The U.S. Government Accountability Office (GAO) published last week a report on progress in protecting the maritime transportation system from cyber threats posed by China, Iran, North Korea, Russia, transnational criminal organizations, and other actors. It also found that some areas have been neglected in addressing these high cybersecurity risks and recommended that the Coast Guard update its system of record to provide ready access to complete cyber deficiency data, ensure its cyber strategy and plans align with all key characteristics of a national strategy, and analyze, assess, and address workforce competency gaps.
The Department of Homeland Security (DHS) concurred with GAO’s recommendations.
The report addresses the cybersecurity threats and associated risks facing the maritime transportation system, including the extent to which the Coast Guard has established procedures for maintaining cybersecurity incident information; and the extent to which the Coast Guard has taken action to assist and oversee the maritime transportation system owners and operators in mitigating cybersecurity risks, conducted strategic planning to mitigate cybersecurity risks to the maritime transportation system, and implemented leading practices for cyber workforce competency assessments, including addressing prior cyber workforce staffing recommendations.
GAO developed a list of cyber actors that could pose a threat to the MTS, reviewed vulnerable components that could be exploited and the potential impact of cyberattacks on the MTS, and assessed the reliability of the Coast Guard’s data on cybersecurity incidents. To develop the list of cyber threat actors, the agency also reviewed its prior work on cyber-based threats facing critical infrastructure as well as federal threat reports, including the Coast Guard’s 2023 Cyber Trends and Insights in the Marine Environment.
To confirm the accuracy of its cyber threat actor list, GAO interviewed officials and representatives from the Coast Guard, four relevant federal agencies, and four nonfederal stakeholders to confirm the accuracy of its cyber threat actor list.
The report added that when it comes to identifying vulnerable components that could be exploited and the potential impact of attacks on the MTS, GAO reviewed reports developed by relevant federal and industry stakeholders, as well as its previous work on cybersecurity risks to critical infrastructure. “To assess the reliability of Coast Guard’s data on cybersecurity incidents impacting the MTS from July 2019 through May 2024, we compared the data to the definition that the Coast Guard uses for a cybersecurity incident. We determined that Coast Guard’s data were not sufficiently reliable for our purposes of describing the number of reported cybersecurity incidents impacting the MTS.”
GAO reviewed federal cybersecurity requirements as well as Coast Guard documentation on efforts to mitigate cybersecurity risks. It also analyzed Coast Guard policies, procedures, and guidance related to overseeing MTS owner and operator compliance with federal statutes and regulations related to computer systems and networks and documenting cybersecurity risks, and interviewed relevant Coast Guard headquarters and sector officials to confirm their understanding of this information.
“In January 2025, the Coast Guard finalized its rule on minimum cybersecurity requirements for most MTS owners and operators,” the GAO reported. “We have included these updated requirements in our report, as applicable; however, the report does not address the implementation of these new minimum requirements as they will not begin to take effect until July 2025. Additionally, we reviewed cybersecurity-related data recorded in Coast Guard’s Marine Information for Safety and Law Enforcement (MISLE) case management system for facility and vessel inspections in fiscal year 2019 through June 2024. However, we found that, for the purposes of our review, the MISLE inspection-related data that Coast Guard provided are likely not complete.”
GAO reported that for its third objective, the agency analyzed the service’s efforts to develop approaches for implementing a cybersecurity strategy for the MTS subsector. “This included comparing the Coast Guard’s MTS cybersecurity strategy and plans against leading practices we identified in prior work on key characteristics for an effective national strategy.”
For the fourth objective, GAO reviewed documentation related to the Coast Guard’s workforce competency efforts. “We then compared these efforts against leading practices we identified in our prior work highlighting the importance of ensuring that staff are assigned the performance competencies to effectively carry out their duties. We also interviewed Coast Guard officials on their efforts to develop competencies, as well as assess and address competency gaps for the service’s cyber workforce, including efforts to address our prior relevant recommendations.”
In its conclusion, GAO identified that the Coast Guard plays a vital role in protecting the nation’s waterways, ports, and vessels. However, the technology underpinning the MTS is vulnerable to highly damaging cyberattacks, while the Coast Guard’s lack of procedures for cataloging cyber incidents has left the service without an accurate summary of such incidents. Implementing procedures to identify and track accurate cybersecurity incident information would help strengthen the Coast Guard’s ability to prevent or mitigate disruptions that could jeopardize billions in critical commerce.
