Cybersecurity Workforce:

Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions

GAO-18-466: Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

As required by the Federal Cybersecurity Workforce Assessment Act of 2015 (act), the Office of Personnel Management (OPM) developed a cybersecurity coding structure under the National Initiative for Cybersecurity Education (NICE) as well as procedures for assigning codes to federal civilian cybersecurity positions. However, OPM issued the coding structure and procedures 5 and 4 months later than the act's deadlines because OPM was working with the National Institute of Standards and Technology (NIST) to align the structure and procedures with the draft NICE Cybersecurity Workforce Framework, which NIST issued later than planned. OPM also submitted a progress report to Congress on the implementation of the act 1 month after it was due. The delays in issuing the coding structure and procedures have extended the expected time frames for implementing subsequent provisions of the act.

Most of the 24 agencies covered by the Chief Financial Officers (CFO) Act submitted baseline assessment reports to Congress, but the results may not be reliable. As of March 2018, 21 of the 24 CFO Act agencies had conducted baseline assessments identifying the extent to which their cybersecurity employees held professional certifications and had submitted the assessment reports to Congress as required by the act. Three agencies had not conducted the assessments for various reasons, such as a lack of resources and tools to do so. Of the 21 agencies that did, 4 did not address all of the reportable information, such as the extent to which personnel without professional certifications were ready to obtain them or strategies for mitigating any gaps. Additionally, agencies were limited in their ability to obtain complete or consistent information about their cybersecurity employees and the certifications they held. This was because agencies had not yet fully identified all members of their cybersecurity workforces or did not have a consistent list of appropriate certifications for cybersecurity positions. As a result, the agencies had limited assurance that their assessment results accurately reflected all relevant employees or the extent to which those employees held appropriate certifications. This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies' cybersecurity employees.

Most of the 24 CFO Act agencies established coding procedures, but 6 agencies only partially addressed certain activities required by OPM in their procedures. Of the 24 agencies reviewed, 23 had established procedures to identify their civilian cybersecurity positions and assign the appropriate employment codes to the positions as called for by the act. However, 6 of the 23 agencies did not address one or more of 7 activities required by OPM in their procedures, such as the activities to review all filled and vacant positions and annotate reviewed position descriptions with the appropriate employment code. These 6 agencies cited a variety of reasons for not addressing all of the required activities in their coding procedures. For example, these agencies stated that they addressed the activities in existing guidance or did not include activities that their components did not have the responsibility to perform. By not addressing all of the required activities in their coding procedures, the 6 agencies lack assurance that the activities will be performed or performed consistently throughout their agency.

Why GAO Did This Study

A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The Federal Cybersecurity Workforce Assessment Act of 2015 requires OPM and federal agencies to take several actions related to cybersecurity workforce planning.

GAO is to monitor agencies' progress in implementing the act's requirements. For this report, GAO assessed whether: (1) OPM developed a coding structure and procedures for assigning codes to cybersecurity positions and submitted a progress report to Congress; (2) CFO Act agencies submitted complete, reliable baseline assessments of their cybersecurity workforces; and (3) CFO Act agencies established procedures to assign codes to cybersecurity positions. GAO examined OPM's coding procedures and progress report on the act's implementation, and baseline assessments and coding procedures from the 24 CFO Act agencies. GAO also interviewed relevant OPM and agency officials about efforts to address the act's requirements.

What GAO Recommends

GAO is making 30 recommendations to 13 agencies to fully implement two of the act's requirements on baseline assessments and coding procedures. Of the 12 agencies to which we made recommendations that provided comments on the report, 7 agreed with the recommendations made to them, 4 did not state whether they agreed or disagreed, and 1 did not agree with one of two recommendations made to it. GAO continues to believe that the recommendation is valid as discussed in this report.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: Department of Commerce (Commerce) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, and to identify strategies for mitigating any gaps identified. Commerce officials planned to report to Congress by the end of fiscal year 2018 and continue to provide updates in the following fiscal year. We will continue to monitor the situation.

    Recommendation: The Secretary of Commerce should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, identify strategies for mitigating any gaps identified, and report this information to Congress. (Recommendation 1)

    Agency Affected: Department of Commerce

  2. Status: Closed - Implemented

    Comments: Department of Defense (DOD) officials concurred with the recommendation. In fiscal year 2018, we verified that DOD, in response to our recommendation, had developed, documented, and implemented government-wide procedures for identifying information technology (IT), cybersecurity, and cyber-related non-civilian positions and assigned employment codes to those positions.

