
“Integrity Matters”

By David E. Majors, CWO4, MSSE, USCG, Ret.

The Coast Guard has recently released several pieces of guidance over the past few years to industry. Upon which I will comment in more technically useful detail in future articles. In at least two of these I have noticed a disturbing lack of the openness I had long come to expect from the organization where I spent twenty-eight plus years in service. Loving that organization as I long have, I have been known to wear the proverbial “rose-tinted glasses” in my view of this agency, upon more than one occasion. So I find the tactics and rationale used as justifications for putting additional burdens on industry in both cases are worthy of notice and if my poor comments can make any difference in the direction of that usually very honorable organization, I must try. If for no other reason, so that those in service today, too, can one day feel largely justified in wearing those same glasses.

My comments here are strictly my own and not those of Marsec Corporation or any other person or entity. I also do not dispute the value or lack of value of either the TWIC Reader and accompanying guidelines for its use or the value or lack of value of performing an analysis of cyber-security vulnerabilities and accompanying guidelines. I only question the way some of this has been accomplished.

The two items in question are the Coast Guard’s comments in two Federal Registers, the first regarding the Transportation Worker Identification Credential (TWIC) Reader Requirements; Delay of Effective Date (85 Federal Register 13493) dated 03/09/2020, the second regarding NVIC 01-20 Guidelines for Addressing Cyber-Risks at MTSA Regulated Facilities, (85 Federal Register 16108) dated 03/20/2020.

Commencing in 2007, with the “Transportation Worker Identification Credential Implementation in the Maritime Sector; Hazardous Materials Endorsement for a Commercial Driver’s License; Correction” (72 Federal Register 14049) the Coast Guard began a rule-making process eventually requiring that all persons requiring unescorted access to a Secure Area on a regulated facility or vessel, as well as all U.S. licensed and credentialed mariners hold a valid TWIC. All others would require escorting when within such Areas. The justification at that time, while somewhat controversial, was that this would enhance security in the maritime industry, something that the Congress had mandated within the SAFE Port Act of 2006, be performed in the wake of the 9-11 terrorist attacks. This was succeeded by NVIC 03-07 Guidance for the Implementation of the Transportation Worker Identification Credential (TWIC) Program in the Maritime Sector dated July 02, 2007.

After several years of slow progress in working out how it might come to fruition, the Coast Guard issued the long awaited 81 Federal Register 57651 dated August 23, 2016, also known as the TWIC Reader Final Rule. This rule required the use of electronic access systems capable of denying entry for persons whose cards were on the (TWIC) Cancelled Card List into Secure Areas on certain vessels, specifically, those U.S. flagged vessels carrying in excess of 1000 passengers, of which there is only one, Norwegian Cruise Lines, Pride of America sailing out of Honolulu. It also required those facilities accepting vessels carrying more than 1000 passengers and all facilities handling Certain Dangerous Cargoes, to utilize these electronic means of access. And here is where things get questionable.

The main issue here has been the difference between the treatment of CDC facilities within Policy Advisory Council (PAC 20-04) and the Coast Guard’s NEW and at the time of issuance of 81 Federal Register 57651, clearly under-emphasized re-interpretation of the definition of such facilities coming as a complete SURPRISE to industry. See Enclosure 2 to the case file for US District Court for the Eastern District of Virginia at the above link.

Excerpts from the Coast Guard’s responses in 85 Federal Register 13493 describe their view of the situation best; “This requirement was established in 2003, and, while the term ‘‘CDC Facility’’ was not defined in regulation, a subsequently-issued policy document from the Policy Advisory Council (PAC 20–04) stated that ‘‘in order for a facility to classify as a CDC Facility, a vessel-to-facility interface must occur, or be capable of occurring, and involve the transfer of CDC’s in bulk.’’ 22 PAC 20–04 also stated that facilities receiving CDC from entities other than vessels, such as rail cars and tanker trucks, would not be considered CDC Facilities, but that the Facility Security Plan (FSP) for these facilities ‘‘must address the fact that they handle such cargoes.’’ 23 This explanation of the meaning of ‘‘CDC Facility’’ contrasted markedly with the elucidation of the phrase ‘‘facilities that handle Certain Dangerous Cargoes in bulk’’ provided in the 2016 TWIC Reader final rule. In that document, we stated that, in the situation where a facility stored or used CDC, or the facility was used to transfer CDC in bulk through rail or other nonmaritime means, ‘‘such a facility would be considered to ‘handle CDC in bulk’ and would be classified as Risk Group A.’’ 24 We went on to say that ‘‘this is because the bulk CDC would be on the premises of a MTSA-regulated facility, and thus the facility’s access control system would need to be used to mitigate the risk of a TSI.’’ 25 While the terms ‘‘CDC Facilities’’ and ‘‘facilities that handle CDC in bulk’’ sound similar, they are not identical, and the Coast Guard did not intend to conflate the two terms or use them interchangeably. The Coast Guard never used the term ‘‘CDC Facilities’’ in any of the TWIC Reader rulemaking documents and has been using consistent language since the publication of the Advance Notice of Proposed Rulemaking (ANPRM) in 2009 (74 FR 13360).”

