Cybersecurity Workforce:

Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs

GAO-19-144: Published: Mar 12, 2019. Publicly Released: Mar 12, 2019.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The federal government needs a qualified, well-trained cybersecurity workforce to protect vital IT systems. Not having enough of these workers is one reason why securing federal systems is on our High Risk list.

To help agencies identify their critical workforce needs, they were required to identify and categorize all of their IT and cyber-related positions.

However, most of the agencies we reviewed likely miscategorized the work involved in many positions. For example, 22 of 24 agencies assigned a "non-IT" code to 15,779 (about 19%) of their IT positions.

We recommended agencies improve how they track and code their IT and cyber workforce.

A shortage of cyber professionals in the federal workforce puts federal IT systems and data at risk.

An illustration of a full workforce under a locked padlock and an incomplete workforce under an unlocked padlock with a bug icon.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The 24 reviewed federal agencies generally assigned work roles to filled and vacant positions that performed information technology (IT), cybersecurity, or cyber-related functions as required by the Federal Cybersecurity Workforce Assessment Act of 2015 (the act). However, six of the 24 agencies reported that they had not completed assigning the associated work role codes to their vacant positions, although they were required to do so by April 2018. In addition, most agencies had likely miscategorized the work roles of many positions. Specifically, 22 of the 24 agencies assigned a “non-IT” work role code to 15,779 (about 19 percent) of their IT positions within the 2210 occupational series. Further, the six agencies that GAO selected for additional review had assigned work role codes that were not consistent with the work roles and duties described in corresponding position descriptions for 63 of 120 positions within the 2210 occupational series that GAO examined (see figure).

Consistency of Assigned Work Role Codes with Position Descriptions for Random Sample of IT Positions Within the 2210 Occupational Series at Six Selected Agencies

Consistency of Assigned Work Role Codes with Position Descriptions for Random Sample of IT Positions Within the 2210 Occupational Series at Six Selected Agencies

Human resource and IT officials from the 24 agencies generally reported that they had not completely or accurately categorized work roles for IT positions within the 2210 occupational series, in part, because they may have assigned the associated codes in error or had not completed validating the accuracy of the assigned codes. By assigning work roles that are inconsistent with the IT, cybersecurity, and cyber-related positions, the agencies are diminishing the reliability of the information they need to improve workforce planning.

The act also required agencies to identify work roles of critical need by April 2019. To aid agencies with identifying their critical needs, the Office of Personnel Management (OPM) developed guidance and required agencies to provide a preliminary report by August 2018. The 24 agencies have begun to identify critical needs and submitted a preliminary report to OPM that identified information systems security manager, IT project manager, and systems security analyst as the top three work roles of critical need. Nevertheless, until agencies accurately categorize their positions, their ability to effectively identify critical staffing needs will be impaired.

Why GAO Did This Study

A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The act requires OPM and federal agencies to take several actions related to cybersecurity workforce planning. These actions include categorizing all IT, cybersecurity, and cyber-related positions using OPM personnel codes for specific work roles, and identifying critical staffing needs.

The act contains a provision for GAO to analyze and monitor agencies' workforce planning. GAO's objectives were to (1) determine the extent to which federal agencies have assigned work roles for positions performing IT, cybersecurity, or cyber-related functions and (2) describe the steps federal agencies took to identify work roles of critical need. GAO administered a questionnaire to 24 agencies, analyzed coding data from personnel systems, and examined preliminary reports on critical needs. GAO selected six of the 24 agencies based on cybersecurity spending levels to determine the accuracy of codes assigned to a random sample of IT positions. GAO also interviewed relevant OPM and agency officials.

What GAO Recommends

GAO is making 28 recommendations to 22 agencies to review and assign the appropriate codes to their IT, cybersecurity, and cyber-related positions. Of the 22 agencies to which GAO made recommendations, 20 agreed with the recommendations, one partially agreed, and one did not agree with one of two recommendations. GAO continues to believe that all of the recommendations are warranted.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Priority recommendation

    Comments: The Department of Agriculture concurred with our recommendation and stated that it was identifying an internal team of subject-matter experts to collaborate with organizations across the department to review the assignment of the "000" code to positions and assist in determining the appropriate work role codes. As of April 2020, USDA expected to complete this activity by fall 2020. To fully implement this recommendation, USDA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Agriculture should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate National Initiative for Cybersecurity Education (NICE) framework work role codes. (Recommendation 1)

    Agency Affected: Department of Agriculture

  2. Status: Open

    Priority recommendation

    Comments: The Department of Commerce concurred with the recommendation, but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Commerce should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 2)

    Agency Affected: Department of Commerce

  3. Status: Open

    Comments: The Department of Defense concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should complete the identification and coding of vacant positions in the department performing IT, cybersecurity, or cyber-related functions. (Recommendation 3)

