
A new Coast Guard rule puts cybersecurity front and center for maritime operators - Federal News Network

Federal News Network Archived Mar 30, 2026 ✓ Full text saved



Terry Gerton, August 25, 2025, 10:13 am

Guest: Erik Dullea and Benjamin Nashed
Title: Partner and Attorney, Husch Blackwell LLP

Summary: Cybersecurity is no longer optional for the maritime industry. Under a new Coast Guard rule, vessel and facility operators must report cyber incidents, designate a Cybersecurity Officer and train staff to recognize and respond to threats. The regulation introduces new reporting channels and timelines that could create confusion for operators already navigating overlapping federal requirements.

Interview transcript:

Terry Gerton: Benjamin, I want to start with you and with the basics. What is this new maritime cybersecurity rule from the Coast Guard, and what do agencies need to know about it?

Benjamin Nashed: Sure, so this rule was published back in January of 2025, actually, and it’s kind of a game-changer for U.S.-flagged vessels, outer continental shelf facilities and pretty much everyone regulated under the Maritime Transportation Security Act. And the way it sort of works is, there’s three phases to it. It’s going to happen over the next three years. It begins with sort of a reporting phase, a training phase, and then a planning phase.

So, first up, starting on July 16, 2025, all regulated organizations have to report certain cyber incidents to the National Response Center. The National Response Center was not created by this rule. It’s existed since the 1970s, and it acts as the main government hotline for all kinds of environmental and maritime emergencies. So traditionally that has been things like oil spills or chemical leaks or even security threats on the water. But now with these new rules, cybersecurity events have also been added to that list of reportable things. The Coast Guard also defined what they think of as a reportable cyber event, and that’s any event that significantly disrupts, or threatens to disrupt even, the safe or secure operation of a vessel or a facility. So we can think of traditional cybersecurity, things like unauthorized access or malware attacks or denial of service situations, but we’re really also focused on anything that’s going to compromise the navigation of a vessel or its propulsion or cargo handling or security systems in general. So that’s the reporting part of this rule.

The next part is a training part of this rule and that starts in January 2026: January 12, 2026. By then, anyone who can access IT or OT systems needs to finish some type of cybersecurity training. The Coast Guard wants everyone to know the basics of cyber hygiene to be able to spot threats and use safe practices when they’re operating critical systems. And they mean everyone, too. They want temporary hires, contract employees, part-time folks, everyone to take this sort of training. And it’s not just for existing staff. Any new staff that come on have to take this sort of training within their first 30 days. And it doesn’t stop there, either. Going forward, you have to repeat this training every year to stay in compliance.

And then looking even further ahead to the final portion of this rule, by July 16, 2027, there’s a few more big requirements. Every affected organization has to appoint a new cybersecurity officer to carry out a thorough cybersecurity assessment and then send a cybersecurity plan to the Coast Guard for approval. That plan needs to cover how you’re keeping systems secure, how your staff are trained and how you intend to respond to incidents when they come. The Coast Guard has recognized that this might be difficult for some organizations to comply with or to implement, so they have opened a comment window for folks to comment on delaying these. And they even have a provision in there for organizations to apply for waivers. But the first part of this has already gone into effect. And so organizations now need to be reporting to NRC any cybersecurity event that happens.

Terry Gerton: That is a really helpful overview. And just one more piece of that: Which agencies or activities or organizations does this rule cover?

Benjamin Nashed: Sure, so it covers any U.S.-flagged vessel, so any vessel operating in the United States that’s been flagged by the United States. Outer continental shelf facilities, so those are things like oil rigs, things that are outside of the coast, and then the other part are sort of broad spectrum, Maritime Transportation Security Act-covered entities. That includes things like ports, terminals on the ports, facilities next to the port. Sometimes if you’re driving along the highway, you can see the cranes or you see like those big tanker facilities. Those are all included in this rule, too.

Terry Gerton: Thank you. And Erik, let me go to you. How does this rule fit in with the broader cyber infrastructure and environment?

