The U.S. Coast Guard on March 20 issued its Cyber - Navigation and Vessel Inspection Circular to establish cyber expectations for Maritime Transportation Security Act (MTSA) facilities. ILTA commented on the draft NVIC in July 2017.
While the MTSA regulation has always required facilities to address “measures to protect radio and telecommunication equipment, including computer systems and networks” in their Facility Security Assessments and Facility Security Plans, the Cyber NVIC “updates” the USCG’s compliance expectations to align to changing cybersecurity risk. To assist the MTSA-regulated community understand these broad expectations, the Cyber NVIC identifies specific FSP sections that may be applicable in the cyber context, including, among others, training, access control, and drills and exercises.
A facility may complete its cyber FSA and FSP updates at any time – but required updates do not begin until October 1, 2021. After this date, “facilities should submit cyber FSA and [FSP] amendments or annexes by the facility’s annual audit date, which is based on the facility’s [FSP] approval date.” In other words, the USCG expects cyber FSA and FSP updates to occur between the third quarter of 2021 and the third quarter of 2022, as long as the updates are received prior to the FSP audit for that period.