Fast Facts

The federal government needs a qualified, well-trained cybersecurity workforce to protect vital IT systems. Not having enough of these workers is one reason why securing federal systems is on our High Risk list.

To help identify critical workforce needs, agencies were required to identify and categorize all of their IT and cyber-related positions.

However, most of the agencies we reviewed likely miscategorized the work involved in many positions. For example, 22 of 24 agencies assigned a "non-IT" code to 15,779 (about 19%) of their IT positions.

We recommended agencies improve how they track and code their IT and cyber workforce.

A shortage of cyber professionals in the federal workforce puts federal IT systems and data at risk.

An illustration of a full workforce under a locked padlock and an incomplete workforce under an unlocked padlock with a bug icon.

Highlights

What GAO Found

The 24 reviewed federal agencies generally assigned work roles to filled and vacant positions that performed information technology (IT), cybersecurity, or cyber-related functions as required by the Federal Cybersecurity Workforce Assessment Act of 2015 (the act). However, six of the 24 agencies reported that they had not completed assigning the associated work role codes to their vacant positions, although they were required to do so by April 2018. In addition, most agencies had likely miscategorized the work roles of many positions. Specifically, 22 of the 24 agencies assigned a “non-IT” work role code to 15,779 (about 19 percent) of their IT positions within the 2210 occupational series. Further, the six agencies that GAO selected for additional review had assigned work role codes that were not consistent with the work roles and duties described in corresponding position descriptions for 63 of 120 positions within the 2210 occupational series that GAO examined (see figure).

Consistency of Assigned Work Role Codes with Position Descriptions for Random Sample of IT Positions Within the 2210 Occupational Series at Six Selected Agencies

Human resource and IT officials from the 24 agencies generally reported that they had not completely or accurately categorized work roles for IT positions within the 2210 occupational series, in part, because they may have assigned the associated codes in error or had not completed validating the accuracy of the assigned codes. By assigning work roles that are inconsistent with the IT, cybersecurity, and cyber-related positions, the agencies are diminishing the reliability of the information they need to improve workforce planning.

The act also required agencies to identify work roles of critical need by April 2019. To aid agencies with identifying their critical needs, the Office of Personnel Management (OPM) developed guidance and required agencies to provide a preliminary report by August 2018. The 24 agencies have begun to identify critical needs and submitted a preliminary report to OPM that identified information systems security manager, IT project manager, and systems security analyst as the top three work roles of critical need. Nevertheless, until agencies accurately categorize their positions, their ability to effectively identify critical staffing needs will be impaired.

Why GAO Did This Study

A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The act requires OPM and federal agencies to take several actions related to cybersecurity workforce planning. These actions include categorizing all IT, cybersecurity, and cyber-related positions using OPM personnel codes for specific work roles, and identifying critical staffing needs.

The act contains a provision for GAO to analyze and monitor agencies' workforce planning. GAO's objectives were to (1) determine the extent to which federal agencies have assigned work roles for positions performing IT, cybersecurity, or cyber-related functions and (2) describe the steps federal agencies took to identify work roles of critical need. GAO administered a questionnaire to 24 agencies, analyzed coding data from personnel systems, and examined preliminary reports on critical needs. GAO selected six of the 24 agencies based on cybersecurity spending levels to determine the accuracy of codes assigned to a random sample of IT positions. GAO also interviewed relevant OPM and agency officials.

Recommendations

GAO is making 28 recommendations to 22 agencies to review and assign the appropriate codes to their IT, cybersecurity, and cyber-related positions. Of the 22 agencies to which GAO made recommendations, 20 agreed with the recommendations, one partially agreed, and one did not agree with one of two recommendations. GAO continues to believe that all of the recommendations are warranted.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Agriculture To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Agriculture should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate National Initiative for Cybersecurity Education (NICE) framework work role codes. (Recommendation 1)
Open

The Department of Agriculture concurred with the recommendation but as of January 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.
Department of Commerce To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Commerce should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 2)
Open

The Department of Commerce concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Defense To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should complete the identification and coding of vacant positions in the department performing IT, cybersecurity, or cyber-related functions. (Recommendation 3)
Open

The Department of Defense concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Defense To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 4)
Open

The Department of Defense concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Education To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Education should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 5)
Closed - Implemented

The Department of Education concurred with the recommendation. In fiscal year 2020, we verified that Education, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, Education has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need.
Department of Energy To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Energy should complete the identification and coding of vacant positions in the department performing IT, cybersecurity, or cyber-related functions. (Recommendation 6)
Open

