America's Seaport Cybersecurity

Cyber Coalition
06.04.26 04:00 PM

America's Ports Are Open for Business — And the Clock Is Now Ticking

The United States moves roughly $5 trillion in trade every year. Nearly all of it touches a seaport. For years, the cybersecurity posture protecting that infrastructure has been voluntary — a patchwork of recommended frameworks, political fragmentation, and competing port authorities with no federal mandate to comply with anything.

That just changed.


On January 17, 2025, the U.S. Coast Guard published 33 CFR Part 101 Subpart F in the Federal Register (90 FR 6447) — the first mandatory federal cybersecurity regulation for the U.S. Marine Transportation System. If your organization operates a U.S.-flagged vessel, an MTSA-regulated port facility, or an Outer Continental Shelf facility, compliance is no longer optional. And if you depend on those operators as part of your supply chain, this regulation affects your risk exposure whether you know it or not.


Why Seaports Were Already a Problem

Before getting into what the new rule requires, it helps to understand how exposed the maritime sector has been — and still is — going into this compliance window.

U.S. ports handle over 95% of overseas trade. In 2017, that amounted to $5.2 trillion in goods and services, supporting over 23 million jobs. The National Retail Federation has estimated that a five-day West Coast port shutdown would cost $1 billion per day, climbing to $2.5 billion per day beyond 20 days. That is not a logistics problem — it is an economic crisis.


The threat is not theoretical. In June 2017, A.P. Moller-Maersk — the world's largest shipping company, handling one in every seven containers globally — was hit by the NotPetya ransomware attack. Operations were disrupted for ten days, volume dropped 20%, over 20,000 containers required manual re-routing, and the company had to rebuild its entire IT infrastructure: 4,000 servers, 45,000 PCs, 2,500 applications. Total damage: approximately $300 million.

In 2013, a drug cartel hired hackers to breach the Port of Antwerp's cargo management system — not to steal data, but to identify which containers held their smuggled contraband so drivers could collect it before the legitimate owners arrived. The port's IT systems became a tool for international drug trafficking.

These were not obscure edge cases. They were direct hits on the exact systems that 33 CFR Part 101 Subpart F now mandates be secured.


The Gap the New Rule Closes

The core structural problem in maritime cybersecurity has always been governance. Of the 361 U.S. ports, 126 are public seaport agencies — governed by a mix of appointed officials, elected bodies, and in 21 cases, no governing body whatsoever. These are not cybersecurity professionals. They are political appointees managing enormous technical infrastructure with no federal requirement to secure it.

Until now, the Transportation Security Administration served as the Sector-Specific Agency for ports, but its cybersecurity guidance was advisory. The NIST Cybersecurity Framework was recommended, not required. Ports competed aggressively with each other for shipping volume, which meant CISOs didn't share threat intelligence, incident response was siloed, and the federal government had no single point of contact for maritime cyber incidents.

The new regulation establishes a binding floor for the first time. Compliance is not a choice.


What 33 CFR Part 101 Subpart F Actually Requires

The regulation applies to owners and operators of U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities already required to hold a security plan under 33 CFR parts 104, 105, and 106. Here is what they are now mandated to do.

Designate a Cybersecurity Officer (CySO). The CySO must be named in writing, by name and title, and must be accessible to the Coast Guard 24 hours a day, seven days a week. The CySO is responsible for developing and maintaining the Cybersecurity Plan, managing audits and exercises, ensuring incident reporting, and remediating Known Exploited Vulnerabilities (KEVs) in critical IT and OT systems without delay.


Develop and submit a Cybersecurity Plan. The Plan must be submitted to the cognizant Captain of the Port (COTP) or Marine Safety Center no later than July 16, 2027. Once approved, it is valid for five years. The Plan must cover organizational structure, personnel training, drills and exercises, incident response procedures, access controls, network maps, OT device configuration, supply chain security, and a complete cybersecurity assessment.

Conduct a Cybersecurity Assessment. Due no later than July 16, 2027, and annually thereafter. The assessment must analyze all networks, identify vulnerabilities in critical IT and OT systems, and document remediation or compensating controls for every Known Exploited Vulnerability found.

Penetration testing. Required in conjunction with every Cybersecurity Plan renewal — once every five years. Results must be certified and included in the facility or vessel security assessment documentation.


Mandatory technical controls. The rule specifies a floor of required security measures including: multifactor authentication on all password-protected IT and remotely accessible OT systems; account lockout after failed login attempts; default password changes before any system use; least privilege access enforcement; separation of credentials between critical IT and OT systems; IT/OT network segmentation with logged and monitored connections; encryption of sensitive data and OT traffic where technically feasible; secure log retention accessible only to privileged users; and prohibition of OT systems being directly connected to the public internet unless explicitly documented and justified.


Supply chain requirements. Vendors and service providers must be required to notify the operator of any cybersecurity vulnerabilities or reportable incidents without delay. All third-party remote connections must be monitored and documented.  


Drills and exercises. Cybersecurity drills are required at least twice per calendar year. A full exercise — tabletop, live, or combined — is required at least once per calendar year with no more than 18 months between exercises.


Annual audits. The Cybersecurity Plan must be audited annually by personnel who are independent of the cybersecurity functions being audited. Audit findings requiring plan amendments must be submitted to the Coast Guard within 30 days of audit completion.


Incident reporting. Reportable cyber incidents — those that substantially affect availability or integrity of covered systems, disrupt operations, expose personal information, or could lead to a transportation security incident — must be reported to the National Response Center without delay.


One Deadline Has Already Passed

Here is the detail that matters most right now: the personnel training deadline was January 12, 2026.


All personnel with access to IT or OT systems — including contractors, part-time, temporary, and permanent staff — were required to complete cybersecurity awareness training by that date. Key personnel required additional training covering their roles during a cyber incident and maintaining current knowledge of evolving threats. For new hires joining after that date, training must be completed within 5 days of gaining system access and no later than 30 days after hiring.


Any covered operator that has not completed that training is already out of compliance. The Coast Guard has enforcement authority under 14 U.S. Code § 89. Non-compliance is not a paperwork problem — it is a regulatory exposure with real consequences, and it exists right now for operators who have not moved.


What This Means for Your Organization

If you operate a covered vessel or facility, the compliance requirements are not optional and the deadlines are fixed. The July 2027 plan submission deadline sounds distant, but building a compliant Cybersecurity Plan — completing a proper assessment, identifying and documenting all critical IT and OT systems, establishing a CySO, drafting incident response procedures, and getting Coast Guard approval — takes time. Organizations that start that process late will find themselves rushing, and rushed plans get rejected or require costly revisions. 


If you are not a direct operator but your business depends on the maritime supply chain — importers, exporters, logistics providers, freight forwarders, manufacturers sourcing overseas components — this regulation reshapes the risk profile of your upstream and downstream dependencies. A port facility or vessel operator in your supply chain that fails compliance is a potential point of disruption. Third-party risk assessments of maritime partners should now include review of their cybersecurity compliance posture under this rule.


The regulation also carries explicit supply chain requirements: covered operators must require their IT and OT vendors to notify them of vulnerabilities and incidents without delay, and must monitor and document all third-party remote access. If you are a technology vendor or managed service provider to a covered facility or vessel, your contracts and incident notification procedures will need to reflect that obligation.


The Bottom Line

33 CFR Part 101 Subpart F is the regulatory reckoning the maritime sector has needed for a long time. It establishes mandatory, enforceable cybersecurity standards with defined roles, documented plans, annual audits, and compliance deadlines. The era of voluntary frameworks and recommended best practices for U.S. port cybersecurity is over.


The training deadline has already passed. The plan submission and assessment deadlines are 15 months out. The organizations that treat this as a 2027 problem will spend 2026 behind.


If you need to understand where your organization stands against these requirements — whether you are a covered operator building toward compliance, or a business assessing supply chain exposure — that conversation starts with knowing exactly what the regulation demands and where your current posture falls short.
