Cybersecurity Workforce: Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill Requirements

Highlights

What GAO Found

The Department of Homeland Security (DHS) has taken actions to identify, categorize, and assign employment codes to its cybersecurity positions, as required by the Homeland Security Cybersecurity Workforce Assessment Act of 2014; however, its actions have not been timely and complete. For example, DHS did not establish timely and complete procedures to identify, categorize, and code its cybersecurity position vacancies and responsibilities. Further, DHS has not yet completed its efforts to identify all of the department's cybersecurity positions and accurately assign codes to all filled and vacant cybersecurity positions. In August 2017, DHS reported to the Congress that it had coded 95 percent of the department's identified cybersecurity positions. However, GAO's analysis determined that the department had, at that time, coded approximately 79 percent of the positions. DHS's 95 percent estimate was overstated primarily because it excluded vacant positions, even though the act required DHS to report these positions.

In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to the Congress on its department-wide cybersecurity critical needs that align with specialty areas. The department also has not reported annually its cybersecurity critical needs to the Office of Personnel Management (OPM), as required, and has not developed plans with clearly defined time frames for doing so. (See table).

The Department of Homeland Security's Progress in Implementing Requirements of the Homeland Security Cybersecurity Workforce Assessment Act of 2014 , as of December 2017

Required activity	Due date	Completion date
1. Establish procedures to identify, categorize, and code cybersecurity positions.	Mar. 2015	Apr. 2016
2. Identify all positions with cybersecurity functions and determine work category and specialty areas of each position.	Sept. 2015	Ongoing
3. Assign c odes to all filled and vacant cybersecurity positions.	Sept. 2015	Ongoing
4. Identify and report critical needs in specialty areas to Congress.	Jun. 2016	Not addressed
5. Report critical needs annually to OPM.	Sept. 2016	Not addressed

Source: GAO analysis of DHS documentation and the Homeland Security Cybersecurity Workforce Assessment Act of 2014. | GAO-18-175

Without ensuring that its procedures are complete and that its progress in identifying and assigning codes to its positions is accurately reported, DHS will not be positioned to effectively examine its cybersecurity workforce, identify its critical skill gaps, or improve its workforce planning. Further, until DHS establishes plans and time frames for reporting on its critical needs, the department may not be able to ensure that it has the necessary cybersecurity personnel to help protect the department's and the nation's federal networks and critical infrastructure from cyber threats. The commitment of DHS's leadership to addressing these matters is essential to helping the department fulfill the act's requirements.

Why GAO Did This Study

DHS is the lead agency tasked with protecting the nation's critical infrastructure from cyber threats. The Homeland Security Cybersecurity Workforce Assessment Act of 2014 required DHS to identify, categorize, and assign employment codes to all of the department's cybersecurity workforce positions. These codes define work roles and tasks for cybersecurity specialty areas such as program management and system administration. Further, the act required DHS to identify and report its cybersecurity workforce critical needs.

The act included a provision for GAO to analyze and monitor DHS's implementation of the requirements. GAO's objectives were to assess the extent to which DHS has (1) identified, categorized, and assigned employment codes to its cybersecurity positions and (2) identified its cybersecurity workforce areas of critical need. GAO analyzed DHS and OPM workforce documentation and administered a data collection instrument to six major DHS components. GAO also interviewed relevant DHS and OPM officials.

Recommendations

GAO recommends that DHS take six actions, including ensuring that its cybersecurity workforce procedures identify position vacancies and responsibilities; reported workforce data are complete and accurate; and plans for reporting on critical needs are developed. DHS concurred with our six recommendations and described actions the department plans to take to address them. OPM did not have any comments.

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Department of Homeland Security	The Secretary of Homeland Security should develop procedures on how to identify and code vacant cybersecurity positions. (Recommendation 1)	Closed – Implemented The Department of Homeland Security (DHS) concurred with the recommendation. In fiscal year 2019, we verified that DHS has completed actions to address this recommendation. Specifically, in April 2019, we verified that DHS, in response to our recommendation, developed procedures to address how vacant cybersecurity positions should be identified and coded.
Department of Homeland Security	The Secretary of Homeland Security should identify the individual in each component who is responsible for leading that component's efforts in identifying and coding cybersecurity positions. (Recommendation 2)	Closed – Implemented The Department of Homeland Security (DHS) concurred with the recommendation. In fiscal year 2019, we verified that DHS has completed actions to address this recommendation. Specifically, in April 2019, we verified that DHS, in response to our recommendation, identified individuals in each component who are responsible for leading cybersecurity position identification and coding efforts.
Department of Homeland Security	The Secretary of Homeland Security should establish and implement a process to periodically review each component's procedures for identifying component cybersecurity positions and maintaining accurate coding. (Recommendation 3)	Closed – Implemented The Department of Homeland Security (DHS) concurred with the recommendation. In fiscal year 2019, we verified that DHS has completed actions to address this recommendation. Specifically, in April 2019, we verified that DHS, in response to our recommendation, established and implemented a process in March 2019 to review each component's procedures for identifying cybersecurity positions and maintaining accurate coding.
Department of Homeland Security	Priority Rec. The Secretary of Homeland Security should ensure the DHS Office of Chief Human Capital Officer collects complete and accurate data from its components on all filled and vacant cybersecurity positions when it conducts its cybersecurity identification and coding efforts. (Recommendation 4)	Closed – Implemented The Department of Homeland Security (DHS) concurred with this priority recommendation. In November 2019, we verified that DHS has established and implemented a process to ensure the Office of Chief Human Capital Officer collects complete and accurate data from its components on all filled and vacant cybersecurity positions and associated identification and coding efforts.
Department of Homeland Security	Priority Rec. The Secretary of Homeland Security should develop guidance to assist DHS components in identifying their cybersecurity work categories and specialty areas of critical need that align to the National Initiative for Cybersecurity Education framework. (Recommendation 5)	Closed – Implemented The Department of Homeland Security (DHS) concurred with this priority recommendation. In fiscal year 2019, we verified that DHS has completed actions to address this recommendation. Specifically, in August 2019, we verified that DHS, in response to our recommendation, developed guidance to assist DHS components in identifying their cybersecurity work categories and specialty areas of critical need that align to the National Initiative for Cybersecurity Education framework.
Department of Homeland Security	The Secretary of Homeland Security should develop plans with time frames to identify priority actions to report on specialty areas of critical need. (Recommendation 6)	Closed – Implemented The Department of Homeland Security (DHS) concurred with the recommendation. In fiscal year 2019, we verified that DHS has completed actions to address this recommendation. Specifically, in June 2019, we verified that DHS, in response to our recommendation, developed plans with time frames to identify priority actions to report on specialty areas of critical need.

See All 6 Recommendations

Full Report

Highlights Page (1 page)

Full Report (47 pages)

Accessible PDF (58 pages)

GAO Contacts

Christopher P. Currie

Director

curriec@gao.gov

(404) 679-1875

Gregory C. Wilshusen

Director

wilshuseng@gao.gov

(202) 512-4800

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Information Security

Critical infrastructureCybersecurityHuman capital managementInformation systemsInternal controlsNeeds assessmentPayroll systemsPersonnel managementPolicies and proceduresWorkforce planningWorkforce assessmentReporting requirements