Enforcement began July 2025. Plan submission deadline: July 2027.
The United States Coast Guard now requires every vessel calling at US ports to implement cybersecurity measures under 33 CFR Part 101, Subpart F. NCoDE Command maps every regulatory requirement into guided workflows, technical controls, and audit-ready evidence — so your vessel is compliant from day one, not scrambling at the last minute.
Requirement-by-Requirement Coverage
The table below maps each section of 33 CFR 101 Subpart F to the specific NCoDE Command modules and features that satisfy the requirement. No spreadsheets. No guesswork. Every control is traceable, auditable, and continuously monitored.
| CFR Section | Requirement | How NCoDE Command Addresses It |
|---|---|---|
| §101.620–625 | CySO designation and qualifications | LDAP Role Tracking LDAP directory stores role assignments including CySO designation. Qualification certificates are tracked with expiry dates and automatic renewal alerts. The system maintains a verifiable chain of custody proving who holds the CySO role, when they were appointed, and whether their qualifications remain current. Auditors can pull a complete CySO history in one click. |
| §101.630–635 | Cyber risk assessment | Risk Register 5×5 Matrix The Risk Register module provides a structured cyber risk assessment using an industry-standard 5×5 likelihood-impact matrix. Each identified risk is categorised, scored, assigned an owner, and tracked through mitigation. The register links directly to USCG-required categories including IT systems, OT systems, navigation equipment, and communication systems. Risk assessments are versioned and timestamped for audit evidence. |
| §101.640 | Cybersecurity training | Training Matrix LDAP Certs The Training Matrix tracks every crew member's cybersecurity training status against role-based requirements. Expiry alerts fire 90, 60, and 30 days before certificates lapse. LDAP certificate tracking links training records directly to personnel identities. The system distinguishes between CySO-level training and general crew awareness training as required by the rule. |
| §101.645 | Drills and exercises | Drill Scheduler Findings Tracker Cybersecurity drills can be scheduled, executed, and documented within NCoDE. Each drill records participants, scenario details, findings, and corrective actions. The system tracks whether corrective actions have been completed and closed. Drill frequency compliance is monitored automatically to ensure the vessel meets the quarterly and annual exercise requirements specified in the regulation. |
| §101.650(a) | Account security | LDAP Access Control Password Policy MFA Tracking LDAP-based access control enforces role-based permissions across all vessel systems. Password policies are centrally managed with minimum complexity, rotation intervals, and lockout thresholds. Multi-factor authentication deployment is tracked per user and per system. Account lifecycle management covers onboarding, role changes, and offboarding with full audit trails. |
| §101.650(b) | Device security | Software Allowlist Wazuh Endpoint The Software Allowlist panel maintains an approved software inventory for every endpoint on the vessel. Wazuh agents monitor each device for unauthorised software installations, configuration changes, and policy violations. Endpoint health status is visible on the main dashboard. Any deviation from the approved baseline triggers an alert that is logged and escalated. |
| §101.650(c) | Data security | Backup & Recovery Encryption Tracking Backup and recovery scheduling ensures critical data is protected on a documented cycle. Each backup job records success or failure status, verification results, and offsite replication state. Encryption tracking monitors which systems and data stores use encryption at rest and in transit, providing evidence of data protection controls for auditors. |
| §101.650(d) | Network security | Peplink Integration Network Segmentation Direct integration with Peplink routers provides real-time visibility into network topology, WAN status, traffic flows, and web content filtering. Network segmentation between IT, OT, and guest networks is monitored continuously. The system detects and alerts on cross-zone traffic that violates segmentation policies. Firewall rule sets are documented and version-controlled. |
| §101.650(e) | Vulnerability management | Patch Lifecycle Wazuh SCA KEV Tracking The Patch Lifecycle module tracks software updates from identification through testing, approval, deployment, and verification. Wazuh Security Configuration Assessment (SCA) scans endpoints against CIS benchmarks and flags non-compliant configurations. Known Exploited Vulnerabilities (KEV) from the CISA catalogue are cross-referenced against the vessel's software inventory to prioritise critical patches. |
