Top Five Essentials for U.S. Coast Guard Cyber Compliance
Vessel operators must embed cybersecurity into their operational procedures to meet USCG 33 CFR Part 104, writes Nicolas Furgé, President Cyber, Marlink

As cyber threats continue to grow in both scale and complexity, maritime stakeholders, from shipowners and operators to port facilities, are facing new regulatory demands to improve cyber resilience.
The latest cybersecurity rules from the United States Coast Guard (USCG), amending parts 101, 104, 105 and 106 of 33 CFR Sub-chapter F, represent a major shift in how cybersecurity is addressed by U.S.-flagged vessels and U.S. maritime facilities regulated under the Maritime Transportation Security Act (MTSA), including ports and facilities on the Outer Continental Shelf.
These rules, effective from May 22, 2025 with full implementation by 22 May 2027, are not just about technology; they require operational and procedural changes to how maritime cyber risk is managed. Vessel owners and operators will need to go beyond basic IT/OT controls and adopt a structured approach to managing cyber risk within their broader vessel security programs.
Marlink has identified five essential steps to achieving compliance with the USCG regulations that vessel operators need to consider. Each step calls for specific actions to achieve compliance, to prepare for the implementation of the rules and to maintain compliance.
A Phased Approach
To meet these requirements, vessel operators must take a step-by-step approach that includes assessment, planning, implementation, and ongoing monitoring. Marlink supports a phased strategy designed to make this process manageable and effective.
The first phase calls for a cybersecurity gap assessment, comprising a detailed review of a vessel’s IT and OT environments, procedures, and current controls to identify regulatory gaps and technical weaknesses. The results are used to create a compliance roadmap that can be applied fleet wide.
Next, owners must develop a Cybersecurity Plan (CSP), documenting cybersecurity policies, access controls and response plans. Ongoing reviews and updates will be critical to maintaining compliance and adapting to emerging threats.
After completing phases one and two, operators must implement vulnerability scanning, periodic testing of cyber measures (which may include vulnerability scans or penetration tests), crew training and cyber drills tailored to each vessel.
While the regulation does not directly affect suppliers, it may indirectly impact them by requiring MTSA-regulated vessels and facilities to assess and manage cybersecurity risks associated with third-party vendors and service providers in their CSP.
Five Focus Areas
The compliance journey starts with identifying what’s at risk. A risk assessment helps determine which onboard systems are most critical, what threats are most likely (like phishing or ransomware), and how an incident could impact operations.
The updated USCG rules require cyber risk to be addressed in the Vessel Security Plan (VSP). This includes documenting how risks are mitigated, how access is controlled, and how the crew is expected to respond to cyber events.
Operators must be ready to identify and report cyber events that may qualify as a Transportation Security Incident (TSI), a cyber incident that significantly disrupts vessel operations, safety, or the environment. These incidents must be reported immediately to the National Response Center. The VSP should clearly define what constitutes a reportable event, how reporting will be handled, and who is responsible. Operators must have a documented incident response plan outlining the steps to contain, investigate, and recover from cyber events, including co-ordination across vessels and shore-based teams.
Each vessel or fleet must assign a Cybersecurity Officer (CySO) responsible for managing cyber risks and ensuring ongoing compliance. This includes overseeing vulnerability assessments, managing incident response procedures, and ensuring that training and cyber drills are regularly conducted. The CySO must have the authority, training, and resources to effectively lead cybersecurity efforts.
Operators must implement technical and procedural controls to control access to critical onboard systems. This includes role-based access, authentication policies and the segmentation of IT and OT networks to prevent lateral movement during a cyber event.
Remote access, especially by third-party vendors, must be tightly managed and logged. These access controls must be clearly defined in the VSP and supported by both technical enforcement and crew awareness.
Beyond Compliance
Meeting these new requirements will require investment to perform assessments, documentation and training. However, this must be set against the cost of non-compliance, which spans denial of port entry, regulatory penalties or increased insurance premiums.
Cybersecurity readiness is also becoming a factor in vendor evaluations. Starting early in planning for compliance may help operators gain a competitive edge in an increasingly risk-aware market.
The new USCG cybersecurity regulations position cyber risk as a critical aspect of maritime safety. As part of its enforcement of the Maritime Transportation Security Act (MTSA), the USCG now requires cybersecurity to be addressed in vessel security planning, treating cyber threats with the same priority as physical ones like piracy or terrorism.
While the U.S. Coast Guard's final rule on Maritime Cybersecurity takes effect on July 16, 2025, it’s important to note that the USCG has requested public comments on a potential two-to-five year delay in implementation for U.S.-flagged vessels.
The public comment period closed on March 18, 2025, and any decision to delay would require a separate rulemaking process. As of now, no official delay has been announced, but stakeholders should monitor for updates and proceed with preparations under the assumption that the original compliance dates remain in effect.
While compliance may seem complex, it presents a valuable opportunity to enhance security and demonstrate leadership in a rapidly evolving threat landscape. Starting with a gap assessment and building cybersecurity into the VSP moves operators from compliance toward true readiness.
Despite the provisions of the regulation and the specifics of the VSP, it remains the case that rules tend to reflect minimum achievable baselines rather than a complete solution. Partnering with a cybersecurity solutions provider experienced in protecting critical infrastructure can help prepare operators for compliance.
They can also help the operator move from a reactive posture based on solid defense to a proactive stance that seeks to understand emerging threats, how to reduce them and how to meet USCG requirements.

About the Author: Nicolas Furgé, President, Marlink Cyber.
Nicolas has 30 years of experience in technology-powered businesses, holding successive functions in project management, business unit management and general management in Orange, Alstom and Keolis Groups. He scaled up cybersecurity at Orange Business Services to a Euro150m business. He has served as President, Digital of Marlink Group since 2021 and was appointed President, Marlink Cyber in April 2025.

This article was published on 15.07.25 in Marine Link by Maritime Reporter and Engineering News