Skip to main content

Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs

GAO-19-144 Published: Mar 12, 2019. Publicly Released: Mar 12, 2019.
Jump To:

Fast Facts

The federal government needs a qualified, well-trained cybersecurity workforce to protect vital IT systems. Not having enough of these workers is one reason why securing federal systems is on our High Risk list.

To help agencies identify their critical workforce needs, they were required to identify and categorize all of their IT and cyber-related positions.

However, most of the agencies we reviewed likely miscategorized the work involved in many positions. For example, 22 of 24 agencies assigned a "non-IT" code to 15,779 (about 19%) of their IT positions.

We recommended agencies improve how they track and code their IT and cyber workforce.

A shortage of cyber professionals in the federal workforce puts federal IT systems and data at risk.

An illustration of a full workforce under a locked padlock and an incomplete workforce under an unlocked padlock with a bug icon.

Skip to Highlights

Highlights

What GAO Found

The 24 reviewed federal agencies generally assigned work roles to filled and vacant positions that performed information technology (IT), cybersecurity, or cyber-related functions as required by the Federal Cybersecurity Workforce Assessment Act of 2015 (the act). However, six of the 24 agencies reported that they had not completed assigning the associated work role codes to their vacant positions, although they were required to do so by April 2018. In addition, most agencies had likely miscategorized the work roles of many positions. Specifically, 22 of the 24 agencies assigned a “non-IT” work role code to 15,779 (about 19 percent) of their IT positions within the 2210 occupational series. Further, the six agencies that GAO selected for additional review had assigned work role codes that were not consistent with the work roles and duties described in corresponding position descriptions for 63 of 120 positions within the 2210 occupational series that GAO examined (see figure).

Consistency of Assigned Work Role Codes with Position Descriptions for Random Sample of IT Positions Within the 2210 Occupational Series at Six Selected Agencies

Consistency of Assigned Work Role Codes with Position Descriptions for Random Sample of IT Positions Within the 2210 Occupational Series at Six Selected Agencies

Human resource and IT officials from the 24 agencies generally reported that they had not completely or accurately categorized work roles for IT positions within the 2210 occupational series, in part, because they may have assigned the associated codes in error or had not completed validating the accuracy of the assigned codes. By assigning work roles that are inconsistent with the IT, cybersecurity, and cyber-related positions, the agencies are diminishing the reliability of the information they need to improve workforce planning.

The act also required agencies to identify work roles of critical need by April 2019. To aid agencies with identifying their critical needs, the Office of Personnel Management (OPM) developed guidance and required agencies to provide a preliminary report by August 2018. The 24 agencies have begun to identify critical needs and submitted a preliminary report to OPM that identified information systems security manager, IT project manager, and systems security analyst as the top three work roles of critical need. Nevertheless, until agencies accurately categorize their positions, their ability to effectively identify critical staffing needs will be impaired.

Why GAO Did This Study

A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The act requires OPM and federal agencies to take several actions related to cybersecurity workforce planning. These actions include categorizing all IT, cybersecurity, and cyber-related positions using OPM personnel codes for specific work roles, and identifying critical staffing needs.

The act contains a provision for GAO to analyze and monitor agencies' workforce planning. GAO's objectives were to (1) determine the extent to which federal agencies have assigned work roles for positions performing IT, cybersecurity, or cyber-related functions and (2) describe the steps federal agencies took to identify work roles of critical need. GAO administered a questionnaire to 24 agencies, analyzed coding data from personnel systems, and examined preliminary reports on critical needs. GAO selected six of the 24 agencies based on cybersecurity spending levels to determine the accuracy of codes assigned to a random sample of IT positions. GAO also interviewed relevant OPM and agency officials.

