The U.S. Coast Guard has taken a decisive step to bolster cybersecurity across the Marine Transportation System, issuing a policy letter that outlines new training requirements for personnel with access to IT or operational technology (OT) systems. This move aligns with recent regulations and underscores the growing emphasis on safeguarding maritime infrastructure from cyber threats.
By January 12, 2026, personnel on U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities subject to the Maritime Transportation Security Act (MTSA) of 2002 must complete the mandated cybersecurity training. This directive is part of a broader effort to ensure that all personnel are equipped with the knowledge and skills necessary to identify and mitigate cyber risks.
In a recent update, the Coast Guard detailed an October policy letter that announced the publication of Navigation and Vessel Inspection Circular (NVIC) 02-24, CH 1. This circular provides updated guidance on reporting breaches of security, suspicious activity, transportation security incidents, and cyber incidents. The key updates include the incorporation of reportable cyber incident reporting requirements, alignment of cyber incident and reportable cyber incident reporting criteria, and harmonization of cyber incident reporting.
One significant development is that the FBI now accepts National Response Center (NRC) reports as meeting federal notification requirements. This change reflects the Coast Guard’s ongoing efforts to enhance maritime cybersecurity policy and ensure consistent, efficient communication in light of evolving threats.
“The updated NVIC is a critical tool for maritime industry professionals to ensure compliance with the latest cybersecurity requirements,” said a Coast Guard spokesperson. “It provides clear guidelines on reporting cyber incidents and aligns with broader efforts to protect the Marine Transportation System from cyber threats.”
Maritime industry professionals are urged to review the updated NVIC closely to ensure full compliance with these revised requirements. The circular serves as a comprehensive guide for reporting and managing cyber incidents, providing detailed instructions and criteria for what constitutes a reportable cyber incident.
This policy update is a proactive measure to address the increasing sophistication of cyber threats. By mandating cybersecurity training and streamlining the reporting process, the Coast Guard aims to create a more resilient and secure maritime environment. The collaboration with the FBI and the acceptance of NRC reports further strengthen the framework for cyber incident management.
As the maritime industry continues to evolve, so too must its approach to cybersecurity. The Coast Guard’s latest policy letter and the updated NVIC are pivotal steps in this ongoing effort. By ensuring that personnel are well-trained and that reporting procedures are clear and consistent, the Coast Guard is setting a strong foundation for enhanced cybersecurity across the Marine Transportation System.
Industry stakeholders should take note of these developments and take immediate action to comply with the new requirements. The stakes are high, and the need for robust cybersecurity measures has never been more apparent. By working together, the maritime community can effectively mitigate cyber risks and protect critical infrastructure from potential threats.