Cybersecurity in the Marine Transportation System

DEPARTMENT OF HOMELAND SECURITY <SUBAGY>Coast Guard</SUBAGY> <CFR>33 CFR Parts 101 and 160</CFR> <DEPDOC>[Docket No. USCG-2022-0802]</DEPDOC> <RIN>RIN 1625-AC77</RIN> <SUBJECT>Cybersecurity in the Marine Transportation System</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Coast Guard, Department of Homeland Security (DHS). <HD SOURCE="HED">ACTION:</HD> Notice of proposed rulemaking. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The Coast Guard proposes to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This proposed rule would help to address current and emerging cybersecurity threats in the marine transportation system. We seek your comments on this proposed rule and whether we should: use and define the term <E T="03">reportable cyber incident</E> to limit cyber incidents that trigger reporting requirements, use alternative methods of reporting such incidents, and amend the definition of <E T="03">hazardous condition.</E> </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> Comments and related material must be received by the Coast Guard on or before April 22, 2024. </EFFDATE> <HD SOURCE="HED">ADDRESSES:</HD> You may submit comments identified by docket number USCG-2022-0802 using the Federal Decision-Making Portal at <E T="03">www.regulations.gov.</E> See the “Public Participation and Request for Comments” portion of the <E T="02">SUPPLEMENTARY INFORMATION</E> section for further instructions on submitting comments. You may also find this notice of proposed rulemaking, with its 100-word-or-less summary, in this same docket at <E T="03">www.regulations.gov.</E> <E T="03">Collection of information.</E> Submit comments on the collection of information discussed in section VI.D of this preamble both to the Coast Guard's online docket and to the Office of Information and Regulatory Affairs (OIRA) in the White House Office of Management and Budget (OMB) using their website, <E T="03">www.reginfo.gov/public/do/PRAMain.</E> Comments sent to OIRA on the collection of information must reach OIRA on or before the comment due date listed on their website. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> For information about this document, email <E T="03">MTSCyberRule@uscg.mil</E> or call: Commander Brandon Link, Office of Port and Facility Compliance, 202-372-1107, or Commander Frank Strom, Office of Design and Engineering Standards, 202-372-1375. </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">Table of Contents for Preamble</HD> <EXTRACT> <FP SOURCE="FP-2">I. Public Participation and Request for Comments</FP> <FP SOURCE="FP-2">II. Abbreviations</FP> <FP SOURCE="FP-2">III. Basis and Purpose</FP> <FP SOURCE="FP1-2">A. The Problem We Seek To Address</FP> <FP SOURCE="FP1-2">B. Recent Legislation and Policy</FP> <FP SOURCE="FP1-2">C. Legal Authority To Address This Problem</FP> <FP SOURCE="FP-2">IV. Background</FP> <FP SOURCE="FP1-2">A. The Current State of Cybersecurity in the MTS</FP> <FP SOURCE="FP1-2">B. Current Cybersecurity Regulations</FP> <FP SOURCE="FP-2">V. Discussion of Proposed Rule</FP> <FP SOURCE="FP-2">VI. Regulatory Analyses</FP> <FP SOURCE="FP1-2">A. Regulatory Planning and Review</FP> <FP SOURCE="FP1-2">B. Small Entities</FP> <FP SOURCE="FP1-2">C. Assistance for Small Entities</FP> <FP SOURCE="FP1-2">D. Collection of Information</FP> <FP SOURCE="FP1-2">E. Federalism</FP> <FP SOURCE="FP1-2">F. Unfunded Mandates</FP> <FP SOURCE="FP1-2">G. Taking of Private Property</FP> <FP SOURCE="FP1-2">H. Civil Justice Reform</FP> <FP SOURCE="FP1-2">I. Protection of Children</FP> <FP SOURCE="FP1-2">J. Indian Tribal Governments</FP> <FP SOURCE="FP1-2">K. Energy Effects</FP> <FP SOURCE="FP1-2">L. Technical Standards</FP> <FP SOURCE="FP1-2">M. Environment</FP> </EXTRACT> <HD SOURCE="HD1">I. Public Participation and Request for Comments</HD> The Coast Guard views public participation as essential to effective rulemaking and will consider all comments and material received during the comment period. Your comment can help shape the outcome of this rulemaking. If you submit a comment, please include the docket number for this rulemaking, indicate the specific section of this document to which each comment applies, and provide a reason for each suggestion or recommendation. <E T="03">Submitting comments.</E> We encourage you to submit comments through the Federal Decision-Making Portal at <E T="03">www.regulations.gov.</E> To do so, go to <E T="03">www.regulations.gov,</E> type USCG-2022-0802 in the search box and click “Search.” Next, look for this document in the Search Results column, and click on it. Then click on the Comment option. If you cannot submit your material by using <E T="03">www.regulations.gov,</E> call or email the persons in the <E T="02">FOR FURTHER INFORMATION CONTACT</E> section of this proposed rule for alternate instructions. <E T="03">Viewing material in docket.