical infrastructure owners and operators – to better protect our cyber and physical infrastructure and increase the Nation’s cybersecurity through the Department’s Cybersecurity and Infrastructure Security Agency (CISA).
DHS also has renewed its commitment to ensure that all efforts to combat domestic violent extremism are conducted in ways consistent with privacy protections, civil rights and civil liberties, and all applicable laws.

This NTAS Bulletin will expire on June 7, 2022. This NTAS Bulletin provides the public with information about the threat landscape facing the United States, how to stay safe, and resources and tools to help prevent an individual’s radicalization to violence. The public should report any suspicious activity or threats of violence to local law enforcement, FBI Field Offices, or a local Fusion Center.

Read the current NTAS Bulletin here. 

Dear clients, below is a message from the USCG Cyber Command

“As you may be are aware, a critical vulnerability in Java-based software known as “Log4j” (also called Log4Shell) was discovered on December 10, 2021. Log4j is one of the most popular logging libraries used online. Log4j gives software developers a way to build a record of activity to be used for a variety of purposes, such as troubleshooting, auditing and data tracking. Because it is both open-source and free, the library essentially touches every part of the internet. Companies such as Apple, IBM, Oracle, Cisco, Google and Amazon, just to name a few, all run the software

It could present in popular apps and websites, and hundreds of millions of devices around the world that access these services could be exposed to the vulnerability. The vulnerability is actively being exploited. According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), as of Tuesday, more than 100 hacking attempts were occurring per minute, by nation state actors including China, Iran, North Korea and Turkey. A second Log4j vulnerability was released as well.

With most organizations focusing on identification and remediation of the Log4j vulnerabilities, Advanced Persistence Threat (APT) actors are taking advantage of the opportunity and are increasing attempts and attacks on non Log4j impacted systems. Intelligence received by cyber security researchers as well as other cyber security industry experts are seeing increased attempts to exploit other systems or applications as organizations are focusing on Log4j system and may not be closely monitoring their network or systems for unauthorized access. 

Recommendations: What can we do to help prevent APT actors from a ransomware or other type of attack?

  • Keep systems/software up-to-date – 80% of APT actor attempts are not successful when systems are up-to-date with patching.
  • Stay vigilant – updating to the newest version of any software will not remove accesses gained by adversaries or additional malicious capabilities dropped in victim environments. Remain vigilant in investigating activity in your environment, looking for evidence of unauthorized access, and acting in accordance with incident response best practices to reduce exposure.
  • Know what is on your network – develop an IT hardware and software asset inventory and monitor for devices that should not be allowed to connect.
  • Know who to call for help – you are not alone:  If your organization identifies a vulnerability or has any questions related to this alert, please contact U.S. Coast Guard at: maritimecyber@uscg.mil, or for immediate assistance call the Coast Guard Cyber Command 24×7 Watch at 202-372-2904. Additionally, you can contact Cyber Security and Infrastructure Security (CISA) at central@cisa.gov.”
DOWNLOAD

US Coast Guard Cyber Command
Maritime Cyber Alert 02-21

Released: August 17, 2021
Information Sharing Protocol: TLP-White (https://www.us-cert.gov/tlp)
“BADALLOC” CRITICAL VULNERABILITY: BLACKBERRY QNX & MORE


Summary: The recent public disclosure from BlackBerry regarding the “BadAlloc”
vulnerability in their QNX OS versions 6.5 and earlier, should put all organizations on continued alert for threats and vulnerabilities to the cyber landscape. “BadAlloc” is the name assigned to the family of vulnerabilities discovered in embedded Internet of Things (IoT) and Operational Technology (OT) operating systems and software to describe a class of memory overflow vulnerabilities…

…A device with these exploitable vulnerabilities may enable malicious actors to deny system availability, ex-filtrate data, and move laterally within the systems in which they are installed.


These malicious actions can lead to consequences for systems and their users, ranging from loss of data and trust, to physical harm and loss of life.

DOWNLOAD

Man Sentenced To 30 Months Imprisonment for Presenting A Fraudulent Transportation Worker Identification (TWIC) Card

NEW ORLEANS – June 2021 – U.S. Attorney Duane A. Evans announced today that on May 25, 2021, JIMMIE FLORES (“FLORES”), age 58, was sentenced on a one-count indictment for fraudulent use of a TWIC card in violation of Title 18, United States Code, Section 499.  United States District Court Judge Greg Guidry sentenced FLORES to serve 30 months in federal prison. FLORES was placed on 3 years supervised release and ordered to pay a mandatory $100.00 special assessment cost.

