Coast Guard: Actions Needed to Improve IT Program Implementation

What GAO Found

The US Coast Guard does not have a documented network capacity planning process. Network capacity planning is an important aspect of IT infrastructure planning that involves determining the network resources needed to support an entity’s mission. Instead, the Coast Guard uses an ad hoc process that does not fully align with the five common network capacity planning practices identified by the GAO. The table below describes the extent to which it has implemented the practices. Without full implementation of these practices, the Coast Guard faces significant risks resulting from inefficiencies and disruptions in network availability to users.

Extent to which the Coast Guard has implemented network capacity planning practices

Common practices

Implementation status

Compile an inventory of hardware, software and configurations

Identify core network utilization and traffic growth forecasts

Determine bandwidth allocation needs for variations and prioritize network traffic

Run simulations and perform analyses of network usage

Make network improvements and continuously monitor infrastructure health

Legend: ● = addressed: the Coast Guard has demonstrated that it has fully implemented the practice; ◑ = partially addressed: the Coast Guard has demonstrated that it has implemented some, but not all, of the practice; and ○ = not addressed: the Coast Guard could not demonstrate that it had implemented the practice.

Source: GAO analysis of US Coast Guard literature and industry publications. | GAO-22-105092

Per the January 2017 agreement between the Department of Homeland Security and the Department of Defense (DOD), the Coast Guard must follow the DOD’s Risk Management Framework. This framework establishes two different cybersecurity risk management processes to identify and apply cybersecurity controls for IT and operational technology resources. However, the Coast Guard has not applied the framework consistently for its operational technology. This inconsistency is partly due to the lack of a complete and accurate inventory. Additionally, a cybersecurity risk management process is missing for two types of operational technologies: industrial control systems and supervisory control and data acquisition systems. Without a consistently applied process, accurate inventory, and coverage for all systems, the Coast Guard cannot effectively manage cybersecurity risks.

In March 2021, the Coast Guard released a cloud strategy that outlines its strategic goals for cloud computing over the next five years. The cloud strategy and associated relevant documentation incorporated most federal cloud requirements and guidance. However, the Coast Guard has not addressed key actions related to safety and its workforce. Updating its policy to include all cloud-related requirements and guidance would further facilitate migration to cloud services.

Why GAO Did This Study

The US Coast Guard, part of the Department of Homeland Security, relies heavily on computer systems and services to carry out its 11 statutory missions. It also relies on operational technology, which encompasses a wide range of programmable systems or devices that interact with the physical environment, such as sensors and radars. Historically, the Coast Guard has had longstanding issues in managing its technological resources. As such, it plans to spend $93 million to improve the reliability and performance of these resources in fiscal year 2022.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 included a provision for the GAO to review several aspects of the Coast Guard’s computer program. This report addresses, among other things, the extent to which the Coast Guard (1) has a process for planning network capacity; (2) has cybersecurity risk management processes for IT and operational technology; and (3) incorporated federal requirements into its cloud computing strategy.

To accomplish this, GAO assessed Coast Guard IT policies and procedures against current network capacity planning practices. The GAO also analyzed the Coast Guard’s cybersecurity processes for IT and operational technologies and assessed their application. Additionally, it assessed the cloud strategy and other related documents against federal requirements and guidelines.

Ryan H. Bowman