Jul 31, 2025

Strengthening Maritime Cybersecurity: What the New U.S. Coast Guard Rule Means for Operators

The Legend-class cutter of the United States Coast Guard

On July 16, 2025, the U.S. Coast Guard’s final rule on “Cybersecurity in the Marine Transportation System” officially took effect. Issued under 33 CFR Part 101, Subpart F, this rule represents the first mandatory cybersecurity framework under the Maritime Transportation Security Act (MTSA). It establishes enforceable standards for safeguarding digital systems that support U.S.-flagged vessels, offshore energy platforms, and critical waterfront infrastructure.

This regulation arrives in response to a rapidly evolving threat landscape. Maritime operations increasingly rely on interconnected IT, OT, and IoT systems, creating complex attack surfaces for cyber adversaries to exploit. At the same time, reports, including a notable 2018 assessment from the Council of Economic Advisers, have underscored existing gaps in cyber incident tracking and the need for enhanced oversight to address underinvestment in cybersecurity. The final rule is designed to address these risks and bring consistency, accountability, and operational resilience to the entire Marine Transportation System (MTS).

Why the Rule Matters

The Marine Transportation System (MTS) is essential for the U.S. economy and national security. A single cyber incident affecting a port terminal, offshore facility, or cargo vessel has the potential to disrupt critical services and create cascading effects throughout supply chains. The Coast Guard’s rule introduces clear cybersecurity expectations, improves incident visibility, and supports national maritime security objectives outlined in the National Maritime Cybersecurity Plan.

It applies to U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities operating under U.S. jurisdiction, and MTSA-regulated shore-based facilities such as ports, terminals, and refineries. Foreign-flagged vessels’ cyber readiness will continue to be assessed through existing IMO guidelines and the Coast Guard’s CVC-WI-027(3) process during Port State Control inspections.

Compliance Timeline and Enforcement

The rule takes effect in phases to give organizations time to prepare.

Deadline: Action

July 16, 2025: Covered entities must report cyber incidents to the National Response Center

January 12, 2026: All personnel must complete:
  • Cybersecurity training on recognition, detection, techniques to circumvent measures, and incident reporting procedures
  • Key personnel must also complete role-specific training
  • Cybersecurity Plan must be completed within 60 days of the Plan’s approval

July 16, 2027: Each entity must:
  • Designate a Cybersecurity Officer (CySO)
  • Complete a Cybersecurity Assessment, and
  • Submit a Cybersecurity Plan to the Coast Guard for review

Non-compliance may result in operational delays, denial of port entry, or enforcement actions. Organizations must align cybersecurity with traditional safety and security operations, and treat it as a business-critical function, not an IT-only concern.

Requirements:

  • Cybersecurity Plan:
    Each covered entity must develop and maintain a written cybersecurity plan tailored to its operations. This includes controls to protect critical systems, detect cyber threats, and respond to incidents. Plans must be submitted to the Coast Guard for review and approval by July 16, 2027.
  • Cybersecurity Officer (CySO):
    A qualified Cybersecurity Officer must be designated for each vessel or facility. The CySO is responsible for developing and maintaining the cybersecurity plan, overseeing training, and managing incident response and recovery. A CySO may serve multiple vessels or facilities where appropriate, but the role must be clearly defined with sufficient authority and resources.
  • Training and Exercises:
    All personnel must receive cybersecurity awareness training within six months of the effective date of the rule. Security personnel must complete role-specific training. Operators must conduct at least two cybersecurity drills annually and one full-scale exercise every 18 months. Training must be refreshed regularly and tracked for compliance.
  • Incident Reporting:
    Entities must report significant cyber incidents to the National Response Center without delay. For reporting purposes, a “reportable cyber incident” is a cyber event that leads to, or could reasonably lead to, a substantial loss of data confidentiality, integrity, or availability; significant disruption of business operations or critical services; unauthorized access to sensitive personal information of many individuals; or other impacts that could cause a Transportation Security Incident (TSI).
  • Cybersecurity Assessment and Controls:
    A full cybersecurity assessment must be completed by July 2027. Entities are expected to implement controls, including risk-based patching, network segmentation, backup strategies, multifactor authentication, device security, continuous asset visibility, behavior-based monitoring, and real-time threat detection. These measures should support timely incident identification, response, and recovery while reducing the risk of unauthorized access or disruption to critical operations. Entities should also document and retain the results of assessments, remediation efforts, and testing.

Supporting Frameworks

The rule integrates with broader security regulations under 33 CFR Parts 104, 105, and 106, which govern vessels, facilities, and OCS infrastructure, respectively. It is further supported by U.S. Coast Guard guidance in NVIC 02-24 and NVIC 05-17, which provide direction on incorporating cybersecurity into Facility Security Plans (FSPs) and Vessel Security Plans (VSPs). Together, these documents offer a cohesive framework for embedding cyber risk management into existing maritime safety programs.

How Armis Can Help

Armis Centrix™, our cyber exposure management platform authorized under FedRAMP and IL for cloud and hybrid deployments, supports maritime operators across multiple deployment models, including on-prem for air-gapped environments and mobile flyaway kits for rapid on-site assessments and incident response in remote or disconnected locations. The platform helps meet critical cybersecurity requirements through:

  • Real-time asset discovery across IT, OT, and IoT systems using passive methods by default, with safe, optional active techniques available to enhance coverage when required
  • Continuous risk scoring, device behavior analysis, and anomaly detection based on threat intelligence and contextual awareness
  • Exportable compliance reports and dashboards that align with Coast Guard requirements, including asset inventories, risk logs, patch status, and incident history
  • Attack path analysis to model lateral movement risks, enabling proactive segmentation and mitigation strategies
  • Over 200 integrations with existing security tools, SIEMs, and network infrastructure to enable centralized visibility, coordinated response, and streamlined security actions when anomalies are detected

With Armis, vessel operators, port authorities, and offshore infrastructure managers gain a unified view of all cyber assets and activity. Armis helps teams transition from reactive to proactive cybersecurity, efficiently meet compliance requirements, and build long-term operational resilience across the maritime environment.
