Highlights

What GAO Found

As required by the Federal Cybersecurity Workforce Assessment Act of 2015 (act), the Office of Personnel Management (OPM) developed a cybersecurity coding structure under the National Initiative for Cybersecurity Education (NICE) as well as procedures for assigning codes to federal civilian cybersecurity positions. However, OPM issued the coding structure and procedures 5 and 4 months later than the act's deadlines, respectively, because OPM was working with the National Institute of Standards and Technology (NIST) to align the structure and procedures with the draft NICE Cybersecurity Workforce Framework, which NIST issued later than planned. OPM also submitted a progress report to Congress on the implementation of the act 1 month after it was due. The delays in issuing the coding structure and procedures have extended the expected time frames for implementing subsequent provisions of the act.

Most of the 24 agencies covered by the Chief Financial Officers (CFO) Act submitted baseline assessment reports to Congress, but the results may not be reliable. As of March 2018, 21 of the 24 CFO Act agencies had conducted baseline assessments identifying the extent to which their cybersecurity employees held professional certifications and had submitted the assessment reports to Congress as required by the act. Three agencies had not conducted the assessments for various reasons, such as a lack of resources and tools to do so. Of the 21 agencies that did, 4 did not address all of the reportable information, such as the extent to which personnel without professional certifications were ready to obtain them or strategies for mitigating any gaps. Additionally, agencies were limited in their ability to obtain complete or consistent information about their cybersecurity employees and the certifications they held. This was because agencies had not yet fully identified all members of their cybersecurity workforces or did not have a consistent list of appropriate certifications for cybersecurity positions. As a result, the agencies had limited assurance that their assessment results accurately reflected all relevant employees or the extent to which those employees held appropriate certifications. This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies' cybersecurity employees.

Most of the 24 CFO Act agencies established coding procedures, but 6 agencies only partially addressed certain activities required by OPM in their procedures. Of the 24 agencies reviewed, 23 had established procedures to identify their civilian cybersecurity positions and assign the appropriate employment codes to the positions as called for by the act. However, 6 of the 23 agencies did not address one or more of 7 activities required by OPM in their procedures, such as the activities to review all filled and vacant positions and annotate reviewed position descriptions with the appropriate employment code. These 6 agencies cited a variety of reasons for not addressing all of the required activities in their coding procedures. For example, these agencies stated that they addressed the activities in existing guidance or did not include activities that their components did not have the responsibility to perform. By not addressing all of the required activities in their coding procedures, the 6 agencies lack assurance that the activities will be performed or performed consistently throughout their agency.

Why GAO Did This Study

A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The Federal Cybersecurity Workforce Assessment Act of 2015 requires OPM and federal agencies to take several actions related to cybersecurity workforce planning.

GAO is to monitor agencies' progress in implementing the act's requirements. For this report, GAO assessed whether: (1) OPM developed a coding structure and procedures for assigning codes to cybersecurity positions and submitted a progress report to Congress; (2) CFO Act agencies submitted complete, reliable baseline assessments of their cybersecurity workforces; and (3) CFO Act agencies established procedures to assign codes to cybersecurity positions. GAO examined OPM's coding procedures and progress report on the act's implementation, and baseline assessments and coding procedures from the 24 CFO Act agencies. GAO also interviewed relevant OPM and agency officials about efforts to address the act's requirements.


Recommendations

GAO is making 30 recommendations to 13 agencies to fully implement two of the act's requirements on baseline assessments and coding procedures. Of the 12 agencies to which we made recommendations that provided comments on the report, 7 agreed with the recommendations made to them, 4 did not state whether they agreed or disagreed, and 1 did not agree with one of two recommendations made to it. GAO continues to believe that the recommendation is valid as discussed in this report.

Recommendations for Executive Action

Agency Affected / Recommendation / Status
Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, identify strategies for mitigating any gaps identified, and report this information to Congress. (Recommendation 1)
Status: Open

Department of Commerce (Commerce) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, and to identify strategies for mitigating any gaps identified. As of August 2019, Commerce had not provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should develop, document, and implement government-wide procedures for identifying information technology (IT), cybersecurity, and cyber-related noncivilian positions and assigning employment codes to those positions. (Recommendation 2)
Status: Closed - Implemented

Department of Defense (DOD) officials concurred with the recommendation. In fiscal year 2018, we verified that DOD, in response to our recommendation, had developed, documented, and implemented government-wide procedures for identifying information technology (IT), cybersecurity, and cyber-related non-civilian positions and assigned employment codes to those positions.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should develop, document, and implement internal departmental procedures for identifying IT, cybersecurity, and cyber-related noncivilian positions and assigning employment codes to those positions. (Recommendation 3)
Status: Closed - Implemented

