b'SAFETY MATTERSNew Coast Guard CybersecuritySAFETY Training RequirementsERIC CHRISTENSEN // PVA DIRECTOR OF REGULATORY AFFAIRS & RISK MANAGEMENTO nJuly16,2025,theU.S.in 33 CFR 101 Subpart F when PVAAccess means the ability and means CoastGuardupdateditssubmits the sixth revision of the PVAtocommunicatewithorotherwise maritimesecurityregula- ASP for Coast Guard approval. Theinteract with a system, to use system tions contained in 33 Code of Federalfifth revision of the PVA ASP remainsresourcestohandleinformation,to Regulations (CFR) 101 Subpart F byin effect until Sept. 12, 2027, unlessgainknowledgeoftheinformation establishingminimumcybersecu- amended and approved by the Coastthesystemcontains,ortocontrol rityrequirementsforU.S.-flaggedGuard earlier. systemcomponentsandfunctions. vessels and facilities required to haveAccessistypicallygrantedbasedon a security plan under 33 CFR partsAs part of the fifth revision to the PVAusercredentialsandpermissions, 104 and 105, respectively. The regu- ASP members were required to assessensuring only authorized individuals lations will be phased in over the nexttheir cybersecurity and identify opera- can interact with the system. Access twoyearstofacilitatecompliance.tional technology (OT) systems. Thiscan be gained through physical access The first requirements to be phasedinformation can be used when deter- to a device (for example, plugging in a inmandatespecificcybersecuritymining the level of training requiredUSB drive) or logical access (for exam-trainingforpersonnelatregulatedby company personnel. Member thatple, logging into a network). Personnel facilitiesandonU.S.-flagvessels.operateMTSA-regulatedfacilitieswithunrestrictedphysicalaccessto Thistrainingrequirementinvolvesshouldhavealreadybeeninspectedspacesorareashousinginformation bothgeneralawarenesstrainingforby the Coast Guard using the Facilitytechnology(IT)and/orOTequip-all staff with system access, and spe- Inspector Cyber Job-Aid. ment, regardless of logical access, are cializedrole-basedtrainingforkeyconsidered to have access for the pur-personnel, emphasizing threat detec- OVERVIEW OF TRAININGposes of this section. [CG-5PC Policy tion,incidentreporting,andbasicREQUIREMENTSLetter 01-25]cyber hygiene. PVA has developed aTheprimarygoalofthetrainingis cybersecurity training framework totoensureaworkforcethatcanrec- Informationtechnology,(IT), assistmembersinmeetingtheup- ognizepotentialthreats,takebasicmeansanyequipmentorinter-coming deadline.precautions,andfollowestablishedconnectedsystemorsubsystemof procedures to protect critical facilityequipment, used in the acquisition, CURRENT PVAand vessel systems. The rule does notstorage, analysis, evaluation, manip-CYBERSECURITY GUIDANCEmandateaspecifictrainingformatulation,management,movement, Cybersecurityguidanceandtools(e.g.,classroom,virtual,self-paced)control,display,switching,inter-developed for the fifth revision to thebut requires that the content be appli- change,transmission,orreception Coast Guard-approved PVA Alterna- cable to the vessel or facilitys specificofdataorinformation.Examples tiveSecurityProgramandbasedoncybersecuritypoliciesuntilaformalincludePCs,laptops,AIS,etc.[33 theNationalInstituteofStandardscybersecurity plan can be developed. CFR 101.615]andTechnology(NIST)Cyberse-curityFrameworkremainrelevant.General Training for All PersonnelOperationaltechnology,(OT), That said, the NIST framework haswith IT/OT Accessmeans programmable systems or de-been updated to NIST 2.0 and thatBefore any discussion of training, wevicesthatinteractwiththephysical will be used in addition to the specificneed to define a couple terms used inenvironment (or manage devices that regulatoryrequirementscontainedthe regulations and policy:interactwiththephysicalenviron-51 DECEMBER 2025'