b'FOGHORN FOCUSMARINE TRANSPORTATION SYSTEM CYBER SPOTLIGHT:Facility Security Assessments/Plans/Deadlines and Recovery and Reporting Requirements for MTSA-Regulated FacilitiesEditorsNote:TheimpactoftheransomwareattackofthePrincess Cruises, according to a report by The Associated Press. In Colonial Pipeline that crippled nearly half of the nations abilitya letter to customers, the company indicated that outsiders might to purchase petroleum products, including gasoline, for severalhave gained access to Social Security numbers, passport numbers, daysinMayhighlightedvulnerabilitiesfromaseriouscyberdates of birth, addresses and health information of people. While attack. The risk is great and anyoneor any business entitycanCarnival Corp., a large, international cruise ship company, is NOTa PVA member, this incident demonstrates that cyber attacks cannd themselves subjected to nefarious acts from cyber criminals. Passenger vessel operators are not immune. In fact, a recent cyberimpact vessel operators of any size or scope. attack upon a PVA Vessel member has proven that vessel operators must prepare for the possibility that criminal activities can impactThefollowingarticles rstappearedintheU.S.CoastGuard your operation. Maritime Commons on May 9 and 26, 2021 with a warning: The maritime community is facing daily threats to their information Another, highly publicized incident occurred when Carnival Corp.and operational technology systems, whether through malicious announced a data breach that impacted its crew and customers.actors, antiquated systems, or lack of emphasis on securing the This breach, which happened in March but was only reported incyber landscape. Cyber threats are constantly evolving, and it is June, might have exposed personal information about customerscrucial that our stakeholders have the guidance, resources, and and employees on Carnival Cruise Line, Holland America Line andawareness to mitigate these risks.INCORPORATING CYBER INTO FACILITY SECURITYInannouncingthisguidance,theCoastGuardunderstoodthat ASSESSMENTS (FSA) AND FACILITY SECURITYfacilities would require time to properly assess their cyber risks and PLANS (FSP) vulnerabilities and establish a plan for documenting those as part of As evidenced by news of cyber incidents aff ecting critical infrastructuretheir FSAs and FSPs. The Coast Guard advised that facilities shall and the maritime environment, we are reminded that cyber threatsprovide that cyber documentation, whether as an annex, addendum, to, and vulnerabilities of the marine transportation system (MTS) areenclosure, or other form as appropriate, to their local Captain of constantly evolving. With a clear need to mitigate these risks, the U.S.the Port (COTP) at the time of their annual audit date, beginning Coast Guard is reminding MTS stakeholders, but specifi cally thoseOctober 1st, 2021. COTPs will still have the fl based on facilities regulated under the Maritime Transportation Security Act of exibility, 2002 (MTSA), that the timeframe for incorporating cyber into FSAsresourcedemandsorupondiscussionwithfacilitypersonnel,to and FSPs is rapidly approaching. adjust when submissions are received, as long as all facility FSA and FSP (Headquarters for ASPs) submissions are received by the end of a NavigationandVesselInspectionCircular(NVIC)No.01-20:one-year period, no later than October 1, 2022. Guidelines for Addressing Cyber at MTSA Regulated Facilities wasThe Coast Guard continues to stress the importance of engaging early issued in March of 2020. This NVIC provides guidance to facilityand often with respective COTPs to ensure alignment of expectations ownersandoperatorsoncomplyingwithrequirementstoassess,for achieving compliance. The Coast Guard is continually reviewing document, and address computer system and network vulnerabilities.andupdatingguidancetobothindustryandCoastGuardfi eld In accordance with 33 CFR parts 105 and 106, which implementpersonnel,includingfrequentlyaskedquestionsandjobaids,for MTSA,regulatedfacilities(includingOuterContinentalShelfadded awareness. facilities)arerequiredtoassessanddocumentvulnerabilities associated with their computer systems and networks in a FSA and FSP.FOGHORN FOCUS: OPERATIONS 8 FOGHORN'