Erik Dullea: Great question, Terry. It’s similar and it is moving in a consistent direction with where the government and the nation have been moving, but it is not as well aligned as perhaps it could have been. So across the critical infrastructure ecosystem, all 16 sectors that the federal government has identified, if we think about those groups that are vital to the U.S. economy, or where damage would have a deleterious, grave and significant effect on the United States. Those sectors, we have seen a desire from the government and either through a carrot and stick methodology, a desire for them to improve their cybersecurity posture.

On the maritime side, there are existing regulations under 33 CFR 16-1, which has really been around since the 1950s, that identified a requirement for maritime covered entities to notify the FBI if there was sabotage, subversive activity, actual or threatened cyber events, and to notify the FBI and then subsequently CISA [(Cybersecurity and Infrastructure Security Agency)] immediately. This rule tweaks or adds sort of a different layer of a reporting requirement to it. And that’s where we see some of the, I wouldn’t call it inconsistency, but perhaps not as aligned or as efficient as the regulated community may have hoped. The covered entities that weren’t under the previous rule that I just mentioned now have a requirement to notify the NRC, as Ben mentioned, without delay.

So you have, from the industry’s perspective, in my opinion, two different rules for two different parts of the industry, to contact a different part of the federal government and under a different time schedule. They’re similar. And there is the advancement of a consistent goal of sharing information, allowing the government to see if there is an incident that might ripple across the industry. But the schedules aren’t the same. If you have people moving from one side of the industry to the other, they now have to figure out who they have to call and when. And for outside parts of the U.S. economy that either would handle insurance for these types of entities or perhaps are doing M&A [(mergers and acquisitions)] deals and due diligence work and trying to figure is this company compliant or not, now you have two different sets of rules and policies to look at. As opposed to saying, everybody that is involved in maritime needs to call so-and-so by this time, show me your playbook that says that. So that’s where I see a bit of the inconsistency, even though this rule is intended to be moving us forward in a good and positive direction.

Terry Gerton: I’m speaking with Erik Dullea, he’s a partner at Husch Blackwell, and Benjamin Nashed, an attorney there as well. Erik, let me follow up with you on that question. For these regulated entities, then, how do they sort through all of these competing requirements? What’s your best advice for firms to make sure they comply with the rules?

Erik Dullea: I would honestly say to take advantage of some of the federal resources that are out there to help the sector that they belong in. So under the Presidential directives, we have sector risk management agencies that are structured and geared to help specific industries within the U.S. So if you talk to CISA, which has cross-sector responsibility, think of them as sort of the music conductor of looking to coordinate the effort. And then within the maritime sector, looking at the Coast Guard to say, how am I supposed to do this? How are you helping small businesses or smaller entities look to comply, making sure that you’ve got a little bit of feedback or that you are with that agency or that you partner with FBI and InfraGard, which is their community watch program for critical infrastructure, to make sure you have a point of contact that you can call with questions, before a crisis or an event kicks in and you’re into the reactive stage.

Terry Gerton: Thanks, that’s helpful. And Benjamin, let me come back to you then. From a legal, maybe an operational standpoint, what are the biggest risks or liabilities for firms if they don’t meet these requirements, or if they meet them on time?

Benjamin Nashed: Sure, so maybe I’ll even step back from that too. I think the last couple of years have really demonstrated that there are vulnerabilities out there, even in the maritime space. I think sometimes when we think of cybersecurity incidents, we think of financial institutions or we think of personal data, but there have been a number of incidents over the last couple of years and they’re only increasing, where malicious actors have hacked into vessel operations or even port operations. And so from a just practical standpoint, compliance with these sorts of things is helpful to the industry itself.

Terry Gerton: And Erik, what about the liabilities for the individual firms who don’t comply or don’t make it on time?

Erik Dullea: That’s a good point, because the final rule doesn’t specifically call out enforcement mechanisms. So what we’re doing is relating it back under the Maritime Transportation Security Act, the MTSA that Ben mentioned earlier. And there the Coast Guard has the power to issue penalties for noncompliance; deny or revoke approvals of a security plan that has previously been in place; you know, a fun one for the regulated community, undergo unannounced inspections; or, through letters of corrective action, direct that covered entity to change its procedures in order to be brought back into compliance.

Terry Gerton is host of the Federal Drive and has been working in or with the federal government for more than 40 years.