[Federal Register Volume 89, Number 36 (Thursday, February 22, 2024)]
[Proposed Rules]
[Pages 13404-13514]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-03075]



[[Page 13403]]

Vol. 89

Thursday,

No. 36

February 22, 2024

Part II





Department of Homeland Security





-----------------------------------------------------------------------





Coast Guard





-----------------------------------------------------------------------





33 CFR Parts 101 and 160





Cybersecurity in the Marine Transportation System; Proposed Rule

  Federal Register / Vol. 89, No. 36 / Thursday, February 22, 2024 / 
Proposed Rules  

[[Page 13404]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Coast Guard

33 CFR Parts 101 and 160

[Docket No. USCG-2022-0802]
RIN 1625-AC77


Cybersecurity in the Marine Transportation System

AGENCY: Coast Guard, Department of Homeland Security (DHS).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Coast Guard proposes to update its maritime security 
regulations by adding regulations specifically focused on establishing 
minimum cybersecurity requirements for U.S.-flagged vessels, Outer 
Continental Shelf facilities, and U.S. facilities subject to the 
Maritime Transportation Security Act of 2002 regulations. This proposed 
rule would help to address current and emerging cybersecurity threats 
in the marine transportation system. We seek your comments on this 
proposed rule and whether we should: use and define the term reportable 
cyber incident to limit cyber incidents that trigger reporting 
requirements, use alternative methods of reporting such incidents, and 
amend the definition of hazardous condition.

DATES: Comments and related material must be received by the Coast 
Guard on or before April 22, 2024.

ADDRESSES: You may submit comments identified by docket number USCG-
2022-0802 using the Federal Decision-Making Portal at 
www.regulations.gov. See the ``Public Participation and Request for 
Comments'' portion of the SUPPLEMENTARY INFORMATION section for further 
instructions on submitting comments. You may also find this notice of 
proposed rulemaking, with its 100-word-or-less summary, in this same 
docket at www.regulations.gov.
    Collection of information. Submit comments on the collection of 
information discussed in section VI.D of this preamble both to the 
Coast Guard's online docket and to the Office of Information and 
Regulatory Affairs (OIRA) in the White House Office of Management and 
Budget (OMB) using their website, www.reginfo.gov/public/do/PRAMain. 
Comments sent to OIRA on the collection of information must reach OIRA 
on or before the comment due date listed on their website.

FOR FURTHER INFORMATION CONTACT: For information about this document, 
email [email protected] or call: Commander Brandon Link, Office of 
Port and Facility Compliance, 202-372-1107, or Commander Frank Strom, 
Office of Design and Engineering Standards, 202-372-1375.

SUPPLEMENTARY INFORMATION:

Table of Contents for Preamble

I. Public Participation and Request for Comments
II. Abbreviations
III. Basis and Purpose
    A. The Problem We Seek To Address
    B. Recent Legislation and Policy
    C. Legal Authority To Address This Problem
IV. Background
    A. The Current State of Cybersecurity in the MTS
    B. Current Cybersecurity Regulations
V. Discussion of Proposed Rule
VI. Regulatory Analyses
    A. Regulatory Planning and Review
    B. Small Entities
    C. Assistance for Small Entities
    D. Collection of Information
    E. Federalism
    F. Unfunded Mandates
    G. Taking of Private Property
    H. Civil Justice Reform
    I. Protection of Children
    J. Indian Tribal Governments
    K. Energy Effects
    L. Technical Standards
    M. Environment

I. Public Participation and Request for Comments

    The Coast Guard views public participation as essential to 
effective rulemaking and will consider all comments and material 
received during the comment period. Your comment can help shape the 
outcome of this rulemaking. If you submit a comment, please include the 
docket number for this rulemaking, indicate the specific section of 
this document to which each comment applies, and provide a reason for 
each suggestion or recommendation.
    Submitting comments. We encourage you to submit comments through 
the Federal Decision-Making Portal at www.regulations.gov. To do so, go 
to www.regulations.gov, type USCG-2022-0802 in the search box and click 
``Search.'' Next, look for this document in the Search Results column, 
and click on it. Then click on the Comment option. If you cannot submit 
your material by using www.regulations.gov, call or email the persons 
in the FOR FURTHER INFORMATION CONTACT section of this proposed rule 
for alternate instructions.
    Viewing material in docket. To view documents mentioned in this 
proposed rule as being available in the docket, find the docket as 
described in the previous paragraph, and then select ``Supporting & 
Related Material'' in the Document Type column. Public comments will 
also be placed in our online docket and can be viewed by following 
instructions on the www.regulations.gov Frequently Asked Questions 
(FAQ) web page. That FAQ page also explains how to subscribe for email 
alerts that will notify you when comments are posted or if a final rule 
is published. We review all comments received, but we will only post 
comments that address the topic of the proposed rule. We may choose not 
to post off-topic, inappropriate, or duplicate comments that we 
receive.
    Personal information. We accept anonymous comments. Comments we 
post to www.regulations.gov will include any personal information you 
have provided. For more about privacy and submissions to the docket in 
response to this document, see the Department of Homeland Security's 
eRulemaking System of Records notice (85 FR 14226, March 11, 2020).
    Public meeting. We do not plan to hold a public meeting, but we 
will consider doing so if we determine from public comments that a 
meeting would be helpful. We would issue a separate Federal Register 
notice to announce the date, time, and location of such a meeting.

II. Abbreviations

AMSC Area Maritime Security Committees
BLS Bureau of Labor Statistics
CEA Council of Economic Advisors
CFR Code of Federal Regulations
CGCSO Coast Guard Cyber Strategic Outlook
CG-CVC Coast Guard Office of Commercial Vessel Compliance
CGCYBER U.S. Coast Guard Cyber Command
CG-ENG Coast Guard Office of Design and Engineering Standards
CG-FAC Coast Guard Office of Port and Facility Compliance
CIRCIA Cyber Incident Reporting for Critical Infrastructure Act of 
2022
CISA Cybersecurity and Infrastructure Security Agency
COTP Captain of the Port
CPG Cybersecurity Performance Goal
CRM Cyber risk management
CSF Cybersecurity framework
CSRC Computer Secure Resource Center
CySO Cybersecurity officer
DHS Department of Homeland Security
FR Federal Register
FSA Facility security assessment
FSP Facility security plan
HMI Human-machine interface
ICR Information collection request
IEc Industrial Economics, Incorporated
IMO International Maritime Organization
IP internet protocol
IRFA Initial Regulatory Flexibility analysis
ISM International Safety Management
IT Information technology
KEV Known exploited vulnerability
MCAAG Maritime Cybersecurity Assessment and Annex Guide

[[Page 13405]]

MISLE Marine Information for Safety and Law Enforcement
MODU Mobile offshore drilling unit
MSC Marine Safety Center
MSC-FAL International Maritime Organization's Marine Safety 
Committee and Facilitation Committee
MTS Marine transportation system
MTSA Maritime Transportation Security Act of 2002
NAICS North American Industry Classification System
NIST National Institute of Standards and Technology
NMSAC National Maritime Security Advisory Committee
NPRM Notice of proposed rulemaking
NRC National Response Center
NVIC Navigation and Vessel Inspection Circular
OCMI Officer in Charge, Marine Inspection
OCS Outer continental shelf
OEWS Occupational Employment and Wage Statistics
OMB Office of Management and Budget
OSV Offshore supply vessel
OT Operational technology
PII Personally identifiable information
QCEW Quarterly Census of Employment and Wages
RIA Regulatory impact analysis
Sec.  Section
SBA Small Business Administration
SME Subject matter expert
SMS Safety management system
TSI Transportation security incident
U.S.C. United States Code
VSA Vessel security assessment
VSP Vessel security plan

III. Basis and Purpose

A. The Problem We Seek To Address

    The maritime industry is undergoing a significant transformation 
that involves increased use of cyber-connected systems. While these 
systems improve commercial vessel and port facility operations, they 
also bring a new set of challenges affecting design, operations, 
safety, security, training, and the workforce.
    Every day, malicious actors (including, but not limited to, 
individuals, groups, and adversary nations posing a threat) attempt 
unauthorized access to control system devices or networks using various 
communication channels. An example of a successful attempt occurred in 
May 2021, when the Colonial Pipeline Company suffered a cyber-attack 
that disrupted the supply of fuel to the east coast of the United 
States. These cybersecurity threats require the maritime community to 
effectively manage constantly changing risks to create a safer cyber 
environment.
    The purpose of this notice of proposed rulemaking (NPRM) is to 
safeguard the marine transportation system (MTS) against current and 
emerging threats associated with cybersecurity by adding minimum 
cybersecurity requirements to part 101 of title 33 of the Code of 
Federal Regulations (CFR) to help detect, respond to, and recover from 
cybersecurity risks that may cause transportation security incidents 
(TSIs). This proposed rule would help address current and emerging 
cybersecurity threats to maritime security in the MTS.
    Cybersecurity risks result from vulnerabilities in the operation of 
vital systems, which increase the likelihood of cyber-attacks on 
facilities, Outer Continental Shelf (OCS) facilities, and vessels. 
Cyber-related risks to the maritime domain are threats to the critical 
infrastructure that citizens and companies depend on to fulfill their 
daily needs. Additionally, the proposed rule is necessary because it 
would create a regulatory environment for cybersecurity in the maritime 
domain to assist facilities, OCS facilities, and vessel firms that may 
not have taken cybersecurity measures on their own, for various 
reasons. In a 2018 report by the Council of Economic Advisors (CEA), 
the CEA stated ``[a] firm with weak cybersecurity imposes negative 
externalities on its customers, employees, and other firms, tied to it 
through partnerships and supply chain relations. In the presence of 
externalities, firms would rationally underinvest in cybersecurity 
relative to the socially optimal level. Therefore, it often falls to 
regulators to devise a series of penalties and incentives to increase 
the level of investment to the desired level.'' \1\
---------------------------------------------------------------------------

    \1\ Economic Report of the President Together with the Annual 
Report of the Council of Economic Advisers (Feb. 2018), https://www.govinfo.gov/content/pkg/ERP-2018/pdf/ERP-2018.pdf (accessed Dec. 
15, 2023). Page 323-324.
---------------------------------------------------------------------------

    In the report, the CEA also emphasized that ``[c]ontinued 
cooperation between the public and private sectors is the key to 
effectively managing cybersecurity risks. . . . The government is 
likewise important in incentivizing cyber protection--for example, by 
disseminating new cybersecurity standards, sharing best practices, 
conducting basic research on cybersecurity, protecting critical 
infrastructures, preparing future employees for the cybersecurity 
workforce, and enforcing the rule of law in cyberspace.'' \2\
---------------------------------------------------------------------------

    \2\ Id. at 324-325.
---------------------------------------------------------------------------

    Furthermore, the CEA acknowledged that ``[f]irms and private 
individuals are often outmatched by sophisticated cyber adversaries. 
Even large firms with substantial resources committed to cybersecurity 
may be helpless against attacks by sophisticated nation-states.'' \3\ 
As an example, the CEA stated, ``firms that own critical infrastructure 
assets, such as parts of the nation's power grid, may generate 
pervasive negative spillover effects for the wider economy.'' \4\
---------------------------------------------------------------------------

    \3\ Id. at 326.
    \4\ Id. at 326.
---------------------------------------------------------------------------

    Lastly, the CEA stated another problem that exists in the 
marketplace is, ``firms' reluctance to share information on cyber 
threats and exposures'', which ``impairs effective cybersecurity.'' \5\ 
The CEA further stated that ``firms remain reluctant to increase their 
exposure to legal and public affairs risks. The lack of information on 
cyberattacks and data breaches suffered by other firms may cause less 
sophisticated small firms to conclude that cybersecurity risk is not a 
pressing problem. . . . [T]he lack of data may be stymying the ability 
of law enforcement and other actors to respond quickly and effectively 
and may be slowing the development of the cyber insurance market.'' \6\
---------------------------------------------------------------------------

    \5\ Id. at 326.
    \6\ Id. at 326.
---------------------------------------------------------------------------

    This proposed rule would apply to the owners and operators of U.S.-
flagged vessels subject to 33 CFR part 104 (Maritime Security: 
Vessels), facilities subject to 33 CFR part 105 (Maritime Security: 
Facilities), and OCS facilities subject to 33 CFR part 106 (Marine 
Security: Outer Continental Shelf (OCS) Facilities). The proposed 
requirements include account security measures, device security 
measures, data security measures, governance and training, risk 
management, supply chain management, resilience, network segmentation, 
reporting, and physical security.
    This NPRM also seeks public comments specifically on defining a 
reportable cyber incident in 33 CFR 101.615 and using that term to 
limit reporting requirements; whether certain reports required under 
proposed Sec. Sec.  101.620 and 101.650 should be sent to the 
Cybersecurity and Infrastructure Security Agency (CISA); and whether to 
amend the definition of hazardous condition in 33 CFR part 160. We will 
consider comments on these three issues in deciding whether to amend 
the regulatory text we have proposed.
    The Coast Guard welcomes comments on all aspects of this 
rulemaking, including the proposed changes to definitions and the 
assumptions and estimates in section VI.A., Regulatory Planning and 
Review. Section VI.A. of this preamble addresses, for instance, 
developing a Cybersecurity Plan and

[[Page 13406]]

cybersecurity drill components, the affected population, device 
security measures, supply chain management, network segmentation, 
physical security, implementing and maintaining multifactor 
authentication, and owners and operators' existing practices on the 
proposed cybersecurity measures.

B. Recent Legislation, Regulations, and Policy

    In the Maritime Transportation Security Act of 2002 (MTSA),\7\ 
Congress provided a framework for the Secretary of Homeland Security 
(``Secretary''), acting through the Coast Guard,\8\ and maritime 
industry to identify, assess, and prevent TSIs in the MTS. MTSA vested 
the Secretary with authorities for broad security assessment, planning, 
prevention, and response activities to address TSIs, including the 
authority to require and set standards for Facility Security Plans 
(FSPs), OCS FSPs, and Vessel Security Plans (VSPs), to review and 
approve such plans, and to conduct inspections and take enforcement 
actions.\9\ The Coast Guard's implementing regulations address a range 
of considerations to deter TSIs to the maximum extent practicable,\10\ 
and require, among other general and specific measures, security 
assessments and measures related to radio and telecommunication 
systems, including computer systems and networks.\11\
---------------------------------------------------------------------------

    \7\ Public Law 107-295, 116 Stat. 2064, November 25, 2002.
    \8\ The Secretary delegated this authority to the Commandant of 
the Coast Guard via Department of Homeland Security (DHS) Delegation 
00170.1(II)(97)(b), Revision No. 01.3.
    \9\ See generally, for example, 46 U.S.C. 70103.
    \10\ See 46 U.S.C. 70103(c)(1).
    \11\ See, for example, 33 CFR 104.300(d)(11), 104.305(d)(2)(v), 
105.300(d)(11), 105.305(c)(1)(v), 106.300(d)(11), 106.305(c)(1)(v), 
and 106.305(d)(2)(v).
---------------------------------------------------------------------------

    The Coast Guard has also issued additional guidance and policies to 
address potential cyber incidents in FSPs, OCS FSPs, and VSPs,\12\ 
including a cybersecurity risk assessment model that was issued in 
January 2023,\13\ and voluntary guidance issued to Area Maritime 
Security Committees (AMSC) in July 2023.\14\ Congress has repeatedly 
reaffirmed the MTSA framework, including through amendments passed in 
2016,\15\ 2018,\16\ and 2021.\17\ In the 2018 amendments, Congress 
amended MTSA to specifically require VSPs and FSPs to include 
provisions for detecting, responding to, and recovering from 
cybersecurity risks that may cause TSIs.\18\ The proposed regulatory 
amendments to 33 CFR part 101 reflect the Coast Guard's view on 
cybersecurity under MTSA, including, but not limited to, recent 
amendments to MTSA (such as Title 46 of the United States Code (U.S.C.) 
Section 70103). The proposed amendments provide more detailed mandatory 
baseline requirements for U.S.-flagged vessels and U.S. facilities 
subject to MTSA.
---------------------------------------------------------------------------

    \12\ One of the Coast Guard's guidance documents is the 
Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines 
for Addressing Cyber Risks at Maritime Transportation Security Act 
Regulated Facilities (85 FR 16108). This NVIC outlined Coast Guard's 
view on requirements for FSPs and facility security, including 
cybersecurity. A similar understanding with regard to VSPs was 
expressed in the Coast Guard's Office of Commercial Vessel 
Compliance's (CG-CVC) Vessel CRM Work Instruction CVC-WI-027(2), 
Vessel Cyber Risk Management Work Instruction, October 27, 2020, 
https://www.dco.uscg.mil/Portals/9/CVC-WI-27%282%29.pdf, accessed 
July 18, 2023.
    \13\ See Maritime Cybersecurity Assessment and Annex Guide 
(MCAAG) (January 2023), https://dco.uscg.mil/Portals/9/CG-FAC/Documents/Maritime%20Cyber%20Assessment%20%20Annex%20Guide%20(MCAAG)_released%2
023JAN2023.pdf, accessed Aug. 4, 2023. The MCAAG was developed in 
coordination with the National Maritime Security Advisory Committee, 
AMSCs, and other maritime stakeholders. The guide serves as a 
resource for baseline cybersecurity assessments and plan development 
and helps stakeholders address vulnerabilities that could lead to 
transportation security incidents.
    \14\ NVIC 09-02, Change 6.
    \15\ Public Law 114-120, 130 Stat. 27, February 8, 2016.
    \16\ Public Law 115-254, 132 Stat. 3186, October 5, 2018.
    \17\ Public Law 116-283, 134 Stat. 4754, January 1, 2021.
    \18\ See Public Law 115-254, sec. 1805(d)(2) (codified at 46 
U.S.C. 70103(c)(3)(C)).
---------------------------------------------------------------------------

    Through three administrations, presidential policy has advanced 
cybersecurity in the maritime domain. Executive Order 13636 of February 
12, 2013 (Improving Critical Infrastructure Cybersecurity) recognized 
the Federal Government's efforts to secure our nation's critical 
infrastructure by working with the owners and operators of U.S. 
facilities, OCS facilities, and U.S.-flagged vessels to prepare for, 
prevent, mitigate, and respond to cybersecurity threats.\19\
---------------------------------------------------------------------------

    \19\ 78 FR 11739, February 19, 2013.
---------------------------------------------------------------------------

    To defend against malicious cyber-related activities, Executive 
Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons 
Engaging in Significant Malicious Cyber-Enabled Activities) recognized 
malicious cyber-related activities as an ``extraordinary threat to the 
national security, foreign policy, and economy of the United States,'' 
warranting a national emergency.\20\ The National Emergency with 
Respect to Significant Malicious Cyber-Enabled Activities has been 
extended as of March 30, 2023.\21\
---------------------------------------------------------------------------

    \20\ 80 FR 18077, April 2, 2015. Executive Order 13694 was later 
amended by Executive Order 13757 (82 FR 1, January 3, 2017), which 
outlined additional measures the Federal Government must take to 
address the national emergency identified in Executive Order 13694.
    \21\ 88 FR 19209, March 30, 2023.
---------------------------------------------------------------------------

    Executive Order 14028 of May 12, 2021 (Improving the Nation's 
Cybersecurity) also recognized that ``the private sector must adapt to 
the continuously changing threat environment, ensure its products are 
built and operate securely, and partner with the Federal Government to 
foster a more secure cyberspace.'' \22\
---------------------------------------------------------------------------

    \22\ 86 FR 26633.
---------------------------------------------------------------------------

    On July 28, 2021, the President issued the ``National Security 
Memorandum on Improving Cybersecurity for Critical Infrastructure 
Control Systems,'' \23\ which required the Secretary of Homeland 
Security to coordinate with the Secretary of Commerce (through the 
Director of the National Institute of Standards and Technology (NIST)) 
and other agencies, as appropriate, to develop baseline Cybersecurity 
Performance Goals (CPGs). These baseline CPGs would further a common 
understanding of the baseline security practices that critical 
infrastructure owners and operators should follow to protect national 
and economic security, as well as public health and safety. CISA's 
release of the CPGs in October 2022 was ``intended to help establish a 
common set of fundamental cybersecurity practices for critical 
infrastructure, and especially help small- and medium-sized 
organizations kickstart their cybersecurity efforts.'' \24\ The Coast 
Guard relied on CISA's CPGs as the benchmark for technical requirements 
in this proposed rule.
---------------------------------------------------------------------------

    \23\ The White House, National Security Memorandum on Improving 
Cybersecurity for Critical Infrastructure Control Systems, July 28, 
2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/, last accessed on July 
24, 2023.
    \24\ CISA, ``Cross-Sector Cybersecurity Performance Goals,'' 
https://www.cisa.gov/cross-sector-cybersecurity-performance-goals, 
accessed July 18, 2023.
---------------------------------------------------------------------------

    In 2021, the Coast Guard published its Cyber Strategic Outlook 
(CGCSO) to highlight the importance of managing cybersecurity risks in 
the MTS.\25\ The CGCSO highlighted three lines of effort, or 
priorities, to improve Coast Guard readiness in cyberspace: (1) Defend 
and Operate the Coast Guard Enterprise Mission Platform; (2) Protect 
the MTS; and (3) Operate in and through Cyberspace.\26\ As outlined in 
the

[[Page 13407]]

CGCSO's second line of effort, ``Protect the MTS,'' the Coast Guard 
proposes to implement a risk-based regulatory, compliance, and 
assessment regime. We propose to establish minimum requirements for 
cybersecurity plans that facilitate the use of international and 
industry-recognized cybersecurity standards to manage cybersecurity 
risks by owners and operators of maritime critical infrastructure.\27\ 
Specifically, this proposed rule would promulgate the Coast Guard's 
baseline cybersecurity regulations for U.S.-flagged vessels and U.S. 
facilities (including OCS facilities) subject to MTSA.
---------------------------------------------------------------------------

    \25\ U.S. Coast Guard, ``Cyber Strategic Outlook,'' August 2021, 
https://www.uscg.mil/Portals/0/Images/cyber/2021-Cyber-Strategic-Outlook.pdf, accessed July 18, 2023.
    \26\ These lines of effort evolved from the three ``strategic 
priorities'' introduced in the Coast Guard's Cyber Strategy, June 
2015. As cyber threats and vulnerabilities evolve, so will the Coast 
Guard's posture. https://www.dco.uscg.mil/Portals/10/Cyber/Docs/CG_Cyber_Strategy.pdf?ver=nejX4g9gQdBG29cX1HwFdA%3D%3D, accessed 
July 18, 2023.
    \27\ The Coast Guard is aware that some entities already follow 
industry standards related to cybersecurity. The proposed minimum 
requirements seek to establish a common baseline for all the 
regulated vessels and facilities that would not be incompatible with 
such standards, recognizing that in some instances these proposed 
minimums may increase a requirement, but in other circumstances will 
already be satisfied. The entity would be able to indicate within 
their Cyber Plan that they are following a particular standard and 
highlight how their compliance with that standard satisfies the 
Coast Guard requirements.
---------------------------------------------------------------------------

    As noted, in January 2023, the Coast Guard released the Maritime 
Cybersecurity Assessment and Annex Guide (MCAAG). The MCAAG was 
developed through coordination with the National Maritime Security 
Advisory Committee, Area Maritime Security Committees, and other 
maritime stakeholders, consistent with the activities described in 
section 2(e) of the National Institute of Standards and Technology Act 
(15 U.S.C. 272(e)). The MCAAG provides more detailed recommendations on 
implementing existing MTSA regulations as they relate to computer 
systems and networks. For example, the Coast Guard recommended a Cyber 
Annex Template for stakeholders to address possible cybersecurity 
vulnerabilities and risks.
    This NPRM is meant to expand and clarify the information required 
in security plans to remain consistent with 46 U.S.C. 70103(c)(3), 
including section 70103(c)(3)(C)(v), which requires FSPs, OCS FSPs, and 
VSPs to include provisions for detecting, responding to, and recovering 
from cybersecurity risks that may cause TSIs. Some terms we use in the 
MCAAG, such as cybersecurity vulnerability, may have a set proposed 
definition in this NPRM.

C. Legal Authority To Address This Problem

    The Coast Guard is proposing to promulgate these regulations under 
43 U.S.C. 1333(d); 46 U.S.C. 3306, 3703, 70102 through 70104, 70124; 
and the Department of Homeland Security (DHS) Delegation No. 00170, 
Revision No. 01.3.
    Section 4 of the Outer Continental Shelf Lands Act of 1953, 
codified as amended at 43 U.S.C. 1333(d), authorizes the Secretary to 
promulgate regulations with respect to lights and other warning 
devices, safety equipment, and other matters relating to the promotion 
of safety of life and property on the artificial islands, 
installations, and other devices on the OCS. This authority was 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(90), 
Revision No. 01.3.
    Section 3306 of Title 46 of the United States Code authorizes the 
Secretary to prescribe necessary regulations for the design, 
construction, alteration, repair, equipping, manning and operation of 
vessels and prevention and mitigation of damage to the marine 
environment, propulsion machinery, auxiliary machinery, boilers, 
unfired pressure vessels, piping, electric installations, and 
accommodations for passengers and crew. This authority was delegated to 
the Coast Guard by DHS Delegation No. 00170(II)(92)(b), Revision No. 
01.3.
    Section 3703 of Title 46 of the United States Code authorizes the 
Secretary to prescribe similar regulations relating to tank vessels 
that carry liquid bulk dangerous cargoes, including the design, 
construction, alteration, repair, maintenance, operation, equipping, 
personnel qualification, and manning of the vessels. This authority was 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(92)(b), 
Revision No. 01.3.
    Sections 70102 through 70104 of Title 46 of the United States Code 
authorize the Secretary to evaluate for compliance vessel and facility 
vulnerability assessments, security plans, and response plans. Section 
70124 authorizes the Secretary to promulgate regulations to implement 
Chapter 701, including sections 70102 through 70104, dealing with 
vulnerability assessments for the security of vessels, facilities, and 
OCS facilities; VSPs, FSPs, and OCS FSPs; and response plans for 
vessels, facilities, and OCS facilities. These authorities were 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(97)(a) 
through (c), Revision No. 01.3.

IV. Background

A. The Current State of Cybersecurity in the MTS

    The maritime industry is relying increasingly on digital solutions 
for operational optimization, cost savings, safety improvements, and 
more sustainable business. However, these developments, to a large 
extent, rely on information technology (IT) systems and operational 
technology (OT) systems, which increases potential cyber 
vulnerabilities and risks. Cybersecurity risks result from 
vulnerabilities in secure and safe operation of vital systems, which 
increase the likelihood of cyber-attacks on U.S. facilities, OCS 
facilities, and U.S.-flagged vessels.
    Cyber-attacks on public infrastructure have raised awareness of the 
need to protect systems and equipment that facilitate operations within 
the MTS because cyber-attacks have the potential to disable the IT and 
OT onboard U.S.-flagged vessels, U.S. facilities, and OCS facilities. 
Autonomous vessel technology, automated OT, and remotely operated 
machines provide further opportunities for cyber-attackers. These 
systems and equipment are prime targets for cyber-attacks stemming from 
insider threats, criminal organizations, nation state actors, and 
others.
    Also, the MTS has become increasingly susceptible to cyber-attacks 
due to the growing integration of digital technologies in their 
operations. These types of cyber-attacks can range from altering a 
vessel's navigational systems to disrupting its communication with 
ports, which can lead to delays, accidents, or even potential 
groundings that could potentially disrupt vessel movements and shut 
down port operations, such as loading and unloading cargo. This 
disruption can also negatively affect the MTS by interrupting the 
transportation and commerce of goods, raw resources, and passengers, as 
well as potential military operations when needed.
    An attack that compromises navigational or operational systems can 
pose a serious safety risk. It could result in accidents at sea, 
potential environmental disasters like oil spills, and loss of life. 
The maritime industry is not immune to ransomware attacks where 
cybercriminals are targeting critical systems or data. Given the 
critical nature of marine transportation to global trade, continued 
efforts are being made to improve cybersecurity measures in the sector.
    Maritime stakeholders can better detect, respond to, and recover 
from cybersecurity risks that may cause TSIs by adopting a range of 
cyber risk management (CRM) measures, as described in this proposed 
rule. It is important that the Coast Guard work with the maritime 
community to address both safety and security risks to better 
facilitate operations and to protect

[[Page 13408]]

MTS entities from creating hazardous conditions within ports and 
waterways. Updating regulations to include minimum cybersecurity 
requirements would strengthen the security posture and increase 
resilience against cybersecurity threats in the MTS.
    In 2017, the International Maritime Organization (IMO) took steps 
to address cybersecurity risks in the shipping industry by publishing 
the Marine Safety Committee/Facilitation Committee (MSC-FAL) Circular 
3, Guidelines on Maritime Cyber Risk Management,\28\ and MSC Resolution 
428(98).\29\ The IMO affirmed that an approved Safety Management System 
(SMS) should involve CRM to manage cybersecurity risks in accordance 
with the objectives and functional requirements of the International 
Safety Management (ISM) Code. An SMS is a structured and documented set 
of procedures enabling company and vessel personnel to effectively 
implement safety and environmental protection policies that are 
specific to that company or vessel.
---------------------------------------------------------------------------

    \28\ https://www.cdn.imo.org/localresources/en/OurWork/Facilitation/Facilitation/MSC-FAL.1-Circ.3-Rev.1%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretar
iat).pdf, accessed July 18, 2023.
    \29\ See the IMO resolution on CRM: Resolution MSC.428(98), 
Annex 10, ``Maritime Cyber Risk Management in Safety Management 
Systems.'' https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf, accessed July 18, 
2023.
---------------------------------------------------------------------------

    For applicable U.S.-flagged vessels, this proposed rule would 
establish a baseline level of protection throughout the MTSA-regulated 
vessel fleet. As the flag state, the Coast Guard can ensure these 
proposed cybersecurity regulations are implemented appropriately by 
approving Cybersecurity Plans and conducting routine inspections. This 
proposed rule would also apply to U.S. facilities regulated by 33 CFR 
part 105 and OCS facilities regulated by 33 CFR part 106.

B. Current Regulations Related to Cybersecurity

    The MTSA-implementing regulations in 33 CFR parts 101, 103, 104, 
105, and 106 give the Coast Guard the authority to review and approve 
security assessments and plans that apply broadly to the various 
security threats facing the maritime industry. Through the Navigation 
and Vessel Inspection Circular (NVIC) 01-20 \30\ (85 FR 16108, March 
20, 2020), the Coast Guard interpreted 33 CFR parts 105 and 106 as 
requiring owners and operators of U.S. facilities and OCS facilities to 
address cybersecurity in their facility security assessments (FSAs) and 
OCS FSAs, as well as in their FSPs and OCS FSPs, and provided non-
binding guidance on how regulated entities could address these issues.
---------------------------------------------------------------------------

    \30\ See footnote 12.
---------------------------------------------------------------------------

    This proposed rule would expand upon the agency's prior actions by 
establishing minimum performance-based cybersecurity requirements for 
the MTS within the MTSA regulations. Similar to the existing 
requirements in 33 CFR parts 104, 105 and 106, the Coast Guard would 
allow owners and operators the flexibility to determine the best way to 
implement and comply with these new requirements. The Coast Guard is 
proposing an implementation period of 12 to 18 months following the 
effective date of a final rule to allow sufficient time for the owners 
and operators of applicable U.S.-flagged vessels, U.S. facilities, and 
OCS facilities to comply with the requirements of this proposed 
rule.\31\
---------------------------------------------------------------------------

    \31\ Existing general requirements to address cyber issues in 
security plans will continue to apply during this rulemaking.
---------------------------------------------------------------------------

V. Discussion of Proposed Rule

    This NPRM proposes to add minimum cybersecurity requirements to 33 
CFR part 101. The Coast Guard invites comment on whether any of the 
proposed requirements would overlap, conflict, or duplicate existing 
regulatory requirements from other Federal agencies. The requirements 
would consist of the following sections:

 101.600 Purpose
 101.605 Applicability
 101.610 Federalism
 101.615 Definitions
 101.620 Owner or Operator
 101.625 Cybersecurity Officer
 101.630 Cybersecurity Plan
 101.635 Drills and Exercises
 101.640 Records and Documentation
 101.645 Communications
 101.650 Cybersecurity Measures
 101.655 Cybersecurity Compliance Dates
 101.660 Cybersecurity Compliance Documentation
 101.665 Noncompliance, Waivers, and Equivalents

    In addition, the Coast Guard seeks comments on whether, in this 
rulemaking, we should: define the term reportable cyber incident in 
proposed 33 CFR 101.615 and use that term in the regulatory text to 
limit cyber incidents that trigger reporting requirements; require 
certain reports identified in Sec. Sec.  101.620 and 101.650 to be sent 
to CISA; and amend the definition of hazardous condition in 33 CFR 
160.202.
    A section-by-section explanation of the proposed additions and 
changes follows:

Section 101.600--Purpose

    This proposed section states that the purpose of 33 CFR part 101, 
subpart F, is to set minimum cybersecurity requirements for U.S.-
flagged vessels, U.S. facilities, and OCS facilities to safeguard and 
ensure the security and resilience of the MTS. The proposed 
requirements would help safeguard the MTS from the evolving risks of 
cyber threats and align with the DHS goal of protecting critical U.S. 
infrastructure.

Section 101.605--Applicability

    This section proposes to make subpart F apply to the owners and 
operators of the U.S.-flagged vessels listed in 33 CFR 104.105(a), the 
facilities listed in 33 CFR 105.105(a), and the OCS facilities listed 
in 33 CFR 106.105(a). A list of the vessels that would be subject to 
subpart F is as follows:
     U.S. Mobile Offshore Drilling Units (MODUs), cargo 
vessels, or passenger vessels subject to the International Convention 
for Safety of Life at Sea, 1974, (SOLAS), Chapter XI-1 or Chapter XI-2;
     Self-propelled U.S. cargo vessels greater than 100 gross 
register tons subject to 46 CFR chapter I, subchapter I, except 
commercial fishing vessels inspected under 46 CFR part 105;
     U.S. vessels subject to 46 CFR chapter I, subchapter L;
     U.S. passenger vessels subject to 46 CFR chapter I, 
subchapter H;
     U.S. passenger vessels certificated to carry more than 150 
passengers;
     U.S. passenger vessels carrying more than 12 passengers, 
including at least 1 passenger-for-hire, that are engaged on an 
international voyage;
     U.S. barges subject to 46 CFR chapter I, subchapter D or 
O;
     U.S. barges carrying certain dangerous cargo in bulk or 
barges that are subject to 46 CFR chapter I, subchapter I, that are 
engaged on an international voyage;
     U.S. tankships subject to 46 CFR chapter I, subchapter D 
or O; and
     U.S. towing vessels greater than 8 meters (26 feet) in 
registered length inspected under 46 CFR subchapter M that are engaged 
in towing a barge or barges and subject to 33 CFR part 104, except a 
towing vessel that--
    [cir] Temporarily assists another vessel engaged in towing a barge 
or barges subject to 33 CFR part 104;
    [cir] Shifts a barge or barges subject to this part at a facility 
or within a fleeting facility;
    [cir] Assists sections of a tow through a lock; or
    [cir] Provides emergency assistance.
    This proposed rule would not apply to any foreign-flagged vessels 
subject to

[[Page 13409]]

33 CFR part 104. Cyber regulations for foreign-flagged vessels under 
domestic law may create unintended consequences with the ongoing and 
future diplomatic efforts to address maritime cybersecurity in the 
international arena. The IMO addressed cybersecurity measures for 
foreign-flagged vessels through MSC-FAL.1/Circ.3 and MSC Resolution 
428(98). Therefore, based on IMO guidelines and recommendations, an SMS 
approved under the ISM Code should address foreign-flagged vessel 
cybersecurity.
    In addition, the Coast Guard verifies how CRM is incorporated into 
a vessel's SMS via the process described in the October 27, 2020, CVC-
WI-027(2), Vessel Cyber Risk Management Work Instruction.\32\ This 
process would continue to be the Coast Guard's primary means of 
ensuring cybersecurity readiness on foreign-flagged vessels, which are 
exempt from this proposed rule.
---------------------------------------------------------------------------

    \32\ See footnote 12.
---------------------------------------------------------------------------

    If your facility or vessel would be subject to this proposed rule 
and you view a portion of it as redundant with the requirements of 
another Federal agency, please let us know. We seek to eliminate any 
unnecessary redundancies.

Section 101.610--Federalism

    We discuss the purpose and contents of this proposed section in 
section VI.E, Federalism, in this preamble.

Section 101.615--Definitions

    This section lists new cybersecurity related definitions the Coast 
Guard proposes to include in 33 CFR part 101, in addition to the 
maritime security definitions in 33 CFR 101.105. These definitions 
explain concepts relevant to cybersecurity and would help eliminate 
uncertainty in referencing and using these terms in 33 CFR part 101.
    The Coast Guard consulted several authoritative sources for these 
proposed new definitions. These sources include Executive Order 14028, 
6 U.S.C. 148, and the James M. Inhofe National Defense Authorization 
Act for Fiscal Year 2023 (the Act).\33\
---------------------------------------------------------------------------

    \33\ Public Law 117-263, Sec. 11224(a)(1) (2022).
---------------------------------------------------------------------------

    Another source for definitions is the ``Vocabulary'' page on CISA's 
National Initiative for Cybersecurity Careers and Studies website,\34\ 
which is an online Federal resource for cybersecurity training and 
education. The Coast Guard also reviewed NIST's Computer Security 
Resource Center (CSRC).\35\ NIST maintains CSRC to educate the public 
on computer security, cybersecurity, information security, and privacy. 
Definitions from CISA and NIST are authoritative sources in areas 
related to technology and cybersecurity.
---------------------------------------------------------------------------

    \34\ National Initiative for Cybersecurity Careers and Studies, 
Explore Terms: A Glossary of Common Cybersecurity Words and Phrases, 
https://niccs.cisa.gov/cybersecurity-career-resources/glossary, 
accessed September 15, 2023.
    \35\ CSRC, https://csrc.nist.gov/glossary, accessed September 
15, 2023.
---------------------------------------------------------------------------

    In addition, the Coast Guard proposes to define the term 
cybersecurity risk consistent with the definition at section 2200 of 
the Homeland Security Act of 2002 (Pub. L. 107-296), as amended, see 6 
U.S.C. 650(7). The Coast Guard notes, however, that it does not believe 
paragraph (b) of subsection 2200(7), which contains an exception for 
actions that solely involve a ``violation of a consumer term of service 
or a consumer licensing agreement'' is relevant to the facilities and 
vessels that are the subject of this rulemaking. Nevertheless, for 
consistency with the definition found in the Homeland Security Act and 
the sake of completeness, we have elected to include the complete 
definition in this proposal. See also 46 U.S.C. 70101(2); Public Law 
115-254, sec. 1805(b)(2).
    The Coast Guard proposes to include definitions for Cyber incident, 
Cyber risk, Cyber threat, and Cybersecurity vulnerability. Cyber 
incident would relate to Information Systems and would be inclusive of 
both Information Technology and Operational Technology, all of which 
the Coast Guard is also proposing to define. The Coast Guard also 
proposes new defined terms that are applicable to maritime 
cybersecurity, including Critical Information Technology or Operational 
Technology systems, Cyber Incident Response Plan, Cybersecurity Officer 
or CySO, and Cybersecurity Plan. A CySO, for example, would be the 
person(s) responsible for developing, implementing, and maintaining 
cybersecurity portions of the VSP, FSP, or OCS FSP. The CySO would also 
act as a liaison with the Captain of the Port (COTP) and company, 
vessel, and facility security officers.
    In addition, the Coast Guard welcomes comments on whether we should 
define and use the term Reportable cyber incident. The proposed 
definition of a reportable cyber incident would be based on the Cyber 
Incident Reporting Council's model definition in DHS's Report to 
Congress of September 19, 2023.\36\ If adopted, the term reportable 
cyber incident would replace cyber incident in proposed Sec. Sec.  
101.620(b)(7) and 101.650(g)(1). Specifically, a reportable cyber 
incident would mean an incident that leads to, or, if still under 
investigation, could reasonably lead to any of the following:
---------------------------------------------------------------------------

    \36\ See DHS Office of Strategy, Policy, and Plans, 
Harmonization of Cyber Incident Reporting to the Federal Government 
(Sept. 19, 2023), https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government, accessed Sept. 19, 
2023.
---------------------------------------------------------------------------

    (1) Substantial loss of confidentiality, integrity, or availability 
of a covered information system, network, or OT system;
    (2) Disruption or significant adverse impact on the reporting 
entity's ability to engage in business operations or deliver goods or 
services, including those that have a potential for significant impact 
on public health or safety or may cause serious injury or death;
    (3) Disclosure or unauthorized access directly or indirectly of 
non-public personal information of a significant number of individuals;
    (4) Other potential operational disruption to critical 
infrastructure systems or assets; or
    (5) Incidents that otherwise may lead to a TSI as defined in 33 CFR 
101.105.
    The Coast Guard's existing regulations in 33 CFR part 101 require 
regulated entities to report suspicious activity that may result in a 
TSI, breaches of security, and TSIs involving computer systems and 
networks. See 33 CFR 101.305. The purpose of defining a reportable 
cyber incident in this NPRM is to establish a threshold between the 
cyber incidents that must be reported and the ones that do not. We 
request public comment on the substance of this definition, its 
elements, potential burden on industry, as well as the need and 
effectiveness of including it in this regulation. We also invite 
comments on whether we should define any terms we use in the proposed 
rule that are not defined in proposed Sec.  101.615.
    In this NPRM, the Coast Guard is also seeking comments on two 
alternative potential regulatory measures for reporting cyber 
incidents. In the first alternative, the Coast Guard would require that 
reportable cyber incidents would be reported to the National Response 
Center (NRC) without delay to the telephone number listed in 33 CFR 
101.305(a). Cyber incidents with no physical or pollution effects could 
also be reported directly to CISA via [email protected] or 1-888-282-
0870. All such reports would be shared between the NRC and CISA Central 
and satisfy the requirement to report to the Coast Guard.
    In the second alternative, the Coast Guard seeks comments on 
whether it should require that reportable cyber incidents be reported 
to CISA. While this alternative would be a change from current 
practice, it could allow more

[[Page 13410]]

efficient use of DHS' cybersecurity resources and may advance the 
cybersecurity vision laid out by Congress in the Cyber Incident 
Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will 
be implemented by regulations that are still under development. 
Information submitted to CISA would be shared with the Coast Guard, 
ensuring continued efficient responses.
    If we were to use either alternative, to the extent that the 
reporting obligation imposed by this NPRM constitutes a requirement to 
report ``substantially similar information . . . within a substantially 
similar timeframe'' when compared to a rule implementing CIRCIA, 
covered entities may be excused from any duplicative reporting 
obligations under the CIRCIA rulemaking.\37\ In line with that 
provision, we invite your comments on whether we should expressly 
require reporting of ransom payments in connection with ransomware 
attacks. We request comment on whether we should use either of these 
two alternatives in a final rule.
---------------------------------------------------------------------------

    \37\ See 6 U.S.C. 681b(a)(5)(B) (exception to reporting 
requirements for certain substantially similar reporting 
requirements ``where the Agency has an agreement in place that 
satisfies the requirements of section 681g(a) of this title'').
---------------------------------------------------------------------------

Section 101.620--Owner or Operator

    This proposed section would require each owner and operator of a 
U.S.-flagged vessel, facility, or OCS facility to assign qualified 
personnel to develop a Cybersecurity Plan and ensure the Cybersecurity 
Plan incorporates detailed preparation, prevention, and response 
activities for cybersecurity threats and vulnerabilities.
    Additional responsibilities of owners and operators of U.S.-flagged 
vessels, facilities, and OCS facilities would include:
     Designating a CySO, in writing, by name and title, and 
identifying how the CySO can be contacted at any time. A CySO would 
have to be accessible to the Coast Guard 24 hours a day, 7 days a week 
(see proposed Sec.  101.620(b)(3));
     Ensuring that a Cybersecurity Assessment is conducted 
annually or sooner, under the circumstances described in this NPRM (see 
proposed Sec. Sec.  101.620(b)(4) and 101.650(e)(1));
     Ensuring that a Cybersecurity Plan is developed and 
submitted for Coast Guard approval, either as a separate document or as 
an addition to an existing FSP, VSP, or OCS FSP (see proposed 
Sec. Sec.  101.620(b)(1) and 101.630(a));
     Operating the U.S.-flagged vessel, facility, or OCS 
facility in accordance with the approved Cybersecurity Plan (see 
proposed Sec.  101.620(b)(5)); and
     Reporting all cyber incidents, including TSIs, to the NRC 
and relevant authorities according to the Cybersecurity Plan (see 
proposed Sec. Sec.  101.305 and 101.620(b)(7)).

Section 101.625--Cybersecurity Officer

    The CySO may be a full-time, collateral, or contracted position. 
The same person may serve as the CySO for more than one vessel, 
facility, or OCS facility. The CySO would need to have general 
knowledge of a range of issues relating to cybersecurity, such as 
cybersecurity administration, relevant laws and regulations, current 
threats and trends, risk assessments, inspections, control procedures, 
and procedures for conducting exercises and drills. When considering 
assignment of the CySO role to the existing security officer, the owner 
or operator should consider the depth and scope of these new 
responsibilities in addition to existing security duties.
    The most important duties a CySO would perform include ensuring 
development, implementation, and finalization of a Cybersecurity Plan; 
auditing and updating the Plan; ensuring adequate training of 
personnel; and ensuring the U.S.-flagged vessel, facility, or OCS 
facility is operating in accordance with the Plan and in continuous 
compliance with this subpart. The CySO would have the authority to 
assign cybersecurity duties to other personnel; however, the CySO would 
remain responsible for the performance of these duties.

Section 101.630--Cybersecurity Plan

    This proposed section contains minimum requirements for the 
Cybersecurity Plan. The Cybersecurity Plan would be maintained 
consistent with the recordkeeping requirements in 33 CFR 104.235 for 
vessels, 33 CFR 105.225 for facilities, and 33 CFR 106.230 for OCS 
facilities. See proposed Sec.  101.640. A Cybersecurity Plan would 
incorporate the results of a Cybersecurity Assessment and consider the 
recommended measures appropriate for the U.S.-flagged vessel, facility, 
or OCS facility. A Cybersecurity Plan could be combined with or 
complement an existing FSP, VSP, or OCS FSP. A Cybersecurity Plan could 
be kept in an electronic format if it can be protected from being 
deleted, destroyed, overwritten, accessed, or disclosed without 
authorization.
    The format of a Cybersecurity Plan required under this proposed 
rule would include the following individual sections:
    (1) Cybersecurity organization and identity of the CySO (see 
proposed Sec.  101.625 Cybersecurity Officer);
    (2) Personnel training (see proposed Sec.  101.625(d)(8), (9) 
Cybersecurity Officer);
    (3) Drills and exercises (see proposed Sec.  101.635 Drills and 
Exercises);
    (4) Records and documentation (see proposed Sec.  101.640 Records 
and Documentation);
    (5) Communications (see proposed Sec.  101.645 Communications);
    (6) Cybersecurity systems and equipment with associated 
maintenance; (see proposed Sec.  101.650(e)(3) Cybersecurity Measures: 
Routine Maintenance);
    (7) Cybersecurity measures for access control, including computer, 
IT, and OT areas (see proposed Sec.  101.650(a) Cybersecurity Measures: 
Account Measures);
    (8) Physical security controls for IT and OT systems (see proposed 
Sec.  101.650(i) Cybersecurity Measures: Physical Security);
    (9) Cybersecurity measures for monitoring (see proposed Sec.  
101.650(f) Cybersecurity Measures: Supply Chain; (h) Network 
Segmentation; (i) Physical Security);
    (10) Audits and amendments to the Cybersecurity Plan (see proposed 
Sec.  101.630(f) Cybersecurity Plan: Audits);
    (11) Cybersecurity audit and inspection reports to include 
documentation of resolution or mitigation of all identified 
vulnerabilities (see proposed Sec.  101.650(e) Cybersecurity Measures: 
Risk Management);
    (12) Documentation of all identified unresolved vulnerabilities to 
include those that are intentionally unresolved due to risk acceptance 
by the owner or operator (see proposed Sec.  101.650(e) Cybersecurity 
Measures: Risk Management);
    (13) Cyber incident reporting procedures in accordance with part 
101 of this subchapter (see proposed Sec.  101.650(g) Cybersecurity 
Measures: Resilience); and
    (14) Cybersecurity Assessment (see proposed Sec.  101.650(e) 
Cybersecurity Measures: Risk Management).
    Depending on operational conditions and cybersecurity risks, the 
owner or operator may develop a Cyber Incident Response Plan as a 
separate document or as an addition to the Cybersecurity Plan.
Submission and Approval of the Cybersecurity Plan
    An owner or operator would submit a Cybersecurity Plan for review 
to the cognizant COTP or the Officer in

[[Page 13411]]

Charge, Marine Inspections (OCMI) for U.S. facilities and OCS 
facilities, or to the U.S. Coast Guard's Marine Safety Center (MSC) for 
U.S.-flagged vessels. See proposed Sec.  101.630(d). A letter 
certifying that the Plan meets the requirements of this subpart must 
accompany the submission. Once the COTP or MSC finds that the Plan 
meets the cybersecurity requirements in Sec.  101.630, they would send 
a letter to the owner or operator approving the Cybersecurity Plan or 
approving the Plan under certain conditions.
    If the cognizant COTP, OCMI, or MSC requires additional time to 
review the Plan, they would have the authority to return a written 
acknowledgement to the owner or operator stating that the Coast Guard 
will review the Cybersecurity Plan submitted for approval, and that the 
U.S.-flagged vessel, facility, or OCS facility may continue to operate 
as long as it remains in compliance with the submitted Cybersecurity 
Plan. See proposed Sec.  101.630(d)(1)(iv).
    If the COTP, OCMI, or MSC finds that the Cybersecurity Plan does 
not meet the requirements in Sec.  101.630, the Plan would be returned 
to the owner or operator with a letter explaining why the Plan did not 
meet the requirements. The owner or operator will have at least 60 days 
to amend the Plan and cure deficiencies outlined in the letter. Until 
the amendments are approved, the owner or operator must ensure 
temporary cybersecurity measures are implemented to the satisfaction of 
the Coast Guard. See proposed Sec.  101.630(e)(1)(ii).
    Deficiencies would have to be corrected, and the Plan would have to 
be resubmitted for approval within the time period specified in the 
letter. If the owner or operator fails to cure those deficiencies 
within 60 days, the Plan would be declared noncompliant with these 
proposed regulations and other relevant regulations in title 33 of the 
CFR. If the owner or operator disagrees with the deficiency 
determination, they would have the right to appeal or submit a petition 
for reconsideration or review to the respective COTP, District 
Commander, OCMI, or MSC per Sec.  101.420.
    Under proposed Sec.  101.650(e)(1), a cybersecurity assessment 
would have to be conducted when one or both of the following situations 
occurs:
     There is a change in ownership of a U.S.-flagged vessel, 
facility, or an OCS facility; or
     There are major amendments to the Cybersecurity Plan.
    Each owner or operator would determine what constitutes a ``major 
amendment'' as appropriate for their organization based on types of 
changes to their security measures and operational risks. When 
submitting proposed amendments to the Coast Guard, either after a 
cybersecurity assessment or at other times, you would not be required 
to submit the Cybersecurity Plan with the proposed amendment. Under 
Sec.  101.630(f)(1), the CySO must ensure that an audit of the 
Cybersecurity Plan and its implementation is performed annually, 
beginning no later than 1 year from the initial date of approval. 
Additional audits would need to be conducted if there is a change in 
ownership or modifications of cybersecurity measures, but such audits 
may be limited to sections of the Plan affected by the modification. 
See proposed Sec.  101.630(f)(2) and (3). Those conducting an internal 
audit must have a level of knowledge and independence specified in 
Sec.  101.630(f)(4). Under Sec.  101.630(f)(5), if the results of the 
audit require the Cybersecurity Plan to be amended, the CySO must 
submit the proposed amendments to the Coast Guard for review within 30 
days of completing the audit.

Section 101.635--Drills and Exercises

    Under this proposed section, cybersecurity drills and exercises 
would be required to test the proficiency of U.S.-flagged vessel, 
facility, and OCS facility personnel in assigned cybersecurity duties 
and in the effective implementation of the VSP, FSP, OCS FSP, and 
Cybersecurity Plan. Drills and exercises would also enable the CySO to 
identify any related cybersecurity deficiencies that need to be 
addressed.
    Cybersecurity drills would generally test an operational response 
of at least one specific element of the Cybersecurity Plan, as 
determined by the CySO, such as access control for a critical IT or OT 
system, or network scanning. A drill would be required at least once 
every 3 months and may be held in conjunction with other drills, if 
appropriate.
    Cybersecurity exercises are a full test of an organization's 
cybersecurity regime and would include substantial and active 
participation of cybersecurity personnel. The participants may include 
local, State, and Federal Government personnel. Cybersecurity exercises 
would generally test and evaluate the organizational capacity to manage 
a combination of elements in the Cybersecurity Plan, such as detecting, 
responding to, and mitigating a cyber incident.
    The exercises would be required at least once each calendar year, 
with no more than 18 months between exercises. Exercises may be 
specific to a facility, OCS facility, or a U.S.-flagged vessel, or may 
serve as part of a cooperative exercise program or port exercises. The 
exercises for the Cybersecurity Plans could be combined with other 
required security exercises, if appropriate.
    The proposed drill or exercise requirements specified in this 
section may be satisfied by implementing cybersecurity measures 
required by the VSP, FSP, OCS FSP, and Cybersecurity Plan after a cyber 
incident, as long as the vessel, facility, or OCS facility achieves and 
documents the drill and exercise goals for the cognizant COTP or MSC. 
Any corrective action must be addressed and documented as soon as 
possible.

Section 101.640--Records and Documentation

    This proposed section would require owners and operators to follow 
the recordkeeping requirements in 33 CFR 104.235 for vessels, 33 CFR 
105.225 for facilities, and 33 CFR 106.230 for OCS facilities. For 
example, records must be kept for at least 2 years and be made 
available to the Coast Guard upon request. The records can be kept in 
paper or electronic format and must be protected against unauthorized 
access, deletion, destruction, amendment, and disclosure. Records that 
each vessel, facility, or OCS facility keep would vary because each 
organization would maintain records specific to their operations. At a 
minimum, the records would have to capture the following activities: 
training, drills, exercises, cybersecurity threats, incidents, and 
audits of the Cybersecurity Plan as set forth in the cited 
recordkeeping requirements above and made applicable to records under 
this subpart per Sec.  101.640.

Section 101.645--Communications

    This proposed section would require the CySO to maintain an 
effective means of communication to convey changes in cybersecurity 
conditions to the personnel of the U.S.-flagged vessel, facility, or 
OCS facility. In addition, the CySO is required to maintain an 
effective and continuous means of communicating with their security 
personnel, U.S.-flagged vessels interfacing with the facility or OCS 
facility, the cognizant COTP, and national and local authorities with 
security responsibilities.

Section 101.650--Cybersecurity Measures

    This section proposes specific cybersecurity measures to identify 
risks,

[[Page 13412]]

detect threats and vulnerabilities, protect critical systems, and 
recover from cyber incidents. Any intentional gaps in cybersecurity 
measures would be documented as accepted risks under proposed Sec.  
101.630(c)(12). If the owner or operator is unable to comply with the 
requirements of this subpart, they may seek a waiver or an equivalence 
determination under proposed Sec.  101.665.
    A discussion of each component of proposed Sec.  101.650 follows.
Section 101.650 Paragraph (a): Account Security Measures
    This paragraph would identify minimum account measures to protect 
critical IT and OT systems from unauthorized cyber access and limit the 
risk of a cyber incident. Access control is a foundational category and 
is highlighted as a ``Protect'' function of NIST's Cybersecurity 
Framework (CSF).\38\ Existing regulations in Sec. Sec.  104.265, 
105.255 through 105.260, and 106.260 through 106.265 prescribe control 
measures to limit access to restricted areas and detect unauthorized 
introduction of devices capable of damaging U.S.-flagged vessels, U.S. 
facilities, OCS facilities, or ports. This proposed provision is 
derived from NIST's standards mentioned earlier for the cyber domain 
and establish minimum account security measures to manage credentials 
and secure access to critical IT and OT systems. We invite your 
comments on the minimal requirements proposed in Sec.  101.650(a).
---------------------------------------------------------------------------

    \38\ NIST CSF, www.nist.gov/cyberframework/protect, accessed 
July 18, 2023.
---------------------------------------------------------------------------

    Account security measures for cybersecurity would include lockouts 
on repeated failed login attempts, password requirements, multifactor 
authentication, applying the principle of least privilege to 
administrator or otherwise privileged accounts, and removing 
credentials of personnel no longer associated with the organization. 
Numerous consensus standards that are generally accepted employ similar 
requirements.\39\ Together, these provisions would mitigate the risks 
of brute force attacks, unauthorized access, and privilege escalation. 
The owner or operator would be responsible for implementing and 
managing these account security measures, including ensuring that user 
credentials are removed or revoked when a user leaves the organization. 
The CySO would ensure documentation of such measures in Section 7 of 
the Cybersecurity Plan.
---------------------------------------------------------------------------

    \39\ See, for example, NIST CSF: PR.AC, CIS Controls 1, 12, 15, 
16, and COBIT DSS05.04, DSS05.10, DSS06.10, and ISA 62443-2-1.
---------------------------------------------------------------------------

Section 101.650 Paragraph (b): Device Security Measures
    This paragraph would provide specific proposed requirements to 
mitigate risks and vulnerabilities in critical IT and OT systems and 
equipment. With increased connectivity to public internet, networks on 
U.S.-flagged vessels, U.S. facilities, and OCS facilities have an 
expansive attack surface. These provisions would reduce the risks of 
unauthorized access, malware introduction, and service interruption. 
This paragraph would apply the ``Identify'' function of the NIST 
CSF.\40\ Existing regulations in 33 CFR 104.265, 105.255 through 
105.260, and 106.260 through 106.265 are similar. For example, Sec.  
105.260 limits access to areas that require a higher degree of 
protection.
---------------------------------------------------------------------------

    \40\ NIST CSF; Identify, ``NIST Cybersecurity Publication by 
Category,'' Asset Management ID.AM, updated May 3, 2021, 
www.nist.gov/cyberframework/identify, accessed July 18, 2023. NIST 
Special Publication 800-53, Revision 5, ``Security and Privacy 
Controls for Information Systems and Organizations,'' September 
2020, page 107, https://doi.org/10.6028/NIST.SP.800-53r5, accessed 
August 24, 2023.
---------------------------------------------------------------------------

    Proposed paragraph (b) would also require owners and operators to 
designate critical IT and OT systems.\41\ Developing and maintaining an 
accurate inventory and network map would reduce the risk of unknown or 
improperly managed assets. The Cybersecurity Plan would also govern 
device management. The CySO would maintain the network map and develop 
and maintain the list of approved hardware, software, and firmware. In 
addition to identifying risks, these provisions would aid in the proper 
lifecycle management of assets, including patching and end-of-life 
management. These requirements are foundational to many industry 
consensus standards and would reinforce Coast Guard regulations to 
protect communication networks.
---------------------------------------------------------------------------

    \41\ To help CySOs identify which systems are critical, the 
Coast Guard's Office of Port and Facility Compliance (CG-FAC) has 
published maritime specific CSF profiles on its homepage at 
www.dco.uscg.mil/Our-Organization/Assistant-Commandant-for-Prevention-Policy-CG-5P/Inspections-Compliance-CG-5PC-/Office-of-Port-Facility-Compliance/Domestic-Ports-Division/cybersecurity/, 
accessed July 18, 2023 and in pages 20 through 24 of Appendix A, 
Maritime Bulk Liquid Transfer Profile at https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.dco.uscg.mil%2FPortals%2F9%2FCG-FAC%2FDocuments%2FCyber%2520Profiles%2520Overview.docx%3Fver%3D2018-01-10-143126-467&wdOrigin=BROWSELINK, accessed July 18, 2023.
---------------------------------------------------------------------------

Section 101.650 Paragraph (c): Data Security Measures
    This paragraph would prescribe fundamental data security measures 
that stem from the ``Protect'' function of the NIST CSF. Data security 
measures protect personnel, financial, and operational data and are 
consistent with basic risk management activities of the maritime 
industry. The IMO recognizes the importance of risk management related 
to data security on U.S.-flagged vessels,\42\ and the Coast Guard 
previously highlighted data security measures in its policy for MTSA-
regulated U.S. facilities.\43\
---------------------------------------------------------------------------

    \42\ MSC-FAL.1/Circ.3/Rev.1: ``Implement risk control processes 
and measures, and contingency planning to protect against a cyber-
event and ensure continuity of shipping operations.''
    \43\ NVIC 01-20 at page 2: ``Each facility should also determine 
how, and where, its data is stored and, if it is stored offsite, 
whether the data has a critical link to the safety and/or security 
functions of the facility. If such a critical link exists, the 
facility should address any vulnerabilities . . . . ''
---------------------------------------------------------------------------

    Data security measures prevent data loss and aid in detection of 
malicious activity on critical IT and OT systems. The fundamental 
measures proposed here would establish baseline protections upon which 
owners and operators could build. This paragraph would require data 
logs to be securely captured, stored, and protected so that they are 
accessible only by privileged users, and would require encryption for 
data in transit and data at rest. CySOs would rely on generally 
accepted industry standards and risk management principles to determine 
the suitability of specific encryption algorithms for certain purposes, 
such as protecting critical IT and OT data with a more robust algorithm 
than for routine data.\44\ A CySO would establish more detailed data 
security policies in Section 9 of the Cybersecurity Plan. Those 
policies would be adapted to the unique operations of the U.S.-flagged 
vessel, facility, or OCS facility.
---------------------------------------------------------------------------

    \44\ See, for example, ISA 62443-3-3, CIS CSC 13, 14 in the EDM 
NIST Cybersecurity Framework Crosswalks, available at www.cisa.gov/sites/default/files/publications/4_NIST_CSF_EDM_Crosswalk_v3_April_2020.pdf, accessed July 18, 2023.
---------------------------------------------------------------------------

Section 101.650 Paragraph (d): Cybersecurity Training for Personnel
    This paragraph would specify proposed cybersecurity training 
requirements. Security training is a vital aspect of the MTSA. Relevant 
provisions in 33 CFR already require all personnel to have knowledge, 
through training or equivalent job experience, in the ``Recognition and 
detection of dangerous . . . devices.'' \45\ Since 2020, the Coast 
Guard has interpreted this requirement to include relevant 
cybersecurity training.\46\ While formal

[[Page 13413]]

training may be appropriate, the Coast Guard is not proposing to 
mandate a format of training. However, the training would have to, at 
minimum, cover relevant provisions of the Cybersecurity Plan to include 
recognizing, detecting, and preventing cybersecurity threats; and 
reporting cyber incidents to the CySO.
---------------------------------------------------------------------------

    \45\ 33 CFR 104.225(c) (Vessels), 105.215(c) (Facilities), and 
106.220(c) (OCS Facilities).
    \46\ NVIC 01-20 ENCL(1) at page 3: ``Describe how cybersecurity 
is included as part of personnel training, policies, and procedures, 
and how this material will be kept current and monitored for 
effectiveness.''
---------------------------------------------------------------------------

    The types of training would also need to be consistent with the 
roles and responsibilities of personnel, including access to critical 
IT and OT systems and operating network-connected machineries. Key 
cybersecurity personnel and management would need to have current 
knowledge of threats to deal with potential cyber-attacks and 
understand procedures for responding to a cyber incident. The owner, 
operator, or CySO would ensure all personnel designated by the CySO 
complete the core training within 5 days of gaining system access, but 
no later than 30 days after hiring, and annually thereafter, and that 
key personnel receive specialized training annually or more frequently 
as needed. Existing personnel would be required to receive training on 
relevant provisions of the Cybersecurity Plan within 60 days of the 
Plan being approved, and for all other required training within 180 
days of the effective date of a final rule, and annually thereafter. 
(See Sec.  101.650(d)(3)).
Section 101.650 Paragraph (e): Risk Management
    This paragraph would establish three levels of Cybersecurity 
Assessment and risk management: (1) conducting annual Cybersecurity 
Assessments; (2) completing penetration testing upon renewal of a VSP, 
FSP, or OCS FSP; and (3) ensuring ongoing routine system maintenance. 
The CySO would ensure that these activities, which are listed in 
Sections 11 and 12 of the Cybersecurity Plan, are documented and 
completed.
    Following a Cybersecurity Assessment, the CySO would incorporate 
feedback from the assessment into the Cybersecurity Plan through an 
amendment to the Plan. A Cybersecurity Assessment would be conducted 
within 1 year from the effective date of a final rule and annually 
thereafter. The Assessment must be conducted sooner than annually in 
the following circumstances:
     There is a change in ownership of a U.S.-flagged vessel, 
facility, or an OCS facility; or
     There are major events requiring amendments to the 
Cybersecurity Plan.
    While Cybersecurity Assessments provide a valuable picture of 
potential security weaknesses, penetration tests can add additional 
context by demonstrating whether malicious actors could leverage those 
weaknesses. Penetration tests can also help prioritize resources based 
on what poses the most risk. Routine system maintenance requires an 
ongoing effort to identify vulnerabilities and would include scanning 
and reviewing known exploited vulnerabilities (KEVs) by documenting, 
tracking, and monitoring them. These proposed provisions would mirror 
the security system and equipment maintenance requirements in 33 CFR 
104.260 for vessels, 33 CFR 105.250 for facilities, and 33 CFR 106.255 
for OCS facilities, and reflect the Coast Guard's longstanding view on 
cybersecurity. To improve risk management across the maritime sector, 
CySOs would establish, subject to any applicable antitrust law 
limitations,\47\ information-sharing procedures for their 
organizations, which would include procedures to receive and act on 
KEVs, as well as methods for sharing threat and vulnerability 
information.
---------------------------------------------------------------------------

    \47\ The sharing of competitively sensitive information between 
or among competitors raises antitrust concerns. For example, 
information sharing is not exempted under the Cybersecurity 
Information Sharing Act of 2015 if the information shared results in 
price fixing, market allocation, boycotting, monopolistic conduct, 
or other collusive conduct.
---------------------------------------------------------------------------

    The ``Protect'' function of the NIST CSF emphasizes the importance 
of strong processes and procedures for protecting information.\48\ For 
example, organizations would have to ensure information and records 
(data) are managed consistently with the organization's risk strategy 
to protect the confidentiality, integrity, and availability of 
information. Risk management is key in protecting IT and OT components 
that may include cybersecurity vulnerabilities in their design, code, 
or configuration.
---------------------------------------------------------------------------

    \48\ NIST CSF Internal Controls, Appendix A, Table A-1, PR.IP-
12, page 261, link.springer.com/content/pdf/bbm:978-1-4842-3060-2/1.pdf, accessed July 18, 2023.
---------------------------------------------------------------------------

    Owners and operators may use information-sharing services or 
organizations such as an Information Sharing and Analysis Center or an 
Information Sharing and Analysis Organization. The Coast Guard would 
not endorse specific information-sharing organizations, so owners and 
operators would be free to use information-sharing organizations to 
suit their needs.\49\ Industry consensus standards provide generally 
accepted techniques that sanitize and reduce attribution to information 
to ensure information sharing does not compromise proprietary business 
information.\50\ In addition, regardless of the services or 
organizations used, owners and operators should comply with applicable 
antitrust laws and should not share competitively sensitive 
information, such as price or cost data, that can result in unlawful 
price-fixing, market allocation, or other forms of competitor 
collusion. Use of any information-sharing services or organizations 
would not meet or replace reporting requirements under 33 CFR 101.305.
---------------------------------------------------------------------------

    \49\ The Coast Guard encourages CySOs to explore resources 
through CGCYBER Maritime Cyber Readiness Branch, available at 
https://www.uscg.mil/MaritimeCyber/; see also CISA's ``Information 
Sharing and Awareness,'' available at https://www.cisa.gov/information-sharing-and-awareness, accessed July 18, 2023.
    \50\ See, e.g., NIST Special Publication 800-150, ``Guide to 
Cyber Threat Information Sharing,'' Johnson et al., October 2016, 
nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-150.pdf, 
accessed July 18, 2023.
---------------------------------------------------------------------------

    The Coast Guard emphasized its commitment to helping maritime 
industry stakeholders identify and address vulnerabilities in its 2021 
Cyber Trends and Insights in the Marine Environment report.\51\ In that 
report, the Coast Guard highlighted additional resources that CySOs 
should leverage to manage cybersecurity vulnerabilities.
---------------------------------------------------------------------------

    \51\ ``2021 Cyber Trends and Insights in the Marine 
Environment,'' August 5, 2022, https://www.dco.uscg.mil/Portals/9/2021CyberTrendsInsightsMarineEnvironmentReport.pdf.
---------------------------------------------------------------------------

Section 101.650 Paragraph (f): Supply Chain
    This proposed paragraph would include provisions to specify 
measures to manage cybersecurity risks in the supply chain. Legitimate 
third-party contractors and vendors may inadvertently provide a means 
of attack or vectors that allow malicious actors to exploit 
vulnerabilities within the supply chain. Section 1.1 of the NIST CSF 
emphasizes managing cybersecurity risks in the supply chain as part of 
the ``Identify'' function.\52\
---------------------------------------------------------------------------

    \52\ NIST CSF, Version 1.1, ``ID.SC: Supply Chain Risk 
Management,'' https://csf.tools/reference/nist-cybersecurity-framework/v1-1/id/id-sc/, accessed July 18, 2023.
---------------------------------------------------------------------------

    Under this proposed paragraph, the owner, operator, or CySO would 
ensure that measures to manage cybersecurity risks in the supply chain 
are in place to mitigate the risks associated with external parties. 
These measures would include considering cybersecurity capabilities in 
selecting vendors,

[[Page 13414]]

establishing procedures for information sharing and notifying relevant 
parties, and monitoring third-party connections.
    Through their contractual agreements, vendors would ensure the 
integrity and security of software and hardware, such as software 
releases and updates, notifications, and mitigations of 
vulnerabilities. These provisions would establish a minimum level of 
CRM within the supply chain. Industry standards provide additional 
measures.\53\ The IMO also recognizes that cybersecurity risks in the 
supply chain, and these provisions would align with the guidelines and 
recommendations referenced in MSC-FAL Circ. 3/Rev.1.\54\
---------------------------------------------------------------------------

    \53\ See, for example, NIST Special Publication 800-161, 
``Supply Chain Risk Management Practices for Federal Information 
Systems and Organizations,'' May 2022, https://doi.org/10.6028/NIST.SP.800-161r1, accessed July 18, 2023.
    \54\ MSC-FAL.1/Circ.3/Rev.1, 2.1.6 and 4.2; see footnote 28.
---------------------------------------------------------------------------

Section 101.650 Paragraph (g): Resilience
    This paragraph proposes a few key activities to ensure that U.S.-
flagged vessels, facilities, and OCS facilities can recover from major 
cyber incidents with minimal impact to critical operations. Provisions 
under response and recovery can help an organization recover from a 
cyber-attack and restore capabilities and services.
    This proposed rule would require the owner, operator, or CySO to 
ensure the following response and recovery activities: report any cyber 
incidents to the Coast Guard; develop, implement, maintain, and 
exercise the Cyber Incident Response Plan; periodically validate the 
effectiveness of the Cybersecurity Plan; and perform backups of 
critical IT and OT systems. The Coast Guard would accept review of a 
cyber incident as meeting the periodic validation requirement in Sec.  
101.650(g).
    In addition, the NIST CSF describes numerous provisions within the 
``Recover'' function aimed at improving response and recovery.\55\ The 
IMO also notes resilience.\56\
---------------------------------------------------------------------------

    \55\ NIST CSF, Version 1.1 ``RC: Recover,'' https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rc/, accessed July 19, 
2023.
    \56\ MSC-FAL Circ. 3/Rev. 1, 3.5.5; see footnote 28.
---------------------------------------------------------------------------

Section 101.650 Paragraph (h): Network Segmentation
    This paragraph would require a CySO to ensure the network is 
segmented and to document those activities in the Cybersecurity Plan. 
Network integrity is a key provision under the ``Protect'' function of 
the NIST CSF.\57\ Network architectures vary widely based on the 
operations of a vessel or facility. Separating IT and OT networks is 
challenging, and it becomes increasingly difficult with an increase in 
the various devices connected to the network. Network segmentation 
ensures valuable information is not shared with unauthorized users and 
decreases damage that can be caused by malicious actors. Nonetheless, 
the Coast Guard recognizes that the IT and OT interface represents a 
weak link. Industry standards in this area are evolving, and it is an 
area that NIST continues to research.\58\
---------------------------------------------------------------------------

    \57\ NIST CSF, Version 1.1, ``PR.AC-5: Network integrity is 
protected (e.g., network segregation, network segmentation).'' 
csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ac/pr-
ac-5/, accessed July 19, 2023.
    \58\ See NIST Special Publication 800-82r3,'' Guide to 
Operational Technology (OT) Security,'' draft published April 26, 
2022; doi.org/10.6028/NIST.SP.800-82r3.ipd, accessed July 19, 2023.
---------------------------------------------------------------------------

Section 101.650 Paragraph (i): Physical Security
    This paragraph would specify that, along with the cybersecurity 
provisions proposed for inclusion in this part, owners, operators, and 
CySOs would manage physical access to IT and OT systems. As described 
in the ``Protect'' function of the NIST CSF, physical security protects 
critical IT and OT systems by limiting access to the human-machine 
interface (HMI).\59\ Physical security measures proposed here would 
supplement the existing vessel security assessment (VSA), FSA, and OCS 
FSA requirements in 33 CFR 104.270 for vessels, 33 CFR 105.260 for 
facilities, and 33 CFR 106.260 for OCS facilities. Similarly, under 
this proposed paragraph, the CySO would designate areas restricted to 
authorized personnel and secure HMIs and other hardware. Also under 
this proposed paragraph, the CySO would establish policies to restrict 
the use of unauthorized media and hardware. These proposed provisions 
would mirror existing Coast Guard policy outlined in NVIC 01-20.\60\
---------------------------------------------------------------------------

    \59\ NIST CSF, Version 1.1, ``PR.AC-2: Physical Access to Assets 
is Managed and Protected.'' csf.tools/reference/nist-cybersecurity-
framework/v1-1/pr/pr-ac/pr-ac-2/, accessed July 19, 2023.
    \60\ NVIC 01-20, enclosure (1), at page 4: ``Security measures 
for access control 33 CFR 105.255 and 106.260 Establish security 
measures to control access to the facility. This includes cyber 
systems that control physical access devices such as gates and 
cameras, as well as cyber systems within secure or restricted areas, 
such as cargo or industrial control systems. Describe the security 
measures for access control.'' (85 FR 16108).
---------------------------------------------------------------------------

Section 101.655--Cybersecurity Compliance Dates

    This proposed section would state that a Cybersecurity Plan as 
required by this proposed rule would be made available to the Coast 
Guard for review during the second annual audit of the existing, 
approved VSP, OCS FSP, or FSP after the effective date of a final rule, 
as required by 33 CFR 104.415 for vessels, 33 CFR 105.415 for 
facilities, and 33 CFR 106.415 for OCS facilities. The intent of this 
proposed implementation period is to allow adequate time for owners and 
operators to develop a Cybersecurity Plan.

Section 101.660--Cybersecurity Compliance Documentation

    This proposed section would allow the Coast Guard to verify an 
approved Cybersecurity Plan for U.S.-flagged vessels, facilities, and 
OCS facilities. Each owner or operator would ensure that the 
cybersecurity portion of their Plan and penetration test results are 
available to the Coast Guard upon request.

Section 101.665--Noncompliance, Waivers, and Equivalents

    This proposed section would provide the opportunity for waiver and 
equivalence determinations for owners and operators when they are 
unable to meet the requirements in subpart F, as outlined in 33 CFR 
104.130, 104.135, 105.130, 105.135, and 106.130, to include the 
cybersecurity regulations proposed in this NPRM. It would also expand 
temporary permission provisions in 33 CFR 104.125, 105.125, and 
106.120.

Section 101.670--Severability

    This proposed section would reflect the Coast Guard's intent that 
the provisions of subpart F be considered severable from each other to 
the greatest extent possible. For instance, if a court of competent 
jurisdiction were to hold that the rule or a portion thereof may not be 
applied to a particular owner or operator or in a particular 
circumstance, the Coast Guard would intend for the court to leave the 
remainder of the rule in place with respect to all other covered 
persons and circumstances. The inclusion of a severability clause in 
subpart F would not be intended to imply a position on severability in 
other Coast Guard regulations.

Inviting Comments on Regulatory Harmonization

    As noted by the Office of the National Cyber Director in an August 
2023 Request for Information,\61\ the National Cybersecurity Strategy 
\62\ calls for

[[Page 13415]]

establishing cybersecurity regulations to secure critical 
infrastructure where existing measures are insufficient, harmonizing 
\63\ and streamlining new and existing regulations, and enabling 
regulated entities to afford to achieve security.
---------------------------------------------------------------------------

    \61\ See 88 FR 55694 (Aug. 16, 2023).
    \62\ See The White House, National Cybersecurity Strategy (Mar. 
2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf. (accessed Sept. 19, 2023).
    \63\ As used in this context, ``harmonization'' refers to a 
common set of updated baseline regulatory requirements that would 
apply across sectors. Sector regulators such as the Coast Guard may 
appropriately go beyond the harmonized baseline to address 
cybersecurity risks specific to their sectors. See 88 FR at 55694.
---------------------------------------------------------------------------

    The Coast Guard emphasizes its commitment to regulatory 
harmonization and streamlining, and notes that this proposed rule, 
which is grounded in NIST's Framework for Improving Critical 
Infrastructure Cybersecurity, NIST's standards and best practices, and 
CISA's CPGs, is consistent with such priorities. The Coast Guard also 
acknowledges the ongoing rulemakings of other DHS components, including 
ongoing rulemakings on cybersecurity in surface transportation modes 
\64\ and implementation of CIRCIA.\65\ The Coast Guard notes potential 
differences in terminology and policy as compared to those rulemakings; 
although the Coast Guard views such differences as intentional and 
based on sector-specific distinctions, we welcome comments on 
opportunities to harmonize and streamline regulations where feasible 
and appropriate. Note that proposed Sec.  101.665, Noncompliance, 
Waivers, and Equivalents, could offer stakeholders an option for 
requesting compliance that is harmonized with similar requirements.
---------------------------------------------------------------------------

    \64\ See TSA, Fall 2023 Unified Agenda, RIN 1652-AA74: Enhancing 
Surface Cyber Risk Management, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=1652-AA74 (accessed Jan. 19, 2024).
    \65\ See CISA, Fall 2023 Unified Agenda, RIN 1670-AA04: 
Cybersecurity Incident Reporting for Critical Infrastructure Act 
Regulations, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=1670-AA04 (accessed Jan. 19, 2024).
---------------------------------------------------------------------------

Inviting Comments on Whether To Amend 33 CFR 160.202--Definitions

    The Coast Guard invites comments on whether we should amend the 
definition of hazardous condition in 33 CFR 160.202 to help address 
current and emerging cybersecurity threats to the MTS. The amendment 
would likely add ``cyber incident (as defined in Sec.  101.615 of this 
chapter),'' to other existing examples of hazardous conditions--such as 
collision, allision, fire, explosion, grounding, leaking, damage, and 
personnel injury. Although a hazardous condition as currently defined 
can already involve a cyber incident, this amendment would clearly link 
the definition of a hazardous condition to the concept of a cyber 
incident.
    Under 33 CFR 160.216, the owner, agent, master, operator, or person 
in charge of a vessel must immediately notify the Coast Guard of 
certain hazardous conditions. A hazardous condition either on board the 
vessel or caused by the vessel or its operation would be reported by 
the vessels listed in 33 CFR 160.203. Under the existing regulations, 
this reporting requirement already applies to U.S. commercial service 
vessels and all foreign vessels that are bound for or departing from 
ports or places within the navigable waters of the United States.
    If we amend the definition of hazardous condition in Sec.  160.202, 
we would consider a cyber incident report under part 160 satisfied by 
those subject to 33 CFR part 101, subpart F, who report the incident 
consistent with Sec.  101.620(b)(7). Given the variety of hazardous 
conditions, for response purposes, it is best that such conditions be 
reported to the nearest Coast Guard Sector Office or Group Office. The 
Coast Guard would ensure that such officials are advised of relevant 
cyber incidents reported by vessels subject to 33 CFR part 101, subpart 
F.

VI. Regulatory Analyses

    We developed this proposed rule after considering numerous statutes 
and Executive orders related to rulemaking. A summary of our analyses 
based on these statutes or Executive orders follows.

