Cybersecurity Workforce:

Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill Requirements

GAO-18-175: Published: Feb 6, 2018. Publicly Released: Feb 6, 2018.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Christopher P. Currie
(404) 679-1875
curriec@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Homeland Security (DHS) has taken actions to identify, categorize, and assign employment codes to its cybersecurity positions, as required by the Homeland Security Cybersecurity Workforce Assessment Act of 2014; however, its actions have not been timely and complete. For example, DHS did not establish timely and complete procedures to identify, categorize, and code its cybersecurity position vacancies and responsibilities. Further, DHS has not yet completed its efforts to identify all of the department's cybersecurity positions and accurately assign codes to all filled and vacant cybersecurity positions. In August 2017, DHS reported to the Congress that it had coded 95 percent of the department's identified cybersecurity positions. However, GAO's analysis determined that the department had, at that time, coded approximately 79 percent of the positions. DHS's 95 percent estimate was overstated primarily because it excluded vacant positions, even though the act required DHS to report these positions.

In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to the Congress on its department-wide cybersecurity critical needs that align with specialty areas. The department also has not reported annually its cybersecurity critical needs to the Office of Personnel Management (OPM), as required, and has not developed plans with clearly defined time frames for doing so. (See table).

The Department of Homeland Security's Progress in Implementing Requirements of the Homeland Security Cybersecurity Workforce Assessment Act of 2014, as of December 2017

| Required activity | Due date | Completion date |
|---|---|---|
| 1. Establish procedures to identify, categorize, and code cybersecurity positions. | Mar. 2015 | Apr. 2016 |
| 2. Identify all positions with cybersecurity functions and determine work category and specialty areas of each position. | Sept. 2015 | Ongoing |
| 3. Assign codes to all filled and vacant cybersecurity positions. | Sept. 2015 | Ongoing |
| 4. Identify and report critical needs in specialty areas to Congress. | Jun. 2016 | Not addressed |
| 5. Report critical needs annually to OPM. | Sept. 2016 | Not addressed |

Source: GAO analysis of DHS documentation and the Homeland Security Cybersecurity Workforce Assessment Act of 2014. | GAO-18-175

Without ensuring that its procedures are complete and that its progress in identifying and assigning codes to its positions is accurately reported, DHS will not be positioned to effectively examine its cybersecurity workforce, identify its critical skill gaps, or improve its workforce planning. Further, until DHS establishes plans and time frames for reporting on its critical needs, the department may not be able to ensure that it has the necessary cybersecurity personnel to help protect the department's and the nation's federal networks and critical infrastructure from cyber threats. The commitment of DHS's leadership to addressing these matters is essential to helping the department fulfill the act's requirements.

Why GAO Did This Study

DHS is the lead agency tasked with protecting the nation's critical infrastructure from cyber threats. The Homeland Security Cybersecurity Workforce Assessment Act of 2014 required DHS to identify, categorize, and assign employment codes to all of the department's cybersecurity workforce positions. These codes define work roles and tasks for cybersecurity specialty areas such as program management and system administration. Further, the act required DHS to identify and report its cybersecurity workforce critical needs.

The act included a provision for GAO to analyze and monitor DHS's implementation of the requirements. GAO's objectives were to assess the extent to which DHS has (1) identified, categorized, and assigned employment codes to its cybersecurity positions and (2) identified its cybersecurity workforce areas of critical need. GAO analyzed DHS and OPM workforce documentation and administered a data collection instrument to six major DHS components. GAO also interviewed relevant DHS and OPM officials.

What GAO Recommends

GAO recommends that DHS take six actions, including ensuring that its cybersecurity workforce procedures identify position vacancies and responsibilities; reported workforce data are complete and accurate; and plans for reporting on critical needs are developed. DHS concurred with our six recommendations and described actions the department plans to take to address them. OPM did not have any comments.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Chris P. Currie at (404) 679-1875 or curriec@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.

    Recommendation: The Secretary of Homeland Security should develop procedures on how to identify and code vacant cybersecurity positions. (Recommendation 1)

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.

    Recommendation: The Secretary of Homeland Security should identify the individual in each component who is responsible for leading that component's efforts in identifying and coding cybersecurity positions. (Recommendation 2)

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.

    Recommendation: The Secretary of Homeland Security should establish and implement a process to periodically review each component's procedures for identifying component cybersecurity positions and maintaining accurate coding. (Recommendation 3)

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Priority recommendation

    Comments: DHS agreed with this priority recommendation. By June 29, 2018, DHS plans to issue memorandums to its components that include instructions, guidance, and plans to address this recommendation by periodically reviewing compliance and cybersecurity workforce data concerns with component leads to ensure data accuracy. If implemented, DHS's planned actions would fully address this recommendation.

    Recommendation: The Secretary of Homeland Security should ensure the DHS Office of Chief Human Capital Officer collects complete and accurate data from its components on all filled and vacant cybersecurity positions when it conducts its cybersecurity identification and coding efforts. (Recommendation 4)

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Priority recommendation

    Comments: DHS agreed with this priority recommendation. By June 29, 2018, DHS plans to issue memorandums to its components that include instructions, guidance, and plans to address this recommendation by disseminating a reporting schedule for identifying cybersecurity critical needs. If implemented, DHS's planned actions would fully address this recommendation.

    Recommendation: The Secretary of Homeland Security should develop guidance to assist DHS components in identifying their cybersecurity work categories and specialty areas of critical need that align to the National Initiative for Cybersecurity Education framework. (Recommendation 5)

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.

    Recommendation: The Secretary of Homeland Security should develop plans with time frames to identify priority actions to report on specialty areas of critical need. (Recommendation 6)

    Agency Affected: Department of Homeland Security

 
