New Rulemaking Alert: Updates to 33 CFR Part 101 — General Maritime Security Provisions
The U.S. Coast Guard has issued a new rulemaking impacting 33 CFR Part 101, the foundational section that defines the general provisions under the Maritime Transportation Security Act (MTSA). These changes reflect the evolving nature of maritime threats, particularly those involving cybersecurity, supply chain disruption, and the need for enhanced coordination between industry and federal stakeholders.
Even though we covered 33 CFR Part 101 in the previous part, here is a more detailed breakdown:
Part 101 serves as the cornerstone of the MTSA regulatory framework. It defines:
General maritime security policies
Definitions and responsibilities for key personnel (e.g., COTP, FSO, FMSC)
The MARSEC (Maritime Security) level system
National and Area Maritime Security Planning
Requirements for incident reporting, including Transportation Security Incidents (TSIs)
This section applies broadly to all MTSA-regulated vessels, facilities, and Outer Continental Shelf (OCS) activities. It also serves as the cornerstone of the MTSA regulatory framework. It defines the following:
General maritime security policies
Definitions and responsibilities for key personnel (e.g., COTP, FSO, FMSC)
The MARSEC (Maritime Security) level system
National and Area Maritime Security Planning
Requirements for incident reporting, including Transportation Security Incidents (TSIs)
Note: This section applies broadly to all MTSA-regulated vessels, facilities, and Outer Continental Shelf (OCS) activities.
Why This Matters to Facilities and FSOs?
These rule changes will directly impact how Facility Security Officers (FSOs) and regulated facilities approach:
Cybersecurity planning
Incident reporting
Annual reviews of Facility Security Plans (FSPs)
Participation in port-wide exercises and tabletop scenarios
If your facility is located along a navigable waterway especially in high-traffic zones like the Houston Ship Channel you must stay current with these evolving requirements. And if you dont, then the consequences can be as follows:
Civil Penalties: Fines can range from thousands to hundreds of thousands of dollars per violation, depending on severity.
Operational Restrictions: The Coast Guard (COTP) can impose restrictions or even shut down port operations or vessel movements until compliance is restored.
Criminal Liability: In extreme cases, especially where negligence leads to safety or security incidents, criminal charges may be pursued.
Reputational Damage: Non-compliance can severely damage a company’s reputation with regulators, customers, and partners.
Increased Scrutiny: The facility may be subject to more frequent inspections, audits, and enforcement actions.
Who is utimately responsible?
The primary legal responsibility lies with the Facility Owner and/or Operator.
They must ensure all MTSA security requirements, including those under Part 101, are implemented.
The Facility Security Officer (FSO) manages day-to-day compliance and acts as the liaison with the Coast Guard but does not bear ultimate legal liability.
Owners/operators are accountable for ensuring resources, training, and security measures are adequate and maintained.
Now for the meat on the bone! The actual CFR which is in Subpart F—Cybersecurity and is found in the last part of this article – [All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 4]
33 CFR stands for Title 33 of the Code of Federal Regulations, which governs Navigation and Navigable Waters in the United States. It contains rules and regulations issued primarily by the U.S. Coast Guard and U.S. Army Corps of Engineers (USACE), along with other federal maritime authorities.
As of 2025, Title 33 CFR contains over 200 parts, divided into subchapters based on subject area, see table 2-1.
Subchapter
Range
Description
A
Parts 1–199
U.S. Coast Guard general navigation rules, aids to navigation, bridges, boating safety, marine environmental protection
B
Parts 200–399
U.S. Army Corps of Engineers (USACE) regulations on navigation, locks, dam operations, and permitting
C
Parts 400–499
Saint Lawrence Seaway regulations
E
Parts 500–599
U.S. Coast Guard regulations on Great Lakes Pilotage
Table 2-1: High-level breakdown of the major subchapters and example parts
Parts that Apply for MTSA Facilities:
As my focus is for MTSA Regulated Facilities, out of the various parts, only the following SUBCHAPTER applies, see Table 2-2:
Parts in Subchapter H (MTSA-Related)
Part
Subject
101
General Provisions (security terms, MARSEC levels)
102
National Maritime Transportation Security Incident Response
103
Area Maritime Security Committees (AMSCs)
104
Vessel Security
105
Facility Security
106
Outer Continental Shelf (OCS) Facility Security
Table 2-2: Parts in Subchapter H
More specifically, the following applies to a MTSA regulated facility:
Topic
Reference
Applies To
Authority
Facility Security Plans
33 CFR 105
MTSA-regulated terminals
COTP
Port Authority & Control
33 CFR 160
Ships & Facilities
COTP
Cyber Incident Reporting
NVIC 01-20, 33 CFR 101.305
OT/IT systems
NRC & COTP
AMSC Participation
33 CFR 103
Stakeholders in the port
FMSC
MTSA Requirements
33 CFR 101–106
Maritime sector security
DHS & USCG
Table 2-3: Parts (from the Subchapter H) that applies to MTSA Facilities such as a Chemical Plant.
