Coast Guard: Actions Needed to Enhance IT Program Implementation

GAO-22-105092 Published: Jul 28, 2022. Publicly Released: Jul 28, 2022.
Fast Facts

IT systems and operational technology—like sensors and radar—are critical for U.S. Coast Guard operations. However, Coast Guard has a long history of problems managing these resources.

The Coast Guard plans to spend $93 million in fiscal year 2022 to improve its IT systems and infrastructure. But the Coast Guard still doesn't fully assess its IT network capacity needs. For example, it doesn't test bandwidth limits to know when busy network traffic may affect performance. Also, Coast Guard doesn't include all of its operational tech in its cybersecurity efforts.

We made 8 recommendations to the Coast Guard addressing these and other issues.

Common Types of Information Technology and Operational Technology

Graphic showing information technology (like desktop computers) versus operational technology (like sensors)

Highlights

What GAO Found

The U.S. Coast Guard lacks a documented network capacity planning process. Network capacity planning is an important aspect of IT infrastructure planning that involves determining the network resources required to support an entity's mission. However, the Coast Guard uses an ad hoc process that does not fully align with five common practices GAO identified for network capacity planning. The table below describes the extent to which it implemented the practices. Without fully implementing these practices, the Coast Guard faces significant risk of inefficiencies and disruptions in network availability to users.

Extent to Which Coast Guard Implemented Network Capacity Planning Practices

Common Practices

Implementation Status

Compile an inventory of hardware, software, and configurations

Identify the baseline network utilization and traffic growth predictions

Determine bandwidth allocation needs for variations and prioritize network traffic

Run simulations and perform analyses of network usage

Make refinements to the network and continually monitor the health of the infrastructure

Legend: ● = addressed: The Coast Guard demonstrated that it had fully implemented the practice; ◑ = partially addressed: The Coast Guard demonstrated that it implemented some, but not all, of the practice; and ○ = not addressed: The Coast Guard could not demonstrate that it had implemented the practice.

Source: GAO analysis of U.S. Coast Guard documentation and industry publications. | GAO-22-105092

In accordance with the January 2017 agreement between the Department of Homeland Security and Department of Defense (DOD), the Coast Guard is to follow DOD's Risk Management Framework. This framework establishes two different cybersecurity risk management processes for identifying and applying cybersecurity controls for IT and for operational technology resources. However, the Coast Guard did not consistently apply the framework for its operational technology. This inconsistency is due in part to the lack of a comprehensive and accurate inventory. In addition, it lacks a cybersecurity risk management process for two types of operational technology—industrial control systems and supervisory control and data acquisition systems. Without a consistently applied process, accurate inventory, and coverage for all systems, the Coast Guard cannot ensure effective management of cybersecurity risks.

In March 2021, the Coast Guard issued a cloud strategy that outlines its strategic objectives for cloud computing over the next five years. The cloud strategy and associated relevant documentation incorporated most federal cloud requirements and guidance. However, the Coast Guard did not address key actions related to security and its workforce. Updating its strategy to include all cloud-related requirements and guidance would further facilitate the migration to cloud services.

Why GAO Did This Study

The U.S. Coast Guard, a component of the Department of Homeland Security, relies extensively on IT systems and services to carry out its 11 statutory missions. It also relies on operational technology, which encompasses a broad range of programmable systems or devices that interact with the physical environment, such as sensors and radar. Historically, the Coast Guard has had longstanding issues managing its technology resources. As such, it plans to spend $93 million to improve the reliability and performance of these resources in fiscal year 2022.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 included a provision for GAO to review several aspects of the Coast Guard's IT program. This report addresses, among other things, the extent to which the Coast Guard (1) has a process to plan for network capacity; (2) has cybersecurity risk management processes for IT and for operational technology; and (3) has incorporated federal requirements in its strategy for cloud computing.

To do so, GAO evaluated the Coast Guard's IT policies and procedures against common practices for network capacity planning. GAO also analyzed the Coast Guard's cybersecurity processes for IT and operational technology and assessed their application. Further, it assessed the cloud strategy and other related documentation against federal requirements and guidance.


