Coast Guard Must Address Cyber Workforce Needs, Watchdog Says

The Coast Guard—which ensures the safety and security of the U.S. maritime transportation system and borders—should address its cyberspace workforce needs as it becomes more reliant on that workforce to maintain and protect its IT systems and data from threat, according to a report released Tuesday by the Government Accountability Office. The need is increasingly important as the marine transportation system experienced more than 500 cyberattacks in 2020 and the average cost of a data breach was $3.9 million.

The report stated that in 2015 the agency established cyberspace as an operational domain to help protect the maritime transportation system from threats that could come from the internet, telecommunications networks and computer systems. The watchdog noted that as of September 2021, the Coast Guard had a little more than 4,500 authorized cyberspace workforce positions—which include funded vacant and filled positions—that consist of military and civilian personnel. 

Specifically, about 9%—or 412 positions—are vacant and 91%—or 4,095 positions—are filled as of September 2021; however, more civilian positions were vacant. Approximately three-quarters of the workforce positions are for military personnel. The authorized positions comprise five categories: cyberspace IT, cyberspace enablers, cybersecurity, cyberspace intelligence and cyberspace effects. As of September 2021, about 85% of the positions overall were in the cyberspace IT category, according to a GAO analysis.

While the Coast Guard has its Manpower Requirements Determination process “to assess and determine necessary staffing levels and skills to meet mission needs,” it has not used this process for a large portion of its cyber workforce, according to the watchdog. GAO found that as of February 2022, the Coast Guard had not utilized this process for three headquarter units, which make up 55% of its cyberspace workforce positions. GAO stated that until this process is performed, the agency “will not fully understand the resources it requires,” including for its cyber workforce. For example, GAO noted that the Coast Guard has not assessed the number of positions it needs and the mix of skills necessary to meet mission demands, which may or may not align with the authorized positions.

The Coast Guard has also only fully implemented seven out of 12 chosen recruitment, retention and training leading practices, based on related GAO reports and federal guidance; it has only partially implemented three of these best practices and did not implement two of them, according to the watchdog. GAO stated that if the Coast Guard follows these practices it would better manage its cyberspace workforce.

Specifically, GAO found that the Coast Guard has not created a strategic workforce plan for its cyber workforce. Best recruitment practice plans include the following: strategic direction; supply, demand and gap analysis; and solution implementation, as well as plan progress monitoring. According to the watchdog, the agency needs to implement this plan to ensure it is not missing recruitment opportunities for positions.

GAO made six recommendations for the Coast Guard to address, including for the agency to determine its cyberspace staffing level needs to meet its mission demands and for it to fully implement the five remaining best practices. Additionally, GAO recommended that the agency: create a strategic workforce plan; use data from the Cyber Mission Specialist rating to inform its workforce planning; develop recruitment metrics to assess the effectiveness of recruitment and hiring efforts; establish retention goals and objectives; and set up and track metrics of success to improve personnel morale for the cyberspace workforce, to be reported to agency leadership.

The Department of Homeland Security, which houses the Coast Guard, agreed with these recommendations.