    Recommendation: The Secretary of Defense should develop, document, and implement government-wide procedures for identifying information technology (IT), cybersecurity, and cyber-related non-civilian positions and assigning employment codes to those positions. (Recommendation 2)

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: Department of Defense (DOD) officials concurred with the recommendation. In fiscal year 2018, we verified that DOD, in response to our recommendation, had developed, documented, and implemented internal departmental procedures for identifying IT, cybersecurity, and cyber-related non-civilian positions and assigning employment codes to those positions.

    Recommendation: The Secretary of Defense should develop, document, and implement internal departmental procedures for identifying IT, cybersecurity, and cyber-related non-civilian positions and assigning employment codes to those positions. (Recommendation 3)

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: Department of Education (Education) officials concurred with the recommendation. In fiscal year 2018, we verified that Education, in response to our recommendation, had developed and implemented guidance that requires positions that do not perform substantial work in information technology, cybersecurity, or cyber-related functions to be assigned code '000'.

    Recommendation: The Secretary of Education should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 4)

    Agency Affected: Department of Education

  5. Status: Open

    Comments: Department of Energy (DOE) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams using the National Initiative for Cybersecurity Education (NICE) certification mapping that is due for release in November 2018. DOE officials plan to develop criteria to identify personnel who are prepared to take certification exams and will perform a department-wide evaluation, after which they plan to report to Congress by a target date of June 30, 2019. We will continue to monitor the situation.

    Recommendation: The Secretary of Energy should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 5)

    Agency Affected: Department of Energy

  6. Status: Closed - Implemented

    Comments: Department of Energy (DOE) officials concurred with the recommendation. In fiscal year 2018, we verified that DOE, in response to our recommendation, had developed and issued departmental procedures for identifying IT, cybersecurity, and cyber-related positions and assigning employment codes to those positions, taking into account the key elements described in the Office of Personnel Management's (OPM's) instructions for agencies' procedures.

    Recommendation: The Secretary of Energy should develop, document, and implement departmental procedures for identifying IT, cybersecurity, and cyber-related positions and assigning employment codes to those positions, taking into account the key elements described in OPM's instructions for agencies' procedures. (Recommendation 6)

    Agency Affected: Department of Energy

  7. Status: Open

    Comments: Department of Homeland Security (DHS) officials concurred with our recommendation. DHS officials plan to conduct a series of analyses with their components to review the population of three-digit coded positions, and finalize the percentage who hold certifications as well as the percentage prepared to take a relevant certification exam. In addition, DHS officials will identify and document strategies for mitigating any identified gaps. DHS officials' estimated completion date is January 31, 2019. We will continue to monitor the situation.

    Recommendation: The Secretary of Homeland Security should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 7)

    Agency Affected: Department of Homeland Security

  8. Status: Open

    Comments: Department of Homeland Security (DHS) officials concurred with our recommendation. Upon final leadership review, DHS officials plan to send Congress a 2017 Comprehensive Cybersecurity Workforce Update report, which provides additional baseline information on the DHS cybersecurity workforce. In addition, DHS officials plan to leverage analysis during the remainder of FY 2018 and into early FY 2019 to produce an additional report for Congress, addressing the requirements of the baseline assessment. DHS officials' estimated completion date is January 31, 2019. We will continue to monitor the situation.

    Recommendation: The Secretary of Homeland Security should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 8)

    Agency Affected: Department of Homeland Security

  9. Status: Open

    Comments: Department of Housing and Urban Development (HUD) concurred with our recommendation. The department had developed a survey assessment tool to gather information on certifications its cybersecurity workforce had obtained, which it would use to complete and submit a report of the baseline assessment by September 2019. We will continue to monitor the situation.

    Recommendation: The Secretary of Housing and Urban Development should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 9)

    Agency Affected: Department of Housing and Urban Development

  10. Status: Open

    Comments: Department of Housing and Urban Development (HUD) concurred with our recommendation. The department had developed a survey assessment tool to gather information on certifications its cybersecurity workforce had obtained, which it would use to complete and submit a report of the baseline assessment by September 2019. We will continue to monitor the situation.

    Recommendation: The Secretary of Housing and Urban Development should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 10)

    Agency Affected: Department of Housing and Urban Development

  11. Status: Open

    Comments: Department of the Interior (DOI) concurred with our recommendation. Officials from the department stated they were developing a plan to assess the workforce's preparedness to complete and maintain certifications. The department estimated it would address the recommendation by January 2019. We will continue to monitor the situation.

    Recommendation: The Secretary of the Interior should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 11)

    Agency Affected: Department of the Interior

  12. Status: Closed - Implemented

    Comments: Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had included requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures.

