Military Cyber Personnel: Opportunities Exist to Improve Service Obligation Guidance and Data Tracking
Fast Facts
Military personnel who complete advanced cyber training—which may take a year or more and costs DOD hundreds of thousands of dollars—may not remain in the military for a significant time after training.
We found that 2 of the 4 military services are not positioned to ensure adequate return on their investment in advanced cyber training. While the Navy and Air Force require 3 years of active duty, the Marine Corps has no guidance for this area and Army guidance does not clearly define active duty service obligations.
We recommended clarifying these service obligations and more.
Ensuring the nation's cybersecurity is a topic on our High Risk List.
Highlights
What GAO Found
The Navy and the Air Force have guidance requiring a 3-year active-duty service obligation for military personnel who receive lengthy and expensive advanced cyber training. This training prepares personnel to fill the Interactive On-Net Operator (ION) work role, identified as critical by U.S. Cyber Command (USCYBERCOM). In contrast, the Marine Corps does not have such guidance. Additionally, the Army's guidance does not clearly define active duty service obligations. Rather, it sets general service obligations based on the length of training. Using the Army's guidance, GAO estimated that active-duty officers receiving ION training may incur a service obligation of about 1.88 years. However, Army officials stated that they lacked the information needed to calculate and implement service obligations for ION training because it is not specifically listed in Army guidance. Army, Marine Corps, and USCYBERCOM officials acknowledged that guidance with clearly defined service obligations for ION training would create a better return on investment for this critical cyber work role. The Army and the Marine Corps have taken steps to clearly define service obligations for ION training, but officials did not know when or if the guidance would be implemented. Until the revised guidance is implemented, the Army and the Marine Corps are unnecessarily limiting their return on investment in ION training.
Years of Service Obligation Required in Military Service Guidance for Interactive On-Net Operator (ION) Training
aGAO estimated these potential obligations, in part based on Army guidance, but ION training is not specifically listed in that guidance making this requirement challenging to implement, according to Army officials
bAccording to Navy documentation and Marine Corps officials, only enlisted personnel in those military services are eligible to train for the ION work role.
Staffing gaps—the difference between the number of personnel authorized and the number of personnel staffed—existed in some active-duty cyber career fields from fiscal years 2017 through 2021. Specifically, most of the Navy, Army, and Air Force cyber career fields were staffed at 80 percent or higher compared with the number of authorized personnel. However, four of the six Marine Corps career fields were below 80 percent of authorized levels in fiscal year 2021.
While the military services track cyber personnel staffing levels by career fields, USCYBERCOM uses work role designations to assign personnel to cyber mission teams. However, the Army, Air Force, and Marine Corps do not track staffing data by work role. As a result, military service officials cannot determine if specific work roles are experiencing staffing gaps. Tracking staffing data at the work role level would enable the military services to identify and address staffing challenges in providing the right personnel to carry out key missions at USCYBERCOM. This information is also essential for increasing personnel assigned to USCYBERCOM as planned by the Department of Defense (DOD).
Why GAO Did This Study
To accomplish its national security mission and defend a wide range of critical infrastructure, DOD must recruit, train, and retain a knowledgeable and skilled cyber workforce. However, DOD faces increasing competition from the private sector looking to recruit top cyber talent to protect systems and data from a barrage of foreign attacks.
Senate Report 117-39 accompanying a bill for the National Defense Authorization Act for Fiscal Year 2022 includes a provision for GAO to review retention challenges and service obligations for active-duty cyber personnel. Among other matters, GAO examines the extent to which (1) a service obligation exists for military cyber personnel receiving advanced cyber training and (2) DOD has experienced staffing gaps for active-duty military cyber personnel for fiscal year 2017 through fiscal year 2021 and tracked cyber work roles. GAO reviewed policies and guidance, analyzed staffing data from fiscal years 2017 through 2021, and interviewed DOD and military service officials.
Recommendations
GAO is making six recommendations, including that the Army and Marine Corps clearly define active-duty service obligations for advanced cyber training in guidance, and that the Army, Air Force and Marine Corps track cyber personnel data by work role. DOD concurred with the recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of the Army | The Secretary of the Army should ensure that the Office of the Deputy Chief of Staff for Personnel updates Army Regulation 614-200 in a timely manner to clearly define active-duty service obligations for ION training, for the Army's relevant cyber enlisted personnel. (Recommendation 1) |
Department of Defense (DOD) concurred with this recommendation. In February 2024, DOD provided actions that the Army had taken to implement this recommendation. First, the Army issued an Exception to Policy memo for Army Regulation 614-200. This Exception to Policy will act as the rule until the Army completes its updates to Regulation 614-200. In the Exception to Policy memo, the Army defines the active-duty service obligations for advanced cyber training, which would include ION training. Second, the Army stated that it will finalize the update to Regulation 614-200 in 2025. Based on the Army's actions, we believe they have met the intent of our recommendation.
|
Department of the Army | The Secretary of the Army should ensure that the Office of the Deputy Chief of Staff for Personnel updates Army Regulation 350-100 in a timely manner to clearly define active-duty service obligations for ION training, for the Army's relevant cyber officers. (Recommendation 2) |
The Department of Defense (DOD) concurred with this recommendation. In February 2024, DOD provided a copy of Army Regulation 350-100 that was revised and issued in August 2023. In the updated Regulation, the Army lays out clear active-duty service obligations for both officer and warrant officers that receive advanced cyber training, Based on the Army's actions, we believe they have met the intent of our recommendation.
|
Department of the Navy | The Secretary of the Navy should ensure that the Commandant of the Marine Corps develops guidance in a timely manner to establish active-duty service obligations for ION training. (Recommendation 3) |
The Department of Defense (DOD) concurred with this recommendation. In February 2024, DOD provided a copy of Marine Corps guidance that was issued in January 2023. In its guidance, the Marine Corps establishes active-duty service obligations for Marines completing ION training. Based on the Marine Corps actions, we believe they have met the intent of our recommendation.
|
Department of the Army | The Secretary of the Army should ensure that the Chief of Staff of the Army takes the necessary steps to integrate U.S. Cyber Command work roles into the Army's personnel system of record to track cyber personnel data by work role. (Recommendation 4) |
This recommendation remains open pending action from the Department of Defense (DOD). As of February 2024, DOD stated that the Army needs to evaluate solutions to meet both US Cyber Command and Army requirements. DOD indicated that action on implementing this recommendation may not occur until 2025.
|
Department of the Air Force | The Secretary of the Air Force should ensure that the Chief of Staff of the Air Force takes the necessary steps to integrate U.S. Cyber Command work roles into the Air Force's personnel system of record to track cyber personnel data by work role. (Recommendation 5) |
This recommendation remains open pending further action from the Department of Defense (DOD). As of February 2024, DOD stated that the Air Force was in the process of taking steps to create new Identifiers for its cyber personnel, which would enable the Air Force to track US Cyber Command's cyber work roles. Once this process is complete, according to DOD, the Air Force will updates its personnel system of record and code its personnel accordingly. Action is anticipated to be completed in 2024.
|
Department of the Navy | The Secretary of the Navy should ensure that the Commandant of the Marine Corps takes the necessary steps to integrate U.S. Cyber Command work roles into the Marine Corps' personnel system of record to track cyber personnel data by work role. (Recommendation 6) |
This recommendation remains open pending action from the Department of Defense (DOD). As of February 2024, DOD stated that the Marine Corps was still working to address this recommendation.
|