The Coast Guard recently released CG-5PC Policy Letter 01-25, Cybersecurity for Personnel with Access to Information Technology (IT) or Operational Technology (OT) Systems, on October 10, 2025. This policy supports recent Cybersecurity in the Marine Transportation System regulations, specifically requirements stated under 33 Code of Federal Regulations (CFR) 101.650(d). The policy outlines crucial cybersecurity training requirements for personnel with access to IT and OT systems on U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities, subject to the Maritime Transportation Security Act (MTSA) of 2002. Regulated stakeholders must ensure this training is completed no later than January 12, 2026.
The Coast Guard also announces the publication of Navigation and Vessel Inspection Circular (NVIC) 02-24, CH 1, Reporting Breaches of Security, Suspicious Activity, Transportation Security Incidents, and Cyber Incidents. NVIC 02-24, CH 1, includes updated guidance on reporting cyber incidents as required under 33 CFR Part 101, Subpart F. Key Updates Include:
- Incorporation of reportable cyber incident reporting requirements
- Alignment of cyber incident and reportable cyber incident reporting criteria
- Harmonization of cyber incident reporting under 33 CFR Part 6
- FBI now accepts NRC reports as meeting federal notification requirements
This update reflects the Coast Guard’s ongoing efforts to enhance maritime cybersecurity policy and ensure consistent, efficient communication in the face of evolving threats. Maritime industry professionals should review the updated NVIC closely to ensure full compliance with these revised requirements.
These documents, in addition to other maritime cybersecurity resources, can be found on the Coast Guard Maritime Industry Cybersecurity Resource Center website.
For any questions not addressed in these documents or regarding the recent regulations, please reach out to the Coast Guard at MTSCyberRule@uscg.mil .
###