News

DHS and DOJ Issue Interim Final Rule Implementing the SAFER SKIES Act

On July 1, 2026, the Department of Homeland Security and Department of Justice issued an Interim Final Rule (IFR) implementing the SAFER SKIES Act and establishing a new framework for state, local, tribal, and territorial law enforcement and correctional agencies to conduct counter-unmanned aircraft system (C-UAS) operations. The IFR is intended to address the growing security risks posed by drones near large public events, critical infrastructure, correctional facilities, and other protected locations. It authorizes qualified agencies to detect, identify, monitor, track, warn, and, when necessary, mitigate credible drone threats, subject to significant training, technology, coordination, reporting, and privacy requirements.

The IFR creates a two-tier structure. Detection and warning operations require completion of an online certification through the FBI’s National Counter-UAS Training Center, while mitigation actions – such as disrupting, taking control of, disabling, damaging, or destroying a drone – require more extensive mitigation certification through the FBI’s national schoolhouse. Agencies must also use authorized technologies, adopt an implementation policy, prepare C-UAS Operations Plans, coordinate with federal partners, obtain FCC authorization for RF-emitting systems, and provide real-time air traffic control notification when mitigation systems are activated.

For critical infrastructure owners and operators, the IFR is important but limited. It does not directly authorize private facilities to conduct their own C-UAS mitigation operations. Instead, it creates a pathway for qualified law enforcement and correctional agencies to provide C-UAS protection, including through mutual aid or support for critical infrastructure sites. The IFR also includes privacy and civil liberties protections, data retention limits, audit requirements, and potential civil penalties for unauthorized or improperly coordinated mitigation actions. Comments on the IFR are due on or before September 4, 2026.

USCG Issues Waiver & Equivalency Guidance

On June 3, 2026, the U.S. Coast Guard’s (USCG’s) Office of Cybersecurity Policy (CG-MCP) issued Cybersecurity Waiver & Equivalency Guidance (MCP-WI-002) to provide a unified process for entities to request waivers or equivalencies from the Maritime Transportation Security Act (MTSA) Cybersecurity Regulation (33 CFR Part 101 – Subpart F). The Work Instruction promotes consistent USCG review of waiver and equivalency requests while preserving flexibility for entities with different operational profiles, cyber maturity levels, and Information Technology (IT) and Operational Technology (OT) environments. The Work Instruction also emphasizes that a completed Cybersecurity Assessment (CSA) is the required foundation, and a mandatory pre-requisite, for any waiver or equivalency request – even if the entity has no IT/OT.

Waivers

A waiver is a request for relief from a specific cybersecurity requirement that the entity believes is unnecessary based on the nature or operating conditions of the entity. A waiver excuses the regulatory requirement, either long-term or permanently, if the USCG agrees that doing so will not reduce overall security or increase Transportation Security Incident (TSI) risk. Importantly, the Work Instruction clarifies that if a regulatory requirement does not apply (e.g., because the relevant system, network, device, or capability does not exist in the environment), then the proper approach is generally to document the requirement as “Not Applicable” in the CSA and Cybersecurity Plan rather than requesting a waiver.

Equivalencies

An equivalency is a request to use an alternative safeguard, process, system, standard, or control that meets or exceeds the required level of protection in the regulation. Equivalency requests require a detailed justification showing how the alternative measure provides comparable or superior security. The Work Instruction specifically allows entities to rely on recognized classification society standards or industry cybersecurity frameworks (provided the entity submits a clear crosswalk showing how the standard satisfies the applicable regulatory requirements).

Submission Process

The waiver submission process consists of completing the CSA, preparing a formal signed request, and submitting it to CG-MCP.  Equivalency requests follow a similar process but focus more heavily on identifying the alternative measure and demonstrating, through technical or operational evidence, that the equivalency meets or exceeds the regulatory requirement.

All submissions must include a copy of the CSA and identify the specific entity, point of contact, regulatory sections at issue, scope of the request, and whether critical IT/OT is involved. Submissions should also list the facility’s Captain of the Port (COTP) Zone and describe the entity, its operations, products, applicable interconnectivity with pipelines, rail, vessels, corporate networks, shared infrastructure, and any unique or critical Marine Transportation System (MTS) role.  CG-MCP issued a separate Work Instruction entitled  DoD SAFE Instructions for Cybersecurity Plan, Cybersecurity Assessment, Waiver & Equivalency Request Submissions describing the process for submitting requests using DoD Safe.

USCG Issues Cybersecurity Assessment Initial Scoping and Process Policy Letter

USCG Issues Cybersecurity Assessment Initial Scoping and Process Policy Letter

On June 2, 2026, the U.S. Coast Guard’s (USCG’s) Office of Cybersecurity Policy (CG-MCP) issued Policy Letter 01-26: Cybersecurity Assessment Initial Scoping and Process. The Policy Letter provides guidance that regulated entities may use to identify Information Technology (IT) and Operational Technology (OT) that is “in scope” for the purposes of applicability under the MTSA Cybersecurity Regulation (33 CFR Part 101 – Subpart F). This process is centered on the use of a Cybersecurity Assessment (CSA).

