Marine Cybersecurity: Key Takeaways from the Coast Guard's Final Rule
The U.S. Coast Guard (USCG) published a final rule on January 17, 2025, addressing Cybersecurity in the Marine Transportation System (the “Final Rule”), which seeks to minimize cybersecurity-related transportation security incidents (“TSIs”) within the maritime transportation system (“MTS”) by establishing requirements to enhance the detection, response, and recovery from cybersecurity risks. Effective July 16, 2025, the Final Rule will apply to U.S.-flagged vessels, Outer Continental Shelf, and onshore facilities subject to the Maritime Transportation Security Act of 2002 (“MTSA”). The USCG also seeks comments on a potential two-to-five-year implementation delay for U.S.-flagged vessels. Comments are due March 18, 2025.
Background
The need for enhanced cybersecurity protocols within the MTS has long been recognized. MTSA laid the groundwork for addressing various security threats in 2002 and gave the USCG broad authority to take action and set requirements to prevent TSIs. MTSA was amended in 2018 to make clear that cybersecurity-related risks may cause TSIs to fall squarely within the authority of MTSA and USCG.
Over the years, the USCG and the International Maritime Organization have dedicated resources and published guidelines for addressing the growing cybersecurity threats arising as technology increasingly integrates into all aspects of the MTS. The USCG expanded its efforts to address cybersecurity threats throughout the MTS in its latest rulemaking, publishing the original Notice of Proposed Rulemaking (“NPRM”) on February 22, 2024. The NPRM received significant public feedback, leading to the development of the Final Rule.
Final Rule
In its Final Rule, the USCG addresses the many comments received on the NPRM and sets forth minimum cybersecurity requirements for U.S.-flagged vessels and applicable facilities.
Training: Within six months of the Final Rule’s effective date, training must be conducted on recognizing and detecting cybersecurity threats and all types of cyber incidents, techniques used to circumvent cyber security measures, and reporting procedures, among others. Key personnel are required to complete more in-depth training.
Assessment and Plans: The Final Rule requires owners and operators of U.S.-flagged vessels and applicable facilities to conduct a Cybersecurity Assessment, develop a Cybersecurity Plan and Cyber Incident Response Plan, and appoint a Cybersecurity Officer that meets specified requirements within 24 months of the effective date. There are a host of requirements for the Cybersecurity Plan, including, among others, provisions for account security, device protection, data safeguarding, training, drills and exercises, risk management practices, strategies for mitigating supply chain risks, penetration testing, resilience planning, network segmentation, reporting protocols, and physical security measures. The Cyber Incident Response Plan must also provide instructions for responding to cyber incidents and delineate the staff’s key roles, responsibilities, and decision-making authorities.
Plan Approval and Audits: The Final Rule requires Cybersecurity Plans to be submitted to the USCG for review and approval within 24 months of the Final Rule’s effective date unless a waiver or equivalence is granted. The Rule also gives the USCG the power to perform inspections and audits to verify the implementation of the Cybersecurity Plan.
Reporting: The Final Rule requires timely reporting of “reportable cyber incidents”[1] to the National Response Center. The reporting requirement is effective immediately on July 16, 2025. Further, the Final Rule revises the definition of “hazardous conditions” to include cyber incidents.
Potential Waivers: The Final Rule allows for limited waivers or equivalence determinations. A waiver may be granted if the owner or operator demonstrates that the cybersecurity requirements are unnecessary, given the specific nature or operating conditions. An equivalence determination may be granted if the owner or operator demonstrates that the U.S.-flagged vessel or facility complies with international conventions or standards that provide an equivalent level of security. Each waiver or equivalence request will be evaluated on a case-by-case basis.
Potential Delay in Implementation: Due to several comments on the ability of U.S.-flagged vessels to meet the implementation schedule, the Final rule seeks comments on whether a delay of an additional two to five years is appropriate.
Conclusion: As automation and digitalization continue to advance within the maritime sector, it is imperative to develop cyber security strategies tailored to specific management and operational needs of each company, facility, and vessel. Owners and operators of U.S.-flagged vessels and MTSA facilities are advised to review the new regulations closely and begin preparations for the latest cybersecurity requirements at the earliest opportunity. Stakeholders are also encouraged to provide comments before March 18, 2025, addressing the potential two-to-five-year delay in implementation for U.S.-flagged vessels.
- Watch a related podcast on the emerging rules, recorded in New Orleans in November before the final rules came into force, a podcast featuring several vessel owners, communication suppliers, classification and the USCG: