As of July 16, 2025, the U.S. Coast Guard’s final rule, “Cybersecurity in the Marine Transportation System (MTS),” became effective for all U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to Maritime Transportation Security Act of 2002 (MTSA). This final rule was executed in continuation of updates to Captain of the Port authority that definitively designated cybersecurity vulnerabilities as a potential threat to the security and safety of United States ports.
This final rule addresses current and emerging cybersecurity threats in the MTS by adding minimum cybersecurity requirements to help detect risks and respond to and recover from cybersecurity incidents. These requirements include developing and maintaining a Cybersecurity Plan, designating a Cybersecurity Officer (CySO), and taking various measures to maintain cybersecurity within the MTS.
This final rule also includes a solicitation for comments on a potential delay for the implementation periods for U.S.-flagged vessels.
The final rule can be accessed at Federal Register: Cybersecurity in the Marine Transportation System
- Final Rule Frequently Asked Questions
- Cyber Regulations Fact Sheet – Overview of the compliance timeframes, and guidance on submitting comments on the implementation periods for U.S.-flagged vessels.
- Cyber Small Entity Guide – Facilities
- Cyber Small Entity Guide – Vessels
The regulation contains a phased implementation schedule:
- Immediately upon the effective date of July 16, 2025, all reportable cyber incidents must be reported to the National Response Center.
- By January 12, 2026, and annually thereafter, all personnel must complete the training specified in 33 CFR 101.650.
- By July 16, 2027, owners and operators must designate the Cybersecurity Officer, conduct the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval.
Recognizing the escalating cyber threat from adversarial actors targeting the U.S. Marine Transportation System, the U.S. Coast Guard, leveraging the post-9/11 alignment of domestic MTSA authorities with international SOLAS and ISPS Code regimes, will intensify Port State Control (PSC) scrutiny on indicators of poor cybersecurity practices, specifically those impacting International Safety Management (ISM) Code compliance on foreign flagged vessels. This elevated focus may lead to the issuance of deficiencies requiring correction, or, if circumstances warrant, result in vessel detention, denial of entry or Captain of the Port (COTP) action to control vessel movement, as the Coast Guard implements measures to control, secure and defend the nation’s ports, waterways and shipping interests while restoring U.S. maritime dominance.
About the Final Rule: Cybersecurity in the Marine Transportation System
The maritime industry faces increasing cybersecurity threats as it increasingly relies on cyber-connected systems. The purpose of this final rule is to safeguard the marine transportation system (MTS) against current and emerging threats associated with cybersecurity by adding minimum cybersecurity requirements to 33 CFR part 101 to help detect, respond to, and recover from cybersecurity risks that may cause transportation security incidents (TSIs). This final rule addresses risks from the increased interconnectivity and digitalization of the MTS and current and emerging cybersecurity threats to maritime security in the MTS with the additional minimum requirements specified below.
First, this final rule requires that owners or operators of U.S.-flagged vessels, facilities, or Outer Continental Shelf (OCS) facilities required to have a security plan under 33 CFR parts 104, 105, and 106 to develop and maintain a Cybersecurity Plan and Cyber Incident Response Plan. The Cybersecurity Plan must include seven account security measures for owners or operators of a U.S.-flagged vessel, facility, or OCS facility: (1) enabling of automatic account lockout after repeated failed log in attempts on all password protected information technology (IT) systems; (2) changing default passwords (or implementing other compensating security controls if unfeasible) before using any IT or operational technology (OT) systems; (3) maintaining a minimum password strength on all IT and OT systems technically capable of password protection; (4) implementing multifactor authentication on password-protected IT and remotely accessible OT systems; (5) applying the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systems; (6) maintaining separate user credentials on critical IT and OT systems; and (7) removing or revoking user credentials when a user leaves the organization.
The Cybersecurity Plan also must include four device security measure requirements: (1) develop and maintain a list of any hardware, firmware, and software approved by the owner or operator that may be installed on IT or OT systems; (2) ensure that applications running executable code are disabled by default on critical IT and OT systems; (3) maintain an accurate inventory of network-connected systems including those critical IT and OT systems; and (4) develop and document the network map and OT device configuration information. In addition, the Cybersecurity Plan must include two data security measure requirements: (1) ensure that logs are securely captured, stored, and protected and accessible only to privileged users, and (2) deploy effective encryption to maintain confidentiality of sensitive data and integrity of IT and OT traffic when technically feasible. Owners or operators of U.S.-flagged vessels, facilities, or OCS facilities must also prepare and document a Cyber Incident Response Plan that outlines instructions on how to respond to a cyber incident and identifies key roles, responsibilities, and decision-makers amongst personnel.
Owners or operators must also designate a Cybersecurity Officer (CySO) who must ensure that U.S.-flagged vessel, facility, or OCS facility personnel implement the Cybersecurity Plan and the Cyber Incident Response Plan. The CySO must also ensure that the Cybersecurity Plan is up to date and undergoes an annual audit. The CySO must also arrange for cybersecurity inspections, ensure that personnel have adequate cybersecurity training, record and report cybersecurity incidents to the owner or operator, and take steps to mitigate them.
For more information, see the final rule in the Federal Register using the eRulemaking Portal at www.regulations.gov under docket number USCG-2022-0802.
For further information about this rulemaking, email MTSCyberRule@uscg.mil. For facility-related questions, call Commander Brandon Link, Office of Port and Facility Compliance, at 202-372-1107. For vessel-related questions, call Commander Christopher Rabalais, Office of Design and Engineering Standards, at 202-372-1375.
Additional guidance on these regulations, including information about the waiver and Alternative Security Program process, will be posted on the Coast Guard Maritime Industry Cybersecurity Resource Website.
