Coast Guard: Additional Efforts Needed to Address Cybersecurity Risks to the Maritime Transportation System
Fast Facts
Owners and operators of U.S. maritime facilities and vessels rely on systems that are connected to internal and external networks—including the internet. These facilities and vessels face heightened cybersecurity risks from certain nations and transnational criminal organizations.
The Coast Guard provides guidance for and inspects facilities and vessels that are subject to cybersecurity-related requirements.
But it can't readily access complete information on these inspection results—which can make oversight harder. We made 5 recommendations to address this and other issues we found.
Engine Control Room of a Modern Cruise Ship
Highlights
What GAO Found
The Maritime Transportation System (MTS) faces significant and increasing cybersecurity risks including:
- Threat actors. China, Iran, North Korea, Russia, and transnational criminal organizations pose the greatest cyber threats to the MTS.
- Vulnerabilities. MTS facilities and vessels increasingly rely on technology that is vulnerable to cyberattacks.
- Impacts. According to federal and nonfederal officials, cyber incidents have affected port operations, and the potential impacts of future incidents could be severe.
To help address these risks, the Coast Guard assists MTS owners and operators through offering direct technical assistance, providing voluntary guidelines for implementing cybersecurity practices, and sharing cyber threat information. The service also provides oversight through facility and vessel inspections, including the identification and documentation of cybersecurity-related deficiencies. However, Coast Guard cannot readily access complete information on inspection results specific to cybersecurity from its system of record (Marine Information for Safety and Law Enforcement). Updating its system to provide ready access to complete information on all cybersecurity-related deficiencies would help the Coast Guard better provide oversight of owners and operators and help position the service to prevent cyberattacks that could impact the MTS.
Although the Coast Guard developed a cyber strategy to address MTS cybersecurity risks, it did not fully address all of the key characteristics needed for an effective national strategy. Specifically, the cyber strategy fully addressed the key characteristic related to purpose, scope, and methodology, but did not fully address the other four characteristics, as shown in the table below. Addressing all of the key characteristics would better position the Coast Guard to ensure its actions and resources are addressing the highest cybersecurity risks.
GAO Assessment of How Coast Guard's Cyber Strategy Addresses Key National Strategy Characteristics
|
Characteristic |
GAO assessment |
|---|---|
|
Purpose, scope, and methodology |
● |
|
Problem definition and risk assessment |
◑ |
|
Goals, subordinate objectives, activities, and performance measures |
◑ |
|
Resources and investments |
◑ |
|
Roles, responsibilities, and coordination |
◑ |
Legend: ● Fully addresses ◑ Partially addresses. ○ Does not address.
Source: GAO analysis of Coast Guard's strategy and accompanying plans. | GAO-25-107244
Further, the Coast Guard has not fully addressed leading practices to ensure its cyber workforce has the competencies needed to address MTS cybersecurity risks. Specifically, the Coast Guard has not fully developed competency requirements. In addition, the Coast Guard has not fully assessed and addressed competency gaps for its cyber workforce. Until it does, the Coast Guard will not have assurance it is effectively mitigating cybersecurity risks to the MTS.
Why GAO Did This Study
The Maritime Transportation System (MTS) is an essential critical infrastructure subsector, handling more than $5.4 trillion in goods and services annually. As the lead risk management agency for the subsector, the Coast Guard is to protect the system from all threats, including those related to cybersecurity.
The James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 includes a provision for GAO to review cybersecurity risks to the MTS, including vessels and facilities. This report addresses (1) cybersecurity risks to the MTS, Coast Guard's efforts to (2) assist and oversee MTS owner and operator actions on cyber risks, (3) strategic planning to mitigate these risks, and (4) implementation of leading practices on cyber workforce competencies.
GAO reviewed federal and industry reports on MTS cybersecurity risks; federal statutes and regulations; and Coast Guard documentation and inspection data from fiscal year 2019 through June 2024. GAO also interviewed federal and non-federal stakeholders at four ports based on volume of trade, geographic dispersion, and other factors.
