Maritime Transportation Security Act (MTSA)

Cybersecurity Final Rule

On January 17, 2025, the United States Coast Guard (USCG) published its Cybersecurity in the Marine Transportation System Final Rule (Final Rule) in the Federal Register. The Final Rule, which represents the most significant update to the MTSA regulation since its inception, establishes minimum cybersecurity requirements for MTSA facilities.

Key Compliance Dates

  • Cybersecurity Training – Cybersecurity training for (1) all personnel with access to IT and OT systems and (2) “key personnel” must be completed by January 12, 2026 (and annually thereafter).
  • Cybersecurity Assessment – A Cybersecurity Assessment must be conducted no later than July 16, 2027 (and annually thereafter).
  • Cybersecurity Plan – A Cybersecurity Plan addressing facility-specific risks must be submitted to the USCG no later than July 16, 2027.

Key Compliance Requirements

  • Cybersecurity Officer (CySO) – Facilities are required to designate a CySO (and one or more Alternate CySOs, as necessary) who is responsible for the development, implementation, and maintenance of the Cybersecurity Plan.
  • Cybersecurity Drills – Facilities are required to conduct at least two cybersecurity drills each calendar year that test individual elements of the Cybersecurity Plan.
  • Cybersecurity Exercises – Facilities are required to conduct one cybersecurity exercise each calendar year (with no more than 18 months between exercises).
  • Recordkeeping – Facilities are required to maintain records of cybersecurity training, drills, exercises, threats, reportable cybersecurity incidents, and audits.
  • Technical Cybersecurity Measures – Facilities must maintain various technical measures, including, but not limited to: (1) Account Security Measures; (2) Device Security Measures; (3) Data Security Measures; (4) Risk Management; (5) Resilience; and (6) Network Segmentation.