ACN 096/21 - OCT 2021 IMPLEMENTATION GUIDANCE FOR INCORPORATION OF CYBERSECURITY INTO FACILITY SECURITY ASSESSMENTS AND FACILITY SECURITY PLANS FOR MTSA-REGULATED FACILITIES

United States Coast Guard

R 141633Z OCT 21
FM COMDT COGARD WASHINGTON DC
TO ALCOAST COMDT NOTICE
BT
UNCLAS
ACN 096/21
SSIC 16000
SUBJ: IMPLEMENTATION GUIDANCE FOR INCORPORATION OF CYBERSECURITY
INTO FACILITY SECURITY ASSESSMENTS AND FACILITY SECURITY PLANS FOR
MTSA-REGULATED FACILITIES
A. Navigation and Vessel Inspection Circular (NVIC) 01-20,
Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities
B. Marine Safety Manual Volume VII, Port Security Compliance Manual,
COMDTINST M16000.12A
C. NVIC 03-03, Change 2, Implementation Guidance for the Regulations
Mandated by MTSA for Facilities
1. In March of 2020, the Coast Guard promulgated REF (A) to provide
guidance to MTSA-regulated facilities on addressing cybersecurity
when conducting required Facility Security Assessments (FSA) and
Facility Security Plans (FSP).
2. Recognizing that REF (A) represented first-of-its-kind guidance,
the Coast Guard established an implementation period through
30 SEP 21. Beginning 1 OCT 21, Captains of the Port (COTPs) should
verify that cybersecurity is properly reflected in FSAs and FSPs by
each facility's annual audit date.
3. Implementation Guidance. COTPs should use REF (A) and the
Facility Inspector Cyber Job Aid to guide FSA and FSP amendment
reviews. COTPs may adjust when submissions are received based on
resource demands or upon request from a facility, as long as all
facility FSA and FSP submissions are received by 1 OCT 22.
COMDT (CG-FAC) will maintain review and approval responsibilities
for Alternative Security Plans.
4. Enforcement Guidance. COTPs should refer to REFs (B) and (C) for
enforcement guidance. Although the MTSA regulations in 33 CFR parts
105 and 106 are mandatory, it is up to each facility to determine
how to identify, assess, and address the vulnerabilities of their
computer systems and networks. REF (A) does not change the existing
requirements found in regulation, but it does provide guidance on
how facility owners or operators may meet those requirements.
Owners and operators may choose alternatives to the guidance in the
NVIC if those alternatives meet the regulatory requirements. COTPs
should continue to discuss REF (A), the COTP review process, and
the submission timelines with all facilities in their area of
responsibility.
5. MISLE Guidance. COTPs should use existing MISLE data entry
guidance found within MISLE 5.0 Guides located on COMDT (CG-FAC)'s
portal page at:
(Copy and Paste URL into Browser)

https://cg.portal.uscg.mil/units/cgfac/SitePages/Home.aspx

IMPORTANT NOTE: In order to track amendment approval progress, COTPs
shall use the FSP Amendment Activity and title their activities:
Facility Security Plan Cyber Amendment Review.
6. Job Aid and Frequently Asked Questions (FAQs): COMDT (CG-FAC) has
released a cyber-focused job aid and FAQs to assist facility
inspectors and industry. FAQs are located on the COMDT (CG-FAC)
website at:
(Copy and Paste URL into Browser)

https://www.dco.uscg.mil/Our-Organization/Assistant-Commandant-for-Prevention-Policy-CG-5P/Inspections-Compliance-CG-5PC-/Office-of-Port-Facility-Compliance/Domestic-Ports-Division/cybersecurity/

The Job Aid can be found at:
(Copy and Paste URL into Browser)

https://www.dco.uscg.mil/Our-Organization/Assistant-Commandant-for-Prevention-Policy-CG-5P/Inspections-Compliance-CG-5PC-/Port-and-Facility-Compliance-CG-FAC/Cargo-and-Facilities-Division/Job-Aids/

Units are encouraged to submit requests for updates to the Job Aid
or FAQs based on their experiences, so that COMDT (CG-FAC) can
ensure the most up-to-date guidance.
7. For questions regarding the NVIC and related implementation
guidance, units are directed to first contact their District or
Area Prevention Office. The COMDT (CG-FAC) POCs are:
    a. LCDR Leslie Downing: Leslie.M.Downing@uscg.mil, 202-372-1160.
    b. LCDR Kelley Edwards: Kelley.C.Edwards@uscg.mil, 202-795-6908.
8. Released by RADM J. W. Mauger, Assistant Commandant for
Prevention Policy (CG-5P).
9. Internet release is authorized.