On January 17, 2025, the United States Coast Guard (USCG) published its Cybersecurity in the Marine Transportation System Final Rule (Final Rule) in the Federal Register. The Final Rule, which was issued less than 11 months following publication of the Notice of Proposed Rulemaking (NPRM) in February 2024, establishes minimum cybersecurity requirements for Maritime Transportation Security Act (MTSA) facilities. These include, among others, Cybersecurity Assessments, Cybersecurity Plans, new cybersecurity training, drills, exercises, and records as well as implementation of technical cybersecurity measures.
The requirements in the Final Rule largely mirror those proposed in the NPRM. However, the USCG made various adjustments and clarifications, including establishing the following compliance dates:
- Cybersecurity Training – Cybersecurity training for all personnel with access to IT or OT systems, and for key personnel with access to IT or remotely accessible OT systems, must be completed by January 12, 2026.
- Cybersecurity Assessment – Facilities must complete a Cybersecurity Assessment no later than July 16, 2027.
- Cybersecurity Plan – Facilities must submit a Cybersecurity Plan to the USCG no later than July 16, 2027.
Below is a summary of some of the additional changes the USCG made with the Final Rule:
Cybersecurity Officer (CySO)
- Adjusts the definition of “cybersecurity officer” to clarify that facilities may designate one or more Alternate CySOs to assist the primary CySO when the primary CySO is unavailable.
Cybersecurity Plans
- Removes the requirement to submit a letter with the Cybersecurity Plan submission certifying that the Cybersecurity Plan meets regulatory requirements. The USCG states that submitting the Cybersecurity Plan itself qualifies as certification that it meets the requirements.
- Removes the "major amendments" qualifier, so that all proposed Cybersecurity Plan amendments must be submitted to the USCG prior to implementation (thereby removing any ambiguity about which amendments require resubmission of the Cybersecurity Plan).
- States that proposed Cybersecurity Plan amendments must be submitted to the USCG at least 30 days before their effective date. The USCG clarifies that this should not be construed as preventing facilities from implementing cybersecurity measures to address exigent circumstances.
- Establishes a 96-hour timeframe for submitting Cybersecurity Plan amendments to the USCG that result from a change of owner or operator, or a change of CySO.
Training
- Adds a requirement that personnel who must access IT or OT systems but are unable to receive the required cybersecurity training be accompanied or monitored by a person who has completed that training.
Drills and Exercises
- Reduces the cybersecurity drill frequency from once every three months to at least two cybersecurity drills each calendar year.
Cybersecurity Measures
Account Security Measures
- Revises requirements involving automatic lockouts after repeated failed login attempts to state that such lockouts must be enabled only on password-protected IT systems – and not on OT systems as originally proposed.
Device Security Measures
- Clarifies that the device security measures required by 33 CFR § 101.650(b), including the network map and OT device configuration information, need only be addressed in Section 6 of the Cybersecurity Plan and made available to the USCG upon request (rather than documented and submitted with the Cybersecurity Plan, as originally proposed).
Data Security Measures
- Revises requirements involving data encryption to provide that effective encryption must be deployed to maintain confidentiality of sensitive data and integrity of IT and OT traffic, when technically feasible (rather than requiring “all data, both in transit and at rest,” be encrypted “using a suitably strong algorithm” as originally proposed).
Risk Management
- Adjusts select requirements for Cybersecurity Assessments, including: (1) limiting the identification of vulnerabilities to only “critical” OT and IT systems (rather than to all OT and IT systems); and (2) replacing the expectation that facilities “mitigate any unresolved vulnerabilities” with a requirement that facilities ensure patching or implementation of documented compensating controls for all Known Exploited Vulnerabilities in critical IT or OT systems without delay.
- Clarifies that penetration testing must be completed in conjunction with renewal of the Cybersecurity Plan, rather than in conjunction with renewal of the Facility Security Plan. Following completion of the penetration test, the CySO must maintain a letter with the Facility Security Assessment required under 33 CFR § 105.305 certifying that the test was conducted and listing all identified vulnerabilities.
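The Known Exploited Vulnerabilities requirement above reduces, in practice, to a recurring join between the facility's asset inventory and CISA's KEV catalog: every open KEV on a critical IT or OT system must be either patched or backed by a documented compensating control. The Python below is an added example of that check, not code from the Final Rule or the USCG. The `Asset` schema, the sample inventory and the catalog excerpt are constructed for illustration; the excerpt copies only the field names of CISA's `known_exploited_vulnerabilities.json` feed, and real entries and due dates should be taken from the published catalog.

```python
import json
from dataclasses import dataclass, field

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json
# (same field names as the live feed). Only the schema matters here; pull real
# entries and due dates from the published catalog, not from this excerpt.
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08"},
    ],
})


@dataclass
class Asset:
    """One facility system as the CySO's inventory might record it (hypothetical schema)."""
    name: str
    system_type: str                                  # "IT" or "OT"
    critical: bool                                    # KEV requirement applies to critical systems only
    open_cves: set = field(default_factory=set)       # unpatched CVEs reported by the scanner
    compensating_controls: dict = field(default_factory=dict)  # cveID -> documented control


def load_kev(raw_json: str) -> dict:
    """Index a KEV-catalog-shaped JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def kev_gap_report(assets: list, kev: dict) -> dict:
    """Classify every open KEV finding into one of three buckets.

    gaps         - critical system, KEV open, no documented compensating control
    covered      - critical system, KEV open, compensating control documented
    out_of_scope - KEV open on a non-critical system (worth fixing, not a rule gap)
    A patched KEV no longer appears in open_cves, so it needs no branch of its own.
    """
    report = {"gaps": [], "covered": [], "out_of_scope": []}
    for asset in assets:
        for cve in sorted(asset.open_cves & set(kev)):
            finding = {"asset": asset.name, "type": asset.system_type,
                       "cve": cve, "kev_due": kev[cve]["dueDate"]}
            if not asset.critical:
                report["out_of_scope"].append(finding)
            elif cve in asset.compensating_controls:
                finding["control"] = asset.compensating_controls[cve]
                report["covered"].append(finding)
            else:
                report["gaps"].append(finding)
    return report


def sample_inventory() -> list:
    """Constructed inventory for the worked run; names and findings are illustrative."""
    return [
        Asset("historian-01", "IT", critical=True, open_cves={"CVE-2021-44228"}),
        Asset("remote-access-gw", "IT", critical=True, open_cves={"CVE-2023-4966"},
              compensating_controls={"CVE-2023-4966": "Mgmt interface isolated; sessions revoked nightly"}),
        Asset("plc-gateway-02", "OT", critical=True, open_cves={"CVE-2021-44228"}),
        Asset("visitor-kiosk", "IT", critical=False, open_cves={"CVE-2021-44228"}),
    ]


def run_sample() -> dict:
    """Run the check over the constructed inventory and catalog excerpt."""
    return kev_gap_report(sample_inventory(), load_kev(KEV_EXCERPT))


if __name__ == "__main__":
    for bucket, findings in run_sample().items():
        print(bucket)
        for f in findings:
            print("  ", f["asset"], f["type"], f["cve"], "due", f["kev_due"], f.get("control", ""))
```

On the constructed inventory, the two critical systems with an open KEV and no documented control (`historian-01`, `plc-gateway-02`) land in `gaps`, the gateway with a recorded compensating control is `covered`, and the non-critical kiosk is reported but not counted against the requirement. The "without delay" wording in the rule means the report is worth running on every catalog update rather than on a fixed schedule.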
Resilience
- Adds the term "reportable cybersecurity incident" and clarifies that such incidents must be reported to the National Response Center without delay if they are not otherwise reported to the USCG under 33 CFR Part 6.
- Adjusts the definition of “backup” to remove the implication that the backups of critical IT and OT systems must be stored off-site.
Noncompliance, Waivers, and Equivalents
- Clarifies that after completing a Cybersecurity Assessment, facilities that believe certain requirements are not applicable to their operations, or are technically not achievable, may seek a waiver or equivalence determination from the USCG.
Ready to ensure your facility complies with the new USCG Cybersecurity Final Rule? Contact us today to schedule a consultation and receive expert guidance on navigating these requirements and deadlines.