FCC misses E-rate deadline for school, library Internet upgrades

The Federal Communications Commission has missed its own deadline to funnel money into schools that need wireless and Internet upgrades as part of the federal E-rate program, which offers high-speed broadband discounts in schools and libraries.

The Universal Service Administrative Company, an independent arm of the FCC that tracks E-rate filings, originally set a deadline for Sept. 1 to get the funds — around $3.9 billion — to schools across the country so they can start installing access points and performing other work this school year. But the deadline has now been moved to Sept. 24, according to Funds for Learning, which helps schools navigate the process.

“Getting the funds out as quickly as possible is very important,” John Harrington, CEO of Funds for Learning, told FedScoop in an interview. “The sooner they can get the money committed to the schools, the sooner [the schools] can move forward with getting wireless access points installed.”

As of July 31, funding commitments for this school year totaled more than $930 million, according to USAC. There were roughly 26,000 applicants.

Harrington said in previous years, the FCC did not have a hard deadline to transfer money to schools — and sometimes the process would stretch out for a year or more, which meant schools did not have Internet access and upgrades they needed. Many times, schools would resubmit bids the next year for the same project.

The FCC changed its process and set a goal for money to switch hands early in the school year after analyses showed that schools would use the money more wisely if it came in a timely manner.

“There was a very strong correlation, if a funding commitment was issued in a few months, it got utilized,” Harrington said. “But once you got past that, the rate went down.”

School technology officers and administrators also have to deal with a new system through which to request funds for the 2016-17 academic year, which is becoming a burden for some, Harrington said.

“Only a third of applicants have been able to get signed up into system so far, so there are some startup challenges associated with this,” he said. “It’s an ‘off-the-shelf’ system they adopted to get it up and running quickly.”

As part of a “data cleanup” effort to provide more transparency of funding streams, applicants can follow and keep track of their yearly requests online, and applicants will be able to compare prices for similar services, which will help fuel more competition among providers.

“This effort will have no effect on the pace of funding decisions,” officials wrote of the new system. “Cleaning up the existing data — and working to supply accurate data going forward — will clearly have benefits for all applicants.”

For the current application window, the FCC granted 21 appeals and waivers and denied 36 appeals made by schools that missed deadlines or filed the forms incorrectly.

Successful appeals and waiver requests were granted if schools encountered unforeseen circumstances beyond their control. Appeals were denied if invoices were not submitted on time, or if there were clerical errors.

This year marked the first time funding was available for hardware purchases and wireless access points since 2012. E-rate was overhauled this year after the FCC approved a $1.5 billion annual funding increase for the program, raising the spending cap from $2 billion to about $4 billion.

Reach the reporter at corinne.lestch@fedscoop.com or follow her on Twitter @clestch.

Jason Matheny named IARPA director

Jason Matheny has been named director of the Intelligence Advanced Research Projects Activity, according a release from the Office of the Director of National Intelligence.

Matheny had been serving as director of IARPA’s new Office for Anticipating Surprise, overseeing research efforts to develop new capabilities for a range of events relevant to national security. He was also overseeing three IARPA programs: the Open Source Indicators (OSI) program, Foresight and Understanding from Scientific Exposition (FUSE) and Forecasting Science and Technology (ForeST).

Matheny joined IARPA in 2009, when he started off helping grow programs related to forecasting geopolitical events. He helped create SciCast, the world’s largest science and technology forecasting tournament, which was run in partnership with George Mason University.

Before joining IARPA, Matheny worked at Oxford University, Princeton University, the World Bank, the Center for Biosecurity and the Applied Physics Laboratory, and he is the co-founder of two biotechnology companies.

“Jason brings a wealth of knowledge and experience to the position and I’m confident that he will continue to maintain the high bar for technical excellence and relevance to our Intelligence Community mission,” Director of National Intelligence James Clapper said in a statement. “I look forward to him continuing to work closely with partners throughout the national security community to bring to bear our future capabilities.”

IARPA is known for high-risk, high-payoff research that looks to leverage forecasts or predictions to provide the country with a technological edge over adversaries. (We’ve written about some of their more recent projects and challenges.)

Matheny takes over for Peter Highnam, who left IARPA in July to run the National Geospatial Intelligence Agency’s InnoVision program.

Modular IT: Making the government a better customer

In June 2012, the White House issued guidance intended to make the U.S. government a better customer of information technology. This came in part from a document, Contracting Guidance to Support Modular Development. It showed the government’s attempt to encourage and embrace a variety of commercial industry trends that were yielding better results for IT investments.

