MTS CYBER Act of 2026

This Act may be cited as the Marine Transportation System Cybersecurity Budget and Evaluation Report Act of 2026 or the MTS CYBER Act of 2026.

Congress finds the following:

(1) Maritime trade is essential to America’s economic stability, supporting $2,100,000,000,000 in economic activity, or 41.5 percent of the global trade value of the United States.

(2) The increasing frequency and severity of cyber threats to the marine transportation system (hereinafter referred to as MTS) presents economic and national security risks.

(3) The Department of Homeland Security and the Department of Transportation are designated as co-Sector Risk Management Agencies (hereinafter referred to as SRMAs) for the MTS under Presidential Policy Directive 21, with further delegation of responsibilities to agencies such as the Coast Guard and the Transportation Security Administration as outlined in implementing documents.

(4) Executive Order 14116, issued by President Biden in February 2024, expands the United States Coast Guard’s regulatory authorities to strengthen MTS cybersecurity.

(5) The Coast Guard issued a final cybersecurity rule, Cybersecurity in the Marine Transportation System, establishing mandatory incident reporting for regulated entities, significantly expanding the Coast Guard’s cybersecurity oversight responsibilities.

(6) Through the Investing in America Agenda, the Biden administration dedicated $20,000,000,000 for United States port infrastructure, but it fails to specify cybersecurity-specific spending allocations to provide the Coast Guard with adequate resources and funding.

(7) The Coast Guard remains underfunded and understaffed for the purpose of sector risk management.

(8) The ability of the Coast Guard to fulfill SRMA duties is contingent upon adequate budgetary resources and a healthy workforce.

(9) A Government Accountability Office audit is necessary to assess the budget and capabilities of the Coast Guard as an SRMA to ensure it can fulfill responsibilities for protecting the MTS against cyber threats.

Not later than 270 days after the date of enactment of this Act, the Comptroller General of the United States shall conduct a review to assess the funding and resource needs of the Coast Guard to fulfill the SRMA responsibilities of the Coast Guard, including—

(1) an evaluation of the sufficiency of Coast Guard funding for the sector risk management responsibilities, including funding for cybersecurity personnel, training, and enforcement, in light of statutory requirements under section 9002 of the National Defense Authorization Act for Fiscal Year 2021 and additional requirements in Presidential Policy Directive 21;

(2) the ability of Coast Guard personnel to evaluate compliance with cybersecurity requirements for regulated entities; and

(3) the sufficiency of guidance provided to industry stakeholders on implementing and complying with cyber regulations, assessed against applicable statutory requirements, Federal regulatory benchmarks, and widely recognized industry best practices for maritime cybersecurity.

The Comptroller General shall submit the findings and recommendations from the review required under subsection (a) to—

(1) the Committee on Commerce, Science, and Transportation, the Committee on Appropriations, and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(2) the Committee on Transportation and Infrastructure, the Committee on Appropriations, and the Committee on Homeland Security of the House of Representatives.

In this Act:

The term marine transportation system means navigable waterways, ports, terminals, intermodal connections, vessels, and related infrastructure that facilitate the movement of goods and people by water.

The term Sector Risk Management Agency or SRMA has the meaning given the term Sector Risk Management Agency in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).