Cyber contractor workforce details a mystery to most agencies, GAO finds
The vast majority of agencies do not have a handle on their cybersecurity contractor workforce, according to a new report from the Government Accountability Office that paints a broader picture of lackluster data collection on federal cyber staffing.
Per the GAO’s audit, 22 out of 23 Chief Financial Officers Act agencies reported either partial or no data on the size and costs of their contractor cyber workforce. The review, conducted from February 2024 to September 2025, did not include the Department of Defense.
The Office of Personnel Management was the lone agency that reported to GAO what it believed to be a comprehensive picture of its contractor cyber workforce, while 14 agencies submitted partial data and eight agencies had no data to report at all.
“Generally, agencies attributed their data gaps to either the lack of an agency-wide reporting mechanism or the structure of their contracts,” the GAO noted. “Agency officials stated that obtaining data on their contractor cyber workforce required an agency-wide data call or manual review.”
As of April 2024, agencies reported employing at least 63,934 federal cyber practitioners plus an additional 4,151 contractor staff, at a cost of approximately $9.3 billion and $5.2 billion, respectively. But the GAO warned that those figures were “incomplete and unreliable and do not reflect the full size and cost of the cyber workforce.”
The GAO laid much of the blame for shoddy data quality on the White House’s Office of the National Cyber Director, writing that it “has not identified steps that are needed to improve the quality of cyber workforce data used by agency-level” chief human capital officers and chief information officers.
ONCD and the Office of Management and Budget have created working groups to bolster data-informed decision making, the GAO noted, in addition to recognizing “the importance of having quality data on the cyber workforce,”
“Nonetheless, issues remain with respect to data gaps, quality assurance processes, and variances in identifying cyber personnel,” according to the watchdog, which found that 19 of the 23 agencies didn’t have a documented quality assurance process and 17 lacked uniform methods for identifying cyber workers.
The GAO delivered four recommendations to ONCD, calling on it to work with OMB and agencies on formalizing various data-collection processes and assessing the cost-effectiveness of cyber workforce initiatives. The office did not agree or disagree with the recommendations.
“Until ONCD addresses these factors, it cannot ensure that agencies will have the information needed to support workforce decisions,” the GAO concluded. “This is especially important during administration transitions when new leadership needs assurance that the federal government is prepared and cyber-ready.”
