Who Needs Maritime Cybersecurity Training Under 33 CFR 101 Subpart F?

Feb 23 / Jessica Whipple
The U.S. Coast Guard’s cybersecurity regulations (33 CFR Part 101 Subpart F) establish mandatory cybersecurity training requirements for certain maritime organizations.

If your vessel or facility is required to maintain a security plan under any of the following, the cybersecurity training requirements apply to you:

  • 33 CFR Part 104 (Vessels)
  • 33 CFR Part 105 (Facilities)
  • 33 CFR Part 106 (OCS Facilities)


But who exactly needs training? And does everyone need the same type?

Let’s break it down.

1️⃣ Who Needs Cybersecurity Awareness Training?

Short Answer: 
All personnel with unescorted access to IT or OT systems — regardless of where they are physically located.

This includes:

  • Full-time employees
  • Part-time employees
  • Temporary workers
  • Contractors


This requirement is not limited to personnel physically working on the vessel or at the facility. It may also include:

  • Corporate or headquarters (HQ) personnel
  • Shoreside support staff
  • Remote IT personnel
  • Centralized network administrators
  • Shared services teams
  • Third-party service providers


If someone has access to your systems, they likely require training.
What Counts as “Access”?
Under Coast Guard guidance, access includes both logical and physical access to IT or OT systems.

  • Logical access includes logging into networks, remote/VPN access, administrative privileges, or managing systems that support a regulated vessel or facility.


  • Physical access includes entering spaces that house IT or OT equipment, accessing control rooms, or connecting devices such as laptops or USB drives.

Personnel with unescorted physical or logical access to regulated systems are considered to have access — and cybersecurity training requirements likely apply.
What Must Awareness Training Cover?
Personnel with access must receive training on:

  • Recognition and detection of cybersecurity threats and all types of cyber incidents → 33 CFR 101.650(d)(1)(ii)
  • Techniques used to circumvent cybersecurity → 33 CFR 101.650(d)(1)(iii)
  • Procedures for reporting a cyber incident to the Cybersecurity Officer (CySO) (once CySO is designated) → 33 CFR 101.650(d)(1)(iv)
  • OT-specific cybersecurity training for all personnel whose duties include using OT → 33 CFR 101.650(d)(1)(v)
  • Relevant provisions of the Cybersecurity Plan (once plan is approved) → 33 CFR 101.650(d)(1)(i)

Our Maritime Cybersecurity Awareness Training is designed to align with the general awareness requirements of 33 CFR 101.650(d)(1)(ii)–(iv)*.

*Note: Cybersecurity Plan provisions are entity-specific and must be provided by the regulated vessel or facility. OT-specific cybersecurity training is delivered through a separate module outlined in the next section.

2️⃣ Who Needs OT-Specific Cybersecurity Training?

Short Answer:
Personnel whose duties include using Operational Technology (OT).


Not everyone needs the OT module — but many operational personnel do.
What Is Operational Technology (OT)?
OT includes systems that interact with or control the physical environment, such as:

  • Engine control systems
  • Cargo handling systems
  • Ballast systems
  • SCADA systems
  • Control room systems
  • Industrial automation systems
  • Machinery monitoring systems


If a system affects physical operations, it likely qualifies as OT.
Who Typically Needs OT Training?
Examples include:

  • Engineers
  • Machinery operators
  • Control room operators
  • Maintenance technicians
  • Terminal automation operators
  • OT system administrators


OT training should focus on:

  • Specific OT systems in use at your vessel or facility
  • Secure physical access to OT environments
  • Recognizing abnormal OT system behavior
  • OT-specific threat techniques (e.g., malware introduced via USB, remote manipulation risks)


If someone operates, maintains, or directly interacts with OT systems, they need this module.
Our Cybersecurity for Operational Technology module is designed to meet this requirement.

3️⃣ Who Needs “Key Personnel” Cybersecurity Training?

Short Answer:
Some personnel — typically those with elevated access, cybersecurity oversight, or incident response responsibilities — require additional role-based training.

These are referred to as Key Personnel under 33 CFR 101.650(d)(2).
Who Qualifies as Key Personnel?
The owner or operator determines who qualifies, but generally this includes individuals who:

  • Are directly involved in cyber incident response
  • Have cybersecurity oversight responsibilities
  • Have elevated system access or administrative privileges
  • Are responsible for the Cybersecurity Plan
  • Oversee IT or remotely accessible OT systems
Examples of Key Personnel
Owners/operators are expected to document how they define Key Personnel within their organization.

Examples may include:

  • Company leadership
  • Company Security Officer (CSO)
  • Facility Security Officer (FSO)
  • Vessel Security Officer (VSO)
  • Cybersecurity Officer (CySO)
  • IT administrators
  • Network administrators
  • OT engineers with elevated privileges
Additional Training Required for Key Personnel
In addition to standard awareness training, Key Personnel must receive training on:

  • Roles and responsibilities during a cyber incident and response procedure → 33 CFR 101.650(d)(2)(i)
  • Maintaining current knowledge of changing cybersecurity threats and countermeasures → 33 CFR 101.650(d)(2)(ii)


They must also complete any OT-specific training if applicable.
Our Cybersecurity for Key Personnel training is specifically developed to address the role-based requirements of 33 CFR 101.650(d)(2).

