New maritime cybersecurity regulations go into effect
New cybersecurity regulations for the maritime sector went into effect Wednesday for all U.S.-flagged vessels, offshore facilities such as energy projects, and maritime transportation facilities handling certain volumes of cargo and ships.
The Coast Guard released the Cybersecurity in the Marine Transportation System rule Jan. 17, requiring covered entities to create a cybersecurity plan, designate a cybersecurity officer to oversee plan implementation and updates, and have a response plan with “instructions on how to respond to a cyber incident and identifies key roles, responsibilities and decision-makers amongst personnel,” among other measures.
“The maritime industry is undergoing a significant transformation that involves the increased use of cyber-connected systems. While these increasingly interconnected and networked systems improve commercial vessel and port facility operations, they also bring a new set of challenges affecting design, operations, safety, security, training, and the workforce,” the rule said, noting as an example the 2021 Colonial Pipeline attack.
“Unmitigated cyber-related risks to the maritime domain can compromise the critical infrastructure that people and companies depend on to fulfill their daily needs and that maintain the effective operation of the MTS,” the rule added. “…An attack that compromises navigational or operational systems can pose a serious safety risk. It can result in accidents at sea, potential environmental disasters like oil spills, and loss of life.”
Beginning this week, entities subject to the rule must report all reportable cyber incidents to the National Response Center, the Coast Guard said.
By Jan. 12, personnel at these regulated entities will be required to complete “adequate” cybersecurity training.
And those covered under the new rule will have two years — until July 16, 2027 — to designate a cybersecurity officer and conduct a cybersecurity assessment. Vessels will have to submit a cybersecurity plan to the Coast Guard’s Marine Safety Center by that date, and facilities will have to submit the plan to a Captain of the Port Office.
“Recognizing the escalating cyber threat from adversarial actors targeting the U.S. Marine Transportation System, the U.S. Coast Guard, leveraging the post-9/11 alignment of domestic MTSA authorities with international SOLAS and ISPS Code regimes, will intensify Port State Control (PSC) scrutiny on indicators of poor cybersecurity practices, specifically those impacting International Safety Management (ISM) Code compliance on foreign flagged vessels,” the Coast Guard said Wednesday. “This elevated focus may lead to the issuance of deficiencies requiring correction, or, if circumstances warrant, result in vessel detention, denial of entry or Captain of the Port (COTP) action to control vessel movement, as the Coast Guard implements measures to control, secure and defend the nation’s ports, waterways and shipping interests while restoring U.S. maritime dominance.”