Among the practices encouraged by the White House was agile, the collaborative and iterative development methodology that’s been adopted in private sector for some time. The guide also encouraged modularization. In part, that means acquiring and/or engineering software with reuse in mind and as a driving consideration. That can mean being ever conscious of the “build vs. buy” decision, with greater emphasis on the search for what is available before building. It also means, if “build” is the choice, to build and deliver IT investments based on modular frameworks that can be developed, delivered and tested in smaller chunks than has previously been the norm in government projects.

Taking agile to a higher level

The federal government guide references commonly available project-level information focused on execution of projects. It also applies that guidance to a higher program level, where it discusses how to structure acquisitions so that they benefit from agile and modular methodologies. The guide suggests improvements in the contract award structure, such as breaking large contract awards into a series of smaller ones, allowing acceptance criteria to be applied earlier in the process, with payment more solidly tied to success criteria.

One size does not fit all

Over the years, the Department of Defense, as an example, seems to have swung between extremes of strictly prescriptive versus only informative guidance regarding contract acquisition. The government’s attempts to be prescriptive were intended to promote best practices and avoid repeat failures of the worst kind, such as lack of using version control systems in software development.

A challenge with being prescriptive is that it assumes that “one size fits all” with respect to what is being prescribed. Best practices aren’t static. They evolve quickly over the years, far more so than federal government guidance information. The prescriptive and specific nature of earlier government contract guides might help bad vendors avoid the most obvious pitfalls — but it doesn’t make them good. Meanwhile, being prescriptive can stifle innovation of better vendors that have evolved their own practices to a state more mature than the government would prescribe (enter waivers).

The 2012 guidance information reflects a more intelligent and balanced approach. The guide discusses various factors, methodologies, contract styles and acquisition approaches that might previously have been prescribed by a contract. But it now does so in a way that is more amenable to interpretation. That approach strikes a balance between promoting and institutionalizing good practices while not falling prey to the illusion that good guidance can fix a bad vendor, the kind that contributes to boondoggles. The wording promotes awareness and taking advantage of new and emerging technologies and trends as part of acquiring IT.

Shenanigan reduction

In addition to guidelines related to modularization and agility, the guide discusses considerations to avoid contract situations that shift undue risk to the government customer or that give unfair advantage to particular vendors in competitive situations. For example, the guide suggests that a vendor helping develop requirements for IT acquisitions tries to avoid writing requirements in a way that unfairly drives business to that vendor.

Reading between the lines, one might read into the guidance information a set of war stories of a once-bitten, twice-shy customer. The hope is that better awareness will make the government customer wiser.

Continuing the theme of avoiding a once-size-fits-all mentality, the 2012 guide also discusses improving how the government leverages competition among vendors to benefit the taxpayer. It recognizes both the value of competition and the costs of arranging for competition. Delivering actual taxpayer benefits from competitive bidding remains a challenge for the government.

What’s missing? Security!

Other than referencing the Information Security Office in the User Acceptance Testing section of a sample Performance Work Session in the appendix, the guide does not promote security considerations. In an age of growing cyber warfare and potentially cyber terrorism, it seems that guidance discussing the acquisition of IT investments should at least reference security in a meaningful way. Security represents a risk to those investments that needs to be better understood.

Clearly, the security needs of various government agencies differ, and specific guidance on IT security comes from other government sources as well. But perhaps the next update of contract guides will include a discussion on the degree of security necessary in various contexts and stress its growing visibility and general importance.

So, is it working?

Three years later, it appears that at least some of the guidance is indeed having a beneficial impact. Although the information available to this author is related to only some government contract situations, some government agencies are clearly being smarter about purchasing IT services and working with IT vendors to manage projects according to modern, modular, and Agile tenets.

Changing the large-scale IT purchasing behaviors of so many government agencies takes time. In my work with both government agencies and vendors since mid-2012, there are clear signs that both government customers and vendors are focused on making better IT investments for at least some government agencies.

C. Thomas Tyler is a senior consultant at Perforce Software.

New VA CIO orders formation of cybersecurity strategy team

In one of her first official actions since assuming the duties of chief information officer at the Department of Veterans Affairs on July 6, LaVerne Council has ordered the formation of an Enterprise Cybersecurity Strategy Team and tasked them to deliver a strategy to Congress by mid-September.

“We have an aggressive schedule and we are focused on delivering this strategy to Congress within the next 45 days,” Council wrote in a July 31 email obtained by FedScoop.

