Skip to main content

Cybersecurity Workforce: National Initiative Needs to Better Assess Its Performance

GAO-23-105945 Published: Jul 27, 2023. Publicly Released: Jul 27, 2023.
Jump To:

Fast Facts

The National Institute of Standards and Technology leads a national initiative to help agencies and private sector organizations strengthen their cybersecurity workforces.

NIST has documented the skills needed for a cybersecurity workforce; set up collaborative, public-private groups to build a cybersecurity community; and held meetings and conferences to share information.

Having a well-trained cybersecurity workforce is a key government priority. So, it's important that NIST use objective, concrete data to assess and measure the initiative's progress toward its goals.

Our recommendations would help NIST better evaluate its initiative.

Photo showing two people working side by side. We only see their hands. One is typing on a laptop. The other is pointing to a desktop computer screen.

Skip to Highlights

Highlights

What GAO Found

The National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program has taken steps to strengthen the cybersecurity workforce. For example:

  • The program established an inventory or “framework” of necessary skills and work roles associated with cybersecurity and expanded it with stakeholder input.
  • The program formed public and private collaborations to connect the cybersecurity community and promote cybersecurity training and education. This included working groups and communities of interest run in part by volunteers. These groups created projects based on one of the NICE program's strategic goals or the needs of a specific cybersecurity community.
  • The program holds periodic webinars, quarterly forums, and multiple annual conferences to share information on cybersecurity issues.

In focus group discussions with program volunteers from industry, academia, and government, participants cited what they regarded as successes, including robust community benefits. However, some participants noted challenges with the program, such as an unclear scope.

NIST's process for assessing the NICE program included fully implementing the practice of involving stakeholders. However, other key practices for establishing a program-level performance process were not fully implemented. Specifically, of nine selected key performance assessment practices, NIST fully implemented one, partially implemented five, and did not implement three (see figure).

National Institute of Standards and Technology (NIST) Implementation of Selected Key Practices for Establishing a Program Performance Process

National Institute of Standards and Technology (NIST) Implementation of Selected Key Practices for Establishing a Program Performance Process

For example, NIST did not develop performance measures for the program. According to program officials, they relied on the program's volunteer working groups to develop such measures. However, the variability in skills and approaches of the volunteers made it too difficult to accomplish. As a result, NIST was unable to demonstrate program progress. Without reliable data to manage the NICE program's performance, NIST is not in a position to effectively and efficiently identify obstacles or opportunities to sustain and improve the initiative.

Why GAO Did This Study

A well-trained cybersecurity workforce is essential for government functioning. To bolster that workforce, NIST has developed the National Initiative for Cybersecurity Education (NICE). This program's mission is to foster more education and training through collaborative partnerships with private industry, academia, and government agencies.

GAO was asked to review the progress the NICE program is making against its stated goals and objectives. This report examines (1) the actions NIST has taken through the NICE program to strengthen the cybersecurity workforce and (2) the extent to which NIST established a process to assess the program's performance.

GAO analyzed documents related to NIST's program performance assessments and compared these to selected key performance practices identified in legislation and prior GAO work. GAO also conducted focus group interviews with active program participants about their experiences. Additionally, GAO interviewed NIST officials responsible for the program.

Recommendations

GAO is making eight recommendations to NIST to fully develop goals and performance measures, assess the program's environment and identify strategies, track reliable information and report to stakeholders on results, and use data to assess progress and identify improvement opportunities. The Department of Commerce agreed with the recommendations and suggested wording revisions, which GAO incorporated as appropriate.

Recommendations for Executive Action

Agency Affected Recommendation Status
National Institute of Standards and Technology The Director of NIST should ensure that the Director of NICE develops a program performance plan with goals that are measurable. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology The Director of NIST should ensure that the Director of NICE updates the program's environmental scan documentation to include an assessment of how the outcomes and impacts of the identified programs, projects, and initiatives may affect the program's achievement of its performance plan and the strategic plan goals. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology The Director of NIST should ensure that the Director of NICE assesses and justifies the resources that the program requires to achieve its performance plan and the strategic plan goals. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology The Director of NIST should ensure that the Director of NICE establishes performance measures with a plan to collect the data needed to assess progress toward each performance goal. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology The Director of NIST should ensure that the Director of NICE regularly collects program performance information that is measurable, timely, accurate, and useful. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology The Director of NIST should ensure the Director of NICE reports measurable program performance information to stakeholders. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology The Director of NIST should ensure that the Director of NICE assesses progress toward achieving program performance goals with measurable performance information. (Recommendation 7)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology The Director of NIST should ensure that the Director of NICE uses performance information to manage the program, including to identify opportunities to improve program results, as appropriate. (Recommendation 8)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Full Report

Office of Public Affairs

Topics

CybersecurityEducational standardsHuman capital managementIT trainingLabor forcePerformance goalsPerformance managementPerformance measurementPerformance plansWorkforce development