    Recommendation: The Secretary of Labor should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures. (Recommendation 12)

    Agency Affected: Department of Labor

  13. Status: Closed - Implemented

    Comments: Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to fully account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.

    Recommendation: The Secretary of Labor should ensure that departmental procedures fully account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 13)

    Agency Affected: Department of Labor

  14. Status: Closed - Implemented

    Comments: Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.

    Recommendation: The Secretary of Labor should fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 14)

    Agency Affected: Department of Labor

  15. Status: Closed - Implemented

    Comments: Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to include requirements to assign up to three employment codes per position in order of their criticality.

    Recommendation: The Secretary of Labor should include requirements to assign up to three employment codes per position in order of their criticality in departmental procedures. (Recommendation 15)

    Agency Affected: Department of Labor

  16. Status: Open

    Comments: National Aeronautics and Space Administration (NASA) did not concur with our recommendation and has not yet provided evidence that it has implemented the recommendation as of 6/28/18. We will continue to monitor the situation.

    Recommendation: The Administrator of the National Aeronautics and Space Administration should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 16)

    Agency Affected: National Aeronautics and Space Administration

  17. Status: Closed - Implemented

    Comments: National Aeronautics and Space Administration (NASA) officials concurred with our recommendation. In fiscal year 2018, we verified that NASA officials, in response to our recommendation, had revised their departmental procedures to fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.

    Recommendation: The Administrator of the National Aeronautics and Space Administration should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 17)

    Agency Affected: National Aeronautics and Space Administration

  18. Status: Closed - Implemented

    Comments: National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had fully clarified requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions.

    Recommendation: The Director of the National Science Foundation should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 18)

    Agency Affected: National Science Foundation

  19. Status: Closed - Implemented

    Comments: National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had included requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures.

    Recommendation: The Director of the National Science Foundation should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 19)

    Agency Affected: National Science Foundation

  20. Status: Closed - Implemented

    Comments: National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised its agency procedures to account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.

    Recommendation: The Director of the National Science Foundation should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 20)

    Agency Affected: National Science Foundation

  21. Status: Closed - Implemented

    Comments: National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised its agency procedures to include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and other cyber-related functions.

    Recommendation: The Director of the National Science Foundation should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 21)

    Agency Affected: National Science Foundation

  22. Status: Closed - Implemented

    Comments: National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised agency procedures to include requirements to assign up to three employment codes per position in order of their criticality.

    Recommendation: The Director of the National Science Foundation should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 22)

    Agency Affected: National Science Foundation

  23. Status: Closed - Implemented

    Comments: Nuclear Regulatory Commission (NRC) officials concurred with the recommendation. In fiscal year 2018, we verified that NRC, in response to our recommendation, had revised its cybersecurity coding procedures to ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.

    Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 23)

    Agency Affected: Nuclear Regulatory Commission

  24. Status: Closed - Implemented

    Comments: Nuclear Regulatory Commission (NRC) officials concurred with the recommendation. In fiscal year 2018, we verified that NRC, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures.

    Recommendation: The Chairman of the Nuclear Regulatory Commission should fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 24)

    Agency Affected: Nuclear Regulatory Commission

  25. Status: Open

    Comments: Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. SBA planned to conduct a baseline assessment by January 2019. We will continue to monitor the situation.

    Recommendation: The Administrator of the Small Business Administration should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 25)

    Agency Affected: Small Business Administration

  26. Status: Open

    Comments: Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. SBA planned to report to congressional committees in February 2019. We will continue to monitor the situation.

    Recommendation: The Administrator of the Small Business Administration should submit a report of its baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 26)

    Agency Affected: Small Business Administration

  27. Status: Closed - Implemented

    Comments: United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions.

    Recommendation: The Administrator of the U.S. Agency for International Development should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 27)

    Agency Affected: United States Agency for International Development

  28. Status: Closed - Implemented

    Comments: United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s).

    Recommendation: The Administrator of the U.S. Agency for International Development should fully clarify requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 28)

    Agency Affected: United States Agency for International Development

  29. Status: Closed - Implemented

    Comments: United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.

    Recommendation: The Administrator of the U.S. Agency for International Development should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 29)

    Agency Affected: United States Agency for International Development

  30. Status: Closed - Implemented

    Comments: United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to include requirements to assign up to three employment codes per position in order of their criticality.

    Recommendation: The Administrator of the U.S. Agency for International Development should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 30)

    Agency Affected: United States Agency for International Development
