Cybersecurity Human Capital:

Initiatives Need Better Planning and Coordination

GAO-12-8: Published: Nov 29, 2011. Publicly Released: Nov 29, 2011.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Threats to federal information technology (IT) infrastructure and systems continue to grow in number and sophistication. The ability to make federal IT infrastructure and systems secure depends on the knowledge, skills, and abilities of the federal and contractor workforce that implements and maintains these systems. In light of the importance of recruiting and retaining cybersecurity personnel, GAO was asked to assess (1) the extent to which federal agencies have implemented and established workforce planning practices for cybersecurity personnel and (2) the status of and plans for governmentwide cybersecurity workforce initiatives. GAO evaluated eight federal agencies with the highest IT budgets to determine their use of workforce planning practices for cybersecurity staff by analyzing plans, performance measures, and other information. GAO also reviewed plans and programs at agencies with responsibility for governmentwide cybersecurity workforce initiatives.

Federal agencies have taken varied steps to implement workforce planning practices for cybersecurity personnel. Five of eight agencies, including the largest, the Department of Defense, have established cybersecurity workforce plans or other agencywide activities addressing cybersecurity workforce planning. However, all of the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology (NIST). Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies. Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives. Finally, the robustness and availability of cybersecurity training and development programs varied significantly among the agencies. For example, the Departments of Commerce and Defense required cybersecurity personnel to obtain certifications and fulfill continuing education requirements. Other agencies used an informal or ad hoc approach to identifying required training.

The federal government has begun several governmentwide initiatives to enhance the federal cybersecurity workforce. The National Initiative for Cybersecurity Education, coordinated by NIST, includes activities to examine and more clearly define the federal cybersecurity workforce structure and roles and responsibilities, and to improve cybersecurity workforce training. However, the initiative lacks plans defining tasks and milestones to achieve its objectives, a clear list of agency activities that are part of the initiative, and a means to measure the progress of each activity. The Chief Information Officers Council, NIST, Office of Personnel Management, and the Department of Homeland Security (DHS) have also taken steps to define skills, competencies, roles, and responsibilities for the federal cybersecurity workforce. However, these efforts overlap and are potentially duplicative, although officials from these agencies reported beginning to take steps to coordinate activities. Furthermore, there is no plan to promote use of the outcomes of these efforts by individual agencies. The Office of Management and Budget and DHS have identified several agencies to be service centers for governmentwide cybersecurity training, but none of the service centers or DHS currently evaluates the training for duplicative content, effectiveness, or extent of use by federal agencies. The Scholarship for Service program, run by the National Science Foundation, is a small though useful source of new talent for the federal government, but the program lacks data on whether its participants remain in the government long-term. GAO is making recommendations to enhance individual agency cybersecurity workforce planning activities and to address governmentwide cybersecurity workforce challenges through better planning, coordination, and evaluation of governmentwide activities. Agencies concurred with the majority of GAO's recommendations and outlined steps to address them. Two agencies did not provide comments on the report.

Recommendations for Executive Action

  1. Status: Open

    Comments: Commerce will implement the 2013 Federal Cybersecurity Initiative, using the common taxonomy and lexicon in OPM's guidance and the National Cybersecurity Workforce Framework to define cybersecurity work and workers. Commerce has begun workforce planning, including a schedule that meets OPM's Project on Cybersecurity guidance for federal agencies to identify and code 90 percent of 2210 series positions by September 30, 2014. Other cybersecurity series are being coded as well and will be part of a statistical data set for OPM's Enterprise Human Resources Integration (EHRI) system.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Commerce should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.

    Agency Affected: Department of Commerce

  2. Status: Closed - Implemented

    Comments: Defense has updated its departmentwide cybersecurity workforce plan to address human capital requirements, critical skills and competencies, and cybersecurity workforce strategies. This action enhances the ability of Defense's Chief Information Officer to ensure that cybersecurity staff are able to support information security goals.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Defense should direct the department's Chief Information Officer, in consultation with the Deputy Assistant Secretary for Defense for Civilian Personnel Policy, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that appropriately address human capital approaches, critical skills, competencies, and supporting requirements for its cybersecurity workforce strategies.

    Agency Affected: Department of Defense

  3. Status: Open

    Comments: Action pending.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Health and Human Services should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.

    Agency Affected: Department of Health and Human Services

  4. Status: Open

    Comments: The Department of Transportation will use in its plans the cybersecurity position descriptions and competencies designed by OPM, the Federal Chief Information Officers (CIO) Council, and the National Initiative for Cybersecurity Education (NICE). Once the CIO Council and NICE initiatives implement position descriptions and competencies, Transportation will update its cybersecurity workforce plans.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Transportation should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that fully address gaps in human capital approaches and critical skills and competencies and supporting requirements for its cybersecurity workforce strategies.

    Agency Affected: Department of Transportation

  5. Status: Open

    Comments: The Department of the Treasury will classify its cybersecurity job positions according to the Office of Personnel Management's (OPM) data codes, and the position descriptions in the National Initiative for Cybersecurity Education (NICE) Framework. Treasury expects to meet OPM's goal of coding 90 percent of all cybersecurity positions by the end of fiscal year 2014. In fiscal year 2015, Treasury will perform a broad workforce-planning effort. Once the evaluation and coding of cybersecurity positions are complete, Treasury will launch its departmentwide workforce planning model.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Treasury should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.

    Agency Affected: Department of the Treasury

  6. Status: Open

    Comments: Action pending.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Veterans Affairs should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity competency model or establish a cybersecurity workforce plan that fully addresses gaps in human capital approaches and critical skills and competencies, supporting requirements for its cybersecurity workforce strategies, and monitoring and evaluating agency progress.

    Agency Affected: Department of Veterans Affairs

  7. Status: Closed - Implemented

    Comments: OMB has partnered with OPM to guide several actions by interagency workgroups and councils, including the CIO Council. These efforts involve improving federal personnel systems by implementing uniform definitions of cybersecurity staff positions. By defining cybersecurity occupations for the federal workforce, OMB's efforts with OPM and the CIO Council help federal agencies better identify and track their cybersecurity workforces.

    Recommendation: To help federal agencies better identify their cybersecurity workforce, the Director of the Office of Personnel Management, in coordination with the Director of the Office of Management and Budget, should collaborate with the CIO Council to identify and develop governmentwide strategies to address challenges federal agencies face in tracking their cybersecurity workforce.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  8. Status: Closed - Implemented

    Comments: The Office of Personnel Management has collaborated with other federal organizations to develop tools for agencies to track their cybersecurity workforces. In May 2013, OPM issued guidance on cybersecurity job category and specialty area codes using definitions that matched those developed by the National Cybersecurity Workforce Framework. By defining cybersecurity occupations for the federal workforce, OPM and the National Initiative for Cybersecurity Education (NICE) Framework help increase assurance that agencies will consistently identify and track their cybersecurity workforces.

    Recommendation: To help federal agencies better identify their cybersecurity workforce, the Director of the Office of Personnel Management, in coordination with the Director of the Office of Management and Budget, should collaborate with the CIO Council to identify and develop governmentwide strategies to address challenges federal agencies face in tracking their cybersecurity workforce.

    Agency Affected: Office of Personnel Management

  9. Status: Closed - Implemented

    Comments: Homeland Security has assumed leadership roles in some components of the National Initiative for Cybersecurity Education (NICE). Additionally, NICE's strategic plan clarifies the organization's governance structure. These steps increase assurance that NICE will achieve its goals, including improving cybersecurity education for the federal government.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Department of Homeland Security

  10. Status: Closed - Implemented

    Comments: Commerce has a lead role in the governance structure of the National Initiative for Cybersecurity Education (NICE), as described in the NICE Strategic Plan. This plan was developed through the cooperation of the various member agencies. A defined governance structure increases assurance that NICE will achieve its goals to educate and improve the nation's cybersecurity workforce.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Department of Commerce

  11. Status: Closed - Implemented

    Comments: OMB has taken steps to clarify the governance structure of the National Initiative for Cybersecurity Education (NICE). OMB's role was one of leadership and guidance to accomplish specific tasks, including the issuance of the NICE Cybersecurity Framework. In particular, OMB was responsible for finalizing and approving the Framework before issuance.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  12. Status: Closed - Implemented

    Comments: OPM and other member agencies have defined the governance structure of the National Initiative for Cybersecurity Education (NICE) in the organization's strategic plan. The plan identifies OPM's leadership roles as a member of NICE. These actions increase assurance that NICE is able to perform its mission effectively.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Office of Personnel Management

  13. Status: Open

    Comments: The Department of Homeland Security (DHS) has produced metrics for measuring agencies' progress in meeting objectives of the National Initiative for Cybersecurity Education (NICE). However, DHS and other NICE member agencies have not yet provided the detailed plans called for in this recommendation.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Department of Homeland Security

  14. Status: Closed - Implemented

    Comments: The Department of Commerce has implemented quarterly reports that compile information from members of the National Initiative for Cybersecurity Education (NICE) on performance measures and metrics for NICE objectives. These steps increase assurance that NICE members will develop detailed plans for improving the cybersecurity workforce.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Department of Commerce

  15. Status: Open

    Comments: Action pending.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  16. Status: Closed - Implemented

    Comments: OPM issued a memorandum in July 2013 that lays out plans for establishing accountability, measuring progress, and determining resources for improving the cybersecurity workforce. OPM also is working with various federal groups to implement a data bank that will help measure agencies' success in reducing gaps in cybersecurity workforce skills. In addition, OPM has developed a checklist with metrics, actions, deliverables, and schedules for closing these skills gaps. OPM is collaborating with NICE and the CIO Council to help agencies with these efforts. These steps increase assurance that the National Initiative for Cybersecurity Education (NICE) will achieve its goals of strengthening cybersecurity.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Office of Personnel Management

  17. Status: Closed - Implemented

    Comments: The Department of Homeland Security is a member of the National Initiative for Cybersecurity Education (NICE), an interagency effort to increase awareness and knowledge of information security, including efforts directed at the federal workforce. NICE has launched the National Cybersecurity Workforce Framework, which describes roles, responsibilities, skills, and competencies for the cybersecurity workforce. These job descriptions are used by the Office of Personnel Management to define job codes for federal employees. In February 2013, Homeland Security launched the National Initiative for Cybersecurity Careers and Studies (NICCS), an online resource that incorporates the National Cybersecurity Workforce Framework and its definitions of duties and skills for cybersecurity professionals.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Department of Homeland Security

  18. Status: Closed - Implemented

    Comments: The Department of Commerce is a member of the National Initiative for Cybersecurity Education (NICE), an interagency effort to improve the nation's cybersecurity education, including efforts directed at the federal workforce. As a member of NICE, Commerce worked with the IT Workforce Assessment for Cybersecurity to establish category and specialty job descriptions for cybersecurity professionals. These job descriptions are used by the Office of Personnel Management to define job codes for federal employees. Commerce's National Institute of Standards and Technology hosts the NICE Web site with its National Cybersecurity Workforce Framework, which defines roles, responsibilities, skills, and competencies for cybersecurity professionals.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Department of Commerce

  19. Status: Closed - Implemented

    Comments: OMB, in response to our recommendation, has provided leadership and guidance for the National Initiative for Cybersecurity Education's (NICE) Cybersecurity Workforce Framework, which defines roles, responsibilities, skills, and competencies for the cybersecurity workforce. In addition, OMB worked with OPM to build a databank in OPM's Enterprise Human Resources Integration (EHRI) data warehouse. The databank defines and catalogs those federal positions performing cybersecurity work as a major duty.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  20. Status: Closed - Implemented

    Comments: OPM has worked with OMB and the CIO Council, along with other agencies and interagency groups, to coordinate and align efforts to define roles, responsibilities, skills, and competencies for the cybersecurity workforce. In May 2013, OPM issued guidance on cybersecurity job category and specialty area codes using definitions that matched those developed by the National Initiative for Cybersecurity Education (NICE) in its Cybersecurity Workforce Framework. By defining cybersecurity occupations for the federal government, OPM and the NICE Framework help agencies consistently identify and track their cybersecurity workforces.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Office of Personnel Management

  21. Status: Closed - Implemented

    Comments: OPM has issued final regulations for pay and incentives that give agencies the authority to authorize retention incentives in order to meet strategic needs. The regulations also define how incentives are to be tracked, assessed, and reported, and specify that incentives cannot be offered unless agencies can show a need to use them for hard-to-fill positions.

    Recommendation: To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Personnel Management should finalize and issue guidance to agencies on how to track the use and effectiveness of incentives for hard-to-fill positions, including cybersecurity positions.

    Agency Affected: Office of Personnel Management

  22. Status: Open

    Comments: The Office of Personnel Management (OPM) did not concur with this recommendation. OPM stated that its standard job analysis methodology is sufficient for ensuring that the competency model accurately reflects the skills of the cybersecurity workforce and that it is not feasible to develop a method for collecting and tracking data on the use of the competency model because many different types of entities use and modify the model. Furthermore, OPM stated it has not had a reason to revise or update the model, so it has not created a schedule for doing so.

    Recommendation: To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Personnel Management should maximize the value of the cybersecurity competency model by (1) developing and implementing a method for ensuring that the competency model accurately reflects the skill set unique to the cybersecurity workforce, (2) developing a method for collecting and tracking data on the use of the competency model, and (3) creating a schedule for revising or updating the model as needed.

    Agency Affected: Office of Personnel Management

  23. Status: Open

    Comments: Action pending.

    Recommendation: To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Management and Budget should direct the CIO Council to develop a strategy for and track agencies' use of the IT Workforce Capability Assessment data.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  24. Status: Open

    Comments: The Department of Homeland Security is developing a questionnaire to gather, in a uniform and comprehensive manner from federal agencies, information on customer satisfaction with security awareness training. The anticipated implementation of the questionnaire is the end of fiscal year 2014. DHS is also working with the Department of State in State's capacity as a training Shared Service Center to obtain feedback on customer satisfaction with specialized training for cybersecurity professionals.

    Recommendation: To ensure that the benefits of the training provided through the Information Systems Security Line of Business are maximized, and resources are used most efficiently, the Secretary of the Department of Homeland Security should implement a process for tracking agency use of line of business training and gathering feedback from agencies on the training's value and opportunities for improvement.

    Agency Affected: Department of Homeland Security

  25. Status: Open

    Comments: DHS, as a participant in the National Initiative for Cybersecurity Education, has reduced duplication in federal procurements of cybersecurity training by using Shared Service Centers to consolidate procurement functions. DHS is also exploring ways to minimize the production and distribution of duplicative products.

    Recommendation: To ensure that the benefits of the training provided through the Information Systems Security Line of Business are maximized, and resources are used most efficiently, the Secretary of the Department of Homeland Security should develop a process to coordinate training offered through the line of business to minimize the production and distribution of duplicative products.

    Agency Affected: Department of Homeland Security

  26. Status: Open

    Comments: According to National Science Foundation officials, as of September 2012 Scholarship for Service (SFS) recipients who are awarded support must report their workforce status for 10 years after completion of their service obligations. The SFS program office at the Office of Personnel Management provides oversight to ensure that all recipients sign the documentation requiring recipients to report this information.

    Recommendation: To better determine the value to the government of the Scholarship for Service program, the Director of the National Science Foundation should develop and implement a mechanism to track the retention rate of program participants beyond their contractual obligation to the government.

    Agency Affected: National Science Foundation

 
