
The USCG 2025 Cyber Rule Explained: What Every Operator Needs to Know Before July 16

46 CFR 101 Subpart F hits July 16, 2025. Here's what your vessel, facility, and crew need to be compliant — explained in plain English.

Capt J
9 min read

On January 17, 2025, the U.S. Coast Guard published 46 CFR 101 Subpart F — a new cybersecurity rule affecting US-flag MTSA-regulated vessels, facilities, and Outer Continental Shelf installations. The compliance deadline is July 16, 2025.

If you operate a passenger vessel over 100 gross tons, a cargo vessel on international voyages, a Subchapter H or L vessel, or a facility or OCS platform under 33 CFR Part 105 or 106, this rule applies to you.

This post walks through the six things the rule actually requires, who it covers, and how to get compliant in 90 days — in plain English, without the regulatory fog.

What the rule requires: six things

Strip away the 40 pages of preamble and rulemaking history and here's what you actually have to do:

  1. Designate a Cybersecurity Officer — a named individual accountable to the Coast Guard
  2. Maintain a written Cybersecurity Plan with six required elements
  3. Conduct annual cybersecurity assessments and document them
  4. Report cyber incidents within 48 hours to the National Response Center
  5. Provide cybersecurity training to all personnel with vessel or facility access
  6. Implement account management and multi-factor authentication on critical systems

That's it. The rest is detail.

Who does this apply to?

The rule picks up where MTSA leaves off. If your vessel is already subject to MTSA security requirements, you're in scope. Specifically:

  • Passenger vessels over 100 GT carrying more than 12 passengers
  • Cargo vessels over 100 GT on international voyages
  • Subchapter H (passenger) and Subchapter L (offshore supply) vessels already regulated under MTSA
  • Facilities under 33 CFR Part 105 (including bulk cargo terminals, barge fleets, CDC facilities)
  • OCS facilities under 33 CFR Part 106
  • MODUs (mobile offshore drilling units) in U.S. waters

If your vessel is under 100 GT and carries 12 or fewer passengers, you're generally not subject to this rule — though the Coast Guard may apply it to specific vessels through their COI.

Small passenger vessels under Subchapter T or K are generally not in scope unless they also fall under MTSA (e.g., carrying hazardous cargo or certain dangerous cargoes).

The CySO: Your most important hire

The Cybersecurity Officer is the backbone of the whole regulatory scheme. The CySO is accountable for:

  • Overseeing the Cybersecurity Plan
  • Ensuring the annual assessment happens
  • Filing incident reports with the NRC
  • Coordinating training
  • Being the named contact for Coast Guard inquiries

You do not have to hire a new person. For most operators, the CySO will be a port captain, operations manager, or the owner. It's a role and accountability structure, not a headcount.

What you need to document: a designation letter or company policy naming the CySO, their qualifications, their responsibilities, and their authority to implement the plan. This goes in your Cybersecurity Plan.

Cross-coverage matters. If your CySO takes a week off and a phishing email hits, who's the backup? Name an alternate in writing.

The Cybersecurity Plan: Six Required Elements

Per §101.650, your written plan must cover six areas. Here's each one in practical terms:

1. Account Security (§101.650(b)(1))

  • Multi-factor authentication on every administrative account — the Coast Guard specifically calls this out
  • Password policy (length, rotation, reuse prohibition)
  • Quarterly account review (who has access? is it still needed?)
  • Account provisioning + de-provisioning (new hire / termination workflows)

Most operators fail this element on the "quarterly review" piece. Stale admin accounts belonging to former employees are the #1 compliance gap.
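The quarterly review described above is mechanical enough to script. The following is an added example, not code from the original post or from Binnacle AI: it cross-references a constructed account export against a constructed HR roster and flags the three things an inspector will ask about, enabled accounts whose owner has left, administrative accounts without MFA, and accounts with no login in a quarter. The field names, the 90-day dormancy threshold and the sample data are all assumptions.

```python
"""Quarterly account review for the account-security plan element.

Added example. The account export and HR roster below are constructed
sample data, and the field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2025, 7, 1)   # constructed review date
DORMANT_DAYS = 90                # assumption: no login in a quarter counts as dormant


@dataclass
class Account:
    username: str
    owner: Optional[str]      # HR employee id; None means a shared/unowned account
    is_admin: bool
    mfa_enrolled: bool
    last_login: Optional[date]
    enabled: bool


# Constructed account export (not real data).
ACCOUNTS = [
    Account("pcaptain", "E100", True,  True,  date(2025, 6, 30), True),
    Account("jsmith",   "E101", True,  False, date(2025, 6, 28), True),   # admin, no MFA
    Account("oldmate",  "E102", True,  True,  date(2024, 11, 2), True),   # owner has left
    Account("bridge1",  None,   False, False, date(2025, 6, 29), True),   # shared account
    Account("rwong",    "E104", False, True,  None,              True),   # never logged in
    Account("svc_ais",  "E100", False, False, date(2025, 7, 1),  True),
]

# Constructed HR roster: employee id -> termination date (None = still employed).
ROSTER = {"E100": None, "E101": None, "E102": date(2025, 1, 15), "E104": None}


def review_accounts(accounts, roster, today=REVIEW_DATE):
    """Return (username, finding) pairs for every enabled account that needs action."""
    findings = []
    cutoff = today - timedelta(days=DORMANT_DAYS)
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are already handled; list only live ones
        # Ownership: every live account must map to a current employee.
        if a.owner is None:
            findings.append((a.username, "no named owner (shared account)"))
        elif a.owner not in roster:
            findings.append((a.username, "owner not in HR roster"))
        elif roster[a.owner] is not None:
            findings.append((a.username,
                             f"owner terminated {roster[a.owner].isoformat()} but account enabled"))
        # MFA: the rule singles out administrative accounts.
        if a.is_admin and not a.mfa_enrolled:
            findings.append((a.username, "administrative account without MFA"))
        # Dormancy: is the access still needed?
        if a.last_login is None or a.last_login < cutoff:
            findings.append((a.username, f"no login in {DORMANT_DAYS} days"))
    return findings


def run_review():
    """Run the review over the constructed data; used for the printed report below."""
    return review_accounts(ACCOUNTS, ROSTER)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:10} {finding}")
```

Each finding pairs a username with a reason, so the output can be pasted into the review record as-is; the review record itself (who looked, when, what was done) is the evidence the element asks for, not the script.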

2. Device Security (§101.650(b)(2))

  • Asset inventory of every device that touches the vessel network — ECDIS, radar MFDs, bridge laptops, engine room monitors, office workstations
  • Patching schedule
  • End-of-life identification and replacement plan
  • Device disposal protocol

The gotcha: ECDIS and OT systems count. Your Furuno/Simrad/JRC bridge electronics are devices. Your Automation/VDR systems are devices. If they run firmware or software, they're in scope.

3. Data Security (§101.650(b)(3))

  • Encryption at rest and in transit
  • Backup policy (daily, offsite, tested restore)
  • Retention policy aligned with other regulations (49 CFR Part 40 drug records, 46 CFR 4 casualty records)
  • Data classification

Don't conflate this with data privacy (HIPAA, CCPA, GDPR). The Coast Guard cares that your data can't be tampered with or disclosed to unauthorized parties. How you handle personal data is a separate compliance thread.

4. Governance + Training (§101.650(b)(4))

  • Written roles and responsibilities
  • Annual cybersecurity training for all personnel with access
  • Training records retained for 3 years minimum
  • Phishing simulation program

The cheapest and highest-ROI piece here is an annual KnowBe4 or SANS Maritime Cyber subscription (about $30/user/year). They give you training modules, phishing simulations, and completion records — all of which are directly auditable evidence for §101.650(b)(4).

5. Risk Management (§101.650(b)(5))

  • Written risk register
  • Annual assessment documenting threats, vulnerabilities, mitigations
  • Integration with your SMS (Safety Management System) if you have one

This is where most operators panic. It sounds like a $50k consultant engagement. It's not. A one-page risk register with 10-15 line items — each listing the threat, likelihood, impact, and your mitigation — is sufficient to demonstrate the process. Auditors want to see that you thought about it.

6. Supply Chain (§101.650(b)(6))

  • Written subprocessor/vendor list
  • Security review for new integrations
  • Breach notification obligations from vendors
  • Third-party access controls

Your SaaS vendors (like Binnacle AI), your AIS provider, your Class society portal, your bunker supplier's billing system — they all touch your data. You need to know who they are and hold them to a minimum standard.

What annual cybersecurity assessment actually means

The rule requires an assessment at least annually but doesn't prescribe the format. In practice, operators are doing one of three things:

  1. Self-assessment with a checklist. Cheapest, acceptable for smaller operators. Document the process, not just the result.
  2. Third-party vulnerability scan. $2,000-$5,000 per engagement. Scans your external attack surface and produces a report.
  3. Full penetration test. $15,000-$50,000 depending on scope. Usually annual for operators with a large IT footprint or who also handle government/DoD cargo.

For most commercial operators, (1) or (2) is sufficient for the rule. The assessment must result in a written report filed with your Cybersecurity Plan and any findings remediated or formally accepted as residual risk.

Incident reporting: 48 hours to NRC

A "cyber incident" under this rule isn't every phishing email. It's an event that:

  • Disrupts vessel or facility operations
  • Compromises the integrity, confidentiality, or availability of critical systems
  • Results in unauthorized access to operational technology
  • Leads to loss or corruption of safety-related data

Call the National Response Center at 1-800-424-8802 within 48 hours of detection. Also notify your Coast Guard Sector. Document what you found, when, and what you did about it.

Common scenarios:

  • Ransomware on the office network: report
  • GPS spoofing incident: report
  • Phishing email the user clicked, no data exfiltrated: probably no report needed, but document internally
  • ECDIS firmware failure: not a cyber incident unless you suspect tampering

If in doubt, report. The Coast Guard would rather know about false alarms than miss a real one.

How to get compliant in 90 days

For the operator who hasn't started yet, here's a realistic 90-day path:

Weeks 1-2: CySO designation + framework

  • Name your CySO in writing, designate an alternate
  • Pull your existing security practices into a one-page outline mapped to the six elements
  • Identify gaps

Weeks 3-4: Asset inventory + network segmentation

  • List every device that touches vessel/facility systems
  • Classify by network segment (bridge, engine, office, crew, guest)
  • Note patch status, EOL, MFA status
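The inventory step above, and the device-security element it feeds, both come down to one list with a few lifecycle fields per device. The following is an added example, not code from the original post or from Binnacle AI: it holds a constructed inventory using the post's segment names (bridge, engine, office, crew, guest) and produces the gap list an auditor would expect, devices with no patch record or stale patches, devices past or approaching vendor end-of-life, devices outside a defined segment, and devices that expose logins without MFA. The field names, thresholds and sample devices are assumptions.

```python
"""Asset inventory gap report for the device-security plan element.

Added example. Device records are constructed sample data; field names and
thresholds are assumptions. Segment names follow the post.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2025, 7, 1)   # constructed review date
PATCH_MAX_DAYS = 180             # assumption: a patch older than this is a gap
EOL_WARN_DAYS = 365              # assumption: warn a year ahead of vendor end-of-life
SEGMENTS = {"bridge", "engine", "office", "crew", "guest"}


@dataclass
class Device:
    name: str
    segment: str
    last_patched: Optional[date]   # None = never patched / unknown
    end_of_life: Optional[date]    # None = vendor has announced no end-of-life date
    has_logins: bool               # device exposes user or admin accounts at all
    mfa_on_admin: bool


# Constructed inventory (not real vessel data).
INVENTORY = [
    Device("ECDIS-1",        "bridge",  date(2025, 3, 10), date(2028, 1, 1),   True,  False),
    Device("Radar-MFD-2",    "bridge",  None,              date(2025, 12, 31), False, False),
    Device("ER-Monitor",     "engine",  date(2024, 9, 1),  None,               True,  True),
    Device("Office-WS-04",   "office",  date(2025, 6, 20), None,               True,  True),
    Device("Crew-WiFi-AP",   "crew",    date(2025, 5, 2),  date(2024, 6, 30),  False, False),
    Device("Guest-Tablet-7", "unknown", date(2025, 6, 1),  None,               True,  False),
]


def inventory_gaps(devices, today=REVIEW_DATE):
    """Return (device, gap) pairs; one device can appear more than once."""
    gaps = []
    patch_cutoff = today - timedelta(days=PATCH_MAX_DAYS)
    eol_horizon = today + timedelta(days=EOL_WARN_DAYS)
    for d in devices:
        # Every device must sit in a defined network segment.
        if d.segment not in SEGMENTS:
            gaps.append((d.name, f"segment '{d.segment}' is not a defined segment"))
        # Patch status: unknown is worse than old.
        if d.last_patched is None:
            gaps.append((d.name, "no patch record"))
        elif d.last_patched < patch_cutoff:
            gaps.append((d.name,
                         f"last patched {d.last_patched.isoformat()}, older than {PATCH_MAX_DAYS} days"))
        # End-of-life: past EOL needs a replacement plan, approaching EOL needs a date.
        if d.end_of_life is not None:
            if d.end_of_life <= today:
                gaps.append((d.name, f"past end-of-life ({d.end_of_life.isoformat()})"))
            elif d.end_of_life <= eol_horizon:
                gaps.append((d.name,
                             f"end-of-life within {EOL_WARN_DAYS} days ({d.end_of_life.isoformat()})"))
        # MFA status only applies where the device has accounts to protect.
        if d.has_logins and not d.mfa_on_admin:
            gaps.append((d.name, "administrative access without MFA"))
    return gaps


def segment_counts(devices):
    """Devices per segment, handy for the one-page network outline."""
    counts = {}
    for d in devices:
        counts[d.segment] = counts.get(d.segment, 0) + 1
    return counts


if __name__ == "__main__":
    print("Devices per segment:", segment_counts(INVENTORY))
    for name, gap in inventory_gaps(INVENTORY):
        print(f"{name:15} {gap}")
```

Bridge electronics that never log anyone in still show up, through patch and end-of-life checks, which matches the point that ECDIS and other OT gear are devices under the rule even when they have no user accounts.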

Weeks 5-6: Written plan draft

  • Put the six elements into a formal document
  • Include the CySO designation letter, the asset inventory, the risk register
  • Peer review with another operator if possible

Weeks 7-9: Training rollout + tabletop exercise

  • Subscribe to KnowBe4 or equivalent
  • Roll training to every employee with access
  • Run one tabletop exercise (simulated phishing incident; document the response)

Weeks 10-12: Final assessment + sign-off

  • First annual assessment
  • CySO signs the plan
  • Copy filed for Coast Guard inspection
  • Calendar next-year assessment date

Common gotchas

"I'm a small operator, does this really apply to me?" If you're MTSA-regulated, yes. Size doesn't matter — applicability does.

"Is a GPS spoofing incident a cyber incident?" If your operations were disrupted or safety-critical data was corrupted, yes. Report it.

"My vessel is chartered — who's responsible?" Typically the operator of record. Charter party agreements should specify, and you should have this clarified in writing before the rule takes effect.

"My subcontractor had a breach — do I have to report it?" Only if the breach affects your systems or data. If your data processor notifies you of a breach affecting your data, you report to the NRC.

How Binnacle AI helps

Binnacle AI's Cyber Compliance module is purpose-built for this rule. You get:

  • CySO designation tracking with contact details and qualifications
  • Six-element Cybersecurity Plan with status per element
  • Annual assessment date tracker with alerts when you're inside 60 days
  • NRC 48-hour incident reporting workflow
  • Training record per-crew with auto-expiration alerts
  • Asset inventory with patching + EOL tracking
  • MFA status per asset
  • Audit-ready PDF exports for Coast Guard inspections

All for $99 per month, per organization. Hawaii-based, built by operators, no enterprise-sales gatekeeping.

Start here (free, no login)

Before you commit to any vendor — yours, mine, or anyone else's — try the free Binnacle AI compliance calculator:

[Try the free compliance checklist →](/compliance-calculator)

Enter your vessel subchapter, gross tonnage, route, and crew size. Get a list of 46 CFR sections that apply to your vessel, with citations, in under two minutes.

If that's useful, come back and let us help with the cyber piece.


Capt J is the founder of Binnacle AI. He runs a small maritime tech company on Oʻahu that builds compliance tools for commercial fleets. None of this article is legal advice — consult a qualified maritime attorney for specific regulatory questions.


Binnacle AI is not affiliated with, endorsed by, or sponsored by the U.S. Coast Guard. CFR citations refer to the current Code of Federal Regulations as of publication; confirm against eCFR before filing or inspection. This article is informational and is not legal advice — consult a qualified maritime attorney for specific regulatory questions.