Cybersecurity Workforce: National Initiative Needs to Better Assess Its Performance
Fast Facts
The National Institute of Standards and Technology leads a national initiative to help agencies and private sector organizations strengthen their cybersecurity workforces.
NIST has documented the skills needed for a cybersecurity workforce; set up collaborative, public-private groups to build a cybersecurity community; and held meetings and conferences to share information.
Having a well-trained cybersecurity workforce is a key government priority. So, it's important that NIST use objective, concrete data to assess and measure the initiative's progress toward its goals.
Our recommendations would help NIST better evaluate its initiative.
Highlights
What GAO Found
The National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program has taken steps to strengthen the cybersecurity workforce. For example:
- The program established an inventory or “framework” of necessary skills and work roles associated with cybersecurity and expanded it with stakeholder input.
- The program formed public and private collaborations to connect the cybersecurity community and promote cybersecurity training and education. This included working groups and communities of interest run in part by volunteers. These groups created projects based on one of the NICE program's strategic goals or the needs of a specific cybersecurity community.
- The program holds periodic webinars, quarterly forums, and multiple annual conferences to share information on cybersecurity issues.
In focus group discussions with program volunteers from industry, academia, and government, participants cited what they regarded as successes, including robust community benefits. However, some participants noted challenges with the program, such as an unclear scope.
NIST's process for assessing the NICE program included fully implementing the practice of involving stakeholders. However, other key practices for establishing a program-level performance process were not fully implemented. Specifically, of nine selected key performance assessment practices, NIST fully implemented one, partially implemented five, and did not implement three (see figure).
National Institute of Standards and Technology (NIST) Implementation of Selected Key Practices for Establishing a Program Performance Process
For example, NIST did not develop performance measures for the program. According to program officials, they relied on the program's volunteer working groups to develop such measures. However, the variability in skills and approaches of the volunteers made it too difficult to accomplish. As a result, NIST was unable to demonstrate program progress. Without reliable data to manage the NICE program's performance, NIST is not in a position to effectively and efficiently identify obstacles or opportunities to sustain and improve the initiative.
Why GAO Did This Study
A well-trained cybersecurity workforce is essential for government functioning. To bolster that workforce, NIST has developed the National Initiative for Cybersecurity Education (NICE). This program's mission is to foster more education and training through collaborative partnerships with private industry, academia, and government agencies.
GAO was asked to review the progress the NICE program is making against its stated goals and objectives. This report examines (1) the actions NIST has taken through the NICE program to strengthen the cybersecurity workforce and (2) the extent to which NIST established a process to assess the program's performance.
GAO analyzed documents related to NIST's program performance assessments and compared these to selected key performance practices identified in legislation and prior GAO work. GAO also conducted focus group interviews with active program participants about their experiences. Additionally, GAO interviewed NIST officials responsible for the program.
Recommendations
GAO is making eight recommendations to NIST to fully develop goals and performance measures, assess the program's environment and identify strategies, track reliable information and report to stakeholders on results, and use data to assess progress and identify improvement opportunities. The Department of Commerce agreed with the recommendations and suggested wording revisions, which GAO incorporated as appropriate.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE develops a program performance plan with goals that are measurable. (Recommendation 1) |
The Department of Commerce concurred with the recommendation. In September 2025, the National Institute of Standards and Technology (NIST) provided a calendar year 2025 performance plan for the National Initiative for Cybersecurity Education (NICE) program that included performance goals. However, the NICE program's 2025 performance plan did not fully describe how annual performance goals were linked to strategic plan goals and the achievement of broader program outcomes, which might inhibit the program's ability to fully measure the impact of progress toward achieving short-term goals on long-term program outcomes. To fully implement this recommendation, NIST will need to provide evidence that the goals within the NICE program performance plan are linked to goals in the NICE Strategic Plan. We will follow up with NIST for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE updates the program's environmental scan documentation to include an assessment of how the outcomes and impacts of the identified programs, projects, and initiatives may affect the program's achievement of its performance plan and the strategic plan goals. (Recommendation 2) |
The Department of Commerce (Commerce) concurred with the recommendation. In December 2025, the National Institute of Standards and Technology (NIST) provided an updated environmental scan linking external programs to relevant National Initiative for Cybersecurity Education (NICE) Strategic Plan goals and objectives. However, this environmental scan did not assess the impact of programs, projects, or initiatives on the NICE program's achievement of its performance plan and strategic plan goals. To fully implement this recommendation, NIST will need to provide evidence that the Director of NICE has updated the NICE program's environmental scan documentation to include an assessment of how the outcomes and impacts of identified programs, projects, and initiatives may affect the program's achievement of its performance plan and strategic plan goals. We will follow up with NIST for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE assesses and justifies the resources that the program requires to achieve its performance plan and the strategic plan goals. (Recommendation 3) |
