US Coast Guard Releases Cybersecurity FAQs for MTSA-Regulated Facilities and Vessels

Navigating the New Cybersecurity Regulations in the Maritime Sector

The U.S. Coast Guard has recently published long-anticipated FAQs regarding the cybersecurity regulations for the Marine Transportation System (MTS). These guidelines are crucial for U.S.-flagged vessels, Outer Continental Shelf facilities, and Maritime Transportation Security Act (MTSA)-regulated sites as they prepare to comply with new mandatory cybersecurity requirements set to take effect in January 2026.

Understanding the New Cybersecurity Requirements

The new regulations mandate that personnel complete cybersecurity training, even before an approved cybersecurity plan is in place. Regulated entities must adhere to existing documentation procedures for MTSA-related training, as outlined in their Facility Security Plans (FSP), Outer Continental Shelf Facility Security Plans (OCS FSP), or Vessel Security Plans (VSP). Training records must detail the topics covered and demonstrate compliance with the new regulations.

Training Standards and Documentation

The training must be conducted by individuals or organizations that meet or exceed the knowledge standards required for Cybersecurity Officers (CySOs). At this stage, no amendments to existing FSP, OCS FSP, or VSP are necessary, provided that the cybersecurity training is documented as part of the existing security training framework. However, the Coast Guard is still determining how it will inspect and enforce compliance, with ongoing stakeholder engagement.

Compliance for All Regulated Entities

All MTSA-regulated facilities and vessels must comply with the new cybersecurity regulations, regardless of whether they utilize operational technology (OT). These requirements are tied to the risk of a Transportation Security Incident (TSI), which exists independently of OT presence. Each regulated entity is required to complete a cybersecurity assessment, and if deficiencies are identified, they may request a waiver or equivalence determination.

Appeals Process for Cybersecurity Deficiencies

If a cybersecurity deficiency is identified, the first step in the appeals process is to seek reconsideration from the cognizant Captain of the Port (COTP). Should the issue remain unresolved, further appeals can be processed. Notably, Maritime Academies under the Maritime Administration (MARAD) may also be subject to these cybersecurity regulations if they operate vessels or facilities.

Clarifying the Role of Cybersecurity Officers

The new rule does not expand the applicability of MTSA but adds cybersecurity requirements to the existing framework. Importantly, there is no specific licensing or certification required for a CySO; this role can be fulfilled by a third party, and there are no limits on how many vessels or terminals a CySO may oversee. Cybersecurity inspections may occur separately or alongside other inspections, typically conducted in person, although remote participation may be allowed at the discretion of the COTP or Officer in Charge, Marine Inspection (OCMI).

Conducting Cybersecurity Assessments

The cybersecurity assessment must identify all IT and OT systems that impact maritime operations or could lead to a TSI. This includes systems not specifically listed in the FSP or VSP. Owners and operators are encouraged to adopt a holistic approach, and they can direct specific IT/OT questions to the Coast Guard. A single cybersecurity plan may be submitted for multiple U.S.-flagged vessels with similar operations, but any risk differences must be addressed within the plan.

Distinguishing Between Assessments and Audits

Cybersecurity audits and assessments serve distinct purposes. A cybersecurity assessment is foundational and must be completed before developing the cybersecurity plan. It identifies vulnerabilities and informs the design of appropriate safeguards. These assessments are required by July 16, 2027, and must be repeated annually or sooner if there is a change in ownership. Conversely, cybersecurity audits are internal checks to verify the effectiveness of the plan and identify necessary amendments.

Renewal and Drills

The cybersecurity plan renewal does not need to align with the current FSP or VSP schedule; this decision is left to the owner or operator. Once approved, the plan follows a five-year renewal cycle. Additionally, biannual cybersecurity drills and annual exercises are mandatory. Drills test specific components of the cybersecurity plan, while exercises evaluate the plan in its entirety.

Combining Drills with Physical Security Exercises

Cybersecurity drills and exercises can be combined with physical security drills, provided that the scenario fully tests both plans and complies with all regulatory requirements. Personnel must meet the cybersecurity training requirements, which include the ability to interact with or control system components.

Support from the Coast Guard

The Coast Guard can provide support to companies responding to cyber incidents through local Sector Marine Transportation System Specialists–Cyber (MTSS-C), the Coast Guard Cyber Protection Team (CPT), or resources available via the Maritime Industry Cybersecurity Resource website. Requests for assistance can be made through National Response Center (NRC) reports or directly to the Sector Command Center.

Overlapping Requirements with Other Programs

Entities already complying with the Transportation Security Administration’s (TSA) Critical Infrastructure Protection (CIP) or Corporate Action Plan (CAP) programs may identify overlapping cybersecurity requirements during Coast Guard submissions or inspections to avoid duplication.


As the maritime sector gears up for these new cybersecurity regulations, understanding the requirements and preparing accordingly will be crucial for ensuring compliance and safeguarding against cyber threats. The Coast Guard’s ongoing engagement with stakeholders will be vital in shaping effective enforcement and support mechanisms as the industry navigates this new landscape.
