Tuesday, March 1, 2016

Summary of Coast Guard Office of Port and Facility Compliance (CG-FAC) 2015 Annual Report

On March 1, 2016, the Coast Guard Office of Port and Facility Compliance (CG-FAC) issued the 2015 Annual Report.  It can be found at http://www.uscg.mil/hq/cg5/cg544/docs/CG-FAC%20Year%20In%20Review%202015_Final.pdf. The MTSA community, especially Facility Security Officers, should read the entire report. Important points are summarized below, using portions of the report.

FSOs should pay particular attention to 2015 MTSA Facility Enforcement Actions and What’s Coming in 2016.

Strategy for the Waterside Security of Especially Hazardous Cargo
On 1 September 2015, the Commandant of the Coast Guard signed the "Strategy for the Waterside Security of Especially Hazardous Cargo." It seeks to manage the risk of an attack on the Maritime Transportation System (MTS) involving EHC by mitigating the Threat, Vulnerability, and Consequence elements of risk through the Awareness, Prevention, Protection, Response, and Recovery components of the security spectrum. Security governance to facilitate and improve communication between industry and government on incident response/recovery, as well as maritime transportation infrastructure security, will be incorporated through an Implementation Plan. CG-FAC is working on an initial action plan with a 5-year execution.

Technology
USCG is deploying iPads to members of the inspection corps who requested to be part of the program. This dramatically reduces the large quantities of references and materials that inspectors need to carry around. Other devices which FAC recommends purchasing, at the unit’s expense, are a Bluetooth keyboard, portable Bluetooth printer, and Apps. The USCG would appreciate any feedback and recommendations for use of the iPads, provided to the CG-Portal site: https://cg.portal.uscg.mil/units/cgfac2/iPads/SitePages/Home.aspx.

Port Security Specialist Program
The USCG has conducted a performance planning front end analysis (FEA) to determine Port Security Specialist and Security Specialist (Port / Recovery) performance requirements. Ten recommendations were identified during the FEA. Recommendations from this analysis will help optimize limited training resources and improve Port Security Specialist and Security Specialist (Port / Recovery) performance. A 2015 ALCOAST was issued providing an update to the PSS Program, defining roles and responsibilities of the PSS, and highlighting accomplishments.

Cybersecurity Assessment and Risk Management Approach (CARMA) Assessment in Philadelphia
During the week of June 8th, DHS Office of Sector Engagement Critical Infrastructure Resilience, in conjunction with the Coast Guard, led a cyber risk assessment in the Port of Philadelphia. Agencies involved were DHS, National Institute of Standards and Technology (NIST), Federal Energy Regulatory Commission (FERC), Customs and Border Protection (CBP), Transportation Security Administration (TSA), USCG Sector Del Bay, LANTAREA, CG-FAC, CG-CVC.

Coast Guard LNG Workgroup
Both Harvey-Gulf and TOTE have delivered vessels with LNG fueled engines, and the LNG workgroup worked closely with field units to interpret regulations and develop implementation strategies for these new facilities. CG-FAC chairs the LNG Workgroup, and during 2015 the work group facilitated the development and release of OES Policy letters 01-15 and 02-15 to, among other things, address gaps in 33 CFR 127 for LNG facilities that will bunker LNG. The report gives a link for USCG units to access the LNG Workgroup site in CG Portal (USCG restricted).

Alternative Security Program (ASP)
There are close to 200 facilities operating under ASPs and thousands of vessels, more than are using vessel-specific security plans. Since cyber-security is a topic of growing interest to the entire maritime industry, the Coast Guard is exploring options for how best to incorporate cyber risks into security plans required by the Maritime Transportation Security Act. During the past year, two ASP Sponsoring Organization’s Workshops were held in Washington, DC. These workshops are a great forum for information sharing and discussions of best practices for both facilities and vessels. The workshop held on November 18, 2015, provided an opportunity for in-depth discussions on cyber risks. Many industry groups are developing cyber security best practices, and the Alternative Security Program potentially provides an ideal way of addressing cyber risks.

Cyber Risk Management
On 15 January 2015, CG-FAC held a public meeting to solicit input on a policy development project to address cyber security risks in the marine transportation system. In June 2015, the Commandant announced the promulgation of the Coast Guard’s first Cyber Strategy. This Strategy presents a ten-year vision for Coast Guard operations in cyberspace, and lays out our Service’s highest strategic objectives in this rapidly evolving operational domain.

With the signing of the Cyber Strategy, CG-FAC became the lead office for implementing the Protect Infrastructure portion of the Strategy. The newly formed Protect Infrastructure Cyber Strategy Implementation Team (CSIT) had representatives from nearly every office within CG-5P and also representatives from other offices including CG-2, CG-6, and CG-5R. Other offices outside of HQ have also pitched in, including National Maritime Center (NMC), Areas and Districts. The CSIT recently submitted an implementation plan and continues to work to complete identified initiatives. CG-FAC members were active in supporting Coast Guard wide research and development related to cyber risks in the marine transportation system.

Cyber Lexicon
CG-FAC, working within the Transportation System Sector Cyber Security Working Group, assisted in developing a Common Cyber Language for the Transportation Sector. The language can be used to help sub-sectors within the Transportation Sector, such as airlines or rail, share a common language when discussing cyber issues. The trail to this file in Homeport is Missions > Cybersecurity > Cyber Information > Transportation Sector Common Cyber Language.

Cybersecurity Assessment and Risk Management Approach (CARMA)
CARMA is a DHS developed tool that attempts to identify cyber risks within the port. It is a stakeholder-vetted list of the Port’s cyber infrastructure, as defined by its critical functions, supporting value chains, and specific types of cyber systems. What is important is that it utilizes local stakeholders to derive a port-level understanding of shared vulnerabilities and with it a prioritized list of strategies for managing the identified risks. This allows individual owners and operators to prioritize budget and resource allocations according to common risks. It also uses the identified cybersecurity risks to help build valid scenarios that could be leveraged for sector or national-level cyber exercises. Information on CARMA is accessed via email at ncsd_cipcs@hq.dhs.gov.

Cyber Risk Awareness and Policy Development
In 2015, the Coast Guard worked with the National Maritime Security Advisory Council, the National Offshore Safety Advisory Council, and many individual industry associations to share cyber information.

In June, the U.S. Coast Guard submitted a paper and introduced cyber risk management as a topic at the International Maritime Organization. Transport Canada has been a particularly strong partner in cyber. CG-FAC sent out 12 cyber related notices in 2015. A new resource section was also added to Homeport that shares over 100 different links to cyber related sites from advisories to alerts, assessment tools, recovery resources, supporting documents, tools, and training and education.

2015 Facility Inspections Program Statistics
Total regulated facilities: 8,211
MTSA-regulated facilities: 3,476
Total facility inspections completed: 11,856
MTSA facility inspections completed: 5,937
Total container inspections completed: 18,053
Total transfer monitors conducted: 456
Total operational controls (COTP Orders): 34
Security COTP Orders: 16
Safety/Environmental Protection COTP Orders: 19



2015 MTSA Security Compliance by District
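| District | FSPs* | MTSA Inspections | Deficiencies |
|----------|-------|------------------|--------------|
| 1st      | 298   | 949              | 164          |
| 5th      | 166   | 451              | 129          |
| 7th      | 310   | 928              | 241          |
| 8th      | 905   | 1902             | 570          |
| 9th      | 304   | 691              | 120          |
| 11th     | 135   | 326              | 120          |
| 13th     | 139   | 257              | 106          |
| 14th     | 77    | 214              | 142          |
| 17th     | 98    | 219              | 27           |
| Total    | 2432  | 5937             | 1619         |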

Container Update
CG-FAC continuously seeks to improve the National Container Inspection Program (NCIP) guidance and streamline the process for both industry and the field. CG-FAC recently met with Hapag-Lloyd and the National Cargo Bureau to discuss industry and Coast Guard concerns and issues with the shipment of containers in an effort to identify ways to mitigate risks. Hapag-Lloyd has developed a system called “Watchdog”, that analyzes shipping documents searching for key words to assist in selecting containers for inspection. Watchdog has enabled Hapag-Lloyd to inspect 20% of all containers shipped by the company.

Mis-declared cargo and leakage are the most prominent issues ailing the shipment of containers and account for 86% of deficiencies according to the Cargo Incident Notification System website. According to the same website, over 70% of those deficiencies involve general cargo shipments, which point to the success of inspection programs focused on declared Hazardous Materials (HAZMAT).

Higher national compliance rates in declared HAZMAT shipments led to a shift for inspections rates of declared HAZMAT and general cargo container shipments. Previous guidance prioritized HAZMAT over general cargo shipments at a 90% to 10% inspection goal respectively. On average, of the total containers inspected nationally the Coast Guard has achieved roughly 60% to 40% HAZMAT to general cargo annually.

Transportation Worker Identification Credential (TWIC) Verifications
As part of the MTSA security program, Facility Inspectors conducted a combined 48,289 visual and electronic inspections of TWIC cards in 2015, and identified 970 instances of non-compliance with TWIC requirements.  CG-FAC is currently conducting market research for replacement readers; current hand-helds are reaching the end of their service life. There are currently a few USCG units conducting field testing for iPad based reader applications. 

USCG TWIC Implementation branch members worked directly with counterparts at TSA to discuss and address TWIC program improvements and issues. TSA has recently begun implementation of a civil enforcement program for individual TWIC holders violating regulatory requirements. Many Transportation Security Inspectors – Surface (TSI-S) personnel have reached out to Districts and Sectors to coordinate implementation of this inspection program.

2015 MTSA Facility Enforcement Actions
In 2015, the Coast Guard completed 4,717 security-related MTSA annual and spot check examinations and recorded 131 enforcement activities against MTSA-regulated facility owners or operators for noncompliance with MTSA regulations. The 131 enforcement activities executed in 2015 took place at 115 MTSA-regulated facilities and included official letters of warning or administrative civil penalties.


| Citation | Citation Title | Enforcement Activities Executed |
|----------|----------------|---------------------------------|
| 33 CFR 101.305 | Reporting, Breach of Security | 3 |
| 33 CFR 105.125 | Noncompliance | 3 |
| 33 CFR 105.140 | Alternative Security Program | 1 |
| 33 CFR 105.200 | Owner or operator requirements | 27 |
| 33 CFR 105.205 | Facility Security Officer requirements | 7 |
| 33 CFR 105.210 | Facility personnel with security duties | 13 |
| 33 CFR 105.220 | Drill and exercise requirements | 15 |
| 33 CFR 105.225 | Facility recordkeeping requirements | 4 |
| 33 CFR 105.255 | Security measures for access control | 29 |
| 33 CFR 105.260 | Security measures for restricted areas | 8 |
| 33 CFR 105.275 | Security measures for monitoring | 3 |
| 33 CFR 105.290 | Additional cruise ship terminal requirements | 2 |
| 33 CFR 105.305 | Requirements for facility security assessments | 1 |
| 33 CFR 105.400 | Facility Security Plans | 5 |
| 33 CFR 105.410 | Facility Security Plans – Submission and approval | 7 |
| 33 CFR 105.415 | Facility Security Plans – Amendment and audit | 3 |
| Total | | 131 |

As in 2014, almost 50% of Coast Guard enforcement actions at regulated facilities were for 33 CFR 105.200 and 105.255 violations.

Rulemakings
Seafarer’s Access to Maritime Facilities - On July 27, 2015, the public comment period for the Seafarer’s Access to Maritime Facilities Notice of Proposed Rulemaking (NPRM) officially closed. The 162 comments have been adjudicated and the Final Rule is being developed. This proposed rule would implement section 811 of the Coast Guard Authorization Act of 2010, and requires each owner or operator of a facility regulated by the Coast Guard to implement a system that provides seafarers and other individuals with access between vessels moored at the facility and the facility gate, in a timely manner and at no cost to the seafarer or other individual.

Consolidated Cruise Ship Security - On June 1, 2015, the public comment period for the Consolidated Cruise Ship Security Notice of Proposed Rulemaking (NPRM) officially closed. The 115 comments have been adjudicated and the Final Rule is being developed. The Coast Guard proposes to amend its regulations on cruise ship terminal security and the proposed regulations would provide detailed, flexible requirements for the screening of all baggage, personal items, and persons—including passengers, crew, and visitors—intended for carriage on a cruise ship. The proposed regulations would standardize security of cruise ship terminals and eliminate redundancies in the regulations that govern the security of cruise ship terminals.

Training
This year, CG-FAC traveled to each District to meet with a number of Facility Inspectors and Port Security Specialists during the FAC road show. Program staff covered certain topics specific to the Unit, District, or Area’s request.  Hot topics were LNG as Fuel, TWIC, MTSAII, and Cyber.

Area Maritime Security Committees
In April 2015, the Delaware Bay Area Maritime Security Committee was recognized as the 2014 Area Maritime Security Committee of the Year. This AMSC has developed a Regional Business Continuity Planning Template, which takes an all hazards approach to include commercial risks. The template document serves as a readily implementable tool for use by Port Stakeholders in developing their own Business Continuity Plans. Widespread use of this template will lead to facilities better suited to maintain critical business functions throughout our port and the nation, leading to a more secure, resilient port and the ability to continue to contribute to the regional economy through unforeseen circumstances.

Trending Issues in Port Safety, Security, and Resilience
MTSRU - In order to build system continuity and maintain effective levels of program readiness, CG-FAC Senior Leadership developed and incorporated a strategy with the office business plan to host a National MTSRU Workshop every two years, to review and update program policies, guidance and analyze lessons learned from real events to improve response effectiveness and enhance program visibility.

Cooperation with Transport Canada - increased cooperation in 2016.

What to Expect in 2016
Facility Security - A policy letter encouraging facilities to submit their FSP/VSP/ASP renewals to the Coast Guard 60 days prior to the expiration date will be signed and disseminated to the field in CY16. Also, the Breach of Security Instruction has been updated to include suspicious activity response. The instruction will be published mid-2016 and will address network security in addition to physical security incidents. Finally, be on the lookout for NVIC 03-03, Change 3 as well as an Alternative Security Plan NVIC in CY16.

EHC Strategy - CG-FAC will be working with other offices to create an Implementation Working Group for the EHC Strategy. This working group will look to implement the four goals of the EHC Strategy including awareness, prevention, response, and recovery.

Cyber - CG-FAC is working on several policy updates concerning cyber risk management. In cooperation with NIST, CG-FAC is drafting a Cyber Framework Implementation Guide for bulk liquid facilities. This will help facility operators identify the components of the NIST Cybersecurity Framework most applicable to their operations. CG-FAC is also developing a NVIC that will provide cyber risk management guidance to facility and vessel operators. CG-FAC will continue to support the Areas on conducting Cyber Awareness Training for CG Units.

Exercise requirements - CG-FAC is working on policy to clarify the definition of annual, and other time periods, as used in 33 CFR 154 for exercise requirements.

Pipeline testing - CG-FAC is updating current policy and incorporating that into a pipeline testing policy NVIC that will provide guidance on alternate testing methods.

Homeport - CG-FAC is working with other Coast Guard Headquarters Offices to complete a long overdue technical refresh of Homeport. This update will improve reliability and cyber security for the system and provide a better user interface.

Regulatory Projects:
Consolidated Cruise Ship Security - The public comment period for this NPRM ended on June 1, 2015. The anticipated final rule publication date is in 2016.

Seafarer’s Access to Maritime Facilities - The public comment period for this NPRM ended July 27, 2015. The anticipated final rule publication date is in 2016.

Transportation Worker Identification Credential (TWIC) Reader Requirements - The Final Rule is in final agency clearance.


