Maritime Cybersecurity Act

Rick Scott

Republican · FL · Senator

Source: Congress.gov · FEC

• Andy Kim (D-NJ)Original· 2026-05-19

Read twice and referred to the Committee on Commerce, Science, and Transportation.

2026-05-19

Source: Congress.gov

The Coast Guard would be required to evaluate the cybersecurity risks of software and hardware used at important maritime facilities like ports and shipping terminals to identify potential vulnerabilities that hackers could exploit. This assessment would help protect critical infrastructure that millions of Americans depend on for trade, transportation, and national security. The bill is currently under review by the Senate Commerce Committee.

AI-assisted summary generated from the official bill metadata (title, subjects, actions) sourced from Congress.gov. Cached and reviewed. Always verify against the official text linked below.

[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [S. 4564 Introduced in Senate (IS)] <DOC> 119th CONGRESS 2d Session S. 4564 To amend title 46, United States Code, to require the Secretary of the department in which the Coast Guard is operating to assess cybersecurity risks of certain software and hardware used in certain maritime facilities, and for other purposes. _______________________________________________________________________ IN THE SENATE OF THE UNITED STATES May 19, 2026 Mr. Scott of Florida (for himself and Mr. Kim) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation _______________________________________________________________________ A BILL To amend title 46, United States Code, to require the Secretary of the department in which the Coast Guard is operating to assess cybersecurity risks of certain software and hardware used in certain maritime facilities, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Maritime Cybersecurity Act''. SEC. 2. CYBERSECURITY VULNERABILITY ASSESSMENTS OF CERTAIN MARITIME FACILITY SOFTWARE AND HARDWARE. Section 70102 of title 46, United States Code, is amended-- (1) in subsection (b)-- (A) in paragraph (1)(C), by inserting ``(including, with respect to covered facilities, cybersecurity risks of covered software or hardware as provided under subsection (d)(1))'' after ``cybersecurity risks''; (B) in paragraph (3), by inserting before the period ``, except that, for covered facilities, the Secretary shall annually update each such vulnerability assessment with respect to the identification of weaknesses in security and cybersecurity risks of covered software or hardware in accordance with subsection (d)(1)''; and (C) in paragraph (4)-- (i) by striking ``In lieu'' and inserting ``(A) Except as provided in subparagraph (B), in lieu''; and (ii) by adding at the end the following: ``(B) In the event that the Secretary accepts an alternative assessment described in subparagraph (A) for a covered facility, the Secretary shall still conduct an assessment under paragraph (1) of weaknesses in security and cybersecurity risks of covered software or hardware used at the facility in accordance with subsection (d)(1).''; and (2) by adding at the end the following: ``(d) Assessing Cybersecurity Risks of Covered Software or Hardware.-- ``(1) Assessments.-- ``(A) In general.--Not later than 1 year after the date of enactment of this subsection, and annually thereafter, the Secretary, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall conduct an assessment under subsection (b)(1) with respect to weaknesses in security and cybersecurity risks of covered software or hardware. ``(B) Reducing barriers.--The Secretary may conduct an assessment under this paragraph-- ``(i) notwithstanding any provision of an end user licensing agreement or other contract that would otherwise hinder such assessment; and ``(ii) without obtaining the consent of any owner or operator of a covered facility, or any other person, notwithstanding any other provision of law. ``(2) Covered facility reports and compliance.-- ``(A) In general.--Not later than 180 days after the date of enactment of this subsection, and annually thereafter, the owner or operator of a covered facility shall submit a report to the Secretary that-- ``(i) identifies-- ``(I) any covered software or hardware that-- ``(aa) the owner or operator is using, plans to use, or during the previous year used at the facility; and ``(bb) was manufactured-- ``(AA) by a foreign entity of concern or a foreign country of concern; ``(BB) by a company controlled or operated by a foreign entity of concern or a foreign country of concern; or ``(CC) in a foreign country of concern; ``(II) any instance with respect to…

