To address longstanding issues, the U.S. Coast Guard plans to spend $93 million in fiscal year 2022 to improve its IT systems and infrastructure. But a new report from the Government Accountability Office (GAO) says the Coast Guard still doesn’t fully assess its IT network capacity needs and does not include all of its operational tech in its cybersecurity efforts.
IT systems and operational technology are critical for Coast Guard operations. The Department of Homeland Security (DHS) component relies extensively on IT systems and services to carry out its 11 statutory missions. It also relies on operational technology, which encompasses a broad range of programmable systems or devices that interact with the physical environment, such as sensors and radar. GAO is concerned that the Coast Guard has a history of problems managing these resources and lacks a documented network capacity planning process.
Network capacity planning is an important aspect of IT infrastructure planning that involves determining the network resources required to support an entity’s mission. However, GAO found that the Coast Guard uses an ad hoc process that does not fully align with five common practices GAO identified for network capacity such as running simulations and performing analyses of network usage.
The Coast Guard is required to follow the Department of Defense’s Risk Management Framework, which establishes two different cybersecurity risk management processes for identifying and applying cybersecurity controls for IT and for operational technology resources. However, GAO found that the Coast Guard did not consistently apply the framework for its operational technology, a failing which the watchdog attributes in part to the lack of a comprehensive and accurate inventory. For example, for one Coast Guard-owned system that is operated by the U.S. Navy, the service could not demonstrate that it had obtained and approved a complete security authorization package from the Navy, as required by the Coast Guard’s cybersecurity risk management process. In addition, GAO determined that the Coast Guard lacks a cybersecurity risk management process for two types of operational technology—industrial control systems and supervisory control and data acquisition systems.
GAO warns that without a comprehensive inventory of all systems, including all operational technology, the Coast Guard cannot ensure that it is applying adequate cybersecurity measures to all systems and devices on its network. Additionally, without consistently applying a cybersecurity risk management process to platform IT, the Coast Guard risks unauthorized access to those systems or devices, potentially leading to system disruptions and loss of data.
In March 2021, the Coast Guard issued a cloud strategy that outlines its strategic objectives for cloud computing over the next five years. The cloud strategy and associated relevant documentation incorporated most federal cloud requirements and guidance. GAO’s review found, however, that the Coast Guard did not address key actions related to security and its workforce. In April 2022, a Coast Guard official in the Office of Cyberspace Forces stated that the service had received funding to conduct a workforce analysis on the Coast Guard Cyber Command during fiscal year 2022, and that those efforts were underway. According to officials in the same office’s Resources and Planning division, the analysis is scheduled to begin in May 2022 and be completed by May 2023.
GAO has made eight recommendations to the Coast Guard to help improve its IT implementation and security:
- Develop network capacity planning policies and procedures that address the leading practices GAO identified, including (1) compiling a complete and accurate inventory of hardware, software, and configurations; (2) identifying traffic growth predictions; (3) prioritizing network traffic; (4) performing simulations and what-if-analyses; and (5) continually monitoring the health of the infrastructure to ensure it is meeting demand and mission needs.
- Implement the leading practices for network capacity planning.
- Establish a comprehensive and accurate inventory of all operational technology.
- Develop a plan or strategy for aligning all operational technology to the Department of Defense risk management framework, including time frames for completing the alignment.
- Ensure that this plan or strategy is effectively implemented.
- Update existing policy and procedures to explicitly describe a cybersecurity risk management process for ICS and SCADA systems.
- Send a list of cloud services that do not meet FedRAMP requirements to the appropriate agency head for submission to the Federal CIO.
- Update the service’s cloud strategy and other relevant documentation to include a cross-walk of new and old skills and occupational categories, and to conduct a skills gap analysis.
DHS concurred with all eight recommendations and said it recognized the importance of having improved IT management and operational technology processes and managing risks for all systems.
This is not the first time that the Coast Guard’s IT management has come under GAO’s spotlight. Most recently, in May, the government watchdog reported that the Coast Guard needed to improve oversight of its non-major IT acquisition programs after a review found the DHS component does not define risk levels for IT programs. The watchdog found, for example, that the service’s oversight of its non-major IT acquisition programs was hindered because programs are establishing, revising, and communicating cost and schedule goals (or baselines) inconsistently.