On March 1, 2016, the Coast Guard Office of Port and Facility
Compliance (CG-FAC) issued the 2015 Annual Report. It can be found at http://www.uscg.mil/hq/cg5/cg544/docs/CG-FAC%20Year%20In%20Review%202015_Final.pdf.
The MTSA community, especially Facility Security Officers, should read the entire report. Important points are
summarized below, using portions of the report.
FSOs should pay particular attention to 2015 MTSA Facility
Enforcement Actions and What’s Coming in 2016.
Strategy for the
Waterside Security of Especially Hazardous Cargo
On 1 September 2015, the Commandant of the Coast Guard
signed the "Strategy for the Waterside Security of Especially Hazardous
Cargo." It seeks to manage the risk
of an attack on the Maritime Transportation System (MTS) involving EHC by
mitigating the Threat, Vulnerability, and Consequence elements of risk through
the Awareness, Prevention, Protection, Response, and Recovery components of the
security spectrum. Security governance to facilitate and improve communication
between industry and government on incident response/recovery, as well as
maritime transportation infrastructure security, will be incorporated through
an Implementation Plan. CG-FAC is
working an initial action plan with a 5 year execution.
Technology
USCG is deploying IPads to inspection corps who requested to
be part of the program. This dramatically reduces large quantities of
references and materials that inspectors need to carry around. Other devices
which FAC recommends purchasing, at the unit’s expense, are a Bluetooth
keyboard, portable Bluetooth printer, and Apps. The USCG would appreciate any
feedback and recommendation for use of the iPads provided to the CG- Portal
site. https://cg.portal.uscg.mil/units/cgfac2/iPads/SitePages/Home.aspx.
Port Security
Specialist Program
The USCG has conducted a performance planning front end
analysis (FEA) to determine Port Security Specialist and Security Specialist
(Port / Recovery) performance requirements. Ten recommendations were identified
during the FEA. Recommendations from this analysis will help optimize limited
training resources and improve Port Security Specialist and Security Specialist
(Port / Recovery) performance. A 2015 ALCOAST was issued providing an update to
the PSS Program, defining roles and responsibilities of the PSS, and
highlighting accomplishments.
Cybersecurity
Assessment and Risk Management Approach (CARMA) Assessment in Philadelphia
During the week of June 8th, DHS Office of Sector Engagement
Critical Infrastructure Resilience, in conjunction with the Coast Guard, led a
cyber risk assessment in the Port of Philadelphia. Agencies involved were DHS, National
Institute of Standards and Technology (NIST), Federal Energy Regulatory Commission
(FERC), Customs and Border Protection (CBP), Transportation Security
Administration (TSA), USCG Sector Del Bay, LANTAREA, CG-FAC, CG-CVC.
Coast Guard LNG
Workgroup
Both Harvey-Gulf and TOTE have delivered vessels with LNG
fueled engines, and the LNG workgroup worked closely with field units to
interpret regulations and develop implementation strategies for these new
facilities. CG-FAC chairs the LNG Workgroup, and during 2015 the work group
facilitated the development and release of OES Policy letters 01-15 and 02-15
to, among other things, address gaps in 33 CFR 127 for LNG facilities that will
bunker LNG. The report gives a link for USCG units to access the LNG Workgroup
site in CG Portal (USCG restricted).
Alternative Security
Program (ASP)
There are close to 200 facilities operating under ASPs and
thousands of vessels, more than are using vessel-specific security plans. Since
cyber-security is a topic of growing interest to the entire maritime industry
the Coast Guard is exploring options for how to best incorporate cyber risks
into security plans required by the Maritime Transportation Security Act. During
the past year, two ASP Sponsoring Organization’s Workshops were held in
Washington, DC. These workshops are a great forum for information sharing and
discussions of best practices for both facilities and vessels. The workshop,
held on November 18, 2015, provided an opportunity for in-depth discussions on
cyber risks. Many industry groups are developing cyber security best practices
and the Alternative Security Program potentially provides an ideal way of
addressing cyber risks.
