Maritime Cybersecurity Act
Sponsored By: Senator Scott, Rick [R-FL]
Introduced
Summary
Strengthen federal cybersecurity oversight of maritime facility software and hardware. The Maritime Cybersecurity Act would require the department housing the Coast Guard to run coordinated risk and vulnerability assessments, set an annual review process, and require reporting and mitigation for software and devices used at covered ports and high-risk maritime sites.
Show full summary
- Port and facility operators: would need to identify covered software and hardware within 180 days, certify assessments against National Institute of Standards and Technology (NIST) or equivalent standards, and provide annual updates on findings and fixes.
- Vendors and supply chains: would face disclosure rules about products made by foreign entities or countries of concern and could be subject to waivers only when low national security risk is outweighed by commercial benefits.
- Federal partners and Congress: the secretary would coordinate annual vulnerability assessments with the Cybersecurity and Infrastructure Security Agency, share compiled findings with federal partners under nondisclosure protections, and送 deliver an annual report to Congress with mitigation actions and recommendations.
Your PRIA Score
Personalized for You
How does this bill affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this bill and every other piece of legislation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Bill Overview
Analyzed Economic Effects
3 provisions identified: 0 benefits, 1 costs, 2 mixed.
Port operators must report cyber risks
If enacted, each owner or operator of a covered facility would have to file a report to the Secretary within 180 days and then every year. The report would list covered software and hardware used or planned, say if items were made or controlled by a foreign country or entity of concern, and describe any cybersecurity risks or incidents. Owners would also have to certify that such software and hardware were assessed against NIST or equivalent standards in the past year and that problems were mitigated, unless the Secretary grants a waiver for low national security risk weighed against commerce benefits.
Federal port cybersecurity assessments
If enacted, the Secretary (with CISA) would assess cybersecurity weaknesses in software and hardware at covered maritime facilities within 1 year and every year after. The Secretary could run those assessments even if contracts or licensing terms or owner consent say otherwise. The Secretary must still do the federal assessment if an alternative assessment is accepted, and must update facility vulnerability assessments each year. Assessment information would be shared with federal partners for security work and would be withheld from public disclosure under existing exemptions.
Which maritime facilities and systems are covered
If enacted, the bill would define key terms for the program. It would define "covered facility" as facilities subject to certain port security rules and would define "covered software or hardware" to include internet-connected or other systems that pose cybersecurity risks in the marine transportation system or other high-risk maritime infrastructure. It would also define "cybersecurity vulnerability" and adopt existing statutory meanings for foreign countries and entities of concern.
Sponsors & CoSponsors
Sponsor
Scott, Rick [R-FL]
FL • R
Cosponsors
Sen. Kim, Andy [D-NJ]
NJ • D
Sponsored 5/19/2026
Roll Call Votes
No roll call votes available for this bill.
View on Congress.gov