Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program
Fast Facts
The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation.
We found:
- NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6
- NSF hasn't implemented a strategy to effectively manage risks and challenges, such as ensuring recipients meet their service obligation
Our recommendations address these issues. Ensuring the cybersecurity of the nation—including addressing workforce needs—is on our High Risk List.
Highlights
What GAO Found
The CyberCorps® Scholarship for Service Program provides participating institutions of higher education with scholarships to students in approved IT and cybersecurity fields of study. As a condition of receiving scholarships, students are required to enter agreements to work in qualifying full-time jobs upon graduation for a period equal in length to their scholarship. See the figure below for how recipients progress through the program.
Scholarship Recipients Progress through Three Phases in the CyberCorps® Program
GAO identified 19 selected legal requirements on how National Science Foundation (NSF) and the Office of Personnel Management (OPM) are to manage the program. GAO found that NSF and OPM fully complied with 13 of the requirements and partially complied with six. The partially complied with requirements include the following:
- Scholarship recipients are required to provide OPM with annual verifiable documentation of post-award employment. OPM officials acknowledge that recipients provide verifiable employment documentation and up-to-date contact information only at the beginning and end of the service commitment period, rather than annually as required by law.
- NSF is required to periodically report on program performance, including how long scholarship recipients stay in the positions they enter after graduation. OPM attempts to answer this by surveying recipients. However, recipient response rates ranging from 32 to 50 percent do not yield reliable and complete results.
NSF did not implement a risk management strategy and process to effectively identify, analyze, mitigate, and report on program risks and challenges. Absent such a strategy, NSF is not in a position to mitigate the adverse effects of risk events that do occur, which could negatively impact the accomplishment of program goals.
Why GAO Did This Study
GAO has previously reported that federal agencies faced challenges in ensuring that they have an effective cybersecurity workforce. What is now known as the CyberCorps® Scholarship for Service Program—operated by NSF in conjunction with OPM and the Department of Homeland Security (DHS)—was established in 2000 to increase the supply of new government cybersecurity employees. Since its inception, NSF reports that the program has awarded about $621 million in scholarships to over 4,707 recipients.
GAO was asked to review the Scholarship for Service Program. GAO determined the extent to which (1) NSF and OPM are complying with program legal requirements, and (2) NSF has identified, analyzed, mitigated, and reported on program risks.
GAO assessed program documentation and processes against legal requirements and industry best practices. Further, GAO interviewed NSF, OPM, and DHS officials as well as personnel from selected institutions of higher education participating in the program.
Recommendations
GAO is making three recommendations to NSF and two to OPM to comply with legal requirements and implement a risk management strategy. Both agencies agreed with GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
National Science Foundation | The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, should periodically evaluate and make public, information on how long CyberCorps® Scholarship for Service Program scholarship recipients stay in the positions they enter upon graduation. (Recommendation 1) |
The National Science Foundation (NSF) concurred with the recommendation. In June 2024, we verified that NSF, in response to our recommendation, provided GAO with evidence it had addressed this recommendation by evaluating and making public information on how long CyberCorps@ Scholarship for Service (SFS) Program scholarship recipients stay in the positions they enter upon graduation. As a result, the CyberCorps@ Scholarship for Service program is in a better position of achieving its goal of attracting and retaining high-quality graduates in the public sector cybersecurity workforce and supporting the U.S. government's strategy to develop a superior cybersecurity workforce.
|
National Science Foundation | The Director of the National Science Foundation should provide Congress with all required information in a timely manner for the CyberCorps® Scholarship for Service Program so Congress can use this information to make informed decisions regarding the SFS Program. (Recommendation 2) |
The National Science Foundation (NSF) concurred with the recommendation. In June 2024, we verified that NSF, in response to our recommendation, provided GAO with evidence it had addressed this recommendation by providing Congress with all required information in a timely manner for the CyberCorps@ Scholarship for Service Program so Congress can use this information to make informed decisions regarding the SFS Program. As a result, the CyberCorps@ Scholarship for Service program is in a better position of achieving its goal of attracting and retaining high-quality graduates in the public sector cybersecurity workforce and supporting the U.S. government's strategy to develop a superior cybersecurity workforce.
|
National Science Foundation | The Director of the National Science Foundation should develop and implement a risk management strategy that includes a process to effectively identify, analyze, mitigate, and report CyberCorps® Scholarship for Service Program risks and challenges. (Recommendation 3) |
The National Science Foundation (NSF) concurred with the recommendation. In June 2024, we verified that NSF, in response to our recommendation, provided GAO with evidence it had addressed this recommendation by developing and implementing a risk management strategy that included a process to effectively identify, analyze, mitigate, and report CyberCorps@ Scholarship for Service Program risks and challenges. As a result, NSF is in a better position to mitigate the adverse effects of CyberCorps@ Scholarship for Service (SFS) Program risk events that do occur.
|
Office of Personnel Management | The Director of the Office of Personnel Management, in coordination with the Director of the National Science Foundation, should establish a time frame for implementing a process to ensure that all CyberCorps® Scholarship for Service Program scholarship recipients provide their institutions of higher education and the Office of Personnel Management (in coordination with the National Science Foundation) with annual verifiable documentation of post-award employment and up-to-date contact information for a period of at least through the end of their work service obligation. (Recommendation 4) |
The Office of Personnel Management (OPM) concurred with the recommendation. In June 2024, we verified that OPM, in response to our recommendation, provided GAO with a detailed plan to address this recommendation, including the establishment of a time frame for implementing a process to ensure that all CyberCorps@ Scholarship for Service (SFS) Program scholarship recipients provide their institutions of higher education and OPM (in coordination with the National Science Foundation) with annual verifiable documentation of post-award employment and up-to-date contact information for a period of at least through the end of their work service obligation. As a result, OPM will be able to verify that recipients are meeting the SFS Program legal requirements.
|
Office of Personnel Management | The Director of the Office of Personnel Management, in coordination with the Director of the National Science Foundation, should ensure the collection of complete and consistent data that relate to the fulfillment of all post-award obligations or requirements pursuant to the CyberCorps® Scholarship for Service Program. (Recommendation 5) |
The Office of Personnel Management, concurred with the recommendation but as of June 2024 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.
|