This article however focuses mainly on the 33 CFR Part 101, which falls under the MTSA Requirements. Hence We will explore this topic. If you need more information on other topics in Table 2-3, refer to the post [Understanding U.S. Coast Guard Maritime Security: What Facilities and Stakeholders Need to Know], also you can view all of 33 CFR online via ecfr.gov (Electronic Code of Federal Regulations), updated regularly by the National Archives and Office of the Federal Register.
Now lets get back to the new rule making , check out the Part 3 of the post [All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 3]
The U.S. Coast Guard (USCG) plays a vital role in ensuring maritime safety, security, and environmental protection along the navigable waters of the United States. For operators of port facilities, terminals, chemical plants along waterways, and vessel owners, compliance with Coast Guard regulations is not optional—it’s a fundamental responsibility. This post provides a practical overview of key U.S. Coast Guard maritime security mandates and how they apply to real-world operations, particularly those regulated under the Maritime Transportation Security Act (MTSA).
Key Regulatory Authority you need to know:
The legal backbone for maritime security in the U.S. is found in Title 33 of the Code of Federal Regulations (33 CFR). Several key parts define the obligations for facilities and vessels:
33 CFR Part 105 – Facility Security This part applies to MTSA-regulated port facilities. It mandates the development of Facility Security Plans (FSPs), the appointment of a Facility Security Officer (FSO), and the execution of security measures aligned with MARSEC levels. Facilities handling chemicals, petroleum, or maritime cargo are typically covered.
33 CFR Part 160 – Port Operations This part outlines the broad authority of the Captain of the Port (COTP), including vessel control, port access, and the ability to create safety or security zones during emergencies or heightened threat conditions.
33 CFR Part 101.305 – Incident Reporting This section details the requirement for reporting Transportation Security Incidents (TSIs)—including cyber-related events (TSI-C)—to the National Response Center (NRC) within 12 hours of occurrence.
33 CFR Part 104 – Vessel Security While Part 104 sets requirements for Vessel Security Plans (VSPs), it applies only to vessels such as tankers, cargo ships, and barges. It does not apply to land-based facilities unless they own or operate MTSA-regulated vessels.
MTSA Requirements You Need to Understand
Passed in the wake of the 9/11 attacks, the Maritime Transportation Security Act of 2002 created the foundation for modern port security regulations. MTSA requires that:
All designated facilities and vessels have security plans (FSPs/VSPs).
Workers in secure areas must hold a valid TWIC (Transportation Worker Identification Credential).
Facilities participate in coordinated Area Maritime Security Committees (AMSCs).
These provisions are enforced by the U.S. Coast Guard and monitored via inspections, audits, and security exercises.
What Is a Facility Security Plan (FSP)?
Each MTSA-regulated facility must maintain a Coast Guard-approved Facility Security Plan. This plan is a detailed, living document that defines how the facility will:
Control access to restricted areas
Monitor and secure the perimeter
Conduct regular training and drills
Respond to security threats and cyber incidents
Another important term you will often hear in meetings is Area Maritime Security Committees (AMSCs),
AMSCs:
These commitees are led by the Federal Maritime Security Coordinator (FMSC) usually the local Sector Commander, AMSCs are forums where industry and government stakeholders collaborate to:
Share threat intelligence
Conduct risk assessments
Develop and maintain Area Maritime Security Plans (AMSPs)
For example, the Houston-Galveston AMSC includes chemical plant operators, terminal managers, law enforcement, and emergency services throughout the Houston Ship Channel region.
A designated Facility Security Officer (FSO) is responsible for maintaining and implementing the FSP and communicating with the local COTP. If you are the new CySO, then you will be coordinating tighly with the FSO. Which means, you may be in the same AMSC meetings etc.
Understanding and adhering to maritime security requirements under the U.S. Coast Guard’s authority is critical for protecting infrastructure, people, and commerce. From FSP development to participating in the local AMSC and reporting TSI-C events, facility operators and stakeholders must be proactive, informed, and collaborative.
Introduction As there are a lot of terms and definitions and some background information that is required to understand the new rule making, I have divided this article into 4 parts.
This article: [ Part 1]
A little dive into CFR- What is a CFR etc: [ Part 2 ]
Introduction to the New Rulemaking 33 CFR Part 101 — General Maritime Security Provisions [ Part 3 ]
The Cybersecurity Plan from Subpart F of the New Rulemaking 33 CFR Part 101 [ Part 4 ]
Cybersecurity for critical infrastructure has become one of the biggest challenges for the nation and in order to protect our national security interests, That’s why agencies like the U.S. Coast Guard now treat cyber incidents as Transportation Security Incidents (TSI-C) and require them to be reported—highlighting the urgent need for strong cyber risk management in maritime and industrial environments. If you are a owner / operator of US Flagged vessels, facilities or Outer Continental Shelf (OCS) facilitiy then these new requirements mandate you to have a security plan under the 33 CFR parts 104, 105 and 106. What is a 33 CFR or more specifically what is a CFR?
