USCG Releases Guidance on Cybersecurity Assessment Process

The United States Coast Guard (USCG) published Policy Letter 01-26 on 02 June 2026, providing detailed guidance on the scoping and execution of Cybersecurity Assessments (CSAs) required under the recently introduced maritime cybersecurity regulations in 33 CFR Subpart F.

The policy letter aims to promote a consistent approach across the U.S. maritime industry and clarifies how vessel and facility operators should determine the scope of their cybersecurity assessments. The guidance emphasizes that organizations should not focus solely on systems that are already assumed to be critical. Instead, the assessment process should begin with a comprehensive review of the entire digital environment before identifying critical Information Technology (IT) and Operational Technology (OT) assets.

According to the guidance, organizations should inventory and assess not only internal systems under their direct control, but also external dependencies and interfaces that may introduce cybersecurity risks. Examples include satellite communications, cloud services, third-party vendors, remote access solutions, wireless networks, and other interconnected technologies that support maritime operations.

The USCG highlights that the Cybersecurity Assessment is intended to validate existing assumptions while identifying less obvious vulnerabilities, dependencies, and operational risk pathways that could contribute to a cyber incident or Transportation Security Incident (TSI).

The guidance introduces a structured assessment methodology that includes:

  • Defining organizational risk tolerance and assessment assumptions;
  • Identifying essential business and operational functions;
  • Developing a comprehensive asset inventory;
  • Identifying threats and vulnerabilities;
  • Evaluating likelihood, impact, and overall risk;
  • Determining priority assets;
  • Classifying Critical IT and OT systems; and
  • Documenting findings to support the Cybersecurity Plan (CSP).

One notable aspect of the guidance is the recognition that cybersecurity risk extends beyond traditional IT and OT assets. The USCG specifically highlights the importance of assessing interfaces between systems, as well as dependencies on third-party services and external infrastructure.

The policy also reinforces the importance of appointing a qualified Cybersecurity Officer (CySO) or obtaining appropriate cybersecurity expertise to support the assessment process.

For maritime operators preparing for compliance with the new cybersecurity regulations, this guidance provides valuable insight into the Coast Guard’s expectations and demonstrates a risk-based approach focused on understanding the broader digital ecosystem that supports maritime operations.

At Cyber Onboard, we welcome this practical guidance as an important step toward improving cybersecurity resilience across the maritime sector. The emphasis on dependencies, interfaces, and operational risk pathways closely aligns with the evolving threat landscape facing today’s connected ships and shore-based operations.
