US Coast Guard issues additional FAQs to clarify cybersecurity requirements for marine transportation system
Publish Date: 2026-01-13 07:53:00
Source Domain: industrialcyber.co
The U.S. Coast Guard published a set of frequently asked questions last week to support its final rule on cybersecurity in the Marine Transportation System. The FAQs respond to questions raised by affected stakeholders and are intended to provide clarity while additional guidance is developed.
Last week, the Coast Guard detailed questions that reflect common themes from stakeholder submissions and have been edited, consolidated, and organized for clarity. The questions are grouped by relevant regulatory citation or include a reference to the applicable section of the rule. The agency emphasized that the FAQs do not introduce new requirements and are not themselves regulatory. Instead, they are meant to help organizations better understand and implement the cybersecurity obligations outlined in the final rule.
The Coast Guard will accept the submission of a cyber plan in accordance with the final rule at this time, but plans are not yet being approved. The Coast Guard is still developing review and approval procedures to ensure consistent application of standards across the maritime industry. Any cyber plans that have already been submitted will be securely retained until the review and approval process is finalized.
Responsibility for ensuring cybersecurity training under the final rule rests with the owner or operator of a Maritime Transportation Security Act-regulated facility or vessel. The owner or operator is ultimately responsible for ensuring that all required personnel receive cybersecurity training relevant to the cybersecurity plan and procedures of the regulated facility or vessel, in accordance with 33 CFR 101.650(d). Under 33 CFR 101.625(d), the Cybersecurity Officer, acting on behalf of the owner or operator, is responsible for ensuring that personnel receive adequate cybersecurity training.
Compliance with the training requirements before approval of a cybersecurity plan can be demonstrated by following guidance issued by the Coast Guard. In October, the Coast Guard published a policy letter that provides additional clarification on training expectations.
The Coast Guard has indicated that it is still determining the most effective approach for guidance on how compliance with cybersecurity requirements will be inspected or enforced, in a way that addresses stakeholder needs. Facilities and vessels regulated under the Maritime Transportation Security Act that do not operate operational technology systems are not exempt from the cybersecurity regulations.
The MTSA regulation implies transportation security incident risk regardless of the presence of operational technology. All regulated entities are required to conduct a cybersecurity assessment, after which waivers or equivalence determinations may be requested if warranted. The appeals process for cybersecurity deficiencies begins with a request for reconsideration submitted to the cognizant Captain of the Port. If the issue remains unresolved, appeals are handled in accordance with 33 CFR 101.420.
Maritime academies operating under the Maritime Administration may be required to adopt the new Coast Guard cybersecurity regulations, depending on whether their operations meet the criteria of a Maritime Transportation Security Act-regulated entity. The rule does not expand the scope of MTSA applicability but instead adds cybersecurity requirements within the existing regulatory framework.
If a maritime academy operates vessels subject to 33 CFR Part 104 or facilities subject to 33 CFR Part 105, those operations may fall under the new requirements. In cases where a vessel already has an approved Vessel Security Plan and complies with MTSA, it will likely also need to comply with the new cybersecurity provisions. Additional guidance can be found in the Memorandum of Understanding between MARAD and the Coast Guard.
The maritime agency detailed that the expected frequency of mandatory cybersecurity assessments and audits is outlined under 33 CFR 101.650(e)(1). An initial cybersecurity assessment must be completed no later than July 16, 2027, and assessments are required annually thereafter. A new assessment is also required sooner if there is a change in ownership. The purpose of the assessment is to inform the development and maintenance of the cybersecurity plan by identifying risks and vulnerabilities, and the assessment must be conducted before developing the cybersecurity plan.
Moreover, internal cybersecurity audits are required at least annually and may be required more frequently if there is a change in owner or operator or if cybersecurity measures are modified. The purpose of these audits is to identify issues or changes since the previous audit and to initiate amendments to the cybersecurity plan when necessary.
A fleet of vessels with identical information technology and OT (operational technology) footprints may be covered by a single cybersecurity assessment. However, if there is any deviation on one or more vessels, a separate cybersecurity assessment is required for each vessel to address its unique IT and OT footprint.
Under 33 CFR 101.650(g), the Coast Guard has capabilities and resources available to assist companies in responding to cyber incidents. The Coast Guard can provide guidance and assistance through sector Marine Transportation System Specialist–Cyber personnel stationed in local Captain of the Port zones, the U.S. Coast Guard Cyber Protection Team, and the Coast Guard Maritime Industry Cybersecurity Resource website.
Assistance may be requested during a National Response Center report, directly through the Sector Command Center, through the Sector Marine Transportation System Specialist–Cyber, or by email at [email protected].
Last July, the USCG published FAQs for its cybersecurity in the Marine Transportation System Final Rule, offering much-needed guidance for U.S.-flagged vessels, Outer Continental Shelf facilities, and MTSA-regulated sites as they work to comply with the new mandatory cybersecurity requirements.
The cybersecurity regulations for the maritime sector, effective January 2026, include a requirement for personnel to complete cybersecurity training. Even before an approved cybersecurity plan is in place, regulated entities must begin compliance by following existing documentation procedures for MTSA-related training, as outlined in their approved Facility Security Plans (FSP), Outer Continental Shelf Facility Security Plans (OCS FSP), or Vessel Security Plans (VSP). Training records must specify the topics covered and demonstrate alignment with the regulation.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.