USCG Published New Minimum Cybersecurity Requirements For US-Flagged Vessels

The US Coast Guard has published a final rule setting minimum cybersecurity requirements for U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities to safeguard the Marine Transportation System (MTS). The rule, published in the Federal Register on January 17, 2025 and effective July 16, 2025 (33 CFR part 101, subpart F), is intended to help owners and operators detect cybersecurity risks and respond to and recover from cyber incidents. It requires the development and maintenance of a Cybersecurity Plan, the designation of a Cybersecurity Officer (CySO), and the implementation of specific cybersecurity measures, with compliance deadlines phased in after the effective date.

Here are the main requirements the rule places on owners and operators, shipping companies included:

  • Cybersecurity Plan: Owners or operators of U.S.-flagged vessels, facilities, and OCS facilities must develop and maintain a Cybersecurity Plan that includes:
    • Account Security Measures: These measures include:
      • Enabling automatic account lockout after repeated failed login attempts.
      • Maintaining password requirements.
      • Using multifactor authentication.
      • Applying the principle of least privilege to privileged accounts.
      • Removing or revoking user credentials when a user leaves the organization.
    • Device Security Measures: These measures include:
      • Developing and maintaining a list of approved hardware, firmware, and software that may be installed on IT or OT systems.
      • Ensuring that applications running executable code are disabled by default on critical IT and OT systems.
      • Maintaining an accurate inventory of network-connected systems, including critical IT and OT systems.
      • Developing and documenting the network map and OT device configuration information.
    • Data Security Measures: These measures include:
      • Ensuring that logs are securely captured, stored, and protected and accessible only to privileged users.
      • Deploying effective encryption to maintain confidentiality of sensitive data and integrity of IT and OT traffic when technically feasible.
    • Cybersecurity Training: Providing cybersecurity training to personnel, including:
      • Training on recognizing and detecting cybersecurity threats and cyber incidents, and on the techniques attackers use to circumvent cybersecurity measures.
      • Training on reporting cyber incidents to the CySO.
      • OT-specific cybersecurity training for personnel using OT.
      • Training for key personnel on their roles and responsibilities during a cyber incident.
    • Risk Management: Implementing measures to manage cybersecurity risks, including:
      • Conducting a Cybersecurity Assessment no later than July 16, 2027, and annually thereafter. This assessment includes analyzing networks, validating the Cybersecurity Plan, and documenting recommendations.
      • Completing a penetration test in conjunction with Cybersecurity Plan renewal.
      • Ensuring patching, or implementation of documented compensating controls, for all Known Exploited Vulnerabilities (KEVs, as listed in CISA's Known Exploited Vulnerabilities catalog) in critical IT or OT systems, without delay.
    • Supply Chain Management: Implementing measures to manage cybersecurity risks in the supply chain, including:
      • Considering cybersecurity capabilities when selecting vendors.
      • Establishing a process for vendors to report vulnerabilities or incidents without delay.
      • Monitoring third-party connections.
    • Resilience: Implementing measures for resilience, including:
      • Reporting cyber incidents to the National Response Center (NRC) without delay.
      • Ensuring backups of critical IT and OT systems.
    • Network Segmentation: Implementing segmentation between IT and OT networks and monitoring the connections.
    • Physical Security: Implementing physical security measures to prevent unauthorized access to sensitive areas and equipment.
  • Cybersecurity Officer (CySO): Each owner or operator must designate a CySO responsible for developing, implementing, and maintaining the Cybersecurity Plan. The CySO must also ensure that a Cybersecurity Assessment is conducted annually, arrange for cybersecurity inspections, ensure personnel have adequate cybersecurity training, record and report cybersecurity incidents, and take steps to mitigate them.
  • Cybersecurity Drills and Exercises: Owners and operators are required to perform cybersecurity drills and exercises to test the effectiveness of their plans.
  • Reporting Cyber Incidents: Owners and operators are required to report cyber incidents to the NRC.
  • Record Keeping: Maintaining records of cybersecurity related information, such as training, drills, and incidents.
  • Compliance Documentation: The cybersecurity portion of the plan and penetration test results must be available to the Coast Guard upon request.
  • Waivers and Equivalents: Owners or operators may request a waiver or an equivalence determination for a requirement, using the procedures in § 101.665. The request must explain why the requirement is unnecessary and can only be submitted after a Cybersecurity Assessment has been completed.
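The Risk Management and Device Security items above amount to one recurring check: take the inventory of network-connected systems, cross it with CISA's KEV catalog, and make sure every KEV on a critical IT or OT system shows either a patch or a documented compensating control. The following Python is an added example of that check; it is not code from the page, the USCG, or Cydome. The asset names, the mitigation register, and the abbreviated catalog records are constructed for the example; the catalog field names are those of CISA's JSON feed, and the two CVE IDs are real catalog entries.

```python
"""Reconcile a vessel's asset inventory against a Known Exploited Vulnerabilities
(KEV) catalog snapshot and a mitigation register, and report critical IT/OT
assets whose KEVs have neither a recorded patch nor a documented compensating
control. Added example; not the page's, the USCG's or Cydome's code.
"""
import json
from datetime import date

# Constructed KEV catalog snapshot. The field names match CISA's JSON feed
# (cveID, vendorProject, product, dateAdded, requiredAction); the two CVE IDs are
# real catalog entries, but the records are abbreviated, not copied from the feed.
KEV_SNAPSHOT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
   "dateAdded": "2021-12-10", "requiredAction": "Apply updates per vendor instructions."},
  {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
   "dateAdded": "2024-04-12", "requiredAction": "Apply mitigations per vendor instructions."}
]}
""")

# Constructed inventory of network-connected systems (hypothetical asset names).
INVENTORY = [
    {"asset": "ot-firewall-1", "zone": "OT", "critical": True,
     "software": [("Palo Alto Networks", "PAN-OS")]},
    {"asset": "voyage-planner", "zone": "IT", "critical": True,
     "software": [("Apache", "Log4j2"), ("Oracle", "Java SE")]},
    {"asset": "crew-wifi-portal", "zone": "IT", "critical": False,
     "software": [("Apache", "Log4j2")]},
    {"asset": "engine-monitor", "zone": "OT", "critical": True,
     "software": [("Example OT Vendor", "Engine HMI")]},
]

# Constructed mitigation register: (asset, cveID) -> what was done and the evidence.
# Only a patch or a documented compensating control, with evidence, counts as handled.
MITIGATIONS = {
    ("ot-firewall-1", "CVE-2024-3400"): {"status": "patched", "evidence": "CHG-1042"},
}
HANDLED_STATUSES = {"patched", "compensating_control"}


def norm_key(vendor, product):
    """Normalise vendor/product strings so inventory spelling differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def kev_index(snapshot):
    """Group catalog entries by normalised (vendor, product) for direct lookups."""
    index = {}
    for entry in snapshot["vulnerabilities"]:
        index.setdefault(norm_key(entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def is_mitigated(record):
    """A register entry closes a KEV only if it is a patch or a compensating
    control AND it points at evidence (ticket, change record, test report)."""
    return (record is not None
            and record.get("status") in HANDLED_STATUSES
            and bool(record.get("evidence")))


def kev_exposure(inventory, snapshot, mitigations, as_of):
    """Return (findings, informational).

    findings: critical assets matching a KEV product with no patch or documented
              compensating control on record.
    informational: the same matches on non-critical assets, which fall outside
              the rule's KEV clause but still belong in the risk register.
    Matching is by vendor/product only, because the KEV feed carries no version
    ranges; the installed version must still be checked against the advisory.
    """
    index = kev_index(snapshot)
    findings, informational = [], []
    for asset in inventory:
        for vendor, product in asset["software"]:
            for entry in index.get(norm_key(vendor, product), []):
                record = {
                    "asset": asset["asset"],
                    "zone": asset["zone"],
                    "cveID": entry["cveID"],
                    "requiredAction": entry["requiredAction"],
                    "days_in_catalog": (as_of - date.fromisoformat(entry["dateAdded"])).days,
                }
                if not asset["critical"]:
                    informational.append(record)
                elif not is_mitigated(mitigations.get((asset["asset"], entry["cveID"]))):
                    findings.append(record)
    return findings, informational


def report(as_of_iso):
    """Run the check as of a given date, print it, and return the two lists."""
    findings, informational = kev_exposure(INVENTORY, KEV_SNAPSHOT, MITIGATIONS,
                                           date.fromisoformat(as_of_iso))
    for f in findings:
        print(f"UNMITIGATED KEV  {f['asset']:<16} {f['zone']}  {f['cveID']}  "
              f"in catalog {f['days_in_catalog']} days  -> {f['requiredAction']}")
    for i in informational:
        print(f"non-critical     {i['asset']:<16} {i['zone']}  {i['cveID']}")
    return findings, informational


if __name__ == "__main__":
    report("2025-07-16")
```

Run as a script, it flags the critical voyage planner still carrying Log4j2 with nothing in the register, skips the firewall whose PAN-OS KEV has a patch record, and lists the non-critical crew portal separately. Two caveats matter in practice: the KEV feed identifies vulnerable products, not versions, so a vendor/product match is a candidate to confirm against the vendor advisory rather than a proven exposure; and the rule says "without delay" without naming a number of days, so the days_in_catalog column shows age for prioritisation, not a regulatory deadline.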

These regulations establish a baseline regulatory framework for cybersecurity in the maritime domain in response to growing cyber threats against the MTS. The Coast Guard encourages participation and collaboration among stakeholders and maritime entities in addressing cybersecurity risks.

Cydome can help you comply with the new requirements – contact us for a free consultation.
