Marine Link
Sunday, February 9, 2025

Marine Cybersecurity: Key Takeaways from the Coast Guard's Final Rule

Maritime Activity Reports, Inc.

February 4, 2025

New maritime cybersecurity rules were the topic of a panel discussion late last year in New Orleans, an event sponsored by Marlink and ABS. Copyright GT

The U.S. Coast Guard (USCG) published a final rule on January 17, 2025, addressing Cybersecurity in the Marine Transportation System (the “Final Rule”). The Final Rule seeks to minimize cybersecurity-related transportation security incidents (“TSIs”) within the maritime transportation system (“MTS”) by establishing requirements to enhance the detection of, response to, and recovery from cybersecurity risks. Effective July 16, 2025, the Final Rule will apply to U.S.-flagged vessels, Outer Continental Shelf facilities, and onshore facilities subject to the Maritime Transportation Security Act of 2002 (“MTSA”). The USCG also seeks comments on a potential two-to-five-year implementation delay for U.S.-flagged vessels. Comments are due March 18, 2025.


Background

The need for enhanced cybersecurity protocols within the MTS has long been recognized. MTSA laid the groundwork for addressing various security threats in 2002 and gave the USCG broad authority to take action and set requirements to prevent TSIs. MTSA was amended in 2018 to make clear that cybersecurity-related risks that may cause TSIs fall squarely within the authority of MTSA and USCG.

Over the years, the USCG and the International Maritime Organization have dedicated resources and published guidelines for addressing the growing cybersecurity threats arising as technology increasingly integrates into all aspects of the MTS. The USCG expanded its efforts to address cybersecurity threats throughout the MTS in its latest rulemaking, publishing the original Notice of Proposed Rulemaking (“NPRM”) on February 22, 2024. The NPRM received significant public feedback, leading to the development of the Final Rule.


Final Rule

In its Final Rule, the USCG addresses the many comments received on the NPRM and sets forth minimum cybersecurity requirements for U.S.-flagged vessels and applicable facilities. 

Training: Within six months of the Final Rule’s effective date, training must be conducted on recognizing and detecting cybersecurity threats and all types of cyber incidents, techniques used to circumvent cybersecurity measures, and reporting procedures, among others. Key personnel are required to complete more in-depth training.

Assessment and Plans: The Final Rule requires owners and operators of U.S.-flagged vessels and applicable facilities to conduct a Cybersecurity Assessment, develop a Cybersecurity Plan and Cyber Incident Response Plan, and appoint a Cybersecurity Officer that meets specified requirements within 24 months of the effective date. There are a host of requirements for the Cybersecurity Plan, including, among others, provisions for account security, device protection, data safeguarding, training, drills and exercises, risk management practices, strategies for mitigating supply chain risks, penetration testing, resilience planning, network segmentation, reporting protocols, and physical security measures. The Cyber Incident Response Plan must also provide instructions for responding to cyber incidents and delineate the staff’s key roles, responsibilities, and decision-making authorities.

Plan Approval and Audits: The Final Rule requires Cybersecurity Plans to be submitted to the USCG for review and approval within 24 months of the Final Rule’s effective date unless a waiver or equivalence is granted. The Rule also gives the USCG the power to perform inspections and audits to verify the implementation of the Cybersecurity Plan.

Reporting: The Final Rule requires timely reporting of “reportable cyber incidents”[1] to the National Response Center. The reporting requirement is effective immediately on July 16, 2025. Further, the Final Rule revises the definition of “hazardous conditions” to include cyber incidents. 

Potential Waivers: The Final Rule allows for limited waivers or equivalence determinations. A waiver may be granted if the owner or operator demonstrates that the cybersecurity requirements are unnecessary, given the specific nature or operating conditions. An equivalence determination may be granted if the owner or operator demonstrates that the U.S.-flagged vessel or facility complies with international conventions or standards that provide an equivalent level of security. Each waiver or equivalence request will be evaluated on a case-by-case basis.

Potential Delay in Implementation: Due to several comments on the ability of U.S.-flagged vessels to meet the implementation schedule, the Final Rule seeks comments on whether a delay of an additional two to five years is appropriate.

Conclusion: As automation and digitalization continue to advance within the maritime sector, it is imperative to develop cybersecurity strategies tailored to the specific management and operational needs of each company, facility, and vessel. Owners and operators of U.S.-flagged vessels and MTSA facilities are advised to review the new regulations closely and begin preparations for the latest cybersecurity requirements at the earliest opportunity. Stakeholders are also encouraged to provide comments before March 18, 2025, addressing the potential two-to-five-year delay in implementation for U.S.-flagged vessels.


  • Watch a related podcast on the emerging rules, recorded in New Orleans in November before the final rules came into force, a podcast featuring several vessel owners, communication suppliers, classification and the USCG:

