News

MTSA Cybersecurity Training Compliance Reminder

January 8, 2026

As a reminder, MTSA cybersecurity training (33 CFR § 101.650(d)) must be completed no later than January 12, 2026. Specifically, this includes training for all persons with access to IT or OT systems and additional training for “key personnel” with access to IT or remotely accessible OT systems. Personnel who gain IT or OT system access on or after January 12, 2026 must complete training within five days – but no later than within 30 days of being hired, and annually thereafter.

Beginning on January 12, 2026, the USCG has the right (but not the obligation) to review MTSA cybersecurity training compliance. Please note however, the USCG cannot review compliance with other parts of the Cybersecurity Final Rule at this time (e.g., Cybersecurity Assessments, Cybersecurity Plans, etc.).

USCG Publishes MTSA Cybersecurity FAQs

August 4, 2025

The USCG’s Cybersecurity in the Marine Transportation System (MTS) Final Rule became effective on July 16, 2025. In response to industry questions – and to provide information while future guidance is considered – the USCG published a set of Frequently Asked Questions (FAQs) on July 22, 2025. The USCG notes that the FAQs are designed only to support the regulation and do not represent or supersede the regulation itself.

USCG Homeport Website Decommissioned

May 1, 2025

On April 12, 2025, the USCG decommissioned Homeport. The USCG stated that the “Homeport system is facing increasing costs and system obsolescence. As a result, it is no longer a viable tool for managing the many functions required to ensure the smooth and safe flow of vessel traffic.” It is unclear what, if anything, will replace it (which FSOs and other MTSA stakeholders primarily used for MARSEC status and Transportation Worker Identification Credential New Hire compliance). With respect to the former, the USCG now posts MARSEC Levels for each Captain of the Port Zone via its Navigation Center website. With respect to the latter, the Office of Port & Facility Compliance “will work directly with the U.S. Transportation Security Administration (TSA) to verify newly hired employees.” FSOs seeking to verify the status of a newly hired employee for accompanied access to secure areas must email [email protected].

Join Us for the MTSA Cybersecurity Final Rule Workshop – Hosted by the Houston Ship Channel Security District & EHCMA Security Committee

January 31, 2025

The U.S. Coast Guard recently issued a Final Rule amending the Maritime Transportation Security Act (MTSA) regulations to introduce new cybersecurity requirements for MTSA-regulated facilities. These changes represent one of the most significant updates to the MTSA program since its inception and will have a substantial impact on maritime security compliance for ports, terminals, and industrial facilities in the Houston Ship Channel and beyond.

To help Facility Security Officers (FSOs), Corporate Security Officers, and IT/OT cybersecurity professionals understand these new requirements and their implications, the Houston Ship Channel Security District and EHCMA Security Committee are hosting a MTSA Cybersecurity Regulation Workshop.

Workshop Details

Date: Wednesday, March 12, 2025
Time: 8:30 AM – 3:00 PM CST

Location: Houston Pilots Association – Meeting Room

Address: 203 Deerwood Glen Drive, Deer Park, TX 77536
Facilitator: Steve Roberts, Roberts Law Group / Chemical Security Group
Cost: Free | Lunch Provided
RSVP by March 7: [https://forms.office.com/r/cxuZSEk17F]

What You’ll Learn

Breakdown of the New MTSA Cybersecurity Regulations
Compliance Requirements & Implementation Strategies
Cybersecurity Risk Mitigation for Maritime Facilities
Best Practices for Facility Security Officers and IT/OT Teams
Interactive Discussions & Industry Insights

Why Attend?

🔹 Ensure Compliance with the U.S. Coast Guard’s Cybersecurity Final Rule
🔹 Learn from Leading Industry Experts
🔹 Engage with Security Professionals & Peers
🔹 Gain Practical, Actionable Insights

About the Facilitator: Steve Roberts

We are proud to have Steve Roberts from Roberts Law Group / Chemical Security Group leading this workshop. With extensive expertise in maritime security law, compliance, and regulatory enforcement, Steve brings a pragmatic and strategic approach to cybersecurity compliance in the maritime industry. Attendees will gain real-world insights on how to prepare for and implement the new MTSA cybersecurity requirements effectively.

How to Register

RSVP by March 7, 2025: [https://forms.office.com/r/cxuZSEk17F]

Don’t miss this opportunity to stay ahead of regulatory changes and fortify your maritime security program. We look forward to seeing you there!

Meta Description: Join the MTSA Cybersecurity Final Rule Workshop on March 12, 2025, in Deer Park, TX. Led by Steve Roberts, this free event will cover U.S. Coast Guard cybersecurity regulations, compliance strategies, and risk mitigation for MTSA-regulated facilities. RSVP by March 7!

Understanding the Impact of the Regulatory Freeze Executive Order on the MTSA Cybersecurity Final Rule

January 23, 2025

On January 17, 2025, the MTSA Cybersecurity Final Rule was published in the Federal Register establishing baseline cybersecurity measures for Maritime Transportation Security Act (MTSA) facilities. However, with the issuance of President Trump’s Executive Order (EO) “Regulatory Freeze Pending Review,” questions have arisen about the Rule’s timeline and implementation.

Specifically, Section (3) of the EO encourages federal agencies to delay the effective date of published rules for 60 days to review potential questions of fact, law, or policy. For the MTSA Cybersecurity Final Rule, the 60-day delay would extend to March 20, 2025, without affecting its current July 16, 2025, effective date. During this review period, agencies can open a comment period to evaluate issues and potentially propose further delays if needed.

In the case of the MTSA Cybersecurity Rule, there appear to be no substantial questions of fact, law, or policy:

  • Fact: Cybersecurity is a recognized security risk for the maritime sector.
  • Law: The U.S. Coast Guard has longstanding authority to regulate under the MTSA.
  • Policy: There is no new policy. Existing policy under Navigation and Vessel Inspection Circular remains in place.

Despite this, some stakeholders suggest the Rule may not go far enough. For instance, the exemption for foreign-flagged vessels has drawn scrutiny. It’s also worth noting that regulatory freezes are not new. The Biden Administration issued a similar “freeze” in 2021, with language nearly identical to the Trump Administration’s 2025 order. For now, the MTSA Cybersecurity Final Rule remains on track.

USCG Cybersecurity Final Rule: Key Updates and Compliance Deadlines

January 17, 2025

On January 17, 2025, the United States Coast Guard (USCG) published its Cybersecurity in the Marine Transportation System Final Rule (Final Rule) in the Federal Register. The Final Rule, which was issued less than 11 months following publication of the Notice of Proposed Rulemaking (NPRM) in February 2024, establishes minimum cybersecurity requirements for Maritime Transportation Security Act (MTSA) facilities. These include, among others, Cybersecurity Assessments, Cybersecurity Plans, new cybersecurity training, drills, exercises, and records as well as implementation of technical cybersecurity measures.

The requirements in the Final Rule largely mirror those proposed in the NPRM. However, the USCG made various adjustments and clarifications, including establishing the following compliance dates:

  • Cybersecurity Training – Cybersecurity training for both personnel with access to the IT or OT systems and key personnel with access to the IT or remotely accessible OT systems must be completed by January 12, 2026.
  • Cybersecurity Assessment – Facilities must complete a Cybersecurity Assessment no later than July 16, 2027.
  • Cybersecurity Plan – Facilities must submit a Cybersecurity Plan to the USCG no later than July 16, 2027.

Below is a summary of some of the additional changes the USCG made with the Final Rule:

Cybersecurity Officer (CySO)

  • Adjusts the definition of “cybersecurity officer” to clarify that facilities may designate one or more Alternate CySOs to assist the primary CySO when the primary CySO is unavailable.

Cybersecurity Plans

  • Removes the requirement to submit a letter with the Cybersecurity Plan submission certifying that the Cybersecurity Plan meets regulatory requirements. The USCG states that submitting the Cybersecurity Plan itself qualifies as certification that it meets the requirements.
  • Eliminates the requirement that only “major amendments” to the Cybersecurity Plan be proposed to the USCG prior to implementation (thereby removing any ambiguity about which amendments require resubmission of the Cybersecurity Plan).  
  • States that proposed Cybersecurity Plan amendments must be submitted to the USCG at least 30 days before their effective date. The USCG clarifies that this should not be construed as limiting facilities from implementation of any proposed cybersecurity measures to address exigent circumstances.
  • Establishes a 96-hour timeframe for submitting Cybersecurity Plan amendments to the USCG resulting from changes to the owner / operator and/or CySO.

Training

  • Adds a requirement that when personnel must access IT or OT systems, but are unable to receive the required cybersecurity training, personnel must be accompanied or monitored by a person who has completed the cybersecurity training.

Drills and Exercises

  • Reduces the cybersecurity drill frequency from once every three months to at least two cybersecurity drills each calendar year.

Cybersecurity Measures

Account Security Measures

  • Revises requirements involving automatic lockouts after repeated failed login attempts to state that such lockouts must be enabled only on password-protected IT systems – and not on OT systems as originally proposed.

Device Security Measures

  • Clarifies that the device security measures required by 33 CFR § 101.650(b), including the network map and OT device configuration information, must only be addressed in Section 6 of the Cybersecurity Plan and made available to the USCG upon request (and not documented and submitted with the Cybersecurity Plan as originally proposed).

Data Security Measures

  • Revises requirements involving data encryption to provide that effective encryption must be deployed to maintain confidentiality of sensitive data and integrity of IT and OT traffic, when technically feasible (rather than requiring “all data, both in transit and at rest,” be encrypted “using a suitably strong algorithm” as originally proposed).

Risk Management

  • Adjusts select requirements for Cybersecurity Assessments, including: (1) limiting the identification of vulnerabilities to only “critical” OT and IT systems (rather than to all OT and IT systems); and (2) replacing the expectation that facilities “mitigate any unresolved vulnerabilities” with a requirement that facilities ensure patching or implementation of documented compensating controls for all Known Exploited Vulnerabilities in critical IT or OT systems without delay.
  • Clarifies that penetration testing must be completed in conjunction with renewal of the Cybersecurity Plan – rather than in conjunction with renewal of the Facility Security Plan. Following completion of the penetration test, the CySO must maintain a letter with the Facility Security Assessment, required under 33 CFR § 105.305, certifying that test was conducted and listing all identified vulnerabilities

Resilience

  • Adds the term “reportable cybersecurity incident” and clarifies that such incidents must be reported to the National Response Center without delay if they are not otherwise reported to the USCG under its 33 CFR Part 6 regulation.
  • Adjusts the definition of “backup” to remove the implication that the backups of critical IT and OT systems must be stored off-site.

Noncompliance, Waivers, and Equivalents

  • Clarifies that after completing a Cybersecurity Assessment, facilities that believe certain requirements are not applicable  to their operations, or are technically not achievable, may seek a waiver or equivalence determination from the USCG.

Ready to ensure your facility complies with the new USCG Cybersecurity Final Rule? Contact us today to schedule a consultation and receive expert guidance on navigating these requirements and deadlines.