cfr_sections
Data license: Public Domain (U.S. Government data) · Data source: Federal Register API & Regulations.gov API
46 rows where part_number = 101 and title_number = 33 sorted by section_id
| section_id | title_number | title_name | chapter | subchapter | part_number | part_name | subpart | subpart_name | section_number | section_heading | agency | authority | source_citation | amendment_citations | full_text |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 33:33:1.0.1.8.50.1.26.1 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.100 Purpose. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 68 FR 60470, Oct. 22, 2003] | (a) The purpose of this subchapter is: (1) To implement portions of the maritime security regime required by the Maritime Transportation Security Act of 2002, as codified in 46 U.S.C. Chapter 701; (2) To align, where appropriate, the requirements of domestic maritime security regulations with the international maritime security standards in the International Convention for the Safety of Life at Sea, 1974 (SOLAS Chapter XI-2) and the International Code for the Security of Ships and of Port Facilities, parts A and B, adopted on 12 December 2002; and (3) To ensure security arrangements are as compatible as possible for vessels trading internationally. (b) For those maritime elements of the national transportation system where international standards do not directly apply, the requirements in this subchapter emphasize cooperation and coordination with local port community stakeholders, and are based on existing domestic standards, as well as established industry security practices. (c) The assessments and plans required by this subchapter are intended for use in implementing security measures at various MARSEC Levels. The specific security measures and their implementation are planning criteria based on a set of assumptions made during the development of the security assessment and plan. These assumptions may not exist during an actual transportation security incident. | |||
| 33:33:1.0.1.8.50.1.26.2 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.105 Definitions. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003] | Unless otherwise specified, as used in this subchapter: Alternative Security Program means a third-party or industry organization developed standard that the Commandant has determined provides an equivalent level of security to that established by this subchapter. Area Commander means the U.S. Coast Guard officer designated by the Commandant to command a Coast Guard Area as described in 33 CFR part 3. Area Maritime Security (AMS) Assessment means an analysis that examines and evaluates the infrastructure and operations of a port taking into account possible threats, vulnerabilities, and existing protective measures, procedures and operations. Area Maritime Security (AMS) Committee means the committee established pursuant to 46 U.S.C. 70112(a)(2)(A). This committee can be the Port Security Committee established pursuant to Navigation and Vessel Inspection Circular (NVIC) 09-02 series, available from the cognizant Captain of the Port (COTP) or at https://www.dco.uscg.mil/Our-Organization/NVIC/ . Area Maritime Security (AMS) Plan means the plan developed pursuant to 46 U.S.C. 70103(b). This plan may be the Port Security plan developed pursuant to NVIC 09-02 provided it meets the requirements of part 103 of this subchapter. Area of Responsibility (AOR) means a Coast Guard area, district, marine inspection zone or COTP zone described in 33 CFR part 3. Audit means an evaluation of a security assessment or security plan performed by an owner or operator, the owner or operator's designee, or an approved third-party, intended to identify deficiencies, non-conformities and/or inadequacies that would render the assessment or plan insufficient. Barge means a non-self-propelled vessel (46 CFR 24.10-1). Barge fleeting facility means a commercial area, subject to permitting by the Army Corps of Engineers, as provided in 33 CFR part 322, part 330, or pursuant to a regional general permit the purpose of which is for the making up, breaking down, or staging of barge tows. Biometric match means a confirmation t… | |||
| 33:33:1.0.1.8.50.1.26.3 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.110 Applicability. | USCG | Unless otherwise specified, this subchapter applies to vessels, structures, and facilities of any kind, located under, in, on, or adjacent to waters subject to the jurisdiction of the U.S. | ||||
| 33:33:1.0.1.8.50.1.26.4 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.112 Federalism. | USCG | [USCG-2007-28915, 81 FR 57708, Aug. 23, 2016] | (a) The regulations in 33 CFR parts 101, 103, 104, and 106 have preemptive effect over State or local regulation within the same field. (b) The regulations in 33 CFR part 105 have preemptive effect over State or local regulations insofar as a State or local law or regulation applicable to the facilities covered by part 105 would conflict with the regulations in part 105, either by actually conflicting or by frustrating an overriding Federal need for uniformity. | |||
| 33:33:1.0.1.8.50.1.26.5 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.115 Incorporation by reference. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 69 FR 18803, Apr. 9, 2004; USCG-2010-0351, 75 FR 36282, June 25, 2010; USCG-2013-0397, 78 FR 39173, July 1, 2013] | (a) Certain material is incorporated by reference into this subchapter with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that specified in paragraph (b) of this section, the Coast Guard must publish notice of change in the Federal Register and the material must be available to the public. All approved material is on file at the Office of the Coast Guard Port Security Directorate (CG-5P), Coast Guard Headquarters, 2100 2nd St., SW., Stop 7581, Washington, DC 20593-7581, or at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030, or go to: http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. All material is available from the sources indicated in paragraph (b) of this section. (b) The materials approved for incorporation by reference in this subchapter are as follows: International Maritime Organization (IMO) Publication Section, 4 Albert Embankment, London SE1 7SR, United Kingdom. | |||
