Washington Watch

Cyber Security

Updates to Vessel and Facility Security Plan Requirements

An Important Step Forward in Protecting against Cyberattacks

By Jeffrey H. Lewis


From a policymaking perspective, I think we all can agree that 2025 was a remarkable year for U.S. commercial maritime interests. Congress’s interest in commercial maritime issues seems reinvigorated after many years of inattention and neglect. This renewed interest has manifested itself in various congressional hearings on the size and health of the U.S.-flagged fleet and of U.S. shipyards, as well as in sweeping legislation known as the Shipbuilding and Harbor Infrastructure Prosperity and Security (SHIPS) for America Act (S. 1541/ H.R. 3151).

Likewise, President Trump last April issued Executive Order 14269, entitled “Restoring America’s Maritime Dominance.” In it, he orders a number of actions including the launch of a Maritime Security Trust Fund, creation of augmented commercial shipbuilding financial incentives, establishment of “maritime prosperity zones,” modernization of the U.S. Merchant Marine Academy, and an interagency strategy document referred to as the Maritime Action Plan (MAP) focused on implementing all of this. It is hoped that the Trump Administration will share the MAP with the public later this winter or perhaps in early spring.

And the President and Congress worked together to enact the President’s One Big Beautiful Bill Act (Pub. L. No. 119-21), which among many other things appropriated over $20 billion for new-build vessel procurement by DOD services and agencies and just over $14 billion for new-build vessel procurement by the Coast Guard.

While these and other high-profile actions by policymakers in 2025 were grabbing the headlines, the Coast Guard quietly took an important step as well, helping commercial vessels and facilities secure themselves from the ever-growing threat of cyberattacks. Effective July 16, 2025, it updated its implementing regulations for the Maritime Transportation Security Act of 2002 (Pub. L. No. 107-295), adding new minimum cybersecurity requirements that will aid vessel and facility owners or operators in identifying cyber risks and responding to cyberattacks. Included in the updates are requirements to develop and maintain a cybersecurity plan, designate a Cybersecurity Officer (CySO), and take a variety of concrete steps to maintain adequate cybersecurity. This is very much needed. As the maritime industry has relied more and more on network-connected technology in recent decades, it has faced increasing cybersecurity threats from both state and non-state actors. The Coast Guard’s regulatory updates seek to address the risks from this increased interconnectivity and the digital transformation of vessels and facilities.

The updated regulations require owners or operators of U.S.-flagged vessels, facilities, or Outer Continental Shelf (OCS) facilities, if required to conduct a security assessment and maintain a security plan under 33 C.F.R. parts 104, 105, or 106, respectively, to also conduct an annual cybersecurity assessment and develop and maintain a cybersecurity plan and cyber incident response plan. A covered owner or operator is likewise required to have in place certain account security and device security measures, which are to be documented in the cybersecurity plan.

The new required account security measures for owners or operators include: enabling automatic account lockout after repeated failed login attempts on information technology (IT) systems; changing default passwords before using any IT system or operational technology (OT) system; maintaining a minimum password strength on all IT and OT systems capable of password protection; implementing multifactor authentication on password-protected IT systems and on remotely accessible OT systems; applying the principle of “least privilege” to administrator or otherwise privileged accounts on IT and OT systems; maintaining separate user credentials on critical IT and OT systems; and revoking user credentials when a user leaves the organization.

The new required device security measures for owners or operators include: developing and maintaining a list of any hardware, firmware, and software approved by the owner or operator that may be installed on IT or OT systems; ensuring that applications running executable code are disabled by default on critical IT and OT systems; maintaining an accurate inventory of network-connected systems including those critical IT and OT systems; and developing and documenting the network map and OT device configuration information.

Two new data security measures also must be implemented and documented in each cybersecurity plan. Each owner or operator must ensure that logs are securely captured, stored, and protected and accessible only to privileged users, and must deploy effective encryption to maintain confidentiality of sensitive data and the integrity of IT and OT traffic.
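The account and device measures described in the two preceding paragraphs are the kind of thing a CySO will end up checking system by system. The following is an added example, not Coast Guard code or the text of the regulation, showing how those measures can be turned into an automated audit of a system inventory. The inventory, the approved-software list, the personnel roster and the two numeric thresholds (lockout after 5 failed logins, 12-character minimum password) are constructed for the example; the rule as summarized here requires lockout and a minimum password strength but the page gives no numbers, so those values are assumptions to be replaced by the owner or operator's own policy.

```python
"""Audit a vessel/facility system inventory against the account- and
device-security measures summarized above.  Added example; the data and
thresholds are constructed, not taken from the regulation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed policy values; the rule itself sets no specific numbers here.
MAX_FAILED_LOGINS = 5
MIN_PASSWORD_LENGTH = 12


@dataclass
class Account:
    user: str
    privileged: bool = False
    shared: bool = False            # one credential used by several people


@dataclass
class System:
    name: str
    kind: str                       # "IT" or "OT"
    critical: bool
    remote_access: bool
    password_capable: bool
    default_password_changed: bool
    lockout_threshold: Optional[int]  # failed logins before lockout; None = off
    min_password_length: int
    mfa: bool
    exec_disabled_by_default: bool  # executable-code apps blocked unless approved
    installed_software: List[str]
    accounts: List[Account]
    in_inventory: bool = True       # present in the network-connected inventory


def audit_accounts(s: System, active_users: Set[str], admins: Set[str]) -> List[str]:
    """Account-security findings. Users absent from active_users have left."""
    f: List[str] = []
    # Lockout is required on IT systems (the OT requirement is not stated above).
    if s.kind == "IT" and (s.lockout_threshold is None or s.lockout_threshold > MAX_FAILED_LOGINS):
        f.append("account lockout missing or threshold above policy")
    if not s.default_password_changed:
        f.append("default password still in use")
    if s.password_capable and s.min_password_length < MIN_PASSWORD_LENGTH:
        f.append(f"password minimum {s.min_password_length} below policy {MIN_PASSWORD_LENGTH}")
    # MFA: password-protected IT, and OT that is remotely accessible.
    needs_mfa = (s.kind == "IT" and s.password_capable) or (s.kind == "OT" and s.remote_access)
    if needs_mfa and not s.mfa:
        f.append("multifactor authentication not enforced")
    for a in s.accounts:
        if a.shared:
            if s.critical:              # separate credentials on critical systems
                f.append(f"shared credential '{a.user}' on critical system")
            continue                    # a shared account is not a person; skip roster checks
        if a.user not in active_users:  # revoke on departure
            f.append(f"credential for departed user '{a.user}' not revoked")
        elif a.privileged and a.user not in admins:  # least privilege
            f.append(f"'{a.user}' holds privileged access without an administrator role")
    return f


def audit_devices(s: System, approved_software: Set[str]) -> List[str]:
    """Device-security findings: allowlist, default-deny execution, inventory."""
    f = [f"unapproved software installed: {sw}" for sw in s.installed_software
         if sw not in approved_software]
    if s.critical and not s.exec_disabled_by_default:
        f.append("executable code allowed by default on critical system")
    if not s.in_inventory:
        f.append("system missing from network-connected inventory")
    return f


def audit(inventory: List[System], approved: Set[str],
          active_users: Set[str], admins: Set[str]) -> Dict[str, List[str]]:
    return {s.name: audit_accounts(s, active_users, admins) + audit_devices(s, approved)
            for s in inventory}


# Constructed sample data for the example.
APPROVED_SOFTWARE = {"erp-client 4.2", "plc-runtime 2.0", "gate-app 1.1"}
ACTIVE_USERS = {"alice", "bob", "carol"}        # "dave" has left the company
ADMINS = {"alice"}
INVENTORY = [
    System("shore-erp", "IT", True, True, True, True, 5, 14, True, True,
           ["erp-client 4.2"], [Account("alice", privileged=True), Account("bob")]),
    System("engine-plc", "OT", True, True, True, False, None, 4, False, False,
           ["plc-runtime 2.0", "remote-tool"],
           [Account("operator", shared=True), Account("carol", privileged=True)]),
    System("cargo-terminal", "IT", False, False, True, True, 10, 8, False, True,
           ["gate-app 1.1"], [Account("dave")], in_inventory=False),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, APPROVED_SOFTWARE, ACTIVE_USERS, ADMINS).items():
        print(f"{name}: {'compliant' if not findings else ''}")
        for line in findings:
            print(f"  - {line}")
```

Run stand-alone, the script reports the shore ERP host as compliant, seven findings on the engine PLC (default password, weak password minimum, no MFA on a remotely accessible OT system, a shared account and an over-privileged user on a critical system, unapproved software, and executable code allowed by default) and five on the cargo-terminal workstation, including an unrevoked credential for a departed user and its absence from the inventory. Note that the PLC is not flagged for lockout, because the page states that measure for IT systems only; the rule text itself governs whether OT systems need it too.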

In the cyber incident response plan noted above, an owner or operator is required to set forth procedures on how to respond to a cyber incident and identify key roles, responsibilities, and decision-makers.

Each owner or operator is required to designate a CySO who must ensure that vessel or facility personnel implement the cybersecurity plan and the cyber incident response plan. The CySO also is responsible for ensuring that the cybersecurity plan remains current, including through annual audits. Additionally, the CySO is charged under the updated regulations with arranging cybersecurity inspections and ensuring that personnel have adequate training.

Finally, the updated regulations require that an owner or operator report to the Coast Guard’s National Response Center any incident that rises to the level of a “reportable cyber incident”—a term specifically defined in the regulations to include any cyber incident that led or reasonably could have led to a substantial loss of confidentiality, integrity, or availability of a covered IT or OT system, disruption in business operations, or other comparable impacts.

Cyber incident reporting requirements began to apply last July 17, cybersecurity training should have been completed last January, and by July 17, 2028, covered owners and operators must have: (1) designated in writing their CySO; (2) conducted their cybersecurity assessment; and (3) submitted their cybersecurity plan to the Coast Guard for approval.

Kudos to the Coast Guard for taking these important steps to help keep our maritime commerce and our marine transportation system safe and secure from 21st century cyber threats.

About the Author

Jeffrey Lewis

Jeffrey Lewis is a member at Cozen O’Connor and has over 30 years of extensive experience representing and advising clients, members of Congress, and federal agencies on a wide range of legislative, regulatory, and policy matters. He previously held senior leadership roles within the U.S. Department of Transportation, the U.S. Department of Homeland Security, and the U.S. Senate Committee on Commerce, Science, and Transportation.

February 2026