New USCG Cybersecurity Rule
On January 17, 2025 the United States Coast Guard promulgated a Final Rule with request for comments on “Cybersecurity in the Marine Transportation System.” The effective date for the Final Rule is presently July 16, 2025 and assumes the incoming administration does not suspend or cancel the rulemaking.
The new Rule imposes a number of requirements on vessel owner and operators which includes the following:
Training requirements that must be implemented within 6 months after the effective date of the rule (§ 101.650(d));
Designation, in writing, of a company Cyber Security Officer (CySO) within 24 months of the effective date (§ 101.620(b)(3) and (c)(1));
A Cybersecurity Assessment within 24 months of the effective date and annually thereafter (or sooner than annually if there is a change in ownership) (§ 101.650(e)(1)); and
Submission of a Cybersecurity Plan to the Coast Guard for approval within 24 months after the effective date (§ 101.655).
The new Rule reflects a number of changes from the NPRM, including:
1. The draft requirement that “major amendments” to the Cybersecurity Plan be submitted to the Coast Guard has been amended to a requirement to submit “proposed amendments to cybersecurity measures included in the Plan.”
2. While the Rule still requires amendments be sent 30 days in advance, it now includes a provision that nothing limits owner or operator from timely implementation of additional security measures as necessary to address exigent circumstances.
3. The cybersecurity drill requirement has been amended to require 2 drills per 12 months, instead of 1 per quarter.
4. The time period for conducting a cyber assessment has been extended from 23 months to 24 months.
The request for comments is specifically in connection with a potential 2 to 5 year delay for the implementation of new requirements on U.S. flag vessels, specifically the ones noted above with a deadline for comments of March 18, 2025.
The new Rule can be found HERE.