On Wednesday, February 21, 2024, the Biden-Harris administration signed an Executive Order (EO) to strengthen the security of the nation’s ports, alongside a series of additional actions that will fortify maritime cybersecurity, reinforce supply chains, and strengthen the US industrial base.
In the EO, among other things, Biden imposes mandatory reporting of actual or threatened cyber incidents at ports to the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Captain of the Port.
In addition to the EO, the US Coast Guard (USCG) today (February 22) published its long-awaited Notice of Proposed Rulemaking (NPRM), “Cybersecurity in the Marine Transportation System.”
The proposed USCG rule applies well beyond ports to virtually all Marine Transportation System (MTS) stakeholders. Several highlights of the proposed rule include:
- Cybersecurity plan: Owners and operators of US-flagged vessels and facilities and Outer Continental Shelf (OCS) facilities must develop and submit a Cybersecurity Plan for review and approval by the USCG.
- Drills and exercises: Owners and operators must conduct cybersecurity drills and exercises to test their ability to respond to and recover from cyber incidents.
- Cybersecurity measures: Owners and operators must implement cybersecurity measures such as account security, device security, data security, cybersecurity training, risk and supply chain management, and other measures related to cyber resilience.
- Reporting of cyber incidents: MTS stakeholders must report cyber incidents to the USCG within 24 hours of discovery.
- Compliance dates: The cybersecurity requirements will be phased in over a period of time. The first compliance date will be the second annual audit of the existing approved Vessel Security Plan, OCS Facility Security Plan, or Facility Security Plan after the effective date of the final rule.
The proposed USCG rule runs to more than 200 pages and is out for a 60-day comment period beginning today.