News

Understanding the Impact of the Regulatory Freeze Executive Order on the MTSA Cybersecurity Final Rule

On January 17, 2025, the MTSA Cybersecurity Final Rule was published in the Federal Register, establishing baseline cybersecurity measures for Maritime Transportation Security Act (MTSA) facilities. However, with the issuance of President Trump’s Executive Order (EO) “Regulatory Freeze Pending Review,” questions have arisen about the Rule’s timeline and implementation.

Specifically, Section (3) of the EO encourages federal agencies to delay the effective date of published rules for 60 days to review potential questions of fact, law, or policy. For the MTSA Cybersecurity Final Rule, the 60-day delay would extend to March 20, 2025, without affecting its current July 16, 2025, effective date. During this review period, agencies can open a comment period to evaluate issues and potentially propose further delays if needed.

In the case of the MTSA Cybersecurity Rule, there appear to be no substantial questions of fact, law, or policy:

  • Fact: Cybersecurity is a recognized security risk for the maritime sector.
  • Law: The U.S. Coast Guard has longstanding authority to regulate under the MTSA.
  • Policy: There is no new policy. Existing policy under the Navigation and Vessel Inspection Circular remains in place.

Despite this, some stakeholders suggest the Rule may not go far enough. For instance, the exemption for foreign-flagged vessels has drawn scrutiny. It’s also worth noting that regulatory freezes are not new. The Biden Administration issued a similar “freeze” in 2021, with language nearly identical to the Trump Administration’s 2025 order. For now, the MTSA Cybersecurity Final Rule remains on track.

USCG Cybersecurity Final Rule: Key Updates and Compliance Deadlines

On January 17, 2025, the United States Coast Guard (USCG) published its Cybersecurity in the Marine Transportation System Final Rule (Final Rule) in the Federal Register. The Final Rule, which was issued less than 11 months following publication of the Notice of Proposed Rulemaking (NPRM) in February 2024, establishes minimum cybersecurity requirements for Maritime Transportation Security Act (MTSA) facilities. These include, among others, Cybersecurity Assessments, Cybersecurity Plans, new cybersecurity training, drills, exercises, and records as well as implementation of technical cybersecurity measures.

The requirements in the Final Rule largely mirror those proposed in the NPRM. However, the USCG made various adjustments and clarifications, including establishing the following compliance dates:

  • Cybersecurity Training – Cybersecurity training for both personnel with access to the IT or OT systems and key personnel with access to the IT or remotely accessible OT systems must be completed by January 12, 2026.
  • Cybersecurity Assessment – Facilities must complete a Cybersecurity Assessment no later than July 16, 2027.
  • Cybersecurity Plan – Facilities must submit a Cybersecurity Plan to the USCG no later than July 16, 2027.

Below is a summary of some of the additional changes the USCG made with the Final Rule:

Cybersecurity Officer (CySO)

  • Adjusts the definition of “cybersecurity officer” to clarify that facilities may designate one or more Alternate CySOs to assist the primary CySO when the primary CySO is unavailable.

Cybersecurity Plans

  • Removes the requirement to submit a letter with the Cybersecurity Plan submission certifying that the Cybersecurity Plan meets regulatory requirements. The USCG states that submitting the Cybersecurity Plan itself qualifies as certification that it meets the requirements.
  • Eliminates the requirement that only “major amendments” to the Cybersecurity Plan be proposed to the USCG prior to implementation (thereby removing any ambiguity about which amendments require resubmission of the Cybersecurity Plan).  
  • States that proposed Cybersecurity Plan amendments must be submitted to the USCG at least 30 days before their effective date. The USCG clarifies that this should not be construed as limiting facilities from implementation of any proposed cybersecurity measures to address exigent circumstances.
  • Establishes a 96-hour timeframe for submitting Cybersecurity Plan amendments to the USCG resulting from changes to the owner/operator and/or CySO.

Training

  • Adds a requirement that when personnel must access IT or OT systems, but are unable to receive the required cybersecurity training, personnel must be accompanied or monitored by a person who has completed the cybersecurity training.

Drills and Exercises

  • Reduces the cybersecurity drill frequency from once every three months to at least two cybersecurity drills each calendar year.