A. Regulatory Planning and Review

    Executive Order 12866 (Regulatory Planning and Review), as amended 
by Executive Order 14094 (Modernizing Regulatory Review), and Executive 
Order 13563 (Improving Regulation and Regulatory Review), direct 
agencies to assess the costs and benefits of available regulatory 
alternatives and, if regulation is necessary, to select regulatory 
approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). Executive Order 13563 emphasizes the importance of 
quantifying costs and benefits, reducing costs, harmonizing rules, and 
promoting flexibility.
    This proposed rule is a significant regulatory action under section 
3(f) of Executive Order 12866, as amended by Executive Order 14094, but 
it is not significant under section 3(f)(1) because its annual effects 
on the economy do not exceed $200 million in any year of the analysis. 
Accordingly, OMB has reviewed this proposed rule. A regulatory impact 
analysis (RIA) follows.
    In accordance with OMB Circular A-4 (available at 
www.whitehouse.gov/omb/circulars/), we have prepared an accounting 
statement showing the classification of impacts associated with this 
proposed rule.\66\
---------------------------------------------------------------------------

    \66\ The version of Circular A-4 issued November 9, 2023, is not 
effective until March 24, 2024. Therefore, this new version does not 
apply to this NPRM because this proposed rule was submitted to OIRA 
on November 13, 2023.
---------------------------------------------------------------------------

    Agency/Program Office: U.S. Coast Guard.
    Rule Title: Cybersecurity in the Marine Transportation System.
    RIN#: 1625-AC77.
    Date: July 2023 (millions, 2022 dollars).
BILLING CODE

[[Page 13416]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.000

    The Coast Guard proposes to update its maritime security 
regulations by adding minimum cybersecurity requirements to 33 CFR part 
101 for U.S.-flagged vessels subject to part 104, facilities subject to 
part 105, and OCS

[[Page 13417]]

facilities subject to part 106. Specifically, this proposed rule would 
require owners or operators of U.S.-flagged vessels, facilities, and 
OCS facilities to develop an effective Cybersecurity Plan, which 
includes actions to prepare for, prevent, and respond to threats and 
vulnerabilities. One of these actions is to assign qualified personnel 
to implement the Cybersecurity Plan and all activities within the Plan. 
The Cybersecurity Plan would include: designating a CySO; conducting a 
Cybersecurity Assessment; developing and submitting the Plan to the 
Coast Guard for approval; operating a U.S.-flagged vessel, facility, 
and OCS facility in accordance with the Plan; implementing security 
measures based on new cybersecurity vulnerabilities; and reporting 
cyber incidents to the NRC, as defined in this preamble.
    This proposed rule would further require owners and operators of 
U.S.-flagged vessels, U.S. facilities, and OCS facilities to perform 
cybersecurity drills and exercises in accordance with their VSP, FSP, 
and OCS FSP. Owners and operators of U.S.-flagged vessels, facilities, 
and OCS facilities would also be required to maintain records of 
cybersecurity related information in paper or electronic format.
    Lastly, this proposed rule would require certain cybersecurity 
measures to identify risks, detect threats and vulnerabilities, protect 
critical systems, and to recover from cyber incidents. These measures 
include account security measures, device security measures, data 
security measures, cybersecurity training for personnel, risk 
management, supply chain risk measures, penetration testing, resilience 
measures, network segmentation, and physical security.
Baseline Summary
    The Coast Guard is not codifying existing guidance in this NPRM. 
The requirements of this proposed rule and the costs and benefits we 
estimate in this RIA would be new. The Coast Guard drafted the 
requirements of this proposed rule based on NIST's Framework for 
Improving Critical Infrastructure Cybersecurity, NIST's standards and 
best practices, and CISA's CPGs.
    In February 2020, the Coast Guard issued NVIC 01-20, which provided 
clarity and guidance for MTSA-regulated facility and OCS facility 
owners and operators regarding existing requirements in the MTSA for 
computer systems and network vulnerabilities. However, the NVIC does 
not contain cybersecurity requirements for facility and OCS facility 
owners. Furthermore, the NVIC does not address the topic of 
cybersecurity for vessel owners and operators.
    The IMO has issued other guidance on Cybersecurity in the past 6 
years. In 2017, the IMO adopted resolution MSC.428(98) to the ISM Code 
on ``Maritime Cyber Risk Management in Safety Management Systems 
(SMS).'' Generally, this resolution states that an SMS should consider 
CRM and encourages Administrations to appropriately address cyber risks 
in an SMS by a certain date, in accordance with the ISM Code. In 2022, 
the IMO provided further guidance on maritime CRM in MSC-FAL.1/Circ.3-
Rev.2, Guidelines on Maritime Cyber Risk Management, in an effort to 
raise the awareness about cybersecurity risks.
    In addition, survey data indicates that some portions of the 
affected population of facility and OCS facility owners and operators 
are already implementing cybersecurity measures consistent with select 
provisions of the proposed rule, including 87 percent who have 
implemented account security measures, 83 percent who have implemented 
multifactor authentication, 25 percent who have implemented annual 
cybersecurity training, and 68 percent who conduct penetration 
tests.\67\ While we lack similar data on cybersecurity activities in 
the affected population of U.S.-flagged vessels, we acknowledge that it 
is likely that many owners and operators have implemented cybersecurity 
measures in response to private incentives and increasing cybersecurity 
risks over time. For the purposes of this analysis, however, we assume 
that owners and operators have no baseline cybersecurity activity, in 
the areas in which we lack data.
---------------------------------------------------------------------------

    \67\ In this analysis, the Coast Guard references a survey 
conducted by Jones Walker, a limited liability partnership (Jones 
Walker LLP). The title of the survey is ``Ports and Terminals 
Cybersecurity Survey,'' which they conducted in 2022. This survey 
helped the Coast Guard to gain an understanding of the cybersecurity 
measures that are currently in place at facilities and OCS 
facilities in the United States. We cite relevant data from the 
survey when calculating industry costs throughout the regulatory 
analysis. Readers can access the survey at https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html; accessed July 19, 2023.
---------------------------------------------------------------------------

Estimated Costs of the Proposed Rule
    We estimate the total discounted costs of this proposed rule to 
industry and the Federal Government to be approximately $562,740,969 
over a 10-year period of analysis, using a 7-percent discount rate. We 
estimate the annualized cost to be approximately $80,121,654, using a 
7-percent discount rate. See table 2.
BILLING CODE

[[Page 13418]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.001

    We present a summary of the impacts of this proposed rule in table 
3.
[GRAPHIC] [TIFF OMITTED] TP22FE24.002


[[Page 13419]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.003


[[Page 13420]]


Affected Population
    This proposed rule would affect owners and operators of U.S.-
flagged vessels subject to 33 CFR part 104 (Maritime Security: 
Vessels), facilities subject to 33 CFR part 105 (Maritime Security: 
Facilities), and OCS facilities subject to 33 CFR part 106 (Marine 
Security: Outer Continental Shelf (OCS) Facilities). The Coast Guard 
estimates this proposed rule would affect approximately 10,286 vessels 
and 3,411 facilities (including OCS facilities).
    The affected U.S.-flagged vessel population includes:
     U.S. towing vessels greater than 8 meters (26 feet) in 
registered length inspected under 46 CFR, subchapter M that are engaged 
in towing a barge or barges inspected under 46 CFR, subchapters D and 
O;
     U.S. tankships inspected under 46 CFR, subchapters D and 
O;
     U.S. barges inspected under 46 CFR, subchapters I 
(includes combination barges), D, and O, carrying certain dangerous 
cargo in bulk or barges and engaged on international voyages;
     Small U.S. passenger vessels carrying more than 12 
passengers, including at least 1 passenger-for-hire, that are engaged 
on international voyages;
     Small U.S. passenger vessels inspected under 46 CFR, 
subchapter K that are certificated to carry more than 150 passengers;
     Large U.S. passenger vessels inspected under 46 CFR, 
subchapter H;
     Offshore supply vessels (OSVs) inspected under 46 CFR, 
subchapter L;
     Self-propelled U.S. cargo vessels greater than 100 gross 
register tons inspected under 46 CFR, subchapter I, except for 
commercial fishing vessels inspected under 46 CFR part 105; and
     U.S. MODUs and cargo or passenger vessels subject to SOLAS 
(1974), Chapter XI-1 or Chapter XI-2.
    The affected facility population includes:
     Facilities subject to 33 CFR parts 126 (Handling of 
Dangerous Cargo at Waterfront Facilities) and 127 (Waterfront 
Facilities Handling Liquefied Natural Gas and Liquefied Hazardous Gas);
     Facilities that receive vessels certificated to carry more 
than 150 passengers, except vessels not carrying and not embarking or 
disembarking passengers at the facility;
     Facilities that receive vessels subject to SOLAS (1974), 
Chapter XI;
     Facilities that receive foreign cargo vessels greater than 
100 gross register tons;
     Facilities that receive U.S. cargo vessels, greater than 
100 gross register tons, inspected under 46 CFR, subchapter I, except 
facilities that receive only commercial fishing vessels inspected under 
46 CFR part 105; and
     Barge fleeting facilities that receive barges carrying, in 
bulk, cargoes regulated by 46 CFR subchapter I, inspected under 46 CFR, 
subchapters D or O, or certain dangerous cargoes.
    Table 4 presents the affected population of U.S.-flagged vessels, 
facilities, and OCS facilities of this proposed rule.\68\ For the 
vessel population, the Coast Guard assumes the same number of vessels 
that leave and enter service. Therefore, we assume the population to be 
constant over the 10-year period of analysis. We also make the same 
assumption for facilities and OCS facilities. Additionally, we assume 
that changes in the ownership of vessels and facilities would be very 
rare and any audits that would result from a change in ownership would 
be accounted for by the annual audit requirements. We request public 
comments on these assumptions, and generally, on the affected 
population.
---------------------------------------------------------------------------

    \68\ This data was retrieved from the Coast Guard's Marine 
Information for Safety and Law Enforcement (MISLE) database in 
September 2022.

---------------------------------------------------------------------------

[[Page 13421]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.004


[[Page 13422]]


Cost Analysis of the Proposed Rule
    This proposed rule would impose costs on the U.S. maritime industry 
for cybersecurity requirements that include:
     Developing a Cybersecurity Plan, which includes 
designating a CySO, in proposed 33 CFR 101.630;
     Performing drills and exercises in proposed 33 CFR 
101.635; and
     Ensuring and implementing cybersecurity measures in 
proposed 33 CFR 101.650, such as account security measures, device 
security measures, data security measures, cybersecurity training for 
personnel, training for reporting an incident, risk management, supply 
chain management, resilience, network segmentation, and physical 
security.
    We present the costs associated with some of the regulatory 
provisions in the following analysis; however, we are not able to 
estimate the costs fully for certain provisions because of the lack of 
data and the uncertainty associated with these provisions. Also, some 
regulatory provisions may be included in developing the Cybersecurity 
Plan and maintaining it on an annual basis; therefore, we may not have 
estimated a cost for these specific provisions in this analysis. We 
clarify this in the analysis where applicable and request public 
comment regarding these analyses.
    In addition, U.S. barges inspected under 46 CFR, subchapters D, O, 
or I (including combination barges), carrying certain dangerous cargo 
in bulk or barges engaged on international voyages, represent a special 
case in our analysis of cybersecurity-related costs. Unlike other 
vessels in the affected population of this NPRM, in most cases, barges 
do not have IT or OT systems onboard. Many types of barges rely on the 
IT and OT systems onboard their associated towing vessels or the 
facilities where they deliver their cargo. This also means that barges 
are typically unmanned, making the costs associated with provisions 
such as cybersecurity training difficult to estimate. While we 
acknowledge that there are some barges with IT or OT systems onboard, 
for the purposes of this analysis, we calculate costs only for the 
affected population of barges related to developing, resubmitting, 
maintaining, and auditing the Cybersecurity Plan, as well as developing 
cybersecurity-related drill and exercise components.
    We believe that the hour-burden estimates associated with the 
components of the Cybersecurity Plan should still be sufficient to 
capture the implementation of any cybersecurity measures identified as 
necessary by the owner or operator of a barge. In addition, we believe 
it should capture any burden associated with requests for waivers or 
equivalents for provisions that would not apply to a vessel or vessel 
company lacking significant IT or OT systems. The Coast Guard requests 
comment on our assumptions and cost estimates related to barges and 
their cybersecurity activities.
Cybersecurity Plan Costs
    Each owner and operator of a U.S.-flagged vessel, facility, or OCS 
facility would be required to develop and submit a Cybersecurity Plan 
to the Coast Guard. The CySO would develop, implement, and verify a 
Cybersecurity Plan for each U.S.-flagged vessel, facility, or OCS 
facility. The owner or operator would submit the Plan for approval to 
the cognizant COTP or the OCMI for a facility or OCS facility, or to 
the MSC for a U.S.-flagged vessel. The contents of the Cybersecurity 
Plan are detailed in proposed Sec.  101.630.
    Unless otherwise stated, we used information and obtained estimates 
in this RIA from subject matter experts (SMEs) in the Coast Guard's 
offices of Design and Engineering Standards (CG-ENG), Commercial Vessel 
Compliance (CG-CVC), and Port and Facility Compliance (CG-FAC). We also 
obtained information from the U.S. Coast Guard Cyber Command (CGCYBER) 
and the National Maritime Security Advisory Committee (NMSAC).
    The Coast Guard acknowledges that some owners and operators of 
medium-sized and larger facilities, OCS facilities, and U.S.-flagged 
vessels may have already adopted a cybersecurity posture and 
implemented measures to counter and prevent a cyber incident. We also 
acknowledge that owners and operators of smaller facilities, OCS 
facilities, and U.S.-flagged vessels may not have any cybersecurity 
measures in place. For the purpose of this analysis, we assume that all 
owners or operators of facilities, OCS facilities, and U.S.-flagged 
vessels would be required to comply with the full extent of the 
requirements of this proposed rule. However, we have survey data 
indicating that a portion of owners and operators of affected 
facilities and OCS facilities already have some cybersecurity measures 
in place.\69\ We present this survey data in the applicable sections of 
the cost analysis. For other regulatory provisions, we do not estimate 
regulatory costs for industry because the Coast Guard does not have 
data on the extent of cybersecurity measures currently in the industry 
for these provisions. The Coast Guard requests owners and operators of 
facilities, OCS facilities, and U.S.-flagged vessels who have some or 
most of the required cybersecurity processes and procedures in their 
current operations to provide comments on the outlining processes and 
procedures they have implemented.
---------------------------------------------------------------------------

    \69\ Readers can access the survey at https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html; accessed July 19, 2023.
---------------------------------------------------------------------------

    We list the regulatory provisions included in developing and 
maintaining a Cybersecurity Plan that we did not estimate costs for in 
other sections of this RIA:
     Device security measures in Sec.  101.650(b)(1) through 
(4);
     Supply chain management in Sec.  101.650(f)(1) through 
(3);
     Cybersecurity Assessment in Sec.  101.650(e)(1);
     Documentation of penetration testing results and 
identified vulnerabilities in Sec.  101.650(e)(2);
     Routine system maintenance measures in Sec.  
101.650(e)(3)(i) through (v); and
     Development and maintenance of a Cyber Incident Response 
Plan in Sec.  101.650(g)(2).
    Developing a Cybersecurity Plan has five cost components: the 
initial development of the Plan; annual maintenance of the Plan 
(including amendments); revision and resubmission of the Plan as 
needed; renewal of the Plan after 5 years; and the cost for annual 
audits. Owners and operators of U.S.-flagged vessels, facilities, and 
OCS facilities would be required to submit their Cybersecurity Plan to 
the Coast Guard during the second annual audit of the currently 
approved VSP, FSP, or OCS FSP following the effective date of this 
proposed rule; therefore, submitting a Cybersecurity Plan for approval 
would likely not occur until the second year of the 10-year period of 
analysis.
    The CySO would be responsible for all aspects of developing and 
maintaining the Cybersecurity Plan. The Coast Guard does not have data 
on whether owners and operators of facilities, OCS facilities, and 
vessels would hire a dedicated, salaried employee to serve as a CySO. 
Proposed Sec.  101.625 states that a CySO may perform other duties 
within an owner or operator's organization, and that a person may serve 
as a CySO for more than one U.S.-flagged vessel, facility, or OCS 
facility. For facilities and OCS facilities, this person may be the 
Facility Security Officer. For vessels, this person may be the Vessel 
Security Officer. When considering assigning the CySO role to the 
existing security officer, the owner or operator should consider the

[[Page 13423]]

depth and scope of these new responsibilities in addition to existing 
security duties. For the purpose of this analysis, we assume that an 
existing person in a facility, OCS facility, or U.S.-flagged vessel 
company or organization would assume the duties and responsibilities of 
a CySO, and that owners and operators would not have to hire an 
individual to fill this position. This means that any costs associated 
with obtaining security credentials (including a Transportation Worker 
Identification Card) would already be incurred prior to the 
implementation of this proposed rule. Additionally, in the event that 
the designated CySO has security responsibilities that overlap with an 
existing Vessel, Facility, or Company Security Officer, we assume that 
those individuals will work together to handle those duties.
    We use the Bureau of Labor Statistics' (BLS) ``National 
Occupational Employment and Wage Estimates'' for the United States for 
May 2022. A CySO would be comparable to the occupational category of 
``Information Security Analysts'' according to BLS's labor categories 
with an occupational code of 15-1212 and an unloaded mean hourly wage 
rate of $57.63.\70\ In order to obtain a loaded mean hourly wage rate, 
we use BLS's ``Employer Costs for Employee Compensation'' database to 
calculate the load factor, which we applied to the unloaded mean hourly 
wage rate using fourth quarter data from 2022.\71\ We determine the 
load factor for this occupational category to be about 1.46, rounded. 
We then multiply this load factor by the unloaded mean hourly wage rate 
of $57.63 to obtain a loaded mean hourly wage rate of about $84.14, 
rounded ($57.63 x 1.46).
---------------------------------------------------------------------------

    \70\ Readers can access BLS's website at https://www.bls.gov/oes/2022/may/oes151212.htm to obtain information about the wage we 
used in this analysis; accessed May 5, 2023.
    \71\ A loaded mean hourly wage rate is what a company pays per 
hour to employ a person, not the hourly wage an employee receives. 
The loaded mean hourly wage rate includes the cost of non-wage 
benefits (health insurance, vacation, etc.). We calculated the load 
factor by accessing BLS's website at https://www.bls.gov/ and 
selecting the topic ``Subjects'' from the menu on this web page. 
From the categories listed on this page, under the category titled 
``Pay and Benefits,'' we then selected the category of ``Employment 
Costs.'' The next page is titled ``Employment Cost Trends;'' in the 
left margin, we selected the category ``ECT Databases'' at https://www.bls.gov/ncs/ect/data.htm. At this page, we selected the database 
titled ``Employer Costs for Employee Compensation'' using the 
``Multi-Screen'' feature at https://data.bls.gov/cgi-bin/dsrv?cm. We 
then selected the category of ``Private Industry Workers'' at screen 
1. At screen 2, we first selected the category ``Total 
Compensation,'' then we continued to select ``Transportation and 
Materials Moving Occupations'' at screen 3, then ``All Workers'' at 
screens 4 and 5, and then for ``Area,'' we selected ``United 
States'' at screen 6. At screen 7, we selected the category 
``Employer Cost for Employee Compensation.'' At screen 8, we 
selected the category ``not seasonally adjusted.'' At screen 9, we 
selected the series ID, CMU2010000520000D. We used the ``Cost of 
Compensation'' for quarter 4 of 2022, or $33.07. We performed this 
process again to obtain the value for ``Wages and Salaries,'' which 
we selected on screen 2. On screen 9, we selected the series ID 
CMU2020000520000D and obtained a value of $22.64. We divided $33.07 
by $22.64 and obtained a load factor of 1.46, rounded; accessed May 
3, 2023.
---------------------------------------------------------------------------

Cybersecurity Plan Cost for Facilities and OCS Facilities
    This proposed rule would require owners and operators of facilities 
and OCS facilities to create a Cybersecurity Plan for each facility 
within a company. For the purpose of this analysis, the cost to develop 
a Cybersecurity Plan is a function of the number of facilities, not the 
number of owners and operators, because an owner or operator may own 
more than one facility. Based on data obtained from the Coast Guard's 
Marine Information for Safety and Law Enforcement (MISLE) database, we 
estimate this NPRM would affect about 3,411 facilities and OCS 
facilities (including MTSA-regulated facilities), and about 1,708 
owners and operators of these facilities. MISLE data contains 
incomplete information on owners and operators for 748 of the 3,411 
facilities and OCS facilities included in the affected population. Of 
the 2,663 facilities and OCS facilities with complete information for 
owners and operators, we found 1,334 unique owners. This means that, on 
average, each owner owns approximately 2 facilities (2,663 / 1,334 = 
2.0, rounded). We apply this rate of ownership to the remaining 
facilities and OCS facilities without complete ownership information to 
arrive at our total of 1,708 owners [1,334 + (748 / 2)].
    We use hour-burden estimates from Coast Guard SMEs and the 
currently approved OMB Information Collection Request (ICR), Control 
Number 1625-0077, titled, ``Security Plans for Ports, Vessels, 
Facilities, and Outer Continental Shelf Facilities and other Security-
Related Requirements.'' The hour-burden estimates are 100 hours for 
developing the Cybersecurity Plan (average hour burden), 10 hours for 
annual maintenance of the Cybersecurity Plan (which would include 
amendments), 15 hours to resubmit Cybersecurity Plans every 5 years, 
and 40 hours to conduct annual audits of Cybersecurity Plans.
    While the Cybersecurity Plan can be incorporated into an existing 
FSP for a facility or OCS facility, this does not mean that the 
Cybersecurity Plan is expected to be less complex to develop or 
maintain than an FSP. In general, the provisions outlined in this 
proposed rule are meant to reflect the depth and scope of the physical 
security provisions established by MTSA. As a result, we feel the hour-
burden estimates for developing and maintaining the FSP represents a 
fair proxy for what is expected with respect to a Cybersecurity Plan. 
Nevertheless, the Coast Guard requests comment on the accuracy of these 
hour-burden estimates as they relate to developing a Cybersecurity 
Plan.
    Based on estimates from the Coast Guard's FSP reviewers at local 
inspections offices, approximately 10 percent of Plans would need to be 
revised and resubmitted in the second year, which is consistent with 
the current resubmission rate for FSPs. Plans must be renewed after 5 
years (occurring in the seventh year of the analysis period), and we 
estimate that 10 percent of renewals would also require revision and 
resubmission. We estimate the time to revise and resubmit the 
Cybersecurity Plan to be about half the time to develop the Plan 
itself, or 50 hours in the second year of submission, and 7.5 hours 
after 5 years (in the seventh year of the analysis period).
    Because we include the annual Cybersecurity Assessment in the cost 
to develop Cybersecurity Plans, and we do not assume that owners and 
operators will wait until the second year of analysis to begin 
developing the Plan or implementing related cybersecurity measures, we 
divide the estimated 100 hours to develop Plans equally across the 
first and second years of analysis. We estimate the first- and second-
year (the first year of Plan submission) undiscounted cost to develop a 
Cybersecurity Plan for owners and operators of U.S. facilities and OCS 
facilities to be about $28,700,154 (3,411 Plans x 100 hours x $84.14). 
We estimate the second-year undiscounted cost for owners and operators 
to resubmit Plans for facilities or OCS facilities (or to send 
amendments) for corrections to be about $1,434,587 (341 Plans or 
amendments x 50 hours x $84.14). Therefore, we estimate the total 
undiscounted first- and second-year cost to facility and OCS facility 
owners and operators to develop, submit, and resubmit a Cybersecurity 
Plan to be approximately $30,134,741 ($28,700,154 + $1,434,587)).
    In years 3 through 6 and years 8 through 10 of the analysis period, 
owners and operators of U.S. facilities and OCS facilities would be 
required to maintain their Cybersecurity Plans. This may include 
recordkeeping and

[[Page 13424]]

documenting cybersecurity items at a facility or OCS facility, as well 
as amending the Plan. The CySO would be required to maintain each Plan 
for each facility or OCS facility. Maintaining the Plan does not occur 
in the second year (initial year of Plan submission) or in the renewal 
year, year 7 of the analysis period. We again obtain the hour-burden 
estimate for the annual maintenance of Plans from ICR 1625-0077, which 
is 10 hours.
    In the same years of the analysis period, this proposed rule would 
also require owners and operators of facilities and OCS facilities to 
conduct annual audits. The audits would be necessary for owners and 
operators of facilities and OCS facilities to identify vulnerabilities 
(via the Cybersecurity Assessment) and to mitigate them.\72\ Audits 
would also be necessary if there is a change in the ownership of a 
facility, but because the costs for audits are estimated annually, this 
should capture audits as a result of very rare changes in ownership 
each year as well. The CySO would be responsible for ensuring the audit 
of a Cybersecurity Plan. Based on input provided by Coast Guard SMEs 
who review Plans at the Coast Guard, we estimate the time to conduct an 
audit to be about 40 hours for each Plan. We estimate the undiscounted 
cost for the annual maintenance of Cybersecurity Plans for facility and 
OCS facility owners and operators to be approximately $2,870,015 (3,411 
facility Plans x 10 hours x $84.14). We estimate the undiscounted cost 
for annual audits of Cybersecurity Plans to be approximately 
$11,480,062 (3,411 facility Plans x 40 hours x $84.14). We estimate the 
total undiscounted annual cost each year in years 3 through 6 and 8 
through 10 for Cybersecurity Plans to be approximately $14,350,077 
($2,870,015 + $11,480,062).
---------------------------------------------------------------------------

    \72\ The Jones Walker survey (see footnote 69) reports about 72 
percent of ports and terminals conduct a risk assessment at least 
once a year. We did not estimate a separate cost for this item 
because the Coast Guard believes that a risk assessment can be a 
part of an annual audit. Readers can access the survey at https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html; accessed July 19, 2023.
---------------------------------------------------------------------------

    Because a Cybersecurity Plan approved by the Coast Guard is valid 
for 5 years, in year 7 of the analysis period, owners and operators of 
facilities and OCS facilities would be required to renew the approval 
of their Plans with the Coast Guard. We use the hour-burden estimate in 
ICR 1625-0077for renewing the Plan, which is 15 hours. The hour-burden 
estimate for revision and resubmission of renewals is half of the 
original hour-burden for renewals, or 7.5 hours. The CySO would be 
responsible for resubmitting the Cybersecurity Plan to the Coast Guard 
for renewal, including additional resubmissions because of corrections. 
We estimate the undiscounted cost for renewing and resubmitting a 
Cybersecurity Plan due to corrections to be approximately $4,520,211 
[(3,411 facility Plans x 15 hours x $84.14) + (341 resubmitted facility 
Plans x 7.5 hours x $84.14)].
    We estimate the total discounted cost of this proposed rule for 
developing Cybersecurity Plans for facility and OCS facility owners and 
operators to be approximately $95,920,412 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $13,656,909, using a 7-percent discount rate. 
See table 5.

[[Page 13425]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.005


[[Page 13426]]


Cybersecurity Plan Cost for U.S.-Flagged Vessels
    The methodology for owners and operators of U.S.-flagged vessels to 
develop a Cybersecurity Plan is the same as for U.S. facilities and OCS 
facilities. We estimate the affected vessel population to be about 
10,286. We estimate the number of owners and operators of these vessels 
to be about 1,775.
    We use estimates provided by Coast Guard SMEs and ICR 1625-0077 for 
the hour-burden estimates for vessels as we did for facilities and OCS 
facilities. The hour-burden estimates are 80 hours for developing the 
Cybersecurity Plan, 8 hours for annual Plan maintenance, 12 hours to 
renew the Plan every 5 years, and 40 hours to conduct annual audits of 
Plans for vessels. Similar to facilities, 10 percent of all 
Cybersecurity Plans for vessels would need to be resubmitted for 
corrections in the second year (initial year of Plan submission), and 
10 percent of Cybersecurity Plans for vessels would need to be revised 
and resubmitted in the seventh year of the analysis period. Based on 
information from Coast Guard SMEs, we estimate the time to make 
corrections to the Plan in the second year would be about half of the 
initial time to develop the Plan, or 40 hours in the second year, and 6 
hours in the seventh year. We include the annual Cybersecurity 
Assessment in the cost to develop Plans, and we do not assume that 
owners and operators will wait until the second year of analysis to 
begin developing the Cybersecurity Plan or implementing related 
cybersecurity measures. Therefore, we divide the estimated 80 hours to 
develop Plans equally across the first and second years of analysis.
    The methodology to determine the cost to develop a Cybersecurity 
Plan for U.S.-flagged vessels is slightly different than the 
methodology for facilities and OCS facilities. The Coast Guard does not 
believe that a CySO for U.S.-flagged vessels would expend 80 hours 
developing a Plan for each vessel in a company's fleet. For example, if 
a vessel owner or operator has 10 vessels, it would take a CySO 800 
hours of time to develop Plans for all 10 vessels, which is nearly 40 
percent of the total hours of work in a calendar year. It is more 
likely that the CySO would create a master Cybersecurity Plan for all 
the vessels in the fleet, and then tailor each Plan according to a 
specific vessel, as necessary.
    Because a large portion of the provisions required under this 
proposed rule would impact company-wide policies regarding network, 
account, and data security practices, as well as company-wide 
cybersecurity training, reporting procedures, and testing, we do not 
believe there will be much variation in how these provisions are 
implemented between specific vessels owned by the same owner or 
operator. Therefore, the cost to develop a Cybersecurity Plan for 
vessels becomes a function of the number of vessel owners and operators 
and not a function of the number of vessels.
    When a vessel owner or operator submits a Plan to the Coast Guard 
for approval, the owner or operator would send the master Cybersecurity 
Plan, which might include a more tailored or abbreviated Plan for each 
vessel. For example, the owner or operator of 10 vessels would send the 
master Cybersecurity Plan along with the tailored Plans for each vessel 
in one submission to the Coast Guard for approval, instead of 10 
separate documents. The Coast Guard requests comments on these 
assumptions related to master and tailored vessel Cybersecurity Plans.
    We estimate the first- and second-year (initial year of Plan 
submission) undiscounted cost for owners and operators of U.S.-flagged 
vessels to develop a Cybersecurity Plan to be approximately $11,947,880 
(1,775 Plans x 80 hours x $84.14) split over the first two years of 
analysis. We estimate the second-year undiscounted cost for owners and 
operators to resubmit vessel Plans (or send amendments) for corrections 
to be approximately $599,077 (178 Plans or amendments x 40 hours x 
$84.14). Therefore, we estimate the total undiscounted first- and 
second-year cost to the owners and operators of U.S.-flagged vessels to 
develop a Cybersecurity Plan to be approximately $12,546,957 
($11,947,880 + $599,077).
    As with facilities and OCS facilities, in years 3 through 6 and 
years 8 through 10 of the analysis period, CySOs, on behalf of owners 
and operators of U.S.-flagged vessels, would be required to maintain 
their Cybersecurity Plans. We again obtain the hour-burden estimate for 
annual maintenance of Plans from ICR 1625-0077, which is 8 hours. In 
the same years of the analysis period, this proposed rule would also 
require owners and operators of U.S.-flagged vessels to conduct annual 
audits. The audits would be necessary for owners and operators of U.S.-
flagged vessels to identify vulnerabilities through the Cybersecurity 
Assessment and to mitigate them. Audits would also be necessary if 
there is a change in the ownership of a vessel. The CySO would likely 
conduct an audit of the master Cybersecurity Plan, which would include 
each vessel, instead of conducting a separate audit for each individual 
vessel.
    The time estimate for a CySO to conduct an audit for U.S.-flagged 
vessels in a fleet is the same as it is for facilities and OCS 
facilities, or 40 hours per Plan. We estimate the undiscounted cost for 
the annual maintenance of Cybersecurity Plans for the owners and 
operators of U.S.-flagged vessels to be about $1,194,788 (1,775 Plans x 
8 hours x $84.14). We estimate the undiscounted cost for annual audits 
of Cybersecurity Plans to be approximately $5,973,940 (1,775 Plans x 40 
hours x $84.14). We estimate the total undiscounted annual cost each 
year in years 3 through 6 and 8 through 10 for Cybersecurity Plans to 
be approximately $7,168,728 ($1,194,788 + $5,973,940).
    Again, as with facilities and OCS facilities, Coast Guard approval 
for the Cybersecurity Plan is valid for 5 years. Therefore, in year 7 
of the analysis period, owners and operators of U.S.-flagged vessels 
would be required to renew their Plans with the Coast Guard. We use the 
hour-burden estimate in ICR 1625-0077 for Plan renewal, which is 12 
hours. The CySO would be responsible for resubmitting the Cybersecurity 
Plan to the Coast Guard for renewal. We estimate the undiscounted cost 
for owners and operators of U.S.-flagged vessels to renew the Plan to 
be approximately $1,882,044 [(1,775 Plans x 12 hours x $84.14) + (178 
resubmitted vessel Plans x 6 hours x $84.14)].
    We estimate the total discounted cost of this proposed rule for 
owners and operators of U.S.-flagged vessels to develop Cybersecurity 
Plans to be approximately $45,420,922 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $6,466,917, using a 7-percent discount rate. 
See table 6.

[[Page 13427]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.006


[[Page 13428]]


Drills
    In proposed Sec.  101.635(b), this NPRM would require drills that 
test the proficiency of U.S.-flagged vessel, facility, and OCS facility 
personnel who have assigned cybersecurity duties. The drills would 
enable the CySO to identify any cybersecurity deficiencies that need to 
be addressed. The CySO would need to conduct the drills every 3 months 
or quarterly, (which is consistent with the MTSA regulations for drills 
for vessels, facilities, and OCS facilities in 33 CFR parts 104, 105 
and 106, respectively), and they may be held in conjunction with other 
security or non-security-related drills, as appropriate. The drills 
would test individual elements of the Plan, including responses to 
cybersecurity threats and incidents.
    The Coast Guard does not have data on who is currently conducting 
cybersecurity drills in either the population of facilities and OCS 
facilities or the population of U.S.-flagged vessels. Therefore, we 
assume that the entire population of facilities and U.S.-flagged 
vessels would need to develop new cybersecurity related drills to 
comply with the proposed requirements. However, because the affected 
populations are already required to conduct drills in accordance with 
33 CFR parts 104, 105, and 106, and the proposed rule allows for owners 
and operators to hold cybersecurity drills in conjunction with other 
security and non-security related drills, we assume that owners and 
operators will hold these new drills in conjunction with existing 
drills and will not require additional time from participants. This 
means that the only new cost associated with the proposed cybersecurity 
drills is the development of cybersecurity components to add to 
existing drills. Coast Guard SMEs who are familiar with MTSA's 
requirements and practices for drills and exercises estimate that it 
would take a CySO 0.5 hours (30 minutes) to develop new cybersecurity 
components to add to existing drills. This time estimate is based on 
the expected ease with which a CySO can access widely available 
resources and planning materials for developing cybersecurity drills 
online. The Coast Guard requests the public to comment on the accuracy 
of our estimates related to the development of cybersecurity drill 
components.
    The CySO would be the person who develops cybersecurity components 
to add to existing drills. Each CySO, on behalf of the owner or 
operator of a facility or OCS facility, would be required to develop 
the drill's components beginning in the first year of the analysis 
period and document procedures in the Cybersecurity Plan.
    Using the number of facilities owners and operators we presented 
earlier--or 1,708--the CySO's loaded mean hourly wage rate, the 
estimated time to develop the drill's components or 0.5 hours (30 
minutes), and the frequency of the drill, or every 3 months, we 
estimate the cost for facilities to develop cybersecurity components 
for drills. We estimate the undiscounted annual cost of drills for 
facility and OCS facility owners and operators to be approximately 
$287,422 (1,708 facility CySOs x 4 drills per year x 0.5 hours per 
drill x $84.14. We estimate the total discounted cost of drills for 
owners and operators of facilities and OCS facilities to be 
approximately $2,018,733 over a 10-year period of analysis, using a 7-
percent discount rate. We estimate the annualized cost to be 
approximately $287,422, using a 7-percent discount rate. See table 7.
[GRAPHIC] [TIFF OMITTED] TP22FE24.007

    We use the same methodology and estimates for U.S.-flagged vessel 
drills. As we presented previously, there are about 1,775 CySOs, on 
behalf of owners and operators of U.S.-flagged vessels, who would be 
required to develop drills with this proposed rule. We estimate the 
undiscounted annual cost of drills for the owners and operators of 
U.S.-flagged vessels to be approximately $298,697 (1,775 vessel CySOs x 
4 drills per year x 0.5 hours per drill x $84.14). We

[[Page 13429]]

estimate the total discounted cost of drills for U.S.-flagged vessels 
to be approximately $2,097,922 over a 10-year period of analysis, using 
a 7-percent discount rate. We estimate the annualized cost to be 
approximately $298,697, using a 7-percent discount rate. See table 8.
[GRAPHIC] [TIFF OMITTED] TP22FE24.008

    We estimate the total discounted cost of this proposed rule for 
drills for the owners and operators of facilities, OCS facilities, and 
U.S.-flagged vessels to be approximately $4,116,655 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $586,119, using a 7-percent 
discount rate. See table 9.

[[Page 13430]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.009

Exercises
    In proposed Sec.  101.635(c), this NPRM would require exercises 
that test the communication and notification procedures of U.S.-flagged 
vessels, facilities, and OCS facilities. These exercises may be vessel- 
or facility-specific, or part of a cooperative exercise program or 
comprehensive port exercises. The exercises would be a full test of the 
cybersecurity program with active participation by the CySO and may 
include Government authorities and vessels visiting a facility. The 
exercises would have to be conducted at least once each calendar year, 
with no more than 18 months between exercises. As with drills, we 
assume that exercises will begin in the first year of the analysis 
period as CySOs develop Cybersecurity Plans. We also assume that the 
exercises developed to satisfy Sec.  101.635(c) would also satisfy the 
exercise requirements outlined in Sec.  101.650 (g)(2) and (3), which 
requires the exercise of the Cybersecurity Plan and Cyber Incident 
Response Plan.
    The Coast Guard does not have data on who is currently conducting 
cybersecurity exercises in either the population of facilities and OCS 
facilities or the population of U.S.-flagged vessels. Therefore, we 
assume that the entire populations would need to develop new 
cybersecurity-related exercises to comply with the proposed 
requirements. However, because the affected populations are already 
required to conduct exercises in accordance with 33 CFR parts 104, 105, 
and 106, and because this proposed rule allows for owners and operators 
to hold cybersecurity exercises in conjunction with other exercises, we 
assume that owners and operators will hold these new exercises in 
conjunction with existing exercises. This will not require any 
additional time from participants, which means that the only new cost 
associated with the proposed cybersecurity exercises is the development 
of cybersecurity components to add to existing exercises.
    Coast Guard SMEs familiar with MTSA's requirements and practices 
for drills and exercises estimate that it would take a CySO 8 hours to 
develop new cybersecurity components to add to existing exercises. This 
time estimate is based on the expected ease with which a CySO can 
access widely available resources and planning materials for developing 
cybersecurity exercises online \73\ and the proliferation of 
cybersecurity components already being added to AMSC exercises around 
the United States.\74\ The Coast Guard requests comment on the accuracy 
of our estimates related to the development of cybersecurity exercise 
components.
---------------------------------------------------------------------------

    \73\ For example, CISA offers free resources on cybersecurity 
scenarios and cybersecurity exercises on their website. See https://www.cisa.gov/cybersecurity-training-exercises, accessed July 19, 
2023.
    \74\ See https://digitaleditions.walsworthprintgroup.com/publication/?i=459304&article_id=2956672&view=articleBrowser for 
just one example of AMSC cyber exercises in recent years; accessed 
July 19, 2023.
---------------------------------------------------------------------------

    We assume each CySO, on behalf of the owner and operator of a 
facility or OCS facility, would develop the exercises specified in the 
proposed rule. Using the 1,708 facility owners and operators we 
presented earlier, the CySO's loaded mean hourly wage rate, the 8-hour 
estimate for developing the exercise components, and one annual 
exercise, we estimate the cost for facilities to develop cybersecurity 
exercise components. We estimate the undiscounted annual cost of 
exercises for owners and operators of facilities and OCS facilities to 
be approximately $1,149,689 (1,708 facility CySOs x 8 hours per 
exercise x $84.14). We estimate the total discounted cost of exercises 
for facility owners and operators to be about $8,074,935 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $1,149,689, using a 7-percent 
discount rate. See table 10.

