The U.S. Coast Guard (USCG) issued a final rule on January 17, 2025, to address cybersecurity threats in the Marine Transportation System (MTS). Effective July 16, 2025, the rule establishes new cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and onshore facilities regulated under the Maritime Transportation Security Act of 2002 (MTSA).
(Summary of Blank Rome’s article: “Cybersecurity in the Marine Transportation System: What You Need to Know About the Coast Guard’s Final Rule”)
Maritime Cybersecurity Training and Compliance Requirements
The rule requires cybersecurity training within six months of its effective date. The training must cover cyber threat recognition, security breach detection, and reporting procedures. Additionally, key personnel must undergo advanced training.
Owners and operators must complete a Cybersecurity Assessment and implement a Cybersecurity Plan and Cyber Incident Response Plan within 24 months. A designated Cybersecurity Officer will oversee these measures. Plans must include security protocols for accounts, devices, and data, along with risk management, penetration testing, and incident response procedures.
Plan Approval, Audits, and Reporting
Facilities and vessels must submit Cybersecurity Plans to the USCG for approval. The Coast Guard will conduct audits to ensure compliance. The maritime cybersecurity rule mandates immediate reporting of cyber incidents to the National Response Center. It expands the definition of “hazardous condition” to include cyber incidents.
Potential Implementation Delay
The USCG is considering delaying compliance with the maritime cybersecurity rule for U.S.-flagged vessels by two to five years. Comments on the proposed delay are due by March 18, 2025.
Industry Preparation and Next Steps
Maritime stakeholders should review the new cybersecurity requirements and prepare for compliance. Companies are encouraged to submit feedback on the proposed delay before the deadline.
