WeVote

Bill

Bill

S 4564

Maritime Cybersecurity Act

119th Congress Introduced by Andy Kim and 1 co-sponsor

The bill requires annual cybersecurity vulnerability assessments of covered software/hardware at designated maritime facilities and annual reporting to Congress.

Introduced in Senate
0
WeVote Research Nonpartisan
Bill Summary · S 4564

Overview

  • Bill: S. 4564, Maritime Cybersecurity Act
  • Session: 119th Congress
  • Introduced: May 19, 2026 by Sen. Scott (FL) and Sen. Kim (NJ). Co-sponsors: Sen. Scott and Sen. Kim.
  • Purpose: Amend title 46, United States Code to require the Secretary (of the department in which the Coast Guard operates) to assess cybersecurity risks of certain software and hardware used in certain maritime facilities, and to establish related reporting, compliance, and coordination provisions.

Main purpose and intent

  • Enhance maritime transportation security by systematically identifying and addressing cybersecurity risks in software and hardware used at designated maritime facilities.
  • Mandate regular cybersecurity vulnerability assessments and reporting to Congress.
  • Create a framework for oversight, compliance, and information sharing to mitigate cyber risks that could affect the marine transportation system and port security.

Key provisions and changes

  • Amends Section 70102 of title 46 to incorporate cybersecurity vulnerability assessment requirements for covered software and hardware.
  • Definitions:
    • Covered facility: A facility described in subsection (b)(1) and subject to certain parts of title 33 (33 U.S.C. parts 105 or 106) (related to port security and maritime facilities).
    • Covered software or hardware: Any software or hardware that connects to the internet or presents a cybersecurity risk, used at a covered facility, used in the marine transportation system, and tied to foreign entities of concern or other high-risk scenarios.
    • Foreign country of concern / foreign entity of concern: As defined in section 10612(a) of the Research and Development, Competition, and Innovation Act.
    • Cybersecurity vulnerability: A weakness that could be exploited by threats affecting software, hardware, or affiliated systems.
  • Cybersecurity vulnerability assessments (new subsection (d)):
    • Mandatory assessments: The Secretary, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency (CISA), must conduct annual assessments of weaknesses and cybersecurity risks in covered software/hardware, starting within one year after enactment.
    • Barriers: Assessments may proceed notwithstanding end-user license agreements or contracts, and may be conducted without consent of facility owners/operators or other parties, to the extent necessary to perform the assessment.
  • Covered facility reports and compliance (new subsection (b)(4)):
    • Timing: Within 180 days after enactment of subsection (d) and annually thereafter, facility owners/operators must submit a report to the Secretary.
    • Contents of the report:
    • Identify covered software/hardware in use or planned for use at the facility, including those manufactured by foreign entities of concern or controlled/operated by such entities, or located in foreign countries of concern.
    • Note any cybersecurity incidents related to transportation security or port security systems, and other cybersecurity risks at the facility.
    • Certification that covered software/hardware used or planned to be used has been assessed for consistency with National Institute of Standards and Technology (NIST) standards or equivalent, and that mitigations have been implemented.
    • Compliance mechanics:
    • Generally, facilities may not use covered software/hardware that cannot certify consistency with NIST/equivalent standards.
    • The Secretary may grant waivers allowing continued use of non-compliant software/hardware if the Secretary determines there is low national-security risk that is outweighed by commercial benefits.
  • Annual congressional reporting (new subsection (e)(3)):
    • The Secretary, in coordination with the Director of CISA, must deliver annual congressional reports detailing:
    • Findings of the latest assessments and reports.
    • Actions taken to mitigate cybersecurity risks.
    • Recommendations to strengthen maritime transportation security related to cybersecurity.
  • Non-disclosure and information sharing:
    • Information gathered through assessments and reports is subject to non-disclosure protections, with coordination provisions to share information with federal entities and other entities under information-sharing agreements for security and risk mitigation purposes.
  • Other definitions (new subsection (e)):
    • Covered facility, covered software or hardware, and cybersecurity vulnerability definitions are codified.
    • Clarifies the scope of “foreign country of concern” and “foreign entity of concern” to align with related law.

Who would be affected

  • Owners and operators of covered facilities (likely certain high-security maritime facilities described in existing port-security statutes) would have new reporting and certification obligations.
  • Private sector suppliers and manufacturers of software/hardware used at covered facilities, especially those with foreign affiliations or origins identified as concerns.
  • Federal entities, notably the Coast Guard and the Cybersecurity and Infrastructure Security Agency (CISA), would coordinate assessments, enforcement, and information sharing.
  • Congress would receive annual reports detailing vulnerabilities, mitigation actions, and policy recommendations.

Procedural and timeline aspects

  • Effective date: Subsection (d) requires initial assessments not later than one year after enactment; annual assessments thereafter.
  • Initial reporting deadline: Within 180 days after enactment of subsection (d) for facility owners/operators to submit their first reports, with annual updates thereafter.
  • Compliance framework: Establishes a standard (NIST or equivalent) for software/hardware security certification; provides a waiver mechanism for national-security–risk–balanced exceptions.
  • Information sharing: Encourages coordination with federal partners and information-sharing agreements to support maritime security and risk mitigation.

Practical impact and considerations

  • Increased scrutiny of cybersecurity in the maritime sector, particularly for facilities using software/hardware with foreign connections or origins of concern.
  • Potential costs for facilities to assess, report, and certify compliance with cybersecurity standards.
  • Enhanced visibility for Congress on maritime cyber risks and resilience needs, informing future policy and security investments.
  • Balancing national security with commercial interests via the waiver process and potential exemptions.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.