Essex Junction, VT802-335-2662dkoran@davidkoran.com
DK
David Koran& Associates
Practice Area · Maritime Cybersecurity

Maritime cybersecurity is now a regulated obligation, and the compliance clock runs through July 2027.

The Coast Guard's Cybersecurity in the Marine Transportation System rule, codified at 33 CFR Part 101, Subpart F, took effect on July 16, 2025 and establishes binding cybersecurity requirements for covered maritime entities. I help applicable vessel and facility operators understand cybersecurity across vessels, facilities, shore-side systems, OT, remote access, vendors, physical security, and the operational dependencies that connect them, and I build the assessment, plan, and remediation work on what the operation actually shows onsite.

Subpart F
33 CFR Part 101
Jul 16, 2025
Rule Effective
Jan 12, 2026
Training Deadline, Then Annual
Jul 16, 2027
Cybersecurity Plan Deadline
Who Is Covered

The first question is whether the rule applies to you.

Subpart F applies to owners and operators of U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities that are required to maintain a security plan under 33 CFR parts 104, 105, or 106. In practical terms, coverage follows the existing Maritime Transportation Security Act security plan framework: if the vessel or facility already operates under an approved Vessel Security Plan, Facility Security Plan, or OCS Facility Security Plan, the cybersecurity requirements now attach to it as well. The subpart does not apply to foreign-flagged vessels subject to part 104.

Coverage does not depend on the size of the IT or OT footprint. During the rulemaking, the Coast Guard declined to exclude operators with limited systems, reasoning that even minimal connected systems can expose positional data, personal information, or operational access. A covered operator with a modest environment still conducts a Cybersecurity Assessment and scales its Cybersecurity Plan to what the assessment finds. The rule also provides waiver and equivalence procedures for operators who believe specific requirements are impractical in their environment.

Not every marina, vessel, shipyard, or waterfront business is covered by this rule. Coverage turns on the existing MTSA security plan framework, and establishing where a specific operation stands is the correct first step, taken before any money is spent on compliance work.

For operators near the boundary of coverage, that first step matters in both directions. An operator that assumes it is exempt and is wrong inherits a compressed compliance timeline. An operator that assumes it is covered and is wrong spends money building a regulatory program it does not owe. I support that determination with a structured review of the operation against the applicability provisions, working alongside the operator's legal counsel where the question is close.

A note on roles

David Koran & Associates Inc. is an independent advisory practice. I do not issue Coast Guard approvals, certifications, legal opinions, or regulatory acceptance, and Cybersecurity Plans are reviewed and approved by the Coast Guard, not by consultants. My role is readiness: making sure the assessment, the plan, the evidence, and the operating environment support each other before the operator submits anything or answers to anyone.

The Requirements

What Subpart F obligates a covered operator to do.

The rule establishes minimum cybersecurity requirements organized around a small number of core obligations. The descriptions below are a practitioner summary. The controlling text is the regulation itself, and the Coast Guard has published supporting policy and guidance documents as implementation proceeds.

Plan

Cybersecurity Plan

Each covered owner or operator must develop, maintain, and submit a Cybersecurity Plan for Coast Guard review and approval, documenting how the cybersecurity measures required by the subpart are implemented for the specific vessel or facility.

CySO

Cybersecurity Officer

A Cybersecurity Officer must be designated in writing, by name and title, with defined duties and accessibility to the Coast Guard 24 hours a day, 7 days a week. One person may serve multiple vessels or facilities where the arrangement is workable.

Assessment

Cybersecurity Assessment

A Cybersecurity Assessment identifies the operator's systems, vulnerabilities, and risks, and forms the analytical basis for the Cybersecurity Plan. The assessment must be conducted before the plan deadline and renewed on the required cycle thereafter.

Response

Cyber Incident Response Plan

Operators must maintain a Cyber Incident Response Plan and report reportable cyber incidents to the National Response Center. The reporting obligation has been in effect since the rule's effective date.

