Cybersecurity Workforce: Departments Need to Fully Implement Key Practices
Fast Facts
Building and maintaining a cybersecurity workforce is vital to protecting the IT systems that support government operations. But a shortage of skilled workers has made that challenging.
We looked at how five departments have implemented key cybersecurity workforce practices. Homeland Security has fully implemented nearly all the practices, but the others implemented less than half.
Some departments described actions they've taken to address challenges like recruiting difficulties and inadequate funding. But none evaluated whether their actions have been effective in addressing these challenges.
Our 23 recommendations address these issues.
Highlights
What GAO Found
The Office of Personnel Management's (OPM) Workforce Planning Guide outlines a five-step process for workforce planning efforts: (1) setting the strategic direction, (2) conducting workforce analyses, (3) developing workforce action plans, (4) implementing and monitoring workforce planning, and (5) evaluating and revising these efforts. Within the five steps are 15 applicable practices that are central to effectively managing the cybersecurity workforce. Of the 15 applicable practices, the Department of Homeland Security fully implemented 14 of them. However, the other four selected departments were not as consistent in their implementation of the practices (see figure).
Extent to Which Selected Departments Implemented the 15 Applicable Practices for Workforce Planning
Most of the selected departments reported that they had not fully implemented all 15 practices due, in part, to managing their cybersecurity workforces at the component level rather than the departmental level, as intended by OPM. Until the departments implement these practices, they will likely be challenged in having a cybersecurity workforce with the necessary skills to protect federal IT systems and enable the government's day-to-day functions.
Officials at the five selected departments cited three primary types of cybersecurity workforce management challenges: inadequate funding, difficulties with recruitment, and difficulties with retention. The departments described actions taken to mitigate these challenges. However, none of the departments had evaluated their actions taken to determine the extent to which they had been effective in addressing the challenges. Without evaluating the effectiveness of their mitigation actions, department officials will not know the extent to which their actions are addressing identified challenges and strengthening the cybersecurity workforce.
Why GAO Did This Study
Cybersecurity professionals are critical to developing, managing, and protecting the systems that support federal operations. The Federal Information Security Modernization Act (FISMA) of 2014 includes a provision for GAO to periodically evaluate federal agencies' information security practices. GAO's specific objectives were to (1) determine the extent to which selected departments implemented cybersecurity workforce practices, and (2) describe the selected departments' cybersecurity workforce challenges and mitigation actions and the extent to which they evaluated the effectiveness of those actions. To do so, GAO identified the five federal non-military departments with the largest number of cybersecurity employees. GAO assessed the departments' cybersecurity workforce documentation against applicable leading practices. Further, GAO interviewed officials from the selected departments regarding workforce practices and challenges.
Recommendations
GAO is making a total of 23 recommendations to the five departments--Commerce, Homeland Security, Health and Human Services, Treasury, and Veterans Affairs--to fully implement applicable practices and determine the effectiveness of mitigation actions. Three departments agreed with the recommendations, one agreed with two and partially agreed with three, and one department did not agree or disagree. GAO maintains that all of its recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Homeland Security | The Secretary of Homeland Security should ensure that the Department of Homeland Security fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Homeland Security | The Secretary of Homeland Security should ensure that the Department of Homeland Security identify and analyze the effectiveness of its mitigation actions on the workforce challenges. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with setting the strategic direction for the cybersecurity workforce. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 13) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 14) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 15) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 16) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 17) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 18) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 19) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 20) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 21) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 22) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 23) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |