On July 16, 2025, the U.S. Coast Guard updated its maritime security regulations contained in 33 Code of Federal Regulations (CFR) 101 Subpart F by establishing minimum cybersecurity requirements for U.S.-flagged vessels and facilities required to have a security plan under 33 CFR parts 104 and 105, respectively. The regulations will be phased in over the next two years to facilitate compliance. The first requirements to be phased in mandate specific cybersecurity training for personnel at regulated facilities and on U.S.-flagged vessels. This training requirement involves both general awareness training for all staff with system access and specialized role-based training for key personnel, emphasizing threat detection, incident reporting, and basic cyber hygiene. PVA has developed a cybersecurity training framework to assist members in meeting the upcoming deadline.
Current PVA Cybersecurity Guidance
Cybersecurity guidance and tools developed for the fifth revision to the Coast Guard-approved PVA Alternative Security Program (ASP), based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, remain relevant. That said, the NIST framework has been updated to version 2.0, and that version will be used, in addition to the specific regulatory requirements contained in 33 CFR 101 Subpart F, when PVA submits the sixth revision of the PVA ASP for Coast Guard approval. The fifth revision of the PVA ASP remains in effect until Sept. 12, 2027, unless amended and approved by the Coast Guard earlier.
As part of the fifth revision to the PVA ASP, members were required to assess their cybersecurity and identify operational technology (OT) systems. This information can be used when determining the level of training required for company personnel. Members that operate MTSA-regulated facilities should have already been inspected by the Coast Guard using the .
Overview of Training Requirements
The primary goal of the training is to ensure a workforce that can recognize potential threats, take basic precautions, and follow established procedures to protect critical facility and vessel systems. The rule does not mandate a specific training format (e.g., classroom, virtual, self-paced) but requires that the content be applicable to the vessel or facility’s specific cybersecurity policies until a formal cybersecurity plan can be developed.
General Training for All Personnel with IT/OT Access
Before any discussion of training, we need to define a couple of terms used in the regulations and policy:
Access means the ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions. Access is typically granted based on user credentials and permissions, ensuring only authorized individuals can interact with the system. Access can be gained through physical access to a device (for example, plugging in a USB drive) or logical access (for example, logging into a network). Personnel with unrestricted physical access to spaces or areas housing information technology (IT) and/or OT equipment, regardless of logical access, are considered to have access for the purposes of this section.
Information technology (IT) means any equipment or interconnected system or subsystem of equipment used in the acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Examples include PCs, laptops, AIS, etc.
Operational technology (OT) means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a change through the monitoring or control of devices, processes, and events. Examples include autopilot, remote camera control, engine control systems, etc. More examples can be found in the PVA Cybersecurity Guidelines located in the Member Resource area of the PVA website.
By Jan. 12, 2026, all personnel (full-time, part-time, and temporary employees, and contractors) who have access to information technology or operational technology systems must complete the initial training, and they must repeat the training annually thereafter. New personnel hired after the effective date must complete this training within 30 days of gaining system access.
General Training Requirements
The general training must cover:
- Recognition and detection of cybersecurity threats and incidents
- Techniques used to circumvent cybersecurity measures, so that personnel can recognize them
- Basic cyber hygiene, such as phishing prevention, password management, and secure practices for interacting with critical systems
- Procedures for reporting cyber incidents to the designated company security officer (CSO) or cybersecurity officer (CySO) once assigned
- OT-specific cybersecurity training for all personnel whose duties include using OT
Specialized Training for Key Personnel and the Cybersecurity Officer
Key personnel with specific roles in cyber incident response must receive specialized training relevant to their responsibilities. This includes:
- Understanding roles and responsibilities during a cyber incident and response procedure
- Maintaining current knowledge of changing cybersecurity threats and countermeasures, potentially by referencing reliable sources such as information from the Cybersecurity and Infrastructure Security Agency (CISA) or sector-specific information sharing and analysis centers (ISACs)
Companies will determine their own key personnel; these will likely include company leadership, the CSO, vessel and facility security officers, individuals with elevated system access, and OT engineers and technicians.
Companies that have outsourced their IT or are Payment Card Industry (PCI) compliant and have existing cyber awareness and hygiene training should compare their current training against the Coast Guard requirements and verify that it meets them.
Vendors and contractors who will have access to a company’s IT and OT systems should be prepared to attest to compliance with 33 CFR 101.650(d) prior to being granted unescorted access to those systems.
Untrained Personnel
Similar to what is done for individuals who are granted access to secure or restricted areas of a facility or vessel without a Transportation Worker Identification Card (TWIC), individuals who have not received company cybersecurity training must be escorted by individuals who have had the training. Depending on the work being done by the individual, escorting can be done physically or remotely.
Documentation and Recordkeeping
Owners and operators must maintain training records and documentation in accordance with 33 CFR 101.640. Since development of a cybersecurity plan (CSP) is not required until July 2027, cybersecurity training will need to be documented as additional security training under the PVA ASP (Section X) or a company's existing FSP/VSP. Records documenting cybersecurity training may be kept in hard copy or electronic format (including in a learning management system) and must include the following information at a minimum:
- The date of each session
- Duration of session
- A description or outline of the training demonstrating how personnel are trained
- A list of attendees
This documentation will be used by the Coast Guard to verify that the cybersecurity training meets the basic requirements outlined above.
In addition to documenting the minimum training data listed above, the following information needs to be documented:
- How key personnel are defined
- How training is delivered, which may utilize a combination of delivery options, as noted above
- The processes or procedures for physical accompaniment or monitoring of untrained personnel as well as the processes, procedures, and/or automated systems utilized for remote “escorting” of untrained personnel
- Contractor training records, if applicable
Until the sixth revision of the PVA ASP is approved, the additional information above can be kept as a standalone document within Appendix Q of the PVA ASP. Companies not using the PVA ASP can either include the information as a section under 33 CFR § 104.225 or 33 CFR § 105.215, or keep it with the FSP/VSP as a standalone document.
Cybersecurity compliance information can be found in the Member Resource area of the PVA website under Security Tools. As more information becomes available and guidance is developed, the website will be updated. For further information on Coast Guard cybersecurity requirements, members can consult the official or contact Eric Christensen of the PVA staff at .

Eric Christensen is the PVA Director of Regulatory Affairs & Risk Management