Business Context and Volume
NMFS requires the use of permits or registrations by participants in U.S. federally regulated fisheries. Permits to fish in waters of the United States and international waters are authorized by various statutes and laws, primarily the Magnuson-Stevens Fishery Conservation and Management Act (Public Law 94-265, as variously amended, most recently by the Magnuson-Stevens Fishery Conservation and Management Reauthorization Act (P.L. 109-479)) (MSA) and the High Seas Fishery Management and Conservation Act. The most used permitting authority, the MSA, provides authority for issuance of permits for foreign fishing; or, under § 303(A) Limited Access Privilege Programs (LAPPs) or § 303(b) as a discretionary provision under authority of a Fishery Management Plan: for vessels, vessel operators, or processors.
Permits and licensing provide means to verify appropriate participation and allocation of resources. For example, foreign participation is limited in most U.S. fisheries. Permits are fundamental to limited access privilege programs (LAPP), also known as individual transferable quota or individual fishing quota (IFQ), which are increasingly used as instruments to manage fisheries from the perspectives of optimum yield and economic viability. Permits facilitate collection of critical harvest, effort, and economic data and are fundamental to enforcing compliance with record-keeping and reporting laws and regulations. Permits are also critical for analytic purposes such as determining economic dependence on fisheries, studying fishery development and collapse, assessing status of stocks, and as the basis of allocation decisions.
Currently 6 vessels report electronically; this could go up to 200 vessels. Records must be transferred within 72 hours of landing. Vessels typically land every few weeks, and the potential exists for daily reporting via VMS....
Business Drivers
With e-signature, fishers would be more accepting of electronic reporting. Fishers have concerns about achieving compliance. Drivers for wanting e-reporting... better data, faster data, fewer corrections.... Magnuson-Stevens driver for reducing cycle time? More.... The more could include what business benefit they derive from the permit and what business risk they incur if they break NMFS rules. Is this the spot for cycle times?
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
...
Users and functionality
...
These are mid-size vessels (vicinity of 70ft) that have GPS, VMS, and sophisticated fish-finding technology. A number of the vessels have e-logbook software onboard integrated with track plotting systems. This e-logbook application includes a unique identifier via a hardware dongle which could be used to identify data from the vessel. An existing rule provides authority for optional electronic reporting. E-Logbook Vendor Certification Guidelines are in the approval process that would allow a vendor to promote an e-logbook application as NMFS-approved for e-logbook compliance.
By regulation, responsibility for fishing logbook reporting rests with the operator of the fishing vessel.
Functionality would be creation/maintenance of the e-logbook record, storage of the e-logbook records on portable media (floppy, CD, memory stick), and physical transfer of the portable media to NMFS... or, alternatively, email transmission of e-logbook records to NMFS.
...
Data sensitivity and security
...
E-Logbook data is fisheries confidential data under the Trade Secrets Act. Information collected pursuant to requirements of the MSA, including permit application information, is protected by its confidentiality provisions at § 402 and under its implementing regulations at 50 CFR Part 600 Subpart E, including NOAA Administrative Order (NAO) 216-100. Additional protections of the Privacy Act and FOIA apply to such data, as well as to data collected under the Halibut Act.
...
Mitigating controls
...
Perhaps the most significant mitigating control is that in commercial fisheries transactions, both parties to the transaction (typically the fisher and the fish processor) are permitted entities and each has some responsibility for accurate and complete record-keeping and reporting (for example, the fisher may be required to keep a logbook showing fishing efforts and catch, while the processor is required to report fish purchased). In these transactions it is typical for the parties to the transactions to have opposite and balancing interests (for example, when a fisher is selling fish to a processor, the fisher wants the amount paid to be high, while the processor wants the amount paid to be low). These multiple sources of information and counter-balanced incentives tend to make deception more difficult to initiate and sustain.
Another mitigating control is that under the authority of the Debt Collection Improvement Act (31 U.S.C. 7701), NMFS would collect Tax Identification Number information from individuals in order to issue, renew, or transfer fishing permits or to make nonpermit registrations.
In the Hawaii longline logbook case we have independent confirmation of the vessel's location through the VMS system. The e-logbook software's licensing-compliance dongle provides a unique identifier for each logbook page, which ties the page to a particular instance of the e-logbook software.
These vessels are permitted to fish and therefore have a prior "trusted relationship" with NMFS. In many cases this prior relationship involves confirming vessel ownership with the U.S. Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
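The three mitigating controls above (dongle identity on each page, independent VMS position, and the processor's fish ticket with its opposing incentive) can be applied together as a reconciliation check on incoming e-logbook records. The following is an added illustration, not NMFS code; the record layouts, the dongle registry, the sample trip and the tolerances are all constructed assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed sample data (assumed layouts, not an NMFS format): one vessel's e-logbook pages,
# its VMS track for the same days, and the processor's fish ticket for the landing.
DONGLE_REGISTRY = {"DNG-0001": "VESSEL-A"}  # assumed: dongle id -> vessel it was issued to
LOGBOOK = [  # (dongle, vessel, set time, lat, lon, pounds reported)
    ("DNG-0001", "VESSEL-A", "2024-03-02T06:00", 19.5, -157.0, 1200),
    ("DNG-0001", "VESSEL-A", "2024-03-03T06:00", 19.6, -157.2, 900),
    ("DNG-0002", "VESSEL-A", "2024-03-04T06:00", 21.9, -159.0, 400),  # suspect page
]
VMS = [  # (vessel, fix time, lat, lon)
    ("VESSEL-A", "2024-03-02T06:10", 19.5, -157.0),
    ("VESSEL-A", "2024-03-03T05:50", 19.6, -157.2),
    ("VESSEL-A", "2024-03-04T06:05", 19.7, -157.3),  # far from the reported third set
]
FISH_TICKETS = {"VESSEL-A": 2100}  # pounds the processor reported buying at landing

def _t(s):
    return datetime.fromisoformat(s)

def nm_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 3440.065 * 2 * math.asin(math.sqrt(a))

def reconcile(logbook=LOGBOOK, vms=VMS, tickets=FISH_TICKETS, registry=DONGLE_REGISTRY,
              max_nm=10.0, window=timedelta(hours=1), max_pct=0.10):
    """Return (finding, vessel, detail) tuples for pages the independent sources do not corroborate."""
    findings, reported = [], {}
    for dongle, vessel, when, lat, lon, lbs in logbook:
        reported[vessel] = reported.get(vessel, 0) + lbs
        # Control 1: the dongle id on the page must be the one issued to the reporting vessel
        if registry.get(dongle) != vessel:
            findings.append(("dongle_mismatch", vessel, when))
        # Control 2: a VMS fix close in time must place the vessel near the reported set
        nearby = [f for f in vms if f[0] == vessel and abs(_t(f[1]) - _t(when)) <= window]
        if not nearby:
            findings.append(("no_vms_fix", vessel, when))
        elif min(nm_between(lat, lon, f[2], f[3]) for f in nearby) > max_nm:
            findings.append(("vms_position_mismatch", vessel, when))
    # Control 3: logbook totals against the processor's fish ticket (opposing incentives)
    for vessel, lbs in reported.items():
        bought = tickets.get(vessel, 0)
        if bought == 0 or abs(lbs - bought) / bought > max_pct:
            findings.append(("landing_mismatch", vessel, f"logbook={lbs} ticket={bought}"))
    return findings
```

On the sample trip only the third page trips the checks: its dongle is not the one registered to the vessel, the VMS track puts the vessel well over 100 nm from the reported set, and the trip total no longer matches the fish ticket within tolerance.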
Threat and Vulnerability Identification
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood of Harm | Impact of Harm |
---|---|---|---|---|---|
Impersonation in e-logbook transactions | Common criminal/identity thief | Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim | Inconvenience, distress or damage to standing or reputation | Low: common criminals are unlikely to have subject-area expertise to discover an incrimination or defamation opportunity and there are probably easier attacks | Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review, and when detected, the impact could be effectively mitigated |
" | " | Impersonation using stolen identity credentials, for access to sensitive information | Unauthorized release of sensitive information | Low: successful identity theft could result in compromise of sensitive information from the victim's logbook records but an uninformed criminal would be unlikely to find or identify sensitive information | Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Impersonation in e-logbook transactions | Disgruntled industry employee | Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review, and when detected, the impact could be effectively mitigated |
" | " | Impersonation using stolen identity credentials, for access to sensitive information | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in e-logbook data | Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Impersonation in e-logbook transactions | Competitor | Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system makes them less likely to have means or opportunity. Risk exposure is reduced significantly in electronic transactions versus paper transactions. | Low: impersonated parties or agency staff would be likely to notice during dockside interview process and subsequent data review, and when detected, the impact could be effectively mitigated |
" | " | Impersonation using stolen identity credentials, for access to sensitive information | Unauthorized release of sensitive information | Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability | Customer (fisher) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-logbook submission could then be prosecuted for fishing without reporting. There will generally be independent evidence of the fishing or processing activity (follow the fish, also follow the VMS track.) | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
...
OMB Categories of Harm for reference
...
Inconvenience, distress or damage to standing or reputation
...
Financial loss or agency liability
...
Harm to agency programs or public interest
...
Unauthorized release of sensitive information
...
Insert graphic here