| §101.650(f) | Supply chain risk management | Vendor Tracker DPA Management Access Logging The Vendor Tracker maintains a registry of all third-party suppliers with access to vessel systems. Each vendor record includes data processing agreements (DPAs), access scope, renewal dates, and risk ratings. Remote access sessions by vendors are logged with timestamps, user identity, and session duration. Supply chain risk reviews are scheduled and documented. |
| §101.650(g) | Physical security of cyber systems | Compliance Tracker Attestation Workflows Physical security measures for IT and OT equipment are documented through attestation workflows. Server room access controls, cable security, portable media policies, and equipment disposal procedures are tracked as compliance items. Responsible personnel attest to each control on a scheduled basis, creating a timestamped audit trail that demonstrates continuous physical security compliance. |
| §101.650(h) | Incident detection and monitoring | Wazuh SIEM Security Events Wazuh SIEM integration provides continuous security event monitoring across all vessel endpoints and network infrastructure. Security events are collected, correlated, and displayed on the CyberSecurity dashboard. Alert rules are configured for the threat categories most relevant to maritime operations: malware, unauthorised access, data exfiltration, and configuration tampering. Detection capabilities operate 24/7 without manual intervention. |
| §101.655 | Incident reporting and response | Decision Tree NRC Reporting 30-Day Follow-up The incident response module provides a guided decision tree that walks the CySO through classification, containment, and escalation steps. When an incident meets the USCG reporting threshold, the NRC (National Response Center) reporting panel pre-populates required fields and guides the officer through the notification process. A 30-day follow-up tracker ensures the required written report is submitted on time. Every decision, action, and communication is logged as evidence. |
Compliance Workflow
From initial assessment to audit-ready evidence, NCoDE Command provides a structured four-step workflow that transforms USCG cybersecurity requirements from a regulatory burden into an operational capability built into the vessel.
The guided decision tree walks your Cyber Security Officer through a structured assessment of each USCG requirement. The system identifies gaps between your current posture and regulatory expectations, then generates a prioritised remediation plan. Risk scoring uses the 5×5 matrix methodology to ensure critical gaps are addressed first.
When a cybersecurity event occurs, the incident response workflow guides your team through containment, investigation, and recovery steps. Role-based escalation ensures the right people are notified at each stage. Every action is timestamped and logged, creating a defensible record that satisfies both USCG and classification society requirements.
The NRC reporting panel pre-populates Coast Guard notification fields from incident data already in the system. Multi-framework reporting maps a single incident to USCG, IMO MSC-FAL.1/Circ.3, and EU NIS2 requirements simultaneously. The 30-day follow-up report tracker ensures no deadline is missed. All reports are archived with full traceability.
A comprehensive audit trail captures every compliance action, configuration change, training completion, drill execution, and incident response decision. Evidence packages can be generated on demand for Coast Guard inspections, classification society audits, or internal reviews. Continuous monitoring dashboards show real-time compliance posture across all 15 USCG requirements.
Enforcement Reality
The July 2025 effective date is not a future event — it is already in force. Vessels calling at US ports face real consequences for non-compliance.
USCG port state control officers are now authorised to verify cybersecurity compliance during routine and targeted inspections. Vessels that cannot demonstrate compliance with 33 CFR 101 Subpart F risk deficiencies, delays, and in severe cases, detention. Every day in port costs money — a cyber deficiency can ground your vessel until resolved.
By July 2027, every vessel security plan must incorporate cybersecurity provisions that address all 15 requirement areas in Subpart F. NCoDE Command generates the evidence, controls documentation, and compliance records needed to support your plan submission. Starting now gives you 12+ months of operational compliance history to present to the Coast Guard.
The January 2026 training deadline requires documented evidence that all vessel personnel have completed cybersecurity awareness training appropriate to their role. The CySO must hold specific qualifications. NCoDE's Training Matrix and LDAP certificate tracking ensure every crew member's training status is current, documented, and instantly verifiable during inspections.
P&I clubs and charterers are increasingly requiring evidence of cyber compliance as a condition of coverage and charter agreements. USCG compliance is becoming a commercial requirement, not just a regulatory one. Vessels that can demonstrate compliance through NCoDE have a tangible competitive advantage in charter markets and insurance negotiations.
