GAO determines Coast Guard cyberspace workforce planning actions must address growing mission demands

A U.S. Government Accountability Office (GAO) report has been released that addresses the extent the U.S. Coast Guard has identified its cyberspace workforce and determined its associated mission needs and implemented selected leading practices in its cyberspace workforce recruitment, retention, and training. The watchdog selected the leading practices by reviewing those identified in relevant GAO reports and federal guidance.

The Coast Guard has a process to assess workforce levels and skills needed for its missions. But it hasn’t used this process for a large portion of its cyberspace workforce, including across three headquarters units that collectively represent 55 percent of its cyberspace positions. 

In 2020, the marine transportation system, which moves people and goods through U.S. waterways, suffered over 500 cyberattacks. As of September last year, the Coast Guard determined it had 4,507 authorized cyberspace workforce positions (i.e., funded positions that could be vacant or filled), consisting of military and civilian personnel. 

Coast Guard guidance calls for the service to use its Manpower Requirements Determination process to assess and determine necessary staffing levels and skills to meet mission needs, GAO said in a report released on Tuesday. However, GAO found that the service had not used this process for a large portion of its cyberspace workforce.

For example, as of February this year, the Coast Guard had not used this process for three headquarters units representing 55 percent of its cyberspace workforce positions. Until the completion of such analysis, the Coast Guard will not fully understand the resources it requires, including those to protect its information systems and data from threats.

“To address the first objective, we analyzed Coast Guard data and documentation, reviewed an applicable law and standards and interviewed cognizant Coast Guard officials,” GAO reported. “Specifically, we analyzed Coast Guard data on its cyberspace personnel, as of September 2021—the most recent date Coast Guard officials told us data were available.” The GAO conducted this performance audit from May 2021 to September 2022, following generally accepted government auditing standards. 

Based on its findings, the GAO recommended to the Coast Guard that the commandant of the Coast Guard should assess and determine the staffing levels needed to meet its cyberspace mission demands. The Commandant also should establish a strategic workforce plan for its cyberspace workforce, including strategies and implementing activities to address all competency and staffing needs, and incorporate data from the cyber mission specialist rating to inform its strategic workforce planning for the enlisted cyberspace workforce. 

Additionally, the GAO report suggested that the Commandant of the Coast Guard should develop metrics for the recruitment of enlisted and all civilian cyberspace personnel and use these metrics to assess the effectiveness of its recruitment and hiring efforts. The Commandant should also set and quantify retention goals and objectives for its cyberspace workforce, establish and track metrics of success for improving cyberspace personnel morale, and report its progress to Coast Guard leadership.

GAO said in its report that it analyzed Coast Guard documentation, data and interviewed cognizant Coast Guard officials. To assess the reliability of the data, GAO reviewed the Coast Guard’s procedures manual for identifying and recording personnel within its cyberspace workforce, performed electronic testing, such as testing for missing data, and interviewed Coast Guard officials from its Office of Cyberspace Forces about their practices for maintaining the data. 

GAO determined that the data were sufficiently reliable to report characteristics of authorized cyberspace positions. “Specifically, these characteristics included the personnel type (i.e., military or civilian), status (i.e., filled or vacant), cyberspace category (e.g., Cyberspace IT or Cybersecurity), and unit type.” 

The agency also reviewed applicable laws and standards for identifying the cyberspace workforce and interviewed officials from the Coast Guard’s Office of Cyberspace Forces to understand how the service implemented them.

The U.S. watchdog also analyzed the Coast Guard’s documentation on its process for determining workforce staffing levels needed for its cyberspace mission needs. The documentation GAO analyzed included the Coast Guard’s Manpower Requirement Determination Tactics, Techniques, and Procedures (TTPs) and its most recently issued Manpower Requirements Plan. 

In addition, GAO reviewed documentation on the Coast Guard’s status in conducting workforce analysis, known as Manpower Requirements Analysis, for its cyberspace workforce. It compared this information against Coast Guard guidance for conducting these analyses and its human capital strategy documentation.

To address the second objective, GAO identified topic areas associated with human capital management based on its review of workforce planning and management reports and guidance from the Office of Personnel Management (OPM) and the Office of Management and Budget (OMB). From these topic areas, GAO selected five of particular importance to successful workforce planning, including strategic workforce planning, recruiting and hiring efforts, retention incentives, employee morale, and training and development. 

GAO also analyzed Coast Guard data on recruitment and retention incentives and the service provided to its cyberspace workforce from fiscal years 2019 through 2021. The Coast Guard did not have retention incentive data available on civilian and officer personnel for the fiscal year 2019 because it had not provided incentives to the cyberspace workforce during this time. 

“To assess the reliability of the data, we reviewed the Coast Guard’s guidance for providing these incentives and interviewed officials about their practices for maintaining the data,” GAO said. “We determined that the data were sufficiently reliable for the purpose of reporting the number of personnel who received these incentives and the amount provided.”

GAO said that although it is central to effectively managing its cyberspace workforce, the Coast Guard has not developed a strategic workforce plan for this workforce segment or fully used data and metrics to guide its planning efforts. “Without having such a plan—that includes strategies and implementing activities to address all cyberspace competency and staffing needs—the Coast Guard will likely miss opportunities to recruit for difficult-to-fill cyberspace positions, a problem that has worsened in recent years.” 

Additionally, incorporating data from its new Cyber Mission Specialist rating into its strategic workforce planning would put the Coast Guard in a better position to plan for its enlisted cyberspace workforce. Further, developing metrics and using them to assess the effectiveness of its enlisted and all civilian cyberspace workforce recruitment and hiring process would better position the Coast Guard to understand and improve these efforts.

GAO also said that setting and quantifying specific retention goals and objectives for its cyberspace workforce would help the Coast Guard better evaluate the success of its retention approaches. Additionally, efforts to improve morale in the cyberspace workforce are important to retain the personnel. “By establishing and tracking metrics of success for improving its cyberspace workforce morale and reporting its progress to leadership, the Coast Guard would have information to address cyberspace morale issues. It would also allow the Coast Guard to determine any progress made on improving morale,” it added.

Last week, the GAO reported that the National Nuclear Security Administration (NNSA) and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment. In addition, the NNSA has not fully implemented these practices in its operational technology (OT) and nuclear weapons IT (NW-IT) environments.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.