As of January 12, 2026, the US Coast Guard's Cybersecurity in the Marine Transportation System rule requires facilities and vessels regulated under the Maritime Transportation Security Act to provide cybersecurity training to every person with access to their IT or OT systems. If you operate regulated facilities or vessels, this is now a requirement you are expected to meet.
Meeting the requirement on paper is not the same as being prepared. The training is a starting point. What matters is whether your workforce can recognize a cybersecurity incident and respond to it, whether on a ship, a rig, a port facility, or any other vessel or facility that supports the Marine Transportation System.
Why maritime operations are hard to defend
Modern maritime vessels and facilities are enterprise networks bolted onto operational technology. Crew and staff laptops, passenger and business systems, and administrative applications share space with the systems that run the vessel or the facility. In our assessments, the two are far less separated than operators assume. A foothold in the "ordinary IT" side is often a short walk from systems that matter.
The recurring gaps are not exotic. They are the ordinary ones:
- Flat networks that put safety-critical systems on the same infrastructure as non-mission systems.
- Default or shared credentials left in place on operational technology and network equipment, the first thing an attacker tries and too often the one that works.
- Unpatched, end-of-life systems still running critical functions, kept in service because they work and left exposed because they cannot be patched.
While these weaknesses tend to look familiar across the sector, the setting changes what is at stake. On an oil rig, at a port, or aboard a vessel, an incident is measured in safety and environmental terms rather than lost data alone, which makes the same ordinary gaps far more consequential.
Why a compliance course alone does not fix it
Annual awareness training meets the MTSA requirement and gives everyone a shared baseline. On its own, though, it is not meant to build the judgment a real incident demands. When something looks wrong, what matters is whether the people on watch understand what they are seeing and know what to do next, and that kind of readiness comes from three things working together:
- Role-based training built on real scenarios, so the lesson fits the job.
- Assessment, so you know where the actual gaps are before an adversary does.
- Tabletop exercises, so the team rehearses the decisions under pressure without touching production systems.
Training shows people what good looks like, assessment shows you where you actually stand, and tabletop exercises show whether your plan holds up when a real incident tests it. All three work together, and each one is weaker without the others.
What we have seen in the field
This is work CT Cubed does directly, in real maritime environments. We have run security assessments of cruise ships, covering their IT and OT systems. We have also facilitated cybersecurity tabletop exercises for offshore platforms, walking operations teams through realistic incident scenarios.
The consistent finding is the encouraging one: the gaps are ordinary, and they can be found before an incident, if someone goes looking.
Where to start
If you operate MTSA-regulated facilities or vessels, treat the training mandate as the beginning rather than the finish line. To help operators meet that training requirement, we partnered with ABS Group's Cyber Center of Excellence to build mtsatraining.com, a platform for delivering MTSA cybersecurity training to maritime operators.
From there, the real work is pairing that training with an honest assessment of your IT and OT and rehearsing your response before you need it. If you want to know where you actually stand, let's talk.