The issue with cybersecurity workforce size stems in part from variations in how agencies define work and the lack of an occupational series specific to cybersecurity, GAO said.
“A series is used to identify a specific occupation and generally includes all jobs in that particular kind of work at all grade levels,” the report said. “However, [the Office of Personnel Management’s] 2010 cybersecurity data collection showed that federal agencies used multiple series for their cybersecurity workforce. None of these series identifies cybersecurity as the only job responsibility. In many cases, employees with cybersecurity responsibilities also have other responsibilities, and some employees classified under a particular series may not have any cybersecurity responsibilities.”
GAO also found problems with the way the agencies conduct cybersecurity workforce planning.
“All agencies had defined roles and responsibilities for their cybersecurity workforce,” GAO said. “But these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology (NIST).”
Information security made it onto GAO’s high-risk list 14 years ago, in 1997. Since then, auditors inside and outside of government have, on numerous occasions, exposed critical gaps in the cybersecurity workforce.
Agencies still struggle to fill highly technical positions, mainly because of a lengthy and complicated federal hiring process and discrepancies in compensation across agencies, according to the GAO report.
“Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives,” GAO said.
GAO also reported problems with cybersecurity training and development programs, citing a lack of consistency among agencies.
“For example, the Departments of Commerce and Defense required cybersecurity personnel to obtain certifications and fulfill continuing education requirements,” the report said. “Other agencies used an informal or ad hoc approach to identifying required training.”
Auditors developed 17 recommendations to address the shortfalls they flagged. For example, to improve cybersecurity workforce planning, GAO said the CIO Council should create a strategy for agencies’ use of data from the IT Workforce Capability Assessment, which OPM will use to help create a specialized career path for IT program managers.
To address the training issues, GAO recommended DHS track how much agencies use and value educational programs in the Information Systems Security Line of Business. Auditors also recommended DHS improve efforts to reduce duplication in the programs.
The GAO report also recommended improvements to the NIST National Initiative for Cybersecurity Education (NICE), which includes projects to improve cybersecurity workforce training and duties. GAO said, among other things, that NICE lacks a clear list of agency activities under the initiative and a means to measure the progress of each activity. GAO recommended that leaders clarify NICE’s governance structure to specify responsibilities for planning and monitoring the activities.