The Coast Guard, which ensures the safety and security of the maritime transportation system and U.S. borders, must meet its cyber workforce needs as it becomes increasingly dependent on that workforce to maintain and protect its IT systems and threat data, according to a report released Tuesday by the Government Accountability Office. The need is all the more important as the maritime transport system suffered more than 500 cyber attacks in 2020 and the average cost of a data breach is $3.9 million.
The report states that in 2015, the agency established cyberspace as an operational domain to help protect the maritime transportation system from threats that could come from the Internet, telecommunications networks and computer systems. The watchdog noted that as of September 2021, the Coast Guard had just over 4,500 authorized cyber workforce positions, which include funded vacancies and tenured positions, made up of military and civilian personnel.
Specifically, about 9% (412 positions) were vacant and 91% (4,095 positions) were filled as of September 2021; however, more civilian positions were unfilled. Approximately three-quarters of the workforce positions are for military personnel. The mandated positions consist of five categories: Cyber IT, Cyber Enablers, Cyber Security, Cyber Intelligence, and Cyber Effects. As of September 2021, about 85 percent of positions overall were in the Cyber IT category, according to a GAO analysis.
Although the Coast Guard has a manpower requirements process “to assess and determine the necessary staffing levels and skills to meet mission needs,” it has not used that process for much of its cyber workforce, according to the watchdog. The GAO found that as of February 2022, the Coast Guard was not using this process for three units at headquarters that make up 55 percent of its cyber workforce positions. The GAO said that until that process is done, the agency “will not fully understand the resources it requires,” including for its cyber workforce. For example, GAO noted that the Coast Guard did not estimate the number of positions it needed and the skill mix needed to meet mission requirements, which may or may not match authorized positions.
The Coast Guard has also fully implemented only seven of 12 selected top recruitment, retention and training practices based on related GAO reports and federal guidance; it only partially implemented three of these best practices and failed to implement two of them, according to the watchdog. The GAO said if the Coast Guard follows these practices, it will better manage its cyber workforce.
Specifically, GAO found that the Coast Guard did not create a strategic workforce plan for its cyber workforce. Best practice recruiting plans include the following: strategic direction; supply, demand and shortage analysis; and implementing a solution as well as monitoring the progress of the plan. According to the watchdog, the agency needs to implement this plan to ensure it doesn’t miss opportunities to recruit for positions.
GAO made six recommendations to the Coast Guard, including that the agency determine the level of cyber staffing needed to meet its mission requirements and fully implement the five remaining best practices. In addition, GAO recommended that the agency: create a strategic workforce plan; use Cyber Mission Specialist rating data to inform its workforce planning; develop recruiting metrics to evaluate the effectiveness of recruiting and hiring efforts; establish retention goals and objectives; and set and track success metrics for improving staff morale for the cyber workforce, to be reported to agency leadership.
The Department of Homeland Security, which houses the Coast Guard, agreed with those recommendations.