The Department of Commerce concurred with the recommendation. As of February 2026, the National Institute of Standards and Technology (NIST) had not provided sufficient evidence to demonstrate it has addressed this recommendation. Specifically, NIST officials did not demonstrate linkage of required resources to the achievement of performance and strategic plan goals and did not assess or justify the resources required to achieve these goals as part of documentation it provided. To fully implement this recommendation, NIST will need to provide evidence that the Director of NICE has assessed and justified the resources required by the NICE program to achieve its performance plan and strategic plan goals. We will follow up with NIST for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE establishes performance measures with a plan to collect the data needed to assess progress toward each performance goal. (Recommendation 4) |
The Department of Commerce (Commerce) concurred with the recommendation. In December 2025, the National Institute of Standards and Technology (NIST) provided dates of the program's prior planning and assessment meetings, a description of plans to hold subsequent meetings biannually, and a template to be used to track the status of National Initiative for Cybersecurity Education (NICE) program activities and actions related to success measures. However, as of February 2026, NIST had not provided evidence demonstrating how NICE program officials used or planned to use the performance tracker and meetings to collect data to assess progress toward performance goals. To fully implement this recommendation, NIST will need to provide evidence demonstrating how it plans to gather the data necessary to measure program performance relative to performance goals. We will follow up with NIST for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE regularly collects program performance information that is measurable, timely, accurate, and useful. (Recommendation 5) |
The Department of Commerce (Commerce) concurred with the recommendation. In December 2025, National Institute of Standards and Technology (NIST) officials documented that the National Initiative for Cybersecurity Education (NICE) program recorded event attendance to track trends and that it gathered feedback from community members during periodic meetings. However, as of February 2026, NIST had not yet provided sufficient evidence demonstrating that the program collected measurable, timely, accurate, and useful program performance information or specified targets or timelines for performance plan measures that would yield the collection of useful, measurable data. To fully implement this recommendation, NIST will need to provide evidence that the Director of NICE has regularly collected program performance information tied to the program performance plan that is measurable, timely, accurate, and useful. We will follow up with NIST for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| National Institute of Standards and Technology | The Director of NIST should ensure the Director of NICE reports measurable program performance information to stakeholders. (Recommendation 6) |
The Department of Commerce (Commerce) concurred with the recommendation. In December 2025, National Initiative of Standards and Technology (NIST) officials provided evidence that the National Initiative for Cybersecurity Education (NICE) has mechanisms in place to gather and report some measurable program performance information, such as council and event attendance, to community members and gathers feedback. However, NIST did not provide evidence that the NICE program fully collected measurable performance information in line with the NICE program performance plan or that all metrics noted in the NICE program performance plan specified a target or timeline. To fully implement this recommendation, NIST will need to provide evidence that the Director of NICE regularly collects program performance information tied to the program performance plan that is measurable, timely, accurate, and useful and subsequently reports it to stakeholders. We will follow up with NIST for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE assesses progress toward achieving program performance goals with measurable performance information. (Recommendation 7) |
The Department of Commerce (Commerce) concurred with the recommendation. As of February 2026, the National Institute of Standards and Technology (NIST) had not provided evidence that the National Initiative for Cybersecurity Education (NICE) program fully collected measurable performance information in line with goals in the NICE program performance plan, that the program assessed its progress toward performance goals, or that all metrics noted in the NICE program performance plan specified a target or timeline. To fully implement this recommendation, NIST will need to provide evidence that the Director of NICE regularly collects program performance information tied to the program performance plan that is measurable, timely, accurate, and useful and that it is used to assess progress toward program goals. We will follow up with NIST for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE uses performance information to manage the program, including to identify opportunities to improve program results, as appropriate. (Recommendation 8) |
The Department of Commerce (Commerce) concurred with the recommendation. As of February 2026, the National Institute of Standards and Technology (NIST) provided dates of meetings it stated are used to assess and discuss National Initiative for Cybersecurity Education (NICE) program performance. However, NIST did not provide evidence that the NICE program fully collected measurable performance information in line with goals in the NICE program performance plan, assessed its progress toward performance goals it identified, or used related performance information to manage the program and identify opportunities for improvement, either in these meetings or through other means. To fully implement this recommendation, NIST will need to provide evidence that the Director of NICE has used performance information to manage the program, including to identify opportunities to improve program results, as appropriate.
|