| 33:33:1.0.1.8.50.1.26.6 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.120 Alternatives. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 68 FR 60471, Oct. 22, 2003; USCG-2013-0397, 78 FR 39173, July 1, 2013] | (a) Alternative Security Agreements. (1) The U.S. may conclude in writing, as provided in SOLAS Chapter XI-2, Regulation 11 (Incorporated by reference, see § 101.115), a bilateral or multilateral agreements with other Contracting Governments to SOLAS on Alternative Security Arrangements covering short international voyages on fixed routes between facilities subject to the jurisdiction of the U.S. and facilities in the territories of those Contracting Governments. (2) As further provided in SOLAS Chapter XI-2, Regulation 11, a vessel covered by such an agreement shall not conduct any vessel-to-vessel activity with any vessel not covered by the agreement. (b) Alternative Security Programs. (1) Owners and operators of vessels and facilities required to have security plans under part 104, 105, or 106 of this subchapter, other than vessels that are subject to SOLAS Chapter XI, may meet the requirements of an Alternative Security Program that has been reviewed and approved by the Commandant (CG-5P) as meeting the requirements of part 104, 105, or 106, as applicable. (2) Owners or operators must implement an approved Alternative Security Program in its entirety to be deemed in compliance with either part 104, 105, or 106. (3) Owners or operators who have implemented an Alternative Security Program must send a letter to the appropriate plan approval authority under part 104, 105, or 106 of this subchapter identifying which Alternative Security Program they have implemented, identifying those vessels or facilities that will implement the Alternative Security Program, and attesting that they are in full compliance therewith. A copy of this letter shall be retained on board the vessel or kept at the facility to which it pertains along with a copy of the Alternative Security Program and a vessel, facility, or Outer Continental Shelf facility specific security assessment report generated under the Alternative Security Program. (4) Owners or operators shall make available to the Coast Guard, upon request, any informat… | |||
| 33:33:1.0.1.8.50.1.26.7 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.125 [Reserved] | USCG | |||||
| 33:33:1.0.1.8.50.1.26.8 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | A | Subpart A—General | § 101.130 Equivalent security measures. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended by USCG-2013-0397, 78 FR 39173, July 1, 2013] | (a) For any measure required by part 104, 105, or 106 of this subchapter, the owner or operator may substitute an equivalent security measure that has been approved by the Commandant (CG-5P) as meeting or exceeding the effectiveness of the required measure. The Commandant (CG-5P) may require that the owner or operator provide data for use in assessing the effectiveness of the proposed equivalent security measure. (b) Requests for approval of equivalent security measures should be made to the appropriate plan approval authority under parts 104, 105 or 106 of this subchapter. | |||
| 33:33:1.0.1.8.50.2.26.1 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | B | Subpart B—Maritime Security (MARSEC) Levels | § 101.200 MARSEC Levels. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended by USCG-2013-0397, 78 FR 39173, July 1, 2013] | (a) MARSEC Levels advise the maritime community and the public of the level of risk to the maritime elements of the national transportation system. Ports, under direction of the local COTP, will respond to changes in the MARSEC Level by implementing the measures specified in the AMS Plan. Similarly, vessels and facilities required to have security plans under part 104, 105, or 106 of this subchapter shall implement the measures specified in their security plans for the applicable MARSEC Level. (b) Unless otherwise directed, each port, vessel, and facility shall operate at MARSEC Level 1. (c) The Commandant will set (raise or lower) the MARSEC Level commensurate with risk, and in consideration of any maritime nexus to any active National Terrorism Advisory System (NTAS) alerts. Notwithstanding the NTAS, the Commandant retains discretion to adjust the MARSEC Level when necessary to address any particular security concerns or circumstances related to the maritime elements of the national transportation system. (d) The COTP may raise the MARSEC Level for the port, a specific marine operation within the port, or a specific industry within the port, when necessary to address an exigent circumstance immediately affecting the security of the maritime elements of the transportation in his/her area of responsibility. Application of this delegated authority will be pursuant to policies and procedures specified by the Commandant. | |||
| 33:33:1.0.1.8.50.2.26.2 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | B | Subpart B—Maritime Security (MARSEC) Levels | § 101.205 [Reserved] | USCG | |||||
| 33:33:1.0.1.8.50.3.26.1 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | C | Subpart C—Communication (Port—Facility—Vessel) | § 101.300 Preparedness communications. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 68 FR 60472, Oct. 22, 2003] | (a) Notification of MARSEC Level change. The COTP will communicate any changes in the MARSEC Levels through a local Broadcast Notice to Mariners, an electronic means, if available, or as detailed in the AMS Plan. (b) Communication of threats. When the COTP is made aware of a threat that may cause a transportation security incident, the COTP will, when appropriate, communicate to the port stakeholders, vessels, and facilities in his or her AOR the following details: (1) Geographic area potentially impacted by the probable threat; (2) Any appropriate information identifying potential targets; (3) Onset and expected duration of probable threat; (4) Type of probable threat; and (5) Required actions to minimize risk. (c) Attainment. (1) Each owner or operator of a vessel or facility required to have a security plan under parts 104 or 105 of this subchapter affected by a change in the MARSEC Level must ensure confirmation to their local COTP the attainment of measures or actions described in their security plan and any other requirements imposed by the COTP that correspond with the MARSEC Level being imposed by the change. (2) Each owner or operator of a facility required to have a security plan under part 106 of this subchapter affected by a change in the MARSEC Level must ensure confirmation to their cognizant District Commander the attainment of measures or actions described in their security plan and any other requirements imposed by the District Commander or COTP that correspond with the MARSEC Level being imposed by the change. | |||
| 33:33:1.0.1.8.50.3.26.2 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | C | Subpart C—Communication (Port—Facility—Vessel) | § 101.305 Reporting. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended by USCG-2004-18057, 69 FR 34925, June 23, 2004; USCG-2005-21531, 70 FR 36349, June 23, 2005; USCG-2006-25150, 71 FR 39208, July 12, 2006; USCG-2008-0179, 73 FR 35009, June 19, 2008] | (a) Notification of suspicious activities. An owner or operator required to have a security plan under part 104, 105, or 106 of this subchapter shall, without delay, report activities that may result in a transportation security incident to the National Response Center at the following toll free telephone: 1-800-424-8802, direct telephone 202-267-2675, or TDD 202-267-4477. Any other person or entity is also encouraged to report activities that may result in a transportation security incident to the National Response Center. (b) Notification of breaches of security. An owner or operator required to have a security plan under parts 104, 105, or 106 of this subchapter shall, without delay, report breaches of security to the National Response Center via one of the means listed in paragraph (a) of this section. (c) Notification of transportation security incident (TSI). (1) Any owner or operator required to have a security plan under part 104 or 105 of this subchapter shall, without delay, report a TSI to their local COTP and immediately thereafter begin following the procedures set out in their security plan, which may include contacting the National Response Center via one of the means listed in paragraph (a) of this section. (2) Any owner or operator required to have a security plan under part 106 of this subchapter shall, without delay, report a TSI to their cognizant District Commander and immediately thereafter begin following the procedures set out in their security plan, which may include contacting the National Response Center via one of the means listed in paragraph (a) of this section. (d) Callers to the National Response Center should be prepared to provide as much of the following information as possible: (1) Their own name and contact information; (2) The name and contact information of the suspicious or responsible party; (3) The location of the incident, as specifically as possible; and (4) The description of the incident or activity involved. | |||
