News

USCG Issues Waiver & Equivalency Guidance

On June 3, 2026, the U.S. Coast Guard’s (USCG’s) Office of Cybersecurity Policy (CG-MCP) issued Cybersecurity Waiver & Equivalency Guidance (MCP-WI-002) to provide a unified process for entities to request waivers or equivalencies from the Maritime Transportation Security Act (MTSA) Cybersecurity Regulation (33 CFR Part 101 – Subpart F). The Work Instruction promotes consistent USCG review of waiver and equivalency requests while preserving flexibility for entities with different operational profiles, cyber maturity levels, and Information Technology (IT) and Operational Technology (OT) environments. The Work Instruction also emphasizes that a completed Cybersecurity Assessment (CSA) is the required foundation, and a mandatory pre-requisite, for any waiver or equivalency request – even if the entity has no IT/OT.

Waivers

A waiver is a request for relief from a specific cybersecurity requirement that the entity believes is unnecessary based on the nature or operating conditions of the entity. A waiver excuses the regulatory requirement, either long-term or permanently, if the USCG agrees that doing so will not reduce overall security or increase Transportation Security Incident (TSI) risk. Importantly, the Work Instruction clarifies that if a regulatory requirement does not apply (e.g., because the relevant system, network, device, or capability does not exist in the environment), then the proper approach is generally to document the requirement as “Not Applicable” in the CSA and Cybersecurity Plan rather than requesting a waiver.

Equivalencies

An equivalency is a request to use an alternative safeguard, process, system, standard, or control that meets or exceeds the required level of protection in the regulation. Equivalency requests require a detailed justification showing how the alternative measure provides comparable or superior security. The Work Instruction specifically allows entities to rely on recognized classification society standards or industry cybersecurity frameworks (provided the entity submits a clear crosswalk showing how the standard satisfies the applicable regulatory requirements).

Submission Process

The waiver submission process consists of completing the CSA, preparing a formal signed request, and submitting it to CG-MCP.  Equivalency requests follow a similar process but focus more heavily on identifying the alternative measure and demonstrating, through technical or operational evidence, that the equivalency meets or exceeds the regulatory requirement.

All submissions must include a copy of the CSA and identify the specific entity, point of contact, regulatory sections at issue, scope of the request, and whether critical IT/OT is involved. Submissions should also list the facility’s Captain of the Port (COTP) Zone and describe the entity, its operations, products, applicable interconnectivity with pipelines, rail, vessels, corporate networks, shared infrastructure, and any unique or critical Marine Transportation System (MTS) role.  CG-MCP issued a separate Work Instruction entitled  DoD SAFE Instructions for Cybersecurity Plan, Cybersecurity Assessment, Waiver & Equivalency Request Submissions describing the process for submitting requests using DoD Safe.

Share:

More Posts

USCG Publishes MTSA Cybersecurity FAQs

The USCG’s Cybersecurity in the Marine Transportation System (MTS) Final Rule became effective on July 16, 2025. In response to industry questions – and to