Beyond USCG
USCG 33 CFR 101 does not exist in isolation. Vessels trading internationally face overlapping requirements from IMO, EU NIS2, classification societies, and flag state administrations. NCoDE Command maps controls once and reports across all frameworks.
Full coverage of all 15 cybersecurity requirements including CySO designation, risk assessment, technical controls across seven domains, incident detection, and NRC reporting. NCoDE is purpose-built for this regulation, with every module traceable to a specific CFR section.
The IMO's guidelines on maritime cyber risk management provide the international baseline that the USCG rule builds upon. NCoDE's risk assessment and incident response modules align with IMO's five functional elements: Identify, Protect, Detect, Respond, and Recover.
Maritime transport operators within the EU fall under the NIS2 Directive's essential entities classification. NCoDE's supply chain management, incident reporting, and vulnerability management modules meet NIS2's requirements for risk management measures and incident notification obligations.
Technical Foundation
NCoDE Command is not a checklist tool bolted onto a generic GRC platform. It is a purpose-built vessel management system with deep technical integrations that provide real security controls, not just documentation.
Open-source security event monitoring deployed directly on vessel endpoints. File integrity monitoring, rootkit detection, vulnerability scanning, and Security Configuration Assessment run continuously. Events feed into the CyberSecurity dashboard for real-time threat visibility that satisfies §101.650(h) incident detection requirements.
Direct API integration with Peplink maritime routers provides network segmentation monitoring, traffic analysis, web content filtering, and WAN failover status. NCoDE reads firewall rules, monitors bandwidth allocation between IT and OT zones, and tracks connection priorities across cellular, VSAT, and Wi-Fi interfaces.
Centralised identity management for all vessel personnel. Role assignments, group memberships, certificate records, and access policies are managed through a vessel-local LDAP directory. Account provisioning and deprovisioning are logged and auditable. Password policies and MFA tracking are enforced at the directory level.
The regulatory decision tree guides the CySO through structured workflows for risk assessment, incident classification, and reporting obligations. Each branch point is documented with the relevant CFR section reference. Decisions and outcomes are recorded as audit evidence, creating a defensible record of compliance reasoning.
USCG 33 CFR Part 101 Subpart F is the US Coast Guard's cybersecurity regulation for MTSA-regulated vessels and facilities. It mandates cybersecurity plans, a designated Cybersecurity Officer (CySO), risk assessments, technical controls, crew training, incident reporting to the National Response Center (NRC), and regular drills. The rule took effect July 16, 2025.
A CySO is the designated person responsible for implementing and maintaining the vessel's cybersecurity plan under USCG 33 CFR 101. They must have documented qualifications, complete cybersecurity training, oversee drills, manage incident response, and ensure compliance with all technical control requirements. NCoDE Command tracks CySO designation, qualifications, and training status via LDAP integration.
Cybersecurity plans must be submitted to the Coast Guard by July 16, 2027. However, the rule is already in effect since July 2025, and training requirements began January 2026. Vessels should be actively developing their plans and implementing technical controls now to meet the deadline.
Vessels that fail to demonstrate cybersecurity compliance may face Port State Control deficiencies, operational restrictions, fines, and potential detention. Insurance underwriters are also increasingly requiring evidence of cyber compliance as a condition of coverage. NCoDE Command generates audit-ready evidence packages for USCG examiners.
Cyber incidents affecting vessel safety must be reported to the National Response Center (NRC) at 1-800-424-8802 without unnecessary delay. A written 30-day follow-up report is also required. NCoDE Command includes a guided decision tree that walks crew through incident assessment, automatically generates NRC report forms pre-populated with vessel data, and tracks the 30-day follow-up deadline.
Yes. NCoDE Command simultaneously manages compliance for USCG 33 CFR 101, EU NIS2 Directive (24h/72h/30d CSIRT reporting), and IMO MSC-FAL.1/Circ.3 (SMS chain reporting). A single incident automatically generates reporting deadlines for all applicable frameworks, so vessels operating across US and EU jurisdictions are covered from one platform.
NCoDE Command maps every USCG 33 CFR 101 Subpart F requirement into guided workflows, technical controls, and audit-ready evidence. One platform. 15 requirements. Complete compliance coverage from vessel to shore.