General government > 12. Cybersecurity Human Capital

Governmentwide initiatives to enhance cybersecurity workforce in the federal government need better structure, planning, guidance, and coordination to reduce duplication.

Why This Area Is Important

Threats to federal information technology (IT) infrastructure and systems continue to grow in number and sophistication, posing a risk to the reliable functioning of government and highlighting the need to ensure that the federal and contractor workforce has the knowledge, skills, and abilities to maintain the security of federal IT infrastructure and systems.

In discussing his 2009 Cyberspace Policy Review,[1] President Obama declared the cyber threat to be “one of the most serious economic and national security challenges we face as a nation.” Because of the importance of federal information systems to government operations, as well as continuing weaknesses in the information security controls over these systems, GAO has identified federal information security as a governmentwide high-risk area since 1997.[2]

Cybersecurity professionals help to prevent or mitigate vulnerabilities that could allow malicious individuals and groups access to federal IT systems. Specifically, the ability to secure federal systems is dependent on the knowledge, skills, and abilities of the federal and contractor workforce that uses, implements, secures, and maintains these systems.



[1]President Barack Obama Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (Washington, D.C.: May 29, 2009).

[2]See GAO, High Risk Series: An Update GAO-11-278 (Washington, D.C.: February 2011).

What GAO Found

GAO’s work and the work of other organizations suggest that there are leading practices that workforce planning for critical positions such as federal cybersecurity positions should address. These include defining roles, responsibilities, skills, and competencies for these positions and establishing a training and development program that supports the competencies an agency needs to accomplish its mission.

The Department of Commerce’s National Institute of Standards and Technology (NIST), Chief Information Officers (CIO) Council, Office of Personnel Management (OPM), and the Department of Homeland Security (DHS) have separate efforts intended to help agencies define roles, responsibilities, skills, and competencies for their cybersecurity workforce. However, it is unclear how or whether the aforementioned entities will effectively align their efforts and, if so, the timeframe for accomplishing that. The four efforts are discussed briefly below:

  • As part of its responsibilities under the Federal Information Security Management Act, NIST has defined cybersecurity roles and responsibilities in NIST Special Publications 800-16, 800-37, and 800-50.
  • In October 2010, the CIO Council released an updated version of 11 standard cybersecurity roles that agencies could use as a guideline in developing detailed position descriptions and training. For each role, the CIO Council plans to develop a workforce development matrix that lists suggested qualifications for entry, intermediate, and advanced performance levels for the role; additional sources for skill and competency materials; educational and professional credentials; and learning and development sources. While several of the NIST-defined cybersecurity roles map to the roles defined by the CIO Council, others do not. As of August 2011, NIST had not indicated plans to modify the roles identified in NIST publications to align with the CIO Council roles. According to NIST, its standards and guidance, which include its definition of cybersecurity roles and responsibilities, were issued based on its responsibilities under the Federal Information Security Management Act and, as such, do not need to be revised to align with the CIO Council roles. However, providing multiple unaligned sources of guidance to federal agencies limits their value as a tool for agencies.
  • OPM developed a governmentwide cybersecurity competency model that identified the most common job series used by cybersecurity professionals across the federal government; however, the identified competencies are not unique to cybersecurity work, and there is no mechanism in place to determine if agencies will use this model.
  • In support of the National Initiative for Cybersecurity Education,[1] DHS is developing a framework consisting of 31 specialties across seven categories of cybersecurity work, which is intended to provide a common language for describing the cybersecurity workforce. According to DHS, once the framework has been finalized, other federal documents, including relevant NIST Special Publications, will be revised to conform to it. However, no time frame was provided for when this will occur, and it is unclear whether NIST will revise its publications to conform to the framework.

Although NIST guidelines are currently widely used throughout the federal government, it is unclear whether or how the results of the efforts of the CIO Council, OPM, or DHS will be used governmentwide. A more consolidated effort to develop one framework defining roles, responsibilities, skills, and competencies for the federal cybersecurity workforce rather than four separate efforts, would be a more efficient use of resources.