| 33:33:1.0.1.8.50.3.26.3 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | C | Subpart C—Communication (Port—Facility—Vessel) | § 101.310 Additional communication devices. | USCG | (a) Alert Systems. Alert systems, such as the ship security alert system required in SOLAS Chapter XI-2, Regulation 6 (Incorporated by reference, see § 101.115), may be used to augment communication and may be one of the communication methods listed in a vessel or facility security plan under part 104, 105, or 106 of this subchapter. (b) Automated Identification Systems (AIS). AIS may be used to augment communication, and may be one of the communication methods listed in a vessel security plan under part 104 of this subchapter. See 33 CFR part 164 for additional information on AIS device requirements. | ||||
| 33:33:1.0.1.8.50.4.26.1 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | D | Subpart D—Control Measures for Security | § 101.400 Enforcement. | USCG | (a) The rules and regulations in this subchapter are enforced by the COTP under the supervision and general direction of the District Commander, Area Commander, and the Commandant. All authority and power vested in the COTP by the rules and regulations in this subchapter is also vested in, and may be exercised by, the District Commander, Area Commander, and the Commandant. (b) The COTP, District Commander, Area Commander, or Commandant may assign the enforcement authority described in paragraph (a) of this section to any other officer or petty officer of the Coast Guard or other designees authorized by the Commandant. (c) The provisions in this subchapter do not limit the powers conferred upon Coast Guard commissioned, warrant, or petty officers by any other law or regulation, including but not limited to 33 CFR parts 6, 160, and 165. | ||||
| 33:33:1.0.1.8.50.4.26.2 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | D | Subpart D—Control Measures for Security | § 101.405 Maritime Security (MARSEC) Directives. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 68 FR 60472, Oct. 22, 2003] | (a)(1) When the Coast Guard determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against the maritime elements of the national transportation system, the Coast Guard may issue a MARSEC Directive setting forth mandatory measures. Only the Commandant or his/her delegee may issue MARSEC Directives under this section. Prior to issuing a MARSEC Directive, the Commandant or his/her delegee will consult with those Federal agencies having an interest in the subject matter of that MARSEC Directive. All MARSEC Directives issued under this section shall be marked as sensitive security information (SSI) in accordance with 49 CFR part 1520. (2) When a MARSEC Directive is issued, the Coast Guard will immediately publish a notice in the Federal Register, and affected owners and operators will need to go to their local COTP or cognizant District Commander to acquire a copy of the MARSEC Directive. COTPs and District Commanders will require owners or operators to prove that they are a person required by 49 CFR 1520.5(a) to restrict disclosure of and access to sensitive security information, and that under 49 CFR 1520.5(b), they have a need to know sensitive security information. (b) Each owner or operator of a vessel or facility to whom a MARSEC Directive applies is required to comply with the relevant instructions contained in a MARSEC Directive issued under this section within the time prescribed by that MARSEC Directive. (c) Each owner or operator of a vessel or facility required to have a security plan under parts 104, 105 or 106 of this subchapter that receives a MARSEC Directive must: (1) Within the time prescribed in the MARSEC Directive, acknowledge receipt of the MARSEC Directive to their local COTP or, if a facility regulated under part 106 of this subchapter, to their cognizant District Commander; and (2) Within the time prescribed in the MARSEC Directive, specify the method by which the measures in the MARSEC Directive have been implemented (or wil… | |||
| 33:33:1.0.1.8.50.4.26.3 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | D | Subpart D—Control Measures for Security | § 101.410 Control and Compliance Measures. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 68 FR 60472, Oct. 22, 2003] | (a) The COTP may exercise authority pursuant to 33 CFR parts 6, 160 and 165, as appropriate, to rectify non-compliance with this subchapter. COTPs or their designees are the officers duly authorized to exercise control and compliance measures under SOLAS Chapter XI-2, Regulation 9, and the ISPS Code (Incorporated by reference, see § 101.115). (b) Control and compliance measures for vessels not in compliance with this subchapter may include, but are not limited to, one or more of the following: (1) Inspection of the vessel; (2) Delay of the vessel; (3) Detention of the vessel; (4) Restriction of vessel operations; (5) Denial of port entry; (6) Expulsion from port; (7) Lesser administrative and corrective measures; or (8) Suspension or revocation of a security plan approved by the U.S., thereby making that vessel ineligible to operate in, on, or under waters subject to the jurisdiction of the U.S. in accordance with 46 U.S.C. 70103(c)(5). (c) Control and compliance measures for facilities not in compliance with this subchapter may include, but are not limited to, one or more of the following: (1) Restrictions on facility access; (2) Conditions on facility operations; (3) Suspension of facility operations; (4) Lesser administrative and corrective measures; or (5) Suspension or revocation of security plan approval, thereby making that facility ineligible to operate in, on, under or adjacent to waters subject to the jurisdiction of the U.S. in accordance with 46 U.S.C. 70103(c)(5). (d) Control and compliance measures under this section may be imposed on a vessel when it has called on a facility or at a port that does not maintain adequate security measures to ensure that the level of security to be achieved by this subchapter has not been compromised. | |||
