Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination

GAO-12-8: Published: Nov 29, 2011. Publicly Released: Nov 29, 2011.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Threats to federal information technology (IT) infrastructure and systems continue to grow in number and sophistication. The ability to make federal IT infrastructure and systems secure depends on the knowledge, skills, and abilities of the federal and contractor workforce that implements and maintains these systems. In light of the importance of recruiting and retaining cybersecurity personnel, GAO was asked to assess (1) the extent to which federal agencies have implemented and established workforce planning practices for cybersecurity personnel and (2) the status of and plans for governmentwide cybersecurity workforce initiatives. GAO evaluated eight federal agencies with the highest IT budgets to determine their use of workforce planning practices for cybersecurity staff by analyzing plans, performance measures, and other information. GAO also reviewed plans and programs at agencies with responsibility for governmentwide cybersecurity workforce initiatives.

Federal agencies have taken varied steps to implement workforce planning practices for cybersecurity personnel. Five of eight agencies, including the largest, the Department of Defense, have established cybersecurity workforce plans or other agencywide activities addressing cybersecurity workforce planning. However, all of the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology (NIST). Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies. Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives. Finally, the robustness and availability of cybersecurity training and development programs varied significantly among the agencies. For example, the Departments of Commerce and Defense required cybersecurity personnel to obtain certifications and fulfill continuing education requirements. Other agencies used an informal or ad hoc approach to identifying required training.

The federal government has begun several governmentwide initiatives to enhance the federal cybersecurity workforce. The National Initiative for Cybersecurity Education, coordinated by NIST, includes activities to examine and more clearly define the federal cybersecurity workforce structure and roles and responsibilities, and to improve cybersecurity workforce training. However, the initiative lacks plans defining tasks and milestones to achieve its objectives, a clear list of agency activities that are part of the initiative, and a means to measure the progress of each activity. The Chief Information Officers Council, NIST, Office of Personnel Management, and the Department of Homeland Security (DHS) have also taken steps to define skills, competencies, roles, and responsibilities for the federal cybersecurity workforce. However, these efforts overlap and are potentially duplicative, although officials from these agencies reported beginning to take steps to coordinate activities. Furthermore, there is no plan to promote use of the outcomes of these efforts by individual agencies. The Office of Management and Budget and DHS have identified several agencies to be service centers for governmentwide cybersecurity training, but none of the service centers or DHS currently evaluates the training for duplicative content, effectiveness, or extent of use by federal agencies. The Scholarship for Service program, run by the National Science Foundation, is a small though useful source of new talent for the federal government, but the program lacks data on whether its participants remain in the government long-term.

GAO is making recommendations to enhance individual agency cybersecurity workforce planning activities and to address governmentwide cybersecurity workforce challenges through better planning, coordination, and evaluation of governmentwide activities. Agencies concurred with the majority of GAO's recommendations and outlined steps to address them. Two agencies did not provide comments on the report.

Recommendations for Executive Action

  1. Status: Open

    Comments: The Department of Commerce concurred with the recommendation. In fiscal year 2016 we verified that Commerce, in response to our recommendation, intends to design a department-wide cybersecurity workforce plan that is guided by the Office of Management and Budget's October 2015 Cybersecurity Strategy and Implementation Plan and the Cybersecurity National Action Plan. Commerce expects to develop its cybersecurity workforce plan by the second quarter of fiscal year 2017.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Commerce should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.

    Agency Affected: Department of Commerce

  2. Status: Closed - Implemented

    Comments: Defense has updated its departmentwide cybersecurity workforce plan to address human capital requirements, critical skills and competencies, and cybersecurity workforce strategies. This action enhances the ability of Defense's Chief Information Officer to ensure that cybersecurity staff are able to support information security goals.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Defense should direct the department's Chief Information Officer, in consultation with the Deputy Assistant Secretary for Defense for Civilian Personnel Policy, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that appropriately address human capital approaches, critical skills, competencies, and supporting requirements for its cybersecurity workforce strategies.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: In fiscal year 2015 we verified that the Department of Health and Human Services, in response to our recommendation, issued a cybersecurity workforce plan in 2013. The plan outlines key workforce planning activities for Health and Human Services, and lists recommendations for addressing the department's near and long-term cybersecurity workforce needs. In addition, Health and Human Services has tracked outcomes of efforts it has taken to meet cybersecurity workforce goals.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Health and Human Services should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.

    Agency Affected: Department of Health and Human Services

  4. Status: Open

    Comments: The Department of Transportation neither concurred nor disagreed with the recommendation. In fiscal year 2016 we verified that Transportation has not substantially addressed this recommendation, but has efforts underway to update its workforce planning. Transportation's Chief Information Officer and Chief Human Capital Officer are collecting baseline functional data and workforce planning information from department components through fiscal year 2019, for reporting to OPM as part of the Federal Cybersecurity Strategy Implementation Plan. Transportation intends to use this aggregated data to identify and address gaps in its human capital approaches, critical skills, competencies, and workforce strategies.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Transportation should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that fully address gaps in human capital approaches and critical skills and competencies and supporting requirements for its cybersecurity workforce strategies.