Note: The methodology / process outlined in the Policy Letter is not mandatory. Companies are free to utilize alternate approaches (e.g., “systems of systems” approach) to identify the IT/OT “in scope.”

CSA Scoping Approach

The Policy Letter describes the CSA as a risk-filtering process: Entities should first inventory systems, dependencies, and interfaces, then assess threats, vulnerabilities, likelihood, impact, and risk. It identifies three categories of assets:

  1. Internal Networks: Systems owned, operated, or technically controlled by the entity, such as Closed-Circuit Television servers, physical access control systems, cargo control systems, administrative workstations, and onboard or facility systems.
  1. External Networks / Dependencies: Third-party systems or services that support operations but are not directly controlled by the entity, such as cloud software, internet service providers, utilities, satellite communications, landlord networks, supply chain platforms, vendor connections, and bring-your-own-device environments.
  1. Interfaces: Physical, digital, wireless, cloud-based, or human-driven connection points where systems exchange information. These include VPNs, remote access tools, USB connections, Wi-Fi, Bluetooth, shared accounts, vendor access, and cloud service connections.

The Policy Letter states that even though the USCG does not directly regulate contractor or third-party networks, owners and operators remain responsible for managing cybersecurity risks created by their reliance on those external services – and the CSA should analyze those dependencies.

Recommended CSA Process

The Policy Letter provides an optional guide for conducting a CSA that includes the following steps:

  1. Prepare: Establish the assessment scope, risk tolerance, assumptions, constraints, necessary operational/business functions, and asset inventory.
  1. Conduct: Identify threats and vulnerabilities, determine likelihood and impact, evaluate risk, and identify priority assets that support necessary functions.
  1. Classify Critical IT/OT: Determine whether loss or degradation of a priority asset’s confidentiality, integrity, or availability could result in a Transportation Security Incident. Assets with a “Yes” or “Maybe” answer should receive heightened scrutiny and may need to be designated as “Critical IT/OT.” Sections of 33 CFR § 101.650 require additional cybersecurity measures for “Critical IT/OT.”
  1. Communicate and Document: Document vulnerabilities, recommendations, resolutions, and risk decisions in a CSA Report maintained with the Cybersecurity Plan.

USCG Issues Cybersecurity Training Verification Job Aid

The U.S. Coast Guard (USCG) Office of Maritime Cybersecurity Policy (CG-MCP) has issued the attached Cybersecurity Training Verification Job Aid (Job Aid) to provide USCG inspectors with targeted questions to verify compliance with MTSA cybersecurity training requirements (33 CFR Part 101, Subpart F). These questions can now be incorporated into existing MTSA inspections and spot checks. Accordingly, please review the Job Aid and be prepared to respond to each of the questions and produce evidence of compliance, if requested.

Below is a short summary of the focus areas highlighted in the Job Aid:

Cybersecurity Training Program

  • Scope of Training – Has the facility identified all personnel (including “key personnel) who require training?
  • Training Deadline – Was the initial training for all required personnel completed by January 12, 2026?
  • Training Content – Does the training provided address each of the required topics? 
  • New Hire Training – Do new personnel (employees and contractors) receive the required training within 5 days of gaining access or within 30 days of hire?

Training Records

  • Training Record Maintenance and Detail – Does the facility maintain records of cybersecurity training that, at a minimum, include: (1) the date and duration of the training; (2) a description of the training; and (3) a list of attendees?

Untrained Personnel Access Control

  • Untrained Access Policy – Does the facility have a process for managing persons who require access to IT or OT systems but have not completed the required training?
  • Supervision Measures – What methods are used to supervise persons who are unable to complete the required cybersecurity training?
  • Remote Escorting – Are there processes in place for remote escorting of untrained personnel and who is responsible for managing that process?
  • Contractor/Third-Party Provided Training – Does the facility provide training to contractors who access IT or OT systems or is the training provided by the contractor company? If provided by the contractor company, has the facility reviewed the training to ensure compliance with 33 CFR § 101.650(d).

MTSA Cybersecurity Training Compliance Reminder

As a reminder, MTSA cybersecurity training (33 CFR § 101.650(d)) must be completed no later than January 12, 2026. Specifically, this includes training for all persons with access to IT or OT systems and additional training for “key personnel” with access to IT or remotely accessible OT systems. Personnel who gain IT or OT system access on or after January 12, 2026 must complete training within five days – but no later than within 30 days of being hired, and annually thereafter.

Beginning on January 12, 2026, the USCG has the right (but not the obligation) to review MTSA cybersecurity training compliance. Please note however, the USCG cannot review compliance with other parts of the Cybersecurity Final Rule at this time (e.g., Cybersecurity Assessments, Cybersecurity Plans, etc.).

USCG Publishes MTSA Cybersecurity FAQs

The USCG’s Cybersecurity in the Marine Transportation System (MTS) Final Rule became effective on July 16, 2025. In response to industry questions – and to provide information while future guidance is considered – the USCG published a set of Frequently Asked Questions (FAQs) on July 22, 2025. The USCG notes that the FAQs are designed only to support the regulation and do not represent or supersede the regulation itself.