According to court documents, FLORES presented a fraudulent Transportation Worker Identification Credential (TWIC) Card to security personnel in Galliano, Louisiana in an attempt to be flown by helicopter to an oil rig in the Gulf of Mexico.  Security personnel questioned the authenticity of the card and ultimately denied FLORES’s admission to the rig.  FLORES admitted to buying the counterfeit card at a Houston, Texas flea market.  The Court ordered FLORES to report to prison on June 28, 2021.

U.S. Attorney Duane Evans praised the work of the United States Coast Guard Investigative Service in investigating this matter.  Assistant U. S. Attorney Carter K. D. Guice, Jr. was in charge of the prosecution.

https://www.justice.gov/usao-edla/pr/man-sentenced-30-months-imprisonment-presenting-fraudulent-transportation-worker

U.S. DEPARTMENT OF HOMELAND SECURITY
Office of Public Affairs

DHS Issues a National Terrorism Advisory System (NTAS) Bulletin
WASHINGTON – Today(5/14/21), Secretary of Homeland Security Alejandro N. Mayorkas issued a National Terrorism Advisory System (NTAS) Bulletin after consultation with the Intelligence Community and law enforcement partners. The NTAS Bulletin advises that the United States is facing threats that have evolved significantly and become increasingly complex and volatile. Specifically, the Bulletin details the threats posed by domestic terrorists, individuals, and groups engaged in grievance-based violence, and those inspired or influenced by foreign terrorists and other malign foreign influences.


Social media and online forums are increasingly exploited by these actors to influence and spread violent extremist narratives and activity. Such threats also are exacerbated by the impacts from the ongoing global pandemic. Today’s Bulletin builds on an earlier Bulletin issued by the Department of Homeland Security in January, and provides more information on the currently heightened threat environment and how Americans can seek help.


“Today’s terrorism-related threat landscape is more complex, more dynamic, and more diversified than it was several years ago. We know that providing timely and useful information to the public is critical as we all work together to secure the homeland. With the issuance of today’s NTAS Bulletin, we are advising the public to be vigilant about ongoing threats to the United States, including those posed by domestic terrorism, grievance-based violence, and those inspired or influenced by foreign terrorists and other malign foreign influences,” said Secretary Mayorkas.

“In this evolving threat environment, DHS is redoubling our efforts to detect and disrupt all forms of foreign and domestic terrorism and targeted violence, while safeguarding privacy protections, civil rights, and civil liberties.”


DHS and the Federal Bureau of Investigation (FBI) will continue to provide guidance to state, local, tribal, and territorial partners about the current threat environment. DHS is collaborating with industry partners to identify and respond to the radicalization that results from the spread of disinformation, conspiracy theories, and false narratives on social media and other online platforms.

DHS does not have any information to indicate a specific, credible plot; however, DHS asks all Americans to report any suspicious activity and threats of violence to local law enforcement, FBI Field Offices, or a local Fusion Center. Since January 20, 2021, DHS has increased the development, production, and sharing of intelligence and other actionable information central to countering domestic terrorism, which now poses the most significant and immediate terrorism-related threat to the United States.

DHS has established a new, dedicated domestic terrorism branch within the Department’s Office of Intelligence and Analysis (I&A). Further, DHS is increasing training opportunities for law enforcement partners, including through threat assessment and management programs related to domestic violent extremism.


In February, Secretary Mayorkas designated combating domestic violent extremism as a National Priority Area for the first time in FEMA grant programs. As a result, state, local, tribal, and territorial governments are required to spend at least 7.5 percent, or a minimum of $77 million, of their DHS grant awards toward combating this threat.
The Department is committed to building trust, partnerships, and collaboration across government, civil society, and communities to combat all forms of targeted violence and terrorism.
For additional information, view the entire NTAS Bulletin.

MARINER MENTAL HEALTH NEEDS DURING COVID-19: Anonymous Survey

“Your voice is very important to helping improve mental health access and outcomes for your fellow mariners, particularly during the COVID-19 pandemic.

Purpose: Your input is critical to understanding how the COVID-19 pandemic has affected mariners, particularly the mental health of mariners.

Process: In this 10-minute survey you will be asked a variety of questions about COVID-19, mental health, and your experiences and feelings when you are on a vessel.

-The electronic survey will take about 10 minutes to complete.
-The survey is anonymous, and all results will be kept confidential at the University of Washington.
-You don’t have to answer any questions you don’t want to.

