Coast Guard’s New Cybersecurity Regulations: Essential Insights for the Maritime Industry
In a significant move to bolster cybersecurity measures within the Marine Transportation System (MTS), the U.S. Coast Guard has recently published a comprehensive set of frequently asked questions (FAQs). These FAQs provide clarity on the final rule regarding cybersecurity, aimed at helping stakeholders understand the regulatory framework while additional guidance is put into place.
Clarifying the Final Rule
The Coast Guard’s latest publication addresses a multitude of queries raised by industry stakeholders. The FAQs distill common concerns into a consolidated format that groups information by relevant regulatory citation, making it easier for maritime entities to navigate their obligations. Importantly, the FAQs are not new requirements or regulations; instead, they serve to elucidate existing obligations set out in the final rule.
Cyber Plan Submissions
Currently, the Coast Guard is accepting submissions for cybersecurity plans as per the final rule, although no approvals are being granted just yet. This pause allows the agency time to develop a consistent review and approval process that will ensure uniformity across the maritime sector. Any plans already submitted will be securely held until the mechanisms for review are in place and processing begins.
Training Responsibilities
Under the new regulations, the responsibility for cybersecurity training falls on the owner or operator of a facility or vessel subject to the Maritime Transportation Security Act (MTSA). This means ensuring that all personnel receive relevant training that aligns with their facility’s cybersecurity protocols as stipulated in 33 CFR 101.650(d). The Cybersecurity Officer, acting on behalf of the owner or operator, is tasked with confirming that staff undergo adequate training to meet cybersecurity goals.
The Coast Guard has clarified compliance with these training requirements through prior guidance, including an updated policy letter issued in October that brings further clarity to training expectations.
Compliance Inspections and Exemptions
The Coast Guard is currently assessing how to effectively enforce compliance with these cybersecurity requirements. It is important to note that facilities and vessels regulated under the MTSA are not exempt from cybersecurity regulations, even if they do not utilize operational technology (OT) systems. Under the MTSA, transportation security incident risks exist regardless of the presence of such systems. Every regulated entity must perform a cybersecurity assessment to identify vulnerabilities, after which it may request waivers if justified.
Role of Maritime Academies
Maritime academies may also have to align their operations with these new cybersecurity regulations, depending on whether their activities classify them as MTSA-regulated entities. While the scope of MTSA applicability remains unchanged, the latest rule introduces vital cybersecurity requirements to the existing framework. Academies operating vessels covered under 33 CFR Part 104 or facilities under 33 CFR Part 105 will need to comply with these updated requirements.
Mandatory Cybersecurity Assessments
One of the key elements of the new rule entails mandatory cybersecurity assessments, as specified in 33 CFR 101.650(e)(1). Each regulated entity must complete an initial assessment by July 16, 2027, followed by annual assessments. Changes in ownership or modifications to cybersecurity measures prompt the need for additional evaluations. These assessments are essential for identifying risks and informing the development of individual cybersecurity plans.
Regular internal audits are also necessary, occurring at least annually, with additional reviews triggered by significant changes within the organization, such as ownership changes or policy updates.
Unique Assessments for Vessels
For a fleet of vessels sharing the same information technology and operational technology infrastructure, a single cybersecurity assessment may suffice. However, should there be any differences among the vessels, a separate assessment must be conducted for each to ensure that unique vulnerabilities are addressed effectively.
Support from the Coast Guard
The Coast Guard has resources available to assist companies in addressing cybersecurity concerns. Stakeholders can access guidance through local sector Marine Transportation System Specialist–Cyber personnel, the U.S. Coast Guard Cyber Protection Team, and the Coast Guard Maritime Industry Cybersecurity Resource website. Assistance can be requested through various channels, including the National Response Center or directly via email.
Training Framework
As compliance with the cybersecurity regulations begins to take shape, maritime entities are encouraged to initiate training efforts before final cybersecurity plans receive approval. Personnel are required to complete training that intersects with the existing documentation relating to the MTSA, as outlined in their approved Facility Security Plans (FSP), Outer Continental Shelf Facility Security Plans (OCS FSP), or Vessel Security Plans (VSP). Proper record-keeping must reflect the training topics covered to ensure alignment with regulations.
With these new cybersecurity regulations set to take effect in January 2026, the maritime industry is poised to embark on a transformative journey towards a more secure operational landscape. The U.S. Coast Guard’s proactive approach provides a robust framework to protect against cyber threats, securing not only the industry’s operational integrity but also the safety of countless lives reliant on maritime activities.
