Threats to federal information technology (IT) infrastructure and systems continue to grow in number and sophistication, posing a risk to the reliable functioning of government and highlighting the need to ensure that the federal and contractor workforce has the knowledge, skills, and abilities to maintain the security of federal IT infrastructure and systems.
In discussing his 2009 Cyberspace Policy Review, President Obama declared the cyber threat to be one of the most serious economic and national security challenges we face as a nation. Because of the importance of federal information systems to government operations, as well as continuing weaknesses in the information security controls over these systems, GAO has identified federal information security as a governmentwide high-risk area since 1997.
Cybersecurity professionals help to prevent or mitigate vulnerabilities that could allow malicious individuals and groups access to federal IT systems. Specifically, the ability to secure federal systems is dependent on the knowledge, skills, and abilities of the federal and contractor workforce that uses, implements, secures, and maintains these systems.
GAOs work and the work of other organizations suggest that there are leading practices that workforce planning for critical positions such as federal cybersecurity positions should address. These include defining roles, responsibilities, skills, and competencies for these positions and establishing a training and development program that supports the competencies an agency needs to accomplish its mission.
The Department of Commerces National Institute of Standards and Technology (NIST), Chief Information Officers (CIO) Council, Office of Personnel Management (OPM), and the Department of Homeland Security (DHS) have separate efforts intended to help agencies define roles, responsibilities, skills, and competencies for their cybersecurity workforce. However, it is unclear how or whether the aforementioned entities will effectively align their efforts and, if so, the timeframe for accomplishing that. The four efforts are discussed briefly below:
Although NIST guidelines are currently widely used throughout the federal government, it is unclear whether or how the results of the efforts of the CIO Council, OPM, or DHS will be used governmentwide. A more consolidated effort to develop one framework defining roles, responsibilities, skills, and competencies for the federal cybersecurity workforce rather than four separate efforts, would be a more efficient use of resources.
In addition to efforts to define roles, responsibilities, skills and competencies, there are multiple governmentwide cybersecurity training efforts under way. In 2005, the Office of Management and Budget (OMB) and DHS began to collaborate on an initiative, called the Information Systems Security Line of Business, to address common information systems security needs across the government, including cybersecurity training. As part of this collaboration, DHS designated five agenciesthe Departments of Defense, State, and Veterans Affairs (VA), the National Aeronautics and Space Administration (NASA), and OPMto be security training shared service centers available to all federal agencies so as to reduce duplication and improve the quality of information security training. The training courses that these agencies offer are organized into two training tiers: general security awareness training and role-based security training. While one of the goals of the shared program is to reduce duplication, there are several areas in which the training roles overlap among the agencies, and no process exists for coordinating or eliminating duplication among the efforts. For example, NASA, VA, and State all have training for employees in system administrator roles. Additionally, both NASA and VA offer training for CIOs, and NASA and State both offer training directed at the system owner role. However, neither the individual agencies nor DHS evaluate the training for duplicative content, effectiveness, or extent of use.
The National Initiative for Cybersecurity Education began in March 2010 as an expansion of Initiative 8 of the Comprehensive National Cybersecurity Initiative, which focused on efforts to educate and improve the federal cybersecurity workforce. According to the interagency committee recommendations establishing the National Initiative for Cybersecurity Education, it is to provide program management support and promote intergovernmental efforts to improve cybersecurity awareness, education, workforce structure, and training.
To ensure that governmentwide cybersecurity workforce initiatives are better coordinated, GAO recommended in November 2011 that Directors of OMB and OPM and the Secretaries of the Departments of Commerce and Homeland Security should
Regarding the Information Systems Security Line of Business initiative, GAO also recommended in November 2011 that the Secretary of DHS should
Implementation of these recommendations could help the government more efficiently and effectively develop the federal cybersecurity workforce in a constrained fiscal environment.
The information contained in this analysis is based on findings from the product in the related GAO product section. GAO identified governmentwide initiatives based on interviews with subject matter experts at federal agencies and private organizations, and a review of publicly released information on the initiatives. GAO reviewed plans, performance measures, and status reports. GAO also interviewed officials at agencies responsible for these initiatives, such as NIST, OPM, the National Science Foundation, and OMB. GAO assessed the status and plans of these efforts against GAOs prior work on strategic planning, training and development, and efficient government operations.
GAO provided a draft of its November 2011 report to OMB, OPM, the Department of Commerce, and DHS, for review and comment. OPM, the Department of Commerce, and DHS generally agreed with GAOs recommendation to consolidate and align efforts to define roles and responsibilities, skills, and competencies for the federal cybersecurity workforce. OMB provided technical comments, which were incorporated as appropriate. In addition, DHS officials agreed with GAOs recommendations regarding improvements to the Information Systems Security Line of Business and stated that the department is developing a mechanism for gathering input to address GAOs recommendation and will work with other shared service centers to ensure that they align with the National Initiative for Cybersecurity Education activities and findings. As part of GAOs routine audit work, GAO will track agency actions to address these recommendations and report to Congress.
GAO provided a draft of this report section to OMB for review and comment. OMB provided additional technical comments. However, GAO did not revise its findings based on these comments. In one instance, OMB indicated that GAOs statement that the CIO Council released an updated version of 11 standard cybersecurity roles in October 2010 was not completely accurate and that the CIO Council document we referenced did not update the 11 roles. GAO disagrees. The CIO document clearly shows that the roles were updated on October 29, 2010. OMB also noted that the October 2010 CIO Council document contained additional information discussing efforts at NIST and the National Initiative for Cybersecurity Education. GAO was not provided this additional information at the time of its review, but to the extent this information supports better coordination of federal cybersecurity workforce development efforts, this is a positive step. Furthermore, OMB commented that it is intended that NIST will account for the cybersecurity workforce framework developed by the National Initiative for Cybersecurity Education in its follow on work. Any steps OMB and NIST take to better coordinate federal cybersecurity efforts will be helpful. Nevertheless, we continue to believe that consolidating and aligning efforts to define roles, responsibilities, skills, and competencies for the federal cybersecurity workforce will help the government more efficiently and effectively develop the workforce in a fiscally constrained environment.