Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program
The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation.
- NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6
- NSF hasn't implemented a strategy to effectively manage risks and challenges, such as ensuring recipients meet their service obligation
Our recommendations address these issues. Ensuring the cybersecurity of the nation—including addressing workforce needs—is on our High Risk List.
What GAO Found
The CyberCorps® Scholarship for Service Program provides participating institutions of higher education with scholarships to students in approved IT and cybersecurity fields of study. As a condition of receiving scholarships, students are required to enter agreements to work in qualifying full-time jobs upon graduation for a period equal in length to their scholarship. See the figure below for how recipients progress through the program.
Scholarship Recipients Progress through Three Phases in the CyberCorps® Program
GAO identified 19 selected legal requirements on how National Science Foundation (NSF) and the Office of Personnel Management (OPM) are to manage the program. GAO found that NSF and OPM fully complied with 13 of the requirements and partially complied with six. The partially complied with requirements include the following:
- Scholarship recipients are required to provide OPM with annual verifiable documentation of post-award employment. OPM officials acknowledge that recipients provide verifiable employment documentation and up-to-date contact information only at the beginning and end of the service commitment period, rather than annually as required by law.
- NSF is required to periodically report on program performance, including how long scholarship recipients stay in the positions they enter after graduation. OPM attempts to answer this by surveying recipients. However, recipient response rates ranging from 32 to 50 percent do not yield reliable and complete results.
NSF did not implement a risk management strategy and process to effectively identify, analyze, mitigate, and report on program risks and challenges. Absent such a strategy, NSF is not in a position to mitigate the adverse effects of risk events that do occur, which could negatively impact the accomplishment of program goals.
Why GAO Did This Study
GAO has previously reported that federal agencies faced challenges in ensuring that they have an effective cybersecurity workforce. What is now known as the CyberCorps® Scholarship for Service Program—operated by NSF in conjunction with OPM and the Department of Homeland Security (DHS)—was established in 2000 to increase the supply of new government cybersecurity employees. Since its inception, NSF reports that the program has awarded about $621 million in scholarships to over 4,707 recipients.
GAO was asked to review the Scholarship for Service Program. GAO determined the extent to which (1) NSF and OPM are complying with program legal requirements, and (2) NSF has identified, analyzed, mitigated, and reported on program risks.
GAO assessed program documentation and processes against legal requirements and industry best practices. Further, GAO interviewed NSF, OPM, and DHS officials as well as personnel from selected institutions of higher education participating in the program.
GAO is making three recommendations to NSF and two to OPM to comply with legal requirements and implement a risk management strategy. Both agencies agreed with GAO's recommendations.
The status of these recommendations is tracked in this table.