
Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination

GAO-12-8 Published: Nov 29, 2011. Publicly Released: Nov 29, 2011.

Highlights

Threats to federal information technology (IT) infrastructure and systems continue to grow in number and sophistication. The ability to make federal IT infrastructure and systems secure depends on the knowledge, skills, and abilities of the federal and contractor workforce that implements and maintains these systems. In light of the importance of recruiting and retaining cybersecurity personnel, GAO was asked to assess (1) the extent to which federal agencies have implemented and established workforce planning practices for cybersecurity personnel and (2) the status of and plans for governmentwide cybersecurity workforce initiatives. GAO evaluated eight federal agencies with the highest IT budgets to determine their use of workforce planning practices for cybersecurity staff by analyzing plans, performance measures, and other information. GAO also reviewed plans and programs at agencies with responsibility for governmentwide cybersecurity workforce initiatives.

Federal agencies have taken varied steps to implement workforce planning practices for cybersecurity personnel. Five of eight agencies, including the largest, the Department of Defense, have established cybersecurity workforce plans or other agencywide activities addressing cybersecurity workforce planning. However, all of the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology (NIST). Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies. Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives. Finally, the robustness and availability of cybersecurity training and development programs varied significantly among the agencies. For example, the Departments of Commerce and Defense required cybersecurity personnel to obtain certifications and fulfill continuing education requirements. Other agencies used an informal or ad hoc approach to identifying required training.

The federal government has begun several governmentwide initiatives to enhance the federal cybersecurity workforce. The National Initiative for Cybersecurity Education, coordinated by NIST, includes activities to examine and more clearly define the federal cybersecurity workforce structure and roles and responsibilities, and to improve cybersecurity workforce training. However, the initiative lacks plans defining tasks and milestones to achieve its objectives, a clear list of agency activities that are part of the initiative, and a means to measure the progress of each activity. The Chief Information Officers Council, NIST, Office of Personnel Management, and the Department of Homeland Security (DHS) have also taken steps to define skills, competencies, roles, and responsibilities for the federal cybersecurity workforce. However, these efforts overlap and are potentially duplicative, although officials from these agencies reported beginning to take steps to coordinate activities. Furthermore, there is no plan to promote use of the outcomes of these efforts by individual agencies. The Office of Management and Budget and DHS have identified several agencies to be service centers for governmentwide cybersecurity training, but none of the service centers or DHS currently evaluates the training for duplicative content, effectiveness, or extent of use by federal agencies. The Scholarship for Service program, run by the National Science Foundation, is a small though useful source of new talent for the federal government, but the program lacks data on whether its participants remain in the government long-term. GAO is making recommendations to enhance individual agency cybersecurity workforce planning activities and to address governmentwide cybersecurity workforce challenges through better planning, coordination, and evaluation of governmentwide activities. Agencies concurred with the majority of GAO's recommendations and outlined steps to address them. Two agencies did not provide comments on the report.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Commerce To improve individual agency cybersecurity workforce planning efforts, the Secretary of Commerce should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.
Closed – Not Implemented
As of October 2017, Commerce has not provided sufficient evidence to demonstrate that it has developed a department-level workforce plan or that its components have developed workforce plans.
Department of Defense To improve individual agency cybersecurity workforce planning efforts, the Secretary of Defense should direct the department's Chief Information Officer, in consultation with the Deputy Assistant Secretary for Defense for Civilian Personnel Policy, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that appropriately address human capital approaches, critical skills, competencies, and supporting requirements for its cybersecurity workforce strategies.
Closed – Implemented
In fiscal year 2014, we verified that the Department of Defense, in response to our recommendation, updated its departmentwide cybersecurity workforce plan. The plan addressed human capital requirements, critical skills and competencies, and cybersecurity workforce strategies. This action enhances the ability of Defense's Chief Information Officer to ensure that cybersecurity staff are able to support information security goals.
Department of Health and Human Services To improve individual agency cybersecurity workforce planning efforts, the Secretary of Health and Human Services should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.
