GAO Finds Gaps in USCG’s Oversight of Cybersecurity for Maritime Sector

USCG inspectors engine control room — USCG inspects vessels and marine operators including assessments on cybersecurity (USCG)

The U.S. Coast Guard needs to address additional issues in its efforts to ensure the cybersecurity of U.S. flagged vessels as well as ports and other facilities in the maritime transport system reports the U.S. Government Accountability Office. In a newly released audit, the GAO finds issues with record keeping, alignment with national security considerations, and efforts to ensure the competencies needed to address cybersecurity risks.

Aware of cyber dangers and the continuing concerns raised in Congress and elsewhere about Chinese-made cargo cranes, the Biden administration in 2024 directed the Coast Guard to take steps to enhance cybersecurity and reporting especially from ports. USCG released in January 2025 updated rules for cybersecurity in the marine transportation system.

The FY2023 National Defense Authorization Act included a provision for the GAO to review cybersecurity risks to the maritime transport system, including vessels and facilities. GAO reports it analyzed data on cybersecurity risks, statutes and regulations, and the Coast Guard documentation and inspection data from 2019 through June 2024. Based on its findings, the GAO is making five recommendations to be addressed by the USCG command.

The report highlights that owners and operators of U.S. maritime facilities and vessels rely on systems that are connected to internal and external networks and that they face heightened cybersecurity risks. They note that ports have been affected by cyber incidents and that the potential impacts of future incidents could be severe.

“The Coast Guard provided guidance for and inspects facilities and vessels that are subject to cybersecurity-related requirements,” they write in the report. “But it can’t readily access complete information on these inspection results – which can make oversight harder.”

The GAO found that the Coast Guard cannot readily access complete information on inspection results specific to cybersecurity from its system of records. They recommend updating the system to provide ready access to complete information on all cybersecurity-related deficiencies. GAO says this would provide better oversight and position the service to prevent cyberattacks.

They also concluded the USCG cyber strategy did not fully address all the key characteristics needed for an effective national strategy. Other issues included not fully addressing leading practices to ensure its cyber workforce has the competencies needed to address risks. They write that the USCG has not fully assessed and addressed competency gaps for its cyber workforce.

The GAO report details its five recommendations to address these issues within USCG. They also note that the Department of Homeland Security, of which USCG has been a part since 2003, concurred with GAO's cybersecurity recommendations.