Coast Guard Issues Cyber Rule for Maritime Transport Safety - Dark Reading

Threat IntelligenceCybersecurity OperationsCyber RiskCyberattacks & Data BreachesNewsCoast Guard Issues Cybersecurity Rule for Maritime Transport SafetyThe cybersecurity requirements follow an extended timeline over the next two years, and are meant to secure US shipping ports from disruption by malicious actors.Kristina Beek,Associate Editor,Dark ReadingJuly 22, 20252 Min ReadSource: Stocktrek Images, Inc. via Alamy Stock PhotoNEWS BRIEFThe Coast Guard has announced that the rule known as Cybersecurity in Marine Transportation System (MTS) has gone into full effect for all US-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to Maritime Transportation Security Act of 2002 (MTSA). After designating cybersecurity vulnerabilities as a potential threat to the safety and security of US ports, the Coast Guard is implementing the rule to help address risks from the "increased interconnectivity and digitalization of the MTS"; it aims to mitigate against current and emerging threats, as well as help detect, respond to, and recover from cybersecurity attacks. There are several requirements to be met in the final rule that include developing and maintaining a cybersecurity plan, designating cybersecurity officers, and taking measures to maintain cybersecurity in the MTS. The cybersecurity plan also specifically includes seven account security measures that owners or operators of a US flagged vessel, facility, or OCS facility are required to follow:Enabling of automatic account lockout after repeated failed log in attempts on all password protected IT systemsChanging default passwords before using any IT or operational technology (OT) systemsMaintaining a minimum password strength on all IT and OT systems technically capable of password protectionImplementing multifactor authentication on password-protected IT and remotely accessible OT systemsApplying the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systemsMaintaining separate user credentials on critical IT and OT systemsRemoving or revoking user credentials when a user leaves the organizationThe implementation began on July 16, where all reportable cyber incidents must now be reported to the National Response Center. By Jan. 12, 2026, and every year after, all personnel must complete the training specified in 33 Code of Federal Regulations (CFR) 101.650. And by July 16, 2027, "owners and operators must designate the cybersecurity officer, conduct the cybersecurity assessment, and submit the cybersecurity plan for approval," according to an announcement from the US Coast Guard this week."Recognizing the escalating cyber threat from adversarial actors targeting the US Marine Transportation System, the US Coast Guard, leveraging the post-9/11 alignment of domestic MTSA authorities with international [maritime partners], will intensify Port State Control (PSC) scrutiny on indicators of poor cybersecurity practices, specifically those impacting International Safety Management (ISM) Code compliance on foreign-flagged vessels," according to the US Coast Guard.Read more about:News BriefsAbout the AuthorKristina BeekAssociate Editor, Dark ReadingKristina Beek is an associate editor at Dark Reading, where she covers a wide range of cybersecurity topics and spearheads video-related content. She is the creator and host of the Heard It From a CISO video series, where she interviews CISOs, directors, and other industry strategists to provide insights into the ever-evolving cybersecurity landscape. In addition to her editorial work, Kristina manages Dark Reading's social media channels and contributes to the platform's video coverage.Kristina graduated from North Carolina State University in 2021 with a degree in Political Science, concentrating in law and justice, and a minor in English. During her time at NC State, she honed her writing skills by contributing opinion pieces to the university's newspaper. After graduation, she began her career as a content editor before joining Dark Reading.Currently based in Washington, DC, you can find Kristina reading, taking walks in Georgetown, and wandering the museums surrounding the National Mall.See more from Kristina BeekMore InsightsIndustry ReportsFrost Radar™: Non-human Identity Solutions2026 CISO AI Risk ReportCybersecurity Forecast 2026The ROI of AI in SecurityThreatLabz 2025 Ransomware ReportAccess More ResearchWebinarsBuilding a Robust SOC in a Post-AI WorldRetail Security: Protecting Customer Data and Payment SystemsRethinking SSE: When Unified SASE Delivers the Flexibility Enterprises NeedSecuring Remote and Hybrid Work Forecast: Beyond the VPNAI-Powered Threat Detection: Beyond Traditional Security ModelsMore WebinarsEditor's ChoiceCybersecurity OperationsWhy Stryker's Outage Is a Disaster Recovery Wake-Up CallWhy Stryker's Outage Is a Disaster Recovery Wake-Up CallbyJai VijayanMar 12, 20265 Min ReadWant more Dark Reading stories in your Google search results?2026 Security Trends & OutlooksThreat IntelligenceCybersecurity Predictions for 2026: Navigating the Future of Digital ThreatsJan 2, 2026Cyber RiskNavigating Privacy and Cybersecurity Laws in 2026 Will Prove DifficultJan 12, 2026|7 Min ReadEndpoint SecurityCISOs Face a Tighter Insurance Market in 2026Jan 5, 2026|7 Min ReadThreat Intelligence2026: The Year Agentic AI Becomes the Attack-Surface Poster ChildJan 30, 2026|8 Min ReadDownload the CollectionKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeWebinarsBuilding a Robust SOC in a Post-AI WorldThurs, March 19, 2026 at 1pm ESTRetail Security: Protecting Customer Data and Payment SystemsThurs, April 2, 2026 at 1pm ESTRethinking SSE: When Unified SASE Delivers the Flexibility Enterprises NeedWed, April 1, 2026 at 1pm ESTSecuring Remote and Hybrid Work Forecast: Beyond the VPNTues, March 10, 2026 at 1pm ESTAI-Powered Threat Detection: Beyond Traditional Security ModelsWed, March 25, 2026 at 1pm ESTMore WebinarsWhite PapersAutonomous Pentesting at Machine Speed, Without False PositivesFixing Organizations' Identity Security PostureBest practices for incident response planningIndustry Report: AI, SOC, and Modernizing CybersecurityThe Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks.Explore More White PapersGISEC GLOBAL 2026GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills.📌 Book Your Space