“Without the ability to readily access complete information on cybersecurity-related deficiencies identified during security inspections, the Coast Guard will be limited in its ability to oversee the extent to which MTS owners and operators comply with cybersecurity-related requirements, including cybersecurity requirements that will begin to take effect July 2025,” GAO reported. “By updating its case management system to provide ready access to complete information, the Coast Guard would be better positioned to fully understand the scope and type of cybersecurity risks MTS owners and operators have identified. Such information could also help the Coast Guard identify any patterns or trends to help inform future job aids and cybersecurity guidance it provides to owners and operators.”
Additionally, without a cybersecurity strategy and plan that addresses key characteristics needed to implement an effective national strategy, including a full assessment of cybersecurity risks to the MTS, the Coast Guard will not be positioned to fully confront these risks. Also, decision-makers will have limited guidance for allocating resources to priority risks. Moreover, updating its strategy and plan would help ensure accountability for efforts to address priority risks.
Finally, fully implementing leading workforce planning activities could help the Coast Guard ensure its personnel have the competencies to help manage key cyber risks to the MTS. Not having a comprehensive understanding of its cyber workforce competency needs limits the Coast Guard’s ability to make informed decisions and plan for staffing needs. Developing competency requirements for all its personnel with MTS cyber responsibilities and addressing any identified gaps could improve the Coast Guard’s efforts to manage cyber risks to the MTS.
GAO made five recommendations to the Coast Guard, including that the Commandant of the Coast Guard should develop and implement documented procedures to ensure the accuracy of cybersecurity incident information that the service identifies and tracks. The Commandant of the Coast Guard should ensure that its case management system for facility and vessel security inspections provides ready access to complete data on specific cybersecurity deficiencies identified during those inspections. Thirdly, the Commandant of the Coast Guard should ensure its cybersecurity strategy and plans address the key characteristics of an effective national strategy, including a full assessment of cybersecurity risks to the MTS.
The report also called upon the Commandant of the Coast Guard to develop future competency needs for all of the service’s personnel with MTS cyber responsibilities for mitigating cyber risks to the MTS and analyze the gaps between current competencies and future needs. Lastly, the Commandant of the Coast Guard should, using the gap analysis of current and future competency needs for personnel with MTS cyber risk mitigation responsibilities, address any gaps in competencies, such as through training.
Regarding the first recommendation that the Commandant of the Coast Guard develop and implement documented procedures to ensure the accuracy of cybersecurity incident information identified and tracked by the service, the Department of Homeland Security (DHS) concurred. DHS stated that the Coast Guard would review its existing cybersecurity incident procedures and determine what additional measures are necessary to ensure the accuracy of tracked cybersecurity incident information, as appropriate.
Concerning the second recommendation that the Commandant of the Coast Guard ensure its case management system for facility and vessel security inspections provides ready access to complete data on specific cybersecurity deficiencies identified during inspections, DHS also concurred.
The Department indicated that the Coast Guard’s Office of Port and Facility Compliance would lead efforts to update the MISLE database to ensure the system provides ready access to complete data on specific cybersecurity deficiencies identified during inspections. These efforts include coordinating system enhancements with other stakeholders, as appropriate, to update MISLE data entry guidelines for vessel and facility inspections.
DHS further concurred with the third recommendation that the Commandant of the Coast Guard ensure its cybersecurity strategy and plans address the key characteristics of an effective national strategy, including a comprehensive assessment of cybersecurity risks to the maritime transportation sector.
DHS noted that once the maritime transportation sector risk assessment and management plan is published, estimated completion date of July 2025, the Coast Guard’s Office of Cyberspace Forces will align the service’s next iteration of the Coast Guard Cyber Strategic Outlook with this plan.
Regarding the fourth recommendation that the Commandant of the Coast Guard develop future competency needs for all personnel with MTS cyber responsibilities to mitigate cyber risks to the MTS and analyze gaps between current competencies and future needs, DHS concurred.
The Department stated that the Coast Guard’s Office of Port and Facility Compliance would establish a cross-program team to determine future competency needs for personnel with MTS cyber responsibilities, analyze gaps between current competencies and future needs, and make recommendations on required competencies, as appropriate.
DHS also concurred with the fifth recommendation that the Commandant of the Coast Guard, leveraging the gap analysis of current and future competency needs for personnel with MTS cyber risk mitigation responsibilities, address any identified competency gaps, such as through training initiatives. DHS noted that the Coast Guard’s Office of Cyberspace Forces acknowledges that future or currently required competencies may necessitate additional training and education.
According to DHS, once the service finalizes its recommendations regarding the necessary competencies for personnel with cyber responsibilities to mitigate cyber risks to the MTS, the Office of Cyberspace Forces will ensure these recommendations are reviewed by relevant program offices and that appropriate actions are developed to address any gaps, as needed. Ongoing monitoring will assess the Coast Guard’s actions and the extent to which they address these recommendations.
