Strengthening Cybersecurity in the Maritime Transportation System

The U.S. Maritime Transportation System (MTS) plays a critical role in national and economic security, handling over $5.4 trillion in goods annually. However, as the Government Accountability Office (GAO) details in its February 2025 report, Coast Guard: Additional Efforts Needed to Address Cybersecurity Risks to the Maritime Transportation System (GAO-25-107244), the MTS faces escalating cybersecurity threats that could disrupt operations and national supply chains. While the U.S. Coast Guard (USCG) has taken steps to mitigate these risks, GAO identifies critical gaps in cybersecurity oversight, strategic planning, and workforce capabilities that must be addressed to protect the nation’s ports, vessels, and facilities.

According to the GAO, multiple cyber threats endanger the MTS. Nation-state actors such as China, Iran, North Korea, and Russia, along with transnational criminal organizations, hacktivists, and insider threats, pose significant risks. These actors have targeted critical infrastructure globally, and recent cybersecurity incidents in U.S. maritime facilities underscore their growing capabilities. For example, a ransomware attack in 2019 shut down a port facility for 30 hours, affecting cargo operations and highlighting vulnerabilities in both enterprise IT and operational technology (OT) systems.

One of the report’s key findings is that the Coast Guard’s ability to track and manage cybersecurity incidents is inadequate. The Marine Information for Safety and Law Enforcement (MISLE) system does not allow for ready access to complete cybersecurity-related deficiencies identified during inspections. Without comprehensive and accessible data, the Coast Guard lacks the insight needed to oversee cybersecurity threats effectively. The GAO recommends updating this system to ensure better oversight and proactive threat mitigation.

Despite the Coast Guard’s development of a cyber strategy for the MTS, GAO finds it falls short in several areas. The strategy fully addresses the purpose, scope, and methodology, but it does not adequately define risks, establish performance metrics, outline specific investments, or clarify roles and responsibilities. Without a fully developed cybersecurity framework, the Coast Guard risks allocating resources inefficiently, leaving critical vulnerabilities unaddressed. The report recommends revising the cyber strategy to align with key national strategy characteristics, ensuring a more comprehensive and actionable plan for securing the MTS.

Another significant issue highlighted in the report is the Coast Guard’s cyber workforce deficiencies. While USCG has approximately 200 cybersecurity personnel, including Cyber Protection Teams and sector-based cybersecurity specialists, it has not fully defined competency requirements for its cyber workforce. Moreover, it has not conducted a complete assessment of skill gaps. The GAO warns that until the Coast Guard addresses these shortcomings, it cannot be confident in its ability to mitigate cybersecurity risks effectively. GAO recommends that the Coast Guard analyze and address these workforce competency gaps to strengthen its ability to respond to cyber threats.

For federal contractors working within the MTS, the implications of this report are substantial. The Coast Guard’s new cybersecurity requirements, which will take effect in July 2025, will require vessel and facility operators to implement stricter security controls, including multi-factor authentication, password policies, and better system monitoring. Contractors engaged in maritime cybersecurity services should anticipate increased demand for compliance-related services as the Coast Guard enhances oversight. Those providing IT and OT solutions to port operators and vessel owners must ensure that their systems align with emerging federal cybersecurity standards to maintain eligibility for federal contracts.

Additionally, firms specializing in cybersecurity training and workforce development may find new opportunities to support the Coast Guard in closing its cyber competency gaps. Given GAO’s emphasis on the need for better workforce planning, companies offering cybersecurity training aligned with federal frameworks may be well-positioned to assist in these efforts.

In summary, GAO’s report underscores the urgent need for improved cybersecurity oversight and workforce development in the maritime sector. As cyber threats become more sophisticated, the Coast Guard must enhance its ability to track incidents, implement a comprehensive cybersecurity strategy, and build a skilled cyber workforce. Federal contractors operating within the MTS should prepare for increased cybersecurity requirements and compliance measures that will shape future contracting opportunities in the maritime industry.

This blog post is based on GAO-25-107244 and does not guarantee accuracy or provide legal advice. Readers should refer to the full GAO report for official findings and recommendations.