Measures

Technical and Organizational Measures

The rule specifies cybersecurity measures addressing areas including account security, device and data security, network segmentation between IT and OT, supply chain and third parties, resilience, and physical security of cyber-relevant systems.

People

Training, Drills, and Exercises

All personnel with access to covered systems must complete cybersecurity training, initially by January 12, 2026 and annually thereafter, with new personnel trained shortly after gaining access. Drills and exercises test the plan in practice, and the program is subject to audit.

The Compliance Timeline

Two deadlines have passed. The third defines the next year.

The rule phases in over two years. As of today, the incident reporting and training obligations are already live for covered operators, and the remaining milestone is the July 16, 2027 deadline for the Cybersecurity Officer designation, the Cybersecurity Assessment, and the Cybersecurity Plan submission. An operator starting now has a workable but finite runway, because the assessment has to precede the plan, and the plan has to describe measures that actually exist.

July 16, 2025 · In Effect

Incident reporting began.

Upon the effective date, covered operators not already reporting under other authority became responsible for reporting reportable cyber incidents to the National Response Center.

January 12, 2026 · In Effect

Personnel training came due.

All personnel were required to complete the cybersecurity training specified in the rule by this date, and the obligation recurs annually. New personnel must be trained within the required window after gaining access to covered systems.

July 16, 2027 · Ahead

CySO, Assessment, and Plan.

By this date, covered owners and operators must designate the Cybersecurity Officer, complete the Cybersecurity Assessment, and submit the Cybersecurity Plan to the Coast Guard for review and approval.

The sequence matters more than the dates. A credible Cybersecurity Plan rests on an honest assessment, and an honest assessment rests on an accurate picture of the vessels, facilities, systems, vendors, and practices in the actual operation. Operators who start with the operating environment, rather than with a plan template, arrive at the deadline with a document they can stand behind.
The Operating Environment

Maritime cybersecurity lives where the water meets the network.

Maritime operations combine business IT, operational technology, physical infrastructure, transient personnel, and vendor dependence in a way few other industries do. A readiness assessment that examines only the office network misses most of what the rule is concerned with. The onsite work covers six areas as one environment.

01 Vessel and facility systems

Navigation, propulsion, cargo, terminal, and monitoring systems alongside the business systems that support them. The inventory question comes first: what connected systems exist, what do they control, and which of them fall within the assessment.

02 Shore-side and OT boundaries

Where operational technology meets the business network, and whether the segmentation the rule expects actually exists in the switch closet rather than only on the diagram. In many operations, the honest answer is discovered onsite.

03 Remote access and connectivity

Vendor maintenance connections, satellite and cellular links, remote monitoring, and the accounts and pathways that reach covered systems from outside. Remote access is consistently where documented practice and daily practice diverge the most.

04 Vendors and third parties

Equipment manufacturers, integrators, communications providers, agents, and service firms whose access, software, and practices become part of the operator's risk. The rule's supply chain expectations make this a documented obligation rather than an informal one.

05 Physical security and personnel

Access to bridges, engine rooms, control rooms, server spaces, and network infrastructure, along with the crew and shore personnel practices that determine who actually touches covered systems. Physical and cyber access are one question in a maritime environment.

06 Documentation and evidence

Whether the assessment, plan, training records, drill records, and incident procedures describe the operation as it runs. The Coast Guard reviews documents, but the documents have to survive comparison with the vessel and the facility behind them.

This is the work I travel to do. Walking the facility, boarding the vessel, and talking with the people who operate the systems produces an assessment the operator can defend, which is worth considerably more than a plan that reads well.
Services

Maritime cybersecurity services.

01

Applicability Review

A structured review of the operation against the coverage provisions of Subpart F and the underlying MTSA security plan framework, so the owner or operator can determine where the operation stands before committing to a compliance program. Conducted alongside legal counsel where the question is close.

02

Cybersecurity Readiness Assessment

An onsite assessment of the vessel, facility, IT and OT systems, remote access, vendors, and physical security against the requirements of the rule. Management receives a clear picture of current state, the gaps that matter, and the evidence available to support each conclusion.