Payoff: Results from this survey will be used by federal agencies, vessel owners/operators, mariner unions, maritime training institutions, seafarer welfare organizations and MTS stakeholders to develop effective solutions that benefit our mariners’ mental health.”

Link to Survey: https://redcap.iths.org/surveys/?s=RR933YTPKK

MSIB 01-21 Vessel Cyber-Security ALERT

“The Los Angeles-Long Beach maritime community should be on high alert for phishing emails from malicious actors impersonating USCG email addresses, specifically emails containing COVID-19 screening forms for vessels entering port. Sector Los Angeles – Long Beach responded to a report of a container vessel that received a suspicious email appearing to originate from a legitimate USCG Port State Control (PSC) Officer. The e-mail contained several links as well as an attachment. The recipient was encouraged to open the attachment or click on the links prior to authorization to enter the port. The vessel’s master
contacted the USCG to verify the validity of the e-mail. The email was not authentic and did not originate from the Coast Guard.”

To download the full bulletin & read more, click HERE

MSIB 13-20 CH. 2- TWIC® Operations

COVID 19 – Transportation Worker Identification Credential (TWIC®) Operations – Change 2

Maritime Facilities and Vessels:
TWIC Readers – the Coast Guard is not changing or delaying the TWIC Reader Rule implementation date of June 7, 2020 for facilities that receive vessels certificated to carry more than 1,000 passengers and vessels certificated to carry more than 1,000 passengers. However, the Coast Guard will delay enforcement until April 30, 2021. Applicable facilities and vessels are not required to update facility security plans (FSP)/vessel security plans (VSP) or install readers until the revised enforcement date.

To download the full bulletin & read more, click HERE

MSIB 05-20: TWIC Reader Requirements; Delay of Effective Date

“The Coast Guard delayed the effective date for three categories of CDC facilities affected by the final rule entitled, “Transportation Worker Identification Credential (TWIC) – Reader Requirements,” which published in the Federal Register on August 23, 2016. The three categories are: facilities that handle certain dangerous cargoes in bulk, but do not transfer these cargoes to or from a vessel; facilities that handle certain dangerous cargoes in bulk, and do transfer these cargoes to or from a vessel; and facilities that receive vessels carrying certain dangerous cargoes in bulk, but do not, during that vessel-to-facility interface, transfer these bulk cargoes to or from those vessels. Facilities that receive passenger vessels certificated to carry 1,000 passengers or more and one large passenger vessel will have to meet the regulations of the 2016 Reader Requirements.”

Download the full MSIB 05-20: TWIC Reader Requirements; Delay of Effective Date

MSIB 13-20 CH. 1 – TWIC® Operations

COVID 19 – Transportation Worker Identification Credential (TWIC®) Operations – Change 1

“The uninterrupted flow of commerce on our Marine Transportation System (MTS) is critical to both National Security and National economic well-being. During this National emergency for COVID-19 it is paramount that the Coast Guard safeguards the continued operation of the MTS. The regulations outlined throughout 33 and 46 Code of Federal Regulations remain in force, and maritime operators are expected to continue to comply with these requirements. However, when compliance with these regulations cannot reasonably be met as a result of COVID-19, the Coast Guard will exercise flexibility to prevent undue delays. The following clarification is provided regarding the Transportation Worker Identification Credential (TWIC®), which is jointly managed by the Coast Guard and the Transportation Security Administration (TSA).”

Download the full MSIB 13-20 TWIC® Operations – CH.1 Bulletin

“Qualifying Transportation Worker Identification Credential (TWIC®) holders are now eligible for TSA PreCheck™ at no cost and no extra enrollment..”

“The Transportation Security Administration (TSA) has identified efficiencies across vetting programs, eliminating redundancies, and reducing the administrative and cost burdens to applicants for vetting and credentialing. The TWIC® Program is a regulated vetting program that requires TSA to conduct a Security Threat Assessment (STA) to determine if an individual requiring specific transportation-related access poses a threat to national or transportation security. Given the similarity to the threat assessment performed on TSA PreCheck members, many TWIC® applicants meet the criteria for the TSA PreCheck Application Program and may be eligible for expedited security screening. In addition to having a valid STA, the credential holder must meet citizenship and residency requirements, and the credential must have been approved without a waiver. TWIC® cardholders must use an active TWIC® Credential Identification Number (CIN) that has not been canceled. The CIN is printed on the back lower left-hand corner of the
TWIC® card. TSA will notify eligible TWIC® holders via the TSA public website; stakeholder events; TWIC® mailing documents; customer service representatives; and Federal, State, and local partners. TSA developed the following FAQ’s to initiate outreach to eligible transportation workers..”