Department of Defense (DOD) officials concurred with the recommendation. In fiscal year 2018, we verified that DOD, in response to our recommendation, had developed, documented, and implemented internal departmental procedures for identifying IT, cybersecurity, and cyber-related non-civilian positions and assigning employment codes to those positions.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 4)
Status: Closed - Implemented

Department of Education (Education) officials concurred with the recommendation. In fiscal year 2018, we verified that Education, in response to our recommendation, had developed and implemented guidance that requires positions that do not perform substantial work in information technology, cybersecurity, or cyber-related functions to be assigned code '000'.

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 5)
Status: Open

Department of Energy (DOE) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams using the National Initiative for Cybersecurity Education (NICE) certification mapping that is due for release in November 2018. DOE officials plan to develop criteria to identify personnel who are prepared to take certification exams and will perform a department-wide evaluation, after which they plan to report to Congress by a target date of September 30, 2019. As of August 2019, DOE had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should develop, document, and implement departmental procedures for identifying IT, cybersecurity, and cyber-related positions and assigning employment codes to those positions, taking into account the key elements described in OPM's instructions for agencies' procedures. (Recommendation 6)
Status: Closed - Implemented

Department of Energy (DOE) officials concurred with the recommendation. In fiscal year 2018, we verified that DOE, in response to our recommendation, had developed and issued departmental procedures for identifying IT, cybersecurity, and cyber-related positions and assigning employment codes to those positions, taking into account the key elements described in the Office of Personnel Management's (OPM's) instructions for agencies' procedures.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 7)
Status: Open

Department of Homeland Security (DHS) officials concurred with our recommendation. DHS officials plan to conduct a series of analyses with their components to review the population of three-digit coded positions, and finalize the percentage who hold certifications as well as the percentage prepared to take a relevant certification exam. In addition, DHS officials will identify and document strategies for mitigating any identified gaps. DHS officials' estimated completion date was May 31, 2019. As of August 2019, DHS had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 8)
Status: Open

Department of Homeland Security (DHS) officials concurred with our recommendation. Upon final leadership review, DHS officials plan to send Congress a 2017 Comprehensive Cybersecurity Workforce Update report, which provides additional baseline information on DHS cybersecurity workforce. In addition, DHS officials plan to leverage analysis during the remainder of FY 2018 and into early FY 2019 to produce an additional report for Congress, addressing the requirements of the baseline assessment. DHS officials' estimated completion date was May 31, 2019. As of August 2019, DHS had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.

Agency Affected: Department of Housing and Urban Development
Recommendation: The Secretary of Housing and Urban Development should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 9)
Status: Closed - Implemented

The Department of Housing and Urban Development (HUD) concurred with our recommendation. In fiscal year 2020, we verified that HUD, in response to our recommendation, had conducted a baseline assessment of its cybersecurity workforce. The assessment identified the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications, and a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. While the assessment did not identify the level of preparedness of other cyber personnel without existing credentials to take certification exams, it identified that significant proficiency gaps had been identified in its IT specialist employees, and outlined a plan for using that information to assess the ability of employees without certifications, which meets the intent of our recommendation. As a result of taking this action, HUD has ensured that it has valuable information about the knowledge and skills of its cybersecurity employees, enhancing the department's ability to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of its information and information systems.

Agency Affected: Department of Housing and Urban Development
Recommendation: The Secretary of Housing and Urban Development should submit a report of the department's baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 10)
Status: Closed - Implemented

The Department of Housing and Urban Development (HUD) concurred with our recommendation. In fiscal year 2020, we verified that HUD, in response to our recommendation, had submitted a report of its baseline assessment of its cybersecurity workforce to Congress. As a result, HUD has provided Congress with the information it required in the Act regarding existing credentials and certifications of personnel with information technology, cybersecurity, or other cyber-related job functions.

Agency Affected: Department of the Interior
Recommendation: The Secretary of the Interior should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 11)
Status: Open

Department of the Interior (Interior) concurred with our recommendation. Officials from the department stated they were developing a plan to assess the workforce's preparedness to complete and maintain certifications. Interior officials stated that they were planning to leverage its learning and performance management system for assessing the level of preparedness of cybersecurity personnel to take certification exams and planned to report to Congress by March 2021. As of August 2019, HUD had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.

Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures. (Recommendation 12)
Status: Closed - Implemented

Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had included requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures.

Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should ensure that departmental procedures fully account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 13)
Status: Closed - Implemented

Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to fully account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.

Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in departmental procedures. (Recommendation 14)
Status: Closed - Implemented

Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.

Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should include requirements to assign up to three employment codes per position in order of their criticality in departmental procedures. (Recommendation 15)
Status: Closed - Implemented

Department of Labor (DOL) officials concurred with our recommendation. In fiscal year 2018, we verified that DOL officials, in response to our recommendation, had revised their departmental procedures to include requirements to assign up to three employment codes per position in order of their criticality.

Agency Affected: National Aeronautics and Space Administration
Recommendation: The Administrator of the National Aeronautics and Space Administration should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 16)
Status: Open

National Aeronautics and Space Administration (NASA) did not concur with our recommendation and has not yet provided evidence that it has implemented the recommendation as of August 2019. We will continue to monitor the situation.

Agency Affected: National Aeronautics and Space Administration
Recommendation: The Administrator of the National Aeronautics and Space Administration should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 17)
Status: Closed - Implemented

National Aeronautics and Space Administration (NASA) officials concurred with our recommendation. In fiscal year 2018, we verified that NASA officials, in response to our recommendation, had revised their departmental procedures to fully clarify requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.

Agency Affected: National Science Foundation
Recommendation: The Director of the National Science Foundation should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 18)
Status: Closed - Implemented

National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had fully clarified requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions.

Agency Affected: National Science Foundation
Recommendation: The Director of the National Science Foundation should include requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 19)
Status: Closed - Implemented

National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had included requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in departmental procedures.

Agency Affected: National Science Foundation
Recommendation: The Director of the National Science Foundation should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 20)
Status: Closed - Implemented

National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised its agency procedures to account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.

Agency Affected: National Science Foundation
Recommendation: The Director of the National Science Foundation should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 21)
Status: Closed - Implemented

National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised its agency procedures to include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and other cyber-related functions.

Agency Affected: National Science Foundation
Recommendation: The Director of the National Science Foundation should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 22)
Status: Closed - Implemented

National Science Foundation (NSF) officials concurred with our recommendation. In fiscal year 2018, we verified that NSF, in response to our recommendation, had revised agency procedures to include requirements to assign up to three employment codes per position in order of their criticality.

Agency Affected: Nuclear Regulatory Commission
Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series. (Recommendation 23)
Status: Closed - Implemented

Nuclear Regulatory Commission (NRC) officials concurred with the recommendation. In fiscal year 2018, we verified that NRC, in response to our recommendation, had revised its cybersecurity coding procedures to ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.

Agency Affected: Nuclear Regulatory Commission
Recommendation: The Chairman of the Nuclear Regulatory Commission should fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 24)
Status: Closed - Implemented

Nuclear Regulatory Commission (NRC) officials concurred with the recommendation. In fiscal year 2018, we verified that NRC, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures.

Agency Affected: Small Business Administration
Recommendation: The Administrator of the Small Business Administration should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 25)
Status: Open

Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. As of August 2019, SBA had not provided evidence that it had implemented the recommendation. We will continue to monitor the situation.

Agency Affected: Small Business Administration
Recommendation: The Administrator of the Small Business Administration should submit a report of its baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 26)
Status: Open

Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. As of August 2019, SBA had not provided evidence that it had implemented the recommendation. We will continue to monitor the situation.

Agency Affected: United States Agency for International Development
Recommendation: The Administrator of the U.S. Agency for International Development should fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 27)
Status: Closed - Implemented

United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to review all encumbered and vacant positions performing IT, cybersecurity, and cyber-related functions.

Agency Affected: United States Agency for International Development
Recommendation: The Administrator of the U.S. Agency for International Development should fully clarify requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s) in agency procedures. (Recommendation 28)
Status: Closed - Implemented

United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to fully clarify requirements to annotate reviewed position descriptions with the appropriate cybersecurity data standard code(s).

Agency Affected: United States Agency for International Development
Recommendation: The Administrator of the U.S. Agency for International Development should include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions in agency procedures. (Recommendation 29)
Status: Closed - Implemented

United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to include requirements to assign code "000" to positions that do not perform IT, cybersecurity, and cyber-related functions.

Agency Affected: United States Agency for International Development
Recommendation: The Administrator of the U.S. Agency for International Development should include requirements to assign up to three employment codes per position in order of their criticality in agency procedures. (Recommendation 30)
Status: Closed - Implemented

United States Agency for International Development (USAID) officials concurred with our recommendation. In fiscal year 2018, we verified that USAID, in response to our recommendation, had revised its cybersecurity coding procedures to include requirements to assign up to three employment codes per position in order of their criticality.