The ECST comprises leaders, subject matter experts and support staff from different parts of VA’s Office of Information and Technology. The team is led by Susan McHugh-Polley and work has already commenced, according to Council.

The team’s scope includes management of current projects, such as the Continuous Readiness in Information Security Program as well as development and review of VA’s cybersecurity requirements and operations holistically — from desktop to software to network protection. The ECST is also coordinating its efforts with the Department of Homeland Security, the Government Accountability Office and the VA’s Office of the Inspector General.

“The ECST team members are working with their colleagues and managers to determine who will address their normal daily responsibilities while they focus on the cyber security mission,” Council said. “Please offer your support. We can no longer perform in an environment where we do not have the proper controls, processes and management to ensure that our technology data and environment are as secure as possible.”

McHugh-Polley joined VA in 2014 as the executive director for field operations for service delivery and engineering, which directs all operational and maintenance activities associated with VA’s IT environment. Prior to joining VA, McHugh-Polley served as the director of the operations division for U.S. Immigration and Customs Enforcement at the Department of Homeland Security.

Private task force calls for bold action on federal cybersecurity

If the federal government wants to make real progress on cybersecurity, it will need to make the sense of urgency seen in the recent 30-day cybersecurity sprint a standard component of agency operations moving forward and fundamentally rethink existing lines of responsibility and accountability, according to recommendations released Monday by a major industry group task force.

In a letter to acting Office of Personnel Management Director Beth Cobert, U.S. Chief Information Officer Tony Scott and White House Cybersecurity Coordinator Michael Daniel, members of the Information Technology Industry Council’s IT Alliance for Public Sector urged the federal government to “boldly act to alter the overall culture and approach the federal government currently uses to address cyber threats.”

The recommendations come in response to massive cybersecurity failures that led to the theft of background investigations on more than 21.5 million current and former federal employees at OPM. Although the White House has reported progress in the aftermath of the 30-day cybersecurity sprint ordered by Scott, the task force of technology and security experts from 20 leading IT companies said without bold action across the entire government enterprise the problems that led to the OPM breach and other incidents will persist.

“In the remaining time for this administration, the federal government must execute a series of initiatives and reforms to rapidly and comprehensively secure federal networks and data, urgently declaring our nation’s networks a national priority,” the ITIC report states.

Among the most disruptive and controversial recommendations is a call to alter the existing lines of responsibility and accountability in federal cybersecurity and create a central position to oversee governmentwide security policy and spending — something Scott said in a recent interview with FedScoop that he did not favor.

“The federal government too often has vague lines of responsibility and accountability. Understanding how business establishes clear lines of responsibility and whom to hold accountable in a cyber crisis would be beneficial to establishing better cybersecurity accountability in the federal government,” the task force report states. “The current lines of responsibility and accountability are not getting the desired results across the federal government as demonstrated through recent incidences occurring at federal agencies. Exact lines are blurred and in some cases may even present a potential conflict of interest, such as the [chief information security officer] reporting to the CIO.”

The ITIC task force recommends that the federal government escalate security from merely an IT concern to a business risk concern. And to do that, it suggests creating what would effectively become a chief information security officer for the entire government. “For example, make permanent a central Administration role with appropriate authorities and budgetary controls to direct and oversee cyber activities across the government, including leadership of a cybersecurity ‘council’ for interagency coordination; separate agency CISO functions from CIO functions; establish a mechanism to escalate agency CISO security concerns directly to the department and agency head or central cyber function for adjudication as appropriate.”

“Now more than ever information and technology are critical to how the government functions and cybersecurity can no longer be viewed as an isolated issue. It should be a top priority government wide,” Trey Hodgkins, ITIC’s senior vice president for the public sector, said in a statement.

The recently completed federal cybersecurity sprint manifests the sense of urgency that should be core to the cybersecurity culture and approach going forward, the task force argued.

“The government must move boldly with speed, transparency in action, unity of effort, and clarity in purpose,” the report states. “While these efforts should result in immediate enhancements, they will also set the foundation for the government’s future efforts. Most importantly these efforts will begin the long process of restoring the American people’s trust in the ability of the federal government to protect its networks and the information that resides in and transits those networks.”

Read the ITIC recommendations here (PDF).

Beleaguered patent office telework program gets high marks in independent report

The U.S. Patent and Trademark Office’s now-controversial telework program received a mostly positive appraisal in a highly anticipated independent review requested by the agency.

