Maritime cybersecurity is now a regulated obligation, and the compliance clock runs through July 2027.
The Coast Guard's Cybersecurity in the Marine Transportation System rule, codified at 33 CFR Part 101, Subpart F, took effect on July 16, 2025 and establishes binding cybersecurity requirements for covered maritime entities. I help applicable vessel and facility operators understand cybersecurity across vessels, facilities, shore-side systems, OT, remote access, vendors, physical security, and the operational dependencies that connect them, and I build the assessment, plan, and remediation work on what the operation actually shows onsite.
The first question is whether the rule applies to you.
Subpart F applies to owners and operators of U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities that are required to maintain a security plan under 33 CFR parts 104, 105, or 106. In practical terms, coverage follows the existing Maritime Transportation Security Act security plan framework: if the vessel or facility already operates under an approved Vessel Security Plan, Facility Security Plan, or OCS Facility Security Plan, the cybersecurity requirements now attach to it as well. The subpart does not apply to foreign-flagged vessels subject to part 104.
Coverage does not depend on the size of the IT or OT footprint. During the rulemaking, the Coast Guard declined to exclude operators with limited systems, reasoning that even minimal connected systems can expose positional data, personal information, or operational access. A covered operator with a modest environment still conducts a Cybersecurity Assessment and scales its Cybersecurity Plan to what the assessment finds. The rule also provides waiver and equivalence procedures for operators who believe specific requirements are impractical in their environment.
Not every marina, vessel, shipyard, or waterfront business is covered by this rule. Coverage turns on the existing MTSA security plan framework, and establishing where a specific operation stands is the correct first step, taken before any money is spent on compliance work.
For operators near the boundary of coverage, that first step matters in both directions. An operator that assumes it is exempt and is wrong inherits a compressed compliance timeline. An operator that assumes it is covered and is wrong spends money building a regulatory program it does not owe. I support that determination with a structured review of the operation against the applicability provisions, working alongside the operator's legal counsel where the question is close.
David Koran & Associates Inc. is an independent advisory practice. I do not issue Coast Guard approvals, certifications, legal opinions, or regulatory acceptance, and Cybersecurity Plans are reviewed and approved by the Coast Guard, not by consultants. My role is readiness: making sure the assessment, the plan, the evidence, and the operating environment support each other before the operator submits anything or answers to anyone.
What Subpart F obligates a covered operator to do.
The rule establishes minimum cybersecurity requirements organized around a small number of core obligations. The descriptions below are a practitioner summary. The controlling text is the regulation itself, and the Coast Guard has published supporting policy and guidance documents as implementation proceeds.
Cybersecurity Plan
Each covered owner or operator must develop, maintain, and submit a Cybersecurity Plan for Coast Guard review and approval, documenting how the cybersecurity measures required by the subpart are implemented for the specific vessel or facility.
Cybersecurity Officer
A Cybersecurity Officer must be designated in writing, by name and title, with defined duties and accessibility to the Coast Guard 24 hours a day, 7 days a week. One person may serve multiple vessels or facilities where the arrangement is workable.
Cybersecurity Assessment
A Cybersecurity Assessment identifies the operator's systems, vulnerabilities, and risks, and forms the analytical basis for the Cybersecurity Plan. The assessment must be conducted before the plan deadline and renewed on the required cycle thereafter.
Cyber Incident Response Plan
Operators must maintain a Cyber Incident Response Plan and report reportable cyber incidents to the National Response Center. The reporting obligation has been in effect since the rule's effective date.
Technical and Organizational Measures
The rule specifies cybersecurity measures addressing areas including account security, device and data security, network segmentation between IT and OT, supply chain and third parties, resilience, and physical security of cyber-relevant systems.
Training, Drills, and Exercises
All personnel with access to covered systems must complete cybersecurity training, initially by January 12, 2026 and annually thereafter, with new personnel trained shortly after gaining access. Drills and exercises test the plan in practice, and the program is subject to audit.
Two deadlines have passed. The third defines the next year.
The rule phases in over two years. As of today, the incident reporting and training obligations are already live for covered operators, and the remaining milestone is the July 16, 2027 deadline for the Cybersecurity Officer designation, the Cybersecurity Assessment, and the Cybersecurity Plan submission. An operator starting now has a workable but finite runway, because the assessment has to precede the plan, and the plan has to describe measures that actually exist.
Incident reporting began.
Upon the effective date, covered operators not already reporting under other authority became responsible for reporting reportable cyber incidents to the National Response Center.
Personnel training came due.
All personnel were required to complete the cybersecurity training specified in the rule by this date, and the obligation recurs annually. New personnel must be trained within the required window after gaining access to covered systems.
CySO, Assessment, and Plan.
By this date, covered owners and operators must designate the Cybersecurity Officer, complete the Cybersecurity Assessment, and submit the Cybersecurity Plan to the Coast Guard for review and approval.
Maritime cybersecurity lives where the water meets the network.
Maritime operations combine business IT, operational technology, physical infrastructure, transient personnel, and vendor dependence in a way few other industries do. A readiness assessment that examines only the office network misses most of what the rule is concerned with. The onsite work covers six areas as one environment.
01 Vessel and facility systems
Navigation, propulsion, cargo, terminal, and monitoring systems alongside the business systems that support them. The inventory question comes first: what connected systems exist, what do they control, and which of them fall within the assessment.
