Plan, including, among others: provisions for account security, device protection, data safeguarding, training, drills and exercises, risk management practices, strategies for mitigating supply chain risks, penetration testing, resilience planning, network segmentation, reporting protocols, and physical security measures. Additionally, the Cyber Incident Response Plan must provide instructions for responding to cyber incidents and delineate the key roles, responsibilities, and decision-making authorities among staff.
Potential Delay in Implementation. Due to a number of comments received related to the ability of U.S.-flagged vessels to meet the implementation schedule, the Final Rule sought comments on whether a delay of an additional two to five years is appropriate.
Plan Approval and Audits. The Final Rule requires Cybersecurity Plans be submitted to the USCG for review and approval within 24 months of the effective date of the Final Rule, unless a waiver or equivalence is granted. The Rule also gives the USCG the power to perform inspections and audits to verify the implementation of the Cybersecurity Plan.
Reporting. The Final Rule requires reporting of “reportable cyber incidents”¹ to the National Response Center without delay. The reporting requirement is effective immediately on July 16, 2025. Further, the Final Rule revises the definition of “hazardous condition” to expressly include cyber incidents.
Potential Waivers. The Final Rule allows for limited waivers or equivalence determinations. A waiver may be granted if the owner or operator demonstrates that the cybersecurity requirements are unnecessary given the specific nature or operating conditions. An equivalence determination may be granted if the owner or operator demonstrates that the U.S.-flagged vessel or facility complies with international conventions or standards that provide an equivalent level of security. Each waiver or equivalence request will be evaluated on a case-by-case basis.
Conclusion
As automation and digitalization continue to advance within the maritime sector, it is imperative to develop cybersecurity strategies tailored to specific management and operational needs of each company, facility, and vessel. Owners and operators of U.S.-flagged vessels and MTSA facilities are advised to review the new regulations closely and begin preparations for the new cybersecurity requirements at the earliest opportunity.
© 2025 BLANK ROME LLP
1. A reportable cyber incident is defined as an incident that leads to, or, if still under investigation, can reasonably lead to any of the following: (1) substantial loss of confidentiality, integrity, or availability of a covered information system, network, or operational technology system; (2) disruption or significant adverse impact on the reporting entity’s ability to engage in business operations or deliver goods or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death; (3) disclosure or unauthorized access directly or indirectly of non-public personal information of a significant number of individuals; (4) other potential operational disruption to critical infrastructure systems or assets; or (5) incidents that otherwise may lead to a TSI as defined in 33 C.F.R. 101.105.
MAINBRACE • 8