
Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions

GAO-18-466 Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.

Highlights

What GAO Found

As required by the Federal Cybersecurity Workforce Assessment Act of 2015 (act), the Office of Personnel Management (OPM) developed a cybersecurity coding structure under the National Initiative for Cybersecurity Education (NICE) as well as procedures for assigning codes to federal civilian cybersecurity positions. However, OPM issued the coding structure and procedures 5 and 4 months later than the act's deadlines, respectively, because OPM was working with the National Institute of Standards and Technology (NIST) to align the structure and procedures with the draft NICE Cybersecurity Workforce Framework, which NIST issued later than planned. OPM also submitted a progress report to Congress on the implementation of the act 1 month after it was due. The delays in issuing the coding structure and procedures have extended the expected time frames for implementing subsequent provisions of the act.

Most of the 24 agencies covered by the Chief Financial Officers (CFO) Act submitted baseline assessment reports to Congress but the results may not be reliable. As of March 2018, 21 of the 24 CFO Act agencies had conducted baseline assessments identifying the extent to which their cybersecurity employees held professional certifications and had submitted the assessment reports to Congress as required by the act. Three agencies had not conducted the assessments for various reasons, such as a lack of resources and tools to do so. Of the 21 agencies that did, 4 did not address all of the reportable information, such as the extent to which personnel without professional certifications were ready to obtain them or strategies for mitigating any gaps. Additionally, agencies were limited in their ability to obtain complete or consistent information about their cybersecurity employees and the certifications they held. This was because agencies had not yet fully identified all members of their cybersecurity workforces or did not have a consistent list of appropriate certifications for cybersecurity positions. As a result, the agencies had limited assurance that their assessment results accurately reflected all relevant employees or the extent to which those employees held appropriate certifications. This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies' cybersecurity employees.

Most of the 24 CFO Act agencies established coding procedures, but 6 agencies only partially addressed certain activities required by OPM in their procedures. Of the 24 agencies reviewed, 23 had established procedures to identify their civilian cybersecurity positions and assign the appropriate employment codes to the positions as called for by the act. However, 6 of the 23 agencies did not address one or more of 7 activities required by OPM in their procedures, such as the activities to review all filled and vacant positions and annotate reviewed position descriptions with the appropriate employment code. These 6 agencies cited a variety of reasons for not addressing all of the required activities in their coding procedures. For example, these agencies stated that they addressed the activities in existing guidance or did not include activities that their components did not have the responsibility to perform. By not addressing all of the required activities in their coding procedures, the 6 agencies lack assurance that the activities will be performed or performed consistently throughout their agency.

Why GAO Did This Study

A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The Federal Cybersecurity Workforce Assessment Act of 2015 requires OPM and federal agencies to take several actions related to cybersecurity workforce planning.

GAO is to monitor agencies' progress in implementing the act's requirements. For this report, GAO assessed whether: (1) OPM developed a coding structure and procedures for assigning codes to cybersecurity positions and submitted a progress report to Congress; (2) CFO Act agencies submitted complete, reliable baseline assessments of their cybersecurity workforces; and (3) CFO Act agencies established procedures to assign codes to cybersecurity positions. GAO examined OPM's coding procedures and progress report on the act's implementation, and baseline assessments and coding procedures from the 24 CFO Act agencies. GAO also interviewed relevant OPM and agency officials about efforts to address the act's requirements.

