The Coast Guard has released a CG-5PC Policy Letter and two CG-MCP Work Instructions providing policy and guidance to assist regulated maritime entities in complying with cybersecurity regulations required under 33 CFR Part 101, Subpart F.
CG-5PC Policy Letter 01-26, Cybersecurity Assessment Initial Scoping and Process, provides guidance for determining the scope of the Cybersecurity Assessment (CSA) required under 33 CFR 101.650. The policy emphasizes that a cybersecurity assessment is the foundational first step in a continuous maturity process, designed to help organizations align risk management strategies with current threats. Because the outcomes and findings of the CSA form the foundation of the Cybersecurity Plan (CSP), the initial assessment is highly consequential and should be rigorously conducted to identify vulnerabilities, threats, operational dependencies, and interdependencies that could result in an operational disruption or transportation security incident (TSI). Key features include:
- Risk-Filtering Process: Provides an optional guide, grounded in industry standards like the NIST Cybersecurity Framework, to identify threats, vulnerabilities, likelihood, and impact.
- Critical IT/OT Designation: Clarifies the process for analyzing risk to determine which priority assets must be formally designated as Critical IT or OT.
CG-MCP-WI-002, Waiver and Equivalency Guidance for Requirements of 33 CFR Part 101, Subpart F – Cybersecurity, harmonizes guidance for regulated U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities for the preparation and submission of requests for a cybersecurity requirement to be waived or satisfied through an equivalent measure that achieves the same or higher level of protection.
This harmonized approach ensures that all maritime entities, regardless of size or digital maturity, follow the same guidelines for determinations, informed by a cybersecurity assessment.
Finally, CG-MCP-WI-003, DoD SAFE Instructions for Cybersecurity Plan (CSP), Cybersecurity Assessment (CSA), Waiver & Equivalency Request Submissions, provides guidance regarding the Coast Guard’s process for secure transmission of CSAs, CSPs, waivers and equivalency requests using the DoD SAFE portal.
While the Coast Guard is receiving and processing requests for waivers or equivalencies, we ask that maritime entities refrain from submitting full CSPs until further notice.
As a reminder, these policies and guidance are intended to support and inform compliance with applicable legal requirements, but are not themselves legal requirements, nor do they serve as a substitute. Use of this guidance is not mandatory. Owners and operators of maritime entities are welcome to use other frameworks or approaches that they feel best account for their individual footprint and operations.
The CG-5PC Policy Letter and CG-MCP Work Instructions can be found on the Coast Guard Maritime Industry Cybersecurity Resource Center website.
For any questions not addressed in these documents or regarding the recent regulations, please reach out to the Coast Guard at MTSCyberRule@uscg.mil.