The bill strengthens port cybersecurity and federal oversight to reduce disruption risk to shipping and commerce, but it imposes compliance costs, limits public transparency of vulnerabilities, and creates potential legal conflicts from expanded federal assessment authority.
Port owners/operators, maritime facility staff, and shippers must identify and mitigate cybersecurity weaknesses annually, and the Secretary/CISA can perform timely vulnerability assessments even when contractual limits exist, reducing the risk of cyber incidents that would disrupt shipping, commerce, and supply chains.
State and local governments, Congress, and facility operators get clearer oversight and guidance because the Secretary and CISA must produce annual reports to congressional committees and the bill defines covered facilities and use-case criteria, improving federal transparency and giving operators clearer compliance expectations.
Owners/operators of covered maritime facilities, especially small businesses and local port operators, will face administrative burdens and potential significant costs to meet annual reporting and mitigation certification deadlines and to replace non‑certified software/hardware (unless they obtain a waiver).
State and local governments, facility operators, and the public will have limited access to assessment and report information because those materials are kept nonpublic, reducing external oversight and public accountability of cybersecurity risks.
Small-business owners and vendors may face legal and commercial conflicts because the Secretary's authority to assess systems without owner consent or despite existing contracts could trigger contract disputes, operational disruptions, and litigation.
Based on analysis of 2 sections of legislative text.
Requires DHS annual cybersecurity vulnerability assessments of covered maritime software/hardware and mandates owner/operator reporting and certification.
Official title: Amend title 46, United States Code, to require the Secretary of the department in which the Coast Guard is operating to assess cybersecurity risks of certain software and hardware used in certain maritime facilities, and for other purposes.
Introduced May 19, 2026 by Richard Lynn Scott · Last progress May 19, 2026
Requires the Department of Homeland Security to perform an initial and then annual cybersecurity vulnerability assessment of specified software and hardware used at covered maritime facilities, and requires facility owners/operators to report and certify compliance. Owners/operators must identify covered systems, report incidents and risks, and certify alignment with NIST or equivalent standards; DHS can perform assessments even if end-user license agreements or owner consent would otherwise block access and may waive restrictions for low national-security-risk items.