On July 22, 2025, the Coast Guard released the Frequently Asked Questions for the Cybersecurity in the MTS final rule, which further addressed industry questions and feedback. This document is invaluable in providing increased granularity on the final rule.
With mandatory requirements including designating a Cybersecurity Officer (CySO), performing annual cyber assessments, developing a cybersecurity plan, and consistently executing that plan, the rule marks a new era in maritime security. It's not just about IT hygiene; it's about safety, protecting commerce, and national security.
The Coast Guard’s rule responds to this growing threat by requiring proactive cybersecurity measures. It reinforces the need for digital risks to be managed with the same discipline as physical ones, pushing maritime stakeholders to integrate cybersecurity into the heart of their operational and risk management strategies. By following this rule, organizations not only protect their operations but also build resilience and credibility with partners, regulators, and insurers.
The rule applies to all entities governed by the Maritime Transportation Security Act (MTSA), including:
U.S.-Flagged Vessels
Outer Continental Shelf (OCS) Facilities
MTSA-Regulated Port Terminals and Facilities
These organizations are required to update their Facility Security Plans (FSPs) with cybersecurity components and demonstrate active implementation. While NVIC 01-20 requires that certain cybersecurity elements be addressed in the FSP, the new Rule provides additional requirements necessitating greater fidelity and, in most cases, will require updates to FSPs. Importantly, non-regulated entities are also encouraged to adopt these standards. As cybersecurity becomes a supply chain issue, organizations that follow NIST and CISA best practices gain a competitive edge, reduce risk exposure, and prepare for future regulatory expansion.
At the core of the Coast Guard’s rule are five required actions:
Annual Cybersecurity Training: Each covered entity must ensure that personnel complete cybersecurity training promulgated in 33 CFR 101.650 by January 12, 2026, and annually thereafter.
Designated Cybersecurity Officer (DCO): Each regulated entity must designate a qualified Cybersecurity Officer (CySO) to oversee cybersecurity efforts. This individual doesn’t need to serve as CySO full-time, but they must understand maritime systems and cyber risk management, and, along with any alternate CySOs, be available “at all times.”
Annual Cybersecurity Assessment: Organizations must assess their technical controls, policies, and procedures annually to uncover vulnerabilities and drive improvement.
Comprehensive Cybersecurity Plan: The plan must detail how cyber threats are identified, prevented, detected, and responded to. It must include risk analysis, response protocols, and recovery steps.
Execution and Continuous Improvement: Cyber plans must be tested, revised, and embedded into daily operations. Training, drills, and responsive updates are critical to maintaining readiness.
The Coast Guard’s rule doesn’t start from scratch. It draws directly from:
NIST Cybersecurity Framework (CSF): A risk-based model for organizing cyber controls
CISA Cybersecurity Performance Goals (CPGs): Practical, outcome-oriented controls suitable across sectors
Aligning with these frameworks ensures that maritime organizations meet federal expectations and position themselves for long-term scalability.
To achieve compliance, MTSA-regulated entities must implement key technical safeguards:
Access Control and MFA: Limit system access through multi-factor authentication and least privilege models.
Continuous Monitoring: Deploy tools to detect unusual activity across IT and OT environments.
Patch Management: Regularly update software and firmware to mitigate known vulnerabilities.
Network Segmentation: Divide systems into secure zones to prevent lateral movement during an incident.
These controls form the backbone of an effective maritime cybersecurity program.
Human error remains a leading cause of cybersecurity failures. That’s why the Coast Guard mandates:
Cybersecurity Training for all relevant personnel
Drills and Exercises to test incident response procedures
Incident Reporting to the National Response Center (NRC) for qualifying events
This cultural shift demands buy-in from the bridge to the boardroom. Coordinating responses with federal, state, and third-party stakeholders ensures incidents are managed effectively and transparently.
While the rule does allow for waivers and equivalency determinations, the Coast Guard has made it clear: these are exceptions, not shortcuts. Approval depends on whether an alternative control offers equal or greater protection than the original requirement.
Successful waiver submissions must include:
A valid justification for the deviation
Thorough documentation of compensating controls
Risk assessments aligned with NIST and CISA guidance
As threats evolve, so will regulations. Industry trends point toward broader oversight of subcontractors, third-party providers, and smaller operators. Meanwhile, insurers and global shippers are beginning to factor cybersecurity posture into underwriting and contract decisions.
Forward-leaning organizations are investing now in:
AI threat detection tools
Satellite communication security
IoT device hardening
MAD Security is a trusted partner to maritime operators across the U.S., providing end-to-end cybersecurity solutions tailored to the industry’s unique operational and compliance demands. As a CMMC Registered Provider Organization (RPO) with deep expertise in NIST 800-171 and MTSA-aligned security frameworks, our team supports everything from initial assessments to managed security services.
Our core maritime cybersecurity services include:
Cybersecurity Gap Assessments
Incident Response and Recovery
We tailor each program to the client’s needs, ensuring full alignment with Coast Guard expectations and CISA guidelines. Whether you're preparing for your first audit or seeking to improve a mature program, MAD Security delivers.
With the U.S. Coast Guard’s final rule on Cybersecurity in the Maritime Transportation System (MTS) now in effect as of July 16, 2025, MTSA-regulated organizations need to act decisively. The cost of inaction includes regulatory penalties, operational downtime, reputational damage, and lost business.
MAD Security offers:
Cyber gap/vulnerability assessments
Virtual Compliance Management
24/7 incident response
SOC-as-a-Service (24/7 eyes on glass)
Penetration Testing and Vulnerability Scanning
Whether you need full program development or support with a specific requirement, we deliver clarity, confidence, and Coast Guard-aligned execution. Let MAD Security help you navigate the cybersecurity frontier with precision and purpose. Schedule your maritime cybersecurity consultation today.
Originally Published: July 29, 2025
By: MAD Security Maritime