| 33:33:1.0.1.8.50.4.26.4 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | D | Subpart D—Control Measures for Security | § 101.415 Penalties. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended by USCG-2008-0179, 73 FR 35009, June 19, 2008; USCG-2020-0304, 85 FR 58277, Sept. 18, 2020] | (a) Civil and criminal penalty. Violation of any order or other requirement imposed under section 101.405 of this part is punishable by the civil and criminal penalties prescribed in 46 U.S.C. 70036 or 46 U.S.C. 70052, as appropriate. (b) Civil penalty. As provided in 46 U.S.C. 70119, any person who does not comply with any other applicable requirement under this subchapter, including a Maritime Security Directive, shall be liable to the U.S. for a civil penalty of not more than $25,000 for each violation. Enforcement and administration of this provision will be in accordance with 33 CFR 1.07. | |||
| 33:33:1.0.1.8.50.4.26.5 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | D | Subpart D—Control Measures for Security | § 101.420 Right to appeal. | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 68 FR 60472, Oct. 22, 2003; 68 FR 62502, Nov. 4, 2003; USCG-2008-0179, 73 FR 35009, June 19, 2008; USCG-2013-0397, 78 FR 39173, July 1, 2013] | (a) Any person directly affected by a decision or action taken by a COTP under this subchapter, may appeal that action or decision to the cognizant District Commander according to the procedures in 46 CFR 1.03-15. (b) Any person directly affected by a decision or action taken by a District Commander, whether made under this subchapter generally or pursuant to paragraph (a) of this section, with the exception of those decisions made under § 101.410 of this subpart, may appeal that decision or action to the Commandant (CG-5P), according to the procedures in 46 CFR 1.03-15. Appeals of District Commander decisions or actions made under § 101.410 of this subpart should be made to the Commandant (CG-CVC), according to the procedures in 46 CFR 1.03-15. (c) Any person directly affected by a decision or action taken by the Commanding Officer, Marine Safety Center, under this subchapter, may appeal that action or decision to the Commandant (CG-5P) according to the procedures in 46 CFR 1.03-15. (d) Decisions made by Commandant (CG-5P), whether made under this subchapter generally or pursuant to the appeal provisions of this section, are considered final agency action. | |||
| 33:33:1.0.1.8.50.5.26.1 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.500 Procedures for authorizing a Recognized Security Organization (RSO). [Reserved] | USCG | |||||
| 33:33:1.0.1.8.50.5.26.10 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.540 Electronic TWIC inspection requirements for vessels, facilities, and OCS facilities not in Risk Group A. | USCG | [USCG-2007-28915, 81 FR 57709, Aug. 23, 2016] | A vessel or facility not in Risk Group A may use the electronic TWIC inspection requirements of § 101.535 in lieu of visual TWIC inspection. If electronic TWIC inspection is used, the recordkeeping requirements of § 104.235(b)(9) and (c) of this subchapter, or § 105.225(b)(9) and (c) of this subchapter, as appropriate, apply. | |||
| 33:33:1.0.1.8.50.5.26.11 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.545 [Reserved] | USCG | |||||
| 33:33:1.0.1.8.50.5.26.12 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.550 TWIC inspection requirements in special circumstances. | USCG | [USCG-2007-28915, 81 FR 57709, Aug. 23, 2016] | Owners or operators of any vessel, facility, or Outer Continental Shelf (OCS) facility subject to part 104, 105, or 106 of this subchapter must ensure that a Transportation Worker Identification Credential (TWIC) Program is implemented as follows: (a) Lost, damaged, stolen, or expired TWIC. If an individual cannot present a TWIC because it has been lost, damaged, stolen, or expired, and the individual previously has been granted unescorted access to secure areas and is known to have had a TWIC, the individual may be granted unescorted access to secure areas for a period of no longer than 30 consecutive calendar days if— (1) The individual provides proof that he or she has reported the TWIC as lost, damaged, or stolen to the Transportation Security Administration (TSA) as required in 49 CFR 1572.19(f), or the individual provides proof that he or she has applied for the renewal of an expired TWIC; (2) The individual can present another identification credential that meets the requirements of § 101.515; and (3) There are no other suspicious circumstances associated with the individual's claim that the TWIC was lost, damaged, or stolen. (b) TWIC on the Canceled Card List. In the event an individual reports his or her TWIC as lost, damaged, or stolen, and that TWIC is then placed on the Canceled Card List, the individual may be granted unescorted access by a Physical Access Control System (PACS) that meets the requirements of § 101.530 for a period of no longer than 30 days. The individual must be known to have had a TWIC, and known to have reported the TWIC as lost, damaged, or stolen to TSA. (c) Special requirements for Risk Group A vessels and facilities. If a TWIC reader or a PACS cannot read an individual's biometric templates due to poor biometric quality or no biometrics enrolled, the owner or operator may grant the individual unescorted access to secure areas based on either of the following secondary authentication procedures: (1) The owner or operator must conduct a visual TWIC inspection and re… | |||
| 33:33:1.0.1.8.50.5.26.13 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.555 Recurring Unescorted Access for Risk Group A vessels and facilities. | USCG | [USCG-2007-28915, 81 FR 57710, Aug. 23, 2016] | This section describes how designated TWIC-holders may access certain secure areas on Risk Group A vessels and facilities on a continual and repeated basis without undergoing repeated electronic TWIC inspections. (a) An individual may enter a secure area on a vessel or facility without undergoing an electronic TWIC inspection under the following conditions: (1) Access is through a Designated Recurring Access Area (DRAA), designated under an approved Vessel, Facility, or Joint Vessel-Facility Security Plan. (2) The entire DRAA is continuously monitored by security personnel at the access points to secure areas used by personnel seeking Recurring Unescorted Access. (3) The individual possesses a valid TWIC. (4) The individual has passed an electronic TWIC inspection within each shift and in the presence of the on-scene security personnel. (5) The individual passes an additional electronic TWIC inspection prior to being granted unescorted access to a secure area if he or she enters an unsecured area outside the DRAA and then returns. (b) The following requirements apply to a DRAA: (1) It must consist of an unsecured area where personnel will be moving into an adjacent secure area repeatedly. (2) The entire DRAA must be visible to security personnel. (3) During operation as a DRAA, there must be security personnel present at all times. (c) An area may operate as a DRAA at certain times, and during other times, access to secure areas may be obtained through the procedures in § 101.535. (d) Personnel may enter the secure areas adjacent to a DRAA at any time using the procedures in § 101.535. | |||
