The NVIC provides guidance to MTSA facilities regarding complying with requirements to assess, document, and address computer system and network vulnerabilities. Specifically, the NVIC clarifies that facilities are required to assess and document vulnerabilities associated with their computer systems and networks (i.e., cybersecurity vulnerabilities) in their Facility Security Assessments (FSAs). Any cybersecurity vulnerabilities identified in an FSA must then be addressed in the Facility Security Plan (FSP) (i.e., mitigation measures, procedures, etc.).
These mitigation measures may be outlined in a stand-alone “cyber annex” to the FSP or incorporated into the FSP itself in appropriate areas. The NVIC notes that it is not necessary to identify specific technology or business models. Rather, facilities may provide a general description as well as documentation explaining how they are addressing any facility-specific cybersecurity vulnerabilities.