Recommendations

GAO is making 30 recommendations to 13 agencies to fully implement two of the act's requirements on baseline assessments and coding procedures. Of the 12 agencies that received recommendations and provided comments on the report, 7 agreed with the recommendations made to them, 4 did not state whether they agreed or disagreed, and 1 did not agree with one of the two recommendations made to it. GAO continues to believe that the recommendation is valid, as discussed in this report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Commerce The Secretary of Commerce should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, identify strategies for mitigating any gaps identified, and report this information to Congress. (Recommendation 1)
Closed – Implemented
Department of Commerce (Commerce) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams using the National Initiative for Cybersecurity Education (NICE) certification mapping and identify strategies for mitigating gaps to include in a report to Congress. In fiscal year 2022, we verified that Commerce, in response to our recommendation, had evaluated the level of preparedness of personnel that did not hold certifications to take certification exams, identified a strategy for mitigating gaps, and reported this information to Congress. As a result of taking this action, the department has ensured that it has valuable information about the knowledge and skills of its cybersecurity employees, enhancing the department's ability to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of its information and information systems.
Department of Defense The Secretary of Defense should develop, document, and implement government-wide procedures for identifying information technology (IT), cybersecurity, and cyber-related noncivilian positions and assigning employment codes to those positions. (Recommendation 2)
Closed – Implemented
Department of Defense (DOD) officials concurred with the recommendation. In fiscal year 2018, we verified that DOD, in response to our recommendation, had developed, documented, and implemented government-wide procedures for identifying information technology (IT), cybersecurity, and cyber-related non-civilian positions and assigned employment codes to those positions.
Department of Defense The Secretary of Defense should develop, document, and implement internal departmental procedures for identifying IT, cybersecurity, and cyber-related noncivilian positions and assigning employment codes to those positions. (Recommendation 3)
Closed – Implemented
Department of Defense (DOD) officials concurred with the recommendation. In fiscal year 2018, we verified that DOD, in response to our recommendation, had developed, documented, and implemented internal departmental procedures for identifying IT, cybersecurity, and cyber-related non-civilian positions and assigning employment codes to those positions.
Department of Education The Secretary of Education should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 4)
Closed – Implemented
Department of Education (Education) officials concurred with the recommendation. In fiscal year 2018, we verified that Education, in response to our recommendation, had developed and implemented guidance that requires positions that do not perform substantial work in information technology, cybersecurity, or cyber-related functions to be assigned code "000".
Department of Energy The Secretary of Energy should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 5)
Closed – Implemented
Department of Energy (DOE) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams using the National Initiative for Cybersecurity Education (NICE) certification mapping. In fiscal year 2022, we verified that DOE, in response to our recommendation, had evaluated the level of preparedness of personnel that did not hold certifications to take certification exams and reported this information to Congress. As a result of taking this action, the department has ensured that it has valuable information about the knowledge and skills of its cybersecurity employees, enhancing the department's ability to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of its information and information systems.
Department of Energy The Secretary of Energy should develop, document, and implement departmental procedures for identifying IT, cybersecurity, and cyber-related positions and assigning employment codes to those positions, taking into account the key elements described in OPM's instructions for agencies' procedures. (Recommendation 6)
Closed – Implemented
Department of Energy (DOE) officials concurred with the recommendation. In fiscal year 2018, we verified that DOE, in response to our recommendation, had developed and issued departmental procedures for identifying IT, cybersecurity, and cyber-related positions and assigning employment codes to those positions, taking into account the key elements described in the Office of Personnel Management's (OPM's) instructions for agencies' procedures.
Department of Homeland Security The Secretary of Homeland Security should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 7)
Closed – Implemented
Department of Homeland Security (DHS) officials concurred with our recommendation. In fiscal year 2020, we verified that DHS, in response to our recommendation, had conducted a baseline assessment of its cybersecurity workforce. The assessment identified the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications, the level of preparedness of personnel without existing credentials to take certification exams, and a strategy for mitigating any gaps identified with appropriate training. As a result of taking this action, DHS has ensured that it has valuable information about the knowledge and skills of its cybersecurity employees, enhancing the department's ability to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of its information and information systems.
Department of Homeland Security The Secretary of Homeland Security should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 8)
Closed – Implemented
Department of Homeland Security (DHS) officials concurred with our recommendation. In fiscal year 2020, we verified that DHS, in response to our recommendation, had submitted a report of its baseline assessment of its cybersecurity workforce to Congress. As a result, DHS has provided Congress with the information it required in the Act regarding existing credentials and certifications of personnel with information technology, cybersecurity, or other cyber-related job functions.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 9)
Closed – Implemented
The Department of Housing and Urban Development (HUD) concurred with our recommendation. In fiscal year 2020, we verified that HUD, in response to our recommendation, had conducted a baseline assessment of its cybersecurity workforce. The assessment identified the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications, and a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. While the assessment did not identify the level of preparedness of other cyber personnel without existing credentials to take certification exams, it identified that significant proficiency gaps had been identified in its IT specialist employees, and outlined a plan for using that information to assess the ability of employees without certifications, which meets the intent of our recommendation. As a result of taking this action, HUD has ensured that it has valuable information about the knowledge and skills of its cybersecurity employees, enhancing the department's ability to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of its information and information systems.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 10)
Closed – Implemented
The Department of Housing and Urban Development (HUD) concurred with our recommendation. In fiscal year 2020, we verified that HUD, in response to our recommendation, had submitted a report of its baseline assessment of its cybersecurity workforce to Congress. As a result, HUD has provided Congress with the information it required in the Act regarding existing credentials and certifications of personnel with information technology, cybersecurity, or other cyber-related job functions.
Department of the Interior The Secretary of the Interior should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 11)