    Agency Affected: Department of Defense

  4. Status: Open

    Priority recommendation

    Comments: The Department of Defense concurred with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. To fully implement this recommendation, DOD will need to provide evidence that it has assigned appropriate National Initiative for Cybersecurity Education framework work role codes to its positions in the 2210 Information Technology management occupational series and assessed the accuracy of position descriptions.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 4)

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: The Department of Education concurred with the recommendation. In fiscal year 2020, we verified that Education, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, Education has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Education should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 5)

    Agency Affected: Department of Education

  6. Status: Closed - Implemented

    Comments: The Department of Energy concurred with the recommendation. In March 2020, we verified that Energy, in response to our recommendation, had implemented compensating controls to ensure that vacant positions in the department performing IT, cybersecurity, or cyber-related functions are assigned cybersecurity work role codes. Specifically, Energy implemented a process for assigning work role codes to positions performing IT, cybersecurity, or cyber-related functions as they are classified for recruitment action. As a result, Energy has improved its ability to identify and address work roles of critical need.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Energy should complete the identification and coding of vacant positions in the department performing IT, cybersecurity, or cyber-related functions. (Recommendation 6)

    Agency Affected: Department of Energy

  7. Status: Closed - Implemented

    Comments: The Department of Energy (Energy) concurred with the recommendation. In fiscal year 2019, we verified that Energy, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Energy has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Energy should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 7)

    Agency Affected: Department of Energy

  8. Status: Open

    Priority recommendation

    Comments: The Department of Health and Human Services concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. As of March 2020, HHS has made significant progress toward reviewing the assignment of work role codes to its positions in the 2210 IT management occupational series and ensuring that such positions are not coded with the "000" code. To fully implement this recommendation, HHS will need to provide evidence that it has assigned the appropriate NICE framework work role codes to all or nearly all of its remaining positions in the 2210 IT management occupational series. We will continue to monitor the situation.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Health and Human Services should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 8)

    Agency Affected: Department of Health and Human Services

  9. Status: Open

    Priority recommendation

    Comments: The Department of Homeland Security (DHS) concurred with our recommendation. DHS conducted an audit of its components' cybersecurity coding efforts in fiscal year 2018 and identified actions that components needed to take to complete the assignment of appropriate NICE framework work role codes and assess the accuracy of position descriptions; a second audit for fiscal year 2019 is underway, and the department expects to complete its coding efforts by June 2020. As of January 2020, DHS has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, DHS will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Homeland Security should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 9)

    Agency Affected: Department of Homeland Security

  10. Status: Open

    Priority recommendation

    Comments: The Department of Housing and Urban Development (HUD) agreed with this recommendation. In January 2020, HUD stated that it was in the process of reviewing its positions in the 2210 IT management occupational series and assigning appropriate work role codes. To fully implement this recommendation, HUD will need to correctly categorize the work roles and functions performed by IT and cyber-related personnel in order to be able to identify critical cybersecurity staffing needs.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Housing and Urban Development should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 10)

    Agency Affected: Department of Housing and Urban Development

  11. Status: Closed - Implemented

    Comments: The Department of the Interior concurred with our recommendation. In fiscal year 2019, we verified that Interior, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Interior has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Interior should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 11)

    Agency Affected: Department of the Interior

  12. Status: Closed - Implemented

    Comments: The Department of Justice concurred with the recommendation. In fiscal year 2020, we verified that Justice, in response to our recommendation, had completed the identification and coding of vacant positions performing IT, cybersecurity, or cyber-related functions. As a result, the department has greater assurance that it will be able to accurately identify work roles or critical need and improve workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Attorney General should complete the identification and coding of vacant positions in the Department of Justice performing IT, cybersecurity, or cyber-related functions in the Department of Justice. (Recommendation 12)

    Agency Affected: Department of Justice

  13. Status: Closed - Implemented

    Comments: The Department of Justice concurred with the recommendation. In fiscal year 2020, we verified that Justice, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, Justice has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Attorney General should take steps to review the assignment of the "000" code to any positions in the Department of Justice in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 13)

    Agency Affected: Department of Justice

  14. Status: Closed - Implemented

    Comments: The Department of Labor (Labor) concurred with the recommendation. In fiscal year 2019, we verified that Labor, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Labor has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Labor should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 14)

    Agency Affected: Department of Labor

  15. Status: Open

    Priority recommendation

    Comments: The Department of State concurred with the recommendation. In January 2020, we confirmed that State had assigned National Initiative for Cybersecurity Education (NICE) framework work role codes to its positions in the 2210 IT management occupational series. However, the department has not yet provided sufficient evidence to demonstrate that it has completed its efforts to assess the accuracy of position descriptions. To fully implement this recommendation, State will need to provide evidence that it has assessed the accuracy of position descriptions.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of State should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 15)

    Agency Affected: Department of State

  16. Status: Closed - Implemented

    Comments: The Department of Transportation (DOT) concurred with the recommendation. In April 2020, we verified that DOT, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, DOT has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Transportation should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 16)

