The Port Crane Security and Inspection Act of 2025 would require the Department of Homeland Security, acting through the Cybersecurity and Infrastructure Security Agency, to inspect newly constructed foreign cranes at U.S. ports identified as high risk before they are put into service. It also directs a threat assessment within 180 days of enactment to identify risks posed by existing and new foreign cranes, with any crane posing a risk taken offline until it is certified as no longer risky.
The act then establishes a prohibition on foreign cranes contracted after enactment from operating at U.S. ports and requires removal of foreign software within five years. The definitions of a “covered foreign country” and a “foreign crane” tie to threat assessments and ownership or control by entities linked to such countries.
At a Glance
What It Does
Hazards are identified and mitigated through inspections of high-risk foreign cranes before service, followed by a federal threat assessment and risk-based offline actions. A prohibition on post-enactment foreign-crane contracts and a five-year deadline for replacing foreign software creates a transition pathway.
Who It Affects
Port operators and terminal managers at high-risk ports, DHS/CISA and other homeland-security entities, crane manufacturers and suppliers, and logistics operators interfacing with port infrastructure.
Why It Matters
It establishes a risk-based, government-led governance framework for critical port infrastructure, aiming to reduce cyber and physical risks from foreign-origin hardware and software.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill creates a formal process for securing port cranes that are connected to the internet and manufactured or supplied by entities linked to foreign countries designated as adversaries. It tasks DHS, via CISA, with inspecting newly built foreign cranes at high-risk ports before they are used in the United States.
In addition, it requires DHS to conduct a 180-day threat assessment of both existing and new cranes and to take offline any crane judged to pose a security risk until it is certified safe. The legislation also imposes a prohibition on operating foreign cranes at U.S. ports if the contract was entered into after the enactment date and sets a five-year deadline for removing or replacing foreign software on cranes already in use.
The definitions of “covered foreign country” and “foreign crane” anchor these requirements in threat intelligence and the ownership or control of the crane’s IT/OT components, respectively. The act thus creates a phased, risk-based framework for port infrastructure security and signals a shift away from reliance on foreign-origin software and hardware in critical maritime operations.
This is a compliance-driven blueprint for port security agencies and operators to reassess and sanitize crane systems over a defined timeline.
The Five Things You Need to Know
The bill requires DHS/CISA to inspect newly constructed foreign cranes at high-risk ports before service.
A 180-day period mandates a threat assessment of existing and new foreign cranes with offline actions for risky assets.
Within 1 year of enactment, DHS must brief Congress on foreign crane security risks posed by these assets.
A prohibition blocks operation of post-enactment foreign-crane contracts at U.S. ports and imposes a 5-year deadline to remove foreign software.
Definitions tie cranes to threat assessments and ownership/ control of foreign-country entities.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
This section designates the act’s formal name, Port Crane Security and Inspection Act of 2025, establishing the legislative framing and reference point for the rest of the provisions.
Foreign Crane Inspection, Transportation and Port Security Provisions
This section mandates that newly constructed foreign cranes at high-risk ports, which connect to the internet, be inspected by DHS through the Cybersecurity and Infrastructure Security Agency before placing into service. It requires a threat assessment within 180 days to identify security risks posed by existing and new foreign cranes and authorizes offline removal of cranes deemed risky until they are certified not to pose a threat. The section also sets up a framework for reporting to Congress within one year outlining the security posture of these cranes across U.S. ports.
Foreign Crane Prohibition
This section prohibits operating a foreign crane at a U.S. port if a contract was entered into on or after enactment and prohibits foreign software on any crane five years after enactment. It also defines key terms such as “covered foreign country,” “foreign crane,” and “foreign software” to anchor the prohibition in threat intelligence, ownership, and control considerations.
This bill is one of many.
Codify tracks hundreds of bills on Infrastructure across all five countries.
Explore Infrastructure in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- DHS and CISA teams gain a formalized authority to identify and mitigate cyber-physical risks in port infrastructure, strengthening federal oversight.
- Port authorities and terminal operators at high-risk ports benefit from clearer security standards and rapid risk mitigation to protect cargo flows.
- Shippers and logistics providers relying on U.S. ports gain stability from reduced disruption due to security incidents with critical cranes.
- Cybersecurity professionals and port-operations teams gain standardized protocols for monitoring, assessment, and remediation of crane systems.
Who Bears the Cost
- Port operators at high-risk ports bear costs related to inspections, system offline periods, and potential transition timelines for cranes with foreign components.
- Crane manufacturers and suppliers with foreign-origin IT/OT components face costs associated with compliance, documentation, and potential product redesign or replacement timelines.
- U.S.-based logistics and supply chain intermediaries may experience transitional disruption or increased costs during the replacement or upgrade of crane systems and software.
- Federal agencies conducting assessments and oversight may incur administrative costs for ongoing reporting and enforcement activities.
Key Issues
The Core Tension
Balancing rapid security risk mitigation with the practical realities of port operations and the supply chain — especially when legacy equipment and global vendor ecosystems are involved.
The bill’s risk-based approach relies on intelligence assessments to identify which cranes and countries qualify as “covered foreign” and to determine when cranes pose a risk. This creates a potential tension between timely security actions and operational continuity, particularly for imported cranes.
The timelines (180-day assessment window and five-year software-removal deadline) put pressure on port operators and foreign manufacturers to accelerate testing, certification, and, where needed, replacement or remediation of crane systems. Enforcement complexity may arise if cranes span multiple ports or if foreign-made components are embedded in legacy equipment, requiring coordination across federal agencies and the private sector.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.