On January 17, 2025, the U.S. Coast Guard published its long-awaited final rule on “Cybersecurity in the Marine Transportation System” (MTS) under the Maritime Transportation Security Act (MTSA). This landmark rule introduces mandatory cybersecurity standards for U.S.-flagged vessels, offshore facilities, and MTSA-regulated onshore facilities—setting a new baseline for safeguarding the nation’s maritime supply chain.

The rule officially goes into effect on July 16, 2025, with staggered compliance deadlines stretching into 2027. Here’s a breakdown of what’s inside, what’s required, and how to prepare.

Why This Rule Matters

Cyber threats are no longer theoretical for the maritime industry. Increasing digitalization of vessel operations, port logistics, and offshore platforms means a single breach can disrupt commerce, compromise safety, or even threaten national security.

The Coast Guard’s new rule is designed to:

  • Establish minimum cybersecurity requirements across MTSA-regulated entities.
  • Align industry practices with recognized standards like the NIST Cybersecurity Framework and CISA’s Cybersecurity Performance Goals.
  • Provide a structured framework for training, planning, and incident response.

Key Requirements and Deadlines

The regulation phases in over the next two years. Here are the critical milestones:

Requirement: Cyber Incident Reporting
Deadline: July 16, 2025
Details: Reportable cyber incidents must be submitted to the National Response Center (NRC).

Requirement: Cybersecurity Training
Deadline: January 12, 2026
Details: All relevant personnel must be trained; new hires must be trained within 5 days of gaining system access or 30 days of hire, and all personnel retrained annually.

Requirement: Designation of Cybersecurity Officer (CySO)
Deadline: July 16, 2027
Details: Each facility/vessel must designate a CySO and may appoint alternates.

Requirement: Cybersecurity Assessments
Deadline: July 16, 2027
Details: Initial assessment required; repeated annually or after ownership changes.

Requirement: Cybersecurity Plan Submission
Deadline: July 16, 2027
Details: Comprehensive cybersecurity plan must be submitted to the Coast Guard.

Requirement: Drills and Exercises
Deadline: Ongoing (after plan approval)
Details: At least two cybersecurity drills per year, plus one full exercise annually (no more than 18 months apart).

What Must Be in a Cybersecurity Plan

The Coast Guard requires a Cybersecurity Plan and a Cyber Incident Response Plan that address both IT (information technology) and OT (operational technology) systems. Core elements include:

Account Security

  • No default passwords (or equivalent controls)
  • Minimum password strength rules
  • Multi-factor authentication for IT and remotely accessible OT systems
  • Automatic account lockouts after repeated login failures
  • Least privilege for privileged accounts
  • Credential separation for critical systems
  • Timely removal of user access upon termination

Device and Data Protections

  • Hardware/software/firmware inventory and approvals
  • Secure system logging and monitoring
  • Encryption of sensitive data
  • Safeguards for OT environments

Training and Drills

  • Initial and annual workforce training
  • Semiannual drills and yearly exercises simulating cyber incidents

Incident Reporting and Response

  • Clear procedures for detecting, reporting, and mitigating cyber incidents

Alignment with Frameworks

  • Integration with NIST CSF and CISA’s Cybersecurity Performance Goals for scalability and industry consistency

Flexibility and Waivers

Recognizing the diversity of maritime operations, the Coast Guard has left room for equivalency requests and waivers, allowing operators to propose alternative measures that provide equal or greater security.

Additionally, public comments are being reviewed on whether to grant 2-to-5-year extensions for U.S.-flagged vessels, giving some operators more time to comply without compromising overall security objectives.

The Road Ahead

The MTSA cybersecurity rule is not just about regulatory compliance—it’s about strengthening resilience in an industry increasingly targeted by cyberattacks.

To prepare, operators should:

  1. Start reporting incidents beginning July 16, 2025.
  2. Build training programs now to meet the January 2026 deadline.
  3. Designate a Cybersecurity Officer and begin assessments well ahead of 2027.
  4. Develop a comprehensive Cybersecurity Plan that meets Coast Guard requirements and aligns with best practices.

By investing early in compliance, the maritime sector will be better positioned to protect supply chains, ensure safe operations, and reduce risk in an evolving digital threat landscape.

Bottom Line: The Coast Guard’s MTSA cybersecurity rule is the most significant regulatory shift for maritime security in decades. With deadlines already approaching, operators should act now to integrate cybersecurity into their core safety and compliance strategies.