Cybersecurity in the Marine Transportation System
Published Date: 1/17/2025
Rule
Summary
The Coast Guard is rolling out new cybersecurity rules for U.S. ships and marine facilities to keep them safe from cyberattacks. Starting July 16, 2025, these places must have a Cybersecurity Plan and a dedicated Cybersecurity Officer to spot and handle threats. Ship owners should watch for a possible delay in when these rules kick in, with a chance to share their thoughts by March 18, 2025.
Analyzed Economic Effects
7 provisions identified: 1 benefits, 6 costs, 0 mixed.
Estimated $1.2B Industry and Government Cost
The Coast Guard estimates this final rule will create approximately $1.2 billion in total costs and $138.7 million annualized (2022 dollars, discounted at 2 percent) for industry and Government. The rule is effective July 16, 2025, and the Coast Guard is requesting comments on a possible 2-to-5-year delay for U.S.-flagged vessel implementation, with comments due March 18, 2025.
Must Create Cybersecurity Plans
If you own or operate a U.S.-flagged vessel, a facility, or an Outer Continental Shelf (OCS) facility that must have a security plan, you must develop and maintain a Cybersecurity Plan and a Cyber Incident Response Plan. The rule is effective July 16, 2025, and Cybersecurity Plans must be submitted to the Coast Guard for review and approval within 24 months of that date (by July 16, 2027).
Designate a Cybersecurity Officer
Owners or operators must designate a Cybersecurity Officer (CySO) to ensure the Cybersecurity Plan and Cyber Incident Response Plan are implemented. The CySO must keep the plan current, arrange cybersecurity inspections, ensure personnel training, perform an annual audit, and record and report cyber incidents.
Cyber Assessments and Penetration Testing
Owners or operators must conduct a cyber assessment within 24 months of the rule's effective date and must complete penetration testing when renewing a Cybersecurity Plan; the CySO must submit a letter verifying the test and list vulnerabilities found. For critical IT and OT systems, owners must patch or implement documented compensating controls for known exploited vulnerabilities (KEVs) without delay.
Two Cybersecurity Drills Per Year
The rule requires two cybersecurity drills every 12 months (revising a prior quarterly phrasing). This becomes effective July 16, 2025 and must follow applicable drill rules in 33 CFR 104.230, 105.220, or 106.225 as appropriate.
New Incident Reporting Rules
Entities not subject to 33 CFR 6.16-1 must report reportable cyber incidents to the National Response Center (NRC) without delay. A "reportable cyber incident" is defined to include events that cause substantial loss of confidentiality, integrity, or availability; major operational disruption; large disclosure of non-public personal information; or incidents that may lead to a transportation security incident.
Waivers, Equivalents, and Temporary Deviations
After completing a Cybersecurity Assessment, an owner or operator may seek a waiver or an equivalence determination for subpart F requirements consistent with waiver and equivalence procedures in 33 CFR parts 104, 105, and 106. Owners must notify the Coast Guard when they must temporarily deviate from requirements rather than when they are simply unable to meet them.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Related Federal Register Documents
2026-11904 — Establishment of Class E Airspace; Mullin, TX
The FAA is creating new Class E airspace around Smoky Bend Ranch Airport in Mullin, TX to help pilots fly safely using instruments, especially in bad weather. This change starts on October 29, 2026, and mainly affects pilots flying under instrument flight rules (IFR). No extra costs for the public, just smoother and safer skies for everyone!
2026-11849 — Revising HUD's Noise Abatement and Control Regulations
HUD is updating its rules to better control noise around housing, making neighborhoods quieter and more comfortable for everyone. These changes affect people living in HUD-supported homes and aim to improve how noise is measured and managed. The new rules will roll out soon, with no extra costs for residents, just a smoother, quieter living experience.
2026-11861 — Establishment of Class E Airspace; Freer, TX
The FAA is creating new Class E airspace around Silverhorn Ranch Airport in Freer, TX, to support safer flying with new instrument flight rules. This change starts on October 29, 2026, and mainly affects pilots flying in and out of this airport. No extra costs for the public, just smoother and safer skies for everyone!
2026-11860 — Establishment of Class E Airspace; Canton, OH
The FAA is creating new Class E airspace around Canton, Ohio to make flying safer and more organized for pilots. This change affects local pilots and air traffic controllers, with no extra costs or delays expected. The new airspace rules will kick in soon to keep the skies smooth and secure.
2026-11884 — Partial Withdrawals of Findings of Failure To Submit State Implementation Plan (SIP) Revisions To Amend Provisions Applying to Excess Emissions During Periods of Startup, Shutdown, and Malfunction
The EPA is rolling back part of its previous decision that said six states or local agencies didn’t update their pollution plans for startup, shutdown, and malfunction emissions. This change follows a court ruling and means some deadlines and penalties no longer apply. It gives these agencies more time and flexibility without immediate money or sanction hits.
2026-11838 — Drawbridge Operation Regulation; Big Carlos Pass, Estero Island, FL
The Coast Guard is officially removing the old drawbridge rules for the SR 865 Bridge at Big Carlos Pass, FL, because the drawbridge was replaced with a fixed bridge in April 2026. This means boaters and drivers no longer need to worry about bridge openings or delays. The change takes effect June 12, 2026, and won’t cost anyone extra or cause any disruptions.
Previous / Next Documents
Previous: 2025-00703 — Procedural Rules
The Federal Mine Safety and Health Review Commission updated its procedural rules to make mine safety cases faster, fairer, and less costly. These changes affect anyone involved in mine safety legal cases and take effect on March 3, 2025. You can still send your comments until February 18, 2025, so don’t miss your chance to weigh in!
Next: 2025-00721 — Defense Federal Acquisition Regulation Supplement: Definition of Material Weakness (DFARS Case 2021-D006)
Starting January 17, 2025, the Department of Defense is updating its rules to replace the term “significant deficiency” with “material weakness” when checking contractor business systems. This change affects contractors working with the DoD and helps make evaluations clearer and more consistent. No big cost changes are expected, but contractors should get ready for the new wording in their audits and reports.