Closed – Implemented
In fiscal year 2015, we verified that the Department of Health and Human Services, in response to our recommendation, issued a cybersecurity workforce plan in 2013. The plan outlines key workforce planning activities for Health and Human Services, and lists recommendations for addressing the department's near and long-term cybersecurity workforce needs. In addition, Health and Human Services has tracked outcomes of efforts it has taken to meet cybersecurity workforce goals.
Department of Transportation To improve individual agency cybersecurity workforce planning efforts, the Secretary of Transportation should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that fully address gaps in human capital approaches and critical skills and competencies and supporting requirements for its cybersecurity workforce strategies.
Closed – Implemented
The Department of Transportation neither concurred nor disagreed with the recommendation. In fiscal year 2017, we verified that Transportation, in response to our recommendation, in January 2017 issued an updated workforce management program. This program is designed to be comprehensive and to allow the department's components to adapt its content to meet their human capital and workforce planning needs.
Department of the Treasury To improve individual agency cybersecurity workforce planning efforts, the Secretary of Treasury should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.
Closed – Implemented
In fiscal year 2016, we verified that the Department of Treasury, in response to our recommendation, produced a departmentwide policy for workforce planning, and is ensuring that departmental components are developing workforce plans. Within Treasury, workforce planning is decentralized, so the Department has developed a draft desk guide to help standardize efforts. Components within Treasury are using the guide to produce workforce action plans that address their specific needs. In addition, the Department has performed a cybersecurity workforce gap analysis.
Department of Veterans Affairs To improve individual agency cybersecurity workforce planning efforts, the Secretary of Veterans Affairs should direct the department's Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity competency model or establish a cybersecurity workforce plan that fully addresses gaps in human capital approaches and critical skills and competencies, supporting requirements for its cybersecurity workforce strategies, and monitoring and evaluating agency progress.
Closed – Implemented
In fiscal year 2015, we verified that the Department of Veterans Affairs, in response to our recommendation, has issued two documents that address cybersecurity workforce planning. Veterans Affairs' 2013-2015 Information Resources Management Strategic Plan outlines how the department supports and implements competency models. These models build on the Office of Personnel Management's Information Technology Roadmap, but are customized to reflect the specific needs of Veterans Affairs. The competency models set the baseline of knowledge, skills, and abilities for information technology roles, and identify training needs for professional development. The department's Human Capital Strategic Plan 2014-2020 describes how Veterans Affairs will remediate competency gaps, promote workforce strategies to build a well-trained, appropriately skilled cybersecurity staff, and monitor and evaluate implementation of these efforts.
Office of Management and Budget To help federal agencies better identify their cybersecurity workforce, the Director of the Office of Personnel Management, in coordination with the Director of the Office of Management and Budget, should collaborate with the CIO Council to identify and develop governmentwide strategies to address challenges federal agencies face in tracking their cybersecurity workforce.
Closed – Implemented
In fiscal year 2014, we verified that the Office of Personnel Management (OPM) and Office of Management and Budget (OMB), in response to our recommendation, collaborated with the CIO Council to identify and develop governmentwide strategies to address challenges federal agencies face in tracking their cybersecurity workforce. OMB has partnered with OPM to guide several actions by interagency workgroups and councils, including the CIO Council. These efforts involve improving federal personnel systems by implementing uniform definitions of cybersecurity staff positions. By defining cybersecurity occupations for the federal workforce, OMB's efforts with OPM and the CIO Council help federal agencies better identify and track their cybersecurity workforces.
Office of Personnel Management To help federal agencies better identify their cybersecurity workforce, the Director of the Office of Personnel Management, in coordination with the Director of the Office of Management and Budget, should collaborate with the CIO Council to identify and develop governmentwide strategies to address challenges federal agencies face in tracking their cybersecurity workforce.
