Introduction
As there are a lot of terms and definitions and some background information that is required to understand the new rule making, I have divided this article into 4 parts.
This article:
[ Part 1]
A little dive into CFR- What is a CFR etc:
[ Part 2 ]
Introduction to the New Rulemaking 33 CFR Part 101 — General Maritime Security Provisions
[ Part 3 ]
The Cybersecurity Plan from Subpart F of the New Rulemaking 33 CFR Part 101
[ Part 4 ]
Cybersecurity for critical infrastructure has become one of the biggest challenges for the nation and in order to protect our national security interests, That’s why agencies like the U.S. Coast Guard now treat cyber incidents as Transportation Security Incidents (TSI-C) and require them to be reported—highlighting the urgent need for strong cyber risk management in maritime and industrial environments.
If you are a owner / operator of US Flagged vessels, facilities or Outer Continental Shelf (OCS) facilitiy then these new requirements mandate you to have a security plan under the 33 CFR parts 104, 105 and 106. What is a 33 CFR or more specifically what is a CFR?
CFR
A CFR stands for Code of Federal Regulations. It’s the official compilation of all the rules and regulations issued by federal agencies of the United States government.
CFR 33
CFR Title 33 refers to Title 33 of the Code of Federal Regulations, which governs Navigation and Navigable Waters in the United States.
It includes the rules and regulations issued primarily by the U.S. Coast Guard and other federal agencies responsible for protecting U.S. waters, maritime operations, and port security.
Some key areas include:
⚓ Maritime Transportation Security (MTSA) Regulations
Part 101 – General security regulations (definitions, responsibilities, reporting, etc.)
Part 104 – Vessel security regulations
Part 105 – Facility security regulations (includes chemical, port, and energy infrastructure)
Part 106 – Offshore facility security regulations (e.g., OCS platforms)
These parts were updated in 2025 to include minimum cybersecurity requirements.
In the context of the U.S. Coast Guard’s cybersecurity rule going into effect on July 16, 2025, the CFR contains the final rule that legally mandates what U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and MTSA-regulated terminals must do to comply. This is pivotal and timely as maritime industry faces increasing cybersecurity threats as it increasingly relies on cyber-connected systems. The purpose of this final rule is to safeguard the marine transportation system (MTS) against current and emerging threats.
This new rule adds minimum cybersecurity requirements to 33 CFR part 101 to help detect, respond to, and recover from cybersecurity risks that may cause transportation security incidents (TSIs).
TSI
Transportation security incidents are a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.
So what qualifies as a TSI? This is a great question to ask your security group becuase, an incident that has the potential to cause a TSI or an incident that causes a TSI has to be reported to the National Response Center https://nrc.uscg.mil/
For example, a cyberattack that disables critical systems at a fuel terminal, halting port operations can be considered a TSI.
Could phishing qualify as a Transportation Security Incident (TSI)?, Yes but only if it leads to significant consequences. Phishing on its own (like a user clicking a malicious email) is not automatically a TSI. However, if the phishing attack results in:
Operational shutdown of a regulated facility or port
Unauthorized access to OT systems controlling hazardous materials
Disruption of cargo operations leading to economic or transportation impacts
Release of hazardous chemicals or safety systems being disabled
Critical infrastructure services being affecte
.. then it could escalate to a TSI.
To get more context on this new rule for cyber, we need to look at what MTSA facilities have been doing. For years, Facility Security Officers (FSOs) have been on the front lines maintaining Facility Security Plans (FSPs), running drills, managing access controls, and ensuring MTSA compliance for physical security in these facilities.
Now, with the new USCG cybersecurity rule taking effect July 16, 2025, we’re entering a new phase and just like FSPs protect our perimeter, we now need a Cybersecurity Plan (CSP) to protect our networks, control systems, and digital operations.
And just like the FSO owns the FSP, the new rule requires appointing a Cybersecurity Officer (CySO) someone with both authority and technical insight to manage cyber risks, lead response efforts, and coordinate with the FSO when incidents overlap.
So then the next question is, what is CySO? CySO is a person who is designated by the owner or operator to develop , implement and maintain the cybersecurity portions of the Vessel Security Plan (VSP), Facility Security Plan (FSP) or Outer Continental Shelf (OCS) FSP. He/She will act as a liason between the Captain of the Port (COTP) and other security officers, coordinating activities and responses. There can be one CySO, multiple CySOs or an alternate CySO or primary and secondary CySO or you can also call them Main CySo and assistant CySO. The most important thing to note is that you may be able to designate multiple individuals to this role, this way you have a backup and coverage. We will look at the requirements for the CySO role in the later section.
The most important dates for this rule making is as follows. This is very important as it will help you plan your next steps. Also, considering you are an existing MTSA regulated facility, you may already have an established FSP.
what is FSP?
A Facility Security Plan (FSP) is a comprehensive, site-specific document required by the Maritime Transportation Security Act (MTSA) and codified in 33 CFR Part 105. It outlines the security measures a maritime facility must implement to prevent, detect, and respond to security threats. Now to maintain this FSP, you have an FSO. The Facility Security Officer (FSO) is responsible for:
Ensuring compliance with 33 CFR Part 105. Developing and maintaining the FSP. Training facility personnel on security roles. Conducting drills and exercises. He/She also serves as the point of contact for the U.S. Coast Guard. CySO is technical under FSO, but has more jurisdiction over the Cyber aspects.
The final rule making went live July 16,2025. Let us look at some of the other deadlines that are coming up.
[source: https://www.news.uscg.mil/maritime-commons/Article/4247529/final-rule-cybersecurity-in-the-marine-transportation-system-implementation-tim/)
- Immediately upon the effective date of July 16, 2025, all reportable cyber incidents must be reported to the National Response Center.
- By January 12, 2026, and annually thereafter, all personnel must complete the training specified in 33 CFR 101.650.
- By July 16, 2027, owners and operators must designate the Cybersecurity Officer, conduct the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval.
We will explore the requirements in detail in the part: 33 CFR part 101.