Recommendations
GAO is making five recommendations, including that Coast Guard (1) update its system of record to provide ready access to complete cyber deficiency data, (2) ensure its cyber strategy and plans align with all key characteristics of a national strategy, and (3) analyze, assess, and address workforce competency gaps. The Department of Homeland Security concurred with GAO's recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Coast Guard | The Commandant of the Coast Guard should develop and implement documented procedures to ensure the accuracy of cybersecurity incident information that the service identifies and tracks. (Recommendation 1) |
In providing comments on our February 2025 report, Coast Guard agreed with our recommendation. In July 2025 and September 2025, Coast Guard officials provided documents that demonstrated they have begun to develop and implement procedures to ensure the accuracy of cybersecurity incident information it identifies and tracks. For example, in July 2025, Coast Guard officials updated and disseminated its Marine Transportation System Cyber Incident Response Playbook to assist with identifying cybersecurity incidents. In addition, in September 2025, Coast Guard officials provided its Incident Management Activity Quick Reference Guide to assist relevant officials in tracking cybersecurity incident information and example entries of incident information captured within its system of record. However, neither the guide or the playbook include procedures for officials to consistently enter accurate cyber incident information within its systems of record. For example, neither the guide or playbook demonstrate procedures for ensuring that the relevant sector or subsector that is impacted is recorded accurately (e.g., Maritime Transportation System), which may vary by the official responsible for entering such information in its system of record. Further, Coast Guard officials have not demonstrated whether its guide has been disseminated to appropriate officials that are responsible for entering cyber incident information within its system of record. We will continue to monitor the Coast Guard's progress on implementing this recommendation. Therefore, we conclude that this recommendation is partially addressed and will continue to follow up with Coast Guard on their progress with fully implementing it.
|
| United States Coast Guard | The Commandant of the Coast Guard should ensure that its case management system for facility and vessel security inspections provides ready access to complete data on specific cybersecurity deficiencies identified during those inspections. (Recommendation 2) |
In providing comments on our February 2025 report, Coast Guard agreed with our recommendation. In August 2025, Coast Guard stated that it established a case management system change implementation team to identify new activities, sub-activities, deficiency categories, and other necessary data fields. More specifically, the Coast Guard is working to ensure that this system provides ready access to complete data on specific cybersecurity deficiencies identified during facility and vessel security inspections. The Coast Guard estimates that this system change will be completed by the end of May 2026. We will continue to follow-up with Coast Guard on the status of their efforts to implement this recommendation.
|
| United States Coast Guard | The Commandant of the Coast Guard should ensure its cybersecurity strategy and plans address the key characteristics of an effective national strategy, including a full assessment of cybersecurity risks to the MTS. (Recommendation 3) |
In providing comments on our February 2025 report, Coast Guard agreed with our recommendation. In August 2025, the Coast Guard stated that the Maritime Transportation Sector-Risk Assessment and Management Plan is currently under review and consideration for incorporation into a national plan. Following the incorporation into a national plan or separate publication, the Coast Guard will use this plan to ensure a full assessment of cybersecurity risks to the MTS in the next iteration of the Coast Guard Cyber Strategic Outlook. Additionally, Coast Guard stated that the Transportation Sector-Risk Assessment and Management Plan will also help the agency ensure a full assessment of cybersecurity risks in the Coast Guard Cyber Strategic Outlook. The Coast Guard estimates completing these tasks by the end of August 2026, and GAO will continue to follow up with Coast Guard on its progress.
|
| United States Coast Guard | The Commandant of the Coast Guard should develop future competency needs for all of the service's personnel with MTS cyber responsibilities for mitigating cyber risks to the MTS and analyze the gaps between current competencies and future needs. (Recommendation 4) |
In providing comments on our February 2025 report, Coast Guard agreed with our recommendation. In August 2025, Coast Guard stated it is working to establish a Cyber Regulation Implementation Team to support the implementation of the Cybersecurity in the Marine Transportation System final rule. Specifically, this team will determine future competency needs for all personnel with cyber responsibilities, analyze gaps between current competencies and future needs, and make recommendations on needed competencies, as appropriate. The Coast Guard estimated completing these tasks by the end of December 2025, and we are awaiting additional information from the Coast Guard. We will continue to follow up with Coast Guard to assess the agency's progress with implementing this recommendation.
|
| United States Coast Guard | The Commandant of the Coast Guard should, using the gap analysis of current and future competency needs for personnel with MTS cyber risk mitigation responsibilities, address any gaps in competencies, such as through training. (Recommendation 5) |
In providing comments on our February 2025 report, Coast Guard agreed with our recommendation. In August 2025, Coast Guard stated its Cyber Regulation Implementation Team will determine future competency needs for all personnel with cyber responsibilities, analyze gaps between current competencies and future needs, and make recommendations on needed competencies, as appropriate. Coast Guard also stated that once these recommendations are provided, the agency will ensure these recommendations are reviewed by appropriate program offices and that they develop actions to address competency gaps and new training requirements. The Coast Guard estimates completing these tasks by the end of October 2026, and we will continue to follow-up with the agency on its progress with implementing this recommendation.
|