(a) Unless otherwise specified in this section, the Vessel Security Officer must keep records of the activities as set out in paragraph (b) of this section for at least 2 years and make them available to the Coast Guard upon request.
(b) Records required by this section may be kept in electronic format. If kept in an electronic format, they must be protected against unauthorized deletion, destruction, or amendment. The following records must be kept:
(1) Training. For training under § 104.225, the date of each session, duration of session, a description of the training, and a list of attendees;
(2) Drills and exercises. For each drill or exercise, the date held, description of drill or exercise, list of participants; and any best practices or lessons learned which may improve the Vessel Security Plan (VSP);
(3) Incidents and breaches of security. Date and time of occurrence, location within the port, location within the vessel, description of incident or breaches, to whom it was reported, and description of the response;
(4) Changes in Maritime Security (MARSEC) Levels. Date and time of notification received, and time of compliance with additional requirements;
(5) Maintenance, calibration, and testing of security equipment. For each occurrence of maintenance, calibration, and testing, the date and time, and the specific security equipment involved;
(6) Security threats. Date and time of occurrence, how the threat was communicated, who received or identified the threat, description of threat, to whom it was reported, and description of the response;
(7) Declaration of Security (DoS). Manned vessels must keep on board a copy of the last 10 DoSs and a copy of each continuing DoS for at least 90 days after the end of its effective period;
(8) Annual audit of the VSP. For each annual audit, a letter certified by the Company Security Officer or the VSO stating the date the audit was completed; and
(9) Electronic Reader/Physical Access Control System (PACS). For each individual granted unescorted access to a secure area, the: FASC-N; date and time that unescorted access was granted; and, if captured, the individual's name. Additionally, documentation to demonstrate that the owner or operator has updated the Canceled Card List with the frequency required in § 101.525 of this subchapter.
(c) Any records required by this part must be protected from unauthorized access or disclosure. TWIC reader records and similar records in a PACS are sensitive security information and must be protected in accordance with 49 CFR part 1520.
[USCG-2003-14749, 68 FR 39302, July 1, 2003, as amended at 68 FR 60514, Oct. 22, 2003; USCG-2007-28915, 81 FR 57710, Aug. 23, 2016]