Cybersecurity in the Marine Transportation System: What You Need to Know About the Coast Guard’s Final Rule
DANA S. MERKEL, VANESSA C. DIDOMENICO, AND HOLLI B. PACKER
DANA S. MERKEL, PARTNER
VANESSA C. DIDOMENICO, ASSOCIATE
HOLLI B. PACKER, ASSOCIATE

On January 17, 2025, the U.S. Coast Guard (“USCG”) published a final rule addressing Cybersecurity in the Marine Transportation System (the “Final Rule”), which seeks to minimize cybersecurity-related transportation security incidents (“TSIs”) within the maritime transportation system (“MTS”) by establishing requirements to enhance the detection of, response to, and recovery from cybersecurity risks. Effective July 16, 2025, the Final Rule will apply to U.S.-flagged vessels, as well as Outer Continental Shelf and onshore facilities subject to the Maritime Transportation Security Act of 2002 (“MTSA”). The USCG also sought comments on a potential two-to-five-year delay of implementation for U.S.-flagged vessels. Comments were due March 18, 2025.
Background

The need for enhanced cybersecurity protocols within the MTS has long been recognized. MTSA laid the groundwork for addressing various security threats in 2002 and provided the USCG with broad authority to take action and set requirements to prevent TSIs. MTSA was amended in 2018 to make clear that cybersecurity-related risks that may cause TSIs fall squarely within MTSA and USCG authority.
Over the years, the USCG and the International Maritime Organization have dedicated resources and published guidelines to address the growing cybersecurity threats that arise as technology is integrated more and more into all aspects of the MTS. The USCG expanded its efforts to address cybersecurity threats throughout the MTS in its latest rulemaking, publishing the original Notice of Proposed Rulemaking (“NPRM”) on February 22, 2024. The NPRM received significant public feedback, leading to the development of the Final Rule.
Final Rule

In its Final Rule, the USCG addresses the many comments received on the NPRM and sets forth minimum cybersecurity requirements for U.S.-flagged vessels and applicable facilities.
Training. Within six months of the Final Rule’s effective date, training must be conducted on recognition and detection of cybersecurity threats and all types of cyber incidents, techniques used to circumvent cybersecurity measures, and reporting procedures, among others. Key personnel are required to complete more in-depth training.
Assessment and Plans. The Final Rule requires owners and operators of U.S.-flagged vessels and applicable facilities to conduct a Cybersecurity Assessment, develop a Cybersecurity Plan and Cyber Incident Response Plan, and appoint a Cybersecurity Officer who meets specified requirements within 24 months of the effective date. There are a host of requirements for the Cybersecurity
MAINBRACE