ALGOMARINE at Menominee, 2012

ALGOMARINE at Menominee, 2012
ALGOMARINE at Menominee, 2012. Courtesy Dick Lund

Thursday, June 18, 2015

Coast Guard Releases Cyber Strategy

On June 16, 2015, the U.S. Coast Guard issued its Cyber Strategy.  The document may be found at http://www.uscg.mil/seniorleadership/DOCS/cyber.pdf.  

The document opens with a sobering statement of the problem: “Cybersecurity* is one of the most serious economic and national security challenges we face as a Nation. Government systems—including Coast Guard systems—face a mounting array of emerging cyber threats that could severely compromise and limit our Service’s ability to perform our essential missions.” “In the digital age…there is no strategic objective the Coast Guard can adequately meet—or operational mission the Coast Guard can fully perform—without a robust and comprehensive cyber program.*”

The asterisks link to definitions, and this document gives us a good range of definitions of cyber-related terms.  Definitions, so important to the MTSA community, are found in Appendix I, and definitions sources are from a variety of documents and explain many cyber-related terms, including:
Cybersecurity breach – Unauthorized access to data, applications, services, networks and/or devices, by-passing their underlying security mechanisms. A cybersecurity breach that may rise to the level of a reportable Maritime Transportation Security Act (MTSA) security breach occurs when an individual, an entity, or an application illegitimately enters a private or confidential Information Technology perimeter of a MTSA-regulated facility or vessel, Maritime Critical Infrastructure/Key Resources, or industrial control system such as Supervisory Control and Data Acquisition systems, including but not limited to terminal operating systems, global positioning systems, and cargo management systems.

Reproduced in its entirety below is the Executive Summary. Port security stakeholders are encouraged to read the entire document.

The Coast Guard is committed to ensuring the safety, security, and stewardship of our Nation’s waters. This commitment requires a comprehensive cyber strategy that provides a clear framework for our overall mission success.

Cyber technology has fueled great progress and efficiency in our modern world. Coast Guard operations are more effective because of the rapid evolution in cyber technology, and advanced technologies have also led to an unprecedented era of efficiency of the Maritime Transportation System (MTS). However, with these benefits come serious risks. Information and its supporting systems are continually attacked and exploited by hostile actors. Foreign governments, criminal organizations, and other illicit actors attempt to infiltrate critical government and private sector information systems, representing one of the most serious threats we face as a nation.

As the Coast Guard relies on modern digital information and communications systems to execute its missions, the Service must defend against those who threaten them. The Coast Guard must also build and sustain an operational advantage in cyberspace to ensure optimal integration of information and intelligence with our operations. Moreover, the Coast Guard must lead the effort to protect maritime critical infrastructure from a broadening array of cyber threats.

To fully ensure the Coast Guard is able to perform its essential missions in the 21st Century, it must fully embrace cyberspace as an operational domain. To this end, the Coast Guard will focus on three specific strategic priorities in the cyber domain over the next ten years:
•             Defending Cyberspace
•             Enabling Operations
•             Protecting Infrastructure

Defending Cyberspace: Secure and resilient Coast Guard IT systems and networks are essential for overall mission success. To ensure the full scope of Coast Guard capabilities are as effective and efficient as possible, the Coast Guard must serve as a model agency in protecting information infrastructure and building a more resilient Coast Guard network.

Enabling Operations: To operate effectively within the cyber domain, the Coast Guard must
develop and leverage a diverse set of cyber capabilities and authorities. Cyberspace operations, inside and outside Coast Guard information and communications networks and systems, can help detect, deter, disable, and defeat adversaries. Robust intelligence, law enforcement, and maritime and military cyber programs are essential to enhancing the effectiveness of Coast Guard operations, and deterring, preventing, and responding to malicious activity targeting critical maritime infrastructure. Coast Guard leaders must recognize that cyber capabilities are a critical enabler of success across all missions, and ensure that these capabilities are leveraged by commanders and decision-makers at all levels.

Protecting Infrastructure: Maritime critical infrastructure and the MTS are vital to our
economy, national security, and national defense. The MTS includes ocean carriers, coastwise shipping along our shores, the Western Rivers and Great Lakes, and the Nation’s ports and terminals. Cyber systems enable the MTS to operate with unprecedented speed and efficiency. Those same cyber systems also create potential vulnerabilities. As the maritime transportation Sector Specific Agency (as defined by the National Infrastructure Protection Plan), the Coast Guard must lead the unity of effort required to protect maritime critical infrastructure from attacks, accidents, and disasters.

Ensuring Long-term Success: In support of the three strategic priorities, this Strategy
identifies a number of cross-cutting support factors that will ensure the Coast Guard’s long-term success in meeting the Service's strategic goals in the cyber domain. These include:
(1) recognition of cyberspace as an operational domain,
(2) developing cyber guidance and defining mission space,
(3) leveraging partnerships to build knowledge, resource capacity,
and an understanding of MTS cyber vulnerabilities,
(4) sharing of real-time information,
(5) organizing for success,
(6) building a well-trained cyber workforce, and

(7) making thoughtful future cyber investments.

Friday, June 12, 2015

TSA Posts Notice Regarding Resolution of Delays in Processing TWIC Cards, with Caveat

On June 12, 2015, the Transportation Security Administration posted the following notice at http://www.tsa.gov/stakeholders/transportation-worker-identification-credential-twic:

1) UPDATED! TWIC Processing Delays: The previously announced delay in processing some TWIC applications has been resolved.  Most applicants will receive a TWIC within a month of enrolling, and often in about two weeks.  However, despite progress in reducing processing delays for the small number of applicants whose criminal or immigration records indicate that they may not be eligible for a TWIC, those applicants may still experience a two-and-a-half month wait before receiving a TWIC or notification from TSA.
To ensure all eligible applicants receive a new or renewal TWIC before it is needed for work we continue to strongly encourage all applicants to apply for their TWIC at least 10 to 12 weeks prior to when the card will be required to avoid inconvenience or interruption in access to maritime facilities.

