Tuesday, May 2, 2017

Draft NVIC on Cybersecurity Coming Soon

During the April 25-26, 2017 meeting of the National Maritime Security Advisory Committee (NMSAC), the Committee was given a regulatory update by U.S. Coast Guard personnel. During this update, the Committee was advised that the draft Navigation and Vessel Inspection Circular (NVIC) on cybersecurity would soon be published. Below are some thoughts on this NVIC and what the Coast Guard has said about the need for a proactive approach to cybersecurity.

During the Maritime Cyber Security Standards Public Meeting on January 15, 2015, discussing the need for voluntary cyber standards, Rear Admiral Paul Thomas, Assistant Commandant for Prevention Policy, stated, “The Coast Guard just recently conducted a study about the cost burden to industry of all the regulations that we have published since 1973. We found that 88% of the entire cost burdens of all regulations, over all those years, were due to two regulations, OPA 90 and MTSA. Both of these regulations followed predictable disasters.  The lesson learned should be that we should not wait for an incident to occur that will make us move forward on reactive, more expensive, regulations; we need to be proactive in approaching this. We are here to have a discussion with industry so we can develop a standard together, one that works and is reasonable in terms of the cost benefit.  If we wait until an incident occurs, that opportunity goes away.” (as quoted in Cyber Risk Management, by LCDR Josh Rose & LT Josie Long, http://aapa.files.cms-plus.com/SeminarPresentations/2015Seminars/2015Cybersecurity/Rose%20USCG%20CYBER.pdf)

In the Rose/Long AAPA presentation, there was a slide concerning the cybersecurity NVIC. Bullet points about this NVIC content include:
• How do we incorporate cyber into risk assessments?
• What tools are available for industry to use for risk assessments?
• MTS standard terms (definitions)
• What are examples of industrial control systems in the maritime environment (what is the scope of NVIC)?

I think one issue that may be addressed in the NVIC is the link between the NIST framework and the Facility Security Plan (FSP) – incorporation of cyber into facility security assessments; guidance for construction of a possible voluntary cyber annex or new FSP section that directly addresses the Framework elements of identify, protect, detect, respond, and recover; guidance for inspectors who encounter these new sections or annexes in annual compliance inspections or during incident post-review. (We'll see how well my crystal ball is functioning.)

This will be a draft NVIC, probably titled “For review and comment only. Not to be used as final guidance.” As a draft NVIC, it will probably be numbered 17-XX, rather than receiving two numbers as the terminal designation. In the Federal Register notice of its publication, there will probably be a section titled Public Participation and Request for Comments. In this section, there will probably be sub-sections explaining how to submit comments and how to view comments and documents. (Lots of probably’s!)