The US Coast Guard’s New Cybersecurity Regulations: Navigating the Digital Seas
By Andrew R. Lee and Ilsa H. Luther
April 13, 2025
The $5.4 trillion global maritime industry faces a perfect storm of cyber vulnerabilities, and a new government regulation aims to be the lighthouse guiding stakeholders to safer digital harbors.
On January 17, 2025, the US Coast Guard (USCG) published a final rule titled “Cybersecurity in the Marine Transportation System,” aiming to bolster the cybersecurity posture of the nation’s marine transportation system (MTS). This rule introduces mandatory cybersecurity measures for US-flagged vessels, Outer Continental Shelf (OCS) facilities, and certain facilities regulated under the Maritime Transportation Security Act of 2002 (MTSA).
The integration of digital technologies and interconnected systems within the MTS has heightened vulnerability to cyber threats. Recognizing these risks, the USCG’s rule sets a baseline for cybersecurity standards, ensuring entities within the MTS can effectively detect, respond to, and recover from cyber incidents.
The final rule applies to:
- US-flagged vessels, including cargo vessels exceeding 100 gross tons, commercial passenger vessels carrying more than 150 passengers, offshore supply vessels, mobile offshore drilling units, towing vessels longer than 26 feet engaged in towing certain dangerous cargo barges, and cruise ships or passenger vessels carrying more than 12 passengers on international voyages.
- Facilities subject to MTSA, such as container terminals, chemical facilities with waterfront access, petroleum terminals, cruise ship terminals, bulk liquid transfer facilities, LNG/LPG terminals, barge fleeting facilities handling dangerous cargo, facilities receiving vessels carrying more than 150 passengers, and marine cargo terminals.
- OCS facilities, including offshore oil and gas production platforms, drilling rigs, floating production storage and offloading units, deepwater ports, offshore wind energy facilities, and offshore loading/unloading terminals.
The rule outlines several critical requirements to enhance cybersecurity within the MTS:
- Cybersecurity Plan Development: Owners and operators must create a comprehensive cybersecurity plan addressing:
- Account Security: Implement measures like automatic account lockout after failed login attempts, enforce strong password policies, utilize multifactor authentication, apply the principle of least privilege, maintain separate user credentials for critical systems, and promptly revoke access when personnel leave the organization.
- Device Security: Develop inventories of approved hardware, firmware, and software; disable unnecessary executable code; maintain accurate records of network-connected systems; and document network maps and device configurations.
- Data Security: Ensure secure logging practices, protect log data from unauthorized access, and employ encryption to safeguard sensitive information and maintain data integrity.
- Cyber Incident Response Plan: Establish a plan detailing procedures for responding to cyber incidents that clearly defines roles, responsibilities, and decision-making authority among personnel.
- Designation of a Cybersecurity Officer (CySO): Appoint a CySO responsible for implementing and maintaining the Cybersecurity and Cyber Incident Response Plans, conducting regular audits, arranging cybersecurity training, and ensuring timely reporting of incidents.
- Training and Awareness: Within six months of the rule’s effective date, conduct training sessions to recognize and detect cybersecurity threats, understand circumvention techniques, and familiarize personnel with reporting procedures. Key personnel are required to undergo more in-depth training.
- Plan Approval and Audits: Submit cybersecurity plans to the USCG for review and approval within 24 months of the rule’s effective date. The USCG reserves the authority to perform inspections and audits to verify compliance.
- Reporting Requirements: Promptly report “reportable cyber incidents” to the National Response Center. The rule also revises the definition of “hazardous condition” to explicitly include cyber incidents.
- Waivers and Equivalence Determinations: Provide mechanisms for limited waivers or equivalence determinations if entities can demonstrate that certain cybersecurity requirements are unnecessary or that alternative measures offer an equivalent level of security. Requests will be evaluated on a case-by-case basis.
The final rule is set to take effect on July 16, 2025. However, the USCG is soliciting comments on the potential for a two-to-five-year delay in the implementation periods for US-flagged vessels. Interested parties must submit comments by March 18, 2025.
The USCG’s final rule represents a significant step toward safeguarding the MTS against evolving cyber threats. As the July 2025 enforcement date approaches, maritime stakeholders must chart their course toward compliance—not merely to satisfy regulations, but to safeguard the critical infrastructure that keeps America’s maritime economy afloat in increasingly treacherous digital waters.
The Authors
Andy Lee is a partner in Jones Walker LLP’s Litigation Practice Group and co-leader of the firm’s privacy, data strategy, and artificial intelligence team.
Ilsa Luther is an associate in Jones Walker LLP’s Maritime Practice Group and a member of the firm’s Energy, Environmental & Natural Resources Industry Team.