_______________________________________________________

Takeaways from this notice: applicants with anything in their background that might result in a application refusal on criminal history or immigration grounds may still experience a lengthy delay.  It remains to be seen if persons with clean backgrounds continue to experience lengthy delays.  Employers would be well-served to take TSA’s advice and assume that the application process will take 10 – 12 weeks.


The only way to find out if anything new has been posted on the TSA TWIC website is to check it daily.  At the bottom of the site is a revision date.  If this date has changed, new material has been added.  Do not rely on the NEW!  verbiage on notices because TSA does not remove this on a timely basis.

Friday, May 29, 2015

MTSA Training Course Update from Maritime Commons

Maritime transportation security act training course update -

On May 28, 2015, the following was posted on the Coast Guard’s Maritime Commons blog, at http://mariners.coastguard.dodlive.mil/2015/05/28/5282015-maritime-transportation-security-act-training-course-update/:

“The Coast Guard is pleased to see the large number of maritime industry employees who choose to take part in the voluntary Maritime Transportation Security Act Training Course Program, choosing to attend courses reviewed and approved via a Coast Guard accepted Quality Standard System, or QSS.

The Coast Guard was informed that one of the accepted QSSs, Det Norske Veritas – Germanischer Lloyd, has withdrawn from certifying FSO, CSO, MSLEP and FPSSD courses. The American Bureau of Shipping is a QSS organization accepted by the Coast Guard and continues to participate in the certification process of these courses.
Additional information can be found on the Coast Guard’s facilities webpage.

Effective security training for maritime industry professionals is critical to the success of the nation’s security efforts. As the Coast Guard continues to develop regulations to establish comprehensive FSO training requirements, maritime industry employees with security duties are strongly encouraged to take approved courses.”

Here are some take-aways from this post:
1.  At this point, ABS is the sole course certifier for FSO, CSO, MSLEP and FPSSD.
2.  The Coast Guard continues to “strongly encourage” maritime industry employees with security duties to take approved courses. Because the new regulation mandating training is not yet in effect, strongly encourage is all they can do, but a word to the wise ought to be sufficient.

Persons who are hoping  that the Coast Guard may grandfather any FSO currently serving or who has received any sort of FSO training (4 hours? 2 hours?), and only require new FSOs to become certified under the new regulations, should probably take a look at the communications that have come out from CG-FAC supporting approved courses.

Monday, March 23, 2015

TSA Notice Concerning Reporting Non-Receipt of Mailed TWICs

Today the Transportation Security Administration posted a notice concerning persons who have enrolled for a TWIC card, received notification that the card has been mailed, and then fail to receive the card through the mail. The notice is at http://www.tsa.gov/stakeholders/transportation-worker-identification-credential-twic. This is the "down side" of the TSA one-visit program. It remains to be seen how many of the cards will fail to reach the end receiver.  Persons who have received the card through the mail tell me that the envelope is clearly marked "Transportation Security Administration".

The notice is printed in its entirety below.

NEW! Reporting Non-Receipt of Mailed TWICs: TWIC applicants who request to receive their TWIC card by mail will receive a phone or email notification that the card has been mailed.  After notification that the card has been mailed, applicants have 60 days to report non-receipt of the card by contacting the Universal Enrollment Services (UES) Call Center at: (855) 347-8371. Failure to report non-receipt of the card within 60 days will result in a $60 fee to replace the lost card.

Monday, February 9, 2015

From Coast Guard Maritime Commons blog today, a reminder that USCG has not yet made final decision on transportation of fracking water (Shale Gas Extraction Waste Water, or SGEWW, in bulk) by barge

From Coast Guard Maritime Commons today, a reminder that USCG has not yet made final decision on transportation of fracking water (Shale Gas Extraction Waste Water, or SGEWW, in bulk) by barge, at http://mariners.coastguard.dodlive.mil/2015/02/06/262015-coast-guard-has-not-taken-final-action-on-proposed-policy-letter-for-carriage-of-cargo/

This blog, Coast Guard Maritime Commons, is a wonderful source of information on many maritime topics, including security.  It should be required reading for FSOs. FSOs can sign up at the blog site to be notified of new postings. The posting on fracking water is reproduced below:

The Coast Guard reiterated Thursday that it has not taken final agency action or approved requests for the carriage of Shale Gas Extraction Waste Water, or SGEWW, in bulk.

“The Coast Guard has not taken final agency action on the June 2012 request to carry Shale Gas Extraction Waste Water,” stated CAPT John Mauger, Chief of the Office of Design Engineering Standards at Coast Guard Headquarters. “Our action on this request is still pending our analysis of the comments received during the public review of our proposed policy.”

In June 2012, the Coast Guard received a request to classify and carry SGEWW for bulk transportation via barge. The regulations in 46 CFR 153, require the Coast Guard’s Office of Design and Engineering Standards to assess the hazards and classify a cargo before it can be carried in bulk.

In October 2013, the Coast Guard published a draft policy that proposed conditions for carriage of this cargo. No decision regarding the carriage of this cargo has been made.

As described in the draft policy, the proposed standards would not supersede existing allowances for oil field wastes to be shipped as hazardous wastes under long-standing Coast Guard policy in Navigation and Vessel Inspection Circular 7-8 7, Guidance on Waterborne Transport of Oil Field Wastes. This policy describes the oil field wastes and provides several examples. Under this policy, vessels carrying hazardous waste are subject to inspection. Further, waterfront facilities involved in the handling, storage or transfer of hazardous waste are regulated by the Coast Guard under 33 CFR, Part 126.