03

Cybersecurity Assessment and Plan Support

Support for the operator's required Cybersecurity Assessment and the development of a Cybersecurity Plan that describes the actual operation rather than a template. The plan is the operator's document, submitted to the Coast Guard by the operator, built on defensible groundwork.

04

Cybersecurity Officer Support

Advisory support for the designated CySO, who in many operations carries the role alongside other duties. The work covers the responsibilities the rule assigns, the records the role must maintain, and the practical judgment calls the position involves.

05

Remediation Planning

A prioritized remediation plan with ownership and sequencing for the gaps the assessment identifies, built around operational reality: sailing schedules, seasons, budgets, and the fact that a working waterfront cannot stop for a security project.

06

Training, Drills, and Program Sustainment

Support for the recurring obligations: annual training aligned to the operation, drills and exercises that test the plan honestly, and periodic review so the program remains accurate between deadlines rather than being rebuilt at each one.

The Engagement

How a maritime engagement proceeds.

The engagement follows the same three phase discipline used across the practice. Scope and duration are set by the number of vessels and facilities involved, the complexity of the IT and OT environment, and where the operator stands against the compliance timeline.

Phase One

Discovery and Scope

Confirm objectives and the operator's coverage posture, review the existing security plans and available documentation, interview leadership and the people responsible for vessels, facilities, IT, and operations, and define the systems and locations the assessment will cover.

OutputAssessment scope and an onsite work plan.
Phase Two

Onsite Assessment

Examine the vessels, facilities, systems, records, vendor arrangements, and daily practices directly. Interview the responsible personnel, test the answers against what the environment shows, and identify the regulatory, technical, and operational gaps that carry consequence.

OutputA supported findings record covering the covered environment.
Phase Three

Roadmap and Sustainment

Deliver executive findings, prioritize remediation with ownership and sequencing, support the assessment and plan work the rule requires, and provide periodic validation so the program stays accurate through the training, drill, and audit cycle.

OutputExecutive findings, a remediation roadmap, and a sustainable program.
Maritime Cybersecurity and the Broader Practice

The regulation sets the floor. Maturity determines whether the program lasts.

Subpart F establishes minimum requirements, and meeting them is the immediate obligation for covered operators. The longer question is whether the resulting program survives its first crew change, vendor turnover, or budget cycle. That is a maturity question, and for maritime organizations that want to answer it deliberately, a C2M2 maturity assessment evaluates whether the capabilities behind the plan are established, governed, and sustainable. The model addresses IT and OT together, which fits the maritime environment well.

Some maritime operators also serve as defense contractors or suppliers, in shipbuilding, repair, logistics, and related work. Where an operation handles covered defense information, the CMMC and NIST SP 800-171 practice addresses those contractual obligations, which run in parallel with the Coast Guard requirements rather than replacing them.

Sources

The controlling regulatory text is 33 CFR Part 101, Subpart F, available from the Electronic Code of Federal Regulations. The final rule, Cybersecurity in the Marine Transportation System, was published in the Federal Register on January 17, 2025. The Coast Guard publishes implementation policy and guidance through its Maritime Commons channel and program offices.

The descriptions on this page are a practitioner summary. For compliance decisions, rely on the current regulatory text and Coast Guard guidance directly, together with legal counsel where appropriate. David Koran & Associates Inc. is an independent advisory practice and is not affiliated with, endorsed by, or acting on behalf of the United States Coast Guard.

Get In Touch

Discuss a Maritime Engagement

A first conversation usually covers the vessels and facilities involved, the operator's coverage posture under the MTSA framework, where the operation stands against the compliance timeline, and what management wants the engagement to accomplish. Call, email, or send a note. I respond personally to every inquiry, usually within one business day.

Travel
I travel to client sites nationally.

Discuss an Assessment

Whether you are working out if the rule applies to your operation, preparing for the July 2027 plan deadline, or looking for an independent assessment of where the program stands, the first conversation carries no commitment and no pitch.

Discuss an Assessment →