Cybersecurity Workforce: Departments Need to Fully Implement Key Practices
Fast Facts
Building and maintaining a cybersecurity workforce is vital to protecting the IT systems that support government operations. But a shortage of skilled workers has made that challenging.
We looked at how five departments have implemented key cybersecurity workforce practices. Homeland Security has fully implemented nearly all the practices, but the others implemented less than half.
Some departments described actions they've taken to address challenges like recruiting difficulties and inadequate funding. But none evaluated whether their actions have been effective in addressing these challenges.
Our 23 recommendations address these issues.

Highlights
What GAO Found
The Office of Personnel Management's (OPM) Workforce Planning Guide outlines a five-step process for workforce planning efforts: (1) setting the strategic direction, (2) conducting workforce analyses, (3) developing workforce action plans, (4) implementing and monitoring workforce planning, and (5) evaluating and revising these efforts. Within the five steps are 15 applicable practices that are central to effectively managing the cybersecurity workforce. Of the 15 applicable practices, the Department of Homeland Security fully implemented 14 of them. However, the other four selected departments were not as consistent in their implementation of the practices (see figure).
Extent to Which Selected Departments Implemented the 15 Applicable Practices for Workforce Planning

Most of the selected departments reported that they had not fully implemented all 15 practices due, in part, to managing their cybersecurity workforces at the component level rather than the departmental level, as intended by OPM. Until the departments implement these practices, they will likely be challenged in having a cybersecurity workforce with the necessary skills to protect federal IT systems and enable the government's day-to-day functions.
Officials at the five selected departments cited three primary types of cybersecurity workforce management challenges: inadequate funding, difficulties with recruitment, and difficulties with retention. The departments described actions taken to mitigate these challenges. However, none of the departments had evaluated their actions taken to determine the extent to which they had been effective in addressing the challenges. Without evaluating the effectiveness of their mitigation actions, department officials will not know the extent to which their actions are addressing identified challenges and strengthening the cybersecurity workforce.
Why GAO Did This Study
Cybersecurity professionals are critical to developing, managing, and protecting the systems that support federal operations. The Federal Information Security Modernization Act (FISMA) of 2014 includes a provision for GAO to periodically evaluate federal agencies' information security practices. GAO's specific objectives were to (1) determine the extent to which selected departments implemented cybersecurity workforce practices, and (2) describe the selected departments' cybersecurity workforce challenges and mitigation actions and the extent to which they evaluated the effectiveness of those actions. To do so, GAO identified the five federal non-military departments with the largest number of cybersecurity employees. GAO assessed the departments' cybersecurity workforce documentation against applicable leading practices. Further, GAO interviewed officials from the selected departments regarding workforce practices and challenges.
Recommendations
GAO is making a total of 23 recommendations to the five departments--Commerce, Homeland Security, Health and Human Services, Treasury, and Veterans Affairs--to fully implement applicable practices and determine the effectiveness of mitigation actions. Three departments agreed with the recommendations, one agreed with two and partially agreed with three, and one department did not agree or disagree. GAO maintains that all of its recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 1) | The Department of Commerce (Commerce) concurred with the recommendation. In July 2025, Commerce stated that it will consult the Office of Personnel Management's Workforce Planning Guide and GAO's Key Principles for Effective Strategic Workforce Planning framework to develop and implement a strategy and complete an initial workforce analysis. Commerce estimated its actions needed to address this recommendation will be completed by December 20, 2026. To fully implement this recommendation, Commerce will need to provide evidence that it has fully addressed the practices described in our report associated with conducting workforce analyses. |
| Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 2) | The Department of Commerce (Commerce) concurred with the recommendation. In July 2025, Commerce stated that it will use information gathered through workforce analysis and develop a cybersecurity workforce action plan that includes strategies to close cybersecurity gaps, metrics to evaluate success, and implementation methodologies. Commerce estimated its actions needed to address this recommendation will be completed by August 20, 2027. To fully implement this recommendation, Commerce will need to provide evidence that it has fully addressed the practices described in our report associated with developing a workforce action plan. |
| Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 3) | The Department of Commerce (Commerce) concurred with the recommendation. In July 2025, Commerce stated that it will implement and monitor its cybersecurity workforce action plan and discuss the plan's implementation and metrics at recurring stakeholder meetings. Commerce estimated its actions needed to address this recommendation will be completed by February 20, 2029. To fully implement this recommendation, Commerce will need to provide evidence that it has fully addressed the practices described in our report associated with implementing and monitoring a workforce action plan. |
| Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 4) | The Department of Commerce (Commerce) concurred with the recommendation. In July 2025, Commerce stated that it will assess the effectiveness and efficiency of its cybersecurity workforce action plan and adjust the plan and target performance metrics as necessary. Commerce estimated its actions needed to address this recommendation will be completed by February 20, 2030. To fully implement this recommendation, Commerce will need to provide evidence that it has fully addressed the practices described in our report associated with evaluating and revising a workforce action plan. |
| Department of Commerce | The Secretary of Commerce should ensure that the Department of Commerce identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 5) | The Department of Commerce (Commerce) concurred with the recommendation. In July 2025, Commerce stated that it will analyze the extent to which the objectives of its cybersecurity workforce action plan were being achieved. Commerce estimated its actions needed to address this recommendation will be completed by February 20, 2030. To fully implement this recommendation, Commerce will need to provide evidence that it has fully addressed the practices described in our report associated with identifying and analyzing the effectiveness of the agency's mitigation actions on its cybersecurity workforce challenges. |
| Department of Homeland Security | The Secretary of Homeland Security should ensure that the Department of Homeland Security fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 6) | The Department of Homeland Security (DHS) concurred with the recommendation. In July 2025, DHS stated that its Office of the Chief Information Officer Business Management Directorate remained committed to developing metrics to evaluate the effectiveness of its Cybersecurity Workforce Strategy to support DHS's cybersecurity hiring and retention efforts. However, DHS noted that there would be a delay in delivery of a plan to obtain metrics and assess the results in a written report. DHS stated that this delay was due to the agency first considering updates to its Cybersecurity Workforce Strategy to reflect the current administration's policies and priorities. DHS estimated its actions needed to address this recommendation will be completed by December 31, 2025. To fully implement this recommendation, DHS will need to provide evidence that it has fully addressed the practices described in our report associated with evaluating and revising a workforce action plan. |
| Department of Homeland Security | The Secretary of Homeland Security should ensure that the Department of Homeland Security identify and analyze the effectiveness of its mitigation actions on the workforce challenges. (Recommendation 7) | The Department of Homeland Security (DHS) concurred with the recommendation. In July 2025, DHS stated that its Office of the Chief Information Officer Business Management Directorate will conduct a lessons-learned assessment to determine the effectiveness of its Cybersecurity Workforce Strategy in meeting each of the strategy's goals and in mitigating the agency's workforce challenges. DHS also stated it will create a report that includes recommendations for improvements and provide it to DHS stakeholders and the U.S. Office of Personnel Management. DHS estimated its actions needed to address this recommendation will be completed by December 31, 2025. To fully implement this recommendation, DHS will need to provide evidence that it has fully addressed identifying and analyzing the effectiveness of its mitigation actions on its workforce challenges. |
| Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with setting the strategic direction for the cybersecurity workforce. (Recommendation 8) | The Department of Health and Human Services (HHS) concurred with the recommendation. In August 2025, HHS stated it anticipates initiating a cybersecurity workforce analysis during fiscal year 2026. HHS said the results of this analysis, as well as other information, will be used by HHS to implement, monitor, and evaluate future relevant strategic and workforce plans. HHS noted that these plans will also address practices referenced in the GAO report. Finally, HHS stated it will continue to provide future updates to GAO. To fully implement this recommendation, HHS will need to provide evidence that it has fully addressed the practices described in our report associated with setting the strategic direction for the cybersecurity workforce. |
| Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 9) | The Department of Health and Human Services (HHS) concurred with the recommendation. In August 2025, HHS stated it anticipates initiating a cybersecurity workforce analysis during fiscal year 2026. HHS said the results of this analysis, as well as other information, will be used by HHS to implement, monitor, and evaluate future relevant strategic and workforce plans. HHS noted that these plans will also address practices referenced in the GAO report. Finally, HHS stated it will continue to provide future updates to GAO. To fully implement this recommendation, HHS will need to provide evidence that it has fully addressed the practices described in our report associated with conducting workforce analyses. |
| Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 10) | The Department of Health and Human Services (HHS) concurred with the recommendation. In August 2025, HHS stated it anticipates initiating a cybersecurity workforce analysis during fiscal year 2026. HHS said the results of this analysis, as well as other information, will be used by HHS to implement, monitor, and evaluate future relevant strategic and workforce plans. HHS noted that these plans will also address practices referenced in the GAO report. Finally, HHS stated it will continue to provide future updates to GAO. To fully implement this recommendation, HHS will need to provide evidence that it has fully addressed the practices described in our report associated with developing a workforce action plan. |
| Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 11) | The Department of Health and Human Services (HHS) concurred with the recommendation. In August 2025, HHS stated it anticipates initiating a cybersecurity workforce analysis during fiscal year 2026. HHS said the results of this analysis, as well as other information, will be used by HHS to implement, monitor, and evaluate future relevant strategic and workforce plans. HHS noted that these plans will also address practices referenced in the GAO report. Finally, HHS stated it will continue to provide future updates to GAO. To fully implement this recommendation, HHS will need to provide evidence that it has fully addressed the practices described in our report associated with implementing and monitoring a workforce action plan. |
| Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 12) | The Department of Health and Human Services (HHS) concurred with the recommendation. In August 2025, HHS stated it anticipates initiating a cybersecurity workforce analysis during fiscal year 2026. HHS said the results of this analysis, as well as other information, will be used by HHS to implement, monitor, and evaluate future relevant strategic and workforce plans. HHS noted that these plans will also address practices referenced in the GAO report. Finally, HHS stated it will continue to provide future updates to GAO. To fully implement this recommendation, HHS will need to provide evidence that it has fully addressed the practices described in our report associated with evaluating and revising a workforce action plan. |
| Department of Health and Human Services | The Secretary of Health and Human Services should ensure that the Department of Health and Human Services identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 13) | The Department of Health and Human Services (HHS) concurred with the recommendation. In August 2025, HHS stated it anticipates initiating a cybersecurity workforce analysis during fiscal year 2026. HHS said the results of this analysis, as well as other information, will be used by HHS to implement, monitor, and evaluate future relevant strategic and workforce plans. HHS noted that these plans will also address practices referenced in the GAO report. Finally, HHS stated it will continue to provide future updates to GAO. To fully implement this recommendation, HHS will need to provide evidence that it has fully identified and analyzed the effectiveness of its mitigation actions on the cybersecurity workforce challenges. |
| Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 14) | The Department of Treasury (Treasury) did not state whether it agreed or disagreed with the recommendation. As of September 2025, Treasury has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation. |
| Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 15) | The Department of Treasury (Treasury) did not state whether it agreed or disagreed with the recommendation. As of September 2025, Treasury has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation. |
| Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 16) | The Department of Treasury (Treasury) did not state whether it agreed or disagreed with the recommendation. As of September 2025, Treasury has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation. |
| Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 17) | The Department of Treasury (Treasury) did not state whether it agreed or disagreed with the recommendation. As of September 2025, Treasury has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation. |
