(WASHINGTON) — The U.S. Coast Guard on Friday published a final rule in the Federal Register concerning cybersecurity in the nation’s marine transportation system. Here is a summary of the document:
The maritime industry faces increasing cybersecurity threats as it becomes more reliant on cyber-connected systems. The purpose of this final rule is to safeguard the marine transportation system (MTS) against current and emerging cybersecurity threats by adding minimum cybersecurity requirements to 33 CFR part 101 to help detect, respond to, and recover from cybersecurity risks that may cause transportation security incidents (TSIs). This final rule addresses risks from the increased interconnectivity and digitalization of the MTS, and current and emerging cybersecurity threats to maritime security in the MTS, with the additional minimum requirements specified below.
First, this final rule requires owners or operators of U.S.-flagged vessels, facilities, or Outer Continental Shelf (OCS) facilities that are required to have a security plan under 33 CFR parts 104, 105, and 106 to develop and maintain a cybersecurity plan and a cyberincident response plan. The cybersecurity plan must include seven account security measures for owners or operators of a U.S.-flagged vessel, facility, or OCS facility:
(1) Enabling automatic account lockout after repeated failed login attempts on all password-protected information technology (IT) systems;
(2) Changing default passwords (or implementing other compensating security controls if unfeasible) before using any IT or operational technology (OT) systems;
(3) Maintaining a minimum password strength on all IT and OT systems technically capable of password protection;
(4) Implementing multi-factor authentication on password-protected IT and remotely accessible OT systems;
(5) Applying the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systems;
(6) Maintaining separate user credentials on critical IT and OT systems; and
(7) Removing or revoking user credentials when a user leaves the organization.
The cybersecurity plan also must include four device security measure requirements:
(1) Develop and maintain a list of any hardware, firmware, and software approved by the owner or operator that may be installed on IT or OT systems;
(2) Ensure that applications running executable code are disabled by default on critical IT and OT systems;
(3) Maintain an accurate inventory of network-connected systems, including critical IT and OT systems; and
(4) Develop and document the network map and OT device configuration information.
In addition, the cybersecurity plan must include two data security measure requirements:
(1) Ensure that logs are securely captured, stored, and protected and accessible only to privileged users, and
(2) Deploy effective encryption to maintain confidentiality of sensitive data and integrity of IT and OT traffic when technically feasible.
Owners or operators of U.S.-flagged vessels, facilities, or OCS facilities must also prepare and document a cyberincident response plan that outlines instructions on how to respond to a cyberincident and identifies key roles, responsibilities, and decision-makers among personnel.
Owners or operators must also designate a cybersecurity officer (CySO), who must ensure that U.S.-flagged vessel, facility, or OCS facility personnel implement the cybersecurity plan and the cyberincident response plan. The CySO must also ensure that the cybersecurity plan is kept up to date and undergoes an annual audit, arrange for cybersecurity inspections, ensure that personnel have adequate cybersecurity training, record and report cybersecurity incidents to the owner or operator, and take steps to mitigate them.
With this final rule, the Coast Guard finalizes the requirements that were proposed in the notice of proposed rulemaking (NPRM), “Cybersecurity in the Marine Transportation System,” published on February 22, 2024. The final rule is effective July 16, 2025.