Department of Defense components have not accurately coded jobs for their civilian cybersecurity personnel, limiting the ability to recruit and retain the targeted cybersecurity positions they most need, according to an inspector general report.
While the DOD has followed mandates to issue guidance on coding civilian cybersecurity jobs per the 2015 Federal Cybersecurity Workforce Assessment Act, the application of those codes at the component level has been inconsistent or inaccurate, the IG found in a recent audit.
“As a result, the DoD may be unable to accurately determine the skill set and size of its civilian cyber workforce,” the watchdog said in a report made public Monday. “Without coding all positions (filled and unfilled), the DoD may develop incorrect workforce planning activities, such as recruitment and retention strategies, and incorrectly report on work roles of critical need.”
The report redacted exactly how many of the DOD’s core and non-core cybersecurity positions had coding issues across the three military departments and gave no specifics on how widespread the issues are with other components in the Fourth Estate.
The IG said quality assurance measures would ensure components comply with the DOD’s cyber workforce coding guidance. Though the Army has an automated quality assurance system in place for coding civilian cybersecurity roles, the Navy and Air Force lack full systems to ensure they are meeting the goals of the Pentagon.
The IG concluded the report by recommending the DOD Office of the CIO require components to code filled and unfilled cybersecurity roles in accordance with federal requirements and conduct a feasibility study on issuing a more thorough quality assurance system for proper coding.
Acting CIO John Sherman agreed with those recommendations, clarifying that DOD has required such coding since May 2020 and that as of June 2021, all components have at least primary work roles coded into their manpower and personnel systems.
On the matter of quality assurance, Sherman said the DOD has already conducted a feasibility study on the issue, leading to the department creating a “cyber workforce common data model” on DOD’s Advana data platform to make sure coding is accurate and complete. Using Advana, Sherman said, it will give the DOD “a dashboard view of appropriately configured systems and the corresponding coded populations of filled and unfilled positions and identify systems that are not yet compliant.”
Within the report, the IG acknowledged the DOD’s greater progress taking action “to meet strategic goals for the recruitment and retention programs of its civilian cyber workforce.” Specifically, the department has ramped up use of its Cybersecurity Scholarship Program and its Cyber Information Technology Exchange Program. It has also started work developing a Cyber Aptitude Test and implementing the Cyber Excepted Service framework and enhancements.
Despite such progress, in April, Lt. Gen. Dennis Crall, CIO of the Joint Staff, told the Senate Armed Services Subcommittee on Personnel that he was “concerned about the pace” at which DOD is hiring and training cyber personnel. “I think the divide between the need is growing compared to what we’re able to fulfill. I’m not sure we’re closing the gap, and time is ticking for us to do so.”