The U.S. Coast Guard (USCG) Office of Maritime Cybersecurity Policy (CG-MCP) has issued the attached Cybersecurity Training Verification Job Aid (Job Aid) to provide USCG inspectors with targeted questions to verify compliance with MTSA cybersecurity training requirements (33 CFR Part 101, Subpart F). These questions can now be incorporated into existing MTSA inspections and spot checks. Accordingly, please review the Job Aid and be prepared to respond to each of the questions and produce evidence of compliance, if requested.
Below is a short summary of the focus areas highlighted in the Job Aid:
Cybersecurity Training Program
- Scope of Training – Has the facility identified all personnel (including “key personnel) who require training?
- Training Deadline – Was the initial training for all required personnel completed by January 12, 2026?
- Training Content – Does the training provided address each of the required topics?
- New Hire Training – Do new personnel (employees and contractors) receive the required training within 5 days of gaining access or within 30 days of hire?
Training Records
- Training Record Maintenance and Detail – Does the facility maintain records of cybersecurity training that, at a minimum, include: (1) the date and duration of the training; (2) a description of the training; and (3) a list of attendees?
Untrained Personnel Access Control
- Untrained Access Policy – Does the facility have a process for managing persons who require access to IT or OT systems but have not completed the required training?
- Supervision Measures – What methods are used to supervise persons who are unable to complete the required cybersecurity training?
- Remote Escorting – Are there processes in place for remote escorting of untrained personnel and who is responsible for managing that process?
- Contractor/Third-Party Provided Training – Does the facility provide training to contractors who access IT or OT systems or is the training provided by the contractor company? If provided by the contractor company, has the facility reviewed the training to ensure compliance with 33 CFR § 101.650(d).