[[Page 13431]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.010

    We use the same methodology and estimates for vessel exercises that 
we use for facilities. About 1,775 CySOs, on behalf of vessel owners 
and operators, would be required to conduct exercises with this 
proposed rule. We estimate the undiscounted annual cost of exercises 
for the owners and operators of U.S.-flagged vessels to be 
approximately $1,194,788 (1,775 vessel CySOs x 8 hours per exercise x 
$84.14). We estimate the total discounted cost of exercises for U.S.-
flagged vessels to be approximately $8,391,691 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $1,194,788, using a 7-percent discount rate. 
See table 11.
[GRAPHIC] [TIFF OMITTED] TP22FE24.011


[[Page 13432]]


    We estimate the total discounted cost of this proposed rule for the 
owners and operators of U.S. facilities, OCS facilities, and U.S.-
flagged vessels for exercises to be approximately $16,466,625 over a 
10-year period of analysis, using a 7-percent discount rate. We 
estimate the annualized cost to be approximately $2,344,477, using a 7-
percent discount rate. See table 12.
[GRAPHIC] [TIFF OMITTED] TP22FE24.073

    We estimate the total discounted cost of this proposed rule for the 
owners and operators of facilities, OCS facilities, and U.S.-flagged 
vessels, to conduct annual drills and exercises to be approximately 
$20,583,281 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$2,930,596, using a 7-percent discount rate. See table 13.
[GRAPHIC] [TIFF OMITTED] TP22FE24.012

Cybersecurity Measure Costs
    The remaining regulatory provisions with associated costs are the 
cybersecurity measures in proposed Sec.  101.650. There are five cost 
provisions associated with cybersecurity measures: account security 
measures; cybersecurity training for personnel; penetration testing; 
resilience; and risk management.
    The first provision is account security measures in proposed Sec.  
101.650(a). The owners and operators of each U.S.-flagged vessel, 
facility, and OCS facility would ensure that account security measures 
are implemented and documented. This includes general account security 
measures in proposed Sec.  101.650(a)(1) through (3) and (5) through 
(7) and multifactor authentication for end users in proposed Sec.  
101.650(a)(4). Based on the Jones Walker ``Ports and Terminals 
Cybersecurity Survey,'' (see footnote 69), 87 percent of facilities 
currently have account security measures, and 83 percent of facilities 
currently use multifactor authentication software. Using the total 
number of 1,708 facility and OCS facility owners and operators, we 
multiply this number by 0.13 and 0.17, respectively, to obtain the 
number

[[Page 13433]]

of facility owners and operators who would need to implement security 
measures and have multifactor authentication software under this 
proposed rule, or about 222 and 290, respectively. The Coast Guard 
acknowledges that the survey data used here may lead us to 
underestimate the costs incurred by the population of facilities and 
OCS facilities, given the high rate of respondents who indicated that 
they have these measures in place. Accordingly, we request comments on 
the accuracy of these rates of implementation in the population of 
facilities and OCS facilities.
    We obtain the hour estimates and the labor category for these 
security measures for implementing and managing account security from 
NMSAC members with extensive experience in contracting to implement 
similar account security measures for facilities and OCS facilities in 
the affected population. A Database Administrator would ensure that 
account security measures are implemented. Using wage data from BLS's 
Occupational Employment and Wage Statistics (OEWS) program as 
previously referenced, the unloaded mean hourly wage rate for this 
labor category, occupational code of 15-1242, is $49.29.\75\ Using 
Employer Costs for Employee Compensation data from BLS, we apply the 
same load factor of 1.46 to the aforementioned wage rate to obtain a 
loaded mean hourly wage rate of approximately $71.96.
---------------------------------------------------------------------------

    \75\ See https://www.bls.gov/oes/2022/may/oes151242.htm, 
accessed July 12, 2023.
---------------------------------------------------------------------------

    It would take a Database Administrator about 8 hours to implement 
the account security measures and 8 hours for account security 
management annually thereafter for 222 U.S. facility and OCS facility 
companies. We estimate the undiscounted initial-year cost to implement 
account security for 222 facilities and OCS facilities and the annually 
recurring cost of account security management to be approximately 
$127,801, rounded [(222 facilities x ($71.96 x 8 hours)].
    The number of facility and OCS facility companies that would need 
multifactor authentication security is about 290. Based on estimates 
from CG-FAC SMEs with experience implementing multifactor 
authentication at other Government agencies, implementation of 
multifactor authentication would cost each facility anywhere from 
$3,000 to $15,000 in the initial year for setup and configuration. For 
the purposes of this analysis, we use the average of approximately 
$9,000 for the costs of initial setup and configuration. It would also 
cost each facility approximately $150 per end user for annual 
maintenance and support of the implemented multifactor authentication 
system. These costs represent the average costs for implementing and 
maintaining a multifactor authentication system across different 
organization and company sizes based on the SMEs' experience.
    We use the total number of estimated employees at an affected 
facility company in our analysis of costs because the Coast Guard 
currently lacks data on (1) which systems in use at a facility or OCS 
facility would need multifactor authentication, and (2) whether only a 
subset of the total employees would require access. This is largely 
because owners and operators have the discretion to designate both 
critical IT and OT systems as well as the number of employees needing 
access. Therefore, for the purpose of this analysis, we assume all 
employees would need multifactor authentication access. The Coast Guard 
requests comment on the accuracy of our cost estimates for implementing 
and maintaining multifactor authentication, and if only select systems 
or certain employees would require multifactor authentication access in 
most cases.
    We obtain the average number of facility employees from a Coast 
Guard contract that uses D&B Hoovers' database for company employee 
data (available in the docket for this rulemaking, see the Public 
Participation and Request for Comments section of this preamble.) The 
average number of employees at a facility company is 74. We estimate 
the undiscounted initial-year cost to implement multifactor 
authentication for 290 facility and OCS facility companies to be 
approximately $2,610,000 (290 facilities x $9,000). We estimate the 
undiscounted initial-year and annual cost for multifactor 
authentication support and maintenance at facilities and OCS facilities 
to be approximately $3,219,000 (290 facility companies x 74 employees x 
$150).
    We estimate the total undiscounted initial-year cost to implement 
account security measures for facilities and OCS facilities to be 
approximately $5,956,801 ($127,801 cost to implement account security 
measures + $2,610,000 cost to set up and configure multifactor 
authentication + $3,219,000 cost for multifactor authentication 
support). We estimate the undiscounted annual cost in years 2 through 
10 to be approximately $3,346,801 ($127,801 cost to manage account 
security + $3,219,000 cost to maintain and provide multifactor 
authentication support).
    We estimate the total discounted cost to implement account security 
measures for (1) 222 facilities and OCS facilities that would need to 
implement general account security measures and (2) 290 facilities and 
OCS facilities that would need to implement multifactor authentication 
to be approximately $25,945,783 over a 10-year period of analysis, 
using a 7-percent discount rate. We estimate the annualized cost to be 
approximately $3,694,096, using a 7-percent discount rate. See table 
14.

[[Page 13434]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.013

    Owners and operators of U.S.-flagged vessels would need to 
implement the same account security measures as facilities. The 
population of vessels affected, where applicable, would be about 5,473, 
rather than 10,286, because we subtract the barge population of 4,813 
from 10,286, the total number of affected vessels. Because barges are 
unmanned, we assume they do not have computer systems onboard and, 
therefore, may not require account security measure implementation.
    The number of affected vessel owners and operators would be about 
1,602, excluding 173 barge owners and operators that do not own or 
operate other affected vessels. Based on the NMSAC estimates detailed 
above, it would take a Database Administrator about 8 hours to 
implement the account security measures and 8 hours to manage account 
security annually thereafter on behalf of each owner and operator of a 
vessel. We estimate the undiscounted initial-year cost to implement and 
annually recurring cost to manage account security measures for owners 
and operators of U.S.-flagged vessels, excluding barge owners and 
operators, to be approximately $922,239 [(1,602 vessel owners and 
operators x (8 hours x $71.96)].
    The number of owners and operators who would require multifactor 
authentication security is about 1,602, for approximately 5,473 
vessels. Based on Coast Guard information, multifactor authentication 
systems would be implemented at the company level because networks and 
account security policies would be managed at the company level, and 
not for each individual vessel. Any security updates or multifactor 
authentication programs implemented at the company level could be 
pushed out to devices located on board vessels owned or operated by the 
company. We use the same cost estimate from CG-FAC that we use for 
facilities. It would cost the owner or operator of a vessel 
approximately $9,000 to implement multifactor authentication in the 
first year and about $150 annually for multifactor authentication 
support and maintenance per end user. To determine the number of 
employees for each vessel company, we use data from the certificate of 
inspection manning requirements in MISLE for each vessel 
subpopulation.\76\ We assume 2 crews and multiply the total number of 
seafaring crew by 1.33 to account for shoreside staff in order to 
obtain an estimate of total company employees per vessel.\77\ We 
estimate the total undiscounted initial-year cost to implement 
multifactor authentication for 1,602 vessel owners and operators to be 
approximately $14,418,000 (1,602 vessel owners and operators x $9,000).
---------------------------------------------------------------------------

    \76\ Manning requirements for U.S.-flagged vessels were 
established by regulation in 46 CFR part 15.
    \77\ To estimate the average number of mariners and shoreside 
employees for each company, Coast Guard conducted an internet search 
for publicly available employment data for the owners and operators 
of MTSA-regulated vessels. In total, Coast Guard was able to 
identify eight MTSA-regulated vessel owners and operators that 
publicly provided their shoreside and seafarer employment numbers. 
Using this data, we calculated the percentage of total employees 
working shoreside for each vessel. We then took an average of these 
percentages and applied that average to the population of MTSA 
vessel owners and operators. The percentage of shoreside employees 
ranged from 8 to 87 percent, with an average of 33 percent, which we 
used for each subpopulation of vessels.
---------------------------------------------------------------------------

    To calculate the annual cost per end user, we multiply the number 
of vessels for a given vessel type by the average number of employees 
per vessel and the $150 annual cost of support and maintenance. For 
example, there are about 426 OSVs in the affected population, with an 
average number of 16 employees for each OSV. Therefore, the 
undiscounted annual cost of support and maintenance for OSV owners and 
operators would be approximately $1,022,400 (16 employees per each OSV 
(including shoreside) x $150 x 426 OSVs). We perform this calculation 
for each vessel type in the affected population and add the costs 
together to obtain the total initial-year cost and annual cost 
thereafter. We estimate the total undiscounted annual cost for 
multifactor authentication maintenance

[[Page 13435]]

and support on vessels to be about $18,938,100 (number of employees for 
each vessel type x $150 x number of vessels for each vessel type). See 
table 15. We add these costs to the previously calculated 
implementation costs to obtain the initial-year costs associated with 
multifactor authentication of $33,356,100 ($14,418,000 implementation 
costs + $18,938,100 annual support and maintenance costs) as seen in 
column 3 of table 15.
[GRAPHIC] [TIFF OMITTED] TP22FE24.014

    We estimate the total undiscounted initial-year cost to implement 
account security measures in proposed Sec.  101.650(a)(1) through (3), 
and (5) through (7) and multifactor authentication for end users in 
proposed Sec.  101.650(a)(4) for 1,602 U.S.-flagged vessels to be 
approximately $34,278,339 ($922,239 cost to implement account security 
+ $33,356,100 cost to implement and provide multifactor support costs). 
We estimate the total undiscounted annual cost in years 2 through 10 to 
be approximately $19,860,339 ($922,239 cost to manage account security 
+ $18,938,100 cost to maintain and provide multifactor authentication).
    We estimate the total discounted cost to implement all the account 
security measures in proposed Sec.  101.650(a)(1) through (3), and (5) 
through (7) and multifactor authentication for end users in proposed 
Sec.  101.650(a)(4) for 1,602 U.S.-flagged vessels to be approximately 
$152,965,477 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$21,778,843 using a 7-percent discount rate. See table 16.

[[Page 13436]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.015

    We estimate the total discounted cost to implement account security 
measures for owners and operators of U.S.-flagged vessels, facilities, 
and OCS facilities, including multifactor authentication, to be 
approximately $178,911,259 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be 
approximately $25,472,938, using a 7-percent discount rate. See table 
17.
[GRAPHIC] [TIFF OMITTED] TP22FE24.016


[[Page 13437]]


Cybersecurity Training Cost
    The second cost provision under cybersecurity measures, in proposed 
Sec.  101.650(d), would be training. All persons with access to IT and 
OT would need annual training in topics such as the relevant aspects of 
the owner or operator's specific cybersecurity technology and concerns, 
recognition of threats and incidents, and incident reporting 
procedures. Given the importance of having a workforce trained on 
onsite cybersecurity systems as soon as possible to detect and mitigate 
cyber incidents, cybersecurity training would be verified during annual 
inspections following the implementation of this proposed rule. This 
means we assume there will be costs related to training in the first 
year of analysis. The Coast Guard requests comment on the ability of 
affected owners and operators to develop and provide relevant 
cybersecurity training within the first year of implementation.
    Based on information from the Jones Walker ``Ports and Terminals 
Cybersecurity Survey,'' (see footnote 69), about 25 percent of 
facilities are currently conducting cybersecurity training on an annual 
basis.\78\ Therefore, we estimate the number of facility and OCS 
facility owners and operators needing to implement training to be about 
1,281 (1,708 owners and operators x 0.75).
---------------------------------------------------------------------------

    \78\ See footnote 69 and page 48 of the survey in the docket.
---------------------------------------------------------------------------

    Based on information from CISA's SMEs, we assume that the CySO at a 
facility or OCS facility would spend 2 hours per year to develop, 
update, and provide cybersecurity training. SMEs at CISA also estimate 
that it would take 1 hour per facility employee to complete the 
training annually, based on existing industry-leading cyber awareness 
training programs. This proposed rule would also require part-time 
employees and contractors to complete the training. However, the Coast 
Guard has data only on the number of full-time employees at facilities 
and OCS facilities, so we use this estimate with the acknowledgement 
that costs may be higher for facilities than we estimate in this 
analysis if we take other employees into account, such as part-time 
employees and contractors. As before, we use the estimate of the 
average number of employees at facilities and OCS facilities, or 74.
    To obtain the unloaded mean hourly wage rate of employees at 
facilities and OCS facilities, we use BLS's Quarterly Census of 
Employment and Wages (QCEW) data. We also use the North American 
Industry Classification System (NAICS) code for ``Port and Harbor 
Operations,'' which is 488310, to obtain the representative hourly wage 
for employees at facilities and OCS facilities. The BLS reports the 
weekly wage to be $1,653.\79\ Dividing this value by the standard 
number of hours in a work week, or 40, we obtain the unloaded hourly 
wage rate of approximately $41.33. We once again apply a load factor of 
1.46 to this wage to obtain a loaded mean hourly wage rate for facility 
employees of approximately $60.34 (($1,653 / 40 hours) x 1.46)).
---------------------------------------------------------------------------

    \79\ Readers can access this web page at www.bls.gov/cew/. In 
the menu at the top of the page, readers should use the dropdown 
menu under ``QCEW Data,'' and select ``Databases.'' Doing this will 
bring the reader to https://www.bls.gov/cew/data.htm. On this page, 
select the multi-screen tool (https://data.bls.gov/cgi-bin/dsrv?en). 
On screen 1, select ``488310 NAICS 488310 Port and harbor 
operations.'' On screen 2, select ``US000 U.S. TOTAL.'' Select ``5 
Private,'' ``4 Average Weekly Wage,'' and ``0 All establishment 
sizes'' on screens 3, 4, and 5, respectively. Screen 6 shows the 
relevant Series ID (ENUUS000405488310). Select ``Retrieve Data.'' 
Please consider that 2022 data from QCEW are preliminary and may 
change from the estimate in the text. For the purposes of this 
analysis, we used Q1 2022 QCEW data. Accessed on July 13, 2023.
---------------------------------------------------------------------------

    We estimate the undiscounted initial-year and annual cost for 
facility and OCS facility owners and operators to train employees on 
aspects of cybersecurity to be approximately $5,935,437, rounded [1,281 
facility owners and operators x ((74 employees at each facility company 
x $60.34 x 1 hour) + (1 CySO developing training x $84.14 x 2 hours))].
    We estimate the discounted cost for facility and OCS facility 
owners and operators to complete annual training to be approximately 
$41,688,025 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$5,935,437, using a 7-percent discount rate. See table 18.
[GRAPHIC] [TIFF OMITTED] TP22FE24.017


[[Page 13438]]


    Employees on board U.S.-flagged vessels would also be required to 
complete annual cybersecurity training. The hour estimates for the CySO 
to develop cybersecurity training and employees to complete the 
training are the same as for facility estimates, 2 hours and 1 hour, 
respectively. The training costs for U.S.-flagged vessels are based 
upon the number of employees for each vessel type, similar to the cost 
analysis for account security measures. We chose several representative 
labor categories of vessel employees based on the manning requirements 
listed in the certificates of inspection for each vessel. From the BLS 
OEWS program, we use the labor categories, ``Captains, Mates, and 
Pilots of Water Vessels,'' with an occupational code of 53-5021, 
``Sailors and Marine Oilers,'' with an occupational code of 53-5011, 
and ``Ship Engineers,'' with an occupational code of 53-5031.\80\ The 
unloaded mean hourly wage rates from May 2022 for these occupations are 
$50.09, $25.65, and $48.55, respectively. We also use an assortment of 
labor categories to estimate a mean hourly wage for the industrial 
personnel identified in the certificate of inspection for MODUs in the 
affected population. According to SMEs with CG-CVC, industrial 
personnel aboard MODUs generally include a mixture of hotel and steward 
staff; laborers and riggers; specialized technicians; and mechanics, 
electricians, and electronic technicians for maintenance. For these 
groups, we find a combined unloaded weighted mean hourly wage of 
$25.16. For each vessel type, we weight the representative wages based 
on the average occupational ratios across vessels in the population. 
See Appendix A: Wages Across Vessel Types, for more details on how the 
industrial personnel and weighted mean hourly wages for each vessel 
type were calculated.\81\ We apply the same load factor we used 
previously in this analysis, 1.46, to these wage rates, to obtain the 
loaded mean hourly wage rates shown in table 19.\82\
---------------------------------------------------------------------------

    \80\ See https://www.bls.gov/oes/2022/may/oes_nat.htm#00-0000 
for 2022 wage rates associated with the listed occupations. Accessed 
September 9, 2023.
    \81\ It should be noted that the wage calculations in Appendix 
A: Wages Across Vessel Types are conducted with occupational ratios 
based on employee counts without the 1.33 shoreside employee 
modifier applied. Applying this multiplier evenly across all the 
employee counts would not have an impact on the occupational ratios, 
and thus would not impact our estimated weighted mean hourly wages. 
Because we do not have a good grasp on what occupations the 
shoreside employees would have, we simply apply the weighted mean 
hourly wages to all employees in the give population of vessels.
    \82\ See footnote 71.
    \83\ See Appendix A: Wages Across Vessel Types for more 
information on how these wages rates were calculated.
[GRAPHIC] [TIFF OMITTED] TP22FE24.018

    We estimate the undiscounted initial-year and annual cost of 
cybersecurity training for vessel employees to be approximately 
$6,166,909 (number of vessels for each affected vessel category x 
number of employees for each vessel type x representative mean hourly 
wage for vessel type x 1 hours for training). For example, using OSVs, 
there are about 426 OSVs, with 16 employees for each OSV. Therefore, we 
estimate the annual training cost for OSVs to be about $374,335 (426 
OSVs x 16 employees x $54.92 x 1 hour), rounded. We perform this 
calculation for all for the affected vessel types in this proposed rule 
and add it to the estimated costs for training development. We estimate 
the undiscounted annual cost to develop cybersecurity training to be 
approximately $269,585 (1,602 vessel companies x 1 CySO per vessel 
company x $84.14 x 2 hours to develop training)]. This means the total 
undiscounted annual training cost for the affected population of U.S.-
flagged vessels is $6,436,494 ($6.166,909 employee training costs + 
$269,585 training development costs). Table 20 displays the total 
employee training costs for each vessel type impacted by the proposed 
training requirement.

[[Page 13439]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.019

    We estimate the discounted cost for employees aboard U.S.-flagged 
vessels to complete annual cybersecurity training to be approximately 
$45,207,239 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$6,436,494, using a 7-percent discount rate. See table 21.
[GRAPHIC] [TIFF OMITTED] TP22FE24.020

    We estimate the total discounted cost of cybersecurity training for 
facilities and vessels to be approximately $86,895,266 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to

[[Page 13440]]

be approximately $12,371,931, using a 7-percent discount rate. See 
table 22.
[GRAPHIC] [TIFF OMITTED] TP22FE24.021

Penetration Testing
    The third proposed provision under cybersecurity measures that 
would impose costs on industry is penetration testing, in proposed 
Sec.  101.650(e)(2). The CySO for each U.S.-flagged vessel, facility, 
and OCS facility would ensure that a penetration test is completed in 
conjunction with renewing the FSP, VSP, or OCS FSP. We assume facility 
and vessel owners and operators in the affected population would pay a 
third party to conduct a penetration test to maintain safety and 
security within the IT and OT systems for all KEVs. The cost for 
penetration testing is a function of the number of vessel and facility 
owners and operators, because networks are typically managed at a 
corporate level. At the conclusion of the test, the CySO would also 
need to document all identified vulnerabilities in the FSA, OCS FSP, or 
VSA--a cost that is included in our analysis of annual Cybersecurity 
Plan maintenance. Further, it is expected that the CySO would also work 
to correct or mitigate the identified vulnerabilities. However, the 
methods employed and time taken to correct or mitigate these 
vulnerabilities represent a source of uncertainty in our analysis, and 
we are unable to estimate the associated costs.
    Based on the Jones Walker survey (see footnote number 69), 68 
percent of facilities and OCS facilities are currently conducting 
penetration testing. Using 1,708 affected facility owners and 
operators, the number of facility and OCS facility owners and operators 
needing to conduct penetration testing is about 547 (1,708 x 0.32). 
Using cost estimates for penetration testing from NMSAC members who 
have experience conducting and contracting with facilities and OCS 
facilities to conduct penetration tests, we estimate it would cost each 
facility owner or operator $5,000 for the initial penetration test and 
an additional $50 for each employee's internet Protocol (IP) 
address,\84\ to capture the additional costs of network complexity. The 
number of employees for each facility is 74. Facility and OCS facility 
owners and operators would incur penetration testing costs in 
conjunction with submitting and renewing the Cybersecurity Plan, or 
every 5 years. This means penetration testing costs would be incurred 
in the second and seventh year of analysis. We estimate the 
undiscounted second- and seventh-year costs to facilities and OCS 
facilities for penetration testing to be about $4,758,900 [(547 
facility owners and operators x $5,000) + (74 employees x 547 facility 
owners and operators x $50)]. We estimate the discounted cost for 
owners and operators of facilities and OCS facilities to conduct 
penetration testing to be about $7,120,212 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be about $979,477 using a 7-percent discount rate. See table 
23.
---------------------------------------------------------------------------

    \84\ An IP address is a unique numerical identifier for each 
device or network that connects to the internet. Because we do not 
have data on the number of devices each organization uses, we use 
the number of employees as a proxy because each employee could have 
a device using the organizational network.

---------------------------------------------------------------------------

[[Page 13441]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.022

    Owners and operators of U.S.-flagged vessels would also need to 
conduct penetration testing, similar to facilities. We do not include 
barges or barge-specific owners and operators, given the unmanned 
nature of barges and their relatively limited onboard IT and OT 
systems. All estimates for vessel penetration testing are the same as 
for facilities and OCS facilities. We estimate the undiscounted second- 
and seventh-year costs for owners and operators of vessels to conduct 
penetration testing to be approximately $14,322,700 [(1,602 vessel 
owners and operators x $5,000) + (number of vessels for each vessel 
type x number of employees for each vessel type x $50)]. See table 24 
for a calculation of the costs per IP address for the various vessel 
populations, which can be added to the costs per owner or operator 
costs, or $8,010,000 (1,602 owners and operators x $5,000) in years 2 
and 7.

[[Page 13442]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.023

    We estimate the discounted cost for owners and operators of vessels 
to conduct penetration testing to be approximately $21,429,459 over a 
10-year period of analysis, using a 7-percent discount rate. We 
estimate the annualized cost to be approximately $3,051,073 using a 7-
percent discount rate. See table 25.
[GRAPHIC] [TIFF OMITTED] TP22FE24.024

    We estimate the total discounted cost to conduct penetration 
testing for owners and operators of facilities, OCS facilities, and 
U.S.-flagged vessels to be approximately $28,549,669 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $4,064,831 using a 7-percent 
discount rate. See table 26.

[[Page 13443]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.025

Resilience
    The fourth cost provision under cybersecurity measures would be 
resilience, in proposed Sec.  101.650(g). Each CySO for a facility, OSC 
facility, and U.S.-flagged vessel would be required to report any cyber 
incident to the NRC, develop a Cyber Incident Response Plan, validate 
the effectiveness of Cybersecurity Plans through annual tabletop 
exercises or periodic reviews of incident response cases, and perform 
backups of critical IT and OT systems. Of these proposed requirements, 
the costs associated development of a Cyber Incident Response Plan are 
already captured in the overall costs to develop the Cybersecurity 
Plan, and any subsequent annual maintenance for the Cyber Incident 
Response Plan would be captured in the costs for annual maintenance of 
the Cybersecurity Plan. In addition, costs associated with validating 
and conducting exercise of Cybersecurity Plans through annual tabletop 
exercises or periodic reviews of incident response cases is already 
captured in the costs estimated for drills and exercises in proposed 
Sec.  101.635.
    To estimate the costs associated with cyber incident reporting, the 
Coast Guard uses historical cyber incident reporting data from the NRC. 
From 2018 to 2022, the NRC fielded and processed an average of 18 cyber 
incident reports from facilities and OCS facilities, and an average of 
2 cyber incident reports from U.S.-flagged vessels, for a total of 20 
cyber incident reports per year. While we anticipate that this number 
could increase or decrease following the publication of a rule focused 
on cybersecurity standards and procedures, we use the historical 
averages to estimate costs for the affected population.\85\ Due to the 
uncertainty surrounding how these regulatory changes may impact the 
number of incident reports made in the future, the Coast Guard requests 
comment on the expected number of incident reports submitted each year.
---------------------------------------------------------------------------

    \85\ The Coast Guard believes that cyber incident reports could 
increase following publication of this NPRM due to greater 
enforcement of reporting procedures and greater awareness 
surrounding the need to report. However, the Coast Guard 
acknowledges that cyber incident reports could also decrease because 
greater prevention measures would be implemented because of this 
proposed rule. As a result, we use historical cyber incident 
reporting data to analyze costs moving forward.
---------------------------------------------------------------------------

    For both the population of facilities and OCS facilities and the 
population of U.S.-flagged vessels, we assume that it will take 8.5 
minutes (0.15 hours) of a CySO's time to report a cyber incident to the 
NRC. We base this estimated hour burden on the time to report 
suspicious maritime activity to the NRC in currently approved OMB ICR, 
Control Number 1625-0096 titled ``Report of Oil or Hazardous Substance 
Discharge and Report of Suspicious Maritime Activity.'' For the 
population of facilities and OCS facilities, we estimate annual 
undiscounted costs of $227 (18 cyber incident reports x 0.15 hours to 
report x $84.14 CySO wage). We estimate the discounted cost for owners 
and operators of facilities and OCS facilities to report cyber 
incidents to be about $1,592 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be about 
$227 using a 7-percent discount rate. See table 27.

[[Page 13444]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.026

    For the population of U.S.-flagged vessels, we estimate annual 
undiscounted costs of $25 (2 cyber incident reports x 0.15 hours to 
report x $84.14 CySO wage). We estimate the discounted cost for owners 
and operators of facilities and OCS facilities to report cyber 
incidents to be about $250 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be about 
$25 using a 7-percent discount rate. See table 28.
[GRAPHIC] [TIFF OMITTED] TP22FE24.027


[[Page 13445]]


    We estimate the total discounted cost for owners and operators of 
facilities, OCS facilities, and U.S.-flagged vessels to be 
approximately $1,771 over a 10-year period of analysis, using a 7-
percent discount rate. We estimate the annualized cost to be 
approximately $252 using a 7-percent discount rate. See table 29.
[GRAPHIC] [TIFF OMITTED] TP22FE24.028

    The Coast Guard does not have data on the IT resources that owners 
and operators would need to back up data, either internally or 
externally. Coast Guard SMEs indicate that most of the affected 
population is likely already performing data backups. The time burden 
of backing up data is minimal because they can occur in the background 
through automated processes, making any new costs a function of data 
storage space. The external storage of data would require cloud storage 
(storage on an external server), and the cost would be dependent upon 
the capacity needed; for example, 1 terabyte or 100 terabytes of space. 
These costs would likely be incurred on a monthly basis, although we do 
not know how much additional data space a given owner or operator would 
need, if any. Coast Guard SMEs with CG-CYBER indicate that the current 
market prices for cloud storage subscriptions range from $21 to $41 per 
month for 1 terabyte of data, $54 to $320 per month for 10 terabytes, 
and up to $402 to $3,200 per month for 100 terabytes of data. There may 
also be costs associated with the encryption of data that we are not 
able to estimate in this analysis. The Coast Guard requests public 
comment on the costs associated with data backup storage and 
protection.
Routine System Maintenance for Risk Management
    The final cost provision under cybersecurity measures would be 
routine system maintenance for risk management, in proposed Sec.  
101.650(e)(3)(i) through (vi). This proposed rule would require the 
CySO of a U.S.-flagged vessel, facility, or OCS facility to ensure 
patching (software updates) or implementing controls for all KEVs in 
critical IT and OT systems in paragraph (e)(3)(i), maintain a method to 
receive or act on publicly submitted vulnerabilities in paragraph 
(e)(3)(ii), maintain a method to share threat and vulnerability 
information with external stakeholders in paragraph (e)(3)(iii), ensure 
there are no exploitable channels exposed to internet accessible 
systems in paragraph (e)(3)(iv), ensure that no OT is connected to the 
publicly accessible internet unless explicitly required for operation 
in paragraph (e)(3)(v), and conduct vulnerability scans according to 
the Cybersecurity Plan in paragraph (e)(3)(vi).
    Based on information from CGCYBER and NMSAC, we estimate costs for 
only the vulnerability scans in this analysis, because it is expected 
that CySOs will incorporate many of these provisions into the initial 
development and annual maintenance of the Cybersecurity Plan. 
Provisions that require setting up routine patching, developing methods 
for communicating vulnerabilities, and ensuring limited network 
connectivity of OT and other exploitable systems are expected to be 
less time-intensive efforts that will be completed following an initial 
Cybersecurity Assessment and documented in the Cybersecurity Plan. As a 
result, we include those costs in that portion of the analysis. 
However, if an OT system does need to be taken offline or segmented 
from other IT systems, the Coast Guard does not have information on how 
long or intensive that process would be because of the great degree of 
variability in OT systems within the affected population.
    We discuss network segmentation and uncertainty more in later 
sections in this NPRM. We request public comment on the expected costs 
of network segmentation, particularly from those in the affected 
population who have completed these processes in the past.
    Based on information from CGCYBER, the cost to acquire third-party 
software capable of vulnerability scans would be approximately $3,390 
annually (which includes the software subscription cost) for each U.S.-
flagged vessel, facility, and

[[Page 13446]]

OCS facility. We base our analysis on the cost of a prevalent 
vulnerability scanner or virus software for business. Vulnerability 
scans can occur in the background while systems are operational and 
represent a less intensive method of monitoring IT and OT systems for 
vulnerabilities, which complements more intensive penetration tests 
that would be required every 5 years. For this reason, we do not 
estimate an hour burden in addition to the annual subscription cost of 
securing vulnerability scanning software. We estimate the undiscounted 
annual cost for facility owners and operators to subscribe to and use 
vulnerability scanning software to be approximately $5,790,120 (1,708 
facility owners and operators x $3,390). We estimate the undiscounted 
annual cost for vessel owners and operators to subscribe to and use 
vulnerability scanning software to be approximately $5,430,780 (1,602 
vessel owners and operators x $3,390). Combined, we estimate the total 
discounted cost for owners and operators of facilities, OCS facilities, 
and U.S.-flagged vessels to use vulnerability scanning software to be 
approximately $78,810,907 over a 10-year period of analysis, using a 7-
percent discount rate. We estimate the annualized cost to be 
approximately $11,220,900, using a 7-percent discount rate. See table 
30.
[GRAPHIC] [TIFF OMITTED] TP22FE24.029

Total Costs of the Proposed Rule to Industry
    We estimate the total discounted cost of this proposed rule to the 
affected population of facilities and OCS facilities to be 
approximately $221,437,074 over a 10-year period of analysis, using a 
7-percent discount rate. We estimate the annualized cost to be 
approximately $31,527,658, using a 7-percent discount rate. See table 
31.

[[Page 13447]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.030

    As seen in table 31, the primary cost drivers for the population of 
facilities and OCS facilities are Cybersecurity Plan-related costs 
(development, resubmission, maintenance, and audits) at 43.26 percent 
of the total costs to

[[Page 13448]]

industry. Cybersecurity training and vulnerability management costs 
come in second and third at 19 percent and 18.54 percent of the total 
costs, respectively. We believe some of this is due to the analysis of 
Cybersecurity Plan costs and vulnerability management costs, which 
assumes no baseline activity within the affected population because of 
a lack of information. Costs that appear as a higher percentage of the 
total costs in the population of U.S.-flagged vessels (account security 
and multifactor authentication, for example) have been adjusted based 
on current baseline activity within the population of facilities based 
on survey results, and thus, appear as smaller impacts to the 
population in general.
    We estimate the total discounted cost of this proposed rule to the 
affected population of U.S.-flagged vessels to be approximately 
$313,656,415 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$44,657,617, using a 7-percent discount rate. See table 32.

[[Page 13449]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.031

    As in table 32, the primary cost drivers for the population of 
U.S.-flagged vessels are costs related to account security and 
multifactor authentication at 48.43 percent of the total costs to 
industry. Costs related to

[[Page 13450]]

the Cybersecurity Plan and cybersecurity training come in second and 
third at 14.69 percent and 14.63 percent of the total costs, 
respectively. We estimate that account security and multifactor 
authentication costs represent such a high portion of the overall costs 
related to cybersecurity because the Coast Guard was unable to estimate 
current baseline activity for these provisions and used conservative 
(upper-bound) estimates related to the costs of implementing and 
managing multifactor authentication. As a result, the Coast Guard 
requests public comment on who in the affected population of U.S.-
flagged vessels has already implemented multifactor authentication and 
what the associated costs were.
    We estimate the total discounted cost of this proposed rule to 
industry to be approximately $535,093,488 over a 10-year period of 
analysis, using a 7-percent discount rate. We estimate the annualized 
cost to be approximately $76,185,275, using a 7-percent discount rate. 
See table 33.

[[Page 13451]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.032


[[Page 13452]]


Total Costs of the Proposed Rule per Affected Owner or Operator
    We estimate the average annual cost per owner or operator of a 
facility or OCS facility to be approximately $27,589, under the 
assumption that an owner or operator would need to implement each of 
the provisions required by this proposed rule. Each additional facility 
owned or operated would increase the estimated annual costs by an 
average of $4,396 per facility, since each facility or OCS facility 
will require an individual Cybersecurity Plan. Year 2 of the analysis 
period represents the year with the highest costs incurred per owner, 
with estimated costs of $37,667 for an owner or operator with one 
facility or OCS facility. See table 34 for a breakdown of the costs per 
entity for an owner or operator owning one facility or OCS facility.

[[Page 13453]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.033

    To estimate the cost for an owner or operator of a facility or OCS 
facility to develop, resubmit, conduct annual maintenance, and audit 
the Cybersecurity Plan, we use estimates provided earlier in the 
analysis. The

[[Page 13454]]

hour-burden estimates are 100 hours for developing the Cybersecurity 
Plan (average hour burden), 10 hours for annual maintenance of the 
Cybersecurity Plan (which would include amendments), 15 hours to renew 
Cybersecurity Plans every 5 years, and 40 hours to conduct annual 
audits of Cybersecurity Plans.
---------------------------------------------------------------------------

    \86\ The cost totals in table 34 represent cost estimates for 
owners and operators of 1 facility or OCS facility under the 
assumption that they will need to implement all cost-creating 
provisions of the proposed rule. Therefore, when multiplied over the 
full number of affected entities, the calculated totals will exceed 
those estimated for the population of facilities and OCS facilities 
elsewhere in the analysis. In addition, the cost estimates for items 
related to the Cybersecurity Plan are dependent upon the number of 
facilities owned and must be multiplied accordingly by the number of 
facilities owned. This is discussed in further detail later in the 
analysis of costs per owner or operator.
---------------------------------------------------------------------------

    Based on estimates from Coast Guard FSP and OCS FSP reviewers at 
local inspections offices, approximately 10 percent of Cybersecurity 
Plans would need to be resubmitted in the second year due to revisions 
that would be needed to the Plans, which is consistent with the current 
resubmission rate for FSPs and OCS FSPs. For renewals of Plans after 5 
years (occurring in the seventh year of the analysis period), Plans 
would need to be further revised and resubmitted in approximately 10 
percent of cases as well. However, in this portion of the analysis, we 
estimate costs as though the owner or operator will need to revise and 
resubmit their Plans in all cases, resulting in an upper-bound (high) 
estimate of per-entity costs. We estimate the time for revision and 
resubmission to be about half the time to develop the Plan itself, or 
50 hours in the second year of submission, and 7.5 hours after 5 years 
(in the seventh year of the analysis period). Because we include the 
annual Cybersecurity Assessment in costs to develop Plans, and we do 
not assume that owners and operators will wait until the second year of 
analysis to begin developing the Cybersecurity Plan or implementing 
relevant cybersecurity measures, we divide the estimated 100 hours to 
develop Plans equally across the first and second years of analysis.
    Using the CySO loaded hourly CySO wage of $84.14, we estimate the 
Cybersecurity Plan-related costs by adding the total number of hours to 
develop, resubmit, maintain, and audit each year and multiplying by the 
CySO wage. For example, we estimate owners would incur $8,414 in costs 
in year 2 of the analysis period [1 facility x $84.14 CySO wage x (50 
hours to develop the Plan + 50 hours to revise and resubmit the Plan) = 
$8,414]. Table 35 displays the per-entity cost estimates for an owner 
or operator of 1 facility or OCS facility over a 10-year period of 
analysis. For an owner or operator of multiple facilities or OCS 
facilities, we estimate the total costs by multiplying the total costs 
in table 35 by the number of owned facilities.
[GRAPHIC] [TIFF OMITTED] TP22FE24.034

    Similarly, we use earlier estimates for the calculation of per-
entity costs for drills and exercises, account security measures, 
multifactor authentication, cybersecurity training, penetration 
testing, vulnerability management and resilience.
    For drills and exercises, we assume that a CySO on behalf of each 
owner and operator will develop cybersecurity components to add to 
existing physical security drills and exercises. This development is 
expected to take 0.5 hours for each of the 4 annual drills and 8 hours 
for an annual exercise. Using the loaded hourly wage for a CySO of 
$84.14, we estimate annual costs of approximately $841 per facility 
owner or operator [$84.14 CySO wage x ((0.5 hours x 4 drills) + (8 
hours x 1 exercise)) = $841], as seen in table 34.
    For account security measures, we assume that a database 
administrator on behalf of each owner or operator will spend 8 hours 
each year implementing and managing account security. Using the loaded 
hourly wage for a database administrator of $71.96, we estimate annual 
costs of approximately $576

[[Page 13455]]

($71.96 database administrator wage x 8 hours = $576), as seen in table 
34.
    For multifactor authentication, we assume that an owner or operator 
of a facility or OCS facility will spend $9,000 in the initial year on 
average to implement a multifactor authentication system and spend 
approximately $150 per employee annually for system maintenance and 
support. Therefore, we estimate first year costs of approximately 
$20,100 [$9,000 implementation cost + ($150 support and maintenance 
costs x 74 average facility company employees)], and subsequent year 
costs of $11,100 ($150 support and maintenance costs x 74 average 
facility company employees), as seen in table 34.
    For cybersecurity training, we assume that a CySO will take 2 hours 
each year to develop and manage employee cybersecurity training, and 
employees at a facility or OCS facility will take 1 hour to complete 
the training each year. Using the estimated CySO wage of $84.14 and the 
estimated facility employee wage of $60.34, we estimate annual training 
costs of approximately $4,633 [($84.14 x 2 hours) + ($60.34 x 74 
facility company employees x 1 hour)].
    For penetration testing, we estimate costs only in the second and 
seventh years of analysis since tests are required to be performed in 
conjunction with submitting and renewing the Cybersecurity Plan. We 
assume that facility owners and operators will spend approximately 
$5,000 per penetration test and an additional $50 per IP address at the 
organization in order to capture network complexity. We use the total 
number of company employees as a proxy for the number of IP addresses, 
since the Coast Guard does not have data on IP addresses or the network 
complexity at a given company. As a result, we estimate second- and 
seventh-year costs of approximately $8,700 [$5,000 testing cost + ($50 
x 74 employees)], as seen in table 34.
    For vulnerability management, we assume that each facility or OCS 
facility will need to secure a vulnerability scanning program or 
software. Because vulnerability scans can occur in the background, we 
do not assume an additional hour burden associated with the 
implementation or use of a vulnerability scanner each year. Using the 
annual subscription cost of an industry leading vulnerability scanning 
software, we estimate annual costs of approximately $3,390, as seen in 
table 34.
    Finally, for resilience, we assume that each facility or OCS 
facility owner or operator will need to make at least one cybersecurity 
incident report per year. While this is incongruent with historical 
data that shows the entire affected population of facilities and OCS 
facilities reports only 18 cybersecurity incidents per year, we are 
attempting to capture a complete estimate of what the costs of this 
proposed rule could be for an affected entity. As such, we estimate 
that a CySO will need to take 0.15 hours to report a cybersecurity 
incident to the NRC, leading to annual per entity costs of 
approximately $13 ($84.14 CySO wage x 0.15 hours), as seen in table 34.
    We perform the same calculations to estimate the per-entity costs 
for owners and operators of U.S.-flagged vessels. However, the 
estimates for the population of U.S.-flagged vessels have more 
dependency upon the type and number of vessels owned by the company 
being analyzed. This is largely due to the varying numbers of employees 
per vessel, by vessel type. We estimate fixed, average per-entity costs 
of approximately $10,877 per U.S.-flagged vessel owner or operator, as 
seen in table 36.

[[Page 13456]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.035

    To estimate the per-entity costs that are dependent upon the number 
and type of vessel, we use the number of employees per vessel, and in 
the case of cybersecurity training costs, a unique weighted hourly wage 
based on the

[[Page 13457]]

personnel employed on each vessel type as calculated in Appendix A: 
Wages Across Vessel Types. Table 37 displays the average number of 
employees for each vessel type, including shoreside employees, and 
their unique weighted mean hourly wages. Table 38 displays the per-
vessel costs associated with each type of vessel.
---------------------------------------------------------------------------

    \87\ The cost estimates in table 36 represent the costs incurred 
at a company level for each U.S.-flagged vessel owner and operator, 
and thus must be added to the costs calculated in table 38, which 
are dependent on the type and number of vessels owned, to create a 
full picture of the estimated costs per owner or operator. When 
these totals are multiplied over the full number of affected 
entities, the calculated totals will exceed those estimated for the 
population of U.S.-flagged vessels elsewhere in the analysis because 
we assume that each owner or operator will need to implement all 
cost-creating provisions of the proposed rule. This is discussed in 
further detail in the analysis of costs per owner or operator.
[GRAPHIC] [TIFF OMITTED] TP22FE24.036


[[Page 13458]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.037

    In order to calculate the total cost per-entity in the population 
of U.S.-flagged vessels, we add the annual per-vessel costs from table 
38 based on the number and types of vessels owned to the fixed costs 
estimated in table 36.
---------------------------------------------------------------------------

    \88\ When adding these costs to the fixed costs for owners and 
operators, only add these estimated penetration testing costs in 
years 2 and 7.
---------------------------------------------------------------------------

    To estimate the cost for an owner or operator of a U.S.-flagged 
vessel to develop, resubmit, conduct annual maintenance, and audit the 
Cybersecurity Plan, we use estimates provided earlier in the analysis. 
The hour-burden estimates are 80 hours for developing the Cybersecurity 
Plan (average hour burden), 8 hours for annual maintenance of the 
Cybersecurity Plan (which would include amendments), 12 hours to renew 
Cybersecurity Plans every 5 years, and 40 hours to conduct annual 
audits of Cybersecurity Plans. Based on estimates from Coast Guard VSP 
reviewers at MSC, approximately 10 percent of Plans would need to be 
resubmitted in the second year due to revisions that would be needed to 
the Plans, which is consistent with the current resubmission rate for 
VSPs. For renewals of Plans after 5 years (occurring in the seventh 
year of the analysis period), Cybersecurity Plans would need to be 
further revised and resubmitted in approximately 10 percent of cases as 
well. However, in this portion of the analysis, we estimate costs as 
though the owner or operator will need to revise and resubmit their 
Plans in all cases resulting in an upper-bound (high) estimate of per-
entity costs. We estimate the time for revision and resubmission to be 
about half the time to develop the Cybersecurity Plan itself, or 40 
hours in the second year of submission, and 6 hours after 5 years (in 
the seventh year of the analysis period). Because we include the annual 
Cybersecurity Assessment in the cost to develop Plans, and we do not 
assume that owners and operators will wait until the second year of 
analysis to begin developing the Cybersecurity Plan or implementing 
related cybersecurity measures, we divide the estimated 80 hours to 
develop Plans equally across the first and second years of analysis.
    Using the CySO loaded hourly CySO wage of $84.14, we estimate the 
Cybersecurity Plan-related costs by adding the total number of hours to 
develop, resubmit, maintain, and audit each year and multiplying by the 
CySO wage. For example, we estimate owners and operators would incur 
approximately $6,731 in costs in year 2 of the analysis period [$84.14 
CySO wage x (40 hours to develop the Plan + 40 hours to revise and 
resubmit the Plan) = $6,731]. See table 39.