Cybersecurity Measures

Account Security Measures

  • Revises requirements involving automatic lockouts after repeated failed login attempts to state that such lockouts must be enabled only on password-protected IT systems – and not on OT systems as originally proposed.

Device Security Measures

  • Clarifies that the device security measures required by 33 CFR § 101.650(b), including the network map and OT device configuration information, must only be addressed in Section 6 of the Cybersecurity Plan and made available to the USCG upon request (and not documented and submitted with the Cybersecurity Plan as originally proposed).

Data Security Measures

  • Revises requirements involving data encryption to provide that effective encryption must be deployed to maintain confidentiality of sensitive data and integrity of IT and OT traffic, when technically feasible (rather than requiring “all data, both in transit and at rest,” be encrypted “using a suitably strong algorithm” as originally proposed).

Risk Management

  • Adjusts select requirements for Cybersecurity Assessments, including: (1) limiting the identification of vulnerabilities to only “critical” OT and IT systems (rather than to all OT and IT systems); and (2) replacing the expectation that facilities “mitigate any unresolved vulnerabilities” with a requirement that facilities ensure patching or implementation of documented compensating controls for all Known Exploited Vulnerabilities in critical IT or OT systems without delay.
  • Clarifies that penetration testing must be completed in conjunction with renewal of the Cybersecurity Plan – rather than in conjunction with renewal of the Facility Security Plan. Following completion of the penetration test, the CySO must maintain a letter with the Facility Security Assessment, required under 33 CFR § 105.305, certifying that the test was conducted and listing all identified vulnerabilities.

Resilience

  • Adds the term “reportable cybersecurity incident” and clarifies that such incidents must be reported to the National Response Center without delay if they are not otherwise reported to the USCG under its 33 CFR Part 6 regulation.
  • Adjusts the definition of “backup” to remove the implication that the backups of critical IT and OT systems must be stored off-site.

Noncompliance, Waivers, and Equivalents

  • Clarifies that after completing a Cybersecurity Assessment, facilities that believe certain requirements are not applicable to their operations, or are technically not achievable, may seek a waiver or equivalence determination from the USCG.

Ready to ensure your facility complies with the new USCG Cybersecurity Final Rule? Contact us today to schedule a consultation and receive expert guidance on navigating these requirements and deadlines.

TWIC Reader Rule Further Delayed Until 2029: What You Need to Know

On October 31, 2024, the U.S. Coast Guard (USCG) announced a significant update regarding the enforcement of the TWIC Reader Rule in its Federal Register notice titled “TWIC–Reader Requirements; Second Delay of Effective Date.” This rulemaking delays the enforcement of TWIC Reader requirements for specific categories of facilities until May 8, 2029.

Who Is Affected by the TWIC Reader Rule Delay?

The delayed enforcement applies to the following three categories of facilities:

  • Facilities that handle Certain Dangerous Cargoes (CDC) in bulk and transfer such cargoes from or to a vessel.
  • Facilities that handle CDC in bulk but do not transfer it from or to a vessel.
  • Facilities that receive vessels carrying CDC in bulk but, during the vessel-to-facility interface, do not transfer it from or to the vessel.

Why the Delay?

The USCG’s decision to delay enforcement stems from the need to review the 2022 TWIC Reader assessment report conducted by the Homeland Security Operational Analysis Center (HSOAC). The report analyzed key factors, including:

  • Types of CDC;
  • Population density within proximity to facilities handling CDC; and
  • Broader consequences of CDC-related risks.

This delay allows the USCG to fully consider the findings and explore a more risk-based approach to TWIC Reader applicability.

New Pilot Project for TWIC Reader Applicability

In addition to reviewing the HSOAC report, the USCG will initiate a pilot project in 2025 to evaluate a proposed tiering process for determining TWIC Reader applicability.

What Is the Tiering Process?

The proposed process leverages the Chemical Security Assessment Tool (CSAT) tiering engine, previously used under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation. By considering the CSAT’s risk assessment methodology, the USCG aims to identify more precise criteria for determining which facilities require TWIC Reader enforcement.

How the Delay Affects Your Facility

The delayed enforcement provides additional time for facilities to prepare for potential changes to TWIC Reader requirements.