Recommendations

GAO is making eight recommendations to improve the Coast Guard's IT program implementation. The Department of Homeland Security agreed with all eight recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
United States Coast Guard The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to develop network capacity planning policies and procedures that address the leading practices we identified, including (1) compiling a complete and accurate inventory of hardware, software, and configurations; (2) identifying traffic growth predictions; (3) prioritizing network traffic; (4) performing simulations and what-if-analyses; and (5) continually monitoring the health of the infrastructure to ensure it is meeting demand and mission needs. (Recommendation 1)
Open
In January 2023, the Department of Homeland Security (DHS) stated that the Coast Guard is transitioning to the Enterprise Infrastructure Services (EIS) contract, along with additional network services that will be undertaken upon completion of the transition. According to DHS, as part of this process, the Coast Guard will address the policies and procedures described within each part of this recommendation, as appropriate, given the dependency of the transition and the specific services provided by the vendor, which vary by service provider. As of May 2023, the Coast Guard plans to have this recommendation implemented by March 29, 2024. We will continue to monitor the Coast Guard's efforts in implementing the recommendation.
United States Coast Guard
This is a priority recommendation.
The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to implement the leading practices for network capacity planning that we identified, including (1) compiling a complete and accurate inventory of hardware, software, and configurations; (2) identifying traffic growth predictions; (3) prioritizing network traffic; (4) performing simulations and what-if-analyses; and (5) continually monitoring the health of the infrastructure to ensure it is meeting demand and mission needs. (Recommendation 2)
Open
In January 2023, DHS stated that the Coast Guard will implement the leading practices for network capacity planning we recommended through its pending Enterprise Infrastructure Services contract, and will take measures to implement network capacity planning. DHS added that in September 2021, the Coast Guard procured a new inventory system called Alphabet, and is in the process of updating system data. As of May 2023, the Coast Guard plans to fully implement the recommendation by March 29, 2024. We will continue to monitor the Coast Guard's efforts in implementing the recommendation.
United States Coast Guard The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to establish a comprehensive and accurate inventory of all operational technology, including ICS and SCADA systems. (Recommendation 3)
Open
In January 2023, DHS stated that the Coast Guard is tracking its operational technology under the cognizant divisions responsible for the systems. However, according to DHS, the Coast Guard has efforts underway to consolidate this operational technology inventory data into a central, comprehensive inventory by May 2023. We will continue to monitor the Coast Guard's efforts in implementing this recommendation.
United States Coast Guard The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to develop a plan or strategy for aligning all operational technology to the Department of Defense risk management framework, including time frames for completing the alignment. (Recommendation 4)
Open
In January 2023, DHS stated that the Coast Guard plans to develop a standard to ensure that operational technology is securely configured in accordance with applicable DOD policies and National Institute of Standards and Technology (NIST) standards. However, according to DHS, the relevant NIST publication, NIST special publication 800-82 revision 3, is currently in draft and the Coast Guard cannot provide a firm estimated completion date for the department's activities until the publication is complete. DHS added that once the NIST guidance is complete, the Coast Guard will review it and determine how to best align a future OT Cybersecurity Risk Management Implementation Standard to this guidance, as well as measure the effectiveness of the implementation. We will continue to monitor the Coast Guard's efforts in implementing the recommendation.
United States Coast Guard
This is a priority recommendation.
The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to ensure that the plan or strategy for aligning all operational technology to the Department of Defense risk management framework is effectively implemented. (Recommendation 5)
Open
In January 2023, DHS stated that the Coast Guard plans to update its cybersecurity policy to require that all OT comply with the Department of Defense risk management framework. As of May 2023, the Coast Guard estimates that the policy update will be completed by June 30, 2023. DHS added that upon completion of the NIST special publication 800-82 Rev. 3, the Coast Guard will also review the updated guidance and determine how to best align a future OT Cybersecurity Risk Management Implementation Standard to this guidance, as well as measure the effectiveness of the implementation. We will continue to monitor the Coast Guard's efforts in implementing the recommendation.
United States Coast Guard The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to update existing policies and procedures to explicitly describe a cybersecurity risk management process for ICS and SCADA systems. (Recommendation 6)
Open
In January 2023, DHS stated that the Coast Guard plans to ensure that the next update to its cybersecurity policy includes requirements for ICS and SCADA, as well as the importance of tracking the cybersecurity risk management of ICS and SCADA systems. As of May 2023, the Coast Guard plans to complete this action by June 30, 2023. DHS added that, within one year of issuance, the Coast Guard plans to review the updated NIST special publication 800-82 to determine how to best align a future OT Cybersecurity Risk Management Implementation Standard to this guidance. We will continue to monitor the Coast Guard's efforts in implementing the recommendation.
United States Coast Guard The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to send its list of cloud services that do not meet FedRAMP requirements to the appropriate agency head for submission to the Federal CIO. (Recommendation 7)
Open
In January 2023, DHS stated that the Coast Guard established a Cloud Implementation Integrated Project Team in September 2022 to examine existing contracts for commercial cloud services and to determine alignment with Department of Defense requirements. DHS added that the team is developing language for cloud services for inclusion in all future cloud contracts, which requires each service to meet the minimum requirements for Department of Defense services in a cloud service provider. The Coast Guard estimates that it will complete this action by May 31, 2023. We will continue to monitor the Coast Guard's actions in implementing this recommendation.
United States Coast Guard The Commandant of the United States Coast Guard should direct the Deputy Commandant for Mission Support to update the service's cloud strategy and other relevant documentation to include a cross-walk of new and old skills and occupational categories, and to conduct a skills gap analysis. (Recommendation 8)
Open
In January 2023, DHS stated that the Coast Guard established a Cloud Integrated Project Team in September 2022 to examine the service's Cloud Strategy, as well as to review and analyze the skills of the current workforce. As of May 2023, the Coast Guard plans to complete the analysis by November 30, 2023. We will continue to monitor the Coast Guard's efforts in implementing the recommendation.