[[Page 13459]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.038

    Similarly, we use earlier estimates for the calculation of per-
entity costs for drills and exercises, account security measures, 
multifactor authentication, cybersecurity training, penetration 
testing, vulnerability management, and resilience.
    For drills and exercises, we assume that a CySO on behalf of each 
owner and operator will develop cybersecurity components to add to 
existing physical security drills and exercises. This development is 
expected to take 0.5 hours for each of the 4 annual drills and 8 hours 
for an annual exercise. Using the loaded hourly wage for a CySO of 
$84.14, we estimate annual costs of approximately $841 per vessel owner 
or operator [$84.14 CySO wage x ((0.5 hours x 4 drills) + (8 hours x 1 
exercise)) = $841], as seen in table 36.
    For account security measures, we assume that a database 
administrator on behalf of each owner or operator will spend 8 hours 
each year implementing and managing account security. Using the loaded 
hourly wage for a database administrator of $71.96, we estimate annual 
costs of approximately $576 ($71.96 database administrator wage x 8 
hours = $576), as seen in table 36.
    For multifactor authentication, we assume that a vessel owner or 
operator will spend $9,000 in the initial year on average to implement 
a multifactor authentication system and spend approximately $150 per 
employee annually for system maintenance and support. Therefore, we 
estimate first year fixed costs of approximately $9,000 for all owners 
and operators, with annual costs in years 2 through 10 dependent on the 
number of employees for each type of vessel. For example, we estimate 
the first-year costs to an owner or operator of one OSV to be 
approximately $11,400 [$9,000 implementation cost + ($150 support and 
maintenance costs x 16 average employees per OSV)], and subsequent year 
costs of $2,400 ($150 support and maintenance costs x 16 average 
employees per OSV). Fixed per-entity implementation costs of $9,000 can 
be found in table 36, and variable per-vessel costs can be found in 
table 38.
    For cybersecurity training, we assume that a CySO for each vessel 
owner or operator will take 2 hours each year to develop and manage 
employee cybersecurity training, and vessel employees will take 1 hour 
to complete the training each year. The per employee costs associated 
with training vary depending on the types and number of vessels and 
would be based on the average number of employees per vessel and the 
associated weighted hourly wage. For example, using the estimated CySO 
wage of $84.14 and the estimated OSV employee wage of $54.91, we 
estimate annual training costs of approximately $1,047 [($84.14 x 2 
hours) + ($54.91 x 16 average employees per OSV x 1 hour)]. Fixed per-
entity costs of $168 can be found in table 36 and variable per-vessel 
costs can be found in table 38.
    For penetration testing, we estimate costs only in the second and 
seventh years of analysis since tests are required to be performed in 
conjunction with submitting and renewing the Cybersecurity Plan. We 
assume that owners and operators of vessels will spend approximately 
$5,000 per penetration test and an additional $50 per IP address at the 
organization in order to capture network complexity. We use the average 
number of employees per vessel as a proxy for the number of IP 
addresses, since the Coast Guard does not have data on IP addresses or 
the network complexity at a given company. As a result, we estimate 
second- and seventh-year costs as follows: [$5,000 testing cost + ($50 
x average number of employees per vessel)]. For example, we estimate 
second- and seventh-year cost of approximately $5,800 for an owner or 
operator of an OSV [$5,000 testing cost + ($50 x 16 average number of 
employees per OSV)]. Fixed per-entity costs of $5,000 can be found in 
table 36, and variable per-vessel costs can be found in table 38.
    For vulnerability management, we assume that each U.S.-flagged 
vessel owner or operator will need to secure a vulnerability scanning 
program or software. Because vulnerability scans can occur in the 
background, we do not assume an additional hour burden

[[Page 13460]]

associated with the implementation or use of a vulnerability scanner 
each year. Using the annual subscription cost of an industry leading 
vulnerability scanning software, we estimate annual costs of 
approximately $3,390, as seen in table 36.
    Finally, for resilience, we assume that each U.S.-flagged vessel 
owner or operator will need to make at least one cybersecurity incident 
report per year. While this is incongruent with historical data that 
shows the entire affected population of vessels only reports two 
cybersecurity incidents per year on average, we are attempting to 
capture a complete estimate of what the costs of the proposed rule 
could be for an affected entity. As such, we estimate that a CySO will 
need to take 0.15 hours to report a cybersecurity incident to the NRC, 
leading to annual per-entity costs of approximately $13 ($84.14 CySO 
wage x 0.15 hours), as seen in table 34.
Unquantifiable Cost Provisions or No-Cost Provisions of This Proposed 
Rule
Communications
    Under proposed Sec.  101.645, this NPRM would require CySOs to have 
a method to effectively notify owners and operators of facilities, OCS 
facilities, and U.S.-flagged vessels, as well as personnel of changes 
in cybersecurity conditions. The proposed requirements would allow 
effective and continuous communication between security personnel on 
board U.S.-flagged vessels and at facilities and OCS facilities; U.S.-
flagged vessels interfacing with a facility or an OCS facility, the 
cognizant COTP, and national and local authorities with security 
responsibilities. Based on communication requirements established in 33 
CFR 105.235 for facilities, 106.240 for OCS facilities, and 104.245 for 
vessels, the Coast Guard assumes that owners and operators of vessels, 
facilities, and OCS facilities already have communication channels 
established for physical security notifications which could easily be 
used for cybersecurity notifications. As a result, we do not estimate 
regulatory costs for communications. The Coast Guard requests public 
comment on this assumption and whether this communications provision 
would add an additional time burden.
Device Security Measures
    Under proposed Sec.  101.650(b)(1), this NPRM would require owners 
and operators of U.S. facilities, OCS facilities, and U.S.-flagged 
vessels to develop and maintain a list of company-approved hardware, 
firmware, and software that may be installed on IT or OT systems. This 
approved list would be documented in the Cybersecurity Plan. Because 
this requirement would be included in the development of the 
Cybersecurity Plan, we estimated these costs earlier in that section of 
the cost analysis.
    Under proposed Sec.  101.650(b)(2), this NPRM would require owners 
and operators of facilities, OCS facilities, and U.S.-flagged vessels 
to ensure applications running executable code are disabled by default 
on critical IT and OT systems. Based on information from CGCYBER, the 
time it would take to disable such applications is likely minimal; 
however, we currently lack data on how prevalent these applications are 
within the affected population. Therefore, we are unable to estimate 
the regulatory costs of this proposed provision. The Coast Guard 
requests public comments on the device security measures under this 
regulatory provision.
    Under proposed Sec.  101.650(b)(3) and (4), this NPRM would require 
owners and operators of facilities, OCS facilities, and U.S.-flagged 
vessels to develop and maintain an accurate inventory of network-
connected systems, the network map, and OT device configuration. 
Because these items would be developed and documented as a part of the 
Cybersecurity Plan, we previously estimated these costs in that section 
of the cost analysis.
Data Security Measures
    Under proposed Sec.  101.650(c), this NPRM would require owners and 
operators of facilities, OCS facilities, and U.S.-flagged vessels to 
securely capture, store, and protect data logs, as well as encrypt all 
data in transit and at rest. The Jones Walker survey (see footnote 69) 
reveals that 64 percent of U.S. facilities and OCS facilities are 
currently performing active data logging and retention, and 45 percent 
are always encrypting data for the purpose of communication.
    Because data logging can be achieved with default virus-scanning 
tools, such as Windows Defender on Microsoft systems, the cost of 
storage and protection of data logs is primarily a function of the data 
space required to store them. Based on information from CGCYBER, cloud 
storage can cost from $21 to $41 per month for 1 terabyte of data, $54 
to $320 per month for 10 terabytes, and up to $402 to $3,200 per month 
for 100 terabytes of data. However, the Coast Guard does not have 
information on the amount of data space the affected population would 
need to comply with this proposed rule, or if data purchases would be 
necessary in all cases. Therefore, we are unable to estimate regulatory 
costs for this proposed provision. The Coast Guard requests public 
comment on these estimates and any additional information on this 
proposed regulatory provision.
    Similarly, encryption is often available in default systems, or in 
publicly available algorithms.\89\ The Coast Guard would accept these 
encryption standards that came with the software or on default systems. 
However, there are potentially some IT and OT systems in use that do 
not have native encryption capabilities. In these instances, encryption 
would likely represent an additional cost. However, the Coast Guard 
does not have information on the number of systems lacking encryption 
capabilities. As a result, we are unable to estimate the regulatory 
costs for encryption above and beyond what is included in default 
systems, and we request public comment on the potential costs 
associated with this provision.
---------------------------------------------------------------------------

    \89\ For example, see the following web pages for descriptions 
of default encryption policies on Google and Microsoft programs and 
cloud-based storage systems: https://cloud.google.com/docs/security/encryption/default-encryption and https://learn.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide, accessed 
July 19, 2023.
---------------------------------------------------------------------------

Supply Chain Management
    Under proposed Sec.  101.650(f)(1) and (2), this NPRM would include 
provisions to specify measures for managing supply chain risk. This 
would not create any additional hour burden, as owners and operators 
would only need to consider cybersecurity capabilities when selecting 
third-party vendors for IT and OT systems or services. In addition, 
based on information from CGCYBER, most third-party providers have 
existing cybersecurity capabilities and already have systems in place 
to notify the owners and operators of facilities, OCS facilities, and 
U.S.-flagged vessels of any cybersecurity vulnerabilities, incidents, 
or breaches that take place. Therefore, the Coast Guard does not 
estimate a cost for this proposed provision.
    Additionally, under proposed Sec.  101.650(f)(3), this NPRM would 
require owners and operators of U.S. facilities, OCS facilities, and 
U.S.-flagged vessel to monitor third-party remote connections and 
document how and where a third party connects to their networks. Based 
on information from CGCYBER, many IT and OT vendors provide systems 
with the ability to remotely access the system to

[[Page 13461]]

perform maintenance or trouble-shoot problems as part of a warranty or 
service contract. Because remote access is typically identified in 
warranties and service contracts, the Coast Guard assumes that industry 
is already aware of these types of connections and would only need to 
document them when developing the Cybersecurity Plan. We estimated 
these costs previously in the development of the Cybersecurity Plan 
section of this cost analysis. The Coast Guard requests public comment 
on the validity of this assumption and any additional information on 
this proposed regulatory provision.
Network Segmentation
    Under proposed Sec.  101.650(h)(1) and (2), this NPRM would require 
owners and operators of facilities, OCS facilities, and U.S.-flagged 
vessels to segment their IT and OT networks and log and monitor all 
connections between them. Based on information from CGCYBER, CG-CVC, 
and NMSAC, network segmentation can be particularly difficult in the 
MTS, largely due to the age of infrastructure in the affected 
population of facilities, OCS facilities and U.S.-flagged vessels. The 
older the infrastructure, the more challenging network segmentation may 
be. Given the amount of diversity and our uncertainty regarding the 
state of infrastructure across the various groups in our affected 
population, we are not able to estimate the regulatory costs associated 
with this proposed provision. The Coast Guard requests public comment 
on the anticipated costs of network segmentation within the affected 
population, especially from those who have previously segmented 
networks at their organizations.
Physical Security
    Under proposed Sec.  101.650(i)(1) and (2), this NPRM would require 
owners and operators of facilities, OCS facilities, and U.S.-flagged 
vessels to limit physical access to IT and OT equipment; secure, 
monitor, and log all personnel access; and establish procedures for 
granting access on a by-exception basis. The Coast Guard assumes that 
owners and operators have already implemented physical access 
limitations and systems, by which access can be granted on a by-
exception basis, based on requirements established in Sec. Sec.  
104.265 and 104.270 for vessels, Sec. Sec.  105.255 and 105.260 for 
facilities, and Sec. Sec.  106.260 and 106.265 for OCS facilities. 
Therefore, we do not believe that this proposed rule would impose new 
regulatory costs on owners and operators of facilities, OCS facilities, 
and U.S.-flagged vessels for this provision. However, we understand 
that Sec.  101.650(i)(2), which requires potential blocking, disabling, 
or removing of unused physical access ports on IT and OT 
infrastructure, may represent taking steps above and beyond what has 
been expected under established requirements. The Coast Guard currently 
lacks information on the prevalence of these physical access ports on 
systems in use in the affected population, and therefore cannot 
currently calculate an associated cost. We request public comment on 
the anticipated costs associated with physical security provisions in 
this proposed rule above and beyond what has already been incurred 
under existing regulation.
    Lastly, it is likely that this proposed rule would have 
unquantifiable costs associated with the incompatibility between the 
installation of the proposed newer software and the use of older or 
legacy software systems on board U.S.-flagged vessels, facilities, and 
OCS facilities. We request comments from the public on the anticipated 
costs associated with this difference in software for the affected 
population of this proposed rule.
Sources of Uncertainty Related to Quantified Costs in the Proposed Rule
    Given the large scope of this proposed rule, our analysis contains 
several areas of uncertainty that could lead us to overestimate or 
underestimate the quantified costs associated with certain provisions. 
In table 39, we outline the various sources of uncertainty, the 
expected impact on cost estimates due to the uncertainty, potential 
cost ranges, and a ranking of the source of uncertainty based on how 
much we believe it is impacting the accuracy of our estimates. A rank 
of 1 indicates that we believe the source of uncertainty has the 
potential to cause larger overestimates or underestimates than a source 
of uncertainty ranked 2, and so on. The Coast Guard requests public 
comment from members of the affected populations of facilities, OCS 
facilities, and U.S.-flagged vessels who could provide insight into the 
areas of uncertainty specified in table 40, especially those relating 
to potential cost estimates, hour burdens, or current baseline 
activities.

[[Page 13462]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.039


[[Page 13463]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.040


[[Page 13464]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.041


[[Page 13465]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.042


[[Page 13466]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.043


[[Page 13467]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.044

    The uncertainty surrounding these aspects of this analysis makes 
estimating many costs challenging. The Coast Guard has considered 
several alternative scenarios to demonstrate how alternative 
assumptions may affect

[[Page 13468]]

the cost estimates presented in this analysis.
    First, we consider an alternative assumption regarding the baseline 
cybersecurity activities in the population of U.S.-flagged vessels, 
which we determined may have the biggest impact on our cost estimates 
for this proposed rule. Because the Coast Guard lacks data on current 
cybersecurity activities in the population of U.S.-flagged vessels, we 
assume that all owners and operators of U.S.-flagged vessels have no 
baseline cybersecurity activity to avoid potentially underestimating 
costs in the preceding cost analysis. However, we were able to use 
existing survey data to estimate baseline cybersecurity activity in the 
population of facilities and OCS facilities, which allowed us to more 
accurately estimate the cost impacts of many of the proposed 
provisions.
    If we use the same rates of baseline activity we assume for 
facilities and OCS facilities for the U.S.-flagged vessels as well, we 
would see a reduction in undiscounted cost estimates related to account 
security measures, multifactor authentication implementation and 
management, cybersecurity training, and penetration testing. Like the 
rates of baseline activity cited for the population of facilities and 
OCS facilities, this alternative would assume that 87 percent of the 
U.S.-flagged vessel population are managing account security, 83 
percent have implemented multifactor authentication, 25 percent are 
conducting cybersecurity training, and 68 percent are conducting 
penetration tests.\90\ Using these assumptions would result in 
estimated annual population costs of approximately $119,891 for account 
security ($922,239 primary estimated cost x 0.13), $5,670,537 for 
multifactor authentication implementation and maintenance ($33,356,100 
primary estimated cost x 0.17), $4,827,371 for cybersecurity training 
($6,436,494 primary estimate cost x 0.75), and $4,583,264 for 
penetration testing ($14,322,700 primary estimated cost x 0.32). This 
would result in reduced undiscounted annual cost estimates of 
approximately $47,882,654 for the population of U.S.-flagged vessels. 
See table 41.
---------------------------------------------------------------------------

    \90\ See footnote 69.
    [GRAPHIC] [TIFF OMITTED] TP22FE24.045
    
    The Coast Guard requests comment on whether these assumptions of 
baseline activity are more reasonable than what is currently used in 
this RIA, or if there are additional alternative assumptions about 
baseline activities in these areas or other areas not discussed that 
would lead to more accurate estimates.
    In addition, we considered adding cost estimates for those areas of 
uncertainty where we were able to estimate a range of potential costs. 
For proposed provisions in Sec.  101.650(c) and (g) related to storing 
data logs and performing data backups, we anticipate that this data 
storage will be set up to occur in the background, meaning systems will 
not need to be taken offline and no burden hours. However, this makes 
the associated cost a function of the data space required to store and 
backup data. While we do not have information on how much data space a 
given company would need, we can estimate industry costs based on SME 
estimates for a range of potential data space amounts. As described in 
table 40, current market prices indicate that cloud-based storage can 
cost from $21 to $41 per month for 1 terabyte of data, $54 to $320 per 
month for 10 terabytes, and up to $402 to $3200 per month for 100 
terabytes of data. To estimate the annual cost of 1 additional terabyte 
of data, we take the average estimated monthly cost of $31 [($41 + $21) 
/ 2] and multiply it by 12 to find the average annual cost of $372 per 
terabyte. If each facility and OCS facility company required an 
additional terabyte of data space as a result of this proposed rule, we 
would estimate approximately $635,376 ($372 x 1,708 facility owners and 
operators) in additional undiscounted annual costs to industry. 
Similarly, if we assumed each U.S.-flagged vessel company required an 
additional terabyte of data space because of this proposed rule, we 
would estimate approximately $660,300 ($372 x 1,775 vessel owners and 
operators) in additional undiscounted annual costs to industry. See 
table 42.

[[Page 13469]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.046

    These costs could change if we were to add additional assumptions 
about current baseline activities or adjusted the expected need for 
data space. Therefore, we request public comment on the accuracy and 
inclusion of these estimates.
Government Costs
    There are three primary drivers of Government costs associated with 
this proposed rule. The first would be under proposed Sec.  101.630(e), 
where owners and operators of the affected population of U.S.-flagged 
vessels, facilities, and OCS facilities would be required to submit a 
copy of their Cybersecurity Plan for review and approval to either the 
cognizant COTP or the OCMI for facilities or OCS facilities, or to the 
MSC for U.S.-flagged vessels. In addition, proposed Sec.  101.630(f) 
would require owners and operators to submit Cybersecurity Plan 
amendments to the Coast Guard, under certain conditions, for review and 
approval. The second cost driver is related to the marginal increase in 
inspection time as a result of added Cybersecurity Plan components that 
will be reviewed as a part of an on-site inspection of facilities, OCS 
facilities, and U.S.-flagged vessels. The final cost driver would be 
under proposed Sec.  101.650(g)(1), where owners and operators of the 
affected population of U.S.-flagged vessels, facilities, and OCS 
facilities would be required to report cyber incidents to the NRC. The 
NRC would then need to process the report and generate notifications 
for each incident report they receive. The Coast Guard examines these 
costs under the assumption that we will use the existing frameworks in 
place to review security plans and amendments, process incident 
reports, and conduct inspections. Given uncertainty surrounding Coast 
Guard staffing needs related to this proposed rule, we have not 
estimated costs associated with new hires or the establishment of a 
centralized office.
    First, we analyze the costs to the Government associated with 
reviewing and approving Cybersecurity Plans and amendments. Based on 
Coast Guard local facility inspector estimates, it would take plan 
reviewers about 40 hours to review an initial Cybersecurity Plan for a 
facility or OCS facility, 8 hours to review a resubmission of a Plan in 
the initial year, and 4 hours to review an amendment in years 3 through 
6 and 8 through 10 of the analysis period. It would also take about 8 
hours of review for the renewal of plans in year 7 of the analysis 
period, and another 8 hours for any necessary resubmissions of Plan 
renewals. The hour-burden and frequency estimates for resubmissions and 
amendments are consistent with estimates for resubmissions of FSPs and 
OCS FSPs, as we expect the Cybersecurity Plans and amendments to be of 
a similar size and scope. As discussed earlier in the analysis, we 
estimate that resubmissions of initial Cybersecurity Plans and Plan 
renewals occur at a rate of 10 percent in years 2 and 7 of the analysis 
period. We use the number of facilities and OCS facilities that would 
submit Plans, which would be about 3,411.
    We determine the wage of a local facility inspector using publicly 
available data found in Commandant Instruction 7310.1W.\91\ We use an 
annual mean hourly wage rate of $89 for an inspector at the O-3 
(Lieutenant) level, based on the occupational labor category used in 
ICR 1625-0077.
---------------------------------------------------------------------------

    \91\ Readers can view Commandant Instruction 7310.1W for 
military personnel at media.defense.gov/2022/Aug/24/2003063079/-1/-1/0/CI_7310_1W.PDF, accessed January 2024.
---------------------------------------------------------------------------

    We estimate the undiscounted second-year (initial year of Plan 
review) cost for the Coast Guard to review Cybersecurity Plans for U.S. 
facilities and OCS facilities to be approximately $12,385,952 [(3,411 
facility Plan initial submissions x $89.00 x 40 hours) + (341 facility 
Plan resubmissions x $89.00 x 8 hours)]. Except in year 7, when renewal 
of all Plans would occur, we estimate the undiscounted annual cost to 
the Coast Guard for the review of amendments to be approximately 
$1,214,316 (3,411 amendments x $89.00 x 4 hours). In year 7, we 
estimate the undiscounted cost to be approximately $2,671,424 [(3,411 
Plans for 5-year renewal x $89.00 x 8 hours) + (341 facility Plan 
resubmissions x $89.00 x 8 hours)]. We estimate the discounted cost for 
the Coast Guard to review facility and OCS facility Cybersecurity Plans 
to be approximately $18,059,127 over a 10-year period of analysis, 
using a 7-percent discount rate. We estimate the annualized cost to be 
approximately $2,571,213, using a 7-percent discount rate. See table 
43.

[[Page 13470]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.047

    Based on Coast Guard MSC estimates, it would take about 28 hours to 
review an initial U.S.-flagged vessel Cybersecurity Plan, 8 hours to 
review a resubmission of the Cybersecurity Plan in the initial year, 
and 4 hours to review

[[Page 13471]]

an amendment in years 3 through 6 and 8 through 10 of the analysis 
period. It would also take about 8 hours of review for the renewal of 
Plans, and another 8 hours to review resubmitted Plan renewals in year 
7 of the analysis period. The hour-burden and frequency estimates for 
resubmissions and amendments are consistent with estimates for 
resubmissions of VSPs, as we expect the Cybersecurity Plans and 
amendments to be of a similar size and scope. We use the number of 
U.S.-flagged vessel owners and operators who would submit Plans, about 
1,775.
    According to ICR 1625-0077, the collection of information related 
to VSPs, FSPs, and OCS FSPs, the MSC uses contract labor to conduct 
Plan and amendment reviews. The MSC provided us with its independent 
Government cost estimate for their existing contract for VSP reviews. 
The average loaded annual mean hourly wage rate for the various 
contracted reviewers from the independent Government cost estimate is 
$81.83.
    We estimate the undiscounted second-year cost for the Coast Guard 
to review Cybersecurity Plans for U.S.-flagged vessels to be 
approximately $4,183,477 [(1,775 initial vessel Plan submissions x 
$81.83 x 28 hours) + (178 vessel Plan resubmissions x $81.83 x 8 
hours)]. Except in year 7, when resubmission of all Plans would occur, 
we estimate the undiscounted annual cost to the Coast Guard for 
reviewing amendments to be approximately $580,993 (1,775 amendments x 
$81.83 x 4 hours). In year 7, we estimate the undiscounted cost to be 
approximately $1,278,512 [(1,775 Plans for 5-year renewal x $81.83 x 8 
hours) + (178 facility Plan resubmissions x $81.83 x 8 hours)]. We 
estimate the discounted cost for the Coast Guard to review U.S.-flagged 
vessel Cybersecurity Plans to be approximately $7,118,596 over a 10-
year period of analysis, using a 7-percent discount rate. We estimate 
the annualized cost to be approximately $1,013,528, using a 7-percent 
discount rate. See table 44.

[[Page 13472]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.048

    The second source of Government costs would be the marginal 
increase in onsite inspection time due to the expansion of FSPs, OCS 
FSPs, and VSPs to include the Cybersecurity Plans and provisions 
proposed by this NPRM. The

[[Page 13473]]

proposed cybersecurity provisions would add to the expected onsite 
inspection times for the populations of facilities, OCS facilities, and 
U.S.-flagged vessels. Coast Guard SMEs within CG-FAC conferred with 
local inspection offices to estimate the expected marginal increase in 
facility and OCS facility inspection time. Local facility inspectors 
estimate that the additional cybersecurity provisions from this 
proposed rule would add an average of 1 hour to an onsite inspection, 
and that the inspection would typically be performed by an inspector at 
a rank of O-2 (Lieutenant Junior Grade). According to Commandant 
Instruction 7310.1W Reimbursable Standard Rates, an inspector with an 
O-2 rank has a fully loaded wage rate of $72.\92\ Therefore, we 
estimate the annual undiscounted Government cost associated with the 
expected marginal increase in onsite inspections of facilities and OCS 
facilities is $245,592 (3411 facilities and OCS facilities x 1 hour 
inspection time x $72 facility inspector wage). We estimate the total 
discounted cost of increased inspection time to be approximately 
$1,724,936 over a 10-year period of analysis, using a 7-percent 
discount rate. We estimate the annualized cost to be approximately 
$245,592, using a 7-percent discount rate. See table 45.
---------------------------------------------------------------------------

    \92\ Readers can view Commandant Instruction 7310.1W for 
military personnel at media.defense.gov/2022/Aug/24/2003063079/-1/-1/0/CI_7310_1W.PDF, accessed December 2023.
[GRAPHIC] [TIFF OMITTED] TP22FE24.049

    Similarly, Coast Guard SMEs within CG-ENG estimate that the 
additional cybersecurity provisions from the proposed rule would add an 
average of 0.167 hours (10 minutes) to an on-site inspection of a U.S.-
flagged vessel and that the inspection would typically be performed by 
an inspector at a rank of E-5 (Petty Officer Second Class). According 
to Commandant Instruction 7310.1W Reimbursable Standard Rates, an 
inspector with an E-5 rank has a fully loaded wage rate of $58. 
Therefore, we estimate the annual undiscounted Government cost 
associated with the expected marginal increase in onsite inspections of 
U.S.-flagged vessels is $99,630 (10,286 vessels x 0.167 hours 
inspection time x $58 facility inspector wage). We estimate the total 
discounted cost of increased inspection time to be approximately 
$699,761 over a 10-year period of analysis, using a 7-percent discount 
rate. We estimate the annualized cost to be approximately $99,630, 
using a 7-percent discount rate. See table 46.

[[Page 13474]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.050

    The final source of Government costs from this proposed rule would 
be the time to process and generate notifications for each cyber 
incident reported to the NRC. As discussed earlier in our analysis of 
costs associated with cyber incident reporting, from 2018 to 2022, the 
NRC fielded and processed an average of 18 cyber incident reports from 
facilities and OCS facilities, and an average of 2 cyber incident 
reports from U.S.-flagged vessels, for a total of 20 cyber incident 
reports per year. In addition, the NRC generated an average of 31 
notifications for appropriate Federal, State, local and tribal agencies 
per processed cyber incident over that same time period, meaning an 
average of 620 notifications per year (20 cyber incident reports x 31 
notifications).
    Based on ICR 1625-0096, Report of Oil or Hazardous Substance 
Discharge; and Report of Suspicious Maritime Activity, it takes the NRC 
approximately 0.15 hours (8.5 minutes) to receive an incident report, 
and 0.2 hours (12 minutes) to disseminate a verbal notification to the 
Federal on-scene coordinator or appropriate Federal agency. Given that 
cyber incidents and the reports of suspicious activity detailed in the 
ICR are processed in a similar fashion, we use the same hour estimates 
here. According to ICR 1625-0096, a contractor, equivalent to a GS-9, 
processes incident reports and generates relevant notifications. We use 
the GS-9-Step 5 hourly basic rate from the Office of Personnel 
Management (OPM) 2022 pay table, or $29.72.\93\ To account for the 
value of benefits to government employees, we first calculate the share 
of total compensation of Federal employees accounted for by wages. The 
Congressional Budget Office (2017) reports total compensation to 
Federal employees with a bachelor's degree (consistent with a GS level 
of GS-7 to GS-10) as $67.00 per hour and associated wages as 
$39.50.\94\ This implies that total compensation is approximately 1.70 
times the average wage ($67.00 / $39.50). Therefore, we can calculate 
$50.52 ($29.72 x 1.70 load factor) as the fully loaded wage rate for 
the NRC contractor equivalent to a GS-9, Step 5.
---------------------------------------------------------------------------

    \93\ Please see: https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2022/RUS_h.pdf. We use the 
Rest of U.S. (RUS) rate here to maintain consistency with the rates 
used in ICR 1612-0096; accessed July 12, 2023.
    \94\ Congressional Budget Office (2017), ``Comparing the 
Compensation of Federal and Private-Sector Employees, 2011 to 
2015,'' https://www.cbo.gov/system/files/115th-congress-2017-2018/reports/52637-federalprivatepay.pdf, accessed July 19, 2023.
---------------------------------------------------------------------------

    We estimate undiscounted annual Government costs of cyber incident 
report processing and notification to be $6,416 [(20 cyber incident 
reports x 0.15 hours to process x $50.52 contractor wage) + (620 
notifications x 0.2 hours x $50.52 contractor wage)]. We estimate the 
total discounted cost to be approximately $45,064 over a 10-year period 
of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $6,416, using a 7-percent discount 
rate. See table 47.

[[Page 13475]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.051

    We estimate the total discounted Government costs of the proposed 
rule for the review of Cybersecurity Plans, increase in on-site 
inspection time, and processing cyber incident reports to be 
approximately $27,647,481 over a 10-year period of analysis, using a 7-
percent discount rate. We estimate the annualized cost to be 
approximately $3,936,379, using a 7-percent discount rate. See table 
48.
[GRAPHIC] [TIFF OMITTED] TP22FE24.052


[[Page 13476]]


Total Costs of the Proposed Rule
    We estimate the total discounted costs of the proposed rule to 
industry and government to be approximately $562,740,969 over a 10-year 
period of analysis, using a 7-percent discount rate. We estimate the 
annualized cost to be approximately $80,121,654, using a 7-percent 
discount rate. See table 49.
[GRAPHIC] [TIFF OMITTED] TP22FE24.053

Benefits
    Malicious cyber actors, including individuals, groups, and nation 
states, have rapidly increased in sophistication over the years and use 
techniques that make them more and more difficult to detect. Recent 
years have seen the rise of cybercrime as a service, where malicious 
cyber actors are hired to conduct cyber-attacks.\95\ Some national 
governments have also used ransomware to advance their strategic 
interests, including evading sanctions.\96\ The increased growth of 
cybercrime is a factor that has intensified in the last 20 years. Per 
the Federal Bureau of Investigation's cybercrime reporting unit, 
financial losses from reported incidents of cybercrime exceeded $10.3 
billion in 2022, and $35.9 billion since 2001.\97\ While there are 
significant private economic incentives for MTS participants to 
implement their own cybersecurity measures, and survey results indicate 
that MTS participants are more confident in their cybersecurity 
capabilities than in years past, the same survey indicates that there 
are important gaps in capabilities that leave the MTS and downstream 
economic participants exposed to risk.\98\ In the 2018 report, the CEA 
stated, ''[b]ecause no single entity faces the full costs of the 
adverse cyber events, the Government can step in to achieve the optimal 
level of cybersecurity, either through direct involvement in 
cybersecurity or by incentivizing private firms to increase cyber 
protection.'' \99\
---------------------------------------------------------------------------

    \95\ See https://cybernews.com/security/crimeware-as-a-service-model-is-sweeping-over-the-cybercrime-world/ for a description of 
cybercrime as a service and https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/ for a description of 
its growth in recent years. Accessed December 6, 2023.
    \96\ Institute for Security and Technology, ``RTF Report: 
Combating Ransomware: A Comprehensive Framework for Action: Key 
Recommendations from the Ransomware Task Force,'' https://securityandtechnology.org/ransomwaretaskforce/report/, accessed July 
19, 2023.
    \97\ See the Federal Bureau of Investigation's ``2022 Internet 
Crime Report,'' Internet Crime Complaint Center (IC3), March 14, 
2023. This report can be found at https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf, accessed December 4, 2023. For a 
summary of financial losses from reported incidents of cybercrime 
since 2001, see https://www.statista.com/statistics/267132/total-damage-caused-by-by-cybercrime-in-the-us/, accessed December 4, 
2023.
    \98\ Readers can access the survey in the docket or at https://www.joneswalker.com/en/insights/2022-Jones-Walker-LLP-Ports-and-Terminals-Cybersecurity-Survey-Report.html; accessed July 19, 2023. 
See page 16 of the survey for data on industry confidence and pages 
34-41 for data on cybersecurity practices.
    \99\ Economic Report of the President supra note 1 at 369.
---------------------------------------------------------------------------

    The overall benefit of this proposed rule would be the reduced risk 
of a cyber incident and, if an incident occurs, improved mitigation of 
its impact. This would benefit owners and operators and help protect 
the maritime industry and the United States. We expect this proposed 
rule would have significant but currently unquantifiable benefits for 
the owners and operators of facilities, OCS facilities, and U.S.-
flagged vessels, as well as downstream economic participants \100\ and 
the public at large. This proposed rule would benefit the owners and 
operators of facilities, OCS facilities, and U.S.-flagged vessels by 
having a means, through the Cybersecurity Plan, to ensure that all 
cybersecurity measures are in place and tested periodically, which 
would improve the resiliency of owners and operators to respond to a 
cyber incident and to maintain a current cybersecurity posture, 
reducing the risk

[[Page 13477]]

of economic losses for owners and operators as well as downstream 
economic participants. For example, this proposed rule would require 
training, drills, and exercises, which would benefit owners and 
operators by having a workforce that is knowledgeable and trained in 
most aspects of cybersecurity, which reduces the risk of a cyber 
incident and mitigates the impact if an incident occurs. Conducting 
training, drills, and exercises would also enable the owners and 
operators of facilities, OCS facilities, and U.S.-flagged vessels to 
prevent, detect, and respond to a cyber incident with improved 
capabilities.
---------------------------------------------------------------------------

    \100\ Downstream economic participants are entities or 
individuals involved in the later stages of the supply chain or 
production process, such as distributors, wholesalers, service 
providers, and retailers that supply and sell products directly to 
consumers.
---------------------------------------------------------------------------

    In addition, cybersecurity measures in this proposed rule would 
require owners and operators of facilities, OCS facilities, and U.S.-
flagged vessels to identify weaknesses or vulnerabilities in their IT 
and OT systems and to develop strategies or safeguards to identify and 
detect security breaches when they occur. The software and physical 
requirements of this proposed rule would ensure that there is the 
minimal level of protection for critical IT and OT systems and allow 
for the proper monitoring of these systems. In table 50, we list the 
expected benefits associated with each major regulatory provision of 
the proposed rule.

[[Page 13478]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.054


[[Page 13479]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.055


[[Page 13480]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.056


[[Page 13481]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.057


[[Page 13482]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.058


[[Page 13483]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.059


[[Page 13484]]


[GRAPHIC] [TIFF OMITTED] TP22FE24.060

Cyber Incidents and Risks Addressed by the Proposed Rule
---------------------------------------------------------------------------

    \101\ Economic Report of the President supra note 1 at 370.
    \102\ Economic Report of the President supra note 1 at 370 and 
327.
    \103\ Economic Report of the President supra note 1 at 362.
    \104\ Economic Report of the President supra note 1 at 382-383.
    \105\ Economic Report of the President supra note 1 at 342.
---------------------------------------------------------------------------

    In May 2021, the Colonial Pipeline Company suffered a cyber-attack 
that disrupted the supply of fuel to the east coast of the United 
States. Colonial Pipeline Company was forced to shut down operations 
for 6 days, which created gasoline and fuel shortages. In addition to 
the direct financial losses incurred by Colonial Pipeline Company, the 
shutdown and subsequent shortages negatively impacted consumers, 
creating a 4 cents-per-gallon increase in average gasoline prices in 
the impacted areas, with price increases lingering even after the 
pipeline returned to operation.\106\ Further, fuel shortages caused 
some fuel stations to temporarily close due to shortened supply, and 
some airlines in the impacted area were forced to scramble for 
additional fuel sources and added additional stops along select long-
haul flights.\107\ This was a ransomware cyber-attack that, based on 
public reports, was a result of the attackers using a legacy Virtual 
Private Network and Colonial Pipeline not having a two-factor 
authentication method, more commonly known as multifactor 
authentication, in place on its computer systems.\108\ Therefore, it 
was possible for computer hackers to access Colonial Pipeline's 
computer systems with only a password. This proposed rule would likely 
prevent an attack similar to the Colonial Pipeline attack from 
occurring by requiring owners and operators of vessels, facilities, and 
OCS facilities to implement account security measures and multifactor 
authentication on their computer systems. An example of multifactor 
authentication would be requiring a five- or six-digit passcode after a 
password has been entered by company personnel. Multifactor 
authentication is part of account security measures in the proposed 
Sec.  101.650.
---------------------------------------------------------------------------

    \106\ Tsvetanov, T., & Slaria, S. (2021). The effect of the 
colonial pipeline shutdown on gasoline prices. Economics Letters, 
209. https://doi.org/10.1016/j.econlet.2021.110122. Accessed 
December 14, 2023.
    \107\ Josephs, L. (2021). Pipeline outage forces American 
Airlines to add stops to some long-haul flights, southwest flies in 
Fuel. CNBC. https://www.cnbc.com/2021/05/10/colonial-pipeline-shutdown-forces-airlines-to-consider-other-ways-to-get-fuel.html, 
accessed January 18, 2024.
    \108\ U.S. Senate, Joseph Blount, Jr. Committee on Homeland 
Security & Governmental Affairs. ``Hearing Before the United States 
Senate Committee on Homeland Security and Governmental Affairs--
Threats to Critical Infrastructure: Examining the Colonial Pipeline 
Cyber Attack.'' June 8, 2021. Washington, DC and via video 
conference. Text can be downloaded at https://www.hsgac.senate.gov/hearings/threats-to-critical-infrastructure-examining-the-colonial-pipeline-cyber-attack/, accessed June 28, 2023.
---------------------------------------------------------------------------

    The encryption of data in the proposed Sec.  101.650 under data 
security measures may have relegated stolen data to being useless in 
the event of a cyber-attack. Furthermore, Colonial Pipeline would 
likely have benefitted from a penetration test, which they had not 
conducted, to ensure the safety and security of its critical systems. 
The proposed requirement of a penetration test would simulate real-
world cyber-attacks that would help companies identify the risks to 
their computer systems and prepare the necessary measures to lessen the 
severity of a cyber-attack.
    Additionally, under proposed Sec.  101.650 for device security 
measures, documenting and identifying the network map and OT device 
configuration information, Colonial Pipeline may have been able to 
detect exactly where the connections to the affected systems were and 
may have been able to isolate the problem without having to shut down 
all pipeline operations, as it did temporarily, which greatly affected 
its fuel supply operations.