02 Shore-side and OT boundaries
Where operational technology meets the business network, and whether the segmentation the rule expects actually exists in the switch closet rather than only on the diagram. In many operations, the honest answer is discovered onsite.
03 Remote access and connectivity
Vendor maintenance connections, satellite and cellular links, remote monitoring, and the accounts and pathways that reach covered systems from outside. Remote access is consistently where documented practice and daily practice diverge the most.
04 Vendors and third parties
Equipment manufacturers, integrators, communications providers, agents, and service firms whose access, software, and practices become part of the operator's risk. The rule's supply chain expectations make this a documented obligation rather than an informal one.
05 Physical security and personnel
Access to bridges, engine rooms, control rooms, server spaces, and network infrastructure, along with the crew and shore personnel practices that determine who actually touches covered systems. Physical and cyber access are one question in a maritime environment.
06 Documentation and evidence
Whether the assessment, plan, training records, drill records, and incident procedures describe the operation as it runs. The Coast Guard reviews documents, but the documents have to survive comparison with the vessel and the facility behind them.
Maritime cybersecurity services.
Applicability Review
A structured review of the operation against the coverage provisions of Subpart F and the underlying MTSA security plan framework, so the owner or operator can determine where the operation stands before committing to a compliance program. Conducted alongside legal counsel where the question is close.
Cybersecurity Readiness Assessment
An onsite assessment of the vessel, facility, IT and OT systems, remote access, vendors, and physical security against the requirements of the rule. Management receives a clear picture of current state, the gaps that matter, and the evidence available to support each conclusion.
Cybersecurity Assessment and Plan Support
Support for the operator's required Cybersecurity Assessment and the development of a Cybersecurity Plan that describes the actual operation rather than a template. The plan is the operator's document, submitted to the Coast Guard by the operator, built on defensible groundwork.
Cybersecurity Officer Support
Advisory support for the designated CySO, who in many operations carries the role alongside other duties. The work covers the responsibilities the rule assigns, the records the role must maintain, and the practical judgment calls the position involves.
Remediation Planning
A prioritized remediation plan with ownership and sequencing for the gaps the assessment identifies, built around operational reality: sailing schedules, seasons, budgets, and the fact that a working waterfront cannot stop for a security project.
Training, Drills, and Program Sustainment
Support for the recurring obligations: annual training aligned to the operation, drills and exercises that test the plan honestly, and periodic review so the program remains accurate between deadlines rather than being rebuilt at each one.
How a maritime engagement proceeds.
The engagement follows the same three phase discipline used across the practice. Scope and duration are set by the number of vessels and facilities involved, the complexity of the IT and OT environment, and where the operator stands against the compliance timeline.
Discovery and Scope
Confirm objectives and the operator's coverage posture, review the existing security plans and available documentation, interview leadership and the people responsible for vessels, facilities, IT, and operations, and define the systems and locations the assessment will cover.
Onsite Assessment
Examine the vessels, facilities, systems, records, vendor arrangements, and daily practices directly. Interview the responsible personnel, test the answers against what the environment shows, and identify the regulatory, technical, and operational gaps that carry consequence.
Roadmap and Sustainment
Deliver executive findings, prioritize remediation with ownership and sequencing, support the assessment and plan work the rule requires, and provide periodic validation so the program stays accurate through the training, drill, and audit cycle.
The regulation sets the floor. Maturity determines whether the program lasts.
Subpart F establishes minimum requirements, and meeting them is the immediate obligation for covered operators. The longer question is whether the resulting program survives its first crew change, vendor turnover, or budget cycle. That is a maturity question, and for maritime organizations that want to answer it deliberately, a C2M2 maturity assessment evaluates whether the capabilities behind the plan are established, governed, and sustainable. The model addresses IT and OT together, which fits the maritime environment well.
Some maritime operators also serve as defense contractors or suppliers, in shipbuilding, repair, logistics, and related work. Where an operation handles covered defense information, the CMMC and NIST SP 800-171 practice addresses those contractual obligations, which run in parallel with the Coast Guard requirements rather than replacing them.
Sources
The controlling regulatory text is 33 CFR Part 101, Subpart F, available from the Electronic Code of Federal Regulations. The final rule, Cybersecurity in the Marine Transportation System, was published in the Federal Register on January 17, 2025. The Coast Guard publishes implementation policy and guidance through its Maritime Commons channel and program offices.
The descriptions on this page are a practitioner summary. For compliance decisions, rely on the current regulatory text and Coast Guard guidance directly, together with legal counsel where appropriate. David Koran & Associates Inc. is an independent advisory practice and is not affiliated with, endorsed by, or acting on behalf of the United States Coast Guard.
Discuss a Maritime Engagement
A first conversation usually covers the vessels and facilities involved, the operator's coverage posture under the MTSA framework, where the operation stands against the compliance timeline, and what management wants the engagement to accomplish. Call, email, or send a note. I respond personally to every inquiry, usually within one business day.
Discuss an Assessment
Whether you are working out if the rule applies to your operation, preparing for the July 2027 plan deadline, or looking for an independent assessment of where the program stands, the first conversation carries no commitment and no pitch.
Discuss an Assessment →