- See more at: http://mariners.coastguard.dodlive.mil/2015/02/06/262015-coast-guard-has-not-taken-final-action-on-proposed-policy-letter-for-carriage-of-cargo/#sthash.WWyTbfcS.dpuf

Update to TSA TWIC NEWS Posting on Truncated Last Name on TWIC Card

TSA has posted an update to the issue concerning persons with last names of more than 14 characters who have enrolled for a TWIC.  The take-away for FSOs is, "TSA is exploring ways to print the full last name on the card regardless of the number of characters.  Security personnel should be aware that some TWIC holders will have authentic cards although their full last name, as printed on the card, may be truncated." 
(Off topic: I made a request to John Schwartz that updated and new items on this website be posted with a date so we can figure out what was posted when.  He advised that that was already being considered.  I see that they are still considering it.) 
Truncated Last Name on TWIC Card: TWIC cards issued since May 2014 truncated the number of characters printed on cards for individuals with long last names.  Version 2.3 TWIC® cards printed prior to 12/12/2014 printed only the first 14 characters of a person’s last name.  The number of characters includes spaces, hyphens, and apostrophes in the person’s last name.  The printed last name is always followed by a comma. If a person’s last name exceeds 14 characters, all characters after the 14th are not printed.  A comma follows immediately after the 14th character.
Version 2.3 TWIC cards printed on or later than 12/12/2014 are printed with a maximum of last name 19 characters, followed by a comma.
Despite the limited space available on the card, TSA is exploring ways to print the full last name on the card regardless of the number of characters.  Security personnel should be aware that some TWIC holders will have authentic cards although their full last name, as printed on the card, may be truncated.

Tuesday, January 27, 2015

TSA Notice Concerning TWIC Card Delay

Today, January 27, 2015, the Transportation Security Adminstration posted the following notice on its website at http://www.tsa.gov/stakeholders/transportation-worker-identification-credential-twic

NEW!  TWIC Processing Delays: Currently, some TWIC applicants are experiencing delays of more than 75 days to receive their TWIC.  We regret any inconvenience or difficulty this may be causing, and are working diligently to reduce the time it takes to process all TWIC applications.  The delay mentioned above applies to applications that involve criminal history records or immigration status that must be verified, although others may also experience a delay.  We strongly encourage all applicants to apply for their TWIC at least 10 to 12 weeks prior to when the card will be required to avoid inconvenience or interruption in access to maritime facilities.

Monday, January 5, 2015

New TWIC Enrollment Requirements for U.S.-Born TWIC Applicants

Sometime over the holidays, TSA posted the following on the TSA TWIC website:

NEW!  NEW ENROLLMENT REQUIREMENTS FOR U.S.-BORN TWIC APPLICANTS:

Starting on July 1, 2015 Transportation Worker Identification Credential (TWIC®) applicants who were born in the United States, and who claim U.S. citizenship, must provide documents to prove their citizenship.  Applicants need to bring one document from List A, or two documents from List B as shown below.

Until July 1, 2015 TWIC applicants who were born in the U.S. may continue to certify that they are U.S. citizens by checking the box on the electronically signed TWIC application and bring documents as listed on the UES website here.

TSA is making this change to align TWIC proof-of-citizenship requirements with those of other TSA programs such as the Hazardous Material Endorsement and TSA Pre✓ programs.  Requiring proof of citizenship at the time of enrollment will ensure that all TWIC applicants meet eligibility requirements for the credential.

Acceptable Documentation Providing Proof of U.S. Citizenship

List A:  Bring one of the following:
• Unexpired U.S. Passport (book or card) – demonstrates U.S. Citizenship
• Unexpired U.S. Enhanced Driver’s License (EDL) – demonstrates U.S. Citizenship if indicated on card
• Unexpired Enhanced Tribal Card (ETC) – demonstrates U.S. Citizenship
• Unexpired Free and Secure Trade (FAST) Card – demonstrates U.S. Citizenship if indicated on the card
• Unexpired NEXUS Card – demonstrates U.S. Citizenship if indicated on the card
• Unexpired Secure Electronic Network for Travelers Rapid Inspection (SENTRI) Card -- demonstrates U.S. Citizenship if indicated on the card
• Unexpired Global Entry Card -- demonstrates U.S. Citizenship if indicated on the card

List B:  Or, bring one of the following plus a government-issued photo ID:
• Original or certified copy of birth certificate issued by a State, county, municipal authority, or outlying possession of the U.S. bearing an official seal
• U.S. Certificate of Citizenship (N-560 or 561)
• U.S. Certificate of Naturalization (N-550 or 570)
• U.S. Citizen Identification Card (I-179 or I-197)
• Consular Report of Birth Abroad (FS-240)
• Certification of Report of Birth (DS-1350)
• Certification of Birth Abroad (FS-545)
• Expired U.S. passport within 12 months of expiration*

*An expired U.S. passport may not be presented by itself. It must be presented with at least one other document (and a name change document if needed).

Friday, December 26, 2014

More Detailed Analysis of NPRM on Seafarer Access

Below is a more detailed analysis of the Notice of Proposed Rulemaking that will be published in Monday Dec. 29 2014’s Federal Register, at www.gpo.gov/fdsys/pkg/FR-2014-12-29/pdf/2014-30013.pdf. For the record, my comments are based on 10 years’ work with MTSA facilities.  Some of that experience was obtained while employed in the job capacity of Facility Security Officer. My opinions are also informed by experience working for and with federal, state, and local public safety and security agencies beginning in 1976 and continuing until 2003. The comments are my own and do not reflect the opinions of the University of Findlay. 

The proposed rule will “require each owner or operator of a MTSA-regulated facility to implement a system for providing seafarers and other individuals with access between vessels moored at the facility and the facility gate. Each owner or operator would be required to implement a system, within 1 year after publication of the final rule, that incorporates specific methods of providing access in a timely manner, at no cost to the individual, and in accordance with existing access control provisions in 33 CFR part 105. We also propose to require each owner or operator to ensure that the FSP includes a section describing the system for seafarers’ access.