[[Page 13485]]

    Lastly, Colonial Pipeline did not have a Cybersecurity Plan in 
place but did have an emergency response plan. With proposed Sec. Sec.  
101.630, Cybersecurity Plan, and 101.635, Drills and Exercises, a 
Cybersecurity Plan could have benefitted Colonial Pipeline because it 
includes periodic training and exercises that increase the awareness of 
potential cyber threats and vulnerabilities throughout the 
organization. A Cybersecurity Plan also creates best practices so 
company personnel have the knowledge and skills to identify, mitigate, 
and respond to cyber threats when they occur. Creating the 
Cybersecurity Plan would allow the CySO to ensure all aspects of the 
Plan have been implemented at a CySO's respective company. Improved 
awareness of potential cybersecurity vulnerabilities and the steps 
taken to correct them could have helped Colonial Pipeline identify its 
password weakness issue before it was exploited.
    In another cyber-attack that occurred in 2017 against the global 
shipping company Maersk, computer hackers, based on public reports, 
exploited Maersk's computer systems because of vulnerabilities in 
Microsoft's Windows operating system. The malware was disguised as 
ransomware, which created more damage to Maersk's computer systems. In 
2016, one year prior to the attack, IT professionals at Maersk 
highlighted imperfect patching policies, the use of outdated operating 
systems, and a lack of network segmentation as the largest holes in the 
company's cybersecurity. While there were plans to implement measures 
to address these concerns, they were not undertaken, leaving Maersk 
exposed and underprepared for the attack it faced in 2017. The effects 
of this attack were far-reaching. Beyond the direct financial losses 
incurred by Maersk (estimated at nearly $300 million), shipping delays 
and supply chain disruptions caused additional downstream economic 
losses that are much more difficult to quantify as shipments went 
unfulfilled for businesses and consumers, and trucks were forced to sit 
and wait at ports.\109\ Under proposed Sec.  101.650, cybersecurity 
measures such as patching would likely prevent a similar attack from 
occurring and help prevent such losses. Patching vessel, facility, and 
OCS facility computer systems would ensure they are not vulnerable to a 
cyber-attack because the latest software updates would be installed on 
these systems with periodic software patches.
---------------------------------------------------------------------------

    \109\ Andy Greenberg, ``The Untold Story of NotPetya, the Most 
Devastating Cyberattack in History''; WIRED; August 22, 2018; 
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/, accessed June 28, 2023.
---------------------------------------------------------------------------

    Additionally, penetration testing may have identified the 
vulnerabilities in Maersk's computer systems. Regular cybersecurity 
drills and exercises may have enabled Maersk's employees to quickly 
identify the cyber threat and may have reduced the impact and longevity 
of the cyber-attack. Further, network segmentation as proposed in Sec.  
101.650(h) could have helped stop the spread of malware to all its 
computer systems, which ultimately crippled its operations. By 
separating networks, Maersk could have better isolated the attack and 
kept larger portions of its business open, meaning fewer financial 
losses and downstream economic impacts to other companies and 
consumers.
    Resilience played a significant role in Maersk's ability to recover 
from the cyber-attack quickly. Company personnel worked constantly to 
recover the affected data and eventually restored the data after 2 
weeks.\110\ Proposed Sec.  101.650 contains provisions for resilience, 
which owners and operators such as Maersk must possess to recover from 
a cyber-attack. However, with proper backups of critical IT and OT 
systems, Maersk may have been able to recover more quickly from the 
attack.
---------------------------------------------------------------------------

    \110\ News reports suggest this recovery time was luck and not 
due to existing cybersecurity practices. ``Maersk staffers finally 
found one pristine backup in their Ghana office. By a stroke of 
luck, a blackout had knocked the server offline prior to the 
NotPetya attack, disconnecting it from the network. It contained a 
single clean copy of the company's domain controller data, and its 
discovery was a source of great relief to the recovery team.'' See 
Daniel E. Capano, ``Throwback Attack: How NotPetya accidentally took 
down global shipping giant Maersk,'' September 30, 2021, https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/, accessed July 25, 2023.
---------------------------------------------------------------------------

    The Coast Guard emphasizes that this proposed rule might also have 
quantifiable benefits from reducing or preventing lost productivity 
from a cyber incident and possibly lost revenues from the time that 
critical IT and OT systems are inoperable as a result of a cyber 
incident, if one occurs. Such benefits would accrue to owners and 
operators of vessels and facilities, as well as to downstream 
participants in related commerce, and to the public at large. For 
instance, short-term disruptions to the MTS could result in increases 
to commodity prices, while prolonged disruptions could lead to 
widespread supply chain shortages. Short- and long-term disruptions and 
delays may affect other domestic critical infrastructure and 
industries, such as our national defense system, that depend on 
materials transported via the MTS.
    The societal impacts from a cyber security incident such as the 
attack that occurred against Maersk are difficult to quantify. They may 
include the effects of delays in cargo being delivered, which could 
result in the loss of some or all of the cargo, especially if the cargo 
is comprised of perishable items such as food or raw goods, such as 
certain types of oil that would be later used in the supply chain to 
manufacture final goods such as food items. Delays themselves may 
result in the unfulfillment of shipping orders to customers as vessels 
wait offshore to enter a port, which would have the downstream effect 
of customers not receiving goods because delivery trucks would sit idle 
at ports until OT and IT systems either at the port or onboard vessels 
once again become operational after the attack. Other societal impacts 
could include, but are not limited to, delays in shipments of medical 
supplies that may be carried onboard vessels that would not be 
delivered on time to individuals and medical institutions who rely on 
these supplies for their healthcare needs and service, respectively. 
Therefore, it should be noted that a cyber-attack may have considerable 
economic impacts on multiple industries in the United States such as, 
but not limited to, healthcare, food, transportation, utilities, 
defense, and retail. It should also be noted that the Coast Guard is 
not able to estimate, quantify, or predict the societal harm of 
shipping delays from a cyber-attack on the MTS or the economic impact 
it could cause because it would be dependent on many variables such as: 
the type of attack, the severity of the attack, the length of the 
attack, the response by the affected parties to the attack, and other 
variables.
    The benefits of this NPRM could be particularly salient in the case 
of a coordinated attack by a malicious actor seeking to disrupt 
critical infrastructure for broader purposes. For instance, in a 
circumstance where the rule's provisions prevented a terrorist or 
nation-state actor \111\ from using a cyber-

[[Page 13486]]

attack in connection with a broader scheme that threatened human life, 
a strategic waterway, or a major port, the avoided economic and social 
costs may be substantial.
---------------------------------------------------------------------------

    \111\ For instance, the Office of the Director of National 
Intelligence recently reported on the cyber espionage and attack 
threats from multiple nation-states with respect to U.S. critical 
infrastructure. See Office of the Director of National Intelligence, 
Annual Threat Assessment of the U.S. Intelligence Community at 10, 
15, 19 (Feb. 6, 2023), available at https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf (last visited 
July 31, 2023) (describing cyber threats associated with China, 
Russia, and Iran). A recent multi-national cybersecurity advisory 
noted that ``Russian state-sponsored cyber actors have demonstrated 
capabilities to compromise IT networks; develop mechanisms to 
maintain long-term, persistent access to IT networks; exfiltrate 
sensitive data from IT and [OT] networks; and disrupt critical [ICS/
OT] functions by deploying destructive malware.'' See Joint 
Cybersecurity Advisory, Russian State Sponsored and Criminal Cyber 
Threat to Critical Infrastructure, Alert AA22-110A (April 20, 2022), 
available at: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a 
(accessed December 14, 2023).
---------------------------------------------------------------------------

    With respect to the latter, as noted by Cass R. Sunstein in Laws of 
Fear: Beyond the Precautionary Principle (The Seeley Lectures, Series 
Number 6), ``fear is a real social cost, and it is likely to lead to 
other social costs.'' \112\ In addition, Ackerman and Heinzerling state 
``terrorism `works' through the fear and demoralization caused by 
uncontrollable uncertainty.'' As devastating as the direct impacts of a 
successful cyber-attack can be on the U.S. marine transportation system 
and supply chain, avoiding the impacts of the more difficult to measure 
indirect effects of fear and demoralization in connection with a 
coordinated attack would also entail substantial benefits. However, the 
Coast Guard is not able to quantify these potential benefits because 
they would depend on the incident, the duration of the incident, and 
how various private and public actors would respond to the incident.
---------------------------------------------------------------------------

    \112\ Cass R. Sunstein, Laws of Fear, at 127; Cambridge 
University Press (2005).
---------------------------------------------------------------------------

    Through the provisions of this proposed rule, benefits from 
implementing and enhancing a cybersecurity program may likely increase 
over time. By requiring that a range of cybersecurity measures be 
implemented, such as account security measures, vulnerability scanning, 
and automated backups, an organization can drastically reduce the 
downtime it takes to remedy a breach. Education and training can also 
help guide employees to identify potential email phishing scams, 
suspect links, and other criminal efforts, which will likely increase 
protection against external and internal threats before they occur. 
Further, because so many of the proposed provisions include periodic 
updates and modifications following tests or assessments, we believe 
that cybersecurity programs will continue to improve each time they are 
tested and reexamined by the implementing entity.
    This NPRM proposes to address the challenges facing businesses 
today by requiring the implementation of safeguards to cybersecurity on 
the MTS. In adopting these measures, owners and operators of U.S.-
flagged vessels, facilities, and OCS facilities can take preemptive 
action before malicious actors and the threats they pose take advantage 
of vulnerabilities in their critical IT and OT systems.
Breakeven Analysis
    While the Coast Guard is able to describe the qualitative benefits 
that this proposed rule may have for owners and operators of U.S.-
flagged vessels, facilities, and OCS facilities, and others who would 
be affected by a cyber-attack, the Coast Guard is not able to quantify 
and monetize benefits. One reason is that it is challenging to project 
the number of cyber-attacks that would occur over a relevant period 
without this proposed rule; another reason is that it is challenging to 
quantify the magnitude of the harm from such attacks. It is further 
challenging to quantify the marginal impact of this rulemaking, both 
because the Coast Guard cannot quantify the effectiveness of the 
provisions included in the proposals (how many attacks would be 
prevented or how much damage would be mitigated) and because the Coast 
Guard has uncertainty around the appropriate baseline to consider 
regarding what cybersecurity actions are being taken for reasons beyond 
this rulemaking. Without such projections and quantification, it is not 
possible to monetize the benefits of the proposed rule in terms of 
harms averted. As an alternative, we present a breakeven analysis for 
this proposed rule.
    Thus, this breakeven analysis only considers the $80 million in 
costs (at a 7 percent discount rate) that Coast Guard was able to 
quantify. The Coast Guard notes that, based on available data, there 
are likely additional costs the Coast Guard is not able to monetize. 
Furthermore, the downstream costs and impacts resulting from a cyber-
attack on an individual firm are challenging to quantify given the 
overlapping and intersecting nature of the supply chain. However, 
research examining the overall impacts of the NotPetya cyber-attack 
(one of the largest cyber-attacks in history), estimates societal 
impacts and downstream costs nearly four times greater than the direct 
impact on the firm suffering the initial attack.\113\ The Coast Guard 
requests comment on this finding and its relevance to the impact of 
cyber-attacks in the maritime transportation system specifically. To 
the extent that the costs of this proposed rule are higher than the 
Coast Guard's monetized estimate, the amount of costs this proposed 
rule must prevent would also need to increase to justify this proposed 
rule. The proposed rule would set the minimum requirements for 
companies to address their cybersecurity posture and provides the 
flexibility for these companies to take the necessary action to protect 
themselves from a cyber-attack.
---------------------------------------------------------------------------

    \113\ For example, analysis of the NotPetya attack revealed 
overall estimates of impacts on customers four times greater than 
those on the firms directly impacted by the attack. For more 
details, please see: Matteo Crosignani et al, ``Pirates without 
Borders: The Propagation of Cyberattacks through Firms' Supply 
Chains,'' Federal Reserve Bank of New York Staff Reports, No. 937 
(July 2020, revised July 2021), https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr937.pdf, accessed July 
7, 2023.
---------------------------------------------------------------------------

    OMB's Circular A-4 (September 17, 2003) states that, in the case of 
``non-quantified factors,'' agencies may consider the use of a 
threshold (``breakeven'') analysis.\114\ A breakeven analysis provides 
calculations to show how small or large the value of the non-quantified 
benefits could be before the proposed rule would yield zero net 
benefits. For this proposed rule, we calculate breakeven results from 
one example, using the estimated cost of a real-world cyber-attack on a 
regulated entity. Global shipper Maersk reported that it suffered an 
estimated $300 million in business costs and income losses due to a 
cyber-attack.\115\ The actual losses were likely much larger than the 
$300 million in business impacts to Maersk due to impacts on Maersk's 
customers.
---------------------------------------------------------------------------

    \114\ Readers can access OMB Circular A-4 dated September 17, 
2003, at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A4/a-4.pdf, accessed July 20, 
2023.
    \115\ Greenberg, supra note 109.
---------------------------------------------------------------------------

    Over the past decade, there have been numerous cyber-attacks--not 
just on the international and domestic maritime sector, but on other 
sectors of the U.S. and global economies.\116\ In a paper published by 
Akpan, Bendiab, Shiaelis, Karamperidis, and Michaloliakos (2022), the 
authors state that the maritime sector has shown a 900-percent increase 
in cybersecurity breaches as it enters the digital era.\117\ The paper 
adds that many automated systems on vessels, by their nature, are 
vulnerable to a cyber-attack, and

[[Page 13487]]

include navigation systems such as Electronic Chart Display and 
Information Systems, Global Positioning Systems, and Global Navigation 
Satellite Systems. Other affected systems include radar systems; 
Automatic Identification Systems; communication systems; and systems 
that control the main engine, generators, among others (Akpan et al., 
2022).\118\ Furthermore, the paper presents the vulnerabilities and 
consequences of cyber-attacks to ships' systems ranging from hijacking 
ships, destroying and stealing data, damaging equipment, disrupting 
vessel operations, uploading malware to computer systems, losing lives 
and cargo, and more (Akpan et al., 2022).\119\
---------------------------------------------------------------------------

    \116\ NIST provides a definition for the term ``cyber-attack.'' 
Readers can access this definition at https://csrc.nist.gov/glossary/term/cyber_attack; accessed July 20, 2023.
    \117\ Frank Akpan, Gueltoum Bendiab, Stavros Shiaeles, Stavros 
Karamperidis, and Michalis Michaloliakos; ``Cybersecurity Challenges 
in the Maritime Sector''; Network; March 7, 2022; page 123; https://www.mdpi.com/2673-8732/2/1/9/pdf?version=1646653034; accessed May 
2023. MDPI has open access to journals and published papers. 
Additionally, NIST provides a definition of the term breach, 
although not specifically related to cybersecurity at, https://csrc.nist.gov/glossary/term/breach, accessed July 2023.
    \118\ Akpan et al., supra note 117, at 129-30.
    \119\ Id.
---------------------------------------------------------------------------

    In a paper by Jones (2016), the author noted that outdated systems 
are vulnerable to cyber-attacks.\120\ The paper refers to a study that 
states 37 percent of servers running Microsoft failed to download the 
correct patch and left systems vulnerable to a cyber-attack. 
Additionally, Jones states that ``many ships were built before cyber 
security was a major concern'' and goes on to state that many newer 
software systems are not compatible with older software systems.
---------------------------------------------------------------------------

    \120\ Kevin Jones, ``Threats and Impacts in Maritime Cyber 
Security,'' April 15, 2016, pages 7 and 8, https://pearl.plymouth.ac.uk/handle/10026.1/4387?show=full; accessed May 22, 
2023.
---------------------------------------------------------------------------

    Akpan, et al. (2022) also list a few cyber-attacks that have 
occurred in the maritime transportation sector in the past few years. 
Allianz Global Corporate and Specialty (AGCS) reports that there was a 
record 623 million ransomware attacks in 2021.\121\ In a paper 
published by Meland, Bernsmed, Wille, Rodseth, and Nesheim (2021), the 
authors state that 46 successful \122\ cyber-attacks with a significant 
impact on the maritime industry have occurred worldwide between 2010 
and 2020, or an average of 4.2 attacks a year.\123\ Of the 46 attacks, 
the most notable cyber-attack stated by the authors of this paper, and 
earlier in the Benefits discussion of this preamble, occurred in 2017 
against the shipping company Maersk. Maersk estimated their economic 
loss to be nearly $300 million in the form of costs and reduced income 
to a specific firm as the result of the incident (Meland et al., 2021). 
Based on other reports, the economic damage that resulted from this 
incident may have been considerably more because of the downstream 
impacts that this incident may have had on customers and other 
companies who rely on the shipping industry for their businesses.\124\
---------------------------------------------------------------------------

    \121\ AGCS is a global insurance company. Readers can access 
this report at https://www.agcs.allianz.com/news-and-insights/news/cyber-risk-trends-2022-press.html. The Coast Guard accessed this 
report in May 2023. AGCS's website is, https://www.agcs.allianz.com.
    \122\ The analysis did not include mere attempts to attack, 
unsuccessful attacks, or attacks categorized as ``white hat'' 
attacks, which are attempts to infiltrate cybersecurity systems to 
identify vulnerabilities in software, hardware, or networks. 
Definition of ``white hat hacking'' at https://www.fortinet.com/resources/cyberglossary/whitehat-security, accessed July 20, 2023.
    \123\ The title of this paper is ``A Retrospective Analysis of 
Maritime Cyber Security Incidents.'' Readers can access this paper 
at https://www.semanticscholar.org/paper/A-Retrospective-Analysis-of-Maritime-Cyber-Security-Meland-Bernsmed/6caba4635f991dd1d99ed98cf640812f8cae16ba (pages 519 and 523). The 
Coast Guard accessed this pdf link in May 2023. Readers may need to 
create an account to view this paper, other papers, and research 
literature. The paper is also available at, https://www.transnav.eu. 
The authors of the study noted that shipping is a very diverse 
sector and that their source materials tend to focus on larger ships 
and operations. The authors stated that it is highly unlikely that 
this study has captured all the different cyber incidents over the 
sector. Additionally, the authors did not define what a 
``significant impact'' entails; nevertheless, in some cyber-attacks 
they cited, they provided the effect of an attack in their 
description of the incident.
    \124\ This figure does not include indirect effects on third 
parties, such as logistics firms and others who may have experienced 
losses because of this incident. See, for example, Matteo Crosignani 
et al, ``Pirates without Borders: The Propagation of Cyberattacks 
through Firms' Supply Chains,'' Federal Reserve Bank of New York 
Staff Reports, No. 937 (July 2020, revised July 2021), https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr937.pdf, accessed July 7, 2023 (analyzing a sample of customers 
indirectly affected by the NotPetya attack, and concluding that 
``the customers of these directly hit firms [of the NotPetya attack] 
recorded significantly lower profits relative to similar but 
unaffected firms,'' with one measure of effects on customers being 
four times higher, in the aggregate, than effects on firms directly 
affected by the attack); Andy Greenberg, Wired Magazine, ``The 
Untold Story of NotPetya, the Most Devastating Cyberattack in 
History'' (August 22, 2018), https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/, accessed July 7, 
2023 (describing indirect costs to logistics firms and other costs 
associated with a large-scale disruption to the global supply 
chain).
---------------------------------------------------------------------------

    Monetizing the impact of the cyber-attack on Maersk allows the 
Coast Guard to create a breakeven point as it relates to a specific 
company (risk reduction percentage and the number of years the proposed 
rule would have to prevent one incident annually) for this proposed 
rule using the estimated costs of a cyber-attack that occurred against 
a shipping company. The breakeven point would be higher if effects on 
third parties were considered.
    Although this cyber-attack did not occur against a U.S. company, 
and represents one attack against a single company, it impacted a large 
shipping company and affected almost one-fifth of global shipping 
operations, according to Meland, et al. (2021). The Coast Guard is 
using this incident as an example while understanding that the economic 
impact of a cyber-attack can vary greatly, depending upon the severity 
of a cyber-attack and the surrounding conditions. We acknowledge that 
the Maersk incident we use in this breakeven analysis may not be 
representative of other cyber-attacks that occur in the future in the 
maritime sector. Meland, et al. (2021), also state that a majority of 
cyber-attacks in the maritime industry were not reported.
    Using this example of a cyber-attack with our explanation in the 
benefits section of the RIA of how we believe this proposed rule may 
prevent such an attack, we can estimate a breakeven point. We take the 
estimated annualized \125\ cost of this proposed rule using a 7-percent 
discount rate ($80.1 million)--which may be an underestimation of the 
actual costs that this proposed rule may impose on industry--and divide 
by the avoided loss from the Maersk attack ($300 million)--a loss that 
this proposed rule may prevent noting that the reported business loss 
of the Maersk attack may be an underestimate of the actual impact of 
the attack on social welfare.\126\ From there, we obtain an annual 
risk-reduction value to the affected firm of approximately 0.267, or 
about 27 percent ($80.1 million / $300 million), which is the minimum 
annual risk-reduction percentage that would need to occur to justify 
this proposed rule to the affected firm. If we state this another way, 
this proposed rule would need to reduce the risk or the likelihood of 
one or more successful cyber-attacks, similar to this attack, by 
approximately 27 percent annually for the benefits to justify the 
estimated costs to the affected firm. To be clear, the Coast Guard does 
not have an estimate for how much this proposed rule would actually 
reduce the risk of successful cyber-attacks on the MTS.
---------------------------------------------------------------------------

    \125\ We use annualized costs because we assume this proposed 
rule would result in constant reduced probability in every year 
following this proposed rule's implementation. Stated differently, 
we assume the risk reduction to be constant each year.
    \126\ The loss estimate used for the Maersk attack also 
represents a potential underestimation as it does not include 
indirect effects on third parties, such as logistics firms and 
others who may have experienced losses because of this incident. See 
footnote 113.
---------------------------------------------------------------------------

    The Coast Guard estimates the number of years the proposed rule 
would have to prevent a cyber-attack to break even, though the Coast 
Guard cautions that it does not know the degree to which the proposed 
rule would prevent cyber-attacks. For an

[[Page 13488]]

incident similar to the Maersk cyber-attack, we estimate this proposed 
rule would have to prevent at least one attack of this type (with the 
same avoided losses) approximately every 3.75 years ($300 million / 
$80.1 million) to break even. Additionally, the losses from similar 
cyber-attacks may be lower given that this proposed rule may have the 
intended effect of mitigating the size of losses from these types of 
attacks. Readers should also note that the losses estimated from this 
incident were reported by Maersk and not from an independent source. 
Table 51 summarizes the breakeven results of this NPRM.
[GRAPHIC] [TIFF OMITTED] TP22FE24.061

Analysis of Alternatives
    Cybersecurity has become a critical issue across all sectors. The 
maritime industry, a pivotal component of the global supply chain, is 
no exception. With an increasing amount of sensitive data being stored 
and processed online, regulations are needed to protect this data from 
unauthorized access and breaches. As cyber threats grow more 
sophisticated and pervasive, it has become increasingly apparent that 
clear and actionable cybersecurity regulations are needed for the 
maritime industry. Furthermore, cybersecurity is not just a matter of 
individual or business concerns, it is also a national security issue. 
Robust regulations help protect critical infrastructure and government 
services from cyber-attacks that could threaten national stability. For 
instance, unauthorized access to a ship's navigation system could lead 
to disastrous consequences, including collisions or groundings, which 
can put people at risk and lead to economic losses for the affected 
entities and the U.S. economy. To prevent incidents like this, the 
Coast Guard has included several proposed regulatory provisions that 
identify potential network and system vulnerabilities. Of these 
provisions, penetration testing is one of the more intensive and 
costly, but would provide important benefits, including demonstrating 
where and how malicious actors could exploit system weaknesses, so that 
organizations can better prioritize cybersecurity upgrades and 
improvements based on risk.
    Given the relatively high costs associated with penetration 
testing, and the significant vulnerability risks associated with not 
performing these tests, the Coast Guard contemplated four alternatives: 
(1) maintain the status quo; (2) require annual penetration testing and 
submission of results to the Coast Guard; (3) allow penetration testing 
at the discretion of the owner or operator; or (4) require penetration 
testing every 5 years in conjunction with the submission and approval 
of Cybersecurity Plans (the preferred alternative).
(1) Status Quo
    Currently. the Coast Guard does not require owners and operators of 
facilities, OCS facilities, and U.S.-flagged vessels to conduct 
penetration tests as a part of their security plans. Despite this, 
survey data indicates that some MTS entities are already conducting 
penetration tests for their organizations as they face an evolving 
cyber threat landscape. While we expect the adoption of penetration 
testing policies to grow over time, 32 percent of facility and OCS 
facility owners and operators (see footnote number 69) and an unknown 
number of U.S.-flagged vessel owners and operators have yet to add this 
test to their suite of cybersecurity measures.
    Maintaining the status quo by not requiring any penetration testing 
would reduce the costs for affected owners and operators of the 
proposed rule by $28,549,669, with an annualized cost reduction of 
$4,064,831 over a 10-year period of analysis, discounted at 7 percent, 
when compared to the preferred alternative. However, not requiring 
penetration testing would leave a significant gap in the vulnerability 
detection capability of a large portion of the MTS, exposing MTS 
stakeholders and the wider U.S. economy to greater risk. Without 
periodic penetration tests to determine weaknesses in critical IT and 
OT systems, the affected population puts itself at greater risk of 
cyber incidents, which can endanger employees, consumers, and the 
supply chain. As a result, the Coast Guard rejected the status quo 
alternative and has proposed requiring penetration tests every 5 years, 
aligned with the renewal of a Cybersecurity Plan, as discussed in 
alternative (4), below.
(2) Annual Penetration Testing
    Penetration testing represents a crucial element of a comprehensive 
cybersecurity strategy. It involves proactively testing computer 
systems, networks, and software applications to identify 
vulnerabilities that might be exploited by attackers. Because 
penetration testing provides a much more in-depth review of the 
vulnerabilities and weaknesses of IT and OT systems, the Coast Guard 
considered an alternative that would require it on an annual basis. 
Through annual penetration testing, an organization would be better 
equipped to identify weaknesses within their systems and prepare for 
real cyber threats. However, the costs and resources needed for 
penetration testing can be significant. As such, annual testing might 
impose an undue burden on the affected organizations.
    Based on Coast Guard estimates, penetration testing would cost 
approximately $5,000 per test, plus an additional $50 per IP address at 
the organization to capture network complexity. By increasing the 
frequency of these tests, the costs to facilities, OCS facilities, and 
U.S. flagged vessels would increase significantly. Under the preferred 
alternative, which requires penetration testing every 5 years in 
conjunction with the submission and renewal of a Cybersecurity Plan, 
the

[[Page 13489]]

Coast Guard estimates total costs of penetration testing to industry of 
$28,549,669 and annualized costs of $4,064,831 over a 10-year period of 
analysis, discounted at 7 percent (see the Penetration Testing section 
of the RIA for more details on the calculations underlying this 
estimate). Requiring annual penetration testing would increase industry 
costs for penetration testing by over 300 percent, to approximately 
$134,021,173 total and $19,081,600 annualized over a 10-year period of 
analysis, discounted at 7 percent. This alternative would result in an 
18.7 percent increase in the total cost of the rule, bringing the total 
cost to industry and the government to approximately $668,212,472 total 
and $95,138,423, annualized, over a 10-year period of analysis, 
discounted at 7 percent. The Coast Guard believes these increased costs 
are prohibitive and ultimately decided to reject this alternative. See 
table 52 for the costs associated with annual penetration testing over 
a 10-year period of analysis.
    Using the estimated annualized cost of this alternative of 
approximately $95.1 million, and using the Maersk cyber-attack, we 
estimate the number of years this alternative would have to break even 
and to prevent at least one or more attacks of this type annually (with 
the same avoided losses) to be approximately 3.15 years ($300 million / 
$95.1 million), compared with 3.75 years with the chosen alternative.
[GRAPHIC] [TIFF OMITTED] TP22FE24.062

(3) Penetration Testing at the Discretion of an Owner or Operator
    Given the cost of penetration testing, particularly for small 
businesses with limited resources, the Coast Guard considered an 
alternative that would make penetration an optional provision. This 
would allow those in the affected population to choose to prioritize 
different cybersecurity measures. The decision to undertake penetration 
testing could be made as a result of thorough risk assessments for each 
organization, considering its operational environments, risk profile, 
and pertinent threats.
    Under this alternative, an owner or operator, or a CySO on their 
behalf, could determine when a penetration test is warranted, if at 
all. Because the testing would be optional, we assume that fewer owners 
and operators would conduct penetration testing in a given year, 
however, we have no way of knowing how many this would be. If none of 
the affected owners or operators elected to conduct penetration 
testing, this could hypothetically reduce costs for owners and 
operators for penetration testing down to zero, meaning a cost 
reduction of $28,549,669 and an annualized cost reduction of $4,064,831 
over a 10-year period of analysis, discounted at 7 percent when 
compared to the preferred alternative.
    However, the value of penetration testing for most organizations 
cannot be overstated. When integrated into a comprehensive 
cybersecurity strategy, penetration testing can be very effective in 
identifying vulnerabilities. By fostering a proactive rather than 
reactive approach in cybersecurity, penetration testing enables 
organizations to stay ahead of potential threats and better understand 
how malicious actors could exploit weaknesses in IT and OT systems. 
This is particularly crucial given the quickly evolving landscape of 
cyber threats. In addition, because the costs of a potential cyber 
incident could be high, with potential downstream economic impacts, the 
Coast Guard must prioritize some level of oversight on provisions that 
could lessen the risk of a cyber incident. Therefore, we rejected this 
alternative, despite the potential cost savings. It should be noted, 
however, that according to proposed Sec.  101.665, owners and operators 
of facilities, OCS facilities, and U.S.-flagged vessels can seek a 
waiver or an equivalence determination if they are unable to meet the 
proposed requirements, penetration testing included.
    With this alternative, the estimated annualized cost decreases to 
approximately $76.1 million compared

[[Page 13490]]

with the chosen alternative. Using the Maersk cyber-attack, we estimate 
the number of years for this alternative to breakeven and to prevent at 
least one or more attacks of this type annually (with the same avoided 
losses) to be approximately 3.9 years ($300 million / $76.1 million), 
compared with 3.75 years with the chosen alternative.
(4) Penetration Testing in Conjunction With Cybersecurity Plan 
Submission (Preferred Alternative)
    In an effort to best balance the cost of annual penetration testing 
with the risk of leaving the MTS vulnerable to cyber incidents with 
even more costly impacts, the Coast Guard considered requiring 
penetration tests every 5 years, aligned with the renewal of a 
Cybersecurity Plan. This is the preferred alternative because 
penetration testing would supplement other cybersecurity measures in 
the proposed regulations such as vulnerability scanning, annual 
Cybersecurity Assessments and audits, quarterly drills, and annual 
exercises, which may limit the necessity of annual penetration testing. 
However, making penetration testing an optional requirement for 
organizations could inadvertently leave them more exposed to cyber-
attacks and limit the Coast Guard's understanding of the MTS' 
cybersecurity readiness. Under the preferred alternative, owners and 
operators are still free to conduct more frequent tests at their 
discretion if they would like to increase their awareness of 
vulnerabilities. Alternatively, they could apply for waivers or 
exemptions if they feel like they cannot meet the proposed requirements 
related to penetration testing. Please see the ``Breakeven Analysis'' 
section of this RIA for the breakeven estimates of this chosen 
alternative.

B. Small Entities

    Under the Regulatory Flexibility Act (RFA), 5 U.S.C. 601-612, the 
Coast Guard has prepared this Initial Regulatory Flexibility Analysis 
(IRFA) that examines the impacts of this proposed rule on small 
entities.
    Per the RFA, a small entity may be a small independent business, 
defined as one independently owned and operated, organized for profit, 
and not dominant in its field under the Small Business Act (5 U.S.C. 
632); a small not-for-profit organization, defined as any not-for-
profit enterprise which is independently owned and operated and is not 
dominant in its field; or a small governmental jurisdiction, defined as 
a locality with fewer than 50,000 people.
    Section 603(b) of the RFA prescribes the content of the IRFA, which 
addresses the following:
    (1) A description of the reasons why action by the agency is being 
considered;
    (2) A succinct statement of the objectives of, and legal basis for, 
the proposed rule;
    (3) A description of and, where feasible, an estimate of the number 
of small entities to which this proposed rule will apply;
    (4) A description of the projected reporting, recordkeeping, and 
other compliance requirements to comply with the proposed rule, 
including an estimate of the classes of small entities which will be 
subject to the requirement and the type of professional skills 
necessary for preparation of the report or record;
    (5) An identification, to the extent practicable, of all relevant 
Federal rules which may duplicate, overlap, or conflict with this 
proposed rule; and
    (6) A description of any significant alternatives to the proposed 
rule which accomplish the stated objectives of applicable statutes and 
which minimize any significant economic impact of the proposed rule on 
small entities.
    1. Description of the reasons why action by the agency is being 
considered.
    This proposed rule helps address current and emerging cybersecurity 
threats to maritime security in the MTS. Cybersecurity risks result 
from vulnerabilities in the operation of vital systems, which increase 
the likelihood of cyber-attacks on facilities, OCS facilities, and 
vessels. Cyber-related risks to the maritime domain are threats to the 
critical infrastructure that citizens and companies depend on to 
fulfill their daily needs.
    Cyber-attacks on public infrastructure have raised awareness of the 
need to protect systems and equipment that facilitate operations within 
the MTS because cyber-attacks have the potential to disable the IT and 
OT of vessels, facilities, and OCS facilities. Autonomous vessel 
technology, automated OT, and remotely accessible machines provide 
additional opportunities for cyber-attackers. These systems and 
equipment are prime targets for cyber-attacks that could potentially 
disrupt vessel movements and shut down port operations, such as loading 
and unloading cargoes. Section III.A., The Problem We Seek to Address, 
and Section IV.A, The Current State of Cybersecurity in the MTS in this 
NPRM provide more details.
    2. A succinct statement of the objective of, and legal basis for, 
the proposed rule.
    The objective of this proposed rule is to establish minimum 
performance-based cybersecurity requirements for U.S.-flagged vessels, 
facilities, and OCS facilities subject to MTSA. The proposed 
requirements include account security measures, device security 
measures, data security measures, governance and training, risk 
management, supply chain management, resilience, network segmentation, 
reporting, and physical security.
    The Coast Guard has statutory authority to promulgate regulations 
under 43 U.S.C. 1333(d); 46 U.S.C. 3306, 3703, 70102 through 70104, 
70124; and DHS Delegation No. 00170, Revision No. 01.3. Section 4 of 
the Outer Continental Shelf Lands Act of 1953, codified as amended at 
43 U.S.C. 1333(d), authorizes the Secretary to promulgate regulations 
with respect to safety equipment and other matters relating to the 
promotion of safety of life and property on the artificial islands, 
installations, and other devices on the OCS. This authority was 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(90), 
Revision No. 01.3.
    Sections 70102 through 70104 in Title 46 of the U.S.C. authorize 
the Secretary to evaluate for compliance vessel and facility 
vulnerability assessments, security plans, and response plans. Section 
70124 authorizes the Secretary to promulgate regulations to implement 
Chapter 701, including sections 70102 through 70104, dealing with 
vulnerability assessments for the security of vessels, facilities, and 
OCS facilities; VSPs, FSPs, and OCS FSPs; and response plans for 
vessels, facilities, and OCS facilities. These authorities were 
delegated to the Coast Guard by DHS Delegation No. 00170(II)(97)(a) 
through (c), Revision No. 01.3.
    Section III.C. of this preamble, Legal Authority to Address This 
Problem, provides more details on the Coast Guard's legal basis for 
these actions.
    3. A description of and, where feasible, an estimate of the number 
of small entities to which the proposed rule will apply.
    This section considers the number of small entities likely to be 
affected by this NPRM. First, we determine which owners of facilities, 
OCS facilities, and vessels in the affected population qualify as small 
businesses, small not-for-profit organizations, or small governments. 
Then, we compare reported annual revenues among the identified small 
entities with annual

[[Page 13491]]

compliance costs estimated by the Coast Guard.
Number of Small Entities Affected
    To identify the portion of the affected facility, OCS facility, and 
vessel owners that are likely to be small businesses and small not-for-
profit organizations, we match business-and organization-specific 
information with size standards for small businesses published in the 
Small Business Administration's (SBA) Table of Small Business Size 
Standards.127 128 The SBA defines small businesses in terms 
of firm revenues or number of employees. Size thresholds of small 
businesses differ depending on the industry sector, defined in terms of 
NAICS codes; therefore, the analysis also requires us to identify the 
relevant NAICS codes for the affected facility and vessel owners. To 
accomplish this, we take the following steps:
---------------------------------------------------------------------------

    \127\ SBA. ``Table of size standards.'' Available at: https://www.sba.gov/document/support-table-size-standards. Effective March 
17, 2023, accessed July 21, 2023.
    \128\ To determine whether not-for-profit organizations are 
small entities, we rely on the self-identified NAICS code reported 
by each organization to D&B Hoovers and the SBA's small business 
size standard for that NAICS code. Any organization qualifying as a 
small business pursuant to SBA's threshold is considered to be ``not 
dominant in its field'' (15 U.S.C. 632) and is categorized as a 
small organization. If no NAICS code is available, we assume the 
organization is small.
---------------------------------------------------------------------------

    (1) Identify the names and addresses of owners of facilities, OCS 
facilities, and U.S.-flagged vessels using information contained in the 
Coast Guard's MISLE database; \129\
---------------------------------------------------------------------------

    \129\ The Coast Guard provided MISLE data to Industrial 
Economics, Incorporated (IEc) on June 2, 2023, and June 9, 2023.
---------------------------------------------------------------------------

    (2) Upload the names and location information to D&B Hoovers' 
website and rely on D&B Hoovers' proprietary algorithm to match 
entities with the information stored in its database; \130\
---------------------------------------------------------------------------

    \130\ This process relies on D&B Hoovers' automated search 
functions to identify the business profiles associated with a list 
of businesses, not manual business-by-business searching. This 
search functionality is described in more detail in D&B Hoovers 
(2019, page 25). You can find this resource at https://app.dnbhoovers.com/product/wp-content/uploads/2020/10/DB-Hoovers-User-Guide-920.pdf. The matched data were downloaded from D&B 
Hoovers on June 20, 2023, accessed via: app.dnbhoovers.com/login, 
July 21, 2023.
---------------------------------------------------------------------------

    (3) Collect the primary NAICS code, ownership type,\131\ number of 
employees,\132\ and annual revenue information from entities that 
matched the information in D&B Hoovers' database; and
---------------------------------------------------------------------------

    \131\ D&B Hoovers provides ownership type for the matched 
entities. This analysis considers all entities marked as 
``private,'' ``public,'' or ``partnership'' as businesses. 
``Nonprofit'' ownership status is used to identify not-for-profit 
organizations.
    \132\ D&B Hoovers contains data fields for both ``employees at 
single site'' and ``employees at all sites.'' When both numbers are 
provided, we default to using the ``employees at all sites'' entry 
to capture the size of the larger parent company. When only the 
``employees at single site'' information is available, we use that 
entry instead.
---------------------------------------------------------------------------

    (4) Determine which owners are small businesses or small not-for-
profit organizations based on the SBA's definitions of small businesses 
matched to each NAICS code.\133\
---------------------------------------------------------------------------

    \133\ In some cases, SBA provides a size standard for the NAICS 
code as well as an ``exception'' for a sub-set of businesses with 
specific activity types. This analysis does not consider the 
``exceptions'' when classifying businesses and not-for-profit 
organizations as small.
---------------------------------------------------------------------------

    The RIA considers facilities, OCS facilities, and vessels owned by 
governments or quasi-government organizations separately.\134\ Small 
governmental jurisdictions are defined as governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts, with a population of less than 50,000 (5 U.S.C. 601). After 
using D&B Hoovers to identify a sample of Government owners, the 2020 
U.S. Census informed our classification of Government 
jurisdictions.\135\
---------------------------------------------------------------------------

    \134\ Government owners are identified using the ``public 
sector'' ownership status in D&B Hoovers. In most cases, the 
entities that fall into the ``public sector'' ownership type also 
have 92 NAICS codes.
    \135\ 2020 U.S. Census data accessed from: https://www.census.gov/quickfacts/, accessed July 21, 2023.
---------------------------------------------------------------------------

Facility and OCS Facility Owners
    MISLE identifies 3,411 regulated facilities and OCS facilities. Of 
the facilities, 2,663 are associated with 1,334 unique owners, and 748 
lack owner information.\136\ Like the cost analysis, this analysis 
assumes the 748 facilities lacking owner information in MISLE are 
associated with an additional 374 unique owners, under the assumption 
that the average facility owner is associated with 2 regulated 
facilities. In total, this analysis assumes a total of 1,708 affected 
owners and operators of facilities and OCS facilities.
---------------------------------------------------------------------------

    \136\ Owners of facilities and OCS facilities are determined 
using various data files in MISLE. Owner information is not reported 
in a standard format for facilities and OCS facilities; therefore, 
considerable data cleaning was necessary to identify unique owner 
names and location information. This analysis assumes the sample of 
facilities with owner information identified is broadly 
representative of all regulated facilities. Additionally, D&B 
Hoovers further consolidated the list of affected owners of 
facilities and OCS facilities by identifying unifying parent 
companies for some owners thought to be independent businesses or 
organizations based on MISLE data.
---------------------------------------------------------------------------

    The names and location information of all 1,334 identifiable 
affected owners were uploaded to D&B Hoovers, and the search function 
returned information for 786 entities (59 percent) with at least one 
identified NAICS code. The 548 unmatched entities either do not have 
business profiles in D&B Hoovers or the owner's name and location 
information stored in MISLE does not match the business records on the 
website. Included among the owners that matched with records in D&B 
Hoovers were 770 businesses (98 percent of the matched owners), 11 not-
for-profit organizations (1 percent), and 5 Governments (1 percent). 
The 770 businesses categorize into 186 NAICS codes.
    Table 53 reports the number of businesses in the top 10 most 
frequently occurring NAICS codes, as well as the portion that meet the 
definition of small business. An additional row summarizes the 
businesses across the remaining 176 NAICS codes. As presented, 615 of 
770 businesses (80 percent) qualify as small based on their revenue or 
number of employees. Additionally, the 11 not-for-profit organizations 
include 10 small organizations (91 percent). The 5 Government 
jurisdictions include no small Governments (0 percent). Under the 
assumptions that (1) the 374 owners of facilities and OCS facilities 
without owner information in MISLE are small entities and (2) all 548 
of facilities and OCS facilities for which D&B Hoovers profiles are not 
available are small entities, we estimate 1,533 total small entities 
are affected by the requirements for facilities and OCS facilities in 
this proposed rule (90 percent of affected facility owners) (374 owners 
without identifying information in MISLE + 548 unmatched facility 
owners + 601 matched small businesses + 10 matched small organizations 
+ 0 matched small Governments= 1,533 total small entities). See table 
53.

