The Government Accountability Office (GAO) issued a report Thursday that found many Federal agencies are not entirely up to speed in classifying members of their cybersecurity workforce, although many of them have traveled well down the road toward compliance.
GAO said it issued a total of 30 recommendations to 13 agencies aimed at prodding them into compliance with the Federal Cybersecurity Workforce Assessment Act of 2015 and its provisions requiring development of a coding structure for the cyber workforce and procedures for assigning codes to Federal civilian cybersecurity positions.
Contributing to the lack of agency compliance as of March 2018, GAO said, was a slow start by the Office of Personnel Management (OPM) in issuing the coding structure and procedures to agencies. OPM, GAO said, was up to five months late in those tasks as it worked to align the structure with a draft cybersecurity workforce framework being developed by the National Institute of Standards and Technology (NIST).
“The delays in issuing the coding structure and procedures have extended the expected time frames for implementing subsequent provisions of the act,” GAO said.
As of March, 21 out of the 24 CFO Act Federal agencies had conducted and submitted to Congress “baseline assessments” covering the extent to which their cybersecurity employees held professional certifications in the field, but GAO said some of those agency reports may not be “reliable” for a variety of reasons including that agencies “had not yet fully identified all members of their cybersecurity workforces or did not have a consistent list of appropriate certifications” for cyber positions.
As a result, GAO said, agencies had “limited assurance” of the results of their baseline assessments, which “diminishes the usefulness of the assessments in determining the certification and training needs of these agencies’ cybersecurity employees.”
The three agencies that did not submit baseline assessments were the Small Business Administration (SBA), Department of Housing and Urban Development (HUD), and the Department of Homeland Security (DHS), GAO said. It added that DHS submitted a 2016 cyber workforce update document to Congress, but that this did not include a baseline assessment as called for by the 2015 law.
On the separate issue of establishing coding procedures for Federal civilian cyber positions, GAO found that 23 of 24 CFO Act agencies had put in place procedures to identify those positions and assign them appropriate employment codes, but that six agencies “only partially addressed” activities required by OPM to be part of the procedures.
The one agency that had not established coding procedures was the Department of Energy (DoE), which told GAO that “because responsibility for IT is not centralized under the department-level CIO organization (but rather, is distributed throughout the component agencies)… [the agency] had not determined who had the authority to issue coding procedures for the entire department.”
“By not establishing coding procedures, the Department of Energy faces increased risk that it will not fully identify its cybersecurity workforce or assign the appropriate employment codes to each position, limiting its ability to identify cybersecurity skills gaps or work roles of critical need,” GAO said.
According to GAO, the six agencies that only partially addressed the required activities in their coding procedures cited a variety of reasons for doing so, including reliance on existing guidance or omitting activities that their components did not have responsibility to perform, but GAO said that as a result those agencies “lack assurance that the activities will be performed or performed consistently throughout the agency.”
The six agencies cited by GAO are DoE, National Science Foundation (NSF), National Aeronautics and Space Administration (NASA), Department of Labor (DoL), Nuclear Regulatory Commission (NRC), and U.S. Agency for International Development (USAID).
The 13 agencies to which GAO gave recommendations to fully implement the law’s requirements on baseline assessments and coding procedures are:
- Department of Commerce, with one recommendation;
- Department of Defense, with two recommendations;
- Department of Education, with one recommendation;
- DoE, with two recommendations;
- DHS, with two recommendations;
- HUD, with two recommendations;
- Department of Interior, with one recommendation;
- DoL, with four recommendations;
- NASA, with two recommendations;
- NSF, with five recommendations;
- NRC, with two recommendations;
- SBA, with two recommendations; and
- USAID, with four recommendations.