This rule would not affect the authority of the U.S. Customs and Border Protection (CBP) to inspect and process individuals seeking entry to the U.S. For those seafarers and other individuals subject to CBP’s authority, this rule would apply to facility owners and operators only after such seafarers and other individuals have been inspected, processed, and admitted to the U.S. by CBP.”

What does the NPRM contain?
Section 811 of the Coast Guard Authorization Act of 2010 (Pub. L. 111–281) (CGAA 2010), requires facility owners and operators to ensure shore access for seafarers and other individuals. Specifically, section 811 requires each MTSA-regulated facility to ‘‘provide a system for seamen assigned to a vessel at that facility, pilots, and representatives of seamen’s welfare and labor organizations to board and depart the vessel through the facility in a timely manner at no cost to the individual.’’ This new rule implements that section. The shore leave initiative is largely the work of the Seamen’s Church Institute. SCI has been conducting annual surveys of seafarers’ shore leave detentions and restrictions on seafarers’ and chaplains’ access through terminals in United States ports since 2002. For more information, see http://seamenschurch.org/primary-category/shore-leave.

This regulation requires owner/operators to provide timely access without unreasonable delay through the facility at no cost to the individual to seafarers and other individuals. Certain factors are specified to be used in determining whether the access is timely. Certain methods are to be used in granting access. A new FSP section on seafarer access is created, and the contents of the section are detailed.

Specifically, the proposed new rule:

Inserts a new federalism section into 33 CFR 101, 101.112, stating that 33 CFR 105 preempts State or local regulations if there is a conflict between 33 CFR 105 and State and local regulations.

Amends 105.200. Clarifies acronyms, clarifies wording.  Major changes:

CHANGES (b)(1) (1) Define the security organizational structure and provide each person exercising security duties and responsibilities within that structure the support needed to fulfill those obligations;

TO (b)(1)(1) Define the organizational structure of the security personnel and provide each person exercising security duties and responsibilities the support needed to fulfill those obligations;

CHANGES 105.200, (b)(9) ,  “Ensure coordination of shore leave for vessel personnel or crew change-out, as well as access through the facility for visitors to the vessel (including representatives of seafarers' welfare and labor organizations), with vessel operators in advance of a vessel's arrival. In coordinating such leave, facility owners or operators may refer to treaties of friendship, commerce, and navigation between the U.S. and other nations;”

TO “Ensure implementation of a system, in accordance with § 105.237 of this subpart, coordinating shore leave for vessel personnel or crew change-out, as well as access through the facility for visitors to the vessel, as described in § 105.237(b)(4) of this subpart, with vessel operators in advance of a vessel's arrival. In coordinating such leave, facility owners or operators may refer to treaties of friendship, commerce, and navigation between the U.S. and other nations;”

Inserts new section 105.237, System for seafarers access. This section has 6 subsections. (a) sets out the requirement that the facility must provide seafarers timely access at no cost to the individual, complying with the requirements of the TWIC program.  Access must be by a method specified in this section. (b) gives a list of the types of individuals who needs to be given this access. It is an expansion of the list given in the current version of 105.200 (b)(9), and includes a “catch-all” “other authorized individuals classification. (c) gives a list of factors that the owner/operator must consider when deciding the issue of “timeliness”. Owner/operators must provide the access in a timely manner without unreasonable delay, subject to review by the Coast Guard. The Coast Guard will review each FSP to ensure that the facility owner/operator has “appropriately considered” the factors listed in (c). (d) is a list of the 6 methods that may be used to perform the access. Methods allowed include types of escorting, use of third parties, monitoring, or some other arrangement with the permission of the Coast Guard. The method(s) included in the FSP will be subject to Coast Guard review and approval. The Coast Guard states that “We assume that most facilities would choose monitoring (Method 5) since the majority of them are small enough that existing security guards and/or monitoring equipment in place would be sufficient. However, if facilities choose this method, we anticipate 1 hour of training annually to review security protocol in the event that a seafarer leaves the designated passageway.” If a third party is used, a back-up method must be specified in case the third party is unable to or does not provide the required access. (e) sets out the requirement for “at no cost to the individual.” (f) describes the content of the new FSP section This is the new Section 9, System for seafarer access, which is the documentation of the facility’s system for providing the access as described in 105.237.