    Agency Affected: Department of Transportation

  5. Status: Closed - Implemented

    Comments: The Department of the Treasury concurred with the recommendation. In fiscal year 2016 we verified that Treasury has produced a departmentwide policy for workforce planning, and is ensuring that departmental components are developing workforce plans. Within Treasury, workforce planning is decentralized, so the Department has developed a draft desk guide to help standardize efforts. Components within Treasury are using the guide to produce workforce action plans that address their specific needs. In addition, the Department has performed a cybersecurity workforce gap analysis.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Treasury should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.

    Agency Affected: Department of the Treasury

  6. Status: Closed - Implemented

    Comments: In fiscal year 2015 we verified that the Department of Veterans Affairs, in response to our recommendation, has issued two documents that address cybersecurity workforce planning. Veterans Affairs' 2013-2015 Information Resources Management Strategic Plan outlines how the department supports and implements competency models. These models build on the Office of Personnel Management's Information Technology Roadmap, but are customized to reflect the specific needs of Veterans Affairs. The competency models set the baseline of knowledge, skills, and abilities for information technology roles, and identify training needs for professional development. The department's Human Capital Strategic Plan 2014-2020 describes how Veterans Affairs will remediate competency gaps, promote workforce strategies to build a well-trained, appropriately skilled cybersecurity staff, and monitor and evaluate implementation of these efforts.

    Recommendation: To improve individual agency cybersecurity workforce planning efforts, the Secretary of Veterans Affairs should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity competency model or establish a cybersecurity workforce plan that fully addresses gaps in human capital approaches and critical skills and competencies, supporting requirements for its cybersecurity workforce strategies, and monitoring and evaluating agency progress.

    Agency Affected: Department of Veterans Affairs

  7. Status: Closed - Implemented

    Comments: OMB has partnered with OPM to guide several actions by interagency workgroups and councils, including the CIO Council. These efforts involve improving federal personnel systems by implementing uniform definitions of cybersecurity staff positions. By defining cybersecurity occupations for the federal workforce, OMB's efforts with OPM and the CIO Council help federal agencies better identify and track their cybersecurity workforces.

    Recommendation: To help federal agencies better identify their cybersecurity workforce, the Director of the Office of Personnel Management, in coordination with the Director of the Office of Management and Budget, should collaborate with the CIO Council to identify and develop governmentwide strategies to address challenges federal agencies face in tracking their cybersecurity workforce.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  8. Status: Closed - Implemented

    Comments: The Office of Personnel Management has collaborated with other federal organizations to develop tools for agencies to track their cybersecurity workforces. In May 2013, OPM issued guidance on cybersecurity job category and specialty area codes using definitions that matched those developed by the National Cybersecurity Workforce Framework. By defining cybersecurity occupations for the federal workforce, OPM and the National Initiative for Cybersecurity Education (NICE) Framework help increase assurance that agencies will consistently identify and track their cybersecurity workforces.

    Recommendation: To help federal agencies better identify their cybersecurity workforce, the Director of the Office of Personnel Management, in coordination with the Director of the Office of Management and Budget, should collaborate with the CIO Council to identify and develop governmentwide strategies to address challenges federal agencies face in tracking their cybersecurity workforce.

    Agency Affected: Office of Personnel Management

  9. Status: Closed - Implemented

    Comments: Homeland Security has assumed leadership roles in some components of the National Initiative for Cybersecurity Education (NICE). Additionally, NICE's strategic plan clarifies the organization's governance structure. These steps increase assurance that NICE will achieve its goals, including improving cybersecurity education for the federal government.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Department of Homeland Security

  10. Status: Closed - Implemented

    Comments: Commerce has a lead role in the governance structure of the National Initiative for Cybersecurity Education (NICE), as described in the NICE Strategic Plan. This plan was developed through the cooperation of the various member agencies. A defined governance structure increases assurance that NICE will achieve its goals to educate and improve the nation's cybersecurity workforce.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Department of Commerce

  11. Status: Closed - Implemented

    Comments: OMB has taken steps to clarify the governance structure of the National Initiative for Cybersecurity Education (NICE). OMB's role was one of leadership and guidance to accomplish specific tasks, including the issuance of the NICE Cybersecurity Framework. In particular, OMB was responsible for finalizing and approving the Framework before issuance.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  12. Status: Closed - Implemented

    Comments: In fiscal year 2015 we verified that the Office of Personnel Management (OPM), in response to our recommendation and in concert with other agencies, has defined the governance structure of the National Initiative for Cybersecurity Education (NICE) in the organization's strategic plan. The plan identifies OPM's leadership roles as a member of NICE. These actions increase assurance that NICE is able to perform its mission effectively.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.