| 33:33:1.0.1.8.50.5.26.2 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.505 Declaration of Security (DoS). | USCG | [USCG-2003-14792, 68 FR 39278, July 1, 2003, as amended at 68 FR 60472, Oct. 22, 2003] | (a) The purpose of a DoS, as described in SOLAS Chapter XI-2, Regulation 10, and the ISPS Code (Incorporated by reference, see § 101.115), is to state the agreement reached between a vessel and a facility, or between vessels in the case of a vessel-to-vessel activity, as to the respective security measures each must undertake during a specific vessel-to-facility interface, during a series of interfaces between the vessel and the facility, or during a vessel-to-vessel activity. (b) Details as to who must complete a DoS, when a DoS must be completed, and how long a DoS must be retained are included in parts 104 through 106 of this subchapter. A DoS must, at a minimum, include the information found in the ISPS Code, part B, appendix 1 (Incorporated by reference, see § 101.115). (c) All vessels and facilities required to comply with parts 104, 105, and 106 of this subchapter must, at a minimum, comply with the DoS requirements of the MARSEC Level set for the port. (d) The COTP may also require a DoS be completed for vessels and facilities during periods of critical port operations, special marine events, or when vessels give notification of a higher MARSEC Level than that set in the COTP's Area of Responsibility (AOR). | |||
| 33:33:1.0.1.8.50.5.26.3 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.510 Assessment tools. | USCG | [USCG-2012-0306, 77 FR 37313, June 21, 2012, as amended by USCG-2013-0397, 78 FR 39173, July 1, 2013; USCG-2022-0323, 88 FR 10028, Feb. 16, 2023] | Ports, vessels, and facilities required to conduct security assessments by part 103, 104, 105, or 106 of this subchapter may use any assessment tool that meets the standards set out in part 103, 104, 105, or 106, as applicable. These tools may include USCG assessment tools, which are available from the cognizant COTP or at https://www.dco.uscg.mil/Our-Organization/NVIC/ , as set out in the following: (a) Navigation and Vessel Inspection Circular titled, “Guidelines for Port Security Committees, and Port Security Plans Required for U.S. Ports” (NVIC 9-02 series); (b) Navigation and Vessel Inspection Circular titled, “Security Guidelines for Vessels”, (NVIC 10-02 change 1); and (c) Navigation and Vessel Inspection Circular titled, “Security Guidelines for Facilities”, (NVIC 11-02 change 1). | |||
| 33:33:1.0.1.8.50.5.26.4 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.514 TWIC Requirement. | USCG | [USCG-2006-24196, 72 FR 3578, Jan. 25, 2007, as amended at 73 FR 25565, May 7, 2008; USCG-2015-0433, 80 FR 44281, July 27, 2015; USCG-2007-28915, 81 FR 57708, Aug. 23, 2016] | (a) All persons requiring unescorted access to secure areas of vessels, facilities, and OCS facilities regulated by parts 104, 105 or 106 of this subchapter must possess a TWIC before such access is granted, except as otherwise noted in this section. A TWIC must be obtained via the procedures established by TSA in 49 CFR part 1572. (b) Federal officials are not required to obtain or possess a TWIC. Except in cases of emergencies or other exigent circumstances, in order to gain unescorted access to a secure area of a vessel, facility, or OCS facility regulated by parts 104, 105 or 106 of this subchapter, a Federal official must present his/her agency issued, HSPD 12 compliant credential. Until each agency issues its HSPD 12 compliant cards, Federal officials may gain unescorted access by using their agency's official credential. The COTP will advise facilities and vessels within his or her area of responsibility as agencies come into compliance with HSPD 12. (c) Law enforcement officials at the State or local level are not required to obtain or possess a TWIC to gain unescorted access to secure areas. They may, however, voluntarily obtain a TWIC where their offices fall within or where they require frequent unescorted access to a secure area of a vessel, facility or OCS facility. (d) Emergency responders at the State or local level are not required to obtain or possess a TWIC to gain unescorted access to secure areas during an emergency situation. They may, however, voluntarily obtain a TWIC where their offices fall within or where they desire frequent unescorted access to a secure area of a vessel, facility or OCS facility in non-emergency situations. | |||
| 33:33:1.0.1.8.50.5.26.5 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.515 TWIC/Personal Identification. | USCG | [USCG-2006-24196, 72 FR 3578, Jan. 25, 2007, as amended by USCG-2007-28915, 81 FR 57708, Aug. 23, 2016] | (a) Persons not described in § 101.514 must present personal identification in order to gain entry to a vessel, facility, and OCS facility regulated by parts 104, 105 or 106 of this subchapter. These individuals must be under escort, as that term is defined in § 101.105 of this part, while inside a secure area. This personal identification must, at a minimum, meet the following requirements: (1) Be laminated or otherwise secure against tampering; (2) Contain the individual's full name (full first and last names, middle initial is acceptable); (3) Contain a photo that accurately depicts that individual's current facial appearance; and (4) Bear the name of the issuing authority. (b) The issuing authority in paragraph (a)(4) of this section must be: (1) A government authority, or an organization authorized to act on behalf of a government authority; or (2) The individual's employer, union, or trade association. (c) Vessel, facility, and OCS facility owners and operators must permit law enforcement officials, in the performance of their official duties, who present proper identification in accordance with this section and § 101.514 to enter or board that vessel, facility, or OCS facility at any time, without delay or obstruction. Law enforcement officials, upon entering or boarding a vessel, facility, or OCS facility, will, as soon as practicable, explain their mission to the Master, owner, or operator, or their designated agent. (d) Inspection of credential. (1) Each person who has been issued or possesses a TWIC must present the TWIC for inspection upon a request from TSA, the Coast Guard, or other authorized DHS representative; an authorized representative of the National Transportation Safety Board; or a Federal, State, or local law enforcement officer. (2) Each person who has been issued or possesses a TWIC must pass an electronic TWIC inspection, and must submit his or her reference biometric, such as a fingerprint, and any other required information, such as a Personal Identification Number, upon a… | |||