Recommendations

GAO is making 28 recommendations to 22 agencies to review and assign the appropriate codes to their IT, cybersecurity, and cyber-related positions. Of the 22 agencies to which GAO made recommendations, 20 agreed with the recommendations, one partially agreed, and one did not agree with one of two recommendations. GAO continues to believe that all of the recommendations are warranted.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Agriculture
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Agriculture should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate National Initiative for Cybersecurity Education (NICE) framework work role codes. (Recommendation 1)
Closed – Implemented
The Department of Agriculture (USDA) concurred with our recommendation and stated that it was identifying an internal team of subject-matter experts to collaborate with organizations across the department to review the assignment of the "000" code to positions and assist in determining the appropriate work role codes. In April 2021, we verified that USDA, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, USDA has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need
Department of Commerce
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Commerce should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 2)
Closed – Implemented
The Department of Commerce concurred with the recommendation. In July 2023, we verified that Commerce, in response to our recommendation, had reviewed the assignment of '000' codes to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, Commerce has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need.
Department of Defense To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should complete the identification and coding of vacant positions in the department performing IT, cybersecurity, or cyber-related functions. (Recommendation 3)
Closed – Implemented
The Department of Defense concurred with the recommendation. In Fiscal Year 2023, we verified that DOD had assigned codes to vacant positions and according to officials, the department was continuing ongoing data remediation efforts to allow for the ongoing validation, identification, and coding for vacant positions, in response to our recommendation. As a result, the department has greater assurance that it will be able to accurately identify work roles or critical need and improve workforce planning.
Department of Defense
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 4)
Open
The Department of Defense concurred with the recommendation. In September 2020, DOD stated that it had taken steps to decrease the number of positions that were assigned inappropriate codes and were continuing to monitor and track coding with the aim of addressing the recommendation. As of March 2024, according to the DOD Chief Information Officer, the department had a coding remediation initiative underway and the coding of cyber positions would evolve over time to keep pace with changes to the mission, the addition or deletion of positions, and advances in cyber technology. However, as of March 2024, DOD had not adequately demonstrated that appropriate and accurate work role codes had been assigned. To fully implement this recommendation, DOD will need to provide evidence that it has assigned appropriate National Initiative for Cybersecurity Education framework work role codes to its positions in the 2210 Information Technology management occupational series and assessed the accuracy of position descriptions.
Department of Education To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Education should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 5)
Closed – Implemented
The Department of Education concurred with the recommendation. In fiscal year 2020, we verified that Education, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, Education has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need.
Department of Energy To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Energy should complete the identification and coding of vacant positions in the department performing IT, cybersecurity, or cyber-related functions. (Recommendation 6)
Closed – Implemented
The Department of Energy concurred with the recommendation. In March 2020, we verified that Energy, in response to our recommendation, had implemented compensating controls to ensure that vacant positions in the department performing IT, cybersecurity, or cyber-related functions are assigned cybersecurity work role codes. Specifically, Energy implemented a process for assigning work role codes to positions performing IT, cybersecurity, or cyber-related functions as they are classified for recruitment action. As a result, Energy has improved its ability to identify and address work roles of critical need.
Department of Energy To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Energy should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 7)
Closed – Implemented
The Department of Energy (Energy) concurred with the recommendation. In fiscal year 2019, we verified that Energy, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Energy has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Department of Health and Human Services
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Health and Human Services should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 8)
Closed – Implemented
The Department of Health and Human Services concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. In fiscal year 2021, we verified that HHS had made significant progress toward reviewing the assignment of work role codes to its positions in the 2210 IT management occupational series and ensuring that such positions are not coded with the "000" code and had assigned an appropriate NICE framework work role codes to most of its positions in the 2210 IT management occupational series.
Department of Homeland Security
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Homeland Security should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 9)
Closed – Implemented
