Actions taken by DHS and two of its component agencies (the Coast Guard and FEMA) as well as other federal agencies to address cybersecurity in the maritime port environment have been limited, GAO has said.
It said that while the Coast Guard has initiated a number of activities and coordinating strategies to improve physical security in specific ports, it has not conducted a risk assessment that fully addresses cyber-related threats, vulnerabilities, and consequences.
The Coast Guard says it’s planning to conduct such an assessment in the future, but did not provide details to show how it would address cybersecurity. It also says guidance for developing the next set of maritime security plans (due for update this year) will include cybersecurity requirements, according to GAO-14-459.
It said that under a program to provide security-related grants to ports, FEMA identified enhancing cybersecurity capabilities as a funding priority for the first time in fiscal 2013 and has provided guidance for cybersecurity-related proposals.
However, the agency has not consulted cybersecurity-related subject matter experts to inform the multi-level review of cyber-related proposals — partly because FEMA has downsized the expert panel that reviews grants, GAO said.
DHS agreed with recommendations to direct the Coast Guard to assess cyber-related risks, use this assessment to inform maritime security guidance, and determine whether the sector coordinating council should be reestablished. It also agreed to direct FEMA to develop procedures to consult DHS cybersecurity experts for assistance in reviewing grant proposals and use the results of the cyber-risk assessment to inform its grant guidance.