    Agency Affected: Department of Transportation

  17. Status: Open

    Priority recommendation

    Comments: Treasury partially concurred with the recommendation and stated that some positions may not align to work roles in the National Initiative for Cybersecurity Education's (NICE) cybersecurity workforce framework. Treasury stated that it planned to review and validate the work role codes of its IT, cybersecurity, or cyber-related positions by March 2019. However, as of February 2020 Treasury had not provided evidence that it has implemented our recommendation. Until it assigns work role codes that are consistent with the IT, cybersecurity, and cyber-related functions performed by these positions, Treasury will continue to have unreliable information about its cybersecurity workforce that the department will need to identify its workforce roles of critical need.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Treasury should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 17)

    Agency Affected: Department of the Treasury

  18. Status: Open

    Priority recommendation

    Comments: The Department of Veterans Affairs concurred with the recommendation. As of February 2020, VA has provided evidence that it has reviewed its positions in the 2210 IT management occupational series and assigned appropriate work role codes in the Office of Information and Technology's Personnel Management System, and officials stated that the updated codes will be applied in the department's human resources system of record by March 31, 2020. To fully implement this recommendation, VA will need to provide evidence showing that it has recorded appropriate work role codes for positions performing IT, cybersecurity, or cyber-related functions in its human resources system of record.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Veterans Affairs should take steps review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE work role codes. (Recommendation 18)

    Agency Affected: Department of Veterans Affairs

  19. Status: Open

    Comments: The Environmental Protection Agency concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should complete the identification and coding of vacant positions in the agency performing IT, cybersecurity, or cyber-related functions. (Recommendation 19)

    Agency Affected: Environmental Protection Agency

  20. Status: Open

    Priority recommendation

    Comments: The Environmental Protection Agency concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. As of January 2020, EPA has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, EPA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should take steps to review the assignment of the "000" code to any positions in the agency in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 20)

    Agency Affected: Environmental Protection Agency

  21. Status: Closed - Implemented

    Comments: The General Services Administration (GSA) concurred with the recommendation. In April 2020, we confirmed that GSA, in response to our recommendation, has completed identifying and coding of vacant positions performing IT, cybersecurity, or cyber-related functions. As a result, GSA has improved its ability to identify and address work roles of critical need.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the General Services Administration should complete the identification and coding of vacant positions at GSA performing IT, cybersecurity, or cyber-related functions. (Recommendation 21)

    Agency Affected: General Services Administration

  22. Status: Closed - Implemented

    Comments: The General Services Administration (GSA) concurred with the recommendation. In fiscal year 2019, we verified that GSA, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, GSA has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the General Services Administration should take steps to review the assignment of the "000" code to any positions at GSA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 22)

    Agency Affected: General Services Administration

  23. Status: Open

    Comments: The National Aeronautics and Space Administration did not concur with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should complete the identification and coding of vacant positions at NASA performing IT, cybersecurity, or cyber-related functions. (Recommendation 23)

    Agency Affected: National Aeronautics and Space Administration

  24. Status: Open

    Priority recommendation

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. In March 2020, NASA indicated that it expected to implement the recommendation by September 30, 2020. To fully implement this recommendation, NASA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should take steps to review the assignment of the "000" code to any positions at NASA in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 24)

    Agency Affected: National Aeronautics and Space Administration

  25. Status: Closed - Implemented

    Comments: The Nuclear Regulator Commission (NRC) concurred with the recommendation. In fiscal year 2019, we verified that NRC, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, NRC has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Chairman of the Nuclear Regulatory Commission should take steps to review the assignment of the "000" code to any positions at NRC in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 25)

    Agency Affected: Nuclear Regulatory Commission

  26. Status: Closed - Implemented

    Comments: The Office of Personnel Management (OPM) concurred with the recommendation. In fiscal year 2019, we verified that OPM, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, OPM has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Director of the Office of Personnel Management should take steps to review the assignment of the "000" code to any positions at OPM in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 26)

    Agency Affected: Office of Personnel Management

  27. Status: Closed - Implemented

    Comments: The Small Business Administration (SBA) concurred with the recommendation. In February 2020, we verified that SBA, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and assigned appropriate NICE framework work role codes. As a result, SBA has improved the reliability of the information it needs to identify its workforce roles of critical need.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Small Business Administration should take steps to review the assignment of the "000" code to any positions at SBA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 27)

    Agency Affected: Small Business Administration

  28. Status: Closed - Implemented

    Comments: The Social Security Administration (SSA) concurred with the recommendation. In fiscal year 2019, we verified that SSA, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, SSA has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

    Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Commissioner of the Social Security Administration should take steps to review the assignment of the "000" code to any positions at SSA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 28)

    Agency Affected: Social Security Administration

 

Explore the full database of GAO's Open Recommendations »

Sep 16, 2020

Feb 25, 2020

Dec 30, 2019

Oct 10, 2019

Oct 2, 2019

Sep 25, 2019

Sep 11, 2019

Aug 15, 2019

Jul 30, 2019

May 23, 2019

Looking for more? Browse all our products here