The Coast Guard is proud to release the Maritime Cybersecurity Assessment & Annex Guide (MCAAG), which will help Maritime Transportation Security Act (MTSA)-regulated facilities and other Marine Transportation System (MTS) stakeholders address cyber risks. This voluntary guide serves as a resource for baseline cybersecurity assessments and plan development, particularly the Facility Security Assessments (FSA) and Facility Security Plans (FSP) required by MTSA.
Previously, the Coast Guard released Navigation and Vessel Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at Maritime Transportation System Act (MTSA) Regulated Facilities, which provided voluntary guidance to MTSA-regulated facility owners and operators on complying with requirements to assess, document and address computer system and network vulnerabilities. The initial incorporation of cybersecurity into required FSAs and FSPs was due by October 1st, 2022. During the implementation phase, stakeholder feedback reflected a desire for continued development of guidance and support from the Coast Guard. MCAAG offers an additional resource for MTSA-regulated facilities to enhance and expand on their current efforts as they continually assess cyber risks and vulnerabilities.
This guide will not influence Captain of the Port (COTP) review of FSPs submitted for approval. MTSA regulated facilities who have already submitted their FSP cyber annex or addendum to the Coast Guard may decide to use the MCAAG to help review effectiveness of their FSA, confirm identified vulnerabilities, and make further enhancements to their FSP.
The MCAAG may be also a resource for Area Maritime Security Committees in assessing overall port area cybersecurity risk and development of cyber annexes of Area Maritime Security Plans, and is useful for any other MTS stakeholders interested in conducting a baseline cybersecurity risk assessment, developing plans, as well as continued improvement of existing plans.
The MCAAG was developed in collaboration with maritime industry stakeholders, MTS and Coast Guard subject matter experts. The information in this guide is intended to assist stakeholders in meeting requirements, but the authority to accept and/or approve an FSA and/or FSP remains with the respective COTP. Likewise, facility owners and operators are not required to adhere to any specific guidance and may use whatever guidance or tools best meet their needs, so long as the regulatory requirements are met.
The MCAAG can be found on the Coast Guard’s Office of Port and Facility Compliance page.
The Maritime Cybersecurity Assessment & Annex Guide (MCAAG) Frequently Asked Questions (FAQs) is a dynamic document and will be updated based on questions and feedback received.
Additional resources associated with cybersecurity within the MTS can also be found on the CG Office of Port and Facility Compliance page, such as the newly revised Facility Inspector Cyber Job Aid, as well as on the CG CYBER Maritime Cyber Readiness Branch page. For more local guidance, stakeholders should engage via their COTP with their closest CG Area, District, or Sector MTS Specialist – Cyber (MTSS-C).
To submit feedback on the Maritime Cyber Assessment & Annex Guide (MCAAG), or questions related to cybersecurity pertaining to MTSA-regulated facilities or the MTS at large, please contact LCDR Kelley Edwards, (202) 795-6908, email: Kelley.C.Edwards@uscg.mil.