Guidance on Maritime Cybersecurity Standards, 75574-75575 [2014-29658]

[Federal Register Volume 79, Number 243 (Thursday, December 18, 2014)]
[Notices]
[Pages 75574-75575]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-29658]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Coast Guard

[Docket No. USCG-2014-1020]


Guidance on Maritime Cybersecurity Standards

AGENCY: Coast Guard, DHS.

ACTION: Notice with request for comments.

-----------------------------------------------------------------------

SUMMARY: The Coast Guard is developing policy to help vessel and 
facility operators identify and address cyber-related vulnerabilities 
that could contribute to a Transportation Security Incident. Coast 
Guard regulations require certain vessel and facility operators to 
conduct security assessments, and to develop security plans that 
address vulnerabilities identified by the security assessment. The 
Coast Guard is seeking public input from the maritime industry and 
other interested parties on how to identify and mitigate potential 
vulnerabilities to cyber-dependent systems. The Coast Guard will 
consider these public comments in developing relevant guidance, which 
may include standards, guidelines, and best practices to protect 
maritime critical infrastructure.

DATES: Comments must be submitted to the online docket via http://www.regulations.gov, or reach the Docket Management Facility, on or 
before February 17, 2015.

ADDRESSES: Submit comments using one of the listed methods, and see 
SUPPLEMENTARY INFORMATION for more information on public comments.
     * Online--http://www.regulations.gov following Web site 
instructions.
     * Fax--202-493-2251.
     * Mail or hand deliver--Docket Management Facility (M-30), 
U.S. Department of Transportation, West Building Ground Floor, Room 
W12-140, 1200 New Jersey Avenue SE., Washington, DC 20590-0001. Hours 
for hand delivery are 9 a.m. to 5 p.m., Monday through Friday, except 
Federal holidays (telephone 202-366-9329).

FOR FURTHER INFORMATION CONTACT: For information about this document 
call or email LT Josephine Long, Coast Guard; telephone 202-372-1109, 
email Josephine.A.Long@uscg.mil or LCDR Joshua Rose, Coast Guard; 
202-372-1106, email Joshua.D.Rose@uscg.mil. For information about viewing 
or submitting material to the docket, call Cheryl Collins, Program 
Manager, Docket Operations, telephone 202-366-9826, toll free 
1-800-647-5527.

SUPPLEMENTARY INFORMATION:

Public Participation and Comments

    We encourage you to submit comments (or related material) on the 
questions listed below. We will consider all submissions and may adjust 
our final policy actions based on your comments. Comments should be 
marked with docket number USCG-2014-1020, and should provide a reason 
for each suggestion or recommendation. You should provide personal 
contact information so that we can contact you if we have questions 
regarding your comments; but please note that all comments will be 
posted to the online docket without change and that any personal 
information you include can be searchable online (see the Federal 
Register Privacy Act notice regarding our public dockets, 73 FR 3316, 
Jan. 17, 2008).
    Mailed or hand-delivered comments should be in an unbound 8 1/2 x 
11 inch format suitable for reproduction. The Docket Management 
Facility will acknowledge receipt of mailed comments if you enclose a 
stamped, self-addressed postcard or envelope with your submission.
    Documents mentioned in this notice, and all public comments, are in 
our online docket at http://www.regulations.gov and can be viewed by 
following the Web site's instructions. You can also view the docket at 
the Docket Management Facility (see the mailing address under 
ADDRESSES) between 9 a.m. and 5 p.m., Monday through Friday, except 
Federal holidays.

Discussion

    The Coast Guard is developing policy to help vessel and facility 
operators identify and address cyber-related vulnerabilities that could 
contribute to a Transportation Security Incident (TSI).\1\ Coast Guard 
regulations require certain vessel and facility operators to conduct 
security assessments, and to develop security plans that address 
vulnerabilities identified by the security assessment.\2\ Vessel and 
facility security plans must also address specific security functions, 
including the following:
---------------------------------------------------------------------------

    \1\ A Transportation Security Incident is defined in 33 CFR 
101.105 to mean ``a security incident resulting in a significant 
loss of life, environmental damage, transportation system 
disruption, or economic disruption in a particular area.''
    \2\ 33 CFR parts 104 and 105, subparts C and D.

 * Communications
 * Security Training Requirements
 * Procedures for vessel/facility interfacing
 * Declaration of Security
 * Security Systems and Equipment Maintenance
 * Security Measures for Access Control
 * Security Measures for Handling Cargo
 * Security Measures for Monitoring
 * Security Incident Procedures

The Coast Guard is seeking public input on the following questions:
    (1) What cyber-dependent systems, commonly used in the maritime 
industry, could lead or contribute to a TSI if they failed, or were 
exploited by an adversary?
    (2) What procedures or standards do vessel and facility operators 
now employ to identify potential cybersecurity vulnerabilities to their 
operations?
    (3) Are there existing cybersecurity assurance programs in use by 
industry that the Coast Guard could recognize? If so, to what extent do 
these programs address vessel or facility systems that could lead to a 
TSI?
    (4) To what extent do current security training programs for vessel 
and facility personnel address cybersecurity risks and best practices?
    (5) What factors should determine when manual backups or other 
non-technical approaches are sufficient to address cybersecurity 
vulnerabilities?
    (6) How can the Coast Guard leverage Alternative Security Programs 
\3\ to help vessel and facility operators address cybersecurity risks?
---------------------------------------------------------------------------

    \3\ An Alternative Security Program is defined in 33 CFR 101.105 
to mean ``a third-party or industry organization developed standard 
that the Commandant [of the Coast Guard] has determined provides an 
equivalent level of security to that established by [33 CFR Chapter 
I, Subchapter H].''
---------------------------------------------------------------------------

    (7) How can vessel and facility operators reliably demonstrate to 
the Coast Guard that critical cyber-systems meet appropriate technical 
or procedural standards?
    (8) Do classification societies, protection and indemnity clubs, or 
insurers recognize cybersecurity best practices that could help the 
maritime industry and the Coast Guard address cybersecurity risks? 
(See also http://www.dhs.gov/publication/cybersecurity-insurance.)

Authority

    This notice is issued under the authority of 5 U.S.C. 552(a).

    Dated: December 12, 2014.
Captain Andrew Tucci,
Chief, Office of Port & Facility Compliance, U.S. Coast Guard.
[FR Doc. 2014-29658 Filed 12-17-14; 8:45 am]
BILLING CODE 9110-04-P