The Department of Homeland Security (DHS) concurred with our recommendation. DHS conducted an audit of its components' cybersecurity coding efforts in fiscal year 2018 and identified actions that components needed to take to complete the assignment of appropriate NICE framework work role codes and assess the accuracy of position descriptions; a second audit for fiscal year 2019 was underway, and the department expected to complete its coding efforts by December 2020. In fiscal year 2021, we verified that DHS had assigned appropriate NICE framework work role codes to most of its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.
Department of Housing and Urban Development
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Housing and Urban Development should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 10)
Closed – Implemented
The Department of Housing and Urban Development (HUD) agreed with this recommendation. In January 2020, HUD stated that it was in the process of reviewing its positions in the 2210 IT management occupational series and assigning appropriate work role codes. To fully implement this recommendation, HUD will need to correctly categorize the work roles and functions performed by IT and cyber-related personnel in order to be able to identify critical cybersecurity staffing needs. In March 2022, we verified that HUD, in response to our recommendation, had reviewed its positions in the 2210 IT management occupational series and assigned appropriate work role codes to those positions.
Department of the Interior To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Interior should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 11)
Closed – Implemented
The Department of the Interior concurred with our recommendation. In fiscal year 2019, we verified that Interior, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Interior has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Department of Justice To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Attorney General should complete the identification and coding of vacant positions in the Department of Justice performing IT, cybersecurity, or cyber-related functions in the Department of Justice. (Recommendation 12)
Closed – Implemented
The Department of Justice concurred with the recommendation. In fiscal year 2020, we verified that Justice, in response to our recommendation, had completed the identification and coding of vacant positions performing IT, cybersecurity, or cyber-related functions. As a result, the department has greater assurance that it will be able to accurately identify work roles or critical need and improve workforce planning.
Department of Justice To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Attorney General should take steps to review the assignment of the "000" code to any positions in the Department of Justice in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 13)
Closed – Implemented
The Department of Justice concurred with the recommendation. In fiscal year 2020, we verified that Justice, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, Justice has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need.
Department of Labor To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Labor should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 14)
Closed – Implemented
The Department of Labor (Labor) concurred with the recommendation. In fiscal year 2019, we verified that Labor, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Labor has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Department of State
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of State should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 15)
Closed – Implemented
The Department of State concurred with the recommendation. In January 2020, we confirmed that State had assigned National Initiative for Cybersecurity Education (NICE) framework work role codes to its positions in the 2210 IT management occupational series. In March 2024, we confirmed that State, in response to our recommendation, had instituted a process for reviewing position descriptions for cyber work role coding, and had improved the accuracy of its cyber work role coding of its position descriptions in the 2210 IT Management occupational series. As a result, State has increased the reliability of the information it needs to identify its workforce roles of critical need.
Department of Transportation To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Transportation should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 16)
Closed – Implemented
The Department of Transportation (DOT) concurred with the recommendation. In April 2020, we verified that DOT, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, DOT has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need
Department of the Treasury
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Treasury should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 17)
Closed – Implemented
Treasury partially concurred with the recommendation and stated that some positions may not align to work roles in the National Initiative for Cybersecurity Education's (NICE) cybersecurity workforce framework. In March 2021, Treasury provided an action plan for addressing the recommendation. According to the plan, Treasury planned to work with its bureaus to review and validate the work role codes of its positions in the 2210 IT Management occupational series. In March 2024, we verified that Treasury, in response to our recommendation, had reviewed its positions in the 2210 IT Management occupational series and assigned appropriate NICE framework work role codes. As a result, Treasury has more reliable information about its cybersecurity workforce that the department needs to identify its workforce roles of critical need.
Department of Veterans Affairs
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Veterans Affairs should take steps review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE work role codes. (Recommendation 18)
Closed – Implemented
The Department of Veterans Affairs concurred with the recommendation. In September 2020, we verified that VA, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, VA has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need
Environmental Protection Agency To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should complete the identification and coding of vacant positions in the agency performing IT, cybersecurity, or cyber-related functions. (Recommendation 19)