| Treasurer of the United States | The Secretary of the Treasury should ensure that the Department of the Treasury identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 18) | The Department of Treasury (Treasury) did not state whether it agreed or disagreed with the recommendation. As of September 2025, Treasury has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with conducting workforce analyses. (Recommendation 19) | The Department of Veterans Affairs (VA) partially concurred with the recommendation. In September 2025, we verified that VA, in response to our recommendation, provided GAO with workforce analyses documentation including identification of VA's current cybersecurity workforce skills and competencies, mission critical occupations projections, and workforce gaps. As a result, VA is in a better position to have a cybersecurity workforce with the necessary skills to protect its IT systems and enable the department's day-to-day functions. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with developing a workforce action plan. (Recommendation 20) | The Department of Veterans Affairs (VA) concurred with the recommendation. In December 2024, VA stated that its Office of Information Technology initiated full implementation of the five workforce planning steps outlined in the Office of Personnel Management's Workforce Planning Guide beginning in 2024 and started performing comprehensive workforce analyses for each of VA's Office of Information Technology service organizations. VA stated it is on a 3-year workforce analysis study schedule, in accordance with VA Directive 5010, VA Manpower Management Policy. In July 2025, VA noted that ongoing workforce reshaping efforts have impacted the target recommendation implementation date, with VA expecting to complete all five workforce planning steps for approximately 6 of the existing 11 Office of Information Technology organizations by December 31, 2026. To fully implement this recommendation, VA will need to provide evidence that it has fully addressed the practices described in our report associated with developing a workforce action plan. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with implementing and monitoring a workforce action plan. (Recommendation 21) | The Department of Veterans Affairs (VA) concurred with the recommendation. In December 2024, VA stated that its Office of Information Technology initiated full implementation of the five workforce planning steps outlined in the Office of Personnel Management's Workforce Planning Guide beginning in 2024 and started performing comprehensive workforce analyses for each of VA's Office of Information Technology service organizations. VA stated it is on a 3-year workforce analysis study schedule, in accordance with VA Directive 5010, VA Manpower Management Policy. In July 2025, VA stated that its Office of Information Technology workforce planning group developed a staffing structure to complete all five of the workforce planning guide steps. VA noted that ongoing workforce reshaping efforts have impacted the target recommendation implementation date, with the department expecting to complete all five workforce planning steps for approximately 6 of the existing 11 Office of Information Technology organizations by December 31, 2026. To fully implement this recommendation, VA will need to provide evidence that it has fully addressed the practices described in our report associated with implementing and monitoring a workforce action plan. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs fully addresses the practices described in our report associated with evaluating and revising a workforce action plan. (Recommendation 22) | The Department of Veterans Affairs (VA) concurred with the recommendation. In December 2024, VA stated that its Office of Information Technology initiated full implementation of the five workforce planning steps outlined in the Office of Personnel Management's Workforce Planning Guide beginning in 2024 and started performing comprehensive workforce analyses for each of VA's Office of Information Technology service organizations. VA stated it is on a 3-year workforce analysis study schedule, in accordance with VA Directive 5010, VA Manpower Management Policy. In July 2025, VA stated that its Office of Information Technology workforce planning group developed a staffing structure to complete all five of the workforce planning guide steps. VA noted that ongoing workforce reshaping efforts have impacted the target recommendation implementation date, with the department expecting to complete all five workforce planning steps for approximately 6 of the existing 11 Office of Information Technology organizations by December 31, 2026. To fully implement this recommendation, VA will need to provide evidence that it has fully addressed the practices described in our report associated with evaluating and revising a workforce action plan. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the Department of Veterans Affairs identify and analyze the effectiveness of its mitigation actions on the cybersecurity workforce challenges. (Recommendation 23) | The Department of Veterans Affairs (VA) concurred with the recommendation. In December 2024, VA stated that the department evaluates the effectiveness of its mitigation actions on cybersecurity workforce challenges and barriers and provides a score to inform its Office of Information Technology if the analysis and mitigation strategies are appropriately aligned. In July 2025, VA stated its Office of the Chief Human Capital Officer will identify and analyze the effectiveness of the mitigation actions on the cybersecurity workforce challenges by June 30, 2026. To fully implement this recommendation, VA will need to provide evidence that it has fully addressed the practices described in our report associated with identifying and analyzing the effectiveness of the agency's mitigation actions on its cybersecurity workforce challenges. |