Cyber Risk Management
On 15 January 2015, CG-FAC held a public meeting to solicit
input on a policy development project to address cyber security risks in the
marine transportation system. In June 2015, the Commandant announced the
promulgation of the Coast Guard’s first Cyber Strategy. This Strategy presents
a ten-year vision for Coast Guard operations in cyberspace, and lays out our
Service’s highest strategic objectives in this rap- idly evolving operational
domain.
With the signing of the Cyber Strategy, CG-FAC became the
lead office for implementing the Protect Infrastructure portion of the
Strategy. The newly formed Protect Infrastructure Cyber Strategy Implementation
Team (CSIT) had representatives from nearly every office within CG-5P and also
representatives from other offices including CG-2, CG-6, and CG- 5R. Other
offices outside of HQ have also pitched in, including National Maritime Center
(NMC), Areas and Districts. The CSIT recently submitted an implementation plan
and continues to work to complete identified initiatives. CG-FAC members were
active in supporting Coast Guard wide research and development related to cyber
risks in the marine transportation system.
Cyber Lexicon
CG-FAC, working within the Transportation System Sec- tor
Cyber Security Working Group, assisted in developing a Common Cyber Language
for the Transportation Sector. The language can be used to assist sub-sectors
such as airlines or rail within the Transportation Sector have a common language
when discussing cyber issues.
The trail to this file in Homeport is Missions>Cybersecurity>Cyber
Information> Transportation Sector Common Cyber Language.
Cybersecurity
Assessment and Risk Management Approach (CARMA)
CARMA is a DHS developed tool that attempts to identify
cyber risks within the port. It is a stakeholder-vetted list of the Port’s
cyber infrastructure, as defined by its critical functions, supporting value
chains, and specific types of cyber systems. What is important is that it
utilizes local stakeholders to derive a port-level understanding of shared
vulnerabilities and with it a prioritized list of strategies for managing the
identified risks. This allows individual owners and operators to prioritize
budget and resource allocations according to common risks. It also uses the
identified cybersecurity risks to help build valid scenarios that could be
leveraged for sector or national-level cyber exercises. Information on CARMA is
accessed via email at ncsd_cipcs@hq.dhs.gov.
Cyber Risk Awareness
and Policy Development
In 2015, the Coast Guard worked with the National Maritime
Security Advisory Council, the National Offshore Safety Advisory Council, and
many individual industry associations to share cyber information.
In June, the U.S. Coast Guard submitted a paper and
introduced cyber risk management as a topic at the International Maritime
Organization. Transport Canada has been a particularly strong partner in cyber.
CG-FAC sent out 12 cyber related notices in 2015. A new resource section was
also added to Homeport that shares over 100 different links to cyber related
sites from advisories to alerts, assessment tools, recovery resources,
supporting documents, tools, and training and education.
2015 Facility
Inspections Program Statistics
Total regulated facilities:
|
8,211
|
MTSA-regulated facilities:
|
3,476
|
Total facility inspections completed:
|
11,856
|
MTSA facility inspections completed:
|
5,937
|
Total container inspections completed:
|
18,053
|
Total transfer monitors conducted:
|
456
|
Total operational controls (COTP Orders)
|
34
|
Security COTP Orders
|
16
|
Safety/Environmental Protection COTP Orders
|
19
|
|
|
2015 MTSA Security
Compliance by District
District
|
FSPs*
|
MTSA Inspections
|
Deficiencies
|
1st
|
298
|
949
|
164
|
5th
|
166
|
451
|
129
|
7th
|
310
|
928
|
241
|
8th
|
905
|
1902
|
570
|
9th
|
304
|
691
|
120
|
11th
|
135
|
326
|
120
|
13th
|
139
|
257
|
106
|
14th
|
77
|
214
|
142
|
17th
|
98
|
219
|
27
|
Total
|
2432
|
5937
|
1619
|
Container Update
CG-FAC continuously seeks to improve the National Container
Inspection Program (NCIP) guidance and streamline the process for both industry
and the field. CG-FAC recently met with Hapag-Lloyd and the National Cargo
Bureau to discuss industry and Coast Guard concerns and issues with the
shipment of containers in an effort to identify ways to mitigate risks. Hapag-Lloyd
has developed a system called “Watchdog”, that analyzes shipping documents
searching for key words to assist in selecting containers for inspection.
