A federal watchdog found that two government agencies in charge of reforming the federal cybersecurity workforce haven’t established dedicated teams to address challenges at a governmentwide scale.
According to an April 23 report from the Government Accountability Office, the Department of Homeland Security and the White House’s Office of Management and Budget haven’t decided which agency is in charge of several tasks relating to a reform effort of the federal cybersecurity workforce.
DHS and OMB are working on several efforts to bolster the federal cybersecurity workforce, an area where there’s a shortage of qualified candidates. Reform efforts from the White House focus on standardizing cybersecurity training for employees, increasing the mobility of cybersecurity positions, planning a cybersecurity reservist program in case of emergency, and rationalizing the size and scope of cybersecurity education efforts, among other reforms.
But according to the report, DHS and OMB are struggling to divvy up who is in charge of this effort. DHS officials told the GAO that it was OMB’s job to lead the governmentwide effort, with DHS responsible for just a “subset” of projects in the reform package.
OMB staff told GAO that DHS’ Cybersecurity and Infrastructure Security Agency as well as the Federal Chief Information Security Officer Council have “some” responsibility for federal cybersecurity workforce issues; however, OMB officials “did not clarify which organization, team, or individuals were responsible for coordinating and implementing the reform government-wide,” the GAO wrote.
“Our prior work has shown that establishing a strong and stable team that will be responsible for the transformation’s day-to-day management is important to ensuring that it receives the resources and attention needed to be successful,” the GAO wrote. “A dedicated leadership team responsible for overseeing and implementing the reform can also help ensure that various change initiatives are sequenced and implemented in a coherent and integrated way.”
The cybersecurity workforce evaluation effort is part of a larger GAO report looking at the implementation of three pieces of a June 2018 federal reform proposal from the White House.
The results of the GAO’s cybersecurity-specific sections show that DHS and OMB have partially implemented several reforms, but lack plans and metrics to monitor the status of the reforms carried out across the entirety of the federal government. The lack of planning is likely slowing reform efforts.
“Without a government-wide implementation plan to track and communicate implementation progress, OMB and DHS will be unable to determine whether the reform is achieving its intended objectives, or whether unanticipated challenges or negative workforce trends are impeding efforts to close the cybersecurity workforce gaps across the government,” the GAO wrote.
DHS has its own internal cybersecurity workforce initiative, called the Cyber Talent Management System, that aims to improve the agency’s cyber talent. DHS told GAO that it plans to hire 150 new employees into cyber jobs through the system in fiscal 2020. As of November 2019, the system was not operational, the GAO found.
DHS didn’t respond to a request seeking updated information on the Cyber Talent Management System.
DHS has implemented some internal mechanisms to track the implementation of agency-specific reforms, such as notifying Congress about progress on coding cybersecurity jobs to increase efficiency and effectiveness and on reviewing cyber workforce readiness.
According to data from CyberSeek, the public sector has more than 33,000 cybersecurity job openings. While OMB and DHS have taken steps to increase the cybersecurity workforce, the report found that the two agencies haven’t developed a strategic workforce plan to address the needs of all federal agencies.
OMB has also kicked off its own effort to improve the federal cybersecurity workforce through its cyber reskilling academy that graduated two cohorts last year. It’s been a small-scale project so far, and those who graduated have had difficulty getting hired into cybersecurity jobs because of requirements in the general schedule. In March, however, the Office of Personnel Management announced a cybersecurity detail program.
“Because this reform is focused on addressing a government-wide workforce shortage, it is particularly important that OMB and DHS complete their efforts to develop a strategic workforce plan for cybersecurity professionals that takes into account existing workforce capabilities, workforce trends, and shortages across the government,” the GAO wrote. “Without this information, DHS and OMB will not be able to determine if they are making progress or when they have addressed the government’s cybersecurity workforce shortage.”
The GAO made seven recommendations to OMB, five of which pertained to cybersecurity efforts, including establishing a leadership team to implement the reforms, creating governmentwide goals, and producing a workforce plan to tackle current and future cyber workforce challenges.
OMB didn’t provide comment to GAO about the report.