 FAQ’s

For TSA PreCheck™ information, please visit: https://www.tsa.gov/precheck

NVIC 01-20, CG-5P Policy Letter 08-16
& the Facility Inspector – Cyber Security Job Aid (updated)

By David E. Majors, V.P., MARSEC Corp.

Download a PDF version of this write-up HERE

The Coast Guard has become extremely concerned about threats from the
cyber world and how they affect your facility or vessel. The bulk of the interest is in regard to facilities, so that is the audience I will primarily address in this article.

The Coast Guard’s interest became particularly piqued following the June
2017 NotPetya Ransom-ware attack on A.P. Moller-Maersk, which moves
approximately one-fifth of the world’s freight. By the time the situation was
resolved, the company suffered losses in the range of $350 million. And at that,
considered themselves lucky as it turned out that their data had not actually been
taken but “only” blocked so that they could not access it.

See this:
ComputerWeekly.com article for details and lessons learned, “NotPetya offers
industry-wide lessons, says Maersk’s tech chief.”
When the Coast Guard gets interested in something, we get new guidance
and thus we have received three recent such pieces. The first was CG-5P Policy
Letter 08-16. It is entitled “Reporting Suspicious Activity and Breaches of
Security.” My personal view of this document is that it is extremely useful, even if
you have NO cyber-security related equipment on your facility.
Having been in the maritime security consulting business for quite some
time, I have been asked, more times than I can count, about some particular
event that had occurred at a facility and whether it needed to be reported to
either the local Coast Guard Captain of the Port (COTP) or the National Response
Center (NRC). PAC 08-16 will help you to answer that question should such an
unusual event occur at your facility as it gives guidance not just for cyber-related
incidents, but for both Suspicious Activity (SA) and Breaches of Security (BoS) and
how the Coast Guard views a variety of such events.
PAC 08-16 also introduces a new office that you should be aware of, the
National Cybersecurity and Communications Integration Center (NCCIC). Its
function is “as a national nexus of cyber and communications integration for theFederal Government, intelligence community, and law enforcement. For cyber
incidents that do not also involve physical or pollution effects, the Coast Guard
allows reporting parties to call and report the incident to the NCCIC in lieu of the
NRC, as the NCCIC may be able to provide technical assistance to the reporting
party.” The PAC goes on to state that, “It is imperative that the reporting party
inform the NCCIC that they are a Coast Guard regulated entity in order to satisfy
the reporting requirements of 33 CFR 101.305. The NCCIC will forward the report
electronically to the NRC, who will notify the appropriate COTP.” In my opinion
you are best off if you continue to make such reports directly to the NRC, so you
do not have to worry about whether such notification has occurred. If you do it
yourself, then you are CERTAIN. Then, if you believe that NCCIC may be of
assistance, contact them at (888) 282-0870.
You should also be aware of their sub-unit, ICS-CERT, which is apparently at
least partially staffed with USCG members, and who may be able to offer
assistance, particularly in any case you may experience that involves hacking of
industrial control systems.
If you have a Marsec® Corporation written Facility Security Plan (FSP) dating
from November 29, 2017 or later, your Plan should already have excerpts from
PAC 08-16 included within Section 15 Security Incident Procedures. Again, these
are mostly concerned with reporting procedures and as such do not impose any
significant additional burden on facilities.
On February 26, 2020, NVIC 01-20 Guidelines for Addressing Cyber Risks at
Maritime Transportation Security Act (MTSA) Regulated Facilities was released.
While the NVIC is described as not changing any legal requirements, and not
imposing any new requirements on the public, it will most certainly require
considerable additional work on your part. Essentially, this NVIC requires facilities
to assess their level of cyber-security, identify any vulnerabilities and identify
measures to mitigate those vulnerabilities. Regulations require that any
cybersecurity vulnerabilities identified in the Facility Security Assessment (FSA)
must be addressed in the Facility Security Plan (FSP) or Alternative Security
Program (ASP).
As is always the case, “mitigate” does NOT necessarily mean “eliminate”. In
an ideal world that would be the case, but in the real world, with an ever-evolvingcyber threat picture, a threat eliminated on one day is often replaced by another
soon thereafter.
Due dates for this assessment are described by this statement in the March
25, 2020 USCG Maritime Commons, “Beginning 10/01/2021, facilities that need to
submit cyber FSA and FSP/ASP amendments or annexes should do so by the
facility’s annual audit date, which is based on the facility’s FSP/ASP approval date.
COTPs will still have the flexibility based on resource demands, or based upon
