The Coast Guard’s Maritime Cybersecurity Rule Takes Effect

Husch Blackwell LLP

On July 16, 2025, the US Coast Guard’s (USCG) final rule, Cybersecurity in the Marine Transportation System, codified at 33 C.F.R. § 101.600 et seq., went into effect. The final rule establishes cybersecurity requirements for the critical infrastructure owners and operators (CI/OO) of regulated entities (e.g., U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities regulated under the Maritime Transportation Security Act of 2002). See 90 Fed. Reg. 6298 (Jan. 17, 2025). These entities were already required to have a Vessel or Facility Security Plan (VSP/FSP) as defined by 33 C.F.R. §§ 104-106. Under the final rule, the CI/OO for these entities have incident reporting obligations, must develop Cybersecurity and Cyber Incident Response Plans, and designate a Cybersecurity Officer charged with implementing the plans. The regulation will be introduced in stages over the next three years, with certain provisions taking effect immediately.

As of July 16, 2025, all regulated entities are required to report certain cyber incidents to the National Response Center (NRC).

This new reporting requirement creates a bureaucratic maze for regulated entities. In its response to public comments, the USCG stated that it expects reportable cyber incidents to be reported to the NRC “only by those entities not already required to report cyber incidents under 33 C.F.R. § 6.16-1” (emphasis added). 90 Fed. Reg. 6321. The USCG’s existing regulation requires vessels, harbors, ports and waterfront facilities to report evidence of:

Sabotage, subversive activity, or an actual or threatened cyber incident involving or endangering any vessel, harbor, port, or waterfront facility, including any data, information, network, program, system, or other digital infrastructure thereon or therein, shall be reported immediately to the [FBI], [CISA] (for any cyber incident), and the Captain of the Port, or to their respective representatives. 

33 C.F.R. § 6.16-1 (emphasis added). 

Unfortunately, as evinced by the preamble’s explanation of the incident reporting requirements, the final rule creates a second reporting requirement for those entities that were not subject to § 6.16-1 but with a different deadline and a different government point of contact. The final rule states that a reportable cyber incident must be reported to the NRC without delay, in contrast to § 6.16-1 requiring that the Captain of the Port, the FBI and CISA (for any cyber incident) be notified immediately.

In addition to this regulatory inconsistency causing confusion within the maritime industry, the new requirement exacerbates additional disparities across the critical infrastructure ecosystem by declining to adopt CISA’s proposed definition for substantial cyber incidents. CISA’s proposed definition implements Congress’s intent in the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) for CI/OO to report covered cyber incidents to CISA within 72 hours. See 89 Fed. Reg. 23660 (Apr. 4, 2024). 

Although the final rule incorporates CIRCIA’s statutory definition of a ‘cybersecurity incident’ verbatim, when it came to defining the incidents that must be reported, the USCG stated, without a hint of irony, that it is committed to harmonizing cyber reporting requirements but that the reporting requirements to CISA and the USCG serve “complementary but distinct operational purposes.” The two columns of agency explanation in the Federal Register that attempt to justify separate reporting channels fail to adequately explain which agency a CI/OO should call, and whether multiple notifications are expected or required. See 90 Fed. Reg. 6321.

Instead of adopting CISA’s proposed definition of a ‘substantial cyber incident’ and the 72-hour reporting requirement from CIRCIA, the final rule creates a new defined term, a “reportable cyber incident” that means:

An incident that leads to or, if still under investigation, could reasonably lead to any of the following: Substantial loss of confidentiality, integrity, or availability of a covered information system, network, or OT system; Disruption or significant adverse impact on the reporting entity’s ability to engage in business operations or deliver goods or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death; Disclosure or unauthorized access directly or indirectly of nonpublic personal information of a significant number of individuals; Other potential operational disruption to critical infrastructure systems or assets; or Incidents that otherwise may lead to a transportation security incident as defined in [this subpart].

33 C.F.R. § 101.615. Read together, Congress, CISA, and the USCG have created inconsistent reporting requirements for maritime critical infrastructure with respect to (1) which agencies must be notified, (2) when the agencies must be notified, and (3) the criteria under which the notification needs to be made. For CI/OO who are responsible for multi-modal transportation, the notification requirements will be complicated, to say the least.

By January 12, 2026, all CI/OO personnel with access to information technology (IT) or operational technology (OT) systems must complete cybersecurity training.

The CI/OO and Cybersecurity Officer must ensure that all personnel who have access to IT and OT systems, whether part-time, full-time, temporary or permanent employees and contractors, complete the applicable cybersecurity training, and that key personnel receive specialized training annually or more frequently as needed. Existing personnel are required to receive training on the relevant provisions of the Cybersecurity Plan within 60 days of the Cybersecurity Plan for the vessel/facility being approved. All cybersecurity training must be conducted annually thereafter.

Notably, this training does not need to be delivered in a classroom or in any particular format. Rather, it must be applicable to the Cybersecurity Plan, including recognizing, detecting, and circumventing cybersecurity threats, and the procedures for reporting cyber incidents. The training must also ensure that individuals understand basic cyber hygiene, recognize potential threats, and follow secure practices when interacting with critical systems. The requirement applies to both existing personnel and new hires, with new hires required to complete training within 5 days of gaining system access, but no later than 30 days after hiring. After the initial deadline, training must be repeated annually to maintain compliance.

By July 16, 2027, all regulated entities must designate a Cybersecurity Officer (CySO).

The CySO will be responsible for (1) overseeing cybersecurity implementation and incident response; (2) conducting a Cybersecurity Assessment to identify vulnerabilities and evaluate system resilience; and (3) submitting a Cybersecurity Plan to USCG for approval, detailing measures for security, training protocols, and incident response.

The CySO can be a full-time, collateral or contracted position, and a CySO can be responsible for more than one vessel and facility. The USCG states that a CySO must have a general knowledge of several issues relating to cybersecurity, such as cybersecurity administration, relevant laws and regulations, current threats and trends, risk assessments, inspections, control procedures, and procedures for conducting cyber exercises and drills.

The captain of a maritime vessel has a uniquely high level of accountability for the welfare of the vessel, crew, and passengers. It is unclear from the final rule whether a captain will face a similar level of accountability based on the new, rapidly evolving cyber threat environment. As our prior analysis has shown, cybersecurity procedures and protocols are becoming part of a vessel’s seaworthiness criteria. The extent to which a vessel’s captain will have to leverage the knowledge and skills of a CySO to keep the vessel seaworthy remains to be seen.

Similarly, it is unclear whether a CySO working on a vessel or facility owned by a publicly traded company will be held to the same level of responsibility and accountability in the event of a reportable cybersecurity incident as a Chief Information Security Officer would be following an incident. If the Department of Justice cases against Uber’s Chief Security Officer or SolarWinds’ CISO are indicators of future enforcement actions, CySOs would be wise to work closely with the corporate legal department when preparing the documentation required by the final rule.

The USCG acknowledges that U.S.-flagged vessels may face unique challenges in meeting the rule’s requirements within the given timeframe, and the Coast Guard sought public comments on a proposed 2-to-5-year delay for implementing the requirements for U.S.-flagged vessels. A review of the public comments shows that a majority of commenters supported the delay. However, there have been no follow-up publications or decisions released yet that address whether the delay would be granted. Regardless of any potential delay, the final rule represents a major shift in maritime cybersecurity, and the CI/OO who can demonstrate their organization’s compliance with the regulations will be better positioned to explain a cybersecurity incident when (not if) it occurs.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Husch Blackwell LLP
