Cybersecurity Workforce:

Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions

GAO-18-466: Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

As required by the Federal Cybersecurity Workforce Assessment Act of 2015 (act), the Office of Personnel Management (OPM) developed a cybersecurity coding structure under the National Initiative for Cybersecurity Education (NICE) as well as procedures for assigning codes to federal civilian cybersecurity positions. However, OPM issued the coding structure and procedures 5 and 4 months later than the act's deadlines, respectively, because OPM was working with the National Institute of Standards and Technology (NIST) to align the structure and procedures with the draft NICE Cybersecurity Workforce Framework, which NIST issued later than planned. OPM also submitted a progress report to Congress on the implementation of the act 1 month after it was due. The delays in issuing the coding structure and procedures have extended the expected time frames for implementing subsequent provisions of the act.

Most of the 24 agencies covered by the Chief Financial Officers (CFO) Act submitted baseline assessment reports to Congress, but the results may not be reliable. As of March 2018, 21 of the 24 CFO Act agencies had conducted baseline assessments identifying the extent to which their cybersecurity employees held professional certifications and had submitted the assessment reports to Congress as required by the act. Three agencies had not conducted the assessments for various reasons, such as a lack of resources and tools to do so. Of the 21 agencies that did, 4 did not address all of the reportable information, such as the extent to which personnel without professional certifications were ready to obtain them or strategies for mitigating any gaps. Additionally, agencies were limited in their ability to obtain complete or consistent information about their cybersecurity employees and the certifications they held, because they had not yet fully identified all members of their cybersecurity workforces or did not have a consistent list of appropriate certifications for cybersecurity positions. As a result, the agencies had limited assurance that their assessment results accurately reflected all relevant employees or the extent to which those employees held appropriate certifications. This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies' cybersecurity employees.

Most of the 24 CFO Act agencies established coding procedures, but 6 agencies only partially addressed certain activities required by OPM in their procedures. Of the 24 agencies reviewed, 23 had established procedures to identify their civilian cybersecurity positions and assign the appropriate employment codes to the positions as called for by the act. However, 6 of the 23 agencies did not address one or more of 7 activities required by OPM in their procedures, such as the activities to review all filled and vacant positions and annotate reviewed position descriptions with the appropriate employment code. These 6 agencies cited a variety of reasons for not addressing all of the required activities in their coding procedures. For example, these agencies stated that they addressed the activities in existing guidance or did not include activities that their components did not have the responsibility to perform. By not addressing all of the required activities in their coding procedures, the 6 agencies lack assurance that the activities will be performed or performed consistently throughout their agency.

Why GAO Did This Study

A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The Federal Cybersecurity Workforce Assessment Act of 2015 requires OPM and federal agencies to take several actions related to cybersecurity workforce planning.

GAO is to monitor agencies' progress in implementing the act's requirements. For this report, GAO assessed whether: (1) OPM developed a coding structure and procedures for assigning codes to cybersecurity positions and submitted a progress report to Congress; (2) CFO Act agencies submitted complete, reliable baseline assessments of their cybersecurity workforces; and (3) CFO Act agencies established procedures to assign codes to cybersecurity positions. GAO examined OPM's coding procedures and progress report on the act's implementation, and baseline assessments and coding procedures from the 24 CFO Act agencies. GAO also interviewed relevant OPM and agency officials about efforts to address the act's requirements.

What GAO Recommends

GAO is making 30 recommendations to 13 agencies to fully implement two of the act's requirements on baseline assessments and coding procedures. Of the 12 agencies that received recommendations and provided comments on the report, 7 agreed with the recommendations made to them, 4 did not state whether they agreed or disagreed, and 1 did not agree with one of the two recommendations made to it. GAO continues to believe that the recommendation is valid, as discussed in this report.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, identify strategies for mitigating any gaps identified, and report this information to Congress. (Recommendation 1)

    Agency Affected: Department of Commerce

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should develop, document, and implement government-wide procedures for identifying information technology (IT), cybersecurity, and cyber-related noncivilian positions and assigning employment codes to those positions. (Recommendation 2)

    Agency Affected: Department of Defense

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should develop, document, and implement internal departmental procedures for identifying IT, cybersecurity, and cyber-related noncivilian positions and assigning employment codes to those positions. (Recommendation 3)

    Agency Affected: Department of Defense

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Education should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 4)

    Agency Affected: Department of Education

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Energy should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 5)

    Agency Affected: Department of Energy

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Energy should develop, document, and implement departmental procedures for identifying IT, cybersecurity, and cyber-related positions and assigning employment codes to those positions, taking into account the key elements described in OPM's instructions for agencies' procedures. (Recommendation 6)

    Agency Affected: Department of Energy

  7. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 7)

    Agency Affected: Department of Homeland Security

  8. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 8)

    Agency Affected: Department of Homeland Security

  9. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Housing and Urban Development should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 9)

    Agency Affected: Department of Housing and Urban Development

  10. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Housing and Urban Development should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 10)

    Agency Affected: Department of Housing and Urban Development

  11. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of the Interior should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 11)

    Agency Affected: Department of the Interior

  12. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Labor should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures. (Recommendation 12)

    Agency Affected: Department of Labor

  13. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Labor should ensure that departmental procedures fully account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 13)

    Agency Affected: Department of Labor

  14. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Labor should fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 14)

    Agency Affected: Department of Labor

  15. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Labor should include requirements to assign up to three employment codes per position in order of their criticality in departmental procedures. (Recommendation 15)

    Agency Affected: Department of Labor

  16. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the National Aeronautics and Space Administration should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 16)

    Agency Affected: National Aeronautics and Space Administration

  17. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the National Aeronautics and Space Administration should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 17)

    Agency Affected: National Aeronautics and Space Administration

  18. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the National Science Foundation should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 18)

    Agency Affected: National Science Foundation

  19. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the National Science Foundation should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 19)

    Agency Affected: National Science Foundation

  20. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the National Science Foundation should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 20)

    Agency Affected: National Science Foundation

  21. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the National Science Foundation should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 21)

    Agency Affected: National Science Foundation

  22. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the National Science Foundation should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 22)

    Agency Affected: National Science Foundation

  23. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 23)

    Agency Affected: Nuclear Regulatory Commission

  24. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the Nuclear Regulatory Commission should fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 24)

    Agency Affected: Nuclear Regulatory Commission

  25. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the Small Business Administration should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 25)

    Agency Affected: Small Business Administration

  26. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the Small Business Administration should submit a report of its baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 26)

    Agency Affected: Small Business Administration

  27. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the U.S. Agency for International Development should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 27)

    Agency Affected: United States Agency for International Development

  28. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the U.S. Agency for International Development should fully clarify requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 28)

    Agency Affected: United States Agency for International Development

  29. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the U.S. Agency for International Development should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 29)

    Agency Affected: United States Agency for International Development

  30. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the U.S. Agency for International Development should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 30)

    Agency Affected: United States Agency for International Development