Akshat Arora
Senior Risk Assessor
Date
12 February 2025

Introduction

On 17 January 2025, the United States Coast Guard (USCG) released mandatory cybersecurity requirements for US-flagged vessels, Outer Continental Shelf (OCS) facilities, and shore-based maritime facilities. The rule will take effect on 16 July 2025, starting a 24-month period to achieve full compliance with the standards it requires. This article outlines the key provisions of the rule and what members with US-flagged vessels should do to prepare.

Scope and Applicability

The new cybersecurity rule will apply to:

  • US-flagged vessels exceeding 100 GT, passenger vessels certified for more than 150 passengers, offshore supply vessels (OSVs), mobile offshore drilling units (MODUs), towing vessels engaged in hazardous cargo transport, and cruise ships on international voyages. Foreign-flagged vessels are excluded from this rule.
  • Facilities such as container terminals, chemical and petroleum terminals, cruise ship terminals, LNG/LPG terminals, barge fleeting facilities handling dangerous cargo, and other facilities governed by the Maritime Transportation Security Act (MTSA) of 2002.
  • OCS Facilities, including offshore oil and gas production platforms, FPSOs, deepwater ports, offshore wind energy facilities, and offshore loading/unloading terminals.

Key Cybersecurity Requirements

The rule introduces several key requirements, including:

  • Cyber Incident Reporting: From 16 July 2025, members with US-flagged vessels will be required to report cyber incidents to the National Response Center (NRC) immediately upon occurrence.
  • Cybersecurity Training: By 12 January 2026, personnel will be required to complete cybersecurity training, and to repeat it annually thereafter. The training shall include recognition and detection of cybersecurity threats and all types of cyber incidents, techniques used to circumvent cybersecurity measures, and procedures for reporting cyber incidents to the Cyber Security Officer (CySO).
  • Designation of a Cyber Security Officer (CySO): By 16 July 2027, owners and operators of US-flagged vessels are required to appoint a CySO responsible for implementing and maintaining cybersecurity policies.
  • Regular Cybersecurity Assessments: A cybersecurity assessment must be conducted by 16 July 2027 and annually thereafter (or sooner, if there is a change in ownership).
  • Development of a Cybersecurity Plan: Owners and operators of US-flagged vessels will be required to submit a comprehensive cybersecurity plan for USCG’s approval by 16 July 2027. The cybersecurity plan shall include measures for account security (multifactor authentication, strong passwords), device security (restricted software/hardware), data security (encryption, secure logging), and network monitoring.
  • Cybersecurity Drills and Exercises: Owners and operators of US-flagged vessels will be required to conduct at least two cybersecurity drills and at least one cybersecurity exercise each calendar year (with no more than an 18-month interval between the cybersecurity exercises). The results of the penetration tests shall be available to USCG upon request.

Conclusion

Members with US-flagged vessels are recommended to refer to the attached USCG factsheet for further details. There are concerns that the timeline is too short to achieve compliance. As such, the USCG has invited relevant stakeholders to review the final rule at www.regulations.gov (Docket No. USCG-2022-0802) and submit comments by 18 March 2025 on whether the implementation period needs to be delayed. The Club will provide a further update should any major changes be announced.