CFR
A CFR stands for Code of Federal Regulations. It’s the official compilation of all the rules and regulations issued by federal agencies of the United States government.
CFR 33
CFR Title 33 refers to Title 33 of the Code of Federal Regulations, which governs Navigation and Navigable Waters in the United States.
It includes the rules and regulations issued primarily by the U.S. Coast Guard and other federal agencies responsible for protecting U.S. waters, maritime operations, and port security.
Part 101 – General security regulations (definitions, responsibilities, reporting, etc.)
Part 104 – Vessel security regulations
Part 105 – Facility security regulations (includes chemical, port, and energy infrastructure)
Part 106 – Offshore facility security regulations (e.g., OCS platforms)
These parts were updated in 2025 to include minimum cybersecurity requirements.
In the context of the U.S. Coast Guard’s cybersecurity rule going into effect on July 16, 2025, the CFR contains the final rule that legally mandates what U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and MTSA-regulated terminals must do to comply. This is pivotal and timely as maritime industry faces increasing cybersecurity threats as it increasingly relies on cyber-connected systems. The purpose of this final rule is to safeguard the marine transportation system (MTS) against current and emerging threats.
This new rule adds minimum cybersecurity requirements to 33 CFR part 101 to help detect, respond to, and recover from cybersecurity risks that may cause transportation security incidents (TSIs).
TSI
Transportation security incidents are a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.
So what qualifies as a TSI? This is a great question to ask your security group becuase, an incident that has the potential to cause a TSI or an incident that causes a TSI has to be reported to the National Response Center https://nrc.uscg.mil/
For example, a cyberattack that disables critical systems at a fuel terminal, halting port operations can be considered a TSI.
Could phishing qualify as a Transportation Security Incident (TSI)?, Yes but only if it leads to significant consequences. Phishing on its own (like a user clicking a malicious email) is not automatically a TSI. However, if the phishing attack results in:
Operational shutdown of a regulated facility or port Unauthorized access to OT systems controlling hazardous materials Disruption of cargo operations leading to economic or transportation impacts Release of hazardous chemicals or safety systems being disabled Critical infrastructure services being affecte
.. then it could escalate to a TSI.
To get more context on this new rule for cyber, we need to look at what MTSA facilities have been doing. For years, Facility Security Officers (FSOs) have been on the front lines maintaining Facility Security Plans (FSPs), running drills, managing access controls, and ensuring MTSA compliance for physical security in these facilities.
Now, with the new USCG cybersecurity rule taking effect July 16, 2025, we’re entering a new phase and just like FSPs protect our perimeter, we now need a Cybersecurity Plan (CSP) to protect our networks, control systems, and digital operations.
And just like the FSO owns the FSP, the new rule requires appointing a Cybersecurity Officer (CySO) someone with both authority and technical insight to manage cyber risks, lead response efforts, and coordinate with the FSO when incidents overlap.
So then the next question is, what is CySO? CySO is a person who is designated by the owner or operator to develop , implement and maintain the cybersecurity portions of the Vessel Security Plan (VSP), Facility Security Plan (FSP) or Outer Continental Shelf (OCS) FSP. He/She will act as a liason between the Captain of the Port (COTP) and other security officers, coordinating activities and responses. There can be one CySO, multiple CySOs or an alternate CySO or primary and secondary CySO or you can also call them Main CySo and assistant CySO. The most important thing to note is that you may be able to designate multiple individuals to this role, this way you have a backup and coverage. We will look at the requirements for the CySO role in the later section.
The most important dates for this rule making is as follows. This is very important as it will help you plan your next steps. Also, considering you are an existing MTSA regulated facility, you may already have an established FSP.
what is FSP? A Facility Security Plan (FSP) is a comprehensive, site-specific document required by the Maritime Transportation Security Act (MTSA) and codified in 33 CFR Part 105. It outlines the security measures a maritime facility must implement to prevent, detect, and respond to security threats. Now to maintain this FSP, you have an FSO. The Facility Security Officer (FSO) is responsible for:
Ensuring compliance with 33 CFR Part 105. Developing and maintaining the FSP. Training facility personnel on security roles. Conducting drills and exercises. He/She also serves as the point of contact for the U.S. Coast Guard. CySO is technical under FSO, but has more jurisdiction over the Cyber aspects.
Immediately upon the effective date of July 16, 2025, all reportable cyber incidents must be reported to the National Response Center.
By January 12, 2026, and annually thereafter, all personnel must complete the training specified in 33 CFR 101.650.
By July 16, 2027, owners and operators must designate the Cybersecurity Officer, conduct the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval.
We will explore the requirements in detail in the part: 33 CFR part 101.