The bottom line being, that whoever at the Coast Guard drafted the Federal Register either DIDN’T know that PAC 20-04 existed and how it interpreted the term “CDC facility” (while industry was VERY aware of it) or the drafter of the proposed TWIC Reader Final Rule should have taken it into account and CLEARLY explained that a new interpretation was being pursued, but failed to do so, denying industry their opportunity for comment. And now, being unwilling to simply admit to their error, while in pursuit of their goal to expand the scope of the requirement for these readers at such facilities, they are attempting to claim that industry SHOULD have understood that there was a difference between the terminology used in PAC 20-04 and that used within the various TWIC Reader rulemakings. To make matters worse, after multiple requests from industry throughout the period following August 23, 2016 industry made numerous attempts to obtain clarification from the Coast Guard. Yet none was forthcoming until June 1, 2018 with the deadline for submission of Amendment Facility Security Plans being August 23, 2018. My response to all of this is, “COME ON COAST GUARD…YOU’RE BETTER THAN THAT!”

Which brings us to the comments within the rulemaking for NVIC 01-20. Wherein the statement is made that “This NVIC does not impose any new burdens or requirements on MTSA-regulated facilities. As discussed above, current Coast Guard regulatory authority in 33 CFR parts 105 and 106 already requires MTSA-regulated facilities to evaluate their computer system and network vulnerabilities in their FSAs and address them in the FSPs.” I disagree. Vehemently. My fourteen years of successfully drafting Facility Security Plans and having them Approved by a variety of Coast Guard Captains of the Port (COTPs) clearly shows that this has NEVER been a Coast Guard wide policy, although certain COTPs did occasionally request it be considered, or at least it was not widely known to be so by the field offices. Again, I do not dispute the VALUE of considering cyber-security as being within the realm of facility vulnerabilities. But I DO dispute this statement which boils down to “it has always BEEN a requirement”. It most assuredly, has NOT. Or at least had not been understood by the bulk of COTPs over a period of many years to have been one. This is not what I consider to be an honest statement of the facts. And it was not even needful that it be made this way.

At times like this, I am reminded of one of those individuals I most admire. Sadly, he is no longer with us. A man who lived and breathed INTEGRITY. Something I have long also believed to be a primary characteristic of my beloved Coast Guard. This man I first came to know something about when a very unusual act of his showed up in the newspapers.

It seems that there was a large gathering of his U.S. Navy juniors. And at that gathering a young sailor whose wife had died and left him a single parent, had requested a “hardship discharge” but was denied by the Navy’s Personnel Branch, and was wanting to know whether there was anything else he could do to get one.

On the spot, this Admiral replied simply, “Your request is granted”. Leaving the young sailor absolutely, SPEECHLESS, as this NEVER happens in a military setting! (Because the leader who did so would have to deal with making it happen). This resulted in an entire room full of some of the toughest men and women on the planet standing there stunned and in tears that one of their top leaders SO cared about his (and their) junior people that he would inconvenience himself to look after one in need.

This leader among leaders was the first American sailor to have risen through the enlisted and then the officer ranks, to reach the exalted position of the Chief of Naval Operations, Admiral Jeremy Boorda, US Navy.

In 1995, Admiral Boorda realized that he had made a mistake in following the directions of his senior, Admiral Elmo Zumwalt, to wear two combat “V”s on his military ribbons for his service in Vietnam. He immediately removed them, after finding out that the paperwork did not support this.

When it became public in 1996 that he had worn these in a newspaper article describing it in terms that implied it was an act of “stolen valor” despite there being no indication that it had been anything but an honest mistake, he could not withstand the shame he felt it brought on the Navy and committed suicide.

While I would NEVER suggest taking things to that level, there is little doubt that he PERSONIFIED integrity. At a level few of us will ever meet. He remains to this day, a very beloved figure within the U.S. Navy and a prime example of what every leader in any organization should strive to be.

Integrity MATTERS. And is an area where regarding these two pieces of guidance I sincerely wish my alma mater would have been less tone deaf.