Coast Guard Unveils New Cybersecurity Regulations for Marine Transportation

US Coast Guard’s Final Rule on Cybersecurity in the Marine Transportation System: A New Era of Maritime Safety

On January 17, 2025, the US Coast Guard unveiled a groundbreaking final rule aimed at bolstering cybersecurity within the US Marine Transportation System. This regulation, which will take effect on July 16, 2025, establishes mandatory minimum cybersecurity requirements for various entities in the maritime sector. As cyber threats continue to evolve, this rule represents a significant step towards safeguarding the maritime industry against potential vulnerabilities.

I. Scope and Applicability

The primary objective of the final rule is to enhance the cybersecurity posture of the US Marine Transportation System. It sets forth minimum mandatory requirements for US flag vessels, Outer Continental Shelf (OCS) facilities, and facilities governed by the Maritime Transportation Security Act of 2002. The rule acknowledges the increasing risks posed by cyber threats, particularly as the maritime sector becomes more reliant on interconnected digital systems. It emphasizes the importance of both preventing cyber incidents and preparing effective responses.

The rule applies to:

  • US Flag Vessels: This includes cargo vessels over 100 gross tons, commercial passenger vessels certified for more than 150 passengers, Offshore Supply Vessels (OSVs), Mobile Offshore Drilling Units (MODUs), and more.

  • Facilities Subject to 33 CFR Part 105: These encompass container terminals, chemical facilities with waterfront access, petroleum terminals, cruise ship terminals, and other marine cargo terminals.

  • OCS Facilities Subject to 33 CFR Part 106: This category includes offshore oil and gas production platforms, offshore drilling rigs, floating production storage and offloading units (FPSOs), and offshore wind energy facilities.

II. Core Requirements

To comply with the new regulations, entities must develop a comprehensive cybersecurity plan that encompasses several critical components:

  • Cybersecurity Officer (CySO): Each covered entity must designate a Cybersecurity Officer responsible for implementing and maintaining cybersecurity requirements. The rule allows for alternate CySOs and permits one individual to oversee multiple vessels or facilities, providing flexibility for operators.

  • Cybersecurity Plans and Assessments: Organizations are required to maintain a comprehensive Cybersecurity Plan and a separate Cyber Incident Response Plan, and to conduct regular cybersecurity assessments. These plans must be submitted to the Coast Guard for review within 24 months of the rule’s effective date.

  • Training and Exercises: The rule mandates cybersecurity training for all personnel utilizing IT/OT systems starting July 17, 2025, along with two cybersecurity drills annually and regular penetration testing aligned with plan renewal cycles.

  • Technical Controls: Required security measures include account security controls (e.g., multifactor authentication), device security measures, data encryption, network segmentation, and supply chain security requirements.

III. Implementation Timeline

The implementation of these new regulations will occur in phases, with key compliance dates including:

  • Rule Effective Date: July 16, 2025
  • Training Requirements Begin: July 17, 2025
  • Initial Cybersecurity Assessment Due: July 16, 2027
  • Cybersecurity Plan Submission Due: July 16, 2027

The Coast Guard is also seeking public comments on the potential extension of implementation periods for US flag vessels, with feedback due by March 18, 2025. This could lead to a future rule allowing additional time for compliance.

IV. Harmonization with Other Requirements

In an effort to streamline compliance, the Coast Guard has aligned these new requirements with existing cybersecurity regulations, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The rule designates the National Response Center (NRC) as the primary reporting channel for maritime cyber incidents, simplifying the process for regulated entities.

V. Some Basic Questions and Answers

What are the mandatory cybersecurity measures outlined in the rule?
Owners and operators must implement a range of cybersecurity measures based on “cybersecurity performance goals” developed by the Cybersecurity and Infrastructure Security Agency (CISA). This includes vulnerability identification, addressing known exploited vulnerabilities, and conducting penetration testing.

What constitutes a reportable cyber incident?
A reportable cyber incident is any event leading to substantial loss of confidentiality, integrity, or availability of a covered system, disruption to business operations, or unauthorized access to nonpublic personal information. Such incidents must be reported to the NRC.

What is the Coast Guard’s approach to compliance and enforcement?
The rule adopts a performance-based approach, focusing on outcomes rather than prescribing specific technical solutions. While the methods of enforcement are still being defined, noncompliance could lead to penalties and legal repercussions.

Is there any flexibility in complying with this rule?
Yes, after completing a cybersecurity assessment, owners and operators can seek waivers or equivalence determinations for certain requirements.

VI. Key Takeaways

As the maritime industry prepares for these new regulations, several key actions should be prioritized:

  • Begin Preparation Now: The 24-month implementation period will pass quickly, and entities should start assessing their current cybersecurity measures.
  • Evaluate Staffing and Capabilities: Organizations should assess their cybersecurity staffing against the new CySO requirements.
  • Review Existing Security Measures: A thorough review of current security measures against the detailed technical requirements is essential.
  • Plan for Increased Training Obligations: Entities must prepare for the heightened training and exercise requirements.
  • Consider Commenting on Implementation Extensions: Stakeholders should evaluate whether to provide feedback on the proposed implementation extension for vessels.

The introduction of this final rule marks a pivotal moment in the maritime sector’s approach to cybersecurity. With the right preparations and compliance strategies, entities can enhance their resilience against cyber threats, ensuring the safety and security of the US Marine Transportation System.
