USCG has issued NVIC 02/2024 providing guidance for complying with reporting requirements for Breaches of Security (BOS), Suspicious Activity (SA), Transportation Security Incidents (TSI), and Cyber Incidents. The cyber incident guidance in this NVIC supports the reporting requirements in Part 6 of Title 33 of the Code of Federal Regulations (33 CFR Part 6) that applies to any vessel, harbor, port, or waterfront facility (hereafter referred to as MTS stakeholders). The BOS, SA, and TSI guidance in this NVIC supports the reporting requirements applicable to Maritime Transportation Security Act (MTSA)-regulated entities subject to 33 CFR Part 101.305.
Under MTSA and MTSA-implementing regulations, MTSA-regulated entities are required to report BOS, SA, and TSI to the Coast Guard. CG-5P Policy Letter 08-16 provided guidance as well as specific examples of BOS and SA, including those involving computer systems and networks, to help industry meet MTSA reporting requirements.
On February 21, 2024, the Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States amended 33 CFR Part 6. Among other provisions, it added a definition for “cyber incident” and created a requirement to report evidence of an actual or threatened cyber incident involving or endangering any vessel, harbor, port, or waterfront facility to the Coast Guard, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA). The broad applicability of 33 CFR Part 6 and the new definition of a cyber incident created an overlap with existing MTSA reporting requirements. This NVIC provides clarification on the reporting requirements identified in 33 CFR Part 101 and 33 CFR Part 6.