Closed – Implemented
The Environmental Protection Agency (EPA) concurred with the recommendation. In fiscal year 2021, we verified that EPA, in response to our recommendation, had completed the identification and coding of vacant positions performing IT, cybersecurity, or cyber-related functions. As a result, the agency has greater assurance that it will be able to accurately identify work roles or critical need and improve workforce planning.
Environmental Protection Agency
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should take steps to review the assignment of the "000" code to any positions in the agency in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 20)
Closed – Implemented
The Environmental Protection Agency concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. In fiscal year 2021, we verified that EPA had assigned appropriate NICE framework work role codes to nearly all of its positions in the 2210 IT management occupational series and had reviewed position descriptions for accuracy. As a result, EPA has taken steps to improve the reliability of the information it needs to identify its workforce roles of critical need.
General Services Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the General Services Administration should complete the identification and coding of vacant positions at GSA performing IT, cybersecurity, or cyber-related functions. (Recommendation 21)
Closed – Implemented
The General Services Administration (GSA) concurred with the recommendation. In April 2020, we confirmed that GSA, in response to our recommendation, has completed identifying and coding of vacant positions performing IT, cybersecurity, or cyber-related functions. As a result, GSA has improved its ability to identify and address work roles of critical need.
General Services Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the General Services Administration should take steps to review the assignment of the "000" code to any positions at GSA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 22)
Closed – Implemented
The General Services Administration (GSA) concurred with the recommendation. In fiscal year 2019, we verified that GSA, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, GSA has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
National Aeronautics and Space Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should complete the identification and coding of vacant positions at NASA performing IT, cybersecurity, or cyber-related functions. (Recommendation 23)
Closed – Implemented
The National Aeronautics and Space Administration did not concur with the recommendation. In an update from November 2020, NASA stated that it had conducted workforce planning and identified vacant cybersecurity positions. In fiscal year 2021, we verified that NASA, in response to our recommendation, had identified and coded vacant positions performing cybersecurity functions. As a result, the agency has greater assurance that it will be able to accurately identify work roles or critical need and improve workforce planning.
National Aeronautics and Space Administration
Priority Rec.
To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should take steps to review the assignment of the "000" code to any positions at NASA in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 24)
Closed – Implemented
The National Aeronautics and Space Administration (NASA) concurred with our recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. As of April 2022, NASA has provided evidence showing that it has assigned appropriate NICE framework role codes to its positions in the 2210 IT management occupational series. In April 2024, we confirmed that NASA, in response to our recommendation, had assessed the accuracy of position descriptions.
Nuclear Regulatory Commission To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Chairman of the Nuclear Regulatory Commission should take steps to review the assignment of the "000" code to any positions at NRC in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 25)
Closed – Implemented
The Nuclear Regulator Commission (NRC) concurred with the recommendation. In fiscal year 2019, we verified that NRC, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, NRC has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Office of Personnel Management To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Director of the Office of Personnel Management should take steps to review the assignment of the "000" code to any positions at OPM in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 26)
Closed – Implemented
The Office of Personnel Management (OPM) concurred with the recommendation. In fiscal year 2019, we verified that OPM, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, OPM has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Small Business Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Small Business Administration should take steps to review the assignment of the "000" code to any positions at SBA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 27)
Closed – Implemented
The Small Business Administration (SBA) concurred with the recommendation. In February 2020, we verified that SBA, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and assigned appropriate NICE framework work role codes. As a result, SBA has improved the reliability of the information it needs to identify its workforce roles of critical need.
Social Security Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Commissioner of the Social Security Administration should take steps to review the assignment of the "000" code to any positions at SSA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 28)
Closed – Implemented
The Social Security Administration (SSA) concurred with the recommendation. In fiscal year 2019, we verified that SSA, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, SSA has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.

Full Report

GAO Contacts

Topics

CybersecurityCybersecurity professionalsCyberspace threatsFederal agenciesHuman capital managementInformation technologyIT human capitalPosition descriptionsStaff utilizationStaffing levelsVacant positionsWorkforce planning