In addition to efforts to define roles, responsibilities, skills and competencies, there are multiple governmentwide cybersecurity training efforts under way. In 2005, the Office of Management and Budget (OMB) and DHS began to collaborate on an initiative, called the Information Systems Security Line of Business, to address common information systems security needs across the government, including cybersecurity training. As part of this collaboration, DHS designated five agencies—the Departments of Defense, State, and Veterans Affairs (VA), the National Aeronautics and Space Administration (NASA), and OPM—to be security training shared service centers available to all federal agencies so as to reduce duplication and improve the quality of information security training. The training courses that these agencies offer are organized into two training tiers: general security awareness training and role-based security training. While one of the goals of the shared program is to reduce duplication, there are several areas in which the training roles overlap among the agencies, and no process exists for coordinating or eliminating duplication among the efforts. For example, NASA, VA, and State all have training for employees in system administrator roles. Additionally, both NASA and VA offer training for CIOs, and NASA and State both offer training directed at the system owner role. However, neither the individual agencies nor DHS evaluate the training for duplicative content, effectiveness, or extent of use.



[1]The National Initiative for Cybersecurity Education began in March 2010 as an expansion of Initiative 8 of the Comprehensive National Cybersecurity Initiative, which focused on efforts to educate and improve the federal cybersecurity workforce. According to the interagency committee recommendations establishing the National Initiative for Cybersecurity Education, it is to provide program management support and promote intergovernmental efforts to improve cybersecurity awareness, education, workforce structure, and training.

Actions Needed

To ensure that governmentwide cybersecurity workforce initiatives are better coordinated, GAO recommended in November 2011 that Directors of OMB and OPM and the Secretaries of the Departments of Commerce and Homeland Security should

  • consolidate and align efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce.

Regarding the Information Systems Security Line of Business initiative, GAO also recommended in November 2011 that the Secretary of DHS should

  • implement a process for tracking agency use of training, gather feedback from agencies on the training’s value and opportunities for improvement, and develop a process to coordinate training offered to minimize the production and distribution of duplicative products.

Implementation of these recommendations could help the government more efficiently and effectively develop the federal cybersecurity workforce in a constrained fiscal environment.

How GAO Conducted Its Work

The information contained in this analysis is based on findings from the product in the related GAO product section. GAO identified governmentwide initiatives based on interviews with subject matter experts at federal agencies and private organizations, and a review of publicly released information on the initiatives. GAO reviewed plans, performance measures, and status reports. GAO also interviewed officials at agencies responsible for these initiatives, such as NIST, OPM, the National Science Foundation, and OMB. GAO assessed the status and plans of these efforts against GAO’s prior work on strategic planning, training and development, and efficient government operations.

Agency Comments & GAO Contact

GAO provided a draft of its November 2011 report to OMB, OPM, the Department of Commerce, and DHS, for review and comment. OPM, the Department of Commerce, and DHS generally agreed with GAO’s recommendation to consolidate and align efforts to define roles and responsibilities, skills, and competencies for the federal cybersecurity workforce. OMB provided technical comments, which were incorporated as appropriate. In addition, DHS officials agreed with GAO’s recommendations regarding improvements to the Information Systems Security Line of Business and stated that the department is developing a mechanism for gathering input to address GAO’s recommendation and will work with other shared service centers to ensure that they align with the National Initiative for Cybersecurity Education activities and findings. As part of GAO’s routine audit work, GAO will track agency actions to address these recommendations and report to Congress.

GAO provided a draft of this report section to OMB for review and comment. OMB provided additional technical comments. However, GAO did not revise its findings based on these comments. In one instance, OMB indicated that GAO’s statement that the CIO Council released an updated version of 11 standard cybersecurity roles in October 2010 was not completely accurate and that the CIO Council document GAO referenced did not update the 11 roles. GAO disagrees. The CIO Council document clearly shows that the roles were updated on October 29, 2010. OMB also noted that the October 2010 CIO Council document contained additional information discussing efforts at NIST and the National Initiative for Cybersecurity Education. GAO was not provided this additional information at the time of its review, but to the extent this information supports better coordination of federal cybersecurity workforce development efforts, this is a positive step. Furthermore, OMB commented that NIST is intended to account for the cybersecurity workforce framework developed by the National Initiative for Cybersecurity Education in its follow-on work. Any steps OMB and NIST take to better coordinate federal cybersecurity efforts will be helpful. Nevertheless, GAO continues to believe that consolidating and aligning efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce will help the government more efficiently and effectively develop the workforce in a fiscally constrained environment.

For additional information about this area, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Valerie C. Melvin at (202) 512-6304 or melvinv@gao.gov.