Complete text of this new section 105.237:
(a) Access Required. Each facility owner or operator must implement a system by (365 DAYS AFTER DATE OF PUBLICATION OF FINAL RULE) for providing access through the facility that enables individuals to transit to and from a vessel moored at the facility and the facility gate in accordance with the requirements in this section. The system must provide timely access as described in paragraph (c) of this section and incorporate the access methods described in paragraph (d) of this section at no cost to the individuals covered. The system must comply with the Transportation Worker Identification Credential provisions of this part.
(b) Individuals Covered. The individuals to whom the facility owner or operator must provide the access described in this section include—
(1) The seafarers assigned to a vessel moored at the facility;
(2) The pilots and other authorized personnel performing work for a vessel moored at the facility;
(3) Representatives of seafarers’ welfare and labor organizations; and
(4) Other authorized individuals in accordance with the Declaration of Security (DoS) or other arrangement between the vessel and facility.
(c) Timely Access. The facility owner or operator must provide the access described in this section without unreasonable delay, subject to review by the Captain of the Port (COTP). The facility owner or operator must consider the following when establishing timely access without unreasonable delay:
(1) Length of time the vessel is in port.
(2) Distance of egress/ingress between the vessel and facility gate.
(3) The vessel watch schedules.
(4) The facility’s safety and security procedures as required by law.
(5) Any other factors specific to the vessel or facility that could affect access to and from the vessel.
(d) Access Methods. The facility owner or operator must ensure that the access described in this section is provided through one or more of the following methods:
(1) Regularly scheduled escort between the vessel and the facility gate that conforms to the vessel’s watch schedule as agreed upon between the vessel and facility.
(2) An on-call escort between the vessel and the facility gate.
(3) Arrangements with taxi services, ensuring that any costs for providing the access described in this section, above the taxi’s standard fees charged to any customer, are not charged to the individual to whom such access is provided. If a facility provides arrangements with taxi services as the only method for providing the access described in this section, the facility is responsible to pay the taxi fees for
transit within the facility.
(4) Arrangements with seafarers’ welfare organizations to facilitate the access described in this section.
(5) Monitored pedestrian access routes between the vessel and facility gate.
(6) A method, other than those in paragraphs (d)(1) through (d)(5) of this section, approved by the COTP.
(7) If an access method relies on a third party, a back-up access method that will be used if the third-party is unable to or does not provide the required access in any instance. An owner or operator must ensure that the access required in paragraph (a) of this section is actually provided in all instances.
(e) No cost to individuals. The facility owner or operator must provide the access described in this section at no cost to the individual to whom such access is provided.
(f) Described in the Facility Security Plan (FSP). On or before [INSERT DATE 10 MONTHS AFTER PUBLICATION OF THE FINAL RULE], the facility owner or operator must document the facility’s system for providing the access described in this section in the approved FSP in accordance with 33
CFR 105.410 or 33 CFR 105.415. The description of the facility’s system must include.
(1) Location of transit area(s) used for providing the access described in this section;
(2) Duties and number of facility personnel assigned to each duty associated with providing the access described in this section;
(3) Methods of escorting and/or monitoring individuals transiting through the facility;
(4) Agreements or arrangements between the facility and private parties, nonprofit organizations, or other parties, to facilitate the access described in this section; and
(5) Maximum length of time an individual would wait for the access described in this section, based on the provided access method(s).

CHANGES 105.405   Format and content of the Facility Security Plan (FSP).
(a) A facility owner or operator must ensure that the FSP consists of the individual sections listed in this paragraph (a). If the FSP does not follow the order as it appears in the list, the facility owner or operator must ensure that the FSP contains an index identifying the location of each of the following sections:
(1) Security administration and organization of the facility;
(2) Personnel training;
(3) Drills and exercises;
(4) Records and documentation;
(5) Response to change in MARSEC Level;
(6) Procedures for interfacing with vessels;
(7) Declaration of Security (DoS);
(8) Communications;
(9) Security systems and equipment maintenance;
(10) Security measures for access control, including designated public access areas;
(11) Security measures for restricted areas;
(12) Security measures for handling cargo;
(13) Security measures for delivery of vessel stores and bunkers;
(14) Security measures for monitoring;
(15) Security incident procedures;
(16) Audits and security plan amendments;
(17) Facility Security Assessment (FSA) report; and
(18) Facility Vulnerability and Security Measures Summary (Form CG-6025) in appendix A to part 105-Facility Vulnerability and Security Measures Summary (CG-6025).

TO: 105.405   Format and content of the Facility Security Plan (FSP).
(a) A facility owner or operator must ensure that the FSP consists of the individual sections listed in this paragraph. If the FSP does not follow the order as it appears in the list, the facility owner or operator must ensure that the FSP contains an index identifying the location of each of the following sections:
1) Security administration and organization of the facility;
(2) Personnel training;
(3) Drills and exercises;
(4) Records and documentation;
(5) Response to change in MARSEC Level;
(6) Procedures for interfacing with vessels;
(7) Declaration of Security (DoS);
(8) Communications;
(9) System for seafarers access;
(10) Security systems and equipment maintenance;
(11) Security measures for access control, including designated public access areas;
(12) Security measures for restricted areas;
(13) Security measures for handling cargo;
(14) Security measures for delivery of vessel stores and bunkers;
(15) Security measures for monitoring;
(16) Security incident procedures;
(17) Audits and security plan amendments;
(18) The Facility Security Assessment (FSA) report; and
(19) The Facility Vulnerability and Security Measures Summary (Form CG-6025) in appendix A to part 105-Facility Vulnerability and Security Measures Summary (CG-6025).

Who will be affected by the NPRM?
The individuals granted access and the 2,498 facilities subject to MTSA.

Why does the USCG consider that a regulation is necessary?
Section 811 of the Coast Guard Authorization Act of 2010 (Pub. L. 111–281) (CGAA 2010) “requires facility owners and operators to ensure shore access for seafarers and other individuals. Specifically, section 11 requires each MTSA-regulated facility to ‘‘provide a system for seamen assigned to a vessel at that facility, pilots, and representatives of seamen’s welfare and labor organizations to board and depart the vessel through the facility in a timely manner at no cost to the individual.’’ The Coast Guard has decided that the provisions of this NPRM satisfy the requirements of the CGAA 2010 through a regulatory flexibility that offers the least costly of any alternative.

What are the costs of this proposed regulation?
There is a detailed cost break-down in the introductory material in the Federal Register notice. Some factors that I noticed when looking at the Coast Guard’s estimates of who will be affected by regulation, which will affect cost.  The Coast Guard states that in January 2010, 62% of all FSPs had been reviewed and only 4% lacked adequate seafarers access provisions, while stating elsewhere that 33 CFR does not require seafarer access measures that are “adequate” for the purposes of the CGAA 2010.  There is a huge difference between placing a sentence in an FSP to the effect, “The facility has procedures in place to ensure timely access of seafarers at no cost to the individual” and actually having a program in effect that meets the standards of the CGAA2010 and can be described out to that standard. I have looked at many FSPs and I don’t see what the Coast Guard is apparently seeing. It is not in the current plans because aside from the brief mention in the list of owner/operator responsibilities, shore leave or seafarers access is not covered in 33 CFR 105. I think the figure of facilities whose plans and programs will be affected is much higher than 10% and the corresponding cost of this regulation will be much higher.

