New mandatory USCG cyber regulations. What you need to know

TL;DR

• US Coast Guard introduces mandatory new Marine Transportation System cybersecurity requirements
• They take effect on July 16, 2025, and training must begin by July 17, 2025
• US flagged large commercial vessels affected
• Cybersecurity Officers (CySO) need to be appointed
• Penetration testing of systems is required
• Two cybersecurity drills needed annual to test readiness.
• Safeguarding is the priority

Requirements include the appointment of a Cybersecurity Officer (CySO) who will be in charge of compliance. The development of a Cybersecurity Plan and an Incident Response Plan and it’s important that all personnel complete cybersecurity training starting on July 17, 2025, to meet the requirements. Organizations must also conduct two cybersecurity drills annually to test their readiness.

Additionally, technical measures must be implemented, including multifactor authentication, secure device and data management, network segmentation, resilience strategies, and supply chain security to mitigate third-party risks.

The rule is performance-based, meaning organizations have flexibility in how they meet compliance standards, but they must demonstrate effectiveness in safeguarding operations.

Further information:

• US Coast Guard Maritime Industry Cybersecurity Resource Center
• US Coast Guard fact sheet

Compliance timeline

The compliance timeline is strict. The rule takes effect on July 16, 2025, and training must begin by July 17, 2025. Cybersecurity plans and assessments must be submitted by July 16, 2027. The USCG is accepting comments until March 18, 2025, on potential deadline extensions for U.S. flagged vessels and US based port facilities. Failure to comply could result in fines, legal action, and operational restrictions.

How can we help you if you’re in the US maritime transport sector?

1. Capability review and technical requirements audit

Our team conducts comprehensive assessments to evaluate your organization’s current cybersecurity posture. This involves reviewing existing policies, procedures, and technical controls to identify gaps and areas for improvement. We align our audits with industry standards and the specific requirements outlined in the new USCG regulations to ensure your systems meet the mandated criteria.

2. On-vessel penetration testing

Understanding the unique complexities of maritime environments requires experience and expertise. Our experts perform thorough penetration testing on vessels to assess the security of critical systems. This includes evaluating navigation systems, communication channels, and operational technologies to identify vulnerabilities that could be exploited by cyber threats. Our goal is to ensure that all critical vessel systems adhere to the technical standards required by the USCG.

3. Shore systems penetration testing

Beyond the vessel, shore-based IT and OT systems are integral to maritime operations. We have conducted rigorous You should look for penetration testers that have worked on these systems many times before. They will help you ensure they are securely configured and resilient against cyber attacks. Assessing network infrastructures, administrative controls, and data management practices will help safeguard against potential breaches.

4. Crew and shore staff security awareness training

Human factors play a crucial role in cybersecurity so training is essential. We have specialized training programs led by former mariners who are also cybersecurity experts. These programs are designed to enhance the security awareness of both crew members and shore-based staff, focusing on good practice and protocols to prevent cyber incidents. Our training ensures that personnel are well-versed in identifying threats and responding effectively, thereby strengthening the overall security posture of your operations.

Practical testing that we also assist with

• Assessing vessel systems for security flaws, including bridge, engine control, and operational networks.
• Testing satellite communications (SATCOM) and VSAT terminals for weak passwords, outdated software, and poor configuration.
• Evaluating network segregation between operational technology (OT) and IT systems to prevent cross-network threats.
• Reviewing ECDIS (Electronic Chart Display and Information Systems) and other navigation systems for security risks, such as GPS spoofing vulnerabilities.
• Testing remote access systems to identify weak authentication mechanisms that could allow unauthorized access to ship networks.
• Providing guidance on supplier security expectations, ensuring shipping companies demand verifiable cybersecurity measures from vendors.
• Conducting penetration tests and attack simulations to assess how an attacker could exploit onboard networks and critical systems.
• Ensuring compliance with IMO (International Maritime Organization) cyber risk management guidelines, as well as industry standards like BIMCO and IACS UR E26/E27.