USCG-2022-0802 Compliance

The New Standard for Maritime Cybersecurity

On January 17, 2025, the U.S. Coast Guard published a final rule establishing mandatory cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to the Maritime Transportation Security Act of 2002 (MTSA). The rule became effective July 16, 2025.

If your organization falls under MTSA, compliance isn't optional — and the deadlines are already in motion.

Who Does This Apply To?

U.S.-flagged vessels exceeding 100 GT
Passenger vessels certified for more than 150 passengers
Offshore supply vessels (OSVs)
Mobile offshore drilling units (MODUs)
Towing vessels engaged in hazardous cargo transport
Container terminals, chemical and petroleum terminals, cruise ship terminals
LNG/LPG terminals
Barge fleeting facilities handling dangerous cargo
Other facilities governed by MTSA

Compliance Timeline

Deadline	Requirement
July 16, 2025	Reportable cyber incidents must be reported to the National Response Center (NRC) without delay
January 12, 2026	All personnel must complete required cybersecurity training
July 16, 2027	Designate Cybersecurity Officer (CySO), complete Cybersecurity Assessment, and submit Cybersecurity Plan for USCG approval

What's Required

Cybersecurity Officer (CySO)

You must designate a Cybersecurity Officer responsible for implementing the Cybersecurity Plan and Cyber Incident Response Plan. The CySO ensures the plan stays current, arranges inspections, oversees training, records and reports incidents, and takes steps to mitigate them. This can be a full-time, collateral, or contracted position.

Cybersecurity Assessment

An assessment identifying vulnerabilities in your critical IT and OT systems, evaluating risks, and determining the potential for operational disruption or other harmful consequences. Required within 24 months of the effective date and annually thereafter.

Cybersecurity Plan

A comprehensive plan submitted to the Coast Guard for approval. Must include:

Account Security (7 measures):

Automatic account lockout after failed login attempts
Change default passwords before use
Minimum password strength requirements
Multifactor authentication on IT and remotely accessible OT systems
Principle of least privilege for privileged accounts
Separate credentials on critical systems
Credential removal when personnel leave

Device Security (4 measures):

Approved hardware/firmware/software list
Executable code disabled by default on critical systems
Accurate inventory of network-connected systems
Documented network map and OT device configuration

Data Security (2 measures):

Secure logging accessible only to privileged users
Encryption for sensitive data and IT/OT traffic (when technically feasible)

Cyber Incident Response Plan

Instructions on how to respond to a cyber incident, including identification of key roles, responsibilities, and decision-makers among personnel.

Penetration Testing

Required when renewing your Cybersecurity Plan. Results must be available to the Coast Guard upon request.

Drills and Exercises

At least two cybersecurity drills per calendar year. At least one cybersecurity exercise per calendar year (no more than 18 months between exercises).

What Happens If You Don't Comply?

Up to $25,000 per violation
Operational shutdown — you cannot operate until compliant
Lost revenue during shutdown
Reputation damage

How Tactical Cyber Services Helps

We built our services around the requirements maritime organizations face. Here's how we support USCG-2022-0802 compliance:

Blue Team Services

Our Blue Team works inside your network to evaluate your security posture, review policies and procedures, and help develop your Cybersecurity Plan. We assess the same areas the regulation requires: account security, device security, data security, and incident response readiness.

Learn more about Blue Team Services →

External Network Penetration Testing

Penetration testing is required when renewing your Cybersecurity Plan. Our penetration testers, backed by Sterling7, deliver the documentation you need — including a notarized letter of attestation after issues are corrected.

Learn more about Penetration Testing →

Vulnerability Scans

A point-in-time snapshot of your security state. Useful for baseline assessments or ongoing verification between full engagements.

Learn more about Vulnerability Scans →

Managed Services

Ongoing support for organizations that need help maintaining compliance. From patch management to endpoint detection and response, we handle the security tasks so your team can focus on operations.

Learn more about Managed Services →