What are the benefits of this proposed regulation?
The regulation will grant access to around 907 seafarers annually.  It will put into action a section of law passed in 2010. It will align us more closely with the Intent of the International Ship and Port Facility Security Code.

What timelines are involved?
The Coast Guard intends to hold a public meeting on this regulation in Washington, DC January 23, 2015 from 9:00 a.m. to 12:00 p.m. The deadline to reserve a seat is January 16, 2015. Comments need to be submitted by February 27, 2015.  FSPs would need to be updated within 10 months after publication of the final rule.

What will the average MTSA facility need to do to comply with this new regulation, if the final rule closely resembles this NPRM?
1. Codify the existing shore leave procedures if they have not been captured in policy or post orders. The vessel agents who service your dock are always a good source of information and advice. For example, if your policy states that the vessel needs to contact the security detail via cell phone to arrange for the on-call escort, the vessel agent will know or be able to find out the availability of cell phones on the vessels.
2.  Decide which of the 6 methods of providing access is right for your operation. If a third-party escort service will be utilized, be sure to provide a back-up method. If you have a method that is not mentioned in the new rule that you wish the Coast Guard to consider, you should get the Coast Guard approval for this method in advance of FSP submission. Contact your petty officer to see how he/she wants you to handle this issue.
3.  Absent any further policy on the subject, use the format in 105.237 (f) for the FSP Section. You can add anything you like to this section but these 5 elements (or however many survive in the final rule) must be included in the section.
3. Don’t wait til the very end of the 10-month period to submit your amended FSP! Depending on your location, the inspection corps may have a heavy lift at this time.

What does the Notice say about submitting comments?
The Notice gives the procedure for submitting comments.  The docket number is USCG–2013–1087. In the Notice, on pp.77987-77988, the Coast Guard has a list of topics on which they specifically request comments. From past presentations on the comment process, the Coast Guard has advised:
1. Don’t include comments about unrelated topics
2. Form letters aren’t particularly effective

3.  Suggest solutions to identified problems or criticisms

NPRM and Public Meeting on Seafarer Access in Monday Dec. 29 Federal Register

In Monday Dec. 29 2014’s  Federal Register, the Coast Guard issues a notice of proposed rulemaking, and a notice of public meeting, on seafarer access, at www.gpo.gov/fdsys/pkg/FR-2014-12-29/pdf/2014-30013.pdf.

The proposed rule will “require each owner or operator of a MTSA-regulated facility to implement a system for providing seafarers and other individuals with access between vessels moored at thefacility and the facility gate. Each owner or operator would be required to implement a system, within 1 year after publication of the final rule, that incorporates specific methods of providing access in a timely manner, at no cost to the individual, and in accordance with existing access control provisions in 33 CFR part 105. We also propose to require each owner or operator to ensure that the FSP includes a section describing the system for seafarers’ access.


This rule would not affect the authority of the U.S. Customs and Border Protection (CBP) to inspect and process individuals seeking entry to the U.S. For those seafarers and other individuals subject to CBP’s authority, this rule would apply to facility owners and operators only after such seafarers and other individuals have been inspected, processed, and admitted to the U.S. by CBP.”

The Coast Guard will hold a public meeting in Washington, DC to solicit comments on the proposals in this notice on January 23, 2015 from 9:00 a.m. to 12:00 p.m. The deadline to reserve a seat is January 16, 2015.

Thursday, December 18, 2014

Coast Guard Publishes Request for Comments on How to Identify Vulnerabilities to Cyber-Dependent Systems

In today's Federal Register, the Coast Guard published a notice, requesting public input from the maritime industry and other interested parties on how to identify and mitigate potential vulnerabilities to cyber-dependent systems. Information on how to comment is included in the notice.  The text of the notice can be found at http://www.gpo.gov/fdsys/pkg/FR-2014-12-18/pdf/2014-29658.pdf. The text of the notice is reprinted below.Two things should be abundantly clear to all maritime security stakeholders. #1, the Coast Guard is very serious about listening to our voice on this issue. #2, the Coast Guard takes the issue of cyber security vulnerability very seriously and has moved it up the queue of security worries. If we don't participate in this process (help drive the train) we may find ourselves being the subject of a regulatory process that could have been managed another way (grit beneath the wheels).
________________________________________________________

Coast Guard

[Docket No. USCG–2014–1020]

Guidance on Maritime Cybersecurity Standards

AGENCY: Coast Guard, DHS.

ACTION: Notice with request for comments.

