Page 12: of Maritime Reporter Magazine (August 2025)


USCG Cyber Compliance

FROM RISK TO READINESS: 5 Essentials for U.S. Coast Guard Cyber Compliance

Vessel operators must embed cybersecurity into their operational procedures to meet USCG 33 CFR Part 104, writes Nicolas Furgé, President, Cyber, Marlink.

U.S. Coast Guard photo

As cyber threats continue to grow in both scale and complexity, maritime stakeholders, from shipowners and operators to port facilities are facing new regulatory demands to improve cyber resilience.

The latest cybersecurity rules from the United States Coast Guard (USCG), amending parts 101, 104, 105 and 106 of 33 CFR Sub-chapter F, represent a major shift in how cybersecurity is addressed by U.S.-flagged vessels and U.S. maritime facilities regulated under the Maritime Transportation Security Act (MTSA), including ports and facilities on the Outer Continental Shelf.

These rules, effective from May 22, 2025, with full implementation by 22 May 2027, are not just about technology, they require operational and procedural changes to how maritime cyber risk is managed. Vessel owners and operators will need to go beyond basic IT/OT controls and adopt a structured approach to managing cyber risk within their broader vessel security programs.

Marlink has identified five essential steps to achieving compliance with the USCG regulations that vessel operators need to consider. Each step calls for specific actions needed for compliance and how to prepare for the implementation of the rules and how to maintain compliance.

A Phased Approach

To meet these requirements, vessel operators must take a step-by-step approach that includes assessment, planning, implementation, and ongoing monitoring. Marlink supports a phased strategy designed to make this process manageable and effective.

The first phase calls for a cybersecurity gap assessment, comprising a detailed review of a vessel’s IT and OT environments, procedures, and current controls to identify regulatory gaps and technical weaknesses. The results are used to create a compliance roadmap that can be applied fleet wide.

Next, owners must develop a Cybersecurity Plan (CSP), documenting cybersecurity policies, access controls and response plans. Ongoing reviews and updates will be critical to maintaining compliance and adapting to emerging threats.

After completing phases one and two, operators must implement vulnerability scanning, periodic testing of cyber measures (which may include vulnerability scans or penetration tests), crew training and cyber drills tailored to each vessel.

While the regulation does not directly affect suppliers, it may indirectly impact them by requiring MTSA-regulated vessels and facilities to assess and manage cybersecurity risks associated with third-party vendors and service providers in their CSP.

Five Focus Areas

The compliance journey starts with identifying what’s at risk. A risk assessment helps determine which onboard systems are most critical, what threats are most likely (like phishing or ransomware), and how an incident could impact operations.

The updated USCG rules require cyber risk to be addressed in the Vessel Security Plan. This includes documenting how risks are mitigated, how access is controlled, and how the crew is expected to respond to cyber events.

Operators must be ready to identify and report cyber events that may qualify as a Transportation Security Incident (TSI), a cyber incident that significantly disrupts vessel operations, safety, or the environment. These incidents must be reported immediately to the National Response Center.

The VSP should clearly define what constitutes a reportable event, how reporting will be handled, and who is responsible. Operators must have a documented incident response plan outlining the steps to contain, investigate, and recover from cyber events, including co-ordination across vessels and shore-based teams.

Each vessel or fleet must assign a Cybersecurity Officer responsible for managing cyber risks and ensuring ongoing compliance. This includes overseeing vulnerability assessments, managing incident response procedures, and ensuring that training and cyber drills are regularly conducted. The CySO must have the authority, training, and resources to effectively lead cybersecurity efforts.

Operators must implement technical and procedural controls to control access to critical onboard systems. This includes role-based access, authentication policies and the seg-


Maritime Reporter

First published in 1881 Maritime Reporter is the world's largest audited circulation publication serving the global maritime industry.