On February 21, 2024, President Biden signed an Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States, updating Title 33, Code of Federal Regulations (CFR), Part 6, to explicitly address cyber threats.
Among other provisions, this Executive Order added a definition for “cyber incident” and created a requirement to report evidence of an actual or threatened cyber incident involving or endangering any vessel, harbor, port, or waterfront facility to the Coast Guard, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA).
The broad applicability of 33 CFR Part 6 and the new definition of a cyber incident created an overlap with existing Maritime Transportation Security Act (MTSA) reporting requirements. NVIC 02-24 provides clarification and voluntary guidance on the reporting requirements identified in 33 CFR Part 101 and 33 CFR Part 6.
Previously, the Coast Guard provided guidance on incident reporting through CG-5P Policy Letter 08-16, Reporting Suspicious Activity and Breaches of Security. NVIC 02-24 will replace Policy Letter 08-16.
When in doubt as to whether an incident or situation meets any of the requirements of a Breach of Security, Suspicious Activity, Transportation Security Incident, or Cyber Incident, maritime stakeholders are encouraged to report an incident or occurrence to the Coast Guard’s National Response Center without delay at 1-800-424-8802.