The Department of Homeland Security has dropped the ball in cybersecurity workforce development and without a “complete workforce assessment and strategy” is “not well positioned to carry out its critical cybersecurity functions in the face of ever-expanding cybersecurity threats,” the Office of Inspector General warned.
OIG audited DHS’ compliance with the Cybersecurity Workforce Assessment Act of 2014, which requires the department to assess its cyber staffing and come up with a strategy to fill the gaps.
There are currently about 14,000 DHS employees working in cybersecurity in some respect across at least 18 DHS components and in 96 programs. Seventy percent of the department’s cyber workforce is stationed in either the Cybersecurity and Infrastructure Security Agency (CISA), Immigration and Customs Enforcement, or the Secret Service.
“The supply of cybersecurity talent to meet the Federal Government’s increasing demand is not sufficient,” states the OIG report, citing competition with the private sector as a key hurdle to recruiting top talent. Fifty-nine percent of enterprises noted open cybersecurity positions, OIG noted, and many applicants aren’t sufficiently qualified. “Funding limitations and a lengthy hiring process also inhibit the Federal government’s hiring and retention of cybersecurity professionals. According to senior Federal IT and cybersecurity officials, they lack the money, organizational flexibility, and culture to close the workforce gap.”
OIG said DHS has missed deadlines the past four years for submitting to Congress its required Cybersecurity Workforce Assessment Act annual reports assessing the state of its cyber staffing, and left some information out of the assessments. DHS also didn’t submit a workforce development strategy to Congress from 2015 to 2018, and as of this February was still developing a strategy that had been due in December 2016.
“DHS’ lack of progress in meeting the requirements of the Act can be attributed to both external and internal factors. Numerous legislation was enacted in 2014 and 2015 that created new requirements for cybersecurity workforce planning and reporting. DHS fell behind in responding to these mandates because it did not have consistent and detailed information on its cybersecurity workforce readily available to comply with the new reporting requirements,” said the report.
Without an accurate assessment, the OIG stressed, DHS “cannot provide assurance that it has the appropriate skills, competencies, and expertise positioned across its components to address the multifaceted nature of DHS cybersecurity work” and “may not have an understanding of its future hiring or training needs to maintain a qualified and capable workforce to secure the Nation’s cyberspace.”
The assessments required of DHS are supposed to include an overall view of the department’s cyber workforce posture, a breakdown of cyber employees by location as well as how many are full-time government employees or contractors, a count of vacant positions, and information on what training was or wasn’t given to employees in specific cyber roles.
The first assessment DHS submitted, in 2016, was just three pages long. OIG said that even when DHS increased the comprehensiveness of the report to 41 pages the next year, it was still missing some required elements.
The cyber workforce strategy requirement entails that DHS include a multi-phased recruitment plan, a strategy for implementation at 5 and 10 years, a study of hurdles that have kept DHS from filling out the cyber workforce, and a plan to fill the gaps. OIG said it took a look at this year’s draft strategy and 5-year implementation plan and “found these still did not include all required elements, such as a cyber workforce projection or obstacles to hiring and developing DHS’ cybersecurity workforce.”
“DHS’ lack of progress can be attributed to the enactment of three new laws in a short timeframe that overburdened the Department’s ability to assess the readiness and capacity of its cybersecurity workforce,” the report said, citing the Border Patrol Agent Reform Act of 2014, the Cybersecurity Workforce Assessment Act, and the Federal Cybersecurity Workforce Assessment Act of 2015. “The overlapping nature of new requirements created additional work for those OCHCO personnel responsible for consolidating the associated data.”
DHS lacked the readily available data to meet the mandates, OIG said, noting that “information on the number of cybersecurity positions hired by each component, as well as the exact vacancy and attrition rates across each component was not centrally managed or readily available within DHS.”