SUMMARY: The Coast Guard is developing policy to help vessel and facility operators identify and address cyber-related vulnerabilities that could contribute to a Transportation Security Incident. Coast Guard regulations require certain vessel and facility operators to conduct security assessments, and to develop security plans that address vulnerabilities identified by the security assessment. The Coast Guard is seeking public input from the maritime industry and other interested parties on how to identify and mitigate potential vulnerabilities to cyber-dependent systems. The Coast Guard will consider these public comments in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.
DATES: Comments must be submitted to the online docket via http://www.regulations.gov, or reach the Docket Management Facility, on or before February 17, 2015.
ADDRESSES: Submit comments using one of the listed methods, and see SUPPLEMENTARY  INFORMATION for more information on public comments.
• Online—http://www.regulations.gov following Web site instructions.
• Fax—202–493–2251.
• Mail or hand deliver—Docket Management Facility (M–30), U.S. Department of Transportation, West Building Ground Floor, Room W12–140, 1200 New Jersey Avenue SE., Washington, DC 20590–0001. Hours for hand delivery are 9 a.m. to 5 p.m., Monday through Friday, except Federal holidays (telephone 202–366–9329).
FOR FURTHER INFORMATION CONTACT: For information about this document call or email LT Josephine Long, Coast Guard; telephone 202–372–1109, email Josephine.A.Long@uscg.mil or LCDR Joshua Rose, Coast Guard; 202–372–1106, email Joshua.D.Rose@uscg.mil.
For information about viewing or submitting material to the docket, call Cheryl Collins, Program Manager, Docket Operations, telephone 202–366–9826, toll free 1–800–647–5527.
SUPPLEMENTARY INFORMATION:
Public Participation and Comments
We encourage you to submit comments (or related material) on the questions listed below. We will consider all submissions and may adjust our final policy actions based on your comments.
Comments should be marked with docket number USCG–2014–1020, and should provide a reason for each suggestion or recommendation. You should provide personal contact information so that we can contact you if we have questions regarding your comments; but please note that all comments will be posted to the online docket without change and that any personal information you include can be searchable online (see the Federal Register Privacy Act notice regarding our public dockets, 73 FR 3316, Jan. 17, 2008).
Mailed or hand-delivered comments should be in an unbound 81⁄2 x 11 inch format suitable for reproduction. The Docket Management Facility will acknowledge receipt of mailed comments if you enclose a stamped, self-addressed postcard or envelope with your submission.
Documents mentioned in this notice, and all public comments, are in our online docket at http://
www.regulations.gov and can be viewed by following the Web site’s instructions.
You can also view the docket at the Docket Management Facility (see the mailing address under ADDRESSES) between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
Discussion
The Coast Guard is developing policy to help vessel and facility operators identify and address cyber-related vulnerabilities that could contribute to a Transportation Security Incident (TSI).1 Coast Guard regulations require certain vessel and facility operators to conduct security assessments, and to develop security plans that address vulnerabilities identified by the security assessment.2 Vessel and facility security plans must also address specific security functions, including the following:
• Communications
• Security Training Requirements
• Procedures for vessel/facility interfacing
• Declaration of Security
• Security Systems and Equipment Maintenance
• Security Measures for Access Control
• Security Measures for Handling Cargo
• Security Measures for Monitoring
• Security Incident Procedures
The Coast Guard is seeking public input on the following questions:
(1) What cyber-dependent systems, commonly used in the maritime industry, could lead or contribute to a TSI if they failed, or were exploited by an adversary?
(2) What procedures or standards do vessel and facility operators now employ to identify potential cybersecurity vulnerabilities to their operations?
(3) Are there existing cybersecurity assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI?
(4) To what extent do current security training programs for vessel and facility personnel address cybersecurity risks and best practices?
(5) What factors should determine when manual backups or other nontechnical approaches are sufficient toaddress cybersecurity vulnerabilities?
(6) How can the Coast Guard leverage Alternative Security Programs 3 to help vessel and facility operators address cybersecurity risks?
(7) How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber-systems meet appropriate technical or procedural standards?
(8) Do classification societies, protection and indemnity clubs, or insurers recognize cybersecurity best practices that could help the maritime industry and the Coast Guard address cybersecurity risks? (See also http://www.dhs.gov/publication/cybersecurityinsurance.)
Authority
This notice is issued under the authority of 5 U.S.C. 552(a).
Dated: December 12, 2014.
Captain Andrew Tucci,
Chief, Office of Port & Facility Compliance, U.S. Coast Guard.
[FR Doc. 2014–29658 Filed 12–17–14; 8:45 am]
1 A Transportation Security Incident is defined in 33 CFR 101.105 to mean ‘‘a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.’’
2 33 CFR parts 104 and 105, subparts C and D.
3 An Alternative Security Program is defined in 33 CFR 101.105 to mean ‘‘a third-party or industry organization developed standard that the Commandant [of the Coast Guard] has determined provides an equivalent level of security to that established by [33 CFR Chapter I, Subchapter H].’’


Monday, December 15, 2014

Jan. 15 2015 USCG Public Meeting In Washington DC to Receive Comments on the Development of Cybersecurity Assessment Methods for Vessels and Facilities Regulated by the Coast Guard

On Friday, December 12, 2014, the United Stated Coast Guard posted a notice of a January 15 2015 public meeting in Washington DC to receive comments on the development of cybersecurity assessment methods for vessels and facilities regulated by the Coast Guard. The docket number for submitting comments prior to this meeting is USCG-2014-1020.  Comments may be submitted both before and after the meeting.  There are several deadlines for persons interested in participating.  For attendance in person, the Coast Guard advises that seating is limited and should be reserved by the method specified in the notice NLT January 05, 2014. There will be a live video feed of the meeting.  To access the video feed, the request must be made by the means specified in the notice NLT January 13, 2015. Persons who wish to attend the meeting in person are advised of transportation and identification requirements.

My memory may be failing me but it seems to me like the last time I tried to access this building (Department of Transportation Headquarters building) two government-issued photo IDs were required, not one, as the notice specifies.  Below is the text of the notice from regulations.gov.  The supplemental documents referenced in the notice have not been posted as of noon 12/15/14.

Action

Notice of public meeting and request for comments.

Summary

The U.S. Coast Guard announces a public meeting to be held in Washington, DC, to receive comments on the development of cybersecurity assessment methods for vessels and facilities regulated by the Coast Guard. This meeting will provide an opportunity for the public to comment on development of security assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities that could cause or contribute to a Transportation Security Incident. The Coast Guard will consider these public comments in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.

Dates

The meeting will be held on Thursday, January 15, 2015 from 9:00 a.m. to 12:00 p.m. The deadline to reserve a seat is Monday, January 5, 2015. All written comments and related material must either be submitted to the online docket via http://www.regulations.gov on or before January 29, 2015 or reach the Docket Management Facility by that date.