the facility of a cybersecurity risk resulting in a transportation security incident involving the marine transportation system or any port security system; and ``(III) any other cybersecurity risk with respect to the facility, without regard to whether the risk resulted in a transportation security incident; and ``(ii) except as provided under subparagraph (B)(ii), certifies that any covered software or hardware that the owner or operator is using, plans to use, or during the previous year used has been assessed for consistency with standards of the National Institute of Standards and Technology or equivalent standards within the previous year and the owner or operator has mitigated against any inconsistencies with such standards. ``(B) Compliance.-- ``(i) In general.--Except as provided in clause (ii), the owner or operator of a covered facility may not use any covered software or hardware described in subparagraph (A)(ii) for which it cannot certify consistency with standards of the National Institute of Standards and Technology or equivalent standards. ``(ii) Waiver process.--The Secretary may issue a waiver to allow an owner or operator of a covered facility to use covered software or hardware for which it cannot certify consistency with standards of the National Institute of Standards and Technology or equivalent standards if the Secretary determines that there is low risk to national security which is outweighed by the benefit to commerce. ``(3) Annual reports to congress.--Not later than 1 year after the date of enactment of this subsection, and annually thereafter, the Secretary, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall provide a report, to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives, on-- ``(A) the findings of the most recent assessment under paragraph (1); ``(B) the findings of the most recent reports under paragraph (2); ``(C) any actions taken by the Secretary, or the Director of the Cybersecurity and Infrastructure Security Agency, to mitigate cybersecurity risks with respect to covered software or hardware; and ``(D) any recommendations to Congress on strengthening maritime transportation and port security with respect to cybersecurity risks of covered software or hardware. ``(4) Nondisclosure.--Subject to paragraph (5), information in any assessment or report under this subsection shall not be disclosed to the public, pursuant to section 552(b)(3) of the United States Code. ``(5) Coordination.--The Secretary shall coordinate, as appropriate, with Federal entities, and any other entities that have an agreement in effect with the Secretary for the sharing of information, to make information compiled by the Secretary under this subsection available to such entities for the purposes of maritime transportation security, cybersecurity risk mitigation, or compliance assistance related to covered facilities or covered software or hardware. ``(e) Definitions.--In this section: ``(1) Covered facility.--The term `covered facility' means a facility-- ``(A) that is described in subsection (b)(1); and ``(B) to which part 105 or 106 of title 33, Code of Federal Regulations (or successor regulations), applies. ``(2) Covered software or hardware.--The term `covered software or hardware' means any software or hardware that-- ``(A) connects to the internet or otherwise poses a cybersecurity risk; ``(B) is used at a covered facility; and ``(C) is used in-- ``(i) the marine transportation system, including in a crane manufactured-- ``(I) by a foreign entity of concern or a foreign country of concern; ``(II) by a company controlled or operated by a foreign entity of concern or a foreign country of concern; or ``(III) in a foreign country of concern; or ``(ii) a business system that, if compromised or exploited, could result in a transportation security incident; ``(iii) a system whose ownership, operation, maintenance, or control is delegated wholly or in part to any other party; or ``(iv) any other maritime infrastructure determined by the Secretary to be a high cybersecurity risk to the security of any covered facility or to maritime transportation security. ``(3) Cybersecurity vulnerability.--The term `cybersecurity vulnerability' means a characteristic or specific weakness that renders software or hardware or affiliated systems open to exploitation by a given threat or susceptible to a given hazard. ``(4) Foreign country of concern; foreign entity of concern.--The terms `foreign country of concern' and `foreign entity of concern' have the meanings given such terms in section 10612(a) of the Research and Development, Competition, and Innovation Act (42 U.S.C. 19221(a)).''. <all>

• S4663A bill to appropriate sums for the Secretary of Agriculture to provide block grants to States for losses of revenue as a consequence of certain freezes or cold weather conditions.
  Referred to Committee · 2026-06-02
• SRES749A resolution designating May 2026 as "Older Americans Month".
  Introduced · 2026-05-21
• S4601Chinese CBDC Prohibition Act of 2026
  Referred to Committee · 2026-05-20
• S4586Blocking CCP Spy Tech Act of 2026
  Referred to Committee · 2026-05-20