Coast Guard: Actions Needed to Enhance IT Program Implementation
Fast Facts
IT systems and operational technology—like sensors and radar—are critical for U.S. Coast Guard operations. However, Coast Guard has a long history of problems managing these resources.
The Coast Guard plans to spend $93 million in fiscal year 2022 to improve its IT systems and infrastructure. But the Coast Guard still doesn't fully assess its IT network capacity needs. For example, it doesn't test bandwidth limits to know when busy network traffic may affect performance. Also, Coast Guard doesn't include all of its operational tech in its cybersecurity efforts.
We made 8 recommendations to the Coast Guard addressing these and other issues.
Common Types of Information Technology and Operational Technology
Highlights
What GAO Found
The U.S. Coast Guard lacks a documented network capacity planning process. Network capacity planning is an important aspect of IT infrastructure planning that involves determining the network resources required to support an entity's mission. However, the Coast Guard uses an ad hoc process that does not fully align with five common practices GAO identified for network capacity. The table below describes the extent to which it implemented the practices. Without fully implementing these practices, the Coast Guard faces significant risks in resulting inefficiencies and disruptions in network availability to users.
Extent to Which Coast Guard Implemented Network Capacity Planning Practices
|
Common Practices |
Implementation Status |
|
Compile an inventory of hardware, software, and configurations |
◑ |
|
Identify the baseline network utilization and traffic growth predictions |
◑ |
|
Determine bandwidth allocation needs for variations and prioritize network traffic |
◑ |
|
Run simulations and perform analyses of network usage |
○ |
|
Make refinements to the network and continually monitor the health of the infrastructure |
◑ |
Legend: ● = addressed: The Coast Guard demonstrated that it had fully implemented the practice; ◑ = partially addressed: The Coast Guard demonstrated that it implemented some, but not all of the practice; and ○= not addressed: The Coast Guard could not demonstrate that it had implemented the practice.
Source: GAO analysis of U.S. Coast Guard documentation and industry publications. | GAO-22-105092
In accordance with the January 2017 agreement between the Department of Homeland Security and Department of Defense (DOD), the Coast Guard is to follow DOD's Risk Management Framework. This framework establishes two different cybersecurity risk management processes for identifying and applying cybersecurity controls for IT and for operational technology resources. However, the Coast Guard did not consistently apply the framework for its operational technology. This inconsistency is due in part to the lack of a comprehensive and accurate inventory. In addition, it lacks a cybersecurity risk management process for two types of operational technology—industrial control systems and supervisory control and data acquisition systems. Without a consistently applied process, accurate inventory, and coverage for all systems, the Coast Guard cannot ensure effective management of cybersecurity risks.
In March 2021, the Coast Guard issued a cloud strategy that outlines its strategic objectives for cloud computing over the next five years. The cloud strategy and associated relevant documentation incorporated most federal cloud requirements and guidance. However, the Coast Guard did not address key actions related to security and its workforce. Updating its strategy to include all cloud-related requirements and guidance would further facilitate the migration to cloud services.
Why GAO Did This Study
The U.S. Coast Guard, a component of the Department of Homeland Security, relies extensively on IT systems and services to carry out its 11 statutory missions. It also relies on operational technology, which encompasses a broad range of programmable systems or devices that interact with the physical environment, such as sensors and radar. Historically, the Coast Guard has had longstanding issues managing its technology resources. As such, it plans to spend $93 million to improve the reliability and performance of these resources in fiscal year 2022.
The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 included a provision for GAO to review several aspects of the Coast Guard's IT program. This report addresses, among other things, the extent to which the Coast Guard (1) has a process to plan for network capacity; (2) has cybersecurity risk management processes for IT and for operational technology; and (3) has incorporated federal requirements in its strategy for cloud computing.
To do so, GAO evaluated the Coast Guard's IT policies and procedures against common practices for network capacity planning. GAO also analyzed the Coast Guard's cybersecurity processes for IT and operational technology and assessed their application. Further, it assessed the cloud strategy and other related documentation against federal requirements and guidance.
Recommendations
GAO is making eight recommendations to improve the Coast Guard's IT program implementation. The Department of Homeland Security agreed with all eight recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Coast Guard | 1. The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to develop network capacity planning policies and procedures that address the leading practices we identified, including (1) compiling a complete and accurate inventory of hardware, software, and configurations; (2) identifying traffic growth predictions; (3) prioritizing network traffic; (4) performing simulations and what-if-analyses; and (5) continually monitoring the health of the infrastructure to ensure it is meeting demand and mission needs. (Recommendation 1) |
In April 2024, the Coast Guard stated that they had not yet implemented the recommendation but expected to have a timeframe for implementing it by the end of fiscal year 2024.
|
| United States Coast Guard |
Priority Rec.