Watchdog has enabled Hapag-Lloyd to inspect 20% of all containers shipped by
the company.
Mis-declared cargo and leakage are the most prominent issues
ailing the shipment of containers and account for 86% of deficiencies according
to the Cargo Incident Notification System website. According to the same
website, over 70% of those deficiencies involve general cargo shipments, which
point to the success of inspection programs focused on declared Hazardous
Materials (HAZMAT).
Higher national compliance rates in declared HAZMAT shipments
led to a shift for inspections rates of declared HAZMAT and general cargo
container shipments. Previous guidance prioritized HAZMAT over general cargo shipments
at a 90% to 10% inspection goal respectively. On average, of the total
containers inspected nationally the Coast Guard has achieved roughly 60% to 40%
HAZMAT to general cargo annually.
Transportation Worker
Identification Credential (TWIC) Verifications
As part of the MTSA security program, Facility Inspectors
conducted a combined 48,289 visual and electronic inspections of TWIC cards in
2015, and identified 970 instances of non-compliance with TWIC
requirements. CG-FAC is currently
conducting market research for replacement readers; current hand-helds are
reaching the end of their service life. There are currently a few USCG units conducting
field testing for iPad based reader applications.
USCG TWIC Implementation branch members worked directly with
counterparts at TSA to discuss and address TWIC program improvements and
issues. TSA has recently begun implementation of a civil enforcement program
for individual TWIC holders violating regulatory requirements. Many
Transportation Security Inspectors – Surface (TSI-S) personnel have reached out
to Districts and Sectors to coordinate implementation of this inspection
program.
2015 MTSA Facility
Enforcement Actions
In 2015, the Coast Guard completed 4,717 security-related
MTSA annual and spot check ex- aminations and recorded 131 enforcement
activities against MTSA-regulated facility owners or operators for
noncompliance with MTSA regulations. The
131 enforcement activities executed in 2015 took place at 115 MTSA-regulated
facilities and included official letters of warning or administrative civil
penalties.
Citation
|
Citation Title
|
Enforcement Activities Executed
|
33 CFR 101.305
|
Reporting, Breach of Security
|
3
|
33 CFR 105.125
|
Noncompliance
|
3
|
33 CFR 105.140
|
Alternative Security Program
|
1
|
33 CFR 105.200
|
Owner or operator requirements
|
27
|
33 CFR 105.205
|
Facility Security Officer requirements
|
7
|
33 CFR 105.210
|
Facility personnel with security duties
|
13
|
33 CFR 105.220
|
Drill and exercise requirements
|
15
|
33 CFR 105.225
|
Facility recordkeeping requirements
|
4
|
33 CFR 105.255
|
Security measures for access control
|
29
|
33 CFR 105.260
|
Security measures for restricted areas
|
8
|
33 CFR 105.275
|
Security measures for monitoring
|
3
|
33 CFR 105.290
|
Additional cruise ship terminal requirements
|
2
|
33 CFR 105.305
|
Requirements for facility security assessments
|
1
|
33 CFR 105.400
|
Facility Security Plans
|
5
|
33 CFR 105.410
|
Facility
Security Plans – Submission and approval
|
7
|
33 CFR 105.415
|
Facility
Security Plans – Amendment and audit
|
3
|
Total
|
131
|
As noted on the previous page, as in 2014, almost 50% of
Coast Guard enforcement actions at regulated facilities were for 33CFR105.200
and 105.255 violations.
Rulemakings
Seafarer’s Access to Maritime Facilities - On July 27, 2015,
the public comment period for the Seafarer’s Access to Maritime Facilities
Notice of Proposed Rulemaking (NPRM) officially closed. The 162 comments have
been adjudicated and the Final Rule is being developed. This proposed rule
would implement section 811 of the Coast Guard Authorization Act of 2010, and
requires each owner or operator of a facility regulated by the Coast Guard to
implement a system that provides seafarers and other individuals with access
between vessels moored at the facility and the facility gate, in a timely
manner and at no cost to the seafarer or other individual.
