The process federal agencies are supposed to use to categorize and account for cybersecurity workforce skills gaps has been hobbled by missed deadlines and reporting shortfalls, the Government Accountability Office has found.
The Office of Personnel Management fell behind schedule on establishing a coding structure to track the cybersecurity positions within the federal government, causing a domino effect of delays, according to a GAO report examining how agencies are complying with the Federal Cybersecurity Workforce Assessment Act of 2015.
The report also noted that the progress made by the 24 Chief Financial Officer Act agencies in analyzing their cybersecurity workforces was varied and, in some cases, analysis has been unreliable. Some agencies had not assessed the professional certifications of cybersecurity workers and others had not reported all of the information needed to establish a baseline, the report said.
“Unless those agencies address all of the activities, they may not have reasonable assurance that they are comprehensively identifying the cybersecurity workforce,” the report said. “As such, increased risk exists that the federal government will not meet its intended goal to define the cybersecurity workforce and address the critical mission needs for a qualified cybersecurity workforce.”
The Cybersecurity Workforce Assessment Act required OPM to establish a three-digit coding structure to designate cyber job roles within the federal government while working with various agency partners to define and standardize the duties of those roles.
The goal of the law is to make it easier for federal agencies to identify the talent they have, as well as any skills gaps, at a time when such personnel are in high demand.
OPM, in conjunction with the National Institute of Standards and Technology, was supposed to develop the coding structure by June 15, 2016, but delivered the first version of it five months later.
Agency officials told the GAO the delay resulted from OPM’s efforts to align the new structure with NIST’s National Initiative for Cybersecurity Education (NICE) Workforce Framework, which was required by the Cybersecurity Workforce Assessment Act.
But NIST updated the NICE framework and didn’t issue a draft version until November 2016, which OPM officials said caused the delay. NIST officials said the framework’s release was held up while the intelligence community removed sensitive designations about knowledge, skills and abilities from earlier versions.
The initial delay rippled through subsequent preparations, causing OPM to miss its deadline for issuing guidance on implementing the framework by four months and its deadline for submitting a progress report to Congress by one month.
Those delays also trickled down to federal agencies, which had to shift multiple deadlines because they did not have the procedures and guidance required to meet them.
The report also found that while most of the CFO Act agencies had conducted baseline assessments of their workforces, the departments of Homeland Security and Housing and Urban Development, as well as the Small Business Administration, had not, citing a lack of resources and tools.
Four agencies failed to report information such as “the extent to which personnel without certifications were ready to obtain them or strategies for mitigating any gaps.” Twenty-one agencies had incomplete or inconsistent information about the cybersecurity certifications of their workforces, saying they did not have the ability to collect it all.
The report notes that the NICE framework hadn’t defined industry-recognized certifications for fear of endorsing some private certifying bodies over others. While NIST is working to address the issue, certification mapping is not expected until November. Meanwhile, 75 percent of the agencies lack a requirement for cyber professionals to hold any certifications.
The report issued 30 recommendations to 13 agencies regarding certification, baseline assessment and coding issues. Most agencies concurred with the recommendations. NASA didn’t concur with one recommendation for it to evaluate preparedness for personnel without certifications.
The agency said there was not a federally established requirement for a cybersecurity employee to hold a certification and therefore, it would not establish a readiness procedure. Four agencies didn’t say if they agreed or disagreed with the recommendations.