Cybersecurity in the Marine Transportation System: Requirements Explained
Beginning July 16, 2025, US-flagged vessels and offshore facilities are subject to a new rule governing Cybersecurity in the Marine Transportation System. With this new regulation, the Coast Guard is establishing minimum requirements for cybersecurity in order to minimize risks to the uninterrupted shipping of goods.
What Is the New Cybersecurity Rule for Marine Transportation?
The U.S. Coast Guard published the final rule on “Cybersecurity in Marine Transportation Systems” on January 17, 2025. With it, the Coast Guard and DHS introduce a number of new cybersecurity requirements.
Regulated vessels and facilities must:
Report cybersecurity incidents
Designate a Cybersecurity Officer (CySO)
Develop and maintain a Cyber Incident Response Plan
Implement a Cybersecurity Plan that conforms to the listed requirements
Who Does the Marine Transportation Cybersecurity Rule Apply to?
While the new rule introduces additional requirements for cybersecurity, it does not expand who is affected by this regulation: Any entity that is required to have a security plan under the 2002 Marine Transportation Security Act (MTSA) must also meet these new obligations.
Specifically, the Cybersecurity in the Marine Transportation System rule applies to anyone listed under 33 CFR parts 104, 105 and 106.
When Does the New Cybersecurity Rule Go into Effect?
The new rule officially goes into effect on July 16, 2025. However, due to the rule’s phased implementation schedule, not all requirements are applied immediately. There are three important stages you need to be aware of:
Effective immediately (July 16, 2025): Entities must report cyber incidents to the National Response Center (NRC).
Within 6 months: Personnel must complete cybersecurity training.
Within 24 months: Owners/operators must designate a Cybersecurity Officer, submit their Cybersecurity Plan for approval and conduct their first Cybersecurity Assessment.
Why Are Stricter Rules for Maritime Cybersecurity Necessary?
Cybercrime is on the rise and no industry is immune to this threat. Shipping and logistics is no exception. Quite the opposite: There are numerous factors that put marine transportation at high risk for cybersecurity incidents.
Legacy Systems: Marine vessels and facilities rely on operational technology (OT). Many of these legacy systems have been in use for decades and are challenging to replace or update. Vulnerabilities in these essential systems are therefore difficult to mitigate without replacing highly specialized equipment.
Critical Infrastructure: Marine transportation plays a crucial role in the flow of goods and resources around the world. Disruptions to shipping can have significant downstream effects for the global economy, as incidents like the obstruction of the Suez Canal in 2021 show. This puts critical importance on minimizing the impact of cybersecurity incidents.
Geopolitical Tensions: Global trade has become a heavily politicized issue in recent months, with governments clashing over tariffs and import restrictions. If tensions continue to rise, state-backed hacking groups may turn their focus on the shipping industry as a proxy for this conflict.
Marine Transportation: Cybersecurity Requirements Explained!
Cybersecurity Officer
The owner or operator of a regulated vessel must designate a Cybersecurity Officer (CySO), identify how they can be contacted by the Coast Guard and make sure they are available for contact 24/7. The same person can serve as CySO for multiple vessels and/or facilities.
In addition to serving as point of contact, the Cybersecurity Officer must ensure that:
Cybersecurity Assessments are conducted.
The Cybersecurity Plan and Cyber Incident Response Plan comply with this rule.
Security measures from the Cybersecurity Plan are implemented and operating as intended.
Annual audits of the Cybersecurity Plan and its implementation are conducted.
Personnel receive adequate cybersecurity training.
Records are maintained and incidents are reported.
Security and management personnel are briefed about changes to cybersecurity conditions.
In order to execute their duties, the Cybersecurity Officer must be a qualified individual with knowledge of cybersecurity best practices, relevant laws and regulations, current threat patterns and how to conduct audits and inspections. This is in addition to their understanding of the vessel/facility they are assigned to.
Incident Reporting
Under the new Coast Guard rule, entities that are not already required to report incidents under 33 CFR 6.16-1 must notify the National Response Center (NRC) of any reportable incidents.