Next Steps for Facilities

The USCG plans to use data from the pilot project and the HSOAC analysis to evaluate potential changes to TWIC Reader applicability. These efforts reflect a move toward a more risk-based approach to chemical facility security. Please do not hesitate to contact us with any questions or additional information.

New TSA Cyber Risk Management Rules: What Pipeline, Rail, and Bus Operators Need to Know

On November 7, 2024, the Transportation Security Administration (TSA) issued its Enhancing Surface Cyber Risk Management Notice of Proposed Rulemaking (NPRM), a significant development for certain pipeline, rail, and over-the-road bus operators. The NPRM, which is open for public comment until February 5, 2025, proposes comprehensive cyber risk management requirements designed to enhance operational security and mitigate the risk of cyberattacks.

Key Requirements of the NPRM

The proposed regulations include the following mandates:

  • Physical Security Coordinator: Operators subject to the rule would be required to designate a Physical Security Coordinator at the corporate level to function as an administrator for sharing security-related activities and information with TSA.
  • Incident Reporting: The NPRM distinguishes between physical and cybersecurity incident reporting. Certain pipeline, freight railroad, passenger railroad, and rail transit owners and operators would be required to report cybersecurity incidents to CISA and physical security concerns to TSA, within 24 hours. 
  • Documentation and Verification: The NPRM proposes enhanced requirements for maintaining compliance records and conducting independent assessments and audits.
  • Cyber Risk Management Program: Operators subject to the rule would be required to establish and maintain a comprehensive program to manage cyber risks effectively. This would include, among other things, annual cybersecurity evaluations, creation of a TSA-approved Cybersecurity Operational Implementation Plan (COIP), and development of a Cybersecurity Assessment Plan (CAP) to identify unaddressed vulnerabilities.
  • Broader Classification of Sensitive Security Information (SSI): The NPRM expands SSI classification to include transportation-related cybersecurity materials, heightening the need for confidentiality and data protection.

The NPRM would effectively codify and expand upon existing TSA requirements established through Security Directives issued in 2021 following the Colonial Pipeline cyberattack. Navigating these evolving requirements can be challenging. Please do not hesitate to contact us with additional questions or for more information.

Congressional Efforts to Restore Chemical Facility Anti-Terrorism Standards (CFATS) Continue

On April 18, 2024, a bipartisan group of Representatives in the U.S. House, led by Laurel Lee (R-FL), redoubled efforts to restore CFATS by offering an amendment to H.R. 8035 (“Ukraine Security Supplemental Appropriations Act, 2024”). The amendment would have reauthorized CFATS for two years, but it was not included in the final bill that passed the House of Representatives (and eventually became law). Industry continues to look for ways to restore CFATS using other legislative vehicles.

Risk-Informed Analysis of Transportation Worker Identification Credential Reader Requirements

The RAND Corporation published its long-awaited assessment of the Transportation Worker Identification Credential (TWIC) Reader Rule. The purpose of the assessment is to further consider the costs versus benefits of the TWIC Reader Rule, including the scope of affected facilities.

As an initial matter, RAND has concluded:

  • Between 471 and 711 Maritime Transportation Security Act–regulated facilities handle Certain Dangerous Cargo (CDC) in bulk and are therefore likely to be subject to the reader rule delay.
  • Among the facilities observed to handle CDCs, anhydrous ammonia was the most common CDC, although many facilities handle more than one type of CDC.
  • The consequence distribution of facilities that handle CDCs in bulk was highly skewed (i.e., many facilities with relatively low consequences and few facilities with extremely high consequences).
  • The TWIC reader rule would have to avert a Transportation Security Incident (TSI) approximately every 60 to 90 years, at a minimum, to be cost-effective.
  • Although the final reader rule is potentially cost-effective even in its current form, reasons exist to consider a more-targeted approach that excludes low-quantity or low–population density facilities, or both. Under hypothetical regulatory options, a more-targeted approach affecting only higher-consequence facilities would need to avert only one TSI approximately every 200 to 600 years to be cost-effective.
  • The decision to use a wide net or a more-targeted approach could depend largely on policymakers’ preferences and relative risk tolerance considering trade-offs among several competing factors.

https://www.rand.org/pubs/research_reports/RRA1687-1.html