US Coast Guard mandates cybersecurity training for personnel with IT, OT access by January 2026 - Industrial Cyber
DECEMBER 02, 2025
The U.S. Coast Guard issued a policy letter outlining new cybersecurity training requirements for personnel with access to IT or OT (operational technology) systems. Aligned with recent regulations, the policy is part of broader efforts to enhance cybersecurity within the Marine Transportation System. It also mandates that personnel on U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities subject to the Maritime Transportation Security Act (MTSA) of 2002 complete the required cybersecurity training by Jan. 12, 2026.
In an update last week, the USCG detailed an October Policy Letter that announced the publication of Navigation and Vessel Inspection Circular (NVIC) 02-24, CH 1, Reporting Breaches of Security, Suspicious Activity, Transportation Security Incidents, and Cyber Incidents. The circular includes updated guidance on reporting cyber incidents.
The key updates include the incorporation of reportable cyber incident reporting requirements, alignment of cyber incident and reportable cyber incident reporting criteria, and harmonization of cyber incident reporting. Additionally, the FBI now accepts NRC reports as meeting federal notification requirements. This update reflects the Coast Guard’s ongoing efforts to enhance maritime cybersecurity policy and ensure consistent, efficient communication in light of evolving threats. Maritime industry professionals should review the updated NVIC closely to ensure full compliance with these revised requirements.
All personnel with access to IT or OT systems are required to comply with the relevant guidelines. When owners or operators designate a Cybersecurity Officer (CySO), they must ensure the CySO has the necessary expertise and that any training provided aligns with these specified requirements. During the interim period before a Cybersecurity Plan (CSP) is approved, when a CySO may not yet be assigned, training on relevant provisions may be deferred until the CSP is approved and a CySO is designated, but no later than July 16, 2027.
The individual, group, or third-party entity responsible for implementing, developing, or approving the training must meet or exceed the knowledge standards for a CySO as outlined. Additionally, the requirement for training on procedures for reporting a cyber incident to the CySO may be adjusted to reflect the current cyber incident reporting procedures under the Facility Security Plan (FSP), Vessel Security Plan (VSP), or Outer Continental Shelf Facility Security Plan (OCS FSP). Once the CySO is designated and the CSP is approved, the CySO must review the existing training to ensure it is appropriately tailored to the entity’s operations, considering the specific IT and OT systems and equipment to which personnel have access at their respective vessel, facility, or OCS facility.
Personnel who cannot receive cybersecurity training may access IT and/or OT systems only if they are physically accompanied or monitored by trained personnel. The arrangement is designed to mitigate risk by limiting untrained users’ access to only what is necessary and ensuring their actions are closely observed. Examples of untrained personnel in this category include, but are not limited to, short-term technicians, stevedores, longshoremen, maintenance support staff, and other individuals with temporary or infrequent access as defined in Section 7(a).
The owner/operator may also permit remote access for untrained personnel under operational necessity or exigent circumstances. If physical accompaniment is not feasible, remote access may be allowed using remote ‘escorting,’ where trained personnel or automated systems monitor the session. Such access must adhere to the principle of least privilege, with additional controls to safeguard system and network integrity. The owner/operator should ensure that personnel responsible for managing these remote sessions possess the necessary knowledge to recognize potential security threats and the authority to terminate access immediately if required.
Remote ‘escorting’ measures may include, but are not limited to, periodic reviews of access logs during the session; session recording; automated systems that provide real-time security monitoring and notification to detect unauthorized activity by untrained personnel (if chosen, should include session recording); and/or remote control/shadowing by personnel who are trained.
The USCG outlined that remote access to OT by untrained personnel must include remote control/shadowing by a trained application system engineer/owner. Considering the examples above, operational conditions, and cybersecurity risks, owners/operators are expected to document the processes or procedures for physical accompaniment or monitoring of untrained personnel as well as the processes, procedures, and/or automated systems utilized for remote ‘escorting’ of untrained personnel.
The policy letter called upon owners/operators to maintain training records and documentation, which the Coast Guard will use to verify that the cybersecurity training meets the basic requirements. Records documenting training may be kept in hard copy and/or electronic format, including in a Learning Management System, and include the date of each session, duration of session, a description or outline of the training demonstrating how personnel are trained in the topics provided, and a list of attendees.
It also detailed that a plan amendment is not required if cybersecurity training is documented as additional security training under the existing FSP/VSP/OCS FSP. In addition to documenting the minimum training data listed above, documented information must cover how key personnel are defined; how training is delivered, which may utilize a combination of delivery options; details on the processes or procedures for physical accompaniment or monitoring of untrained personnel, as well as the processes, procedures, and/or automated systems utilized for remote ‘escorting’ of untrained personnel; and contractor training records, if applicable.
Until the CSP is approved, the information above can either be included as a section under existing rules or kept as a standalone document.
The policy letter mentioned that key personnel with access to the IT or remotely accessible OT systems, including contractors, whether part-time, full-time, temporary, or permanent, must also have cybersecurity training to understand their roles and responsibilities during a cyber incident and response procedure. This may be accomplished by referencing the role types, responsibilities, and resources that may be required to respond to a cyber incident, and then referring or directing key personnel to consult existing cybersecurity response or remediation plans for more detailed response information.
They must also maintain current knowledge of changing cybersecurity threats and countermeasures. This may be accomplished by referencing reliable sources that key personnel may use to stay apprised of the changing cybersecurity landscape, such as information pages from the CISA (Cybersecurity and Infrastructure Security Agency), sector-specific Information Sharing and Analysis Center (ISAC), or other third-party sources.
The USCG mentioned that training approved by the owner/operator or CySO may incorporate a range of delivery approaches, or a combination of approaches, including, but not limited to, virtual, in-person, or self-paced instruction. The owner/operator should determine the training provider, with options including in-house employees, contractors, or third-party entities. The training requirements are performance-based, and the Coast Guard does not endorse specific training programs or content. The owner/operator is responsible for selecting training that satisfies their operational needs and meets regulatory requirements. If the owner/operator utilizes existing cybersecurity training materials, then the owner/operator should be able to demonstrate how existing training module(s) or content address each regulatory topic.
Before authorizing IT and OT system access for a contractor or third-party employee at the vessel, facility, or OCS facility, the owner/operator should train the contractor using the owner’s/operator’s training, monitor or accompany the contractor, or evaluate the third-party entity’s existing cybersecurity training program for regulatory compliance and specific alignment.
Based on this evaluation, the owner/operator may deem the training adequate to mitigate human factor cybersecurity risks associated with the use of their systems and meet compliance. If the owner/operator accepts the third-party entity’s training program, the owner/operator should maintain a record of this decision and keep it with the VSP/FSP/OCS FSP until the CSP is approved. This record should include the date of evaluation, scope of the review, consideration of regulatory requirements, and the rationale for acceptance. Training records for each impacted third-party employee should also be maintained. All records should be available for Coast Guard inspection upon request.
Additionally, if this option is chosen, the owner/operator must review the third-party training program for currency of information and compliance at least annually and produce or access contractor training records for Coast Guard inspection upon request.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.