Closed – Implemented
In fiscal year 2014, we verified that the Office of Personnel Management (OPM), in response to our recommendation, has collaborated with other federal organizations to develop tools for agencies to track their cybersecurity workforces. In May 2013, OPM issued guidance on cybersecurity job category and specialty area codes using definitions that matched those developed by the National Cybersecurity Workforce Framework. By defining cybersecurity occupations for the federal workforce, OPM and the National Initiative for Cybersecurity Education (NICE) Framework help increase assurance that agencies will consistently identify and track their cybersecurity workforces.
Department of Homeland Security To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.
Closed – Implemented
In fiscal year 2014, we verified that the Department of Homeland Security (DHS) has collaborated through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities. For example, DHS has assumed leadership roles in some components of the National Initiative for Cybersecurity Education (NICE). Additionally, NICE's strategic plan clarifies the organization's governance structure. These steps increase assurance that NICE will achieve its goals, including improving cybersecurity education for the federal government.
Department of Commerce To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.
Closed – Implemented
In fiscal year 2014, we verified that the Department of Commerce, in response to our recommendation, has a lead role in the governance structure of the National Initiative for Cybersecurity Education (NICE), as described in the NICE Strategic Plan. This plan was developed through the cooperation of the various member agencies. A defined governance structure increases assurance that NICE will achieve its goals to educate and improve the nation's cybersecurity workforce.
Office of Management and Budget To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.
Closed – Implemented
In fiscal year 2014, we verified that the Office of Management and Budget, in response to our recommendation, has taken steps to clarify the governance structure of the National Initiative for Cybersecurity Education (NICE). OMB's role was one of leadership and guidance to accomplish specific tasks, including the issuance of the NICE Cybersecurity Framework. In particular, OMB was responsible for finalizing and approving the Framework before issuance.
Office of Personnel Management To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to clarify the governance structure for NICE to specify responsibilities and processes for planning and monitoring of initiative activities.
Closed – Implemented
In fiscal year 2015, we verified that the Office of Personnel Management (OPM), in response to our recommendation and in concert with other agencies, has defined the governance structure of the National Initiative for Cybersecurity Education (NICE) in the organization's strategic plan. The plan identifies OPM's leadership roles as a member of NICE. These actions increase assurance that NICE is able to perform its mission effectively.
Department of Homeland Security To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.
Closed – Implemented
In fiscal year 2015, we verified that the Department of Homeland Security (DHS), in response to our recommendation, in concert with other agencies, developed and finalized a National Initiative for Cybersecurity Education (NICE) strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals.
Department of Commerce To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.
Closed – Implemented
In fiscal year 2016, we verified that the Department of Commerce, in response to our recommendation, developed and finalized a National Initiative for Cybersecurity Education (NICE) strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals. In fiscal year 2016, we verified that Commerce's National Institute of Standards and Technology (NIST) acted as the lead agency to produce the revised NICE strategic plan, and that NIST's leadership team at NICE documented various performance measures and supporting metrics for NICE's cybersecurity goals.
Office of Management and Budget To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.
Closed – Implemented
In fiscal year 2016, we verified that the Office of Management and Budget (OMB), in response to our recommendation, developed and finalized a National Initiative for Cybersecurity Education (NICE) strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals. Additionally, in October 2015, OMB issued a memorandum, M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, that offers detailed plans for agency accountability, measurement of progress, and determination of resources to improve the federal cybersecurity workforce.
Office of Personnel Management To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.
Closed – Implemented
In fiscal year 2014, we verified that the Office of Personnel Management (OPM), in response to our recommendation, developed and finalized a National Initiative for Cybersecurity Education (NICE) strategic plan that lays out the program goals for cybersecurity education. The plan also mentions various performance measures and supporting metrics for NICE's cybersecurity goals.
Department of Homeland Security To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.
Closed – Implemented
In fiscal year 2014, we verified that the Department of Homeland Security (DHS), in response to our recommendation, is a member of The National Initiative for Cybersecurity Education (NICE), an interagency effort to increase awareness and knowledge of information security, including efforts directed at the federal workforce. NICE has launched the National Cybersecurity Workforce Framework, which describes roles, responsibilities, skills, and competencies for the cybersecurity workforce. These job descriptions are used by the Office of Personnel Management to define job codes for federal employees. In February 2013, Homeland Security launched the National Initiative for Cybersecurity Careers and Studies (NICCS), an online resource that incorporates the National Cybersecurity Workforce Framework and its definitions of duties and skills for cybersecurity professionals.
