Coast Guard seeks input on cybersecurity policy

On December 12, the US Coast Guard issued the following notice and request for comments:

The Coast Guard is developing policy to help vessel and facility operators identify and address cyber-related vulnerabilities that could contribute to a Transportation Security Incident (TSI). Coast Guard regulations require certain vessel and facility operators to conduct security assessments, and to develop security plans that address vulnerabilities identified by the security assessment. The Coast Guard is seeking public input from the maritime industry and other interested parties on how to identify and mitigate potential vulnerabilities to cyber-dependent systems. The Coast Guard will consider these public comments in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.

The Coast Guard is seeking public input on the following questions:

(1) What cyber-dependent systems, commonly used in the maritime industry, could lead or contribute to a TSI if they failed, or were exploited by an adversary?

(2) What procedures or standards do vessel and facility operators now employ to identify potential cybersecurity vulnerabilities to their operations?

(3) Are there existing cybersecurity assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI?

(4) To what extent do current security training programs for vessel and facility personnel address cybersecurity risks and best practices?

(5) What factors should determine when manual backups or other non-technical approaches are sufficient to address cybersecurity vulnerabilities?

(6) How can the Coast Guard leverage Alternative Security Programs to help vessel and facility operators address cybersecurity risks?

(7) How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber-systems meet appropriate technical or procedural standards?

(8) Do classification societies, protection and indemnity clubs, or insurers recognize cybersecurity best practices that could help the maritime industry and the Coast Guard address cybersecurity risks?

Comments must be submitted to the online docket via http://www.regulations.gov, or reach the Docket Management Facility, on or before February 17, 2015. Comments should be marked with docket number USCG-2014-1020.

Source: Federal Register Volume 79, Number 243