| 33:33:1.0.1.8.50.5.26.6 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.520 Electronic TWIC inspection. | USCG | [USCG-2007-28915, 81 FR 57708, Aug. 23, 2016] | To conduct electronic TWIC inspection, the owner or operator of a vessel or facility must ensure the following actions are performed. (a) Card authentication. The TWIC must be authenticated by performing a challenge/response protocol using the Certificate for Card Authentication (CCA) and the associated card authentication private key stored in the TWIC. (b) Card validity check. The TWIC must be checked to ensure the TWIC has not expired and against TSA's list of cancelled TWICs, and no match on the list may be found. (c) Identity verification. (1) One of the biometric templates stored in the TWIC must be matched to the TWIC-holder's live sample biometric or, by matching to the PACS enrolled reference biometrics linked to the FASC-N of the TWIC; or (2) If an individual is unable to provide a valid live sample biometric, the TWIC-holder must enter a Personal Identification Number (PIN) and pass a visual TWIC inspection. | |||
| 33:33:1.0.1.8.50.5.26.7 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.525 TSA list of cancelled TWICs. | USCG | [USCG-2007-28915, 81 FR 57709, Aug. 23, 2016] | (a) At Maritime Security (MARSEC) Level 1, the card validity check must be conducted using information from the TSA that is no more than 7 days old. (b) At MARSEC Level 2, the card validity check must be conducted using information from the TSA that is no more than 1 day old. (c) At MARSEC Level 3, the card validity check must be conducted using information from the TSA that is no more than 1 day old. (d) The list of cancelled TWICs used to conduct the card validity check must be updated within 12 hours of any increase in MARSEC level, no matter when the information was last updated. (e) Only the most recently obtained list of cancelled TWICs must be used to conduct card validity checks. | |||
| 33:33:1.0.1.8.50.5.26.8 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.530 PACS requirements for Risk Group A. | USCG | [USCG-2007-28915, 81 FR 57709, Aug. 23, 2016] | This section lays out requirements for a Physical Access Control System (PACS) that may be used to meet electronic TWIC inspection requirements. (a) A PACS may use a TWIC directly to perform electronic TWIC inspection; (b) Each PACS card issued to an individual must be linked to that individual's TWIC, and the PACS must contain the following information from each linked TWIC: (1) The name of the TWIC-holder holder as represented in the Printed Information container of the TWIC. (2) The TWIC-signed CHUID (with digital signature and expiration date). (3) The TWIC resident biometric template. (4) The TWIC digital facial image. (5) The PACS Personal Identification Number (PIN). (c) When first linked, a one-time electronic TWIC inspection must be performed, and the TWIC must be verified as authentic, valid, and biometrically matched to the individual presenting the TWIC. (d) Each time the PACS card is used to gain access to a secure area, the PACS must— (1) Conduct identity verification by: (i) Conducting a biometric scan, and match the result with the biometric template stored in the PACS that is linked to the TWIC, or (ii) Having the individual enter a stored PACS PIN and conducting a Non-TWIC visual identity verification as defined in § 101.105. (2) Conduct a card validity check; and (3) Maintain records in accordance with § 104.235(g) or § 105.225(g) of this subchapter, as appropriate. | |||
| 33:33:1.0.1.8.50.5.26.9 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | E | Subpart E—Other Provisions | § 101.535 Electronic TWIC inspection requirements for Risk Group A. | USCG | [USCG-2007-28915, 81 FR 57709, Aug. 23, 2016] | Owners or operators of vessels or facilities subject to part 104 or 105 of this subchapter, that are assigned to Risk Group A in § 104.263 or § 105.253 of this subchapter, must ensure that a Transportation Worker Identification Credential (TWIC) Program is implemented as follows: (a) Requirements for Risk Group A vessels. Prior to each boarding of the vessel, all persons who require access to a secure area of the vessel must pass an electronic TWIC inspection before being granted unescorted access to the vessel. (b) Requirements for Risk Group A facilities. Prior to each entry into a secure area of the facility, all persons must pass an electronic TWIC inspection before being granted unescorted access to secure areas of the facility. (c) A Physical Access Control System that meets the requirements of § 101.530 may be used to meet the requirements of this section. (d) The requirements of this section do not apply under certain situations described in § 101.550 or § 101.555. (e) Emergency access to secure areas, including access by law enforcement and emergency responders, does not require electronic TWIC inspection. | |||
| 33:33:1.0.1.8.50.6.26.1 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.600 Purpose. | USCG | The purpose of this subpart is to set minimum cybersecurity requirements for U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities to safeguard and ensure the security and resilience of the Marine Transportation System (MTS). | ||||
| 33:33:1.0.1.8.50.6.26.10 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.645 Communications. | USCG | (a) The CySO must have a means to effectively notify owners or operators and personnel of a U.S.-flagged vessel, facility, or OCS facility of changes in cybersecurity conditions at the U.S.-flagged vessel, facility, and OCS facility and document these means in Section 5 of the Cybersecurity Plan. (b) Communication systems and procedures must allow effective and continuous communications between U.S.-flagged vessel, facility, and OCS facility security personnel, vessels interfacing with a facility or an OCS facility, the cognizant COTP, and national and local authorities with security responsibilities. | ||||
| 33:33:1.0.1.8.50.6.26.11 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.650 Cybersecurity measures. | USCG | (a) Account security measures. Each owner or operator of a U.S.-flagged vessel, facility, or OCS facility must ensure, at a minimum, the following account security measures are in place and documented in Section 7 of the Cybersecurity Plan: (1) Automatic account lockout after repeated failed login attempts must be enabled on all password-protected IT systems; (2) Default passwords must be changed before using any IT or OT systems. When changing default passwords is not feasible, appropriate compensating security controls must be implemented and documented; (3) A minimum password strength must be maintained on all IT and OT systems that are technically capable of password protection; (4) Multifactor authentication must be implemented on password-protected IT and remotely accessible OT systems. When multifactor authentication is not feasible, appropriate compensating security controls must be implemented and documented; (5) The principle of least privilege must be applied to administrator or otherwise privileged accounts on both IT and OT systems; (6) The owner or operator must ensure that users maintain separate credentials on critical IT and OT systems; and (7) The owner or operator must ensure that user credentials are removed or revoked when a user leaves the organization. (b) Device security measures. Each owner or operator or designated CySO of a U.S.-flagged vessel, facility, or OCS facility must ensure the following device security measures are in place, addressed in Section 6 of the Cybersecurity Plan, and made available to the Coast Guard upon request: (1) Develop and maintain a list of approved hardware, firmware, and software that may be installed on IT or OT systems. Any hardware, firmware, and software installed on IT and OT systems must be on the owner- or operator-approved list; (2) Ensure applications running executable code are disabled by default on critical IT and OT systems; (3) Maintain an accurate inventory of network-connected systems, including designation of critical IT and … | ||||