Department of Commerce To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.
Closed – Implemented
In fiscal year 2014, we verified that the Department of Commerce, in response to our recommendation, is a member of The National Initiative for Cybersecurity Education (NICE), an interagency effort to improve the nation's cybersecurity education, including efforts directed at the federal workforce. As a member of NICE, Commerce worked with the IT Workforce Assessment for Cybersecurity to establish category and specialty job descriptions for cybersecurity professionals. These job descriptions are used by the Office of Personnel Management to define job codes for federal employees. Commerce's National Institute of Standards and Technology hosts the NICE Web site with its National Cybersecurity Workforce Framework, which defines roles, responsibilities, skills, and competencies for cybersecurity professionals.
Office of Management and Budget To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.
Closed – Implemented
In fiscal year 2014, we verified that the Office of Management and Budget (OMB), in response to our recommendation, has provided leadership and guidance for the National Initiative for Cybersecurity Education's (NICE) Cybersecurity Workforce Framework, which defines roles, responsibilities, skills, and competencies for the cybersecurity workforce. In addition, OMB worked with OPM to build a databank in OPM's Enterprise Human Resources Integration (EHRI) data warehouse. The databank defines and catalogs those federal positions performing cybersecurity work as a major duty.
Office of Personnel Management To ensure that governmentwide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.
Closed – Implemented
In fiscal year 2014, we verified that the Office of Personnel Management (OPM), in response to our recommendation, has worked with OMB and the CIO Council, along with other agencies and interagency groups, to coordinate and align efforts to define roles, responsibilities, skills, and competencies for the cybersecurity workforce. In May 2013, OPM issued guidance on cybersecurity job category and specialty area codes using definitions that matched those developed by the National Initiative for Cybersecurity Education (NICE) in its Cybersecurity Workforce Framework. By defining cybersecurity occupations for the federal government, OPM and the NICE Framework help agencies consistently identify and track their cybersecurity workforces.
Office of Personnel Management To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Personnel Management should finalize and issue guidance to agencies on how to track the use and effectiveness of incentives for hard-to-fill positions, including cybersecurity positions.
Closed – Implemented
In fiscal year 2014, we verified that the Office of Personnel Management (OPM), in response to our recommendation, has issued final regulations for pay and incentives that give agencies the authority to authorize retention incentives in order to meet strategic needs. The regulations also define how incentives are to be tracked, assessed, and reported, and specify that incentives cannot be offered unless agencies can show a need to use them for hard-to-fill positions.
Office of Personnel Management To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Personnel Management should maximize the value of the cybersecurity competency model by (1) developing and implementing a method for ensuring that the competency model accurately reflects the skill set unique to the cybersecurity workforce, (2) developing a method for collecting and tracking data on the use of the competency model, and (3) creating a schedule for revising or updating the model as needed.
Closed – Not Implemented
In fiscal year 2015, we verified that the Office of Personnel Management (OPM) will not take action on this recommendation. OPM did not concur with the recommendation when the GAO report was issued. According to an agency official, OPM's standard job-analysis methodology is sufficient for ensuring that the competency model accurately reflects the skills of the cybersecurity workforce. The official also said it is not feasible to develop a method for collecting and tracking data on the use of the competency model because many different types of entities use and modify the model. Further, OPM has stated that it has not had a reason to revise or update the model, so the agency has not created a schedule for doing so.
Office of Management and Budget To improve governmentwide cybersecurity workforce planning efforts, the Director of the Office of Management and Budget should direct the CIO Council to develop a strategy for and track agencies' use of the IT Workforce Capability Assessment data.
