US Coast Guard issues expanded cybersecurity guidance, making risk assessments central to maritime resilience
Publish Date: 2026-06-16 06:28:00
Source Domain: industrialcyber.co
The U.S. Coast Guard released additional policy and implementation guidance to assist regulated maritime entities in complying with cybersecurity regulations. The action establishes baseline cybersecurity requirements for U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities to enhance the security and resilience of the marine transportation system. The accompanying guidance is intended to help industry stakeholders and Coast Guard personnel consistently implement and comply with the new requirements as they move toward full regulatory compliance.
The updated policy addresses inspection procedures, oversight expectations, and implementation practices associated with the Towing Safety Management System (TSMS) option and the Coast Guard inspection regime. The agency said the additional guidance is designed to promote consistency in enforcement and compliance activities while supporting the long-term safety, security, and reliability of towing vessel operations across the U.S. maritime transportation system.
The policy also provides guidance for determining the required scope of the Cybersecurity Assessment (CSA). It emphasizes that a cybersecurity assessment is the foundational first step in a continuous maturity process, designed to help organizations align risk management strategies with current threats. Because the outcomes and findings of the CSA form the foundation of the Cybersecurity Plan (CSP), the initial assessment is highly consequential and should be conducted to identify vulnerabilities, threats, operational dependencies, and interdependencies that could result in an operational disruption or transportation security incident.
The guidance includes an optional risk-filtering process, aligned with industry standards such as the NIST Cybersecurity Framework, to help organizations identify threats, vulnerabilities, likelihood, and potential impacts. It also clarifies the risk analysis process used to determine which priority assets should be formally designated as critical IT or OT (operational technology) systems based on their importance to safe and secure operations.
The regulation requires owners and operators of U.S.-flagged vessels, facilities, and OCS facilities to maintain an approved Cybersecurity Plan, designate a Cybersecurity Officer available to the Coast Guard around the clock, conduct cybersecurity assessments and exercises, implement a Cyber Incident Response Plan, and ensure reportable cyber incidents are submitted to the National Response Center when required.
The rule allows a Cybersecurity Officer (CySO) to hold other positions within an organization and to serve multiple U.S.-flagged vessels, facilities, or OCS facilities, provided they can effectively fulfill their cybersecurity responsibilities. While specific duties may be delegated to other personnel, the CySO retains overall accountability for cybersecurity compliance.
The officer is responsible for overseeing cybersecurity assessments, audits, inspections, training, incident response planning, recordkeeping, regulatory reporting, and the implementation and maintenance of approved Cybersecurity Plans. The role also includes ensuring the timely remediation of identified vulnerabilities, including known exploited vulnerabilities (KEVs), and keeping personnel informed of evolving cyber risks.
To perform these duties, the CySO must possess knowledge of facility or vessel operations, cybersecurity best practices, incident response, relevant regulations, security technologies, auditing methods, cyber threat trends, and cybersecurity training and exercise procedures.
The regulation requires each U.S.-flagged vessel, facility, and OCS facility to maintain a Coast Guard-approved Cybersecurity Plan that addresses identified cyber risks, outlines cybersecurity measures, and establishes procedures for training, communications, access controls, monitoring, incident reporting, audits, and vulnerability management. The plan is classified as sensitive security information, must be submitted for Coast Guard approval, remains valid for five years, and must be updated when significant operational, ownership, or cybersecurity changes occur.
To ensure ongoing compliance, organizations must conduct annual audits of their cybersecurity plans and perform additional reviews following major operational or cybersecurity changes. The rules also mandate regular cybersecurity drills at least twice per year and exercises at least annually to test incident response capabilities, communications, coordination, and personnel readiness. Cybersecurity Officers are responsible for overseeing these activities, addressing identified deficiencies, documenting corrective actions, and ensuring that cybersecurity measures remain effective against evolving threats.
The regulation requires maritime owners and operators to maintain detailed cybersecurity records covering training, drills, exercises, cyber threats, reportable incidents, and audits. Organizations must establish communication procedures that enable continuous coordination among vessel, facility, and security personnel, as well as Coast Guard and other authorities, while ensuring personnel are promptly informed of changing cyber conditions.
The requirements establish a comprehensive cybersecurity baseline that includes account security controls, multifactor authentication, strong password management, least-privilege access, device inventories, network mapping, logging, encryption, and physical protections for IT and OT systems. Personnel and contractors with system access must receive cybersecurity training covering threat recognition, incident reporting, response procedures, and OT-specific risks, with regular refresher training required.
Organizations must also implement ongoing risk management measures, including annual cybersecurity assessments, vulnerability remediation, penetration testing, vulnerability scanning, and routine maintenance of critical systems.
Additional requirements address supply-chain security, vendor oversight, incident reporting, cyber resilience, backup and recovery capabilities, network segmentation between IT and OT environments, and continuous monitoring of connections between operational and IT systems. The rules further require organizations to promptly address known exploited vulnerabilities, restrict physical and remote access to critical systems, and ensure that OT is not exposed to the public internet unless there is a documented operational need.
As the Coast Guard continues rolling out its maritime cybersecurity framework, it has also issued a Cybersecurity Training Verification Job Aid to standardize how inspectors assess compliance during routine vessel and facility inspections. The guidance provides a consistent method for verifying that U.S.-flagged vessels, facilities, and OCS operations have implemented required cybersecurity training programs, maintain accessible training records, and have formal procedures for managing system access by personnel who have not completed training. These measures form part of the Coast Guard’s broader effort to operationalize its cybersecurity regulations and ensure consistent enforcement across the ecosystem.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.