2.
The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to implement the leading practices for network capacity planning that we identified, including (1) compiling a complete and accurate inventory of hardware, software, and configurations; (2) identifying traffic growth predictions; (3) prioritizing network traffic; (4) performing simulations and what-if-analyses; and (5) continually monitoring the health of the infrastructure to ensure it is meeting demand and mission needs. (Recommendation 2) |
In April 2024, the Coast Guard stated that through its Infrastructure Managed Services contract, awarded in December 2022, the Coast Guard has required that its vendor address three of the five leading practices in the recommendation-compiling an inventory, prioritizing network traffic, and continually monitoring the health of the infrastructure. In addition, the Coast Guard stated that it plans to develop the supporting policies and requirements for the remaining two leading practices-identifying traffic growth predictions and performing simulations. The Coast Guard expected to have a timeline for completing this task by the end of fiscal year 2024. We will continue to monitor the Coast Guard's efforts to fully implement this recommendation.
|
| United States Coast Guard | 3. The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to establish a comprehensive and accurate inventory of all operational technology, including ICS and SCADA systems. (Recommendation 3) |
In January 2023, DHS stated that the Coast Guard is tracking it operational technology under the cognizant divisions responsible for the systems. However, according to DHS, the Coast Guard has efforts underway to consolidate this operational technology inventory data into a central, comprehensive inventory. In February 2024, the Coast Guard stated that it expected to have the inventory completed by May 31, 2024. We will continue to monitor the Coast Guard's efforts in implementing this recommendation.
|
| United States Coast Guard | 4. The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to develop a plan or strategy for aligning all operational technology to the Department of Defense risk management framework, including time frames for completing the alignment. (Recommendation 4) |
In January 2024, the Coast Guard stated that its Office of Information Management will develop a standard to ensure that operational technology is securely configured in accordance with applicable Department of Defense policies and security controls. According to the agency, the standard will set expectations for operational technology to undergo a special assessment of functional and security-related capabilities and deficiencies. As of February 2024, the Coast Guard did not have an estimated timeframe for completing the standard. We will continue to monitor the agency's progress in implementing this recommendation.
|
| United States Coast Guard |
Priority Rec.
5.
The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to ensure that the plan or strategy for aligning all operational technology to the Department of Defense risk management framework is effectively implemented. (Recommendation 5) |
In February 2024, the Coast Guard updated its Cybersecurity Policy to require that all operational technology comply with the Department of Defense risk management framework. The Coast Guard stated that they are working on developing a plan for aligning all operational technology to the Department of Defense risk management framework but did not have an estimated time, as of February 2024, for completing the plan. We will continue to monitor the agency's progress in implementing this recommendation.
|
| United States Coast Guard | 6. The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to update existing policies and procedures to explicitly describe a cybersecurity risk management process for ICS and SCADA systems. (Recommendation 6) |
In February 2024, Coast Guard updated its cybersecurity policy to include requirements for ICS and SCADA systems to follow the DOD cybersecurity risk management process. As a result of this action, the Coast Guard is better positioned to ensure that it is effectively managing risks to those systems.
|
| United States Coast Guard | 7. The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to send its list of cloud services that do not meet FedRAMP requirements to the appropriate agency head for submission to the Federal CIO. (Recommendation 7) |
In November 2023, the Coast Guard stated that its Cloud Implementation Integrated Project Team developed Department of Defense (DOD) Security Requirements Group (SRG) compliant contract language, which requires each cloud service to meet the minimum requirements for DOD cloud service providers. The agency added that during IT acquisition reviews, if a cloud service is requested, the review team ensures that the proposed contract language is included, or the acquisition request will be denied until the appropriate contract language is added. As of February 2024, the Coast Guard plans to submit a list of cloud services that do not meet FedRAMP requirements to the agency head by December 31, 2024.
|
| United States Coast Guard | 8. The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to update the service's cloud strategy and other relevant documentation to include a cross-walk of new and old skills and occupational categories, and to conduct a skills gap analysis. (Recommendation 8) |
In January 2024, the Coast Guard stated that it has established various activities to identify cloud capabilities and engage with stakeholders to address cloud skills requirements in the workforce. The Coast Guard also described how cloud training will be tailored to specific agency needs and roles. The agency added that cloud support and staffing is primarily being delivered through contract staffing services. Therefore, the agency stated that it did not see a need to modify the Coast Guard's Cloud Strategy to address identified cloud workforce skill gaps. However, as we reported in July 2022, federal policy and guidance states that agencies should establish a strategy for workforce development, to include a cross-walk of new and old skills and occupational categories, and to conduct cloud-based skills gap analyses for future skill and position requirements. We will continue to monitor the Coast Guard's actions to address this recommendation.
|