GAO Warns Coast Guard of IT and OT Cybersecurity Vulnerabilities – HS Today – HSToday

To address longstanding issues, the U.S. Coast Guard plans to spend $93 million in fiscal year 2022 to improve its IT systems and infrastructure. But a new report from the Government Accountability Office (GAO) says the Coast Guard still doesn’t fully assess its IT network capacity needs and does not include all of its operational tech in its cybersecurity efforts.
IT systems and operational technology are critical for Coast Guard operations. The Department of Homeland Security (DHS) component relies extensively on IT systems and services to carry out its 11 statutory missions. It also relies on operational technology, which encompasses a broad range of programmable systems or devices that interact with the physical environment, such as sensors and radar. GAO is concerned that the Coast Guard has a history of problems managing these resources and lacks a documented network capacity planning process.
Network capacity planning is an important aspect of IT infrastructure planning that involves determining the network resources required to support an entity’s mission. However, GAO found that the Coast Guard uses an ad hoc process that does not fully align with five common practices GAO identified for network capacity, such as running simulations and performing analyses of network usage.
The Coast Guard is required to follow the Department of Defense’s Risk Management Framework, which establishes two different cybersecurity risk management processes for identifying and applying cybersecurity controls for IT and for operational technology resources. However, GAO found that the Coast Guard did not consistently apply the framework for its operational technology, a failing which the watchdog attributes in part to the lack of a comprehensive and accurate inventory. For example, for one Coast Guard-owned system that is operated by the U.S. Navy, the service could not demonstrate that it had obtained and approved a complete security authorization package from the Navy, as required by the Coast Guard’s cybersecurity risk management process. In addition, GAO determined that the Coast Guard lacks a cybersecurity risk management process for two types of operational technology—industrial control systems and supervisory control and data acquisition systems. 
GAO warns that without a comprehensive inventory of all systems, including all operational technology, the Coast Guard cannot ensure that it is applying adequate cybersecurity measures to all systems and devices on its network. Additionally, without consistently applying a cybersecurity risk management process to platform IT, the Coast Guard risks unauthorized access to those systems or devices, potentially leading to system disruptions and loss of data.
In March 2021, the Coast Guard issued a cloud strategy that outlines its strategic objectives for cloud computing over the next five years. The cloud strategy and associated relevant documentation incorporated most federal cloud requirements and guidance. GAO’s review found, however, that the Coast Guard did not address key actions related to security and its workforce. In April 2022, a Coast Guard official in the Office of Cyberspace Forces stated that the service had received funding to conduct a workforce analysis on the Coast Guard Cyber Command during fiscal year 2022, and that those efforts were underway. According to officials in the same office’s Resources and Planning division, the analysis is scheduled to begin in May 2022 and be completed by May 2023.
GAO has made eight recommendations to the Coast Guard to help improve its IT implementation and security:
DHS concurred with all eight recommendations and said it recognized the importance of having improved IT management and operational technology processes and managing risks for all systems. 
This is not the first time that the Coast Guard’s IT management has come under GAO’s spotlight. Most recently, in May, the government watchdog reported that the Coast Guard needed to improve oversight of its non-major IT acquisition programs after a review found the DHS component does not define risk levels for IT programs. The watchdog found, for example, that the service’s oversight of its non-major IT acquisition programs was hindered because programs are establishing, revising, and communicating cost and schedule goals (or baselines) inconsistently.
Read the full report at GAO


