vessels and facilities that must have security plans, including PVA members that use the PVA Alternative Security Program (ASP). In general, the NVIC adds cyber specific language regarding reporting incidents of unauthorized access to computer networks and systems that are connected to security features including cameras, access control, etc. Denial of service attacks and introduction of viruses impacting critical services and security features are also required to be reported.

The reporting of cyber incidents in the NVIC has a more broad applicability in that it applies to any vessel, harbor, port, or waterfront facility, not just those covered under the MTSA. The Coast Guard refers to this population as MTS stakeholders. MTS refers to the Maritime Transportation System. This is the most significant change to cybersecurity requirements. As stated in the NVIC:

MTS stakeholders should report those incidents that lead to or, if still under investigation, could reasonably lead to any of the following:

(a) A substantial loss of confidentiality, integrity, or availability of information systems, networks, or operational technology;

(b) A disruption or significant adverse impact on the MTS stakeholder's or MTSA-regulated entity's ability to engage in business operations or deliver goods, or services;

(c) Disclosure or unauthorized access directly or indirectly to non-public personal information; or

(d) Potential operational disruption to other critical infrastructure systems or assets.

When in doubt as to whether an incident or situation meets any of the requirements of a breach of security, suspicious activity, transportation security incident, or cyber incident, maritime stakeholders are encouraged to report an incident or occurrence to the Coast Guard's National Response Center without delay at 1-800-424-8802.

Note: There is an acknowledgment in the NVIC that routine spam, phishing attempts, and other nuisance events that do not breach a system's defenses may not need to be reported.

The new NVIC (02-24) can be found here. Page five has most of the new content related to cyber incidents.

The PVA Safety & Security Committee will review the NVIC against our current cybersecurity guidance to see where revisions need to be made beyond the addition of reporting cyber incidents.

NOTICE OF PROPOSED RULEMAKING

The final element in the cybersecurity trifecta was the publication of a NPRM in the Federal Register. The purpose of the NPRM is to set minimum cybersecurity requirements for U.S.-flagged vessels, U.S. facilities, and outer continental shelf facilities to safeguard and ensure the security and resilience of the MTS.

The NPRM's applicability is limited to vessels and facilities required to meet MTSA requirements, so vessels inspected under Subchapter T would not be required to implement the regulations once they are final.

Some of the minimum cybersecurity requirements where the Coast Guard requests input include:

- Proposed definitions for cyber incident, reportable cyber incident, cyber risk, cyber threat, and cybersecurity vulnerability
- Which federal agencies should receive reports of cybersecurity incidents?
- Designation of a company cybersecurity officer (CySO)
- Development and implementation of a cybersecurity plan
- Cybersecurity training for company personnel
- Conducting cybersecurity drills, exercises, and audits

The PVA Regulatory Committee will be reviewing the NPRM and providing comments; however, all members potentially impacted by the proposed cybersecurity regulations should comment to the rulemaking.

Comments and related material must be received by the Coast Guard on or before April 22, 2024. The NPRM is available here.

Author's Note:
There has been no order to update existing vessel or facility security plans or the PVA ASP at this time. If that changes between now and the issuance of the Final Rule, the Coast Guard will notify all impacted stakeholders.

MARCH 2024