Closed – Implemented
In fiscal year 2016, we verified that the Office of Management and Budget (OMB) participates in the National Initiative for Cybersecurity Education (NICE), and supports agencies' use of the NICE Framework to map cybersecurity jobs. However, events overcame GAO's recommendation that OMB direct the CIO Council to develop a strategy for and track agencies' use of the IT Workforce Capability Assessment data. In 2015, after a major security breach in a federal agency's network systems, OMB took steps to strengthen cybersecurity practices across the government. In October 2015 OMB issued a memorandum, M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. This memorandum directs agencies to participate in OPM's Special Cyber Workforce Project to identify their cyber talent and address gaps. The memorandum also lists several mechanisms for tracking agencies' efforts to improve their cybersecurity workforces, thereby addressing the intent of GAO's recommendation.
Department of Homeland Security To ensure that the benefits of the training provided through the Information Systems Security Line of Business are maximized, and resources are used most efficiently, the Secretary of the Department of Homeland Security should implement a process for tracking agency use of line of business training and gathering feedback from agencies on the training's value and opportunities for improvement.
Closed – Implemented
In fiscal year 2015, we verified that the Department of Homeland Security (DHS) developed a survey instrument to track the line of business training and to gather agencies' assessments of the training including ways in which it can be improved. DHS confirmed that it began distributing the survey in November 2014, and will continue to send the survey to agencies on a quarterly basis. Additionally, DHS developed a tracking tool to collect information on agencies' use of line of business training. This tracking tool is used to provide metrics and cost data on security awareness training and risk management framework training. The Information Systems Security Line of Business (ISSLOB) is managed by the Department of Homeland Security (DHS). This initiative tracks Shared Service Centers (SSC), which procure training for federal agencies.  
Department of Homeland Security
To ensure that the benefits of the training provided through the Information Systems Security Line of Business are maximized, and resources are used most efficiently, the Secretary of the Department of Homeland Security should develop a process to coordinate training offered through the line of business to minimize the production and distribution of duplicative products.
Closed – Implemented
In fiscal year 2015, we verified that the Department of Homeland Security (DHS), in response to our recommendation, collaborated through the National Initiative for Cybersecurity Education (NICE) to clarify the governance structure for NICE and to specify responsibilities and processes for planning and monitoring of initiative activities. DHS began distributing a survey in November 2014, and will continue to send the survey to agencies on a quarterly basis. This survey gives DHS a procedure for periodically gathering information on the effectiveness of available training and determining where duplicative services exist. Survey results will allow the department and other agencies to coordinate and streamline training offered through the ISSLoB program. The Information Systems Security Line of Business (ISSLoB) is managed by the Department of Homeland Security. This initiative tracks Shared Service Centers, which procure training for federal agencies. ISSLoB reports on the performance of the Shared Service Centers in several areas, including agencies' use of these centers, and cost avoidance. Homeland Security developed a survey instrument to track line of business training and to gather agencies' assessments of the training, including ways in which it can be improved.
National Science Foundation
To better determine the value to the government of the Scholarship for Service program, the Director of the National Science Foundation should develop and implement a mechanism to track the retention rate of program participants beyond their contractual obligation to the government.
Closed – Implemented
In fiscal year 2015, we verified that the National Science Foundation (NSF), in response to our recommendation, added a paragraph to the Cyber Corps Scholarship for Service (SFS) service agreement requiring scholarship recipients to update their contact information as needed and complete annual surveys for 8 years after they have completed their service commitments. The SFS Graduate Retention Survey that NSF developed asks participants for their employment history from the time that they were enrolled in the SFS program to the present. It also asks participants whether they are considering leaving their jobs within the next 12 months, and if so, why. Survey results allow the agency to track the number of scholarship recipients who continue to work in government cybersecurity positions after they have completed their contractual obligations. These steps increase assurance that the agency will be able to quantify the benefits of the Scholarship for Service program in relation to other such initiatives in the federal government.

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Topics

Compensation, Employee development, Employee incentives, Employee training, Employees, Federal agencies, Federal employees, Hiring policies, Human capital, Information security, Information technology, Personnel recruiting, Staff utilization, Strategic planning, Training utilization, Cybersecurity