Delays cause insufficient reports from agencies on cyberattacks

Due to a delay from the Office of Personnel Management and the National Initiative for Cybersecurity Education (NICE), the Homeland Security Department is not fully prepared against cyberattacks. And it’s just one of many agencies that have yet to define what a qualified cybersecurity force is.

When checking in on the Federal Cybersecurity Workforce Assessment Act of 2015, the Government Accountability Office concluded that a majority of agencies did not complete the requirements of the act. Agencies were meant to properly define their cybersecurity force or have a comprehensive list of certifications from cybersecurity personnel.

OPM was to issue a coding structure by June 15, 2016, to identify all federal civilian cybersecurity positions, but the agency failed to get the coding structure in on time. OPM issued the coding structure five months later, on Nov. 15, 2016.

OPM claimed the structure was to be aligned with the NICE Framework — a list of appropriate industry-recognized certifications — which was delayed due to sensitive task and knowledge, skills and abilities statements. NICE submitted its framework on Nov. 2, 2016.

Agencies were meant to get in their codes in December 2017 and report on critical needs by December 2018, but due to the delays, deadlines were extended by four months. Critical needs in cybersecurity personnel within agencies were meant to be assessed by April 2018.

Not only were many reports lacking in coding structure, possibly due to delays, but some agencies’ reports also failed to include the level of preparedness for personnel without certifications and strategies for mitigating certification gaps.

Three out of 24 agencies failed to get in a report to Congress at all.

DHS was one of three agencies that did not send a baseline assessment. The agency, instead, submitted a report that noted the agency’s shortcomings on the Federal Cybersecurity Workforce Assessment Act. But the report also stated that the agency was working with cybersecurity experts to understand which certifications are most important for their team.

In the end, GAO determined that the results from the assessments were unreliable.

GAO gave each agency, DHS included, recommendations and comments stating that the agency should address all parts of the baseline assessment to see what it critically needs for cybersecurity measures.

Agencies are required to identify and begin reporting on critical needs by April 2019.