4️⃣ What About Contractors and Third Parties?

Contractors with unescorted system access must also be trained.

If contractors are not trained, they must:

  • Be physically escorted or monitored, or
  • Be remotely “escorted” under strict control measures


Untrained personnel cannot have unrestricted access to IT or OT systems.
Can Contractors Use Their Own Cybersecurity Training?
Yes. Contractors and third-party personnel do not have to take the vessel or facility’s internal training — as long as they receive the required regulatory topics for their role and level of access.

Contractors may:

✅ Take the owner/operator’s training
✅ Complete their own company’s training
✅ Use a combination of both

The key requirement is that their training covers all applicable topics under 33 CFR 101.650(d), including:

  • General awareness training
  • OT-specific training (if they use OT systems)
  • Key Personnel training (if applicable)


The regulated vessel or facility remains responsible for ensuring the training meets the regulatory requirements.

5️⃣ Quick Reference Summary

The table below provides a general illustration of how training requirements may apply to different roles.

⚠️ Important: This is for example purposes only.
Each owner/operator must determine training requirements based on:

  • The individual’s actual system access
  • Their job duties
  • Whether they interact with OT systems
  • Whether they qualify as Key Personnel
  • The organization’s documented definitions and risk profile


Final determinations must align with 33 CFR 101.650(d) and applicable Coast Guard guidance.

| Role | Awareness Training | OT-Specific Module | Key Personnel Module |
| --- | --- | --- | --- |
| Office staff with IT access | ✅ Yes | ❌ No | ❌ No |
| Engineer using OT systems | ✅ Yes | ✅ Yes | Possibly |
| IT Administrator | ✅ Yes | If using OT | ✅ Yes |
| Cybersecurity Officer (CySO) | ✅ Yes | If using OT | ✅ Yes |
| Contractor with system access | ✅ Yes | If using OT | Possibly |

At-a-Glance Summary
If someone has:

✔ IT access → Awareness Training

✔ OT access → Awareness + OT Training

✔ Incident response or elevated privileges → Awareness + Key Personnel (and OT if applicable)
Remember: Titles Don’t Determine Training — Access Does
Two people with the same job title may have different training requirements depending on:

  • System permissions
  • Physical access
  • Operational responsibilities
  • Cyber incident roles
  • Owner/operator designation

Training decisions must be documented and defensible under 33 CFR 101 Subpart F.

6️⃣ Training Requirements & Ongoing Compliance

The January 12, 2026 initial training deadline has passed.

Organizations subject to 33 CFR 101 Subpart F should now be operating under ongoing compliance requirements.

Cybersecurity training is not a one-time event — it is continuous.
🔁 Annual Training Requirement
All personnel with unescorted access to IT or OT systems must complete cybersecurity training:

  • At least annually, and
  • Whenever required to address updated threats, systems, or responsibilities.


Key Personnel must also maintain current knowledge of evolving cybersecurity threats and countermeasures as part of their ongoing obligations.
👤 New Personnel
Newly hired personnel must complete required training:

  • Within 5 days of gaining system access,
  • But no later than 30 days after hiring,
  • And annually thereafter.
💻 New IT or OT Systems
When new IT or OT systems are introduced, personnel who will use those systems must complete applicable training:

  • Within 5 days of gaining access to the new system,
  • And continue with annual training thereafter.


Cybersecurity training must also be properly documented and maintained for Coast Guard inspection.

Compliance is not optional — and maintaining current, documented training is essential to meeting regulatory obligations.

7️⃣ Applying the Requirements to Your Organization

If your organization maintains a security plan under 33 CFR Parts 104, 105, or 106, your personnel likely fall into one of these categories.

The regulation itself provides the framework — but applying it correctly requires careful consideration of:

  • Your operational structure
  • Your IT and OT environment
  • Levels of system access
  • Contractor involvement
  • How you define and document Key Personnel
  • The scope of your Cybersecurity Plan


Training determinations are based on actual access and responsibilities — not just job titles. Two individuals with the same title may require different training depending on their role and system privileges.

Clear documentation and defensible reasoning are essential to maintaining compliance under 33 CFR 101 Subpart F.

Misclassifying personnel can create compliance gaps. Over-classifying can create unnecessary burden.
Need More Help?
Understanding the rule is one thing. Implementing it correctly — and defensibly — is another.

If you would like assistance reviewing your training classifications, evaluating contractor training alignment, or ensuring your program meets regulatory expectations, we’re available to help.

We regularly work with vessel operators and facility owners to interpret and apply Coast Guard requirements in a practical, operationally realistic way.

Feel free to contact us to discuss your organization’s training approach or determine the right path forward.
Ready to Meet the Requirement?
Our training modules are built specifically to align with 33 CFR 101 Subpart F:



If you're ready to implement compliant training, explore our courses or contact us to discuss licensing and seat management options.