[[Page 13492]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.063


[[Page 13493]]


Vessel Owners
    Across the eight categories of vessels regulated by the Coast Guard 
and considered for this proposed rule, MISLE identifies over 10,000 
vessels owned by 1,775 unique entities.\137\ The names and location 
information of all 1,775 owners stored in MISLE were uploaded to D&B 
Hoovers, and the search function returned information for 1,006 
entities (57 percent) with at least 1 NAICS code identified. Included 
among the entities that matched with records in D&B Hoovers were 989 
businesses (98 percent of the matched owners), 11 not-for-profit 
organizations (1 percent), and 6 Government jurisdictions (1 percent). 
The 989 businesses categorize into 170 NAICS codes.
---------------------------------------------------------------------------

    \137\ Like facilities and OCS facilities, unique businesses are 
determined using both organization name and address as stored in the 
Coast Guard's MISLE database. The information for owners is more 
complete for vessels than for facilities and OCS facilities in 
MISLE; all vessels include owner information. D&B Hoovers was able 
to identify unifying parent companies for some owners thought to be 
independent businesses or organizations based on MISLE data.
---------------------------------------------------------------------------

    Table 53 reports the number of businesses in the top 10 most 
frequently occurring NAICS codes, as well as the portion that meet the 
definition of small business. An additional row summarizes the 
businesses across the remaining 160 NAICS codes.\138\ As presented, 900 
of 989 businesses (91 percent) qualify as small businesses based on 
their revenue or number of employees. Additionally, the 11 not-for-
profit organizations include 9 small organizations (82 percent), and 
the 6 Government jurisdictions include 1 small Government (17 percent). 
Under the assumption that all 769 vessel owners for which D&B Hoovers 
profiles are not available are small entities, we estimate 1,633 total 
small entities are affected by the vessel requirements in this proposed 
rule (92 percent of affected vessel owners) (769 unmatched vessel 
owners + 854 matched small businesses + 9 matched small organizations + 
1 matched small Government = 1,633 total small entities). See table 54.
---------------------------------------------------------------------------

    \138\ Included in this group is NAICS code 99990 
``unclassified.'' Because SBA does not propose a size standard for 
this code, we assume all entities with NAICS code 99990 are small. 
For the matched vessel owners, 46 entities are classified with this 
code in D&B Hoovers.

---------------------------------------------------------------------------

[[Page 13494]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.064


[[Page 13495]]


Summary
    Across the combined 3,483 affected owners of facilities, OCS 
facilities, or vessels, we estimate that 3,180 small entities (91 
percent) may be affected, including small businesses, small not-for-
profit organizations, and small Governments. Because this analysis 
assumes all owners for which NAICS codes, employment, or revenue 
information is unmatched in D&B Hoovers are small entities, the 
projected number of affected small entities may be overestimated.
Costs Relative to Revenues
    This discussion compares the cost of the proposed changes per 
facility and vessel owner with annual revenues of affected small 
entities. Revenue information is obtained from D&B Hoovers for small 
businesses and small not-for-profit organizations. For small 
Governments, we use the 2021 State and Local Government Finance 
Historical Datasets and Tables available through the U.S. Census.\139\ 
We assume that the findings of this analysis are indicative of the 
impacts on entities for which revenue information is not readily 
available.
---------------------------------------------------------------------------

    \139\ Data downloaded on July 14, 2023, from https://www.census.gov/data/datasets/2021/econ/local/public-use-datasets.html, accessed July 21, 2023.
---------------------------------------------------------------------------

    The RFA does not define a ``significant effect'' in quantitative 
terms. In its guidance to agencies on how to comply with the RFA, the 
SBA states, ``[i]n the absence of statutory specificity, what is 
`significant' will vary depending on the economics of the industry or 
sector to be regulated. The agency is in the best position to gauge the 
small entity impacts of its regulation.'' \140\ One of the measures SBA 
uses to illustrate whether an impact could be significant, is to 
determine whether the cost per entity exceeds 1 percent of the gross 
revenues.\141\ Therefore, this analysis considers the 1 percent 
threshold when analyzing these potential impacts.
---------------------------------------------------------------------------

    \140\ U.S. Small Business Administration (SBA). 2017. A Guide 
for Government Agencies: How to Comply with the Regulatory 
Flexibility Act. Available at https://advocacy.sba.gov/2017/08/31/a-guide-for-government-agencies-how-to-comply-with-the-regulatory-flexibility-act/, page 18, accessed July 21, 2023.
    \141\ Id. Page 19.
---------------------------------------------------------------------------

Facility and OCS Facility Owners
    Assuming that an owner or operator would need to implement each of 
the provisions required by this proposed rule, Coast Guard estimates 
that the highest single-year costs would be incurred in year 2 of the 
analysis period. We estimate the year 2 cost is $37,667 for an owner or 
operator with one facility or OCS facility. Each additional facility or 
OCS facility owned or operated would increase the estimated annual 
costs by the cost of an additional Cybersecurity Plan, since each 
facility or OCS facility will require an individual Cybersecurity Plan. 
For example, consider an entity that owns 4 facilities. The estimated 
cost to that entity in year 2 is calculated as follows: $37,667 + (3 x 
$8,414) = $62,909. Table 55 provides a breakdown of the costs per owner 
or operator of one facility or OCS facility. The text that follows 
provides more detail on these cost calculations.

[[Page 13496]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.065

    To estimate the cost for an individual owner or operator of a 
facility or OCS facility to develop, resubmit, conduct annual 
maintenance, and audit the Cybersecurity Plan, we use estimates 
provided earlier in the analysis. The hour-burden estimates are 100 
hours to develop the Cybersecurity Plan (average hour burden), 10 hours 
to conduct annual maintenance of the Cybersecurity Plan (which would 
include amendments), 15 hours to renew Cybersecurity Plans every 5 
years, and 40 hours to conduct annual audits of Cybersecurity Plans. 
Based on

[[Page 13497]]

estimates from the Coast Guard's FSP and OCS FSP reviewers at local 
inspections offices, approximately 10 percent of Plans would need to be 
revised and resubmitted in the second year, which is consistent with 
the current resubmission rate for FSPs and OCS FSPs.
    For renewals of Plans after 5 years (occurring in the seventh year 
of the analysis period), Plans would need to be further revised and 
resubmitted in approximately 10 percent of cases as well. However, in 
this portion of the analysis, we estimate costs as though the owner or 
operator will need to revise and resubmit their Plans in all cases 
resulting in a conservative (upper-bound) estimate of per-entity costs. 
We estimate the time for revision and resubmission to be about half the 
time to develop the Plan itself, or 50 hours in the second year of 
submission, and 7.5 hours after 5 years (in the seventh year of the 
analysis period). Because we include the annual Cybersecurity 
Assessment in the cost to develop Cybersecurity Plans, and we do not 
assume that owners and operators will wait until the second year of 
analysis to begin developing the Cybersecurity Plan or implementing 
related cybersecurity measures, we divide the estimated 100 hours to 
develop Plans equally across the first and second years of analysis. 
Using the CySO loaded hourly CySO wage of $84.14, we estimate the 
Cybersecurity Plan related costs by adding the total number of hours to 
develop, resubmit, maintain, and audit each year and multiplying by the 
CySO wage. For example, we estimate owners would incur $8,414 in costs 
in year 2 of the analysis period [1 facility x $84.14 CySO wage x (50 
hours to develop the Plan + 50 hours to revise and resubmit the Plan) = 
$8,414]. Table 56 displays the per-entity cost estimates for an owner 
or operator of one facility over a 10-year period of analysis. For an 
owner or operator with multiple facilities or OCS facilities, we 
estimate the total costs by multiplying the estimates in table 56 by 
the number of owned facilities.
[GRAPHIC] [TIFF OMITTED] TP22FE24.066

    Similarly, we use earlier estimates for the calculation of per-
entity costs for drills and exercises, implementing account security 
measures, implementing multifactor authentication, cybersecurity 
training, penetration testing, vulnerability management, and 
resilience.
    For drills and exercises, we assume that a CySO on behalf of each 
owner and operator of a facility or OCS facility will develop 
cybersecurity components to add to existing physical security drills 
and exercises. This development is expected to take 0.5 hours for each 
of the 4 annual drills and 8 hours for an annual exercise. Using the 
loaded hourly wage for a CySO of $84.14, we estimate annual costs of 
approximately $841 per owner or operator of a facility or OCS facility 
[$84.14 CySO wage x ((0.5 hours x 4 drills) + (8 hours x 1 exercise)) = 
$841], as seen in table 55.
    For account security measures, we assume that a database 
administrator on behalf of each owner or operator will spend 8 hours 
each year implementing and managing account security. Using the loaded 
hourly wage for a database administrator of $71.96, we estimate annual 
costs of approximately $576 ($71.96 database administrator wage x 8 
hours = $576), as seen in table 55.
    For multifactor authentication, we assume that an owner or operator 
of a facility or OCS facility will spend $9,000 in the initial year on 
average to implement a multifactor authentication system and spend 
approximately $150 per employee annually for system maintenance and 
support. Therefore, we estimate first year costs of approximately 
$20,100 [$9,000 implementation cost + ($150 support and maintenance 
costs x 74 average facility company employees)], and subsequent year 
costs of $11,100 ($150 support and maintenance costs x 74 average 
facility company employees), as seen in table 55.
    For cybersecurity training, we assume that a CySO at a facility or 
OCS facility will take 2 hours each year to develop and manage 
cybersecurity training for

[[Page 13498]]

employees, and employees at a facility or OCS facility will take 1 hour 
to complete the training each year. Using the estimated CySO wage of 
$84.14 and the estimated employee wages at a facility or OCS facility 
of $60.34, we estimate annual training costs of approximately $4,633 
[($84.14 x 2 hours) + ($60.34 x 74 facility company employees x 1 
hour)], as seen in table 55.
    For penetration testing, we estimate costs only in the second and 
seventh years of analysis since tests are required to be performed in 
conjunction with submitting and renewing the Cybersecurity Plan. We 
assume that owners and operators of facilities or OCS facilities will 
spend approximately $5,000 per penetration test and an additional $50 
per IP address at the organization to capture network complexity. We 
use the total number of company employees as a proxy for the number of 
IP addresses, since the Coast Guard does not have data on IP addresses 
or the network complexity at a given company. As a result, we estimate 
second- and seventh-year costs of approximately $8,700 [$5,000 testing 
cost + ($50 x 74 employees)], as seen in table 55.
    For vulnerability management, we assume that each facility or OCS 
facility will need to secure a vulnerability scanning program or 
software. Because vulnerability scans can occur in the background, we 
do not assume an additional hour burden associated with implementing or 
using a vulnerability scanner each year. Using the annual subscription 
cost of an industry leading vulnerability scanning software, we 
estimate annual costs of approximately $3,390, as seen in table 55.
    Finally, for resilience, we assume that each owner or operator of a 
facility or OCS facility will need to make at least one cybersecurity 
incident report per year. While this is incongruent with historical 
data that shows the entire affected population of facilities and OCS 
facilities reports only 18 cybersecurity incidents per year, we are 
attempting to capture a complete estimate of what the costs of this 
proposed rule could be for an affected entity. As such, we estimate 
that a CySO will need to take 0.15 hours to report a cybersecurity 
incident to the NRC, leading to annual per entity costs of 
approximately $13 ($84.14 CySO wage x 0.15 hours), as seen in table 55.
    As demonstrated in table 55, affected entities are expected to 
incur the highest costs in year 2 of this proposed rule. This analysis 
estimates the cost of this proposed rule in year 2 per affected small 
entity, using the information presented in table 55 and adjusting for 
the number of facilities and OCS facilities owned by the entity as 
recorded in MISLE. Among all 1,547 presumed small entities (see table 
53), 833 owners (54 percent) are associated with one facility ($37,667 
cost in year 2), and the average small entity owns approximately 2 
facilities ($45,609 cost in year 2). The small entity with the highest 
projected cost owns 37 facilities ($340,571 cost in year 2).
    Table 57 compares the estimated year 2 costs specific to each 
entity with the annual revenues of 416 small entities in our sample of 
affected facilities for which revenue information is provided in D&B 
Hoovers.\142\ As shown, approximately 55 percent of small entities may 
incur costs that meet or exceed 1 percent of annual revenue in the 
second year of the rule [(61 + 168) / 416 = 55 percent]. The small 
entity with the highest ratio cost-to-revenue ratio is projected to 
incur costs of 158 percent of its reported annual revenue.
---------------------------------------------------------------------------

    \142\ Sales information is not available for 209 of the 
identified small businesses and small not-for-profit organizations 
with matched profiles in D&B Hoovers (33 percent of the 625 total 
matched small businesses and small not-for-profit organizations). 
This analysis does not identify small Governments among the set of 
owners with matched profiles in D&B Hoovers.
[GRAPHIC] [TIFF OMITTED] TP22FE24.067


[[Page 13499]]


Vessel Owners
    The costs to owners and operators of U.S.-flagged vessels differ 
from the costs to owners and operators of facilities and OCS facilities 
and are more heavily influenced by the number of vessels owned. Table 
58 presents the estimated fixed costs per entity regardless of the 
number of vessels owned and vessel type, equivalent to $10,877 per year 
on average across the first 10 years of implementing the provisions in 
this proposed rule. The data and assumptions underlying these estimates 
are provided later in this section.

[[Page 13500]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.068

    Several other categories of costs are dependent on the type and 
number of vessels owned by each entity. These costs are calibrated to 
the average number of employees by vessel type as well as a unique 
weighted hourly wage

[[Page 13501]]

based on the personnel employed on the vessels.\143\ Table 59 displays 
the average number of employees for each vessel type, including 
shoreside employees, and their unique weighted mean hourly wages. Table 
60, which follows, displays the variable per-vessel costs associated 
with each type of vessel. To calculate the total estimated cost per 
entity in the population of U.S.-flagged vessels, we add the annual 
estimated costs per vessel and per vessel type from table 60 based on 
the number and types of vessels owned observed in MISLE to the fixed 
costs presented in table 58. For example, consider an entity that owns 
two passenger vessels subject to subchapter H. The estimated cost to 
that entity in year 2 is calculated as follows: (2 x $20,557) + $16,719 
= $57,833.
---------------------------------------------------------------------------

    \143\ The average per-vessel employee counts were taken from 
manning requirements in the certificates of inspection in MISLE. We 
averaged the mariner counts listed for each vessel within a 
subpopulation of vessels, then applied a 1.33 shoreside employee 
modifier to account for non-mariner employees. The calculation of 
wage rates across vessel types are described in ``Appendix A: Wages 
Across Vessel Types.''
    \144\ When adding these costs to the fixed costs for owners and 
operators, only add the estimated penetration testing costs in years 
2 and 7.
[GRAPHIC] [TIFF OMITTED] TP22FE24.069

[GRAPHIC] [TIFF OMITTED] TP22FE24.070


[[Page 13502]]


    To estimate the cost for an owner or operator of a U.S.-flagged 
vessel to develop, resubmit, conduct annual maintenance, and audit the 
Cybersecurity Plan, we use estimates provided earlier in the analysis. 
The hour-burden estimates are 80 hours for developing the Cybersecurity 
Plan (average hour burden), 8 hours for conducting annual maintenance 
of the Cybersecurity Plan (which would include amendments), 12 hours to 
renew Cybersecurity Plans every 5 years, and 40 hours to conduct annual 
audits of Cybersecurity Plans. Based on estimates from Coast Guard VSP 
reviewers at MSC, approximately 10 percent of Plans would need to be 
resubmitted in the second year due to necessary revisions, which is 
consistent with the current resubmission rate for VSPs.
    For renewing Cybersecurity Plans after 5 years (occurring in the 
seventh year of the analysis period), Plans would need to be further 
revised and resubmitted in approximately 10 percent of cases as well. 
However, in this portion of the analysis, we estimate costs as though 
the owner or operator will need to revise and resubmit their Plans in 
all cases resulting in a conservative (upper-bound) estimate of per-
entity costs. We estimate the time for revision and resubmission to be 
about half the time to develop the Plan itself, or 40 hours in the 
second year of submission, and 6 hours after 5 years (in the seventh 
year of the analysis period).
    Because we include the annual Cybersecurity Assessment in the cost 
to develop Cybersecurity Plans, and we do not assume that owners and 
operators will wait until the second year of analysis to begin 
developing the Cybersecurity Plan or implementing related cybersecurity 
measures, we divide the estimated 80 hours to develop plans equally 
across the first and second years of analysis. Using the loaded hourly 
CySO wage of $84.14, we estimate the Cybersecurity Plan-related costs 
by adding the total number of hours to develop, resubmit, maintain, and 
audit the Plan each year and multiplying that figure by the CySO wage. 
For example, we estimate owners and operators would incur approximately 
$6,731 in costs in year 2 of the analysis period [$84.14 CySO wage x 
(40 hours to develop the plan + 40 hours to revise and resubmit the 
Plan) = $6,731]. See table 61.
[GRAPHIC] [TIFF OMITTED] TP22FE24.071

    For drills and exercises, we assume that a CySO on behalf of each 
owner and operator of a vessel will develop cybersecurity components to 
add to existing physical security drills and exercises. This 
development is expected to take 0.5 hours for each of the 4 annual 
drills and 8 hours for an annual exercise. Using the loaded hourly wage 
for a CySO of $84.14, we estimate annual costs of approximately $841 
per vessel owner or operator [$84.14 CySO wage x ((0.5 hours x 4 
drills) + (8 hours x 1 exercise)) = $841], as seen in table 58.
    For account security measures, we assume that a database 
administrator on behalf of each owner or operator of a vessel will 
spend 8 hours each year implementing and managing account security. 
Using the loaded hourly wage for a database administrator of $71.96, we 
estimate annual costs of approximately $576 ($71.96 database 
administrator wage x 8 hours = $576), as seen in table 58.
    For multifactor authentication, we assume that a vessel owner or 
operator will spend $9,000 in the initial year on average to implement 
a multifactor authentication system and spend approximately $150 per 
employee annually for system maintenance and support. Therefore, we 
estimate first-year fixed costs of approximately $9,000 for all owners 
and operators, with annual costs in years 2 through 10 dependent on the 
number of employees for each type of vessel. For example, we estimate 
the first-year costs to an owner or operator of one OSV to be 
approximately $11,400 [$9,000 implementation cost + ($150 support and 
maintenance costs x 16 average employees per OSV)], and subsequent

[[Page 13503]]

year costs of $2,400 ($150 support and maintenance costs x 16 average 
employees per OSV). Fixed per-entity implementation costs of $9,000 can 
be found in table 58 and variable per-vessel costs can be found in 
table 60.
    For cybersecurity training, we assume that a CySO for each owner or 
operator of a vessel will take 2 hours each year to develop and manage 
employee cybersecurity training, and vessel employees will take 1 hour 
to complete the training each year. The per employee costs associated 
with training vary depending on the types and number of vessels and 
would be based on the average number of employees per vessel and the 
associated weighted hourly wage. For example, using the estimated CySO 
wage of $84.14 and the estimated OSV employee wage of $54.91, we 
estimate annual training costs of approximately $1,047 [($84.14 x 2 
hours) + ($54.91 x 16 average employees per OSV x 1 hour)]. Fixed per-
entity costs of $168 can be found in table 58 and variable per-vessel 
costs can be found in table 60.
    For penetration testing, we estimate costs only in the second and 
seventh years of analysis since tests are required to be performed in 
conjunction with submitting and renewing the Cybersecurity Plan. We 
assume that owners and operators of vessels will spend approximately 
$5,000 per penetration test and an additional $50 per IP address at the 
organization to capture network complexity. We use the average number 
of employees per vessel as a proxy for the number of IP addresses, 
since the Coast Guard does not have data on IP addresses or the network 
complexity at a given company. As a result, we estimate second- and 
seventh-year costs as follows: [$5,000 testing cost + ($50 x average 
number of employees per vessel)]. For example, we estimate second- and 
seventh-year cost of approximately $5,800 for an owner or operator of 
an OSV [$5,000 testing cost + ($50 x 16 average number of employees per 
OSV)]. Fixed per-entity costs of $5,000 can be found in table 58 and 
variable per-vessel costs can be found in table 60.
    For vulnerability management, we assume that each owner or operator 
of a U.S.-flagged vessel will need to secure a vulnerability scanning 
program or software. Because vulnerability scans can occur in the 
background, we do not assume an additional hour burden associated with 
the implementation or use of a vulnerability scanner each year. Using 
the annual subscription cost of an industry leading vulnerability 
scanning software, we estimate annual costs of approximately $3,390, as 
seen in table 58.
    Finally, for resilience, we assume that each owner or operator of a 
U.S.-flagged vessel will need to make at least one cybersecurity 
incident report per year. While this is incongruent with historical 
data that shows the entire affected population of vessels only reports 
two cybersecurity incidents per year on average, we are attempting to 
capture a complete estimate of what the costs of this proposed rule 
could be for an affected entity. As such, we estimate that a CySO will 
need to take 0.15 hours a year to report a cybersecurity incident to 
the NRC, leading to annual per-entity costs of approximately $13 
($84.14 CySO wage x 0.15 hours), as seen in table 58.
    This analysis calculates vessel owner-specific annual compliance 
costs based on the type and number of vessels associated with each 
small entity as identified in MISLE. For the small entities that own 
only barges, there are no variable costs per vessel, and we assume that 
they will only incur per-company costs related to the Cybersecurity 
Plan and developing drills and exercises, meaning the greatest per-
owner costs would occur in year 2. Our analysis identifies 161 small 
entities that fall into this category and presumes this proposed rule 
will cost these entities $7,572 each in year 2 ($6,731 Cybersecurity 
Plan-related costs + $841 drills and exercises costs). For all other 
small entities that own vessels, the costs include a per-owner 
component as well as per-vessel costs that vary by vessel type, and the 
highest total annual costs per owner would also occur in year 2. Among 
the 1,472 small entities in this category, 770 owners (52 percent) are 
associated with 1 vessel (with an average cost of $23,271 in year 2). 
The average small entity owns 5 vessels (with an average cost of 
$32,850 in year 2), while the small entity with the highest projected 
costs owns 359 vessels (with a cost of $148,588 in year 2).\145\
---------------------------------------------------------------------------

    \145\ Values may not directly align with the incremental cost 
analysis due to rounding.
---------------------------------------------------------------------------

    Table 62 compares the entity-specific costs in year 2 with the 
greatest costs with the annual revenues of 793 small entities in our 
sample of affected facilities for which revenue information is provided 
in D&B Hoovers (for small businesses and small not-for-profit 
organizations) or the 2021 State and Local Government Finance 
Historical Datasets and Tables available through the U.S. Census (for 
small Governments).\146\ As shown, 59 percent of small entities may 
incur costs that meet or exceed 1 percent of annual revenue in the 
second year of the rule [(167 + 298) / 793 = 59 percent]. The small 
entity with the highest cost-to-revenue ratio is projected to incur 
costs of 146 percent of its reported annual revenue.
---------------------------------------------------------------------------

    \146\ Sales information is not available for 71 of the 
identified small businesses and small not-for-profit organizations 
with matched profiles in D&B Hoovers (8 percent of the 864 total 
matched small entities).

---------------------------------------------------------------------------

[[Page 13504]]

[GRAPHIC] [TIFF OMITTED] TP22FE24.072

Summary
    This IRFA characterizes the revenue impacts on small entities by 
projecting costs for each affected owner specific to the number and 
type of U.S.-flagged vessels as well as the number of facilities or OCS 
facilities owned according to data from the Coast Guard. There are two 
reasons the estimated compliance costs, and, therefore, the impacts on 
small entities, are likely to be overestimated. First, the approach we 
took to estimate costs assumes that all owners will incur costs 
associated with all provisions required in this proposed rule. However, 
it is highly likely that many affected owners already have invested in 
some of the cybersecurity measures before the publication of this 
proposed rule. Data available to the Coast Guard demonstrate this is 
the case for many facility and OCS facility owners, although whether 
those facility owners are small entities is uncertain.\147\ Second, 
some affected owners are unlikely to have IT or OT systems to which 
this proposed rule will apply. Those owners will incur only the costs 
associated with requesting a waiver or equivalence, which are likely to 
be far less than the costs described in this section.
---------------------------------------------------------------------------

    \147\ See footnote 69.
---------------------------------------------------------------------------

    4. A description of the projected reporting, recordkeeping, and 
other compliance requirements of the proposed rule, including an 
estimate of the classes of small entities which will be subject to the 
requirement and the type of professional skills necessary for 
preparation of the report or record.
    This proposed rule would call for a new collection of information 
under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501-3520. As 
defined in 5 CFR 1320.3(c), ``collection of information'' comprises 
reporting, recordkeeping, monitoring, posting, labeling, and other 
similar actions. Section VI.D., Collection of Information, describes 
the title and description of the information collection, a description 
of those who must collect the information, and an estimate of the total 
annual burden. For a description of all other compliance requirements 
and their associated estimated costs, please see the preceding analysis 
of the per-entity costs of this proposed rule.
    5. An identification, to the extent practicable, of all relevant 
Federal rules which may duplicate, overlap or conflict with the 
proposed rule.
    The Coast Guard has identified two primary areas of overlap with 
this proposed rule. First, under proposed Sec.  101.645, the Coast 
Guard would require the CySO to maintain an effective means of 
communication to convey changes in cybersecurity conditions to the 
personnel of the U.S.-flagged vessel, facility, or OCS facility. The 
communication systems and procedures would need to allow for effective 
and continuous communications between security personnel at a vessel, 
facility, or OCS facility, vessels interfacing with a facility or an 
OCS facility, the cognizant COTP, and national and local authorities 
with security responsibilities. While these requirements would require 
the CySO to maintain means to specifically maintain communications 
regarding cybersecurity conditions, the Coast Guard believes there may 
be significant overlap with communication requirements for physical 
security established in 33 CFR 105.235 for facilities, 106.240 for OCS 
facilities, and 104.245 for vessels. Accordingly, we do not estimate 
additional costs related to these communications systems, but we 
request public comment on this assumption and if this new 
cybersecurity-specific requirement would create additional burden.
    Second, under proposed Sec.  101.650(i), the Coast Guard would 
require affected owners or operators to limit physical access to OT and 
related IT equipment to only authorized personnel and confirm that all 
HMIs and other hardware are secured, monitored, and logged for 
personnel access, with access granted on a by-exception basis. While 
these requirements are specific to the physical security of IT and OT 
systems, there is some overlap with physical security requirements 
established in Sec. Sec.  104.265 and 104.270 for vessels, Sec. Sec.  
105.255 and 105.260 for facilities, and Sec. Sec.  106.260 and 106.265 
for OCS facilities under which areas containing IT and OT systems 
should be designated restricted areas. Accordingly, we do not estimate 
additional costs related to these requirements but request public 
comment on this assumption and if these new cybersecurity-specific 
requirements would create additional burdens.
    6. A description of any significant alternatives to the proposed 
rule which

[[Page 13505]]

accomplish the stated objectives of applicable statutes and which 
minimize any significant economic impact of the rule on small entities.
    The purpose of this proposed rule is to safeguard the MTS against 
current and emerging threats associated with cybersecurity by adding 
minimum cybersecurity requirements to 33 CFR part 101. However, rather 
than making these requirements prescriptive, the Coast Guard is 
choosing to propose minimum performance-based cybersecurity 
requirements for the MTS. Like the existing requirements in 33 CFR 
parts 104, 105 and 106, the Coast Guard would allow owners and 
operators the flexibility to determine the best way to implement and 
comply with these new requirements. This means that, while the Coast 
Guard may require the implementation of a multifactor authentication 
system, for example, it is up to the discretion of the impacted owner 
or operator to determine what shape or form that system may take, and 
how many resources should be expended to implement it. As a result, 
many of the cost estimates in this RIA and small entities analysis 
represent conservative (upper-bound) estimates as we attempt to capture 
costs for a wide range of affected owners and operators. Further, the 
Coast Guard proposes to make waivers and equivalencies available to 
affected owners and operators who feel they are unable to meet the 
requirements of this proposed rule, offering additional flexibility to 
small entities that are not able to meet the full requirements.
    The Coast Guard also considered an alternative that would make the 
penetration testing requirements of this proposed rule optional for 
small entities. Given the nature of penetration testing, it can often 
come with a high cost, particularly for small entities with limited 
resources. Leaving the penetration testing requirements up to owner 
discretion could allow small entities in the affected population to 
prioritize different cybersecurity measures that may make more sense 
for their organization. The decision to undertake penetration testing 
could be made as a result of thorough risk assessments for each 
organization, considering its operational environments, risk profile, 
and pertinent threats. Under this alternative, an owner or operator, or 
a CySO on their behalf, could determine when a penetration test is 
warranted, if at all.
    Because penetration testing would be optional, this could 
hypothetically reduce costs for owners and operators for penetration 
testing down to zero, meaning an estimated cost reduction of $8,700 in 
the second and seventh years of analysis for an owner or operator of 
facilities and OCS facilities. It would also lead to estimated cost 
reductions in the second and seventh years of $23,600 ($5,000 + 
$18,600) for owners and operators of MODUs, $9,100 ($5,000 + $4,100) 
for owners and operators of vessels under subchapter I, $5,800 ($5,000 
+ $800) for owners and operators of OSVs, $9,250 ($5,000 + $4,250) for 
owners and operators of passenger vessels under subchapter H, $6,750 
($5,000 + $1,750) for owners and operators of passenger vessels under 
subchapter K, $5,650 ($5,000 + $650) for owners and operators of towing 
vessels under subchapter M, $7,000 ($5,000 + $2,000) for owners and 
operators of tank vessels under subchapter D and a combination of 
subchapters O&D, and $6,350 ($5,000 + $1,350) for owners and operators 
of international passenger vessels under subchapters K and T. The 
estimated cost reductions could be higher if ownership of multiple 
vessels is considered.
    Despite the potential for minimizing economic impacts, however, the 
value of penetration testing for most organizations, including small 
entities, cannot be overstated. When integrated into a comprehensive 
cybersecurity strategy, penetration testing can be very effective in 
identifying vulnerabilities. By fostering a proactive rather than 
reactive approach in cybersecurity, penetration testing enables 
organizations to stay ahead of potential threats and better understand 
how malicious actors could exploit weaknesses in IT and OT systems. 
This is particularly crucial given the quickly evolving landscape of 
cyber threats. In addition, because the costs of a potential cyber 
incident are so high, the Coast Guard must prioritize some level of 
oversight on provisions that could lessen the risk of a cyber incident. 
Therefore, we rejected this alternative despite the potential cost 
reductions.
    It should be noted, however, that according to proposed Sec.  
101.665, owners and operators of facilities, OCS facilities, and U.S.-
flagged vessels can seek a waiver or an equivalence determination if 
they are unable to meet any proposed requirements, penetration testing 
included. The Coast Guard requests public comment on the alternative 
presented here, as well as any other alternatives or options related to 
the proposed provisions that would alleviate impacts on affected small 
entities.
Conclusion
    The Coast Guard is interested in the potential impacts from this 
proposed rule on small entities (businesses and Governments), and we 
request public comment on these potential impacts. If you think that 
this proposed rule will have a significant economic impact on you, your 
business, or your organization, please submit a comment to the docket 
at the address under ADDRESSES in this proposed rule. In your comment, 
explain why, how, and to what degree you think this proposed rule would 
have an economic impact on you.

C. Assistance for Small Entities

    Under section 213(a) of the Small Business Regulatory Enforcement 
Fairness Act of 1996, Public Law 104-121, we want to assist small 
entities in understanding this proposed rule so that they can better 
evaluate its effects on them and participate in the rulemaking. If the 
proposed rule would affect your small business, organization, or 
governmental jurisdiction and you have questions concerning its 
provisions or options for compliance, please call or email the person 
in the FOR FURTHER INFORMATION CONTACT section of this proposed rule. 
The Coast Guard will not retaliate against small entities that question 
or complain about this proposed rule or any policy or action of the 
Coast Guard.
    Small businesses may send comments on the actions of Federal 
employees who enforce, or otherwise determine compliance with, Federal 
regulations to the Small Business and Agriculture Regulatory 
Enforcement Ombudsman and the Regional Small Business Regulatory 
Fairness Boards. The Ombudsman evaluates these actions annually and 
rates each agency's responsiveness to small business. If you wish to 
comment on actions by employees of the Coast Guard, call 1-888-REG-FAIR 
(1-888-734-3247).

D. Collection of Information

    This proposed rule would call for a new collection of information 
under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501-3520. As 
defined in 5 CFR 1320.3(c), ``collection of information'' comprises 
reporting, recordkeeping, monitoring, posting, labeling, and other 
similar actions. The title and description of the information 
collection, a description of those who must collect the information, 
and an estimate of the total annual burden follow. The estimate covers 
the time for reviewing instructions, searching existing sources of 
data, gathering, and maintaining the data needed, and completing and 
reviewing the collection.
    Title: Cybersecurity Plans.

[[Page 13506]]

    OMB Control Number: 1625-new.
    Summary of Collection of Information: This collection of 
information would be new. The Coast Guard would collect information 
from the owners and operators of vessels, facilities, and OCS 
facilities under 33 CFR part 101, subpart F. The information collection 
would be for the submission of Cybersecurity Plans, amendments to 
Cybersecurity Plans, and cyber incident reports proposed in 33 CFR 
101.650.
    Need for Information: The Coast Guard would be creating new 
cybersecurity requirements for vessel and facility owners and operators 
to mitigate or prevent a cyber incident from occurring. The information 
we would request from industry would be from (1) the development of 
Cybersecurity Plans, which would include details on implemented drills 
and exercise, training, and various cybersecurity measures in Sec.  
101.650 that might safeguard critical IT and OT systems from cyber 
incidents; (2) amendments to Cybersecurity Plans; and (3) reporting 
cyber incidents to the NRC.
    Proposed Use of Information: The Coast Guard would use this 
information to determine if vessel and facility owners and operators 
have cybersecurity measures in place and to ensure that owners and 
operators are conducting periodic reviews of plans and testing their IT 
and OT systems for adequacy. Additionally, the Coast Guard would ensure 
vessel and facility owners and operators are reporting cyber incidents 
to the Coast Guard.
    Description of the Respondents: The respondents are owners and 
operators of U.S.-flagged vessels, U.S. facilities, and OCS facilities.
    Number of Respondents: The number of respondents would be about 
1,775 U.S.-flagged vessel owners and operators and about 1,708 facility 
and OCS facility owners and operators. We assume that a CySO would be 
responsible for the reporting and recordkeeping requirements of the 
proposed rule on behalf of each owner and operator.
    Frequency of Response: The number of responses to this proposed 
rule would vary annually.
    Burden of Response: The burden of response would vary for each 
regulatory requirement.
    Estimate of Total Annual Burden: The estimate of annual burden 
varies based on the year of analysis. For the initial year of analysis, 
the hour burden for Cybersecurity Plan activities and cyber incident 
reporting would be about 241,553 hours across the affected population. 
This is derived from the development of 3,411 facility and OCS facility 
Cybersecurity Plans for 50 hours each, 1,775 vessel Cybersecurity Plans 
for 40 hours each, and 20 cyber incidents being reported for 0.15 hours 
each [(3,411 x 50) + (1,775 x 40) + (20 x 0.15)].
    For the second year of analysis, the hour burden for Cybersecurity 
Plan activities and cyber incident reporting would be about 265,723 
hours across the affected population. The second year of analysis 
represents the highest estimated hour burden for all years of analysis. 
This is derived from the development of 3,411 facility and OCS facility 
Cybersecurity Plans for 50 hours each, 341 facility and OCS facility 
Cybersecurity Plans being revised and resubmitted for an additional 50 
hours, 1,775 vessel Cybersecurity Plans for 40 hours each, 178 vessel 
Cybersecurity Plans being revised and resubmitted for an additional 40 
hours, and 20 cyber incidents being reported for 0.15 hours each 
[(3,411 x 50) + (341 x 50) + (1,775 x 40) + (178 x 40) + (20 x 0.15)].
    For the third through the sixth years of analysis, and the eighth 
through the tenth years of analysis, when Cybersecurity Plans are being 
maintained and amendments are being developed, the hour burden for 
Cybersecurity Plan activities and cyber incident reporting would be 
about 48,313 hours across the affected population. This is derived from 
the maintenance and amendment of 3,411 facility and OCS facility 
Cybersecurity Plans for 10 hours each, the maintenance and amendment of 
1,775 vessel Cybersecurity Plans for 8 hours each, and 20 cyber 
incidents being reported for 0.15 hours each [(3,411 x 10) + (1,775 x 
8) + (20 x 0.15)].
    For the seventh year of analysis, when Cybersecurity Plans are 
renewed, the hour burden for Cybersecurity Plan activities and cyber 
incident reporting would be about 76,094 hours across the affected 
population. This is derived from the renewal of 3,411 facility and OCS 
facility Cybersecurity Plans for 15 hours each, 341 facility and OCS 
facility Cybersecurity Plans being revised and resubmitted for an 
additional 7.5 hours, 1,775 vessel Cybersecurity Plans being renewed 
for 12 hours each, 178 vessel Cybersecurity Plans being revised and 
resubmitted for an additional 6 hours, and 20 cyber incidents being 
reported for 0.15 hours each [(3,411 x 15) + (341 x 7.5) + (1,775 x 12) 
+ (178 x 6) + (20 x 0.15)].
    This leads to an annualized hour burden total of 92,156 hours over 
the 10-year period of analysis.
    As required by 44 U.S.C. 3507(d), we will submit a copy of this 
proposed rule to OMB for its review of the collection of information.
    We ask for public comment on the proposed collection of information 
to help us determine, among other things--
     How useful the information is;
     Whether the information can help us perform our functions 
better;
     How we can improve the quality, usefulness, and clarity of 
the information;
     Whether the information is readily available elsewhere;
     How accurate our estimate is of the burden of collection;
     How valid our methods are for determining the burden of 
collection; and
     How we can minimize the burden of collection.
    If you submit comments on the collection of information, submit 
them to both the OMB and to the docket indicated under ADDRESSES.
    You need not respond to a collection of information unless it 
displays a currently valid control number from OMB. Before the Coast 
Guard could enforce the collection of information requirements in this 
proposed rule, OMB would need to approve the Coast Guard's request to 
collect this information.

E. Federalism

    A rule has implications for federalism under Executive Order 13132 
(Federalism) if it has a substantial direct effect on States, on the 
relationship between the National Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
Government. We have analyzed this proposed rule under Executive Order 
13132 and have determined that it is consistent with the fundamental 
federalism principles and preemption requirements described in 
Executive Order 13132. Our analysis follows.
    It is well settled that States may not regulate in categories 
reserved for regulation by the Coast Guard and that all categories 
covered in 46 U.S.C. 3306, 3703, 7101, and 8101 (design, construction, 
alteration, repair, maintenance, operation, equipping, personnel 
qualification, and manning of vessels), as well as the reporting of 
casualties and any other category in which Congress intended the Coast 
Guard to be the sole source of a vessel's obligations, are within the 
field foreclosed from regulation by the States. See United States v. 
Locke, 529 U.S. 89 (2000). This proposed rule would

[[Page 13507]]

expand maritime security requirements under MTSA to expressly address 
current and emerging cybersecurity risks and safeguard the MTS. In 
enacting MTSA, Congress articulated a need to address port security 
threats around the United States while preserving the free flow of 
interstate and foreign commerce. MTSA's mandatory, comprehensive 
maritime security regime, founded on this stated interest of 
facilitating interstate and international maritime commerce, indicates 
that States and local governments are generally foreclosed from 
regulating in this field. Particularly with respect to vessels subject 
to this new subpart F, the Coast Guard's above noted comprehensive law 
and regulations would preclude State and local laws. OCS facilities, 
which do not generally fall under any State or local jurisdiction, are 
principally subject to federal law and regulation.
    Notwithstanding MTSA's general preemptive effect, States and local 
governments have traditionally shared certain regulatory jurisdiction 
with the Federal Government over waterfront facilities. Accordingly, 
current MTSA regulations make clear that the maritime facility security 
requirements of 33 CFR part 105 only preempt State or local regulation 
when the two conflict.\148\ Similarly, the cybersecurity requirements 
of this proposed rule as they apply to a facility under 33 CFR part 105 
would only have preemptive effect over a State or local law or 
regulation insofar as the two actually conflict (meaning compliance 
with both requirements is impossible or the State or local requirement 
frustrates an overriding Federal need for uniformity). In the unlikely 
event that state or local government would claim jurisdiction over an 
OCS facility, the aforenoted conflict preemption principles would 
apply.
---------------------------------------------------------------------------

    \148\ 33 CFR 101.112(b).
---------------------------------------------------------------------------

    In light of the foregoing analysis, this proposed rule is 
consistent with the fundamental federalism principles and preemption 
requirements described in Executive Order 13132.
    While it is well settled that States may not regulate in categories 
in which Congress intended the Coast Guard to be the sole source of a 
vessel's obligations, the Coast Guard recognizes the key role that 
State and local governments may have in making regulatory 
determinations. Additionally, for rules with federalism implications 
and preemptive effect, Executive Order 13132 specifically directs 
agencies to consult with State and local governments during the 
rulemaking process. If you believe this proposed rule would have 
implications for federalism under Executive Order 13132, please call or 
email the person listed in the FOR FURTHER INFORMATION CONTACT section 
of this preamble.

