In 2020, the marine transportation system, which moves people and goods through U.S. waterways, suffered over 500 cyber attacks. The U.S. Coast Guard is responsible for ensuring the safety and security of the nation’s maritime transportation system and maritime borders. It established cyberspace as an operational domain in 2015 to help protect the marine transportation system from threats that could be delivered through the internet, telecommunications networks, and computer systems. In 2022, it established a new cyber protection team consisting of 44 personnel to focus on cybersecurity at critical ports of entry.
The Coast Guard is increasingly dependent upon its cyberspace workforce to maintain and protect its information systems and data from threats. As of September 2021, the Coast Guard determined it had 4,507 authorized cyberspace workforce positions (i.e., funded positions that could be vacant or filled), consisting of military and civilian personnel. Coast Guard guidance calls for the service to use its Manpower Requirements Determination process to assess and determine necessary staffing levels and skills to meet mission needs. However, the Government Accountability Office (GAO) has found that the service had not used this process for a large portion of its cyberspace workforce.
According to GAO, as of February 2022, the Coast Guard had not used this process for three headquarters units that collectively represent 55 percent of its cyberspace workforce positions.
The Coast Guard has faced persistent challenges filling certain cyberspace positions it considers as critical, or understaffed. For example, on the military workforce side, the service had 75 vacancies in its Electronics Technician enlisted rating, as of September 2021. Positions in this rating make up approximately half of the enlisted cyberspace workforce positions. According to an October 2021 memo, the Coast Guard identified filling positions for this rating as critical and offered a recruitment bonus for it. On the civilian workforce side, the Coast Guard has faced particular challenges in filling positions within its civilian IT Management series, its largest civilian cyberspace workforce position category. According to an April 2021 Coast Guard memo, the service has had difficulty filling and retaining personnel for these positions because many were leaving for higher paying positions in the private sector. The same memo states that retaining these personnel is mandatory for remaining resilient to cyber threats.
Of 12 selected recruitment, retention, and training leading practices, GAO determined that the Coast Guard fully implemented seven, partially implemented three, and did not implement two. For example, it has not developed a strategic workforce plan for its cyberspace workforce, and GAO is concerned that Coast Guard will likely miss opportunities to recruit for difficult to fill cyberspace positions.
In June 2022, Coast Guard officials from the Office of Cyberspace Forces stated that they were developing a management plan to govern the Coast Guard’s cyberspace workforce. They told GAO that they are developing this plan as part of the implementation of a new Cyber Mission Specialist rating, and that they anticipate completing the plan by calendar year 2024.
GAO found that while the Coast Guard has data on its retention approaches for its officer, enlisted, and civilian cyberspace workforce, it has not evaluated the successes of its retention approaches. It also has not quantified or set specific retention goals and objectives across the cyberspace workforce. Coast Guard officials also told GAO that that the service had not established or tracked metrics of success for improving cyberspace workforce morale.
On a more positive note, from fiscal years 2019 through 2021, the Coast Guard provided over $9 million in retention incentives to both military and civilian cyberspace personnel. This includes retention incentives to cyberspace officers that commit at least four years of service; enlisted personnel who have skills critical to the Coast Guard and who have obtained critical cyber certifications; and civilian personnel who obtained critical cyber certifications. GAO was also satisfied with the Coast Guard’s training efforts for its cyberspace workforce.
To address the shortcomings found in its review, GAO has recommended that the Coast Guard should:
- assess and determine the staffing levels needed to meet its cyberspace mission demands;
- establish a strategic workforce plan for its cyberspace workforce, to include strategies and implementing activities to address all competency and staffing needs;
- incorporate data from the Cyber Mission Specialist rating to inform its strategic workforce planning for the enlisted cyberspace workforce;
- develop metrics for recruitment of enlisted and all civilian cyberspace personnel, and use these metrics to assess the effectiveness of its recruitment and hiring efforts;
- set and quantify retention goals and objectives for its cyberspace workforce; and
- establish and track metrics of success for improving cyberspace personnel morale and report its progress to Coast Guard leadership.
The Department of Homeland Security (DHS) concurred with the majority of the recommendations and described planned actions to address them. For example, DHS stated that the Coast Guard anticipates completing a Manpower Requirements Analysis for its Cyber Command in August 2023 and plans to identify stakeholders and resources to assess options for additional analysis of the remaining cyberspace workforce. In addition, the Coast Guard’s Office of Cyberspace Forces plans to complete a workforce management plan that will address the maturation of the Coast Guard’s operational cyber workforce by the end of September 2023.
GAO’s report comes just weeks after it warned the Coast Guard of IT and Operational Technology (OT) vulnerabilities after the watchdog concluded that the service cannot ensure that it is applying adequate cybersecurity measures to all systems and devices on its network.