| 33:33:1.0.1.8.50.6.26.12 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.655 Cybersecurity compliance dates. | USCG | All Cybersecurity Plans mentioned in this subpart must be submitted to the Coast Guard for review and approval no later than July 16, 2027, according to 33 CFR 104.410 for U.S.-flagged vessels, 33 CFR 105.410 for facilities, or 33 CFR 106.410 for OCS facilities. | ||||
| 33:33:1.0.1.8.50.6.26.13 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.660 Cybersecurity compliance documentation. | USCG | Each owner or operator must ensure that the cybersecurity portion of their Plan and penetration test results are available to the Coast Guard upon request. The Alternative Security Program provisions apply to cybersecurity compliance documentation and are addressed in 33 CFR 104.140 for vessels, 33 CFR 105.140 for facilities, and 33 CFR 106.135 for OCS facilities. | ||||
| 33:33:1.0.1.8.50.6.26.14 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.665 Noncompliance, waivers, and equivalents. | USCG | An owner or operator, after completion of the required Cybersecurity Assessment, may seek a waiver or an equivalence determination for the requirements in subpart F using the standards and submission procedures applicable to a U.S.-flagged vessel, facility, or OCS facility as outlined in 33 CFR 101.130, 104.130, 104.135, 105.130, 105.135, 106.125, or 106.130. If an owner or operator must temporarily deviate from the requirements in this part, they must notify the cognizant COTP for facilities or OCS facilities, or the MSC for U.S.-flagged vessels, and may request temporary permission to continue to operate under the provisions as outlined in 33 CFR 104.125, 105.125, or 106.120. | ||||
| 33:33:1.0.1.8.50.6.26.15 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.670 Severability. | USCG | Any provision of this subpart held to be invalid or unenforceable as applied to any person or circumstance shall be construed so as to continue to give the maximum effect to the provision permitted by law, including as applied to persons not similarly situated or to dissimilar circumstances, unless such holding is that the provision of this subpart is invalid and unenforceable in all circumstances, in which event the provision shall be severable from the remainder of this subpart and shall not affect the remainder thereof. | ||||
| 33:33:1.0.1.8.50.6.26.2 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.605 Applicability. | USCG | (a) This subpart applies to the owners and operators of U.S.-flagged vessels, facilities, and OCS facilities required to have a security plan under 33 CFR parts 104, 105, and 106. (b) This subpart does not apply to any foreign-flagged vessels subject to 33 CFR part 104. | ||||
| 33:33:1.0.1.8.50.6.26.3 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.610 Federalism. | USCG | Consistent with § 101.112(b), with respect to a facility regulated under 33 CFR part 105 to which this subpart applies, the regulations in this subpart have preemptive effect over a State or local law or regulation insofar as the State or local law or regulation applicable to the facility conflicts with these regulations, either by actually conflicting or by frustrating an overriding Federal need for uniformity. | ||||
| 33:33:1.0.1.8.50.6.26.4 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.615 Definitions. | USCG | Unless otherwise specified, as used in this subpart: Approved list means an owner or operator's authoritative catalog for products that meet cybersecurity requirements. Backup means a copy of physical or virtual files or databases stored separately for preservation and recovery. It may also refer to the process of creating a copy. Credentials means a set of data attributes that uniquely identifies a system entity such as a person, an organization, a service, or a device, and attests to one's right to access to a particular system. Critical Information Technology (IT) or Operational Technology (OT) systems means any Information Technology (IT) or Operational Technology (OT) system used by the vessel, facility, or OCS facility that, if compromised or exploited, could result in a transportation security incident (TSI), as determined by the Cybersecurity Officer (CySO) in the Cybersecurity Plan. Critical IT or OT systems include those business support services that, if compromised or exploited, could result in a TSI. This term includes systems whose ownership, operation, maintenance, or control is delegated wholly or in part to any other party. Cyber incident means an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system, or actually jeopardizes, without lawful authority, an information system. Cyber Incident Response Plan means a set of predetermined and documented procedures to respond to a cyber incident. It is a document that gives the owner or operator or a designated CySO instructions on how to respond to a cyber incident and pre-identifies key roles, responsibilities, and decision-makers. Cyber threat means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stor… | ||||
| 33:33:1.0.1.8.50.6.26.5 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.620 Owner or operator. | USCG | (a) Each owner or operator of a U.S.-flagged vessel, facility, or OCS facility is responsible for compliance with the requirements of this subpart. (b) For each U.S.-flagged vessel, facility, or OCS facility, the owner or operator must— (1) Ensure a Cybersecurity Plan is developed, approved, and maintained; (2) Define in Section 1 of the Cybersecurity Plan the cybersecurity organizational structure and identify each person exercising cybersecurity duties and responsibilities within that structure, with the support needed to fulfill those obligations; (3) Designate, in writing, by name and by title, a Cybersecurity Officer (CySO) who is accessible to the Coast Guard 24 hours a day, 7 days a week, and identify how the CySO can be contacted at any time; (4) Ensure that cybersecurity exercises, audits, and inspections, as well as the Cybersecurity Assessment, are conducted as required by this part and in accordance with the Cybersecurity Plan (see § 101.625(d)(1), (3), (6) and (7)); (5) Ensure that the U.S.-flagged vessel, facility, or OCS facility operates in compliance with the approved Cybersecurity Plan; (6) Ensure the development, approval, and execution of the Cyber Incident Response Plan; and (7) For entities that have not reported to the Coast Guard pursuant to, or are not subject to, 33 CFR 6.16-1, ensure all reportable cyber incidents are reported to the National Response Center (NRC). | ||||