Closed – Implemented
Department of the Interior (Interior) concurred with our recommendation. In fiscal year 2021, we verified that Interior, in response to our recommendation, had evaluated the level of preparedness of personnel that did not hold certifications to take certification exams and reported this information to Congress. As a result of taking this action, Interior has ensured that it has valuable information about the knowledge and skills of its cybersecurity employees, enhancing the department's ability to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of its information and information systems.
Department of Labor The Secretary of Labor should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures. (Recommendation 12)
Closed – Implemented
Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had included requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures.
Department of Labor The Secretary of Labor should ensure that departmental procedures fully account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 13)
Closed – Implemented
Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to fully account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.
Department of Labor The Secretary of Labor should fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 14)
Closed – Implemented
Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.
Department of Labor The Secretary of Labor should include requirements to assign up to three employment codes per position in order of their criticality in departmental procedures. (Recommendation 15)
Closed – Implemented
Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to include requirements to assign up to three employment codes per position in order of their criticality.
National Aeronautics and Space Administration The Administrator of the National Aeronautics and Space Administration should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 16)
Closed – Not Implemented
National Aeronautics and Space Administration (NASA) did not concur with our recommendation and has not implemented it. Agencies were required to report the results of baseline assessments by December 2016. The absence of NICE-identified appropriate industry-recognized certifications may have contributed to uncertainty for agencies in their efforts to report on the level of preparedness for obtaining certifications. The time frame for implementing this recommendation has passed, and it is no longer applicable.
National Aeronautics and Space Administration The Administrator of the National Aeronautics and Space Administration should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 17)
Closed – Implemented
National Aeronautics and Space Administration (NASA) officials concurred with our recommendation. In fiscal year 2018, we verified that NASA officials, in response to our recommendation, had revised their departmental procedures to fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.
National Science Foundation The Director of the National Science Foundation should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 18)
Closed – Implemented
National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had fully clarified requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions.
National Science Foundation The Director of the National Science Foundation should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 19)
Closed – Implemented
National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had included requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures.
National Science Foundation The Director of the National Science Foundation should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 20)
Closed – Implemented
National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised its agency procedures to account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.
National Science Foundation The Director of the National Science Foundation should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 21)
Closed – Implemented
National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised its agency procedures to include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and other cyber-related functions.
National Science Foundation The Director of the National Science Foundation should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 22)
Closed – Implemented
National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised agency procedures to include requirements to assign up to three employment codes per position in order of their criticality.
Nuclear Regulatory Commission The Chairman of the Nuclear Regulatory Commission should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 23)
Closed – Implemented
Nuclear Regulatory Commission (NRC) officials concurred with the recommendation. In fiscal year 2018, we verified that NRC, in response to our recommendation, had revised its cybersecurity coding procedures to ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.
Nuclear Regulatory Commission The Chairman of the Nuclear Regulatory Commission should fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 24)
Closed – Implemented
Nuclear Regulatory Commission (NRC) officials concurred with the recommendation. In fiscal year 2018, we verified that NRC, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures.
Small Business Administration The Administrator of the Small Business Administration should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 25)
Closed – Implemented
Small Business Administration (SBA) officials concurred with our recommendation. In fiscal year 2021, we verified that SBA, in response to our recommendation, had conducted a baseline assessment of its cybersecurity workforce. The assessment identified the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications, the level of preparedness of other cyber personnel without existing credentials to take certification exams, and a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. As a result of taking this action, SBA has ensured that it has valuable information about the knowledge and skills of its cybersecurity employees, enhancing the department's ability to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of its information and information systems.
Small Business Administration The Administrator of the Small Business Administration should submit a report of its baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 26)
Closed – Implemented
Small Business Administration (SBA) officials concurred with our recommendation. In fiscal year 2021, we verified that SBA, in response to our recommendation, had submitted a report of its baseline assessment of its cybersecurity workforce to Congress. As a result, SBA has provided Congress with the information it required in the Act regarding existing credentials and certifications of personnel with information technology, cybersecurity, or other cyber-related job functions.
U.S. Agency for International Development The Administrator of the U.S. Agency for International Development should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 27)
Closed – Implemented
United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions.
U.S. Agency for International Development The Administrator of the U.S. Agency for International Development should fully clarify requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 28)
Closed – Implemented
United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s).
U.S. Agency for International Development The Administrator of the U.S. Agency for International Development should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 29)
Closed – Implemented
United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.
U.S. Agency for International Development The Administrator of the U.S. Agency for International Development should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 30)
Closed – Implemented
United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to include requirements to assign up to three employment codes per position in order of their criticality.
GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity
Topics

Cybersecurity, Documentation, Human capital management, Information systems, Information technology, Personnel management, Policies and procedures, Requirements definition, Workforce assessment, Workforce planning