Cybersecurity Workforce: DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill Requirements

What GAO Found

The Department of Homeland Security (DHS) has taken actions to identify, categorize, and assign employment codes to its cybersecurity positions, as required by the Homeland Security Cybersecurity Workforce Assessment Act of 2014 ; however, its actions have not been timely and complete. For example, DHS did not establish timely and complete procedures to identify, categorize, and code its cybersecurity position vacancies and responsibilities. Further, DHS did not complete efforts to identify all of the department's cybersecurity positions and accurately assign codes to all filled and vacant cybersecurity positions. In August 2017, DHS reported to Congress that it had coded 95 percent of the department's identified cybersecurity positions. However, the department had, at that time, coded approximately 79 percent of the positions. DHS's 95 percent estimate was overstated primarily because it excluded vacant positions, even though the act required DHS to report these positions.

In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to Congress on its departmentwide cybersecurity critical needs that align with specialty areas. The department also has not reported annually its cybersecurity critical needs to the Office of Personnel Management (OPM), as required, and has not developed plans with clearly defined time frames for doing so. (See table).

The Department of Homeland Security's Status In Implementing Requirements of the Homeland Security Cybersecurity Workforce Assessment Act of 2014, as of February 2018

Source: GAO analysis of DHS documentation and the Homeland Security Cybersecurity Workforce Assessment Act of 2014. | GAO-18-430T

Without ensuring that its procedures are complete and that its progress in identifying and assigning codes to its cybersecurity positions is accurately reported, DHS will not be positioned to effectively examine its cybersecurity workforce, identify critical skill gaps, or improve its workforce planning. Further, until DHS establishes plans and time frames for reporting on its critical needs, the department may not be able to ensure that it has the necessary cybersecurity personnel to help protect the department's and the nation's federal networks and critical infrastructure from cyber threats. The commitment of DHS's leadership to addressing these matters is essential to helping the department fulfill the act's requirements.

Why GAO Did This Study

DHS is the lead agency tasked with protecting the nation's critical infrastructure from cyber threats. The Homeland Security Cybersecurity Workforce Assessment Act of 2014 required DHS to identify, categorize, and assign employment codes to all of the department's cybersecurity workforce positions. These codes define work roles and tasks for cybersecurity specialty areas such as program management and system administration. Further, the act required DHS to identify and report its cybersecurity workforce critical needs.

GAO was asked to testify on the extent to which DHS has (1) identified, categorized, and assigned employment codes to its cybersecurity positions and (2) identified its cybersecurity workforce areas of critical need. To do so, GAO summarized the findings discussed in its February 2018 report on DHS's cybersecurity workforce ( GAO-18-175 ).