Cybersecurity in the Marine Transportation System
Published Date: 1/17/2025
Rule
Summary
The Coast Guard has issued a final rule establishing minimum cybersecurity requirements for U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities that are already subject to security plan requirements. The rule takes effect July 16, 2025. Covered owners and operators must designate a Cybersecurity Officer and develop a Cybersecurity Plan and Cyber Incident Response Plan to identify, protect against, detect, respond to, and recover from cyber threats; plans are due to the Coast Guard within 24 months of the effective date. Vessel owners should note that the Coast Guard is also considering a 2-to-5-year delay of the implementation dates for U.S.-flagged vessels, with comments due March 18, 2025.
Analyzed Economic Effects
7 provisions identified: 1 benefit, 6 costs, 0 mixed.
Estimated $1.2B Industry and Government Cost
The Coast Guard estimates this final rule will create approximately $1.2 billion in total costs and $138.7 million annualized (2022 dollars, discounted at 2 percent) for industry and Government. The rule is effective July 16, 2025, and the Coast Guard is requesting comments on a possible 2-to-5-year delay for U.S.-flagged vessel implementation, with comments due March 18, 2025.
Must Create Cybersecurity Plans
If you own or operate a U.S.-flagged vessel, a facility, or an Outer Continental Shelf (OCS) facility that must have a security plan, you must develop and maintain a Cybersecurity Plan and a Cyber Incident Response Plan. The rule is effective July 16, 2025, and Cybersecurity Plans must be submitted to the Coast Guard for review and approval within 24 months of that date (by July 16, 2027).
Designate a Cybersecurity Officer
Owners or operators must designate a Cybersecurity Officer (CySO) to ensure the Cybersecurity Plan and Cyber Incident Response Plan are implemented. The CySO must keep the plan current, arrange cybersecurity inspections, ensure personnel training, perform an annual audit, and record and report cyber incidents.
Cyber Assessments and Penetration Testing
Owners or operators must complete a Cybersecurity Assessment within 24 months of the rule's effective date and must conduct penetration testing in conjunction with each renewal of the Cybersecurity Plan; the CySO must submit a letter verifying that the test was performed and listing the vulnerabilities it identified. For critical IT and OT systems, owners must, without delay, either patch known exploited vulnerabilities (KEVs) or implement documented compensating controls for them. An undocumented workaround does not satisfy the "documented compensating controls" wording.
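The KEV provision is the one control in this rule that lends itself to a routine check. As an added example that is not part of the rule text or of the original page, the Python below shows how a CySO might reconcile a critical-asset inventory against a catalog in the shape of CISA's KEV JSON feed and report every KEV that is neither patched nor covered by a written compensating control. The catalog records, CVE identifiers, vendor names, and asset identifiers are constructed placeholders, not real vulnerabilities, and the inventory schema (`Asset`, `patched`, `compensating`) is an assumption about how an operator might track remediation.

```python
"""Reconcile an asset inventory against a CISA-KEV-style catalog.

Constructed example data only: the CVE IDs, vendors, products and asset
identifiers are fictitious placeholders, not real vulnerabilities.
"""
import json
from dataclasses import dataclass, field

# Constructed stand-in for the KEV JSON feed. The field names (cveID,
# vendorProject, product, dueDate) follow the public catalog's schema;
# the records themselves are invented.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp",
         "product": "BridgeNav", "dueDate": "2099-02-01"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp",
         "product": "BridgeNav", "dueDate": "2099-03-01"},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor",
         "product": "CargoPLC", "dueDate": "2099-03-15"},
        {"cveID": "CVE-2099-0004", "vendorProject": "Unrelated",
         "product": "OfficeSuite", "dueDate": "2099-04-01"},
    ]
})


@dataclass
class Asset:
    """Hypothetical inventory record for one IT/OT system."""
    asset_id: str
    vendor: str
    product: str
    critical: bool                               # critical system per the owner's assessment
    patched: set = field(default_factory=set)    # CVE IDs remediated by a vendor fix
    # CVE ID -> reference to the written compensating-control record ("" = not written up)
    compensating: dict = field(default_factory=dict)


def _key(vendor, product):
    # Vendor/product strings in inventories rarely match the catalog's casing exactly.
    return (vendor.strip().lower(), product.strip().lower())


def load_kev(raw_json):
    """Index KEV entries by normalised (vendor, product) for lookup."""
    index = {}
    for v in json.loads(raw_json)["vulnerabilities"]:
        index.setdefault(_key(v["vendorProject"], v["product"]), []).append(v)
    return index


def kev_gaps(assets, kev_index, critical_only=True):
    """Return sorted (asset_id, cveID, status) tuples for unaddressed KEVs.

    status is 'unmitigated' when neither a patch nor a compensating control
    exists, or 'undocumented_control' when a control is claimed but has no
    written record, which fails the rule's "documented" requirement.
    """
    gaps = []
    for a in assets:
        if critical_only and not a.critical:
            continue
        for v in kev_index.get(_key(a.vendor, a.product), []):
            cve = v["cveID"]
            if cve in a.patched:
                continue
            if cve in a.compensating:
                if not a.compensating[cve]:
                    gaps.append((a.asset_id, cve, "undocumented_control"))
                continue
            gaps.append((a.asset_id, cve, "unmitigated"))
    return sorted(gaps)


# Constructed inventory: one fully remediated system, one with an
# undocumented control, one untouched, and one non-critical system.
SAMPLE_ASSETS = [
    Asset("ECDIS-1", "ExampleCorp", "BridgeNav", critical=True,
          patched={"CVE-2099-0001"},
          compensating={"CVE-2099-0002": "CC-2025-07 network isolation, signed by CySO"}),
    Asset("PLC-A", "othervendor", "cargoplc", critical=True,
          compensating={"CVE-2099-0003": ""}),   # control claimed, never written up
    Asset("PLC-B", "OtherVendor", "CargoPLC", critical=True),
    Asset("OFFICE-PC", "Unrelated", "OfficeSuite", critical=False),
]

if __name__ == "__main__":
    for gap in kev_gaps(SAMPLE_ASSETS, load_kev(KEV_JSON)):
        print(*gap)
```

Run against the constructed inventory, the report flags PLC-A (control claimed but undocumented) and PLC-B (no mitigation at all), while ECDIS-1 is clean because one KEV is patched and the other has a written compensating control; the non-critical office machine is skipped unless `critical_only=False`. In practice the catalog would be fetched from CISA and the inventory from the operator's CMDB, and the output would feed the CySO's records of cyber incidents and the annual audit.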
Two Cybersecurity Drills Per Year
The final rule requires at least two cybersecurity drills every 12 months, replacing the quarterly schedule in the earlier proposal. The requirement takes effect July 16, 2025, and drills must also satisfy the existing drill provisions that apply to the entity: 33 CFR 104.230 for vessels, 105.220 for facilities, or 106.225 for OCS facilities.
New Incident Reporting Rules
Entities not already subject to the reporting requirement in 33 CFR 6.16-1 must report any reportable cyber incident to the National Response Center (NRC) without delay. The rule defines a "reportable cyber incident" to include an event that causes a substantial loss of confidentiality, integrity, or availability of a covered system; a serious disruption of operations; a significant disclosure of non-public personal information; or an incident that may lead to a transportation security incident.
Waivers, Equivalents, and Temporary Deviations
After completing a Cybersecurity Assessment, an owner or operator may request a waiver of, or an equivalence determination for, specific subpart F requirements, following the existing waiver and equivalence procedures in 33 CFR parts 104, 105, and 106. The final rule also narrows the notification trigger: owners must notify the Coast Guard when they must temporarily deviate from a requirement, rather than the broader proposed standard of notifying whenever they are unable to meet one.