request from a facility, to adjust when submissions are received, as long as all
facility FSA and FSP (Headquarters for ASPs) submissions are received by the end
of the one year period, no later than 10/01/2022.” It goes on to state that
whoever conducts the cyber portion of this audit should also be a signatory on
the audit letter and list their qualifications. Your IT Department, if you have one,
should certainly be made aware of this fact. I HIGHLY recommend that this cyber
assessment be completed PRIOR to your usual annual audit as it is otherwise
HIGHLY likely to impose significant delays on audit completion.
The NVIC also stipulates that you need not provide the names of products,
such as anti-virus programs, that you are using at the time of the cyber
assessment. You should however supply enough information that your Plan
reviewer can see that the measures you take for mitigation are appropriate for
the identified vulnerabilities.
A Frequently Asked Questions (FAQ) page has been developed and is
expected to be updated based on questions and feedback received. The FAQ can
be accessed at 01-20 FAQ. Additional information that may be useful in
performing these assessments is included on this same page as a list of sector
specific Maritime Specific Cybersecurity Framework Profiles. The tool used to
develop them is apparently the NIST Framework. This guidance includes an
Overview and guidance for specific sectors including; Maritime Bulk Liquid
Transfer, Offshore Operations, Passenger Vessel, and one entitled, “Industry
Cybersecurity Processes and Profile Mappings” that appears to be focused on the
energy industry.
The third piece of guidance released is called the Facility Inspector Cyber
Job Aid. Like the twenty-six page checklist in NVIC 03-03 CH 2 that has been in use
for some time to review your Plan, it contains a fourteen-page checklist for the
Coast Guard’s Plan reviewers to use when reviewing the cyber aspects of your
FSP.SO WHAT DOES THAT MEAN FOR MY FACILITY?
For a very few small facilities with little computerized equipment, it may
not mean much. If you can answer “No” to the following three questions, it may
not be a stretch to describe the vast bulk of the listed items in the checklist as
being N/A;
1. Is data stored off-site (or both on and off-site)?
2. Does data have a critical link to safety or security functions?
3. Could a computer or other cyber-system failure result in a
Transportation Security Incident?
Please note that Transportation security incident (TSI) means “a security incident
resulting in a significant loss of life, environmental damage, transportation system
disruption, or economic disruption in a particular area”.
It will be more complicated if you do not fall into this category. In the
comments within the Federal Register discussing NVIC 01-20, several questions
were raised (some of them by Marsec Corporation) and answered by the Coast
Guard. Below are a selection of those most critical along with other issues of
which you should be aware;
1. Doubt was expressed about the Coast Guard’s capability to perform Plan
Review of cyber assessments at the unit level. The downside being that
if this is too complex to task to the usual Plan Reviewers, then all FSPs
would have to be funneled through a higher echelon office, slowing the
process to a near grinding halt. In response, the Coast Guard replies that
among other things, the time preceding 10-01-21 will be used to
familiarize their reviewers with these processes. The Facility Inspector
Cyber Job Aid is designed to resolve this issue.
2. While the Coast Guard encourages the use of the Institute of Standards
and Technology’s Cyber Security Framework (NIST CSF) to improve the
facility’s cyber posture above what is outlined in the (sample
procedures) outlined in the NVIC, and provides links on the FAQ page, to
the Framework, guidance is flexible allowing each facility to create
solutions that fit its specific needs and changing risks. The NVIC
therefore should not be viewed as a checklist of prescribed cybersecurity solutions. (Author’s note): The “Framework” itself as well as anadditional link with a short PowerPoint (described as Framework V1.1
Downloadable Presentation) is available at
https://www.nist.gov/cyberframework/framework
3. The comments stress that this is not “new” regulation, but instead is an
integral part of a Facility Security Assessment (FSA). The reasoning was
the following wording from 33 CFR 105.300(d) which states that “Those
involved in a FSA must be able to draw upon expert assistance in the
following areas, as appropriate: (long list of qualifications follows, but
included among them are:) (11) Radio and telecommunications systems,
including computer systems and networks”. “The Coast Guard believes
this includes the expertise needed to self-assess risk and establish
security measures to counter the risks involved with a MTSA-regulated
facility’s computer systems and networks.” (Author’s Note: QUITE the
reinterpretation in my humble opinion).
4. Recommends viewing an American Bureau of Shipping webinar entitled
“Marine Transportation System Cyber Awareness”. The focus is on
identifying cyber systems that are related to MTSA regulatory functions