| 33:33:1.0.1.8.50.6.26.6 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.625 Cybersecurity Officer. | USCG | (a) Other duties. The Cybersecurity Officer (CySO) may serve in other roles or positions and may perform other duties within the owner's or operator's organization (U.S.-flagged vessel, facility, or OCS facility), provided the person is able to perform the duties and responsibilities required of the CySO by this part. (b) Serving as CySO for Multiple Vessels, Facilities, or OCS Facilities. The same person may serve as the CySO for more than one U.S.-flagged vessel, facility, or OCS facility. If a person serves as the CySO for more than one U.S.-flagged vessel, facility, or OCS facility, the name of each U.S.-flagged vessel, facility, or OCS facility for which that person is the CySO must be listed in the Cybersecurity Plan of each U.S.-flagged vessel, facility, or OCS facility for which that person is the CySO. (c) Assigning Duties Permitted. The CySO may assign security duties to other U.S.-flagged vessel, facility, or OCS facility personnel; however, the CySO retains ultimate responsibility for these duties. (d) Responsibilities. For each U.S.-flagged vessel, facility, or OCS facility for which they are designated, the CySO must— (1) Ensure that the Cybersecurity Assessment is conducted as required by this part; (2) Ensure the cybersecurity measures in the Cybersecurity Plan are developed, implemented, and operating as intended; (3) Ensure that an annual audit of the Cybersecurity Plan and its implementation is conducted and, if necessary, ensure that the Cybersecurity Plan is updated; (4) Ensure the Cyber Incident Response Plan is executed and exercised; (5) Ensure the Cybersecurity Plan is exercised in accordance with § 101.635(c); (6) Arrange for cybersecurity inspections, which may be conducted as their own inspections, or in conjunction with any scheduled Coast Guard inspection of a U.S.-flagged vessel, facility, or OCS facility; (7) Ensure the prompt correction of problems identified by exercises, audits, or inspections; (8) Enhance the cybersecurity awareness and vigilance of personnel… | ||||
| 33:33:1.0.1.8.50.6.26.7 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.630 Cybersecurity Plan. | USCG | (a) General. The CySO must develop, implement, and verify a Cybersecurity Plan for U.S.-flagged vessels, facilities, or OCS facilities. The Cybersecurity Plan must reflect all cybersecurity measures required in this subpart, as appropriate, to mitigate risks identified during the Cybersecurity Assessment. The Plan must describe in detail how the requirements of subpart F will be met. The Cybersecurity Plan may be included in a VSP, FSP, or an OCS FSP; as an annex to the VSP, FSP, or OCS FSP; as part of an approved Alternative Security Program; or may be provided in a separate submission from the VSP, FSP, or OCS FSP. (b) Protecting sensitive security information. The Cybersecurity Plan is sensitive security information and must be protected in accordance with 49 CFR part 1520. (c) Format. The owner or operator must ensure that the Cybersecurity Plan consists of the individual sections listed in this paragraph. If the Cybersecurity Plan does not follow the order as it appears on the list, the owner or operator must ensure that the Plan contains an index identifying the location of each of the following sections: (1) Cybersecurity organization and identity of the CySO; (2) Personnel training; (3) Drills and exercises; (4) Records and documentation; (5) Communications; (6) Cybersecurity systems and equipment, with associated maintenance; (7) Cybersecurity measures for access control, including the computer, IT, and OT access areas; (8) Physical security controls for IT and OT systems; (9) Cybersecurity measures for monitoring; (10) Audits and amendments to the Cybersecurity Plan; (11) Reports of all cybersecurity audits and inspections, to include documentation of resolution or mitigation of all identified vulnerabilities; (12) Documentation of all identified, unresolved vulnerabilities, to include those that are intentionally unresolved due to owner or operator risk acceptance; (13) Cyber incident reporting procedures in accordance with part 101 of this subchapter; and (14) Cybersecurity Asses… | ||||
| 33:33:1.0.1.8.50.6.26.8 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.635 Drills and exercises. | USCG | (a) General. (1) Drills and exercises must be used to test the proficiency of the U.S.-flagged vessel, facility, and OCS facility personnel in assigned cybersecurity duties and the effective implementation of the VSP, FSP, OCS FSP, and Cybersecurity Plan. The drills and exercises must enable the CySO to identify any related cybersecurity deficiencies that need to be addressed. (2) The drill or exercise requirements specified in this section may be satisfied with the implementation of cybersecurity measures required by the VSP, FSP, OCS FSP, and Cybersecurity Plan as the result of a cyber incident, as long as the U.S.-flagged vessel, facility, or OCS facility achieves and documents attainment of drill and exercise goals for the cognizant COTP. (b) Drills. (1) The CySO must ensure that cybersecurity drills are conducted at least twice each calendar year. Cybersecurity drills may be held in conjunction with other security or non-security drills, as required by 33 CFR 104.230, 105.220, or 106.225, where appropriate. (2) Drills must test individual elements of the Cybersecurity Plan, including responses to cybersecurity threats and incidents. Cybersecurity drills must take into account the types of operations of the U.S.-flagged vessel, facility, or OCS facility; changes to the U.S.-flagged vessel, facility, or OCS facility personnel; the type of vessel a facility is serving; and other relevant circumstances. (3) If a vessel is moored at a facility on a date a facility has planned to conduct any drills, the facility cannot require the vessel or vessel personnel to be a part of or participate in the facility's scheduled drill. (c) Exercises. (1) Exercises must be conducted at least once each calendar year, with no more than 18 months between exercises. (2) Exercises may be— (i) Full-scale or live; (ii) Tabletop simulation; (iii) Combined with other appropriate exercises as required by 33 CFR 104.230, 105.220, or 106.225; or (iv) A combination of the elements in paragraphs (c)(2)(i) through (iii) of this… | ||||
| 33:33:1.0.1.8.50.6.26.9 | 33 | Navigation and Navigable Waters | I | H | 101 | PART 101—MARITIME SECURITY: GENERAL | F | Subpart F—Cybersecurity | § 101.640 Records and documentation. | USCG | All records, reports, and other documents mentioned in this subpart must be created and maintained in accordance with 33 CFR 104.235 for U.S.-flagged vessels, 105.225 for facilities, and 106.230 for OCS facilities. At a minimum, the records must be created for the following activities: training, drills, exercises, cybersecurity threats, reportable cyber incidents, and audits of the Cybersecurity Plan. |
CREATE TABLE cfr_sections (
section_id TEXT PRIMARY KEY,
title_number INTEGER,
title_name TEXT,
chapter TEXT,
subchapter TEXT,
part_number TEXT,
part_name TEXT,
subpart TEXT,
subpart_name TEXT,
section_number TEXT,
section_heading TEXT,
agency TEXT,
authority TEXT,
source_citation TEXT,
amendment_citations TEXT,
full_text TEXT
);
CREATE INDEX idx_cfr_title ON cfr_sections(title_number);
CREATE INDEX idx_cfr_part ON cfr_sections(part_number);
CREATE INDEX idx_cfr_agency ON cfr_sections(agency);