Darkreading.com reported that “The US Coast Guard’s first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline.” The April 17, 2026 article entitled “Coast Guard’s New Cybersecurity Rules Offers Lessons for CISOs” (https://www.darkreading.com/cybersecurity-operations/coast-guards-cybersecurity-rules-lessons-cisos) included these comments:

The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and require that they develop and maintain a cybersecurity plan, designate a cybersecurity officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties.

The regulations resemble the requirements for other industries, such as the National Electric Reliability Council’s Critical Infrastructure Protection (NERC-CIP) plan, which has improved cybersecurity across the power-generation and distribution ecosystem, says Elan Alvey, principal industrial consultant at Dragos, an industrial cybersecurity provider.

“Regulation has helped — it’s not the fix for everything, because threat groups are pretty sneaky,” he says. “But, it gets rid of a lot of the low-hanging fruit that your opportunists, hackers, your ransomware folks, will see and say, ‘Oh, it’s open. Let’s go [attack] it.’”

The cybersecurity regulations come as the maritime transportation industry has suffered some major cyberattacks, including the NotPetya attack that halted shipping by AP Moller-Maersk and global positioning system attacks that caused ships to run aground. International standards already require similar cybersecurity measures for transoceanic shipping and foreign-flagged vessels. Other oil-and-gas producing nations, such as Norway, have made decisive moves to strengthen the cybersecurity of ships and offshore facilities.

In 2025, the US Coast Guard expanded the requirements of the Maritime Transportation Security Act of 2002 to include mandatory reporting of cybersecurity incidents starting in July 2025, followed by cybersecurity training for all IT and OT workers on their roles and responsibilities under the law by January of this year. The rule mirrors how the post-9/11 MTSA reshaped physical port security, signaling that Washington aims to shore up maritime cybersecurity, Dragos’s Alvey stated in an analysis.

The next deadline is in July, when every US-flagged vessel or outer-continental shelf (OCS) facility — think oil rigs — needs to have completed a cybersecurity assessment and have created a cybersecurity plan that enforces segmentation between IT and OT networks.

Good news! First published at https://www.vogelitlaw.com/blog/are-you-ready-for-the-new-cybersecurity-officer-cyso-title