The maritime industry is undergoing its most significant regulatory shift in decades. Under 33 CFR Part 101, Subpart F, the U.S. Coast Guard has elevated cybersecurity to a mandatory pillar of maritime security. For vessel and facility operators, compliance is no longer a “best practice”; it is a legal requirement with strict deadlines for cybersecurity training, assessments, audits, incident response plans, and formal Cybersecurity Plans (CSP).
Armexa helps maritime organizations navigate this transition by bridging the gap between high-level federal mandates and the complex reality of Operational Technology (OT). We don’t just help you check a box; we provide the engineering expertise and risk-based strategies needed to protect your “as-built” infrastructure from evolving cyber threats while ensuring full MTSA compliance.
Our Approach
The 3D Maritime Assessment Model:
Armexa utilizes our proven, three-dimensional approach to identify vulnerabilities, quantify risk, and build a defensible security posture tailored to the maritime environment.
Dimension 1: Validated System Design Review
Many compliance failures stem from limited system visibility. In a Validated System Design Review (VSDR), we conduct a deep-dive analysis of your actual network architecture by gathering data directly from the environment. This allows us to validate asset inventories, map data flows, and uncover hidden vulnerabilities across OT and IT systems.
Dimension 2: Maturity & Gap Assessment
We benchmark your cybersecurity program against Subpart F requirements and recognized standards such as NIST CSF and ISA/IEC 62443. This Maturity & Gap Assessment clearly identifies where Facility or Vessel Security Plans (FSP/VSP) may fall short of current Coast Guard mandates.
Dimension 3: Consequence-Based Risk Assessment
Risk is often confused with vulnerabilities or gaps—but they are not the same. Using our proprietary CyberHAZOP™ and CyberBowtie™ methodologies, we shift the focus from theoretical threats to operational consequences. We identify cyber events that could lead to a Transportation Security Incident (TSI), enabling you to prioritize the most critical safeguards.
Plans and Exercises:
Beyond assessment, Armexa supports full MTSA implementation by delivering the documentation, governance, and validation activities required by the U.S. Coast Guard. Our approach is designed to make compliance sustainable, auditable, and operationally effective.
Plan Development: Cybersecurity Plans (CSPs) & Incident Response Plans (IRPs)
All plans are aligned with NVIC 02‑24 and fully integrated into existing FSPs or VSPs. Deliverables include clearly defined roles, responsibilities, escalation paths, and interfaces between cybersecurity, operations, and security management.
Drills and Exercises
Armexa designs and facilitates realistic cybersecurity drills and tabletop exercises that directly leverage the findings from your assessments and plans. These exercises test the organization’s ability to detect, respond to, and recover from simulated cyber incidents—while producing documented evidence suitable for inspections and audits.
Mandatory Training:
Armexa delivers practical, MTSA‑aligned cybersecurity training designed specifically for maritime facilities and vessels. Our training translates Subpart F requirements into clear, operationally relevant guidance that personnel can apply in real environments, not abstract IT scenarios.
Our role‑based curriculum supports:
- Facility and Vessel Security Officers (FSOs/VSOs)
- Cybersecurity and IT personnel
- Engineers and OT practitioners
- Operational and support staff
Training focuses on building foundational awareness, clarifying regulatory responsibilities, and reinforcing how cybersecurity failures can escalate into Transportation Security Incidents (TSIs).
Developed by OT cybersecurity practitioners with real maritime experience, Armexa’s training reflects actual system architectures and operational constraints. Content is available as general awareness or role‑specific modules, delivered via LMS and offered as standardized courses or customized to facility‑ or vessel‑specific environments, helping organizations meet MTSA training mandates while strengthening day‑to‑day cyber resilience.
Results and Benefits
By partnering with Armexa, maritime operators move from reactive “firefighting” to a proactive, resilient security culture.
- Regulation Compliance: Ensure your facility or vessel meets all Subpart F requirements, avoiding operational delays, fines, or denial-of-entry by the Coast Guard.
- Operational Resilience: Minimize the risk of downtime caused by ransomware or system failures by securing the OT systems that control your actual operations.
- Optimized Security Spending: By using a consequence-based approach, we ensure your budget is spent on the 20% of controls that mitigate 80% of your operational risk.
- Executive-Level Clarity: Our visual risk models (CyberBowtie™) translate complex technical vulnerabilities into clear operational impacts that executive leadership and stakeholders can understand.
- Audit Readiness: Receive a comprehensive “compliance package” including validated network diagrams, asset inventories, and documented drill results, making USCG inspections seamless.
Is your facility ready for the next Coast Guard inspection? Contact Armexa today to schedule your initial MTSA Gap Analysis and turn regulatory pressure into a competitive advantage for your operations.