F. Unfunded Mandates

    The Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1531-1538, 
requires Federal agencies to assess the effects of their discretionary 
regulatory actions. The Act addresses actions that may result in the 
expenditure by a State, local, or tribal government, in the aggregate, 
or by the private sector of $100 million (adjusted for inflation) or 
more in any one year.
    Upon adjusting for inflation, this proposed action would need to 
result in the expenditure of $177 million or more in any one year, in 
2022 dollars. To obtain this inflated value, we use the 2022 and 1995 
annual gross domestic product implicit price deflator values of 127.224 
and 71.823, respectively. We divide these values to obtain a factor of 
approximately 1.77, rounded (127.224 / 71.823 = 1.77).\149\ Multiplying 
this factor by the expenditure amount identified in the Unfunded 
Mandates Reform Act of 1995 gives us our expenditure amount adjusted 
for inflation (1.77 x 100,000,000 = 177,000,000). Because this proposed 
rule would result in the expenditure by the private sector of 
approximately $91,170,100 in undiscounted 2022 dollars in the most 
cost-heavy year, this proposed action would not require an assessment.
---------------------------------------------------------------------------

    \149\ We use the implicit price deflator for gross domestic 
product values from the Bureau of Economic Analysis National Income 
and Product Accounts interactive data tables. See https://apps.bea.gov/iTable/?reqid=19&step=3&isuri=1&1921=survey&1903=11#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJDYXRlZ29yaWVzIiwiU3VydmV5Il0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMyJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==, accessed 
July 13, 2023.
---------------------------------------------------------------------------

    Although this proposed rule would not result in such an 
expenditure, we do discuss the potential effects of this proposed rule 
elsewhere in this preamble. Additionally, many of the provisions 
proposed in this NPRM are intentionally designed to take owner or 
operator discretion into account, which could help reduce anticipated 
expenditures. While this proposed rule may require action related to a 
security measure (implementing multifactor authentication, for 
example), the method or policy used to achieve compliance with the 
provision is at the discretion of the impacted owner or operator. This 
NPRM also includes the option for waivers and equivalents, in Sec.  
101.665, for any affected party unable to meet the requirements of this 
proposed rule. These intentional flexibilities can help reduce expected 
costs for those in the affected population and allow for more tailored 
cybersecurity solutions.

G. Taking of Private Property

    This proposed rule would not cause a taking of private property or 
otherwise have taking implications under Executive Order 12630 
(Governmental Actions and Interference with Constitutionally Protected 
Property Rights).

H. Civil Justice Reform

    This proposed rule meets applicable standards in sections 3(a) and 
3(b)(2) of Executive Order 12988, (Civil Justice Reform), to minimize 
litigation, eliminate ambiguity, and reduce burden.

I. Protection of Children

    We have analyzed this proposed rule under Executive Order 13045 
(Protection of Children from Environmental Health Risks and Safety 
Risks). This proposed rule is not an economically significant rule and 
would not create an environmental risk to health or risk to safety that 
might disproportionately affect children.

J. Indian Tribal Governments

    This proposed rule does not have tribal implications under 
Executive Order 13175 (Consultation and Coordination with Indian Tribal 
Governments), because it would not have a substantial direct effect on 
one or more Indian tribes, on the relationship between the Federal 
Government and Indian tribes, or on the distribution of power and 
responsibilities between the Federal Government and Indian tribes.

K. Energy Effects

    We have analyzed this proposed rule under Executive Order 13211 
(Actions Concerning Regulations That Significantly Affect Energy 
Supply, Distribution, or Use). We have determined that it is not a 
``significant energy action'' under that order because although it is a 
``significant regulatory action'' under Executive Order 12866, it is 
not likely to have a significant adverse effect on the supply, 
distribution, or use of energy.

L. Technical Standards

    The National Technology Transfer and Advancement Act, codified as a 
note to 15 U.S.C. 272, directs agencies to use voluntary consensus 
standards in

[[Page 13508]]

their regulatory activities unless the agency provides Congress, 
through OMB, with an explanation of why using these standards would be 
inconsistent with applicable law or otherwise impractical. Voluntary 
consensus standards are technical standards (for example, 
specifications of materials, performance, design, or operation; test 
methods; sampling procedures; and related management systems practices) 
that are developed or adopted by voluntary consensus standards bodies.
    This proposed rule does not use technical standards. Therefore, we 
did not consider the use of voluntary consensus standards.

M. Environment

    We have analyzed this proposed rule under Department of Homeland 
Security Management Directive 023-01, Rev. 1, associated implementing 
instructions, and Environmental Planning COMDTINST 5090.1 (series), 
which guide the Coast Guard in complying with the National 
Environmental Policy Act of 1969 (42 U.S.C. 4321-4370f), and have made 
a preliminary determination that this action is one of a category of 
actions that do not individually or cumulatively have a significant 
effect on the human environment. A preliminary Record of Environmental 
Consideration supporting this determination is available in the docket. 
For instructions on locating the docket, see the ADDRESSES section of 
this preamble.
    This proposed rule would be categorically excluded under paragraphs 
A3 and L54 of Appendix A, Table 1 of DHS Instruction Manual 023-01-001-
01, Rev. 1. Paragraph A3 pertains to promulgation of rules, issuance of 
rulings or interpretations, and the development and publication of 
policies, orders, directives, notices, procedures, manuals, advisory 
circulars, and other guidance documents, notably those of a strictly 
administrative or procedural nature; and those that interpret or amend 
an existing regulation without changing its environmental effect. 
Paragraph L54 pertains to regulations that are editorial or procedural. 
This proposed rule involves establishing minimum cybersecurity 
requirements in Coast Guard regulations such as account security 
measures, device security measures, governance and training, risk 
management, supply chain management, resilience, network segmentation, 
reporting, and physical security. This proposed rule would promote the 
Coast Guard's maritime security mission by establishing measures to 
safeguard the MTS against emerging threats associated with 
cybersecurity. This proposed rule also would promote the Coast Guard's 
marine environmental protection mission by preventing or mitigating 
marine environmental damage that could ensue due to a cybersecurity 
incident. We seek any comments or information that may lead to the 
discovery of a significant environmental impact from this proposed 
rule.

List of Subjects in 33 CFR Part 101

    Harbors, Maritime security, Reporting and recordkeeping 
requirements, Security measures, Vessels, Waterways.

    For the reasons discussed in the preamble, the Coast Guard is 
proposing to amend 33 CFR part 101 as follows:

PART 101--MARITIME SECURITY: GENERAL

0
1. The authority citation for part 101 is revised to read as follows:

    Authority:  46 U.S.C. 70101-70104 and 70124; 43 U.S.C. 1333(d); 
Executive Order 12656, 3 CFR 1988 Comp., p. 585; 33 CFR 1.05-1, 
6.04-11, 6.14, 6.16, and 6.19; DHS Delegation No. 00170.1, Revision 
No. 01.3.

0
2. Amend part 101 by adding subpart F, consisting of Sec. Sec.  101.600 
through 101.670, to read as follows:

Subpart F--Cybersecurity

Sec.
101.600 Purpose.
101.605 Applicability.
101.610 Federalism.
101.615 Definitions.
101.620 Owner or Operator.
101.625 Cybersecurity Officer.
101.630 Cybersecurity Plan.
101.635 Drills and Exercises.
101.640 Records and Documentation.
101.645 Communications.
101.650 Cybersecurity Measures.
101.655 Cybersecurity Compliance Dates.
101.660 Cybersecurity Compliance Documentation.
101.665 Noncompliance, Waivers, and Equivalents.
101.670 Severability.


Sec.  101.600   Purpose.

    The purpose of this subpart is to set minimum cybersecurity 
requirements for vessels and facilities to safeguard and ensure the 
security and resilience of the Marine Transportation System (MTS).


Sec.  101.605   Applicability.

    (a) This subpart applies to the owners and operators of U.S.-
flagged vessels subject to 33 CFR part 104, U.S. facilities subject to 
33 CFR part 105, and Outer Continental Shelf (OCS) facilities subject 
to 33 CFR part 106.
    (b) This subpart does not apply to any foreign-flagged vessels 
subject to 33 CFR part 104.


Sec.  101.610   Federalism.

    Consistent with Sec.  101.112(b), with respect to a facility 
regulated under 33 CFR part 105 to which this subpart applies, the 
regulations in this subpart have preemptive effect over a State or 
local law or regulation insofar as the State or local law or regulation 
applicable to the facility conflicts with these regulations, either by 
actually conflicting or by frustrating an overriding Federal need for 
uniformity.


Sec.  101.615   Definitions.

    Unless otherwise specified, as used in this subpart:
    Approved list means an owner or operator's authoritative catalog 
for products that meet cybersecurity requirements.
    Backup means a copy of physical or virtual files or databases in a 
secondary location for preservation. It may also refer to the process 
of creating a copy.
    Credentials means a set of data attributes that uniquely identifies 
a system entity such as a person, an organization, a service, or a 
device, and attests to one's right to access to a particular system.
    Critical Information Technology (IT) or Operational Technology (OT) 
systems means any Information Technology or Operational Technology 
system used by the vessel, facility, or OCS facility that, if 
compromised or exploited, could result in a transportation security 
incident, as determined by the Cybersecurity Officer (CySO) in the 
Cybersecurity Plan. Critical IT or OT systems include those business 
support services that, if compromised or exploited, could result in a 
transportation security incident. This term includes systems whose 
ownership, operation, maintenance, or control is delegated wholly or in 
part to any other party.
    Cyber incident means an occurrence that actually jeopardizes, 
without lawful authority, the integrity, confidentiality, or 
availability of information or an Information System, or actually 
jeopardizes, without lawful authority, an Information System.
    Cyber Incident Response Plan means a set of predetermined and 
documented procedures to respond to a cyber incident. It is a document 
that gives the owner or operator or a designated Cybersecurity Officer 
(CySO) instructions on how to respond to a cyber incident and pre-
identifies key roles, responsibilities, and decision-makers. Cyber 
threat means an action,

[[Page 13509]]

not protected by the First Amendment to the Constitution of the United 
States, on or through an information system that may result in an 
unauthorized effort to adversely impact the security, availability, 
confidentiality, or integrity of an information system or information 
that is stored on, processed by, or transiting an information system. 
The term ``cyber threat'' does not include any action that solely 
involves a violation of a consumer term of service or a consumer 
licensing agreement.
    Cybersecurity Assessment means the appraisal of the risks facing an 
entity, asset, system, or network, organizational operations, 
individuals, geographic area, other organizations, or society, and 
includes identification of relevant vulnerabilities and threats and 
determining the extent to which adverse circumstances or events could 
result in operational disruption and other harmful consequences.
    Cybersecurity Officer, or CySO, means the person(s) designated as 
responsible for the development, implementation, and maintenance of the 
cybersecurity portions of the Vessel Security Plan (VSP), Facility 
Security Plan (FSP), or Outer Continental Shelf (OCS) FSP, and for 
liaison with the Captain of the Port (COTP) and Company, Vessel, and 
Facility Security Officers.
    Cybersecurity Plan means a plan developed to ensure application and 
implementation of cybersecurity measures designed to protect the 
owners' or operators' systems and equipment, as required by this part. 
A Cybersecurity Plan is either included in a VSP, FSP, or OCS FSP, or 
is an annex to a VSP, FSP, or OCS FSP.
    Cybersecurity risk means threats to and vulnerabilities of 
information or information systems and any related consequences caused 
by or resulting from unauthorized access, use, disclosure, degradation, 
disruption, modification, or destruction of such information or 
information systems, including such related consequences caused by an 
act of terrorism. It does not include any action that solely involves a 
violation of a consumer term of service or a consumer licensing 
agreement.
    Cybersecurity vulnerability means any attribute of hardware, 
software, process, or procedure that could enable or facilitate the 
defeat of a security control.
    Encryption means any procedure used in cryptography to convert 
plain text into cipher text to prevent anyone but the intended 
recipient from reading that data.
    Executable code means any object code, machine code, or other code 
readable by a computer when loaded into its memory and used directly by 
such computer to execute instructions.
    Exploitable channel means any information channel (such as a 
portable media device and other hardware) that allows for the violation 
of the security policy governing the information system and is usable 
or detectable by subjects external to the trusted user.
    Firmware means computer programs (which are stored in and executed 
by computer hardware) and associated data (which is also stored in the 
hardware) that may be dynamically written or modified during execution.
    Hardware means, collectively, the equipment that makes up physical 
parts of a computer, including its electronic circuitry, together with 
keyboards, readers, scanners, and printers.
    Human-Machine Interface, or HMI, means the hardware or software 
through which an operator interacts with a controller for industrial 
systems. An HMI can range from a physical control panel with buttons 
and indicator lights to an industrial personal computer with a color 
graphics display running dedicated HMI software.
    Information System means an interconnected set of information 
resources under the same direct management control that shares common 
functionality. A system normally includes hardware, software data, 
applications, communications, and people. It includes the application 
of Information Technology, Operational Technology, or a combination of 
both.
    Information Technology, or IT, means any equipment or 
interconnected system or subsystem of equipment, used in the 
acquisition, storage, analysis, evaluation, manipulation, management, 
movement, control, display, switching, interchange, transmission, or 
reception of data or information.
    Known Exploited Vulnerability, or KEV, means a computer 
vulnerability that has been exploited in the past.
    Multifactor Authentication means a layered approach to securing 
data and applications where a system requires users to present a 
combination of two or more credentials to verify their identity for 
login.
    Network means information system(s) implemented with a collection 
of interconnected components. A network is a collection of computers, 
servers, mainframes, network devices, peripherals, or other devices 
connected to allow data sharing. A network consists of two or more 
computers that are linked in order to share resources, exchange files, 
or allow electronic communications.
    Network map means a visual representation of internal network 
topologies and components.
    Network segmentation means a physical or virtual architectural 
approach that divides a network into multiple segments, each acting as 
its own subnetwork, to provide additional security and control that can 
help prevent or minimize the impact of a cyber incident.
    Operational Technology, or OT, means programmable systems or 
devices that interact with the physical environment (or manage devices 
that interact with the physical environment). These systems or devices 
detect or cause a change through the monitoring or control of devices, 
processes, and events.
    Patching means updating software and operating systems to address 
cybersecurity vulnerabilities within a program or product.
    Penetration test means a test of the security of a computer system 
or software application by attempting to compromise its security and 
the security of an underlying operating system and network component 
configurations.
    Principle of least privilege means that an individual should be 
given only those privileges that are needed to complete a task. 
Further, the individual's function, not identity, should control the 
assignment of privileges.
    Privileged user means a user who is authorized (and, therefore, 
trusted) to perform security functions that ordinary users are not 
authorized to perform.
    Risk means a measure of the extent to which an entity is threatened 
by a potential circumstance or event, and typically is a function of: 
(1) the adverse impact, or magnitude of harm, that would arise if the 
circumstance or event occurs; and (2) the likelihood of occurrence.
    Software means a set of instructions, data, or programs used to 
operate a computer and execute specific tasks.
    Supply chain means a system of organizations, people, activities, 
information, and resources for creating computer products and offering 
IT services to their customers.
    Threat means any circumstance or event with the potential to 
adversely impact organizational operations (including mission, 
functions, image, or reputation), organizational assets, individuals, 
other organizations, or the Nation through an information system 
through unauthorized access, destruction, disclosure, modification of 
information, or denial of service.
    Vulnerability means a characteristic or specific weakness that 
renders an

[[Page 13510]]

organization or asset (such as information or an information system) 
open to exploitation by a given threat or susceptible to a given 
hazard.
    Vulnerability scan means a technique used to identify hosts or host 
attributes and associated vulnerabilities.


Sec.  101.620   Owner or Operator.

    (a) Each owner or operator of a vessel, facility, or OCS facility 
is responsible for compliance with the requirements of this subpart.
    (b) For each vessel, facility, or OCS facility, the owner or 
operator must--
    (1) Ensure a Cybersecurity Plan is developed, approved, and 
maintained;
    (2) Define in Section 1 of the Cybersecurity Plan the cybersecurity 
organizational structure and identify each person exercising 
cybersecurity duties and responsibilities within that structure, with 
the support needed to fulfill those obligations;
    (3) Designate, in writing, by name and by title, a CySO who is 
accessible to the Coast Guard 24 hours a day, 7 days a week, and 
identify how the CySO can be contacted at any time;
    (4) Ensure that cybersecurity exercises, audits, and inspections, 
as well as the Cybersecurity Assessment, are conducted as required by 
this part and in accordance with the Cybersecurity Plan (see Sec.  
101.625(d)(1), (3), (6) and (7));
    (5) Ensure that the vessel, facility, or OCS facility operates in 
compliance with the approved Cybersecurity Plan;
    (6) Ensure the development, approval, and execution of the Cyber 
Incident Response Plan; and
    (7) Ensure all cyber incidents are reported to the National 
Response Center (NRC) at the telephone number listed in Sec.  101.305 
of this part.


Sec.  101.625   Cybersecurity Officer.

    (a) Other duties. The Cybersecurity Officer (CySO) may perform 
other duties within the owner's or operator's organization (vessel or 
facility), provided the person is able to perform the duties and 
responsibilities required of the CySO by this part.
    (b) Serving as CySO for Multiple Vessels, Facilities or OCS 
Facilities. The same person may serve as the CySO for more than one 
vessel, facility, or OCS facility. If a person serves as the CySO for 
more than one vessel, facility, or OCS facility, the name of each 
location for which that person is the CySO must be listed in the 
Cybersecurity Plan of each vessel, facility, or OCS facility for which 
that person is the CySO.
    (c) Assigning Duties Permitted. The CySO may assign security duties 
to other vessel, facility, or OCS facility personnel; however, the CySO 
retains ultimate responsibility for these duties.
    (d) Responsibilities. For each vessel, facility, or OCS facility 
for which they are designated, the CySO must--
    (1) Ensure that the Cybersecurity Assessment is conducted as 
required by this part;
    (2) Ensure the cybersecurity measures in the Cybersecurity Plan are 
developed, implemented, and operating as intended;
    (3) Ensure that an annual audit of the Cybersecurity Plan and its 
implementation is conducted and, if necessary, ensure that the 
Cybersecurity Plan is updated;
    (4) Ensure the Cyber Incident Response Plan is executed and 
exercised;
    (5) Ensure the Cybersecurity Plan is exercised in accordance with 
Sec.  101.635(c) of this part;
    (6) Arrange for cybersecurity inspections in conjunction with 
vessel, facility and OCS facility inspections;
    (7) Ensure the prompt correction of problems identified by 
exercises, audits, or inspections;
    (8) Ensure the cybersecurity awareness and vigilance of personnel 
through briefings, drills, exercises, and training;
    (9) Ensure adequate cybersecurity training of personnel;
    (10) Ensure all breaches of security, suspicious activity that may 
result in TSIs, TSIs, and cyber incidents are recorded and reported to 
the owner or operator;
    (11) Ensure that records required by this part are maintained in 
accordance with Sec.  101.640 of this part;
    (12) Ensure any reports as required by this part have been prepared 
and submitted;
    (13) Ensure that the Cybersecurity Plan, as well as proposed 
substantive changes (or major amendments) to cybersecurity measures 
included therein, are submitted for approval to the cognizant COTP or 
the Officer in Charge, Marine Inspections (OCMI) for facilities or OCS 
facilities, or to the Marine Safety Center (MSC) for vessels, prior to 
amending the Cybersecurity Plan, in accordance with Sec.  101.630 of 
this part;
    (14) Ensure relevant security and management personnel are briefed 
regarding changes in cybersecurity conditions on board the vessel, 
facility, or OCS facility; and
    (15) Ensure identification and mitigation of all KEVs in critical 
IT or OT systems, without delay.
    (e) Qualifications. The CySO must have general knowledge, through 
training or equivalent job experience, in the following:
    (1) General vessel, facility, or OCS facility operations and 
conditions;
    (2) General cybersecurity guidance and best practices;
    (3) The vessel, facility, or OCS facility's Cyber Incident Response 
Plan;
    (4) The vessel, facility, or OCS facility's Cybersecurity Plan;
    (5) Cybersecurity equipment and systems;
    (6) Methods of conducting cybersecurity audits, inspections, 
control, and monitoring techniques;
    (7) Relevant laws and regulations pertaining to cybersecurity;
    (8) Instruction techniques for cybersecurity training and 
education;
    (9) Handling of Sensitive Security Information and security related 
communications;
    (10) Current cybersecurity threat patterns and KEVs;
    (11) Recognizing characteristics and behavioral patterns of persons 
who are likely to threaten security; and
    (12) Conducting and assessing cybersecurity drills and exercises.


Sec.  101.630   Cybersecurity Plan.

    (a) General. The CySO must develop, implement, and verify a 
Cybersecurity Plan for each vessel, facility, or OCS facility. The 
Cybersecurity Plan must reflect all cybersecurity measures required in 
this subpart, as appropriate, to mitigate risks identified during the 
Cybersecurity Assessment. The Plan must describe in detail how the 
requirements of subpart F will be met. The Cybersecurity Plan may be 
included in a VSP or an FSP, or as an annex to the VSP or FSP.
    (b) Protecting Sensitive Security Information. The Cybersecurity 
Plan is Sensitive Security Information and must be protected in 
accordance with 49 CFR part 1520.
    (c) Format. The owner or operator must ensure that the 
Cybersecurity Plan consists of the individual sections listed in this 
paragraph. If the Cybersecurity Plan does not follow the order as it 
appears on the list, the owner or operator must ensure that the Plan 
contains an index identifying the location of each of the following 
sections:
    (1) Cybersecurity organization and identity of the CySO;
    (2) Personnel training;
    (3) Drills and exercises;
    (4) Records and documentation;
    (5) Communications;
    (6) Cybersecurity systems and equipment, with associated 
maintenance;
    (7) Cybersecurity measures for access control, including the 
computer, IT, and OT access areas;

[[Page 13511]]

    (8) Physical security controls for IT and OT systems;
    (9) Cybersecurity measures for monitoring;
    (10) Audits and amendments to the Cybersecurity Plan;
    (11) Reports of all cybersecurity audits and inspections, to 
include documentation of resolution or mitigation of all identified 
vulnerabilities;
    (12) Documentation of all identified, unresolved vulnerabilities, 
to include those that are intentionally unresolved due to owner or 
operator risk acceptance;
    (13) Cyber incident reporting procedures in accordance with part 
101 of this subchapter; and
    (14) Cybersecurity Assessment.
    (d) Submission and approval. Each owner or operator must submit one 
copy of their Cybersecurity Plan for review and approval to the 
cognizant COTP or the OCMI for the facility or OCS facility, or to the 
MSC for the vessel. A letter certifying that the Plan meets the 
requirements of this subpart must accompany the submission.
    (1) The COTP, OCMI, or MSC will evaluate each submission for 
compliance with this part, and either--
    (i) Approve the Cybersecurity Plan and return a letter to the owner 
or operator indicating approval and any conditional approval;
    (ii) Require additional information or revisions to the 
Cybersecurity Plan and return a copy to the owner or operator with a 
brief description of the required revisions or additional information; 
or
    (iii) Disapprove the Cybersecurity Plan and return a copy, without 
delay, to the owner or operator with a brief statement of the reasons 
for disapproval.
    (iv) If the cognizant COTP, OCMI, or MSC requires additional time 
to review the plan, they have the authority to return a written 
acknowledgement to the owner or operator stating that the Coast Guard 
will review the Cybersecurity Plan submitted for approval, and that the 
U.S.-flagged vessel, facility, or OCS facility may continue to operate 
as long as it remains in compliance with the submitted Cybersecurity 
Plan.
    (2) Owners or operators submitting one Cybersecurity Plan to cover 
two or more vessels or facilities of similar operations must ensure the 
Plan addresses the specific cybersecurity risks for each vessel or 
facility.
    (3) A Plan that is approved by the COTP, OCMI, or MSC is valid for 
5 years from the date of its approval.
    (e) Amendments to the Cybersecurity Plan.
    (1) Amendments to a Coast Guard-approved Cybersecurity Plan must be 
initiated by either--
    (i) The owner or operator or the CySO; or
    (ii) When the COTP, OCMI, or MSC finds that the Cybersecurity Plan 
no longer meets the requirements in this part, the Plan will be 
returned to the owner or operator with a letter explaining why the Plan 
no longer meets the requirements and requires amendment. The owner or 
operator will have at least 60 days to amend the Plan and cure 
deficiencies outlined in the letter. Until the amendments are approved, 
the owner or operator must ensure temporary cybersecurity measures are 
implemented to the satisfaction of the Coast Guard.
    (2) Major amendments, as determined by the owner or operator based 
on types of changes to their security measures and operational risks, 
to the Cybersecurity Plan must be proposed to the Coast Guard prior to 
implementation. Proposed amendments to the Cybersecurity Plan must be 
sent to the Coast Guard at least 30 days before the proposed 
amendment's effective date. The Coast Guard will approve or disapprove 
the proposed amendment in accordance with this part. An owner or 
operator must notify the Coast Guard by the most rapid means 
practicable as to the nature of the amendments, the circumstances that 
prompted these amendments, and the period these amendments are expected 
to be in place.
    (3) If the owner or operator has changed, the CySO must amend the 
Cybersecurity Plan, without delay, to include the name and contact 
information of the new owner or operator and submit the affected 
portion of the Plan for review and approval in accordance with this 
part.
    (4) If the CySO has changed, the Coast Guard must be notified 
without delay and the affected portion of the Cybersecurity Plan must 
be amended and submitted to the Coast Guard for review and approval in 
accordance with this part without delay.
    (f) Audits. (1) The CySO must ensure that an audit of the 
Cybersecurity Plan and its implementation is performed annually, 
beginning no later than 1 year from the initial date of approval. The 
CySO must attach a report to the Plan certifying that the Plan meets 
the applicable requirements of this subpart.
    (2) In addition to the annual audit, the CySO must audit the 
Cybersecurity Plan if there is a change in the owner or operator of the 
vessel, facility, or OCS facility, or if there have been modifications 
to the cybersecurity measures, including, but not limited to, physical 
access, incident response procedures, security measures, or operations.
    (3) Auditing the Cybersecurity Plan as a result of modifications to 
the vessel, facility, or OCS facility, or because of changes to the 
cybersecurity measures, may be limited to those sections of the Plan 
affected by the modifications.
    (4) Personnel conducting internal audits of the cybersecurity 
measures specified in the Plan or evaluating its implementation must--
    (i) Have knowledge of methods of conducting audits and inspections, 
as well as access control and monitoring techniques;
    (ii) Not have regularly assigned cybersecurity duties for the 
vessel, facility, or OCS facility being audited; and
    (iii) Be independent of any cybersecurity measures being audited.
    (5) If the results of an audit require amending the Cybersecurity 
Plan, the CySO must submit, in accordance with this part, the 
amendments to the Coast Guard for review and approval no later than 30 
days after completion of the audit with a letter certifying that the 
amended Plan meets applicable requirements of subpart F.


Sec.  101.635   Drills and Exercises.

    (a) General. (1) Drills and exercises must be used to test the 
proficiency of the vessel, facility, and OCS facility personnel in 
assigned cybersecurity duties and the effective implementation of the 
VSP, FSP, OCS FSP, and Cybersecurity Plan. The drills and exercises 
must enable the CySO to identify any related cybersecurity deficiencies 
that need to be addressed.
    (2) The drill or exercise requirements specified in this section 
may be satisfied with the implementation of cybersecurity measures 
required by the VSP, FSP, OCS FSP, and Cybersecurity Plan as the result 
of a cyber incident, as long as the vessel, facility, or OCS facility 
achieves and documents attainment of drill and exercise goals for the 
cognizant COTP.
    (b) Drills. (1) The CySO must ensure that at least one 
cybersecurity drill is conducted every 3 months. Cybersecurity drills 
may be held in conjunction with other security or non-security drills, 
where appropriate.
    (2) Drills must test individual elements of the Cybersecurity Plan, 
including responses to cybersecurity threats and incidents. 
Cybersecurity drills must take into account the types of operations of 
the vessel, facility, or OCS facility; changes to the vessel, facility, 
or OCS facility personnel; the

[[Page 13512]]

type of vessel a facility is serving; and other relevant circumstances.
    (3) If a vessel is moored at a facility on a date a facility has 
planned to conduct any drills, the facility cannot require the vessel 
or vessel personnel to be a part of or participate in the facility's 
scheduled drill.
    (c) Exercises. (1) Exercises must be conducted at least once each 
calendar year, with no more than 18 months between exercises.
    (2) Exercises may be--
    (i) Full-scale or live;
    (ii) Tabletop simulation;
    (iii) Combined with other appropriate exercises; or
    (iv) A combination of the elements in paragraphs (c)(2)(i) through 
(iii) of this section.
    (3) Exercises may be vessel- or facility-specific, or part of a 
cooperative exercise program to exercise applicable vessel, facility, 
and OCS facility Cybersecurity Plans or comprehensive port exercises.
    (4) Each exercise must test communication and notification 
procedures and elements of coordination, resource availability, and 
response.
    (5) Exercises are a full test of the cybersecurity program and must 
include the substantial and active participation of the CySO(s).
    (6) If any corrective action identified during an exercise is 
needed, it must be addressed and documented as soon as possible.


Sec.  101.640   Records and Documentation.

    All records, reports, and other documents mentioned in this subpart 
must be created and maintained in accordance with 33 CFR 104.235 for 
vessels, 105.225 for facilities, and 106.230 for OCS facilities. At a 
minimum, the records must be created for the following activities: 
training, drills, exercises, cybersecurity threats, incidents, and 
audits of the Cybersecurity Plan.


Sec.  101.645   Communications.

    (a) The CySO must have a means to effectively notify owners or 
operators and personnel of a vessel, facility, or OCS facility of 
changes in cybersecurity conditions at the vessel, facility, and OCS 
facility.
    (b) Communication systems and procedures must allow effective and 
continuous communications between vessel, facility, and OCS facility 
security personnel, vessels interfacing with a facility or an OCS 
facility, the cognizant COTP, and national and local authorities with 
security responsibilities.


Sec.  101.650   Cybersecurity Measures.

    (a) Account security measures. Each owner or operator of a vessel, 
facility, or OCS facility must ensure, at a minimum, the following 
account security measures are in place and documented in Section 7 of 
the Cybersecurity Plan:
    (1) Automatic account lockout after repeated failed login attempts 
must be enabled on all password-protected IT and OT systems.
    (2) Default passwords must be changed before using any IT or OT 
systems.
    (3) A minimum password strength must be maintained on all IT and OT 
systems that are technically capable of password protection.
    (4) Multifactor authentication must be implemented on password-
protected IT and remotely accessible OT systems.
    (5) The principle of least privilege must be applied to 
administrator or otherwise privileged accounts on both IT and OT 
systems;
    (6) The owner or operator must ensure that users maintain separate 
credentials on critical IT and OT systems; and
    (7) The owner or operator must ensure that user credentials are 
removed or revoked when a user leaves the organization.
    (b) Device security measures. Each owner or operator or designated 
CySO of a vessel, facility, or OCS facility must ensure the following 
device security measures are in place and documented in Section 6 of 
the Cybersecurity Plan:
    (1) Develop and maintain a list of approved hardware, firmware, and 
software that may be installed on IT or OT systems. Any hardware, 
firmware, and software installed on IT and OT systems must be on the 
owner- or operator-approved list.
    (2) Ensure applications running executable code must be disabled by 
default on critical IT and OT systems. Exemptions must be justified and 
documented in the Cybersecurity Plan.
    (3) Maintain an accurate inventory of network-connected systems, 
including designation of critical IT and OT systems; and
    (4) Develop and maintain accurate documentation identifying the 
network map and OT device configuration information.
    (c) Data security measures. Each owner or operator or designated 
CySO of a vessel, facility, or OCS facility must ensure the following 
data security measures are in place and documented in Section 4 of the 
Cybersecurity Plan:
    (1) Data logs must be securely captured, stored, and protected so 
that they are accessible only by privileged users; and
    (2) All data, both in transit and at rest, must be encrypted using 
a suitably strong algorithm.
    (d) Cybersecurity training for personnel. The training program to 
address requirements under this paragraph must be documented in 
Sections 2 and 4 of the Cybersecurity Plan.
    (1) All personnel with access to the IT or OT systems, including 
contractors, whether part-time, full-time, temporary, or permanent, 
must have cybersecurity training in the following topics:
    (i) Relevant provisions of the Cybersecurity Plan;
    (ii) Recognition and detection of cybersecurity threats and all 
types of cyber incidents;
    (iii) Techniques used to circumvent cybersecurity measures;
    (iv) Procedures for reporting a cyber incident to the CySO; and
    (v) OT-specific cybersecurity training for all personnel whose 
duties include using OT.
    (2) Key personnel with access to the IT or remotely accessible OT 
systems, including contractors, whether part-time, full-time, 
temporary, or permanent, must also have cybersecurity training in the 
following additional topics:
    (i) Understanding their roles and responsibilities during a cyber 
incident and response procedure; and
    (ii) Maintaining current knowledge of changing cybersecurity 
threats and countermeasures.
    (3) All personnel must complete the training specified in 
paragraphs (d)(1)(ii) through (v) of this section by [DATE 180 DAYS 
AFTER EFFECTIVE DATE OF THE FINAL RULE], and annually thereafter. Key 
personnel must complete the training specified in paragraph (d)(2) of 
this section by [DATE 180 DAYS AFTER EFFECTIVE DATE OF THE FINAL RULE], 
and annually thereafter, or more frequently as needed. Training for new 
personnel not in place at the time of the effective date of this rule 
must be completed within 5 days of gaining system access, but no later 
than within 30 days of hiring, and annually thereafter. Training for 
personnel on new IT or OT systems not in place at the time of the 
effective date of this rule must be completed within 5 days of system 
access, and annually thereafter. All personnel must complete the 
training specified in paragraph (d)(1)(i) within 60 days of receiving 
approval of the Cybersecurity Plan. The training must be documented and 
maintained in the owner's or operator's records in accordance with 33 
CFR 104.235 for vessels, 105.225 for facilities, and 106.230 for OCS 
facilities.

[[Page 13513]]

    (e) Risk management. Each owner or operator or designated CySO of a 
vessel, facility, or OCS facility must ensure the following measures 
for risk management are in place and documented in Sections 11 and 12 
of the Cybersecurity Plan:
    (1) Cybersecurity Assessment. Each owner or operator or designated 
CySO of a U.S.-flagged vessel, facility, or OCS facility must ensure 
completion of a Cybersecurity Assessment that addresses each covered 
vessel, facility, and OCS facility. A Cybersecurity Assessment must be 
conducted within 1 year from [EFFECTIVE DATE OF FINAL RULE] and 
annually thereafter. However, the Cybersecurity Assessment must be 
conducted sooner than annually if there is a change in ownership of a 
U.S.-flagged vessel, facility, or OCS facility; or if there are major 
amendments to the Cybersecurity Plan. In conducting the Cybersecurity 
Assessment, the owner or operator must--
    (i) Analyze all networks to identify vulnerabilities to IT and OT 
systems and the risk posed by each digital asset;
    (ii) Validate the Cybersecurity Plan;
    (iii) Document recommendations and resolutions in the Facility 
Security Assessment (FSA)/Vessel Security Assessment (VSA), in 
accordance with 33 CFR 104.305, 105.305, and 106.305;
    (iv) Document and mitigate any unresolved vulnerabilities; and
    (v) Incorporate recommendations and resolutions from paragraph 
(e)(1)(iii) of this section into the Cybersecurity Plan through an 
amendment, in accordance with Sec.  101.630(e) of this part.
    (2) Penetration Testing. In conjunction with FSP, OCS FSP, or VSP 
renewal, the owner or operator or designated CySO must ensure that a 
penetration test has been completed. Following the penetration test, 
all identified vulnerabilities must be included in the FSA or VSA, in 
accordance with 33 CFR 104.305, 105.305, and 106.305.
    (3) Routine system maintenance. Each owner or operator or a 
designated CySO of a vessel, facility, or OCS facility must ensure the 
following measures for routine system maintenance are in place and 
documented in Section 6 of the Cybersecurity Plan:
    (i) Ensure patching or implementation of documented compensating 
controls for all KEVs in critical IT or OT systems, without delay;
    (ii) Maintain a method to receive and act on publicly submitted 
vulnerabilities;
    (iii) Maintain a method to share threat and vulnerability 
information with external stakeholders;
    (iv) Ensure there are no exploitable channels directly exposed to 
internet-accessible systems;
    (v) Ensure no OT is connected to the publicly accessible internet 
unless explicitly required for operation, and verify that, for any 
remotely accessible OT system, there is a documented justification; and
    (vi) Conduct vulnerability scans as specified in the Cybersecurity 
Plan.
    (f) Supply chain. Each owner or operator or designated CySO of a 
vessel, facility, or OCS facility must ensure the following supply-
chain measures are in place and documented in Section 4 of the 
Cybersecurity Plan:
    (1) Consider cybersecurity capability as criteria for evaluation to 
procure IT and OT systems or services;
    (2) Establish a process through which all IT and OT vendors or 
service providers notify the owner or operator or designated CySO of 
any cybersecurity vulnerabilities, incidents, or breaches, without 
delay; and
    (3) Monitor and document all third-party remote connections to 
detect cyber incidents.
    (g) Resilience. Each owner or operator or designated CySO of a 
vessel, facility, or OCS facility must ensure the following measures 
for resilience are in place and documented in Sections 3 and 9 of the 
Cybersecurity Plan:
    (1) Report any cyber incidents to the NRC, without delay, to the 
telephone number listed in Sec.  101.305 of this part;
    (2) In addition to other plans mentioned in this subpart, develop, 
implement, maintain, and exercise the Cyber Incident Response Plan;
    (3) Periodically validate the effectiveness of the Cybersecurity 
Plan through annual tabletop exercises, annual reviews of incident 
response cases, or post-cyber incident review, as determined by the 
owner or operator; and
    (4) Perform backup of critical IT and OT systems, with those 
backups being sufficiently protected and tested frequently.
    (h) Network segmentation. Each owner or operator or designated CySO 
of a vessel, facility, or OCS facility must ensure the following 
measures for network segmentation are in place and documented in 
Sections 7 and 8 of the Cybersecurity Plan:
    (1) Implement segmentation between IT and OT networks; and
    (2) Verify that all connections between IT and OT systems are 
logged and monitored for suspicious activity, breaches of security, 
TSIs, unauthorized access, and cyber incidents.
    (i) Physical security. Each owner or operator or designated CySO of 
a vessel, facility, or OCS facility must ensure the following measures 
for physical security are in place and documented in Sections 7 and 8 
of the Cybersecurity Plan:
    (1) In addition to any other requirements in this part, limit 
physical access to OT and related IT equipment to only authorized 
personnel, and confirm that all HMIs and other hardware are secured, 
monitored, and logged for personnel access; and
    (2) Ensure unauthorized media and hardware are not connected to IT 
and OT infrastructure, including blocking, disabling, or removing 
unused physical access ports, and establishing procedures for granting 
access on a by-exception basis.


Sec.  101.655   Cybersecurity Compliance Dates.

    All Cybersecurity Plans mentioned in this subpart must be submitted 
to the Coast Guard for review and approval during the second annual 
audit following [EFFECTIVE DATE OF FINAL RULE], according to 33 CFR 
104.415 for vessels, 33 CFR 105.415 for facilities, or 106.415 for OCS 
facilities.


Sec.  101.660   Cybersecurity Compliance Documentation.

    Each owner or operator must ensure that the cybersecurity portion 
of their Plan and penetration test results are available to the Coast 
Guard upon request. The Alternative Security Program provisions are 
addressed in 33 CFR 104.140 for vessels, 105.140 for facilities, and 
106.135 for OCS facilities.


Sec.  101.665   Noncompliance, Waivers, and Equivalents.

    An owner or operator who is unable to meet the requirements in 
subpart F may seek a waiver or an equivalence determination using the 
provisions applicable to a vessel, facility, or OCS facility as 
outlined in 33 CFR 104.130, 104.135, 105.130, 105.135, 106.125, or 
106.130. If an owner or operator is temporarily unable to meet the 
requirements in this part, they must notify the cognizant COTP or MSC, 
and may request temporary permission to continue to operate under the 
provisions as outlined in 33 CFR 104.125, 105.125, or 106.120.

[[Page 13514]]

Sec.  101.670   Severability.

    Any provision of this subpart held to be invalid or unenforceable 
as applied to any person or circumstance shall be construed so as to 
continue to give the maximum effect to the provision permitted by law, 
including as applied to persons not similarly situated or to dissimilar 
circumstances, unless such holding is that the provision of this 
subpart is invalid and unenforceable in all circumstances, in which 
event the provision shall be severable from the remainder of this 
subpart and shall not affect the remainder thereof.

Linda Fagan,
Admiral, U.S. Coast Guard, Commandant.
[FR Doc. 2024-03075 Filed 2-21-24; 8:45 am]
BILLING CODE 9110-04-P