or that could cause or contribute to a Transportation Security Incident
(TSI). (Author’s note: I also recommend viewing this as it covers the
differences and interfaces between Information Technology (IT), (often
handled at corporate level) and Operational Technology (OT), (often
handled locally) and how they are being more frequently linked. It
certainly helps clarify what equipment should be considered when
performing this assessment.
5. The Federal Register comments stress that this applies to MTSAregulated facilities but not to Ports, except those Ports that are MTSAregulated.
6. While the due dates are not included in the Federal Register, (see the
linked Maritime Commons article above for those), the comments state
that the assessment must be completed, and that Plans must be
amended by either revising current FSPs or attaching a cyber-annex to
the FSP. In either case, those would be the only portions of the FSP to be
reviewed and re-approved.I anticipate that in Marsec® Corporation drafted Plans, this will actually
result in a blend of the two with short inputs into several Sections of our
Plans to deal with Section-specific suggested items listed in the NVIC
plus a new Appendix composed of a report supplied by the client’s IT
Department showing the vulnerabilities noted and security measures in
place to deal with them. It is our intention to scan these reports into this
Appendix in their entirety.
FSOs should ensure that the company’s IT department is provided
access to all of the guidance linked within this article so they are fully
aware of both the guidelines and the tools that the Coast Guard will be
using to assess their reports (i.e. the Facility Inspector Cyber Job Aid).
“Writing to the Job Aid”, is highly encouraged. Especially in terms of
aligning the report to the checklist in the Job Aid so that the things that
the CG’s reviewers are looking for fall in the same order as shown in that
Aid. The cyber-Amendments included within your Plan are MUCH more
likely to be approved on the first try if the reviewers can easily relate the
line items in the job aid with the information in your report. Remember,
these reviewers are UNLIKELY to be full-time IT professionals. On the
contrary, they will likely be the same Coast Guard Petty Officers who
have reviewed the rest of the Plan dealing with the usual physical
concerns. So PLEASE make it easy for them to find what they are looking
for in the order they expect to find it.
7. Procedures for managing software updates and patch installations
should be described in the FSP.
8. The burden for conducting cyber-security assessment falls on the
facility. The good news is that how it is achieved is not limited unlike
those for physical security audits. In short you may use your own IT
department staff to conduct the assessment, should you wish. In most
cases, this is likely to be the desired approach due to the fact that there
is probably no one more familiar with your systems than your own staff members managing them.
Within NVIC 01-20 itself, descriptive recommendations of wording to include
within the FSP, applying to particular Sections within your Plan are shown in italics following citations describing that Section. Below is one for Section 3, Drills &
Exercises;
“Drills and Exercises”
33 CFR 105.220
33 CFR 106.225
Describe how drills and exercises will test cyber security vulnerabilities of the FSP.
Facility owners and operators may wish to meet this requirement by employing
combined cyber-physical scenarios. In general, drills and exercises must test the
proficiency of personnel assigned to security duties and enable the Facility Security
Officer (FSO) to identify any related security deficiencies that need to be
addressed.”
As noted in paragraph 6 above, Marsec Corporation has drafted language to cover
all of these within our sample FSP (and which we intend to use within our client’s
Plans, with their approval).
Our foremost concerns in doing so, were that the procedures be;
(1). Reasonably easy to understand and achieve
(2). Minimally consuming of the security department’s time and resources
(3). Meet the Coast Guard’s concerns
In this particular case, the wording we used stipulated that at least one of the
facility’s four required drills each year would involve a cyber-security aspect.
It has also come to our notice that certain Captains of the Port are requiring that
this be performed on all “new” or “renewed” Plans being submitted as of now.
And that is all we have for you at this time. There is a fair chance that additional
guidance will appear prior to October 1, 2021. If so, it is our intention to add it to
this page

Please contact BgMarsec@aol.com or call us at one of the following numbers should you have any questions or for more information: 

Gulf Coast Office: (225) 295-5648

Bob Gobert: (630) 399-3962  | Kent Lirette : (985) 278-2259.

Mid-West Office: (219) 326-6460

David Majors: (630) 759-3962

————————————————————–

2021 Security Officer Training Schedule:

Upcoming Virtual Training Dates:

July 14-15th, 2021 (Closing Soon)

August 10th-11th, 2021

September 14th-15th, 2021

October 12th-13th, 2021

ADDITIONAL DATES AVAILABLE UPON REQUEST!!