</E> To view documents mentioned in this proposed rule as being available in the docket, find the docket as described in the previous paragraph, and then select “Supporting & Related Material” in the Document Type column. Public comments will also be placed in our online docket and can be viewed by following instructions on the <E T="03">www.regulations.gov</E> Frequently Asked Questions (FAQ) web page. That FAQ page also explains how to subscribe for email alerts that will notify you when comments are posted or if a final rule is published. We review all comments received, but we will only post comments that address the topic of the proposed rule. We may choose not to post off-topic, inappropriate, or duplicate comments that we receive. <E T="03">Personal information.</E> We accept anonymous comments. Comments we post to <E T="03">www.regulations.gov</E> will include any personal information you have provided. For more about privacy and submissions to the docket in response to this document, see the Department of Homeland Security's eRulemaking System of Records notice (85 FR 14226, March 11, 2020). <E T="03">Public meeting.</E> We do not plan to hold a public meeting, but we will consider doing so if we determine from public comments that a meeting would be helpful. We would issue a separate <E T="04">Federal Register</E> notice to announce the date, time, and location of such a meeting. <HD SOURCE="HD1">II. Abbreviations </HD> <EXTRACT> <FP SOURCE="FP-1">AMSC Area Maritime Security Committees</FP> <FP SOURCE="FP-1">BLS Bureau of Labor Statistics</FP> <FP SOURCE="FP-1">CEA Council of Economic Advisors</FP> <FP SOURCE="FP-1">CFR Code of Federal Regulations</FP> <FP SOURCE="FP-1">CGCSO Coast Guard Cyber Strategic Outlook</FP> <FP SOURCE="FP-1">CG-CVC Coast Guard Office of Commercial Vessel Compliance</FP> <FP SOURCE="FP-1">CGCYBER U.S. Coast Guard Cyber Command</FP> <FP SOURCE="FP-1">CG-ENG Coast Guard Office of Design and Engineering Standards</FP> <FP SOURCE="FP-1">CG-FAC Coast Guard Office of Port and Facility Compliance</FP> <FP SOURCE="FP-1">CIRCIA Cyber Incident Reporting for Critical Infrastructure Act of 2022</FP> <FP SOURCE="FP-1">CISA Cybersecurity and Infrastructure Security Agency</FP> <FP SOURCE="FP-1">COTP Captain of the Port</FP> <FP SOURCE="FP-1">CPG Cybersecurity Performance Goal</FP> <FP SOURCE="FP-1">CRM Cyber risk management</FP> <FP SOURCE="FP-1">CSF Cybersecurity framework</FP> <FP SOURCE="FP-1">CSRC Computer Secure Resource Center</FP> <FP SOURCE="FP-1">CySO Cybersecurity officer</FP> <FP SOURCE="FP-1">DHS Department of Homeland Security</FP> <FP SOURCE="FP-1">FR Federal Register</FP> <FP SOURCE="FP-1">FSA Facility security assessment</FP> <FP SOURCE="FP-1">FSP Facility security plan</FP> <FP SOURCE="FP-1">HMI Human-machine interface</FP> <FP SOURCE="FP-1">ICR Information collection request</FP> <FP SOURCE="FP-1">IEc Industrial Economics, Incorporated</FP> <FP SOURCE="FP-1">IMO International Maritime Organization</FP> <FP SOURCE="FP-1">IP internet protocol</FP> <FP SOURCE="FP-1">IRFA Initial Regulatory Flexibility analysis</FP> <FP SOURCE="FP-1">ISM International Safety Management</FP> <FP SOURCE="FP-1">IT Information technology</FP> <FP SOURCE="FP-1">KEV Known exploited vulnerability</FP> <FP SOURCE="FP-1"> MCAAG Maritime Cybersecurity Assessment and Annex Guide </FP> <FP SOURCE="FP-1">MISLE Marine Information for Safety and Law Enforcement</FP> <FP SOURCE="FP-1">MODU Mobile offshore drilling unit</FP> <FP SOURCE="FP-1">MSC Marine Safety Center</FP> <FP SOURCE="FP-1">MSC-FAL International Maritime Organization's Marine Safety Committee and Facilitation Committee</FP> <FP SOURCE="FP-1">MTS Marine transportation system</FP> <FP SOURCE="FP-1">MTSA Maritime Transportation Security Act of 2002</FP> <FP SOURCE="FP-1">NAICS North American Industry Classification System</FP> <FP SOURCE="FP-1">NIST National Institute of Standards and Technology</FP> <FP SOURCE="FP-1">NMSAC National Maritime Security Advisory Committee</FP> <FP SOURCE="FP-1">NPRM Notice of proposed rulemaking</FP> <FP SOURCE="FP-1">NRC National Response Center</FP> <FP SOURCE="FP-1">NVIC Navigation and Vessel Inspection Circular</FP> <FP SOURCE="FP-1">OCMI Officer in Charge, Marine Inspection</FP> <FP SOURCE="FP-1">OCS Outer continental shelf</FP> <FP SOURCE="FP-1">OEWS Occupational Employment and Wage Statistics</FP> <FP SOURCE="FP-1">OMB Office of Management and Budget</FP> <FP SOURCE="FP-1">OSV Offshore supply vessel</FP> <FP SOURCE="FP-1">OT Operational technology</FP> <FP SOURCE="FP-1">PII Personally identifiable information</FP> <FP SOURCE="FP-1">QCEW Quarterly Census of Employment a ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 392k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━