When National Cyber Regulation Becomes a Ship Requirement — CIRCIA, the MTSA Cyber Rule, EO 14028 vs. IACS UR E26/E27
When National Cyber Regulation Becomes a Ship Requirement
Three U.S. instruments and one class standard reach the same hull from opposite ends of its life.
- LinkedIn : https://www.linkedin.com/in/abysstoinfinity
A merchant vessel is a single asset, but the rules that govern it are not singular. Three U.S. cybersecurity instruments — CIRCIA, the USCG MTSA Cyber Rule, and Executive Order 14028 — aim at the same hull from three different points, while IACS UR E26/E27 overlaps at the design stage. This piece maps where they meet, where they diverge, and what an owner can reuse.
1. One Ship, Four Regulations Arriving From Different Directions
Looking at the U.S. cybersecurity policy stack alone, three distinct legal instruments aim at the same hull from three different points. Layered above them is a class-driven international standard — IACS UR E26/E27 — that overlaps at the design stage. The key is that each grips a different axis of the ship's life cycle.
An owner calling at U.S. ports under a class notation earned elsewhere sits precisely at the intersection of these four axes.
This piece draws a map of that intersection.
2. Executive Order 14028 — The Force That Pushed the Supply Chain, and Its Retreat
Executive Order 14028 ("Improving the Nation's Cybersecurity") was signed on 12 May 2021, in the immediate wake of the SolarWinds and Colonial Pipeline incidents. It does not regulate ships directly. Instead, using federal procurement as leverage, it was a policy-forcing instrument meant to change the practices of the software supply chain itself. Three concepts sat at its core.
The mechanism was self-attestation. Under OMB Memorandum M-22-18, suppliers selling software to the federal government had to attest to their own SSDF conformance. Yet across 2025–2026 that forcing power was substantially rolled back.
The implication for an owner is paradoxical. The mandate weakened, but the concept had already spread. Even EO 14306 left standing a directive for NIST to develop, with an industry consortium, guidance for secure software development based on SP 800-218. The habit of thinking in SBOMs and vulnerability handling was, by the time EO 14028's obligations loosened, already embedded in vendor practice and in other frameworks — notably the supplier requirements of IACS UR E27. In other words, EO 14028 is now best read not by asking "what does it mandate today," but "what did it make into normal practice."
3. CIRCIA — A Post-Incident Obligation, Still Idling Before Ignition
CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act) was enacted on 15 March 2022, and it is a different creature entirely — a statute imposing a post-incident reporting duty. Across the 16 critical-infrastructure sectors — which include the Transportation Systems sector, within which maritime transport sits — a "covered entity" must report to CISA:
But CIRCIA is not yet in force. The proposed rule was published in April 2024, yet the final rule has slipped repeatedly — from the original statutory deadline of October 2025 to May 2026, and again to a target of September 2026. The core figures, 72 and 24 hours, are not expected to change. Exactly which shipping actors qualify as "covered entities" is a matter the final rule will settle; for now it is a provisional reading against the proposed rule.
For an owner, CIRCIA is less a duty for today than a clock about to start ticking.
4. The USCG MTSA Cyber Rule — A Real, Operative Duty
Of the three U.S. instruments, the one actually in force and operating today is the U.S. Coast Guard's cyber rule. Formally titled "Cybersecurity in the Marine Transportation System," it amends 33 CFR (adding a new Part 101, Subpart F). The final rule was published in the Federal Register on 17 January 2025 and took effect on 16 July 2025. It applies to owners and operators of U.S.-flagged vessels and facilities required to hold a security plan under 33 CFR Parts 104, 105, and 106 — and it expressly states that it does not apply to foreign-flagged vessels.
The implementation clock is phased:
One nuance matters here. When a foreign-flagged vessel calls at a U.S. port, it enters this ecosystem indirectly — through Port State Control and the ISPS regime, and through its points of contact with the regulated U.S. facility — but it is not the addressee of the duty to build its own Cybersecurity Plan. For a foreign-flagged vessel built and registered in Korea or the EU, direct U.S. regulation arrives largely through the facility interface.
5. IACS UR E26/E27 — The Contrasting Axis at Design and Construction
Where the U.S. stack grips procurement, operation, and post-incident reporting, IACS UR E26/E27 grips the opposite end — design and construction. This is not national regulation but a class-driven international standard, and it follows a newbuilding regardless of flag. That is exactly the point at which it fills the gap left by the absence of direct U.S. regulation over foreign-flagged vessels.
Treats the ship as one collective entity
Secure OT/IT integration across the life cycle
Five functions: identify · protect · detect · respond · recover
Third-party suppliers secure & harden integrity
Where the SBOM / vulnerability mindset returns
— now as a supplier requirement
There was a correction to the application date. The requirements were originally slated for ships contracted from 1 January 2024, but extensive revisions superseded the originals, and the standard was settled to apply to new ships contracted for construction on or after 1 July 2024. Mandatory versus non-mandatory scope is divided by ship type and size.
6. Comparison — Four Regulations Along Seven Axes
| Axis | EO 14028 | CIRCIA | MTSA Cyber Rule | IACS UR E26/E27 |
|---|---|---|---|---|
| Unit of regulation | Product / software | Incident (covered entity) | Operating party | Ship / equipment |
| Life-cycle axis | Before it enters the ship | After an incident | During operation | Design & construction |
| Character | Procurement forcing (retreated) | Post-incident reporting | Operational duty | Class technical standard |
| Main trigger | Federal procurement | Incident / ransom payment | 33 CFR security plan | Construction contract date |
| Timing | 2021– (amended 2025–26) | Final rule pending (~Sep 2026) | Effective 16 Jul 2025 | Contracts from 1 Jul 2024 |
| Extraterritorial reach | Indirect, via procurement | U.S. Transportation entities | U.S.-flag only (foreign excluded) | Flag-agnostic, follows newbuildings |
| Enforcing body | OMB / agencies | CISA | USCG | Class (IACS members) |
Scroll horizontally to view the full matrix on narrow screens.
7. Overlap and Divergence — What to Reuse, What to Stand Up Separately
The four regulations are not four separate to-do lists but overlapping layers on the same boundary: the ship.
E26 zone/conduit design → MTSA assessment
One response playbook → MTSA + CIRCIA
Enforcer: OMB · CISA · USCG · class
Trigger & timing differ
Reach: flag-agnostic vs. U.S.-flag only
An equipment SBOM built once serves both EO 14028-style practice and E27. The zone-and-conduit design evidence from E26 can support much of the MTSA Cybersecurity Assessment. But the unit of regulation, the enforcing body, the trigger, and the extraterritorial reach genuinely differ — so the seams must be built deliberately, not assumed.
8. The Owner's Conclusion
The three U.S. instruments and the two IACS standards govern the same ship, from opposite ends of its life and along different axes. An owner who treats them as four separate compliance projects pays three times over and still leaves gaps at the seams. An owner who maps these layers onto a single asset model reuses most of the evidence.
Direct U.S. regulation reaches a foreign-flagged vessel largely only through the facility interface — yet the IACS standard follows that ship, flag notwithstanding, from the design stage onward.
For a foreign-flagged fleet trading in and out of U.S. waters, the thing that sets the de facto cybersecurity baseline may not be national regulation at all — but the class standard. The sharper you read the boundary, the less everyone pays.
Key Sources
· GovInfo — EO 14028 text (12 May 2021); White House & Congress.gov CRS — EO 14306 (6 Jun 2025)
· Davis Wright Tremaine & Wiley — OMB M-26-05 (23 Jan 2026), rescinding software-security attestation requirements
· CISA · Sidley · Congress.gov CRS — CIRCIA (15 Mar 2022) and its NPRM; final rule targeted for September 2026
· Federal Register · eCFR · USCG · Jones Walker — USCG MTS cyber final rule (effective 16 Jul 2025; foreign-flagged vessels excluded)
· IACS · ClassNK · DNV — UR E26/E27 (new ships contracted on/after 1 Jul 2024)
This article is general analysis of a regulatory landscape; the legal obligations of any specific vessel or fleet must be confirmed through the relevant authorities, classification society, and legal counsel.
Owner-side maritime cybersecurity advisor covering IACS UR E26/E27 compliance, zone and conduit design, and OT/IT security architecture for commercial vessels — working across LR, ClassNK, DNV, ABS, and BV newbuilding projects.
⚓ Join the ShipPaulJobs Community
Join →
Comments
Post a Comment