Consolidated Cruise Ship Security - On June 1, 2015, the
public comment period for the Consolidated Cruise Ship Security Notice of
Proposed Rulemaking (NPRM) officially closed. The 115 comments have been
adjudicated and the Final Rule is being developed. The Coast Guard proposes to
amend its regulations on cruise ship terminal security and the proposed
regulations would provide detailed, flexible requirements for the screening of
all baggage, personal items, and persons—including passengers, crew, and
visitors—intended for carriage on a cruise ship. The proposed regulations would
standardize security of cruise ship terminals and eliminate redundancies in the
regulations that govern the security of cruise ship terminals.
Training
This year, CG-FAC traveled to each District to meet with a
number of Facility Inspectors and Port Security Specialists during the FAC road
show. Program staff covered certain topics specific to the Unit, District, or
Area’s request. Hot topics were LNG as
Fuel, TWIC, MTSAII, and Cyber.
Area Maritime
Security Committees
In April 2015, the Delaware Bay Area Maritime Security
Committee was recognized as the 2014 Area Maritime Security Committee of the
Year. This AMSC has developed a Regional Business Continuity Planning Template
which was developed by taking an all hazards approach to include commercial
risks. The template document serves as a readily implementable tool for use by
Port Stakeholders in developing their own Business Continuity Plans. Widespread
use of this template will lead to facilities better suited to maintain critical business functions
throughout our port and the nation, leading to a more secure, resilient port and the ability to
continue to contribute to the regional economy through unforeseen
circumstances.
Trending Issues in
Port Safety, Security, and Resilience
MTSRU - In order to build system continuity and maintain
effective levels of program readiness, CG-FAC Senior Leadership developed and
incorporated a strategy with the office business plan to host a National MTSRU
Workshop every two years, to review and update program policies, guidance and
analyze lessons learned from real events to improve response effectiveness and
enhance program visibility.
Cooperation with Transport Canada - increased cooperation in
2016.
What to Expect in
2016
Facility Security - A policy letter encouraging facilities
to submit their FSP/VSP/ASP renewals to the Coast Guard 60 days prior to the
expiration date will be signed and disseminated to the field in CY16. Also, the
Breach of Security Instruction has been updated to include suspicious activity
response. The instruction will be published mid- 2016 and will address network
security in addition to physical security incidents. Finally, be on the lookout
for NVIC 03-03, Change 3 as well as an Alternative Security Plan NVIC in CY16.
EHC Strategy - CG-FAC will be working with other offices to
create an Implementation Working Group for the EHC Strategy. This working group
will look to implement the four goals of the EHC Strategy including awareness,
prevention, response, and recovery.
Cyber - CG-FAC is working on several policy updates
concerning cyber risk management. In cooperation with NIST, CG-FAC is drafting
a Cyber Framework Implementation Guide for bulk liquid facilities. This will
help facility operators identify the components of the NIST Cybersecurity
Framework most applicable to their operations. CG-FAC is also developing a NVIC
that will provide cyber risk management guidance to facility and vessel
operators. CG-FAC will continue to support the Areas on conducting Cyber
Awareness Training for CG Units.
Exercise requirements: CG-FAC is working on policy to
clarify the definition for annual, and other time periods, as it is used in the
33 CFR 154 for exercise requirements.
Pipeline testing: CG-FAC is updating current policy and
incorporating that into a pipeline testing policy NVIC that will guidance on
alternate testing methods.
HOMEPORT— CG FAC is working with other Coast Guard
Headquarters Offices to complete a long overdue technical refresh of
Homeport. This update will improve reliability
and cyber security for the system and provide a better user interface.
Regulatory Projects:
Consolidated Cruise Ship Security - The public comment
period for this NPRM ended on June 1, 2015. The anticipated final rule
publication date is in 2016.
Seafarer’s Access to Maritime Facilities - The public
comment period for this NPRM ended July 27, 2015. The anticipated final rule
publication date is in 2016.
Transportation Worker Identification Credential (TWIC)
Reader Requirements - The Final Rule is in final agency clearance.