Overall, the National Academy of Public Administration report recommended the agency continue to offer its telework programs while it works to strengthen the tools it uses and its management practices.

“The Panel determined that the telework program has provided important benefits to the USPTO, including saving money, enhancing employee quality of life, potentially increasing recruitment and retention, and ensuring on-going work during emergencies,” according to the report.

After reports of time fraud within the office’s award-winning telework program last summer, the office has pressed to restore the program’s reputation. Patent office officials, testifying at hearings last year and early this year, have touted the National Academy of Public Administration investigation as one effort to root out weaknesses in the program.

In the report, authors said they found “no differences between the teleworkers and non-teleworkers in their performance and conduct.” It also found that its teleworking policies were in line with those in the public and private sector — though it noted that most organizations view teleworking as a privilege, while the patent office has telework eligibly criteria built into its union agreement.

Despite the mostly positive findings, authors recommended that the office focus on improving the quality of the patents it issues.

“Patent quality needs further examination. The current system stresses quantitative production over quality,” according to the report. Authors recommended the office continue to work on its patent quality initiative that launched earlier this year.

The academy brought together a panel of five fellows to develop the report. They spent nine months reaching out to patent office staffers and senior officials. They also surveyed patent examiner supervisors on whether recent training and policy improvements have been beneficial.

The National Academy of Public Administration told FedScoop in December that it planned to release the report in May, however the report wasn’t published until Friday.

“[T]his report was (1) a large undertaking and (2) the Academy’s top priority was to ensure that the review was as thorough as possible, and that the findings and recommendations were as comprehensive as possible,” said Joe Mitchell, NAPA’s director of project development, in an email. “As a result, the work took a little longer than initially anticipated, but we believe that the final report is well-researched, comprehensive, and insightful.”

The report’s more than 30 recommendations include:

• Continue to review the procedures with supervisors to ensure that they are using available timekeeping and attendance tools.
• Offer refresher training on time and attendance management guidance.
• Establish separate probationary/conditional periods for beginning full-time teleworkers.
• Require teleworkers to re-sign their teleworking agreements every two years to acknowledge they accept current policies and procedures.

The Commerce Department’s Office of Inspector General, which acts as a watchdog for the patent office, said it was “pleased that USPTO reached out to the academy to assess its process for time and attendance, and we are currently reviewing the report.”

At the same time, the patent office is applauding the findings of the report.

“We are pleased that the report clearly affirms the strong business value and efficient operation of the agency’s telework programs, confirms the soundness of the agency’s time and attendance controls in place, and offers a number of recommendations by which the telework programs (although described by the report to already be an example of best practices in the public and private sector) could potentially continue to improve even further,” USPTO Chief Communications Officer Todd Elmer said in a statement.

Like 18F, but for Commerce: Introducing the Commerce Data Corps

Commerce Department Chief Data Officer Ian Kalin likes what the General Services Administration’s 18F office is doing so much, he’s stealing the idea.

Kalin announced Thursday the formation of the Commerce Data Corps, a group housed inside the Commerce Department that will be deployed to help its agencies rapidly create and develop projects to achieve their mission.

“I’m so inspired by the accomplishments, success, the spirit and initiative from 18F, the Presidential Innovation Fellows, the U.S. Digital Service, that when I came in as the new chief data officer, I took those experiences and they fueled my own perception of opportunities within my own department to improve the diverse missions and objections of the 12 bureaus in this holding company that we call the Commerce Department,” said Kalin during a Commerce Data Advisory Committee meeting in Santa Clara, California.

The to-be-assembled team will operate under a shared services model and be deployed within the department as problems or needs arise.

“The values to the bureaus will be that we will deliver experts to integrate with their teams to help them accomplish their goals on the projects they are already working on,” he said. “You’re not just going to get a genius, an enthusiastic expert. You are going to get a very clear return on investment.”

That investment is a crucial part of what Kalin wants this group to accomplish. He pressed that this corps will be operate like a startup within the agency, figuring out ways to stem the costs of bloated IT projects.

“We are mitigating otherwise inefficient IT procurements and saving at least $10 for every $1 [a bureau] spends on these new experts and shared service,” he said. “This is going to transform so much of the way the Department of Commerce does business.”

Kalin is creating the corps with a $3 million budget from Commerce and the ability to recruit talent from the pipelines created by the 18F and U.S. Digital Service. (U.S. Digital Service has a stack of resumes in the “low thousands,” FedScoop wrote earlier Friday.)

“We’re hunting and farming for the world’s greatest talent to do this type of work,” he said.