A reportable incident is defined by the rule as any incident that could lead to:
Substantial loss of confidentiality, integrity or availability of IT/OT systems
Disruption of the entity’s ability to engage in business operations and deliver goods
Other operational disruptions to critical infrastructure assets
Potential for significant impact on public health or safety
Unauthorized access to nonpublic personal information of a significant number of individuals
Significant loss of life, environmental damage, transportation or economic disruption, as defined under 33 CFR 101.105
Cybersecurity Plan
The Cybersecurity Officer must develop and implement a Cybersecurity Plan that covers all security measures required by the Coast Guard rule, as necessary to mitigate risks uncovered by the Cybersecurity Assessment.
The Cybersecurity Plan must be submitted to the Coast Guard (Captain of the Port) for review and approval. Once approved, the plan and its implementation must be audited annually, as well as whenever there is a change in ownership or cybersecurity measures.
Account Security
Automatic lockouts after repeated failed login attempts must be enabled.
Default passwords must be changed before using IT/OT systems.
A minimum password strength must be maintained on all password-protected systems.
Multi-factor authentication must be implemented on password-protected IT and remotely accessible OT systems.
Administrator and other privileged accounts must be managed according to the principle of least privilege.
Users must maintain separate accounts for critical IT and OT systems.
Access credentials must be revoked when a user leaves the organization.
Enforcing least privilege access and ensuring that users are correctly offboarded requires an Identity Governance & Administration solution, which allows you to automate these critical steps.
Device Security
Entities must maintain a list of approved hardware, firmware and software that can be installed on IT/OT systems and ensure that only approved hardware, firmware and software is installed.
Entities must maintain an accurate inventory of network-connected systems and designate critical IT and OT systems.
Applications running executable code must be disabled by default on critical IT and OT systems.
Documentation for the network map and OT device configurations must be kept up to date.
Data Security
Logs must be securely captured and stored such that they can only be accessed by privileged users.
Encryption must be used to protect sensitive data and IT/OT traffic where technically feasible.
Physical Security
Physical access to IT and OT systems must be limited to authorized personnel.
Physical access ports should be blocked, disabled or removed to prevent the use of unauthorized media or hardware.
Risk Management
Entities must conduct annual Cybersecurity Assessments to validate the Cybersecurity Plan, identify vulnerabilities to critical IT and OT systems and ensure they are patched or mitigated through compensating controls.
Entities must conduct penetration testing when they first implement their Cybersecurity Plan and whenever it is renewed (every 5 years).
Entities must ensure that routine system maintenance is carried out, including patching known exploited vulnerabilities, maintaining a method to be informed of vulnerabilities and ensuring that no exploitable channels or OT systems are connected to the internet (unless explicitly required).
Supply Chain
Cybersecurity must be taken into account when evaluating IT and OT systems for procurement.
Owners and operators must establish a process by which vendors and service providers notify them of vulnerabilities or reportable incidents without delay.
Third-party remote connections must be monitored to detect cyber incidents.
Resilience
The effectiveness of the Cybersecurity Plan must be validated through annual exercises and reviews of incident response cases.
Critical IT and OT systems must be backed up, with those backups being sufficiently protected and tested frequently.
Entities must maintain a Cyber Incident Response Plan, i.e. a set of instructions for how to respond to cyber incidents that identifies key roles and responsibilities.
Network Segmentation
IT and OT networks must be segmented from each other.
All connections between IT and OT systems must be logged and monitored for suspicious activity, unauthorized access or security breaches.
Streamline Access Control with tenfold IGA
Ensuring that only authorized personnel can access IT systems and that users are correctly offboarded when they leave the organization: these are crucial safeguards against breaches and cyber incidents. And with the new rule for Cybersecurity in Marine Transportation Systems, they become a mandatory part of your Cybersecurity Plan.
To enforce these new requirements, you need the right tools! Identity Governance & Administration helps you on- and offboard users automatically, ensuring that their access remains appropriate from their first to last day. With in-depth reporting and auditing, staying compliant is a breeze!
Learn more about our IGA solution by signing up for a free trial today or booking a personal demo with our team.