The Department of Energy concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Energy To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Energy should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 7)
Closed - Implemented

The Department of Energy (Energy) concurred with the recommendation. In fiscal year 2019, we verified that Energy, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Energy has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Department of Health and Human Services To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Health and Human Services should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 8)
Open

The Department of Health and Human Services concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Homeland Security To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Homeland Security should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 9)
Open

The Department of Homeland Security concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Housing and Urban Development To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Housing and Urban Development should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 10)
Open

The Department of Housing and Urban Development concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of the Interior To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Interior should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 11)
Closed - Implemented

The Department of the Interior concurred with our recommendation. In fiscal year 2019, we verified that Interior, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Interior has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Department of Justice To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Attorney General should complete the identification and coding of vacant positions in the Department of Justice performing IT, cybersecurity, or cyber-related functions. (Recommendation 12)
Closed - Implemented

The Department of Justice concurred with the recommendation. In fiscal year 2020, we verified that Justice, in response to our recommendation, had completed the identification and coding of vacant positions performing IT, cybersecurity, or cyber-related functions. As a result, the department has greater assurance that it will be able to accurately identify work roles of critical need and improve workforce planning.
Department of Justice To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Attorney General should take steps to review the assignment of the "000" code to any positions in the Department of Justice in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 13)
Closed - Implemented

The Department of Justice concurred with the recommendation. In fiscal year 2020, we verified that Justice, in response to our recommendation, had reviewed the assignment of the "000" code to its positions in the 2210 IT management occupational series and had assigned appropriate NICE framework work roles to those positions. As a result, Justice has ensured that its workforce data are significantly more reliable, improving its ability to identify cybersecurity work roles of critical need.
Department of Labor To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Labor should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 14)
Closed - Implemented

The Department of Labor (Labor) concurred with the recommendation. In fiscal year 2019, we verified that Labor, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, Labor has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Department of State To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of State should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 15)
Open

The Department of State concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Transportation To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Transportation should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 16)
Open

The Department of Transportation concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of the Treasury To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Treasury should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 17)
Open

The Department of the Treasury partially concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Department of Veterans Affairs To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Veterans Affairs should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE work role codes. (Recommendation 18)
Open

The Department of Veterans Affairs concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Environmental Protection Agency To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should complete the identification and coding of vacant positions in the agency performing IT, cybersecurity, or cyber-related functions. (Recommendation 19)
Open

The Environmental Protection Agency concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Environmental Protection Agency To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should take steps to review the assignment of the "000" code to any positions in the agency in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 20)
Open

The Environmental Protection Agency concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
General Services Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the General Services Administration should complete the identification and coding of vacant positions at GSA performing IT, cybersecurity, or cyber-related functions. (Recommendation 21)
Open

The General Services Administration concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
General Services Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the General Services Administration should take steps to review the assignment of the "000" code to any positions at GSA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 22)
Closed - Implemented

The General Services Administration (GSA) concurred with the recommendation. In fiscal year 2019, we verified that GSA, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, GSA has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
National Aeronautics and Space Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should complete the identification and coding of vacant positions at NASA performing IT, cybersecurity, or cyber-related functions. (Recommendation 23)
Open

The National Aeronautics and Space Administration did not concur with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
National Aeronautics and Space Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should take steps to review the assignment of the "000" code to any positions at NASA in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 24)
Open

The National Aeronautics and Space Administration concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Nuclear Regulatory Commission To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Chairman of the Nuclear Regulatory Commission should take steps to review the assignment of the "000" code to any positions at NRC in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 25)
Closed - Implemented

The Nuclear Regulatory Commission (NRC) concurred with the recommendation. In fiscal year 2019, we verified that NRC, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, NRC has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Office of Personnel Management To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Director of the Office of Personnel Management should take steps to review the assignment of the "000" code to any positions at OPM in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 26)
Closed - Implemented

The Office of Personnel Management (OPM) concurred with the recommendation. In fiscal year 2019, we verified that OPM, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, OPM has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
Small Business Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Small Business Administration should take steps to review the assignment of the "000" code to any positions at SBA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 27)
Open

The Small Business Administration concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Social Security Administration To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Commissioner of the Social Security Administration should take steps to review the assignment of the "000" code to any positions at SSA in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 28)
Closed - Implemented

The Social Security Administration (SSA) concurred with the recommendation. In fiscal year 2019, we verified that SSA, in response to our recommendation, reviewed and assigned appropriate cybersecurity codes to information technology management positions. As a result, SSA has greater assurance that it has reliable information on its cybersecurity workforce to serve as a basis for improved workforce planning.
