Department of Homeland Security, United States Coast Guard: Cybersecurity in the Marine Transportation System

B-337400

May 1, 2025

The Honorable Ted Cruz
Chairman
The Honorable Maria Cantwell
Ranking Member
Committee on Commerce, Science, and Transportation
United States Senate

The Honorable Sam Graves
Chairman
The Honorable Rick Larsen
Ranking Member
Committee on Transportation and Infrastructure
House of Representatives

Subject: Department of Homeland Security, United States Coast Guard: Cybersecurity in the Marine Transportation System

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Homeland Security, United States Coast Guard (USCG) titled “Cybersecurity in the Marine Transportation System” (RIN: 1625-AC77). We received the rule on April 16, 2025. It was published in the Federal Register on January 17, 2025. 90 Fed. Reg. 6298. The effective date of the rule is July 16, 2025.

According to USCG, this rule updates its maritime security regulations by establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and facilities subject to the Maritime Transportation Security Act of 2002 regulations. USCG stated that the rule addresses current and emerging cybersecurity threats in the marine transportation system by adding minimum cybersecurity requirements to help detect risks and respond to and recover from cybersecurity incidents. USCG also stated that these include requirements to develop and maintain a Cybersecurity Plan, designate a Cybersecurity Officer, and take various measures to maintain cybersecurity within the marine transportation system. USCG stated further that it is also seeking comments on a potential delay for the implementation periods for U.S.-flagged vessels.

Enclosed is our assessment of USCG’s compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.

Shirley A. Jones
Managing Associate General Counsel

Enclosure

ENCLOSURE

REPORT UNDER 5 U.S.C. § 801(a)(2)(A) ON A MAJOR RULE
ISSUED BY THE
DEPARTMENT OF HOMELAND SECURITY,
UNITED STATES COAST GUARD
TITLED
“CYBERSECURITY IN THE MARINE TRANSPORTATION SYSTEM”
(RIN: 1625-AC77)

(i) Cost-benefit analysis

The Department of Homeland Security, United States Coast Guard (USCG) estimates the total costs of this rule to be approximately $1,245,594,930 over a 10-year period of analysis, using a 2-percent discount rate. 90 Fed. Reg. 6298, 6346 (Jan. 17, 2025). USCG also estimates the annualized cost of the rule to be approximately $138,667,759, using a 2-percent discount rate. USCG stated that it is not able to quantify and monetize the benefits of the rule. 90 Fed.
Reg. at 6415. However, USCG provided a qualitative analysis of the benefits which included, for example, the reduction in the probability of a cyber incident and, if an incident occurs, improvement in the mitigation of its impacts. 90 Fed. Reg. at 6416.

(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603–605, 607, and 609

USCG stated that it cannot certify that this rule will not have a substantial impact on small entities. 90 Fed. Reg. at 6427. Accordingly, USCG prepared a Final Regulatory Flexibility Analysis for the rule. 90 Fed. Reg. at 6427–6444.

(iii) Agency actions relevant to sections 202–205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532–1535

USCG determined that this rule will result in private sector expenditures of approximately $178,717,861, (in undiscounted 2022 dollars), during the most cost-intensive year. 90 Fed. Reg. at 6446. USCG stated that the regulatory analysis prepared in conjunction with the rule satisfies the Act’s requirements. Id.

(iv) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.

On February 22, 2024, USCG issued a proposed rule. 89 Fed. Reg. 13404. USCG stated that they received comments on the proposed rule, which they summarized and responded to in the preamble of the rule. 90 Fed. Reg. at 6299, 6306.

Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501–3520

USCG determined that this rule contains information collection requirements under the Act. 90 Fed. Reg. at 6444.

Statutory authorization for the rule

USCG promulgated this rule pursuant to section 1333 of title 43 and sections 3306, 3703, 70102 through 70104, and 70124 of title 46, United States Code.

Executive Order No. 12866 (Regulatory Planning and Review)

USCG stated that the Office of Management and Budget has designated this rule as a significant regulatory action, as defined under the Order. 90 Fed. Reg. at 6343.

Executive Order No. 13132 (Federalism)

USCG determined that this rule does not have federalism implications. 90 Fed. Reg. at 6445.