The American Association of Port Authorities is urging the Cybersecurity and Infrastructure Security Agency to work with the Coast Guard as CISA scopes out mandatory incident reporting requirements for the maritime sector and as work continues at the Coast Guard on new port security rules.
“AAPA believes that upon final implementation of Coast Guard’s NPRM, Cybersecurity in the Marine Transportation System, ports will satisfy CISA’s reporting requirements and thus qualify for the exemption that exists for entities subject to substantially similar reporting obligations to a related agency in a substantially similar time frame,” the trade association says in July 3 comments to CISA.
The filing says, “AAPA will work tirelessly to support the speedy implementation of a CIRCIA agreement between Coast Guard and CISA to exempt ports from dual reporting.”
The Coast Guard issued in February a notice of proposed rulemaking to update its maritime security regulations to address cybersecurity. The NPRM is part of a broader series of initiatives announced on Feb. 21 by the Biden administration to boost U.S. port security.
On April 4, CISA published a notice of proposed rulemaking, required under the 2022 Cyber Incident Reporting for Critical Infrastructure Act, under which covered entities would have to report incidents to the agency within 72 hours and ransom payments within 24 hours.
The NPRM contains a section on how CISA will grant exceptions to the reporting requirement by working with other government entities that have “substantially similar” requirements.
CISA notes in the NPRM that the maritime sector has a similar requirement on the books to meet the cyber agency’s upcoming needs under the new regime that cuts across critical infrastructure.
The NPRM says CISA’s proposed approach for the maritime sector “will result in two separate cyber incident reporting requirements for entities that are subject to both [the Maritime Transportation Safety Act] and CIRCIA.”
“CISA and USCG are committed to exploring the substantially similar reporting exception or other mechanisms to allow entities that are subject to both MTSA and CIRCIA cyber incident reporting requirements to comply with both requirements through the submission of a single cyber incident report,” the NPRM says.
AAPA writes, “The administrative impact of implementing all these regulations as currently proposed with no CIRCIA agreement could be overwhelming and detrimentally impact the operation of our nation’s ports. Smaller ports may not have dedicated cybersecurity personnel, and the requirement to monitor, update, and comply with new cybersecurity protocols could strain limited staff.”
The filing says, “Likewise, large ports, which experience greater volumes of cyber activity, may be hindered in their compliance with the 72-hour reporting requirement by the obligation to make duplicative reports in the critical hours following a substantial cyber incident - which itself may hinder their ability to respond to these threats.”
“AAPA ports have a strong preference to continue reporting directly to Coast Guard via the National Response Center. Port security managers often have extensive and decades-long relationships with their Coast Guard counterparts and wish to continue working directly with the agency. This has the benefit of avoiding confusion or duplication where a reportable incident may have both cybersecurity and physical or pollution effects,” the filing says.
AAPA writes, “Ports have expressed preference for CISA to obtain information regarding cyber incidents directly from Coast Guard to streamline inter-agency coordination, and the Coast Guard is encouraged to coordinate directly with CISA to ensure their final rule’s reporting requirement satisfies any requirements under the pending CIRCIA implementation regulations.”

-- Sara Friedman (sfriedman@iwpnews.com)
