
The U.S. Coast Guard published this week long-anticipated FAQs for its cybersecurity in the Marine Transportation System Final Rule, offering much-needed guidance for U.S.-flagged vessels, Outer Continental Shelf facilities, and MTSA-regulated sites as they work to comply with the new mandatory cybersecurity requirements.

The cybersecurity regulations for the maritime sector, effective January 2026, include a requirement for personnel to complete cybersecurity training. Even before an approved cybersecurity plan is in place, regulated entities must begin compliance by following existing documentation procedures for MTSA-related training, as outlined in their approved Facility Security Plans (FSP), Outer Continental Shelf Facility Security Plans (OCS FSP), or Vessel Security Plans (VSP). Training records must specify the topics covered and demonstrate alignment with the regulation.

The training must be delivered by individuals or organizations that meet or exceed the knowledge standards required for Cybersecurity Officers (CySOs). No amendment to existing FSP, OCS FSP, or VSP is required at this stage, provided the cybersecurity training is documented as part of existing security training. However, the Coast Guard is still determining how it will inspect and enforce cybersecurity compliance, with stakeholder engagement ongoing.

All MTSA-regulated facilities and vessels, regardless of whether they use operational technology (OT), must comply with the new cybersecurity regulations. These requirements are tied to the risk of a Transportation Security Incident (TSI), which exists independent of OT presence. Every regulated entity must complete a cybersecurity assessment. If appropriate, a waiver or equivalence determination may be requested following that assessment.

If a cybersecurity deficiency is identified, the first step in the appeals process is to request reconsideration from the cognizant Captain of the Port (COTP). If the issue remains unresolved, further appeals will be processed.

Maritime Academies under the Maritime Administration (MARAD) may be subject to the Coast Guard’s cybersecurity regulations if they operate vessels or facilities. The rule does not expand MTSA applicability but adds cybersecurity requirements to the existing framework. Any academy that already maintains a VSP and falls under MTSA is likely required to comply with the new provisions. The MARAD–USCG Memorandum of Understanding should be consulted for additional guidance.

The Coast Guard said that there is no specific licensing or certification required for a CySO. The role may be fulfilled by a third party, and there are no limits on how many vessels or terminals a CySO may oversee. Cybersecurity inspections may occur separately or alongside other inspections and are typically conducted in person, similar to existing security reviews. The CySO may participate remotely at the discretion of the COTP or Officer in Charge, Marine Inspection (OCMI).

The cybersecurity assessment must identify all IT and OT systems that impact maritime operations or could lead to a TSI. This includes systems not specifically listed in the FSP or VSP. Owners and operators are encouraged to take a holistic approach and can direct specific IT/OT questions to [email protected]. A single cybersecurity plan may be submitted for multiple U.S.-flagged vessels with similar operations. However, any risk differences between vessels must be addressed within the plan. This plan may also be combined and harmonized with an existing VSP or FSP, as permitted.

Cybersecurity audits and assessments serve distinct purposes. A cybersecurity assessment is foundational and must be completed before the cybersecurity plan is developed. It identifies vulnerabilities and informs the design of appropriate safeguards. Assessments are required by July 16, 2027, and must be repeated annually, or sooner if there is a change in ownership. By contrast, cybersecurity audits are internal checks that verify the effectiveness of the plan and identify whether amendments are needed. These are also required annually or whenever ownership or cybersecurity measures change. If the cybersecurity plan is amended, corresponding updates to the FSP or VSP may also be required.

The cybersecurity plan renewal does not need to align with the current FSP or VSP schedule. That decision is left to the owner or operator, although the Coast Guard will accommodate alignment requests where feasible. Once approved, the plan follows a five-year renewal cycle.

Biannual cybersecurity drills and annual exercises are both required. Drills test specific components of the cybersecurity plan, while exercises test the plan in full. A single drill may cover multiple facilities or vessels simultaneously if each one meets the full regulatory requirements. The same scenario may be reused across different entities, provided it remains applicable and relevant. Successive drills should vary and test different aspects of the plan where feasible. Simulated phishing campaigns or mock cyber incidents may count as drills, but they should not be the only type conducted. 

Real-world cyber incidents may also fulfill drill or exercise requirements. Cybersecurity drills and exercises can be combined with physical security drills and exercises. When combined, the scenario must fully test both the cybersecurity and physical security plans and comply with all regulatory requirements for each. Personnel must meet the cybersecurity training requirements. For training purposes, access includes the ability to interact with or control system components, gain knowledge of system data, or physically interface with IT/OT infrastructure, such as inserting a USB device or entering secure areas.

Cybersecurity assessments must be conducted no later than July 16, 2027, and repeated annually. These assessments inform the cybersecurity plan and must be completed before the plan is developed. Internal audits are required at least once a year, or more often if there are changes in ownership or cybersecurity measures. For fleets of vessels with identical IT/OT configurations, a single cybersecurity assessment may be used. However, if there are any deviations in system configuration, each vessel must undergo its own assessment.

The Coast Guard can provide support to companies responding to cyber incidents. Assistance may come from local Sector Marine Transportation System Specialists–Cyber (MTSS-C), the Coast Guard Cyber Protection Team (CPT), or resources available through the Maritime Industry Cybersecurity Resource website. Requests for help can be made through NRC reports, directly to the Sector Command Center, or through the MTSS-Cs.

Entities that already comply with TSA’s Critical Infrastructure Protection (CIP) or Corporate Action Plan (CAP) programs may identify overlapping cybersecurity requirements during Coast Guard submissions or inspections to avoid duplication.