Addresses

The public meeting will be held at the Department of Transportation Headquarters, Oklahoma Room, 1200 New Jersey Avenue SE., Washington, DC 20590; the building telephone number is 202-366-1035. The building is accessible by taxi, public transit, and privately-owned conveyance. However, public parking in the vicinity of the building is extremely limited. Meeting participants are encouraged to use mass transit.
Seating is limited, so please reserve a seat as soon as possible, but no later than January 5, 2015. To reserve a seat, please email Josephine.A.Long@uscg.mil with the participant's first and last name for all U.S. Citizens, and additionally, official title, date of birth, country of citizenship, and passport number with expiration date for non-U.S. Citizens. To gain entrance to the Department of Transportation Headquarters building, all meeting participants must present government-issued photo identification (e.g., state-issued driver's license). If a visitor does not have a photo ID, that person will not be permitted to enter the facility. All visitors and any items brought into the facility will be required to go through security screening each time they enter the building.

The Coast Guard will provide a live video feed of the meeting. To access the video feed, email a request to LT Josephine Long at Josephine.A.Long@uscg.mil no later than January 13, 2015.

The docket for this notice is available for inspection or copying at the Docket Management Facility (M-30, U.S. Department of Transportation, West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue SE., Washington, DC 20590, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. You may also find this docket on the Internet by going to http://www.regulations.gov, entering USCG-2014-1020 in the search box and following the instructions.

Written comments may also be submitted in response to this notice. All written comments and related material submitted before or after the meeting must either be submitted to the online docket via http://www.regulations.gov on or before January 29, 2015 or reach the Docket Management Facility by that date. You may submit written comments identified by docket number USCG-2014-1020 before or after the meeting using any one of the following methods:
(1) Federal eRulemaking Portal: http://www.regulations.gov.
(2) Fax: 202-372-1990.
(3) Mail: Docket Management Facility (M-30), U.S. Department of Transportation, West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue SE., Washington, DC 20590-0001.
(4) Hand delivery: Same as mail address above, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The telephone number is 202-366-9329.
To avoid duplication, please use only one of these four methods.

The Coast Guard will post a video recording and written summary of the meeting to the docket.

For Further Information Contact

If there are questions concerning this meeting, please call or email LT Josephine Long, Coast Guard at 202-372-1109 or via email at Josephine.A.Long@uscg.mil or LCDR Joshua Rose, Coast Guard; at 202-372-1106 or via email at Joshua.D.Rose@uscg.mil. If there are questions on viewing or submitting material to the docket, call Ms. Cheryl Collins, Program Manager, Docket Operations, telephone 202-366-9826.

Supplementary Information

Background and Purpose

On February 12, 2013, the President signed Executive Order (E.O.) 13636 “Improving Critical Infrastructure Cybersecurity.” The E.O. provided the national approach to protecting critical infrastructure cybersecurity and directed federal agencies to assess cyber risk to critical infrastructure. Pursuant to E.O. 13636, the National Institute of Standards and Technology (NIST) developed a voluntary Preliminary Cybersecurity Framework, (1) followed by the February 12, 2014 publication of a Framework for Improving Critical Infrastructure Cybersecurity (2) (Cybersecurity Framework). The Cybersecurity Framework serves to help industry stakeholders reduce their cyber risk and vulnerabilities. The Coast Guard encourages vessel and facility owners and operators to adopt the Cybersecurity Framework voluntarily to achieve a minimum standard of cybersecurity protection.
Section 7(d) of E.O. 13636 states that in developing the Cybersecurity Framework, the Director of NIST “shall engage in an open public review and comment process” and consult with stakeholders including owners and operators of critical infrastructure. Similarly, the Coast Guard will host this public meeting to engage the public and obtain comments to assist in the drafting of procedures to enable operators of vessels and facilities regulated pursuant to the Maritime Transportation Security Act of 2002 (MTSA) to identify and address cybersecurity risks that could result in a Transportation Security Incident (TSI). (3) This may include standards, guidelines, and best practices to protect maritime critical infrastructure. 

The meeting will include the following topics:

(1) Identify: What cyber dependent systems perform vital functions that are addressed in MTSA requirements, such as access control, cargo control, and communications?
(2) Protect: What standards are suitable to ensure the integrity of these systems?
(3) Detect: What procedures are available to owners and operators to detect cyber intrusions that could compromise the integrity of vital systems or contribute to a TSI?
(4) Respond: What response and notification procedures can minimize the consequences of cyber events?
(5) Recover: What procedures can owners and operators take to promote rapid maritime transportation system recovery after a cyber incident?

In addition to the topics outlined above, the Coast Guard is posting several supplemental documents to the online docket for this notice. The supplemental documents provide additional background information that may be useful for the public to consider in formulating comments. We encourage individuals interested in participating in the public meeting and/or submitting comments to the docket to review the supplemental documents. To view the supplemental documents and other documents mentioned in this notice as available in the docket, please follow the instructions described above in the ADDRESSES section. If you do not have access to the Internet, you may view the docket online by visiting the Docket Management Facility in Room W12-140 on the ground floor of the Department of Transportation West Building, 1200 New Jersey Avenue SE., Washington, DC 20590, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The Coast Guard has an agreement with the Department of Transportation to use the Docket Management Facility.

The Coast Guard encourages the public to participate by submitting comments either in person at the meeting or in writing. The public may submit written comments to Coast Guard personnel at the meeting. The Coast Guard will post these comments to the online public docket. All comments received will be posted without change to http://www.regulations.gov and will include any personal information you have provided.

Privacy Act

Anyone can search the electronic form of comments received into any of the dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). There is a Privacy Act notice regarding the public dockets for review in the January 17, 2008, issue of the Federal Register(73 FR 3316).

Information on Services for Individuals With Disabilities

For information on facilities or services for individuals with disabilities or to request special assistance at the public meeting, contact LT Josephine Long at the telephone number or email address indicated under the FOR FURTHER INFORMATION CONTACT section of this notice.

Authority
This notice is issued under the authority of 5 U.S.C. 552(a).
Dated: December 3, 2014.
Andrew Tucci,
Chief, Office of Port & Facility Compliance, U.S. Coast Guard.
[FR Doc. 2014-29205 Filed 12-11-14; 8:45 am]

BILLING CODE 9110-04-P