S-4564-119
Read twice and referred to the Committee on Commerce, Science, and Transportation.
Sponsored by Rick Scott (R-FL)
What it does
This bill would require the Secretary of the department housing the Coast Guard, working with the Cybersecurity and Infrastructure Security Agency (CISA), to conduct annual cybersecurity assessments of software and hardware used at regulated maritime facilities — including equipment made by or in foreign countries of concern. It would also require facility owners and operators to submit annual reports identifying any such covered technology, disclose cybersecurity incidents, and certify that their software and hardware meets National Institute of Standards and Technology (NIST) standards. Facilities that cannot certify compliance would be prohibited from using the non-compliant technology unless the Secretary grants a waiver based on low national security risk outweighed by commercial benefit.
Who benefits
U.S. port security broadly, including the roughly 360 commercial ports that handle over $1.5 trillion in annual trade. Domestic technology and hardware manufacturers who compete with foreign-made equipment and could gain market share if foreign-sourced products are restricted. Cybersecurity firms and consultants hired to conduct assessments and remediation. Federal agencies (Coast Guard, CISA) that gain expanded authority and data. Shipping companies and supply chain participants who benefit from reduced risk of cyberattack-induced port disruptions. Communities near ports whose economic activity depends on uninterrupted port operations.
Who is hurt
Owners and operators of covered maritime facilities who would bear the cost of annual reporting, compliance assessments, and potential technology replacement. Facilities currently using hardware or software manufactured in foreign countries of concern (e.g., Chinese-made port cranes, which account for a significant share of U.S. port crane inventory) that may face costly upgrades or replacements. Foreign technology manufacturers and their U.S. distributors who could lose access to the maritime market. Smaller port operators with fewer resources to absorb compliance costs. End users of port services who may face higher fees if compliance costs are passed through.
Supporters argue
Supporters argue that U.S. ports are a critical infrastructure chokepoint — over 90% of U.S. trade moves through them — and that foreign-manufactured equipment, particularly Chinese-made cranes from ZPMC, has already drawn documented national security scrutiny from the FBI and DHS. They contend that annual, government-led assessments fill a gap that voluntary industry practices have left open, and that requiring NIST-standard compliance establishes a clear, internationally recognized baseline that reduces the risk of a cyberattack capable of paralyzing supply chains and causing cascading economic harm.
Opponents argue
Opponents argue that the bill's broad definition of "covered software or hardware" — encompassing any internet-connected technology at a facility that could pose a cybersecurity risk — creates sweeping compliance obligations with significant costs that fall disproportionately on smaller port operators. They contend that the provision allowing the government to conduct assessments without owner consent and notwithstanding end-user licensing agreements raises serious property rights and contractual due process concerns, and that the waiver process gives the Secretary broad, loosely defined discretion that could be applied inconsistently across facilities and administrations.
Constitutional context
The bill rests on Congress's Commerce Clause authority (Art. I, §8, cl. 3), as maritime ports are central nodes of interstate and international commerce — well within the aggregation principle affirmed in Wickard v. Filburn (1942). The provision authorizing government assessments without owner consent and "notwithstanding any other provision of law" could raise Takings Clause questions under the 5th Amendment; Cedar Point Nursery v. Hassid (2021) held that government-mandated physical access to private property constitutes a per se taking, and a similar argument could be raised regarding compelled access to private systems or data.
Checks and balances
The Executive Branch (Coast Guard Secretary and CISA Director) gains new assessment and enforcement authority; Congress checks this through annual reporting requirements to the Senate Homeland Security and Governmental Affairs Committee and the House Homeland Security Committee, and the Secretary's waiver authority is bounded by a statutory two-part test.
Historical precedent
The Maritime Transportation Security Act of 2002 established the existing vulnerability assessment framework this bill amends, and Executive Order 14116 (2024) directed the Coast Guard to address cybersecurity risks from Chinese-manufactured port cranes as a directly analogous prior federal action.