On July 16, 2025, the U.S. Coast Guard’s final rule to update cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject Maritime Transportation Security Act of 2022 (MTSA) begins to take effect. The final rule is codified at 33 C.F.R. § 101.600 et seq (“Rule”). In addition to other security regulations already in place, the Rule newly requires the owners and operators of the impacted entities to report certain cybersecurity events, develop and implement Cybersecurity and Cyber Incident Response Plans, and designate a Cybersecurity Officer responsible for implementing the plans. Certain provisions of the Rule are in effect now, while others are on a phased implementation.
While the Rule represents a good-faith effort to further strengthen the cyber-resilience of the U.S.’s maritime industry and environment, the notification and other requirements appear to further complicate already overlapping notification obligations in place today, as well as future notice obligations expected from other federal agencies.
New Notice Requirement Now in Place
The Rule now requires entities that have not reported a reportable cyber incident to the Coast Guard pursuant to, or are not subject to, 33 C.F.R. 6.16-1, are now required to report to the National Response Center (NRC) “without delay”. § 101.650(g)(1) (emphasis added). A “reportable cyber incident” is:
[A]n incident that leads to or, if still under investigation, could reasonably lead to any of the following: Substantial loss of confidentiality, integrity, or availability of a covered information system, network, or OT system; Disruption or significant adverse impact on the reporting entity’s ability to engage in business operations or deliver goods or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death; Disclosure or unauthorized access directly or indirectly of nonpublic personal information of a significant number of individuals; Other potential operational disruption to critical infrastructure systems or assets; or Incidents that otherwise may lead to a transportation security incident as defined in 33 CFR 101.105.
Id. at § 101.615.
And yet, 33 C.F.R. 6.16-1 already requires the following U.S.-flagged vessels, harbors, ports, and waterfront facilities:
Evidence of sabotage, subversive activity, or an actual or threatened cyber incident involving or endangering any vessel, harbor, port, or waterfront facility, including any data, information, network, program, system, or other digital infrastructure thereon or therein, shall be reported immediately to the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (for any cyber incident), and the Captain of the Port, or to their respective representatives.
The key phrasing “have not yet reported” leads to overlapping reporting requirements based on the deadline to report under the new Rule versus existing USCG obligations. The NRC must be done “without delay”, while reporting to the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Captain of the Port must be done “immediately.”
Adding to this inconsistency is the anticipated final rule from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the proposed rules released in 2024, a critical infrastructure entity must report a covered cyber incident to CISA within 72 hours and a ransomware payment within 24 hours of that payment. See 96 Fed. Reg. 23660. CIRCIA also has varying definitions of what constitutes a reportable or covered cyber incident.
That being said, CISA has still not released a final rule for review, and time is running out. CISA must publish a final rule by October 2025, and current reporting suggests that the agency may not be able to fulfill that requirement. Despite outspoken commitment and movement by CISA since the CIRCIA’s passage to meet the deadline throughout 2022-2024, CISA has said little on CIRCIA since January 2025.[1] CISA has also been without a confirmed director of CISA since January 20, 2025. As that deadline inches ever closer, impacted entities should watch to see whether CIRCIA is amended to allow for additional time to prepare a final rule or if the current administration will halt the progress made and prevent a rule from being finalized.
U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject Maritime Transportation Security Act of 2022 (MTSA) should be aware of these reporting obligations and their deadlines to comply with the regulations in the event of a cybersecurity incident. The first 24-72 hours of a cyber incident are intense and hectic; knowledge of these deadlines and process for handling them is critical to maintaining compliance during an incident response.
Additional Obligations
The Rule provides for additional obligations that become effective January 12, 2026 and July 16, 2027. The USCG also asked for, and received, public comments concerning whether enforcement of these obligations should be delayed for U.S.-flagged vessels, as they may require more time than facilities to implement all requirements in the final rule.[2] Owners and operators of U.S.-flagged vessels should monitor further developments from the USCG and any additional time provided.
Currently, by January 12, 2026:
- All entity personnel with access to IT and OT (operational technology) systems must complete cybersecurity training, including recognition of threats and threat detection, techniques used to circumvent cybersecurity measures, procedures for reporting cyber incidents to the entity’s Cybersecurity Officer (CySo) and any operational technology specific training.
- Key personnel with access to IT and remotely available OT systems must, in addition to the above training, complete additional training concerning their responsibilities during a cyber incident and how to maintain current knowledge of emerging cyberthreats and countermeasures.
By July 16, 2027:
- Owners and operators must designate, in writing, their CySo.
- Owners and operators must conduct a Cybersecurity Assessment and annually thereafter (or sooner if there is a change in ownership).
- Owners and operators must submit their Cybersecurity Plan to the USCG for approval.
The Cybersecurity Officer (CySo) is similar to a Data Protection Officer and is responsible for overseeing the cybersecurity implementation and incident response. The CySo will also lead the effort to conduct a Cybersecurity Assessment and submit the Cybersecurity Plan to the USCG for approval.
A “Cybersecurity Assessment” is an appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes identification of relevant vulnerabilities and threats and determining the extent to which adverse circumstances or events could result in operational disruption and other harmful consequences. This assessment helps evaluate the systems as they currently stand, improvements to be made, and potential risks should the information be compromised. The Assessment helps inform the Cybersecurity Plan, which ensures application and implementation of the cybersecurity measures designed to protect the owner’s or operator’s systems and equipment.
Once the USCG approves the Cybersecurity Plan, owners and operators must conduct cybersecurity drills at least twice each calendar year. Owners and operators must also conduct cybersecurity exercises at least once per calendar year. Personnel involved in implementing the activities discussed in the Cybersecurity Plan must be trained within 60 days of receiving approval of the Plan. Further, owners and operators must ensure that the cybersecurity portion of the Plan and an entity’s penetration test results are available to the USCG upon request.
Further Remarks
Whether a delay is instituted or not, entities subject to these new requirements would be wise to act now to implement the requirements into their current cyber incident response plans and initiate discussions on how to achieve and maintain compliance. This new Rule, particularly the approval process for the Cybersecurity Plans, reflects a major “hands on” change in how the USCG will monitor and effectuate cybersecurity controls in the maritime space. It is not uncommon for a cybersecurity assessment to reveal overlooked lapses in security measures, so entities should give themselves sufficient time to complete the assessments and address any oversights well before the 2026 and 2027 deadlines.
[1] Lauren Boas Hayes, “CISA is facing a tight CIRCIA deadline. Here’s how Sean Plankey can attempt to meet it”, Cyberscoop.com (Jul. 30, 2025) (https://cyberscoop.com/cisa-sean-plankey-circia-deadline-op-ed/).
[2] “Fact Sheet: U.S. Coast Guard Issues Final Rule & Request for Comments on New Cybersecurity Regulations for the Marine Transportation System”, U.S. Coast Guard (Jan. 2025) (https://www.uscg.mil/Portals/0/Images/cyber/Cyber%20Regulations%20Fac