To start this type of work, Kalin announced two new hires: Tyrone Grandison will be the department’s deputy chief data officer while Jeff Chen will become the department’s chief data scientist. Both are currently Presidential Innovation Fellows, serving at the Census Bureau and NASA respectively.

Kalin hopes that those who work for the corps do not consider it a short-term gig. He hopes the progress that comes from the corps sets standards for work within the agency that last for decades.

“The hope is that this becomes the standard way that people build data products,” Kalin said. “The next people who are going down the digital path, they should be asking, ‘Have we made sure that folks are taking a look at this’ or ‘have we ensured that we are doing it the Data Corps way.’ That is a measure of success beyond the return on investment, to ensure that we can, like any other startup, grow and can continue to thrive and become an institution itself within this historical institution.”

Watch Kalin talk more about the Commerce Data Corps during the Commerce Data Advisory Council meeting.

White House: ‘Significant progress’ made on user authentication during sprint

A number of federal agencies have greatly increased their use of strong authentication measures for network users in the wake of the Obama administration’s 30-Day Cybersecurity Sprint.

According to a blog post by U.S. Chief Information Officer Tony Scott, “significant progress” has been made in increasing the use of personal identity verification cards or other forms of strong authentication at federal civilian agencies.

According to Scott, there has been a 30 percent increase (from 42 to 72 percent) in the use of authentication for privileged and unprivileged users. Privileged users saw a 40 percent jump (from 33 to 75 percent) since agencies last reported their quarterly data on Performance.gov.

Thirteen agencies, including the departments of Transportation, Veterans Affairs and the Interior, now also have deployed strong authentication for 95 percent of privileged users.

Tightening user privileges was one of the key directives of the cybersecurity sprint, issued in the wake of the hack at the Office of Personnel Management that saw data stolen on more than 22 million current and federal employees, and federal background check investigation applicants.

Scott wrote in the blog post that a team of 100 experts from across the government and private industry are now leading a review of the information gathered from the sprint, using their findings to craft the federal Cybersecurity Sprint Strategy and Implementation Plan. The plan will be released in the coming months.

“While these statistics are just a few examples of a marked improvement in identifying and closing the gaps in the Federal cyber infrastructure, we still have more work to do,” Scott wrote. “Malicious actors aren’t slowing down. As their efforts become more sophisticated, frequent, and impactful, so must ours. Although the sprint may have come to a conclusion, it is only one leg of a marathon to build upon progress made, identify challenges and continuously strengthen our defenses.”

Scott also calls on Congress to help the government meet its cybersecurity needs, mainly by lifting sequestration and passing legislation. The Senate has been weighing whether to take up the Cybersecurity Information Sharing Act, which could see a vote as early as next week or as late as the fall.

“Let me be clear: there are no one-shot silver bullets,” Scott wrote. “Cyber threats cannot be eliminated entirely, but they can be managed much more effectively. We can best do this by aligning and focusing our efforts, by properly funding necessary cyber investments, by building strong partnerships across government and industry and by drawing on the best ideas and talent from across the country to tackle this quintessential problem of the 21st century.”

Read the full blog on the White House’s website.

Why FDA’s new CIO is focusing on mobility

Standing in a vegetable processing plant in California last week, the Food and Drug Administration’s new chief information officer caught a glimpse of why his agency needs to focus on mobility.

While trying to take a photo for her report, an FDA inspector placed her notebook between her knees, only to drop it seconds later into a pool of chlorine while juggling her camera. Todd Simpson watched as the inspector struggled to wipe off her notes through her plastic gloves. All in a frigid facility that had been causing the ink on the inspector’s pen to freeze as she jotted down notes.

“I’m watching this and I’m thinking — wow, all this cumbersome activity and all this time we’re spending doing business on paper is fixable,” he told FedScoop.

What that inspector needed, Simpson said, was a tablet with applications that can gather all her notes and pictures, and automatically beam it into the agency’s systems. He’s aiming to have field inspectors pilot such devices within 12 to 15 months.

It’s part of a larger strategic IT plan Simpson is soon publishing to improve the systems of the 20,000-person agency. Simpson, who came to the job in May by way of the Department of Transportation where he served as an associate chief information officer, said he wants to make FDA the leader in government IT.

But FDA’s focus on mobility isn’t new. Walter Harris, the chief operations officer who served as the agency’s acting CIO, told FedScoop earlier this year that it could cut weeks off the time needed to conduct inspections. In his acting role, Harris already debuted an e-filing pilot to digitize prior inspection records that FDA workers could access in the field. Currently, inspection reports are submitted and stored on paper.

“They actually cut out an entire file room of real estate and made it digital,” Simpson said of the pilot. He plans to employ it across the agency.

David Dyjack, executive director of the National Environmental Health Association, an organization that represents public health practitioners, like local public health department workers, supported efforts to digitize and automate inspections.

“To be able to automate the inspection system would be helpful in most jurisdictions,” Dyjack said. Automation, he said, held the potential to make processes more efficient.

Also part of the mobility strategy are plans to start up a “choose your own device” program. The agency’s tech gurus will identify three to five phones that conform to existing user requirements and couple them with mobile device management technology, Simpson said. The agency has plans to roll out that program as early as September.

But the three- to five-year strategic plan encompasses a range of initiatives, like refining how well the IT office is satisfying the needs of the workers in the agency, improving workflow processes, getting into the cloud using a hybrid model, and conducting a rationalization exercise for data and software to make sure the agency isn’t duplicating its own efforts.

The agency is also restructuring its IT staff. Simpson brought on Farhan Khan, who he has worked with in past positions at the Justice Department, as the new chief technology officer. And the FDA has plans to hire a chief data officer.

At the same time, Simpson is diving into scientific computing, making sure that FDA workers have access to the high-tech resources they need to do their work.

“Twenty year ago, you’d go into a lab and see a microscope on the desk. Today you go into a lab and everything’s got Ethernet plugged into it,” he said.

The federal government has been slow to move into the realm of supporting a complicated device that has an IP address, Simpson said. He added that he must balance the need to keep the systems secure with making sure researchers have access to the technology they need.

“I don’t think there’s ever been a situation in my entire career where meeting the requirements of business and keeping the business secure have been at such an intersection point,” he said.

The Food and Drug Administration had been without a permanent CIO for more than two years by the time Simpson came on board, and before that, the job had a high turnover. But Simpson said the agency has more progressive systems than other federal agencies he’s seen. It’s well positioned, he thinks, to be the IT leader in government.

“We don’t have that deficit, that IT crater that needs to be filled in,” he said. “We kind of have a green field.”

Low salaries, background checks hinder FBI’s cybersecurity recruitment

The FBI’s Next Generation Cyber Initiative is facing financial roadblocks.

In the wake of FBI Director James Comey’s July 8 testimony before the Senate Select Committee on Intelligence — in which he emphasized that the agency’s ability to battle encryption has never been more critical — a report released Thursday by the FBI Office of the Inspector General indicates the bureau is failing to meet some projections in its flagship effort to bolster cybersecurity.

The NGCI was launched in 2011 on the heels of an OIG audit that addressed the FBI’s preparedness for a national cybersecurity threat. It set staunch expectations for establishing cyber superiority: Lawmakers appropriated $314 million to 1,333 new personnel to staff cyber task forces at 56 field offices around the U.S., and additional funds were devoted to developing new training programs.

Although the report acknowledged the FBI has made progress, it said the bureau has failed to meet a number of important benchmarks. It didn’t fill 52 of the 134 computer scientist positions it was authorized to create. Critically, five of the field offices did not even have one computer scientist.

The reasons for this, the report claims, are not complex: The pay doesn’t cut it.

“The recruitment and retention of cyber personnel is an ongoing challenge for the FBI … private sector entities are able to offer technically trained, cyber professionals higher salaries than the FBI can offer,” the report stated.

The report also cited the FBI’s exhaustive background check system as prohibitive for many qualified candidates.

“[T]he FBI loses a significant number of people who may be interested because of the FBI’s extensive background check process and other requirements, such as all employees must be United States citizens and must not have used marijuana in the past 3 years, and cannot have used any other illegal drug in the past 10 years,” it says.

These factors result in an exaggerated “funneling process,” where recruitment events that attract scores of applicants result in piecemeal job offers.

“[T]he process may start with a recruitment event attended by 5,000 interested candidates, [but] the inability of candidates to meet the FBI’s specific eligibility criteria reduces that number to approximately 2,000 eligible candidates,” the report reads. “Subsequently … only about 2 candidates out of such a group are actually hired by the FBI.”

In a response to the audit, Joseph M. Demarest, associate executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, defended the bureau’s efforts and assured that the FBI would continue working diligently toward arraying a fully manned cybersecurity division.

“The FBI will continue to develop creative strategies for recruiting, hiring and retaining highly skilled cyber professionals,” he said.