June 18, 2026
[Timeline graphic: 33 CFR Part 101 Subpart F, Cybersecurity in the Marine Transportation System. Jul 16, 2025: rule in effect, report incidents. Jan 12, 2026: personnel training due (now in effect). Jul 16, 2027: Officer, Assessment, Cybersecurity Plan.]

Beyond Badges: What the Coast Guard's Maritime Cybersecurity Rule Signals for Facility Access

The first mandatory cybersecurity rule for U.S. ports and vessels doesn't mention the front desk. But it bolts a documented, auditable security program onto the same Facility Security Plan that already governs who walks through the gate — and that quietly raises the bar for visitor access everywhere it touches.

On July 16, 2025, the U.S. Coast Guard's first mandatory cybersecurity rule for the marine transportation system took effect. It is a cyber rule — about networks, operational technology, and incident reporting — so at first glance it has nothing to do with who signs in at a terminal gate. Look closer and the connection is hard to miss.

The rule, codified at 33 CFR Part 101, Subpart F, doesn't create a standalone cyber program off to the side. It folds cybersecurity into the Facility Security Plan (and Vessel and OCS Facility Security Plans) that MTSA-regulated operators have maintained for two decades — the very plan that governs fences, badges, escorts, and physical access to the facility. When the regulator chose to extend that plan rather than write a separate one, it sent a message about how it now thinks about security at a port or terminal: as one converged, documented, auditable program, not a cyber pile and a physical pile.

The short version

The Coast Guard's maritime cyber rule is in force and phasing in through 2027. It doesn't require visitor management software — but it lives inside the same Facility Security Plan that governs physical access, and it signals that “prove it, log it, keep it” is now the baseline for security at regulated facilities. Paper badges and a sign-in sheet aren't that.

What the rule actually does

The final rule, “Cybersecurity in the Marine Transportation System,” was published in the Federal Register on January 17, 2025 and became effective July 16, 2025. It is the first time the Maritime Transportation Security Act's framework carries a mandatory baseline for cybersecurity. It applies to owners and operators that already hold a security plan: U.S.-flagged vessels (33 CFR Part 104), facilities (Part 105), and Outer Continental Shelf facilities (Part 106).

At a high level, regulated operators must adopt cybersecurity measures — including account and access management for their IT and operational-technology systems — designate a Cybersecurity Officer, conduct a Cybersecurity Assessment, maintain a Cybersecurity Plan, train personnel, run drills and exercises, keep records, and report cyber incidents. The rollout is phased.

The phased timeline

  • July 16, 2025 — report reportable cyber incidents to the National Response Center without delay.
  • January 12, 2026 — personnel with IT/OT access complete cybersecurity training (annually thereafter). This deadline is now in effect.
  • July 16, 2027 — designate the Cybersecurity Officer, complete the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval.

The Coast Guard sought public comment on a possible multi-year delay of the implementation periods for U.S.-flagged vessels. Treat any delay as unsettled, confirm it against the Coast Guard, and note it was framed around vessels — not facilities.

Why a cyber rule moves the bar on physical access

Here is the part that matters for anyone who runs a gate. The rule does not stand alone — it is documented and maintained inside the existing Facility Security Plan. Training records follow existing FSP procedures. Incident reporting threads into the same security organization. The Coast Guard deliberately made cyber a chapter of the security plan that already covers who is allowed on the property and how their access is recorded.

That design choice is the signal. The regulator is treating “security” at a maritime facility as a single accountable system: an owner (the Cybersecurity Officer for the cyber side; the Facility Security Officer for the physical side), an assessment of risk, written measures, trained people, logged events, and reportable incidents. Once that is the expectation for the cyber half of the plan, a sign-in clipboard for the physical half looks exactly like what it is — the weakest, least defensible part of an otherwise documented program.

The people at a port gate are a security surface

Maritime facilities are among the most international worksites in the country: foreign-flag crews, ship agents, marine surveyors, bunker and provisioning vendors, drayage drivers, inspectors, and contractors flow through the gate every day. Workers carry a TWIC; visitors and vendors are exactly the population a credential program doesn't resolve. That is where restricted-party screening and an honest access record do their work.

What “beyond badges” looks like in practice

A badge answers one question: does this person have a credential? It does not say whether the company sending the contractor is on a restricted list, whether the visiting vendor is owned by a sanctioned party, who escorted them, or whether any of it can be reconstructed six months later for an inspector. The converged-security era the cyber rule points toward expects answers to all of those — and expects them to be recorded.

For physical visitor access, that means a short, unglamorous list: screen the people and companies coming in against the right lists, resolve ownership when a listed party might be behind a counterparty, hold rather than wave through when a check can't complete, and keep a timestamped record of every entry and decision. None of that replaces the cyber program the rule requires. It is the physical-access analogue of the same discipline.

Where SecurePoint fits: our visitor platform screens visitors and vendors against the OFAC SDN List and the BIS Entity List, flags potential 50%-rule ownership matches for human review, fails closed when a screen can't finish, and maintains a timestamped audit trail of who entered, when, and under what conditions. That supports the access-control and recordkeeping elements of a Facility Security Plan. It is not — and we never claim it to be — a cybersecurity program or a substitute for the Cybersecurity Officer, Assessment, and Plan the Coast Guard rule requires.

Two halves of one Facility Security Plan

The cyber half (the new rule)

  • Accountable owner: Cybersecurity Officer (CySO)
  • Core obligations: Assessment, Cybersecurity Plan, IT/OT account & access management, training, incident reporting
  • Authority: 33 CFR Part 101 Subpart F (effective Jul 16, 2025)
  • SecurePoint's role: None — this is a cybersecurity program we do not replace

The physical half (already there)

  • Accountable owner: Facility Security Officer (FSO)
  • Core obligations: Access control, visitor/vendor screening, escorting, physical access records
  • Authority: MTSA Facility Security Plan (33 CFR Part 105) + sanctions/export law
  • SecurePoint's role: Restricted-party screening, ownership flags, timestamped access audit trail

A practical access-side checklist

  • Pull physical access into the same conversation as the cyber plan — the regulator already did, by putting both in one Facility Security Plan.
  • Screen visitors and vendors against the OFAC SDN List and the BIS Entity List, not just against your badge database.
  • Resolve ownership where a listed party may sit behind a counterparty — the 50% rule means restricted owners aren’t always named on a list.
  • Fail closed: when a screen can’t complete, the default is hold and review, not wave through.
  • Keep a timestamped record of every entry, escort, and access decision — reasonable care is something you can reconstruct for an inspector, not assert.
  • Re-screen recurring vendors and contractors; lists and ownership change, and a one-time check at first visit goes stale.
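The screening steps in this checklist (list check, ownership check, fail closed, timestamped record) can be sketched as one gate decision. This is an added example, not SecurePoint's code: the function names, the exact-match lookup, the sample names, and the choice to sum listed owners' stakes against a 50% threshold are all assumptions made for illustration.

```python
from datetime import datetime, timezone

OWNERSHIP_THRESHOLD = 50.0  # aggregate percent held by listed owners (assumed reading of the 50% rule)

class ScreenUnavailable(Exception):
    """A list lookup could not complete (timeout, outage, bad response)."""

def make_lookup(listed, available=True):
    """Constructed stand-in for a real restricted-party list query."""
    def lookup(name):
        if not available:
            raise ScreenUnavailable(name)
        return name.casefold() in listed
    return lookup

def decide_access(visitor, company, owners, lookup, audit_log, now=None):
    """Return 'ALLOW' or 'HOLD' and append one timestamped audit record.

    owners maps each owner of `company` to its ownership percentage.
    """
    now = now or datetime.now(timezone.utc)
    decision, reason = "HOLD", "screen_incomplete"  # fail-closed default
    try:
        if lookup(visitor) or lookup(company):
            reason = "list_match"
        elif sum(p for o, p in owners.items() if lookup(o)) >= OWNERSHIP_THRESHOLD:
            reason = "ownership_review"  # listed owners may sit behind the company
        else:
            decision, reason = "ALLOW", "clear"
    except Exception:
        pass  # any failure to finish the screen leaves the default HOLD
    audit_log.append({"ts": now.isoformat(), "visitor": visitor,
                      "company": company, "decision": decision, "reason": reason})
    return decision

# Constructed sample data: none of these names come from a real list.
LISTED = {"example listed holdings", "example listed trading"}
log = []
ok = make_lookup(LISTED)
decide_access("A. Surveyor", "Harbor Survey Co", {"Local Owner": 100}, ok, log)
decide_access("B. Driver", "Quay Bunkering LLC",
              {"Example Listed Holdings": 30, "Example Listed Trading": 25, "Other": 45}, ok, log)
decide_access("C. Agent", "Pier Agency Inc", {}, make_lookup(LISTED, available=False), log)
for rec in log:
    print(rec["ts"], rec["decision"], rec["reason"], rec["company"])
```

The only path to ALLOW is a screen that ran to completion and came back clear; every other outcome, including an unexpected error inside the lookup, is recorded as a HOLD for human review.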

Frequently asked questions

It is the final rule "Cybersecurity in the Marine Transportation System," published in the Federal Register on January 17, 2025 and effective July 16, 2025. Codified at 33 CFR Part 101, Subpart F, it is the first mandatory baseline cybersecurity framework under the Maritime Transportation Security Act (MTSA). It applies to owners and operators that already must hold a security plan: U.S.-flagged vessels (33 CFR Part 104), facilities (Part 105), and Outer Continental Shelf facilities (Part 106).

Primary sources

Effective dates, phased deadlines, and any proposed delays change. Verify the current status of the rule against the U.S. Coast Guard before relying on it. This article is educational and is not legal advice.

Make the front gate part of the program

Screen who comes in, resolve ownership, and keep the access record an inspector can read — in one place. See how SecurePoint USA supports visitor and vendor screening and audit-ready access logs for regulated facilities.