    Agency Affected: Office of Personnel Management

  13. Status: Closed - Implemented

    Comments: The National Initiative for Cybersecurity Education (NICE), of which the Department of Homeland Security is a partner, developed and finalized a NICE strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Department of Homeland Security

  14. Status: Closed - Implemented

    Comments: The Department of Commerce concurred with the recommendation. The National Initiative for Cybersecurity Education (NICE), of which Commerce is a partner, developed and finalized a NICE strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals. In fiscal year 2016 we verified that Commerce's National Institute of Standards and Technology (NIST) acted as the lead agency to produce the revised NICE strategic plan, and that NIST's leadership team at NICE documented various performance measures and supporting metrics for NICE's cybersecurity goals.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Department of Commerce

  15. Status: Closed - Implemented

    Comments: In fiscal year 2016 we verified that the National Initiative for Cybersecurity Education (NICE), of which the Office of Management and Budget is a partner, developed and finalized a NICE strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals. Additionally, in October 2015 OMB issued a memorandum, M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, that offers detailed plans for agency accountability, measurement of progress, and determination of resources to improve the federal cybersecurity workforce.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  16. Status: Closed - Implemented

    Comments: The National Initiative for Cybersecurity Education (NICE), of which the Office of Personnel Management is a partner, developed and finalized a NICE strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

    Agency Affected: Office of Personnel Management

  17. Status: Closed - Implemented

    Comments: The Department of Homeland Security is a member of the National Initiative for Cybersecurity Education (NICE), an interagency effort to increase awareness and knowledge of information security, including efforts directed at the federal workforce. NICE has launched the National Cybersecurity Workforce Framework, which describes roles, responsibilities, skills, and competencies for the cybersecurity workforce. These job descriptions are used by the Office of Personnel Management to define job codes for federal employees. In February 2013, Homeland Security launched the National Initiative for Cybersecurity Careers and Studies (NICCS), an online resource that incorporates the National Cybersecurity Workforce Framework and its definitions of duties and skills for cybersecurity professionals.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Department of Homeland Security

  18. Status: Closed - Implemented

    Comments: The Department of Commerce is a member of the National Initiative for Cybersecurity Education (NICE), an interagency effort to improve the nation's cybersecurity education, including efforts directed at the federal workforce. As a member of NICE, Commerce worked with the IT Workforce Assessment for Cybersecurity to establish category and specialty job descriptions for cybersecurity professionals. These job descriptions are used by the Office of Personnel Management to define job codes for federal employees. Commerce's National Institute of Standards and Technology hosts the NICE Web site with its National Cybersecurity Workforce Framework, which defines roles, responsibilities, skills, and competencies for cybersecurity professionals.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Department of Commerce

  19. Status: Closed - Implemented

    Comments: OMB, in response to our recommendation, has provided leadership and guidance for the National Initiative for Cybersecurity Education's (NICE) Cybersecurity Workforce Framework, which defines roles, responsibilities, skills, and competencies for the cybersecurity workforce. In addition, OMB worked with OPM to build a databank in OPM's Enterprise Human Resources Integration (EHRI) data warehouse. The databank defines and catalogs those federal positions performing cybersecurity work as a major duty.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  20. Status: Closed - Implemented

    Comments: OPM has worked with OMB and the CIO Council, along with other agencies and interagency groups, to coordinate and align efforts to define roles, responsibilities, skills, and competencies for the cybersecurity workforce. In May 2013, OPM issued guidance on cybersecurity job category and specialty area codes using definitions that matched those developed by the National Initiative for Cybersecurity Education (NICE) in its Cybersecurity Workforce Framework. By defining cybersecurity occupations for the federal government, OPM and the NICE Framework help agencies consistently identify and track their cybersecurity workforces.

    Recommendation: To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

    Agency Affected: Office of Personnel Management

  21. Status: Closed - Implemented

    Comments: OPM has issued final regulations for pay and incentives that give agencies the authority to authorize retention incentives in order to meet strategic needs. The regulations also define how incentives are to be tracked, assessed, and reported, and specify that incentives cannot be offered unless agencies can show a need to use them for hard-to-fill positions.

    Recommendation: To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Personnel Management should finalize and issue guidance to agencies on how to track the use and effectiveness of incentives for hard-to-fill positions, including cybersecurity positions.

    Agency Affected: Office of Personnel Management

  22. Status: Closed - Not Implemented

    Comments: In fiscal year 2015 we verified that the Office of Personnel Management (OPM) will not take action on this recommendation. OPM did not concur with the recommendation when the GAO report was issued. According to an agency official, OPM's standard job-analysis methodology is sufficient for ensuring that the competency model accurately reflects the skills of the cybersecurity workforce. It is not feasible to develop a method for collecting and tracking data on the use of the competency model because many different types of entities use and modify the model. Furthermore, OPM has stated that it has not had a reason to revise or update the model, so the agency has not created a schedule for doing so.

    Recommendation: To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Personnel Management should maximize the value of the cybersecurity competency model by (1) developing and implementing a method for ensuring that the competency model accurately reflects the skill set unique to the cybersecurity workforce, (2) developing a method for collecting and tracking data on the use of the competency model, and (3) creating a schedule for revising or updating the model as needed.

    Agency Affected: Office of Personnel Management

  23. Status: Closed - Implemented

    Comments: In fiscal year 2016 we verified that the Office of Management and Budget (OMB) participates in the National Initiative for Cybersecurity Education (NICE), and supports agencies' use of the NICE Framework to map cybersecurity jobs. However, events overcame GAO's recommendation that OMB direct the CIO Council to develop a strategy for and track agencies' use of the IT Workforce Capability Assessment data. In 2015, after a major security breach in a federal agency's network systems, OMB took steps to strengthen cybersecurity practices across the government. In October 2015 OMB issued a memorandum, M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. This memorandum directs agencies to participate in OPM's Special Cyber Workforce Project to identify their cyber talent and address gaps. The memorandum also lists several mechanisms for tracking agencies' efforts to improve their cybersecurity workforces, thereby addressing the intent of GAO's recommendation.

    Recommendation: To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Management and Budget should direct the CIO Council to develop a strategy for and track agencies' use of the IT Workforce Capability Assessment data.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  24. Status: Closed - Implemented

    Comments: The Information Systems Security Line of Business (ISSLoB) is managed by the Department of Homeland Security (DHS). This initiative tracks Shared Service Centers (SSC), which procure training for federal agencies. In fiscal year 2015 we verified that DHS developed a survey instrument to track line of business training and to gather agencies' assessments of the training, including ways in which it can be improved. DHS confirmed that it began distributing the survey in November 2014, and will continue to send the survey to agencies on a quarterly basis. Additionally, DHS developed a tracking tool to collect information on agencies' use of line of business training. This tracking tool is used to provide metrics and cost data on security awareness training and risk management framework training.

    Recommendation: To ensure that the benefits of the training provided through the Information Systems Security Line of Business are maximized, and resources are used most efficiently, the Secretary of the Department of Homeland Security should implement a process for tracking agency use of line of business training and gathering feedback from agencies on the training's value and opportunities for improvement.

    Agency Affected: Department of Homeland Security

  25. Status: Closed - Implemented

    Comments: The Information Systems Security Line of Business (ISSLoB) is managed by the Department of Homeland Security. This initiative tracks Shared Service Centers, which procure training for federal agencies. ISSLoB reports on the performance of the Shared Service Centers in several areas, including agencies' use of these centers, and cost avoidance. Homeland Security developed a survey instrument to track line of business training and to gather agencies' assessments of the training, including ways in which it can be improved. In fiscal year 2015 we verified that the department began distributing the survey in November 2014, and will continue to send the survey to agencies on a quarterly basis. This survey gives Homeland Security a procedure for periodically gathering information on the effectiveness of available training and determining where duplicative services exist. Survey results will allow the department and other agencies to coordinate and streamline training offered through the ISSLoB program.

    Recommendation: To ensure that the benefits of the training provided through the Information Systems Security Line of Business are maximized, and resources are used most efficiently, the Secretary of the Department of Homeland Security should develop a process to coordinate training offered through the line of business to minimize the production and distribution of duplicative products.

    Agency Affected: Department of Homeland Security

  26. Status: Closed - Implemented

    Comments: In fiscal year 2015 we verified that the National Science Foundation (NSF), in response to our recommendation, added a paragraph to the Cyber Corps Scholarship for Service (SFS) service agreement requiring scholarship recipients to update their contact information as needed and complete annual surveys for 8 years after they have completed their service commitments. The SFS Graduate Retention Survey that NSF developed asks participants for their employment history from the time that they were enrolled in the SFS program to the present. It also asks participants whether they are considering leaving their jobs within the next 12 months, and if so, why. Survey results allow the agency to track the number of scholarship recipients who continue to work in government cybersecurity positions after they have completed their contractual obligations. These steps increase assurance that the agency will be able to quantify the benefits of the Scholarship for Service program in relation to other such initiatives in the federal government.

    Recommendation: To better determine the value to the government of the Scholarship for Service program, the Director of the National Science Foundation should develop and implement a mechanism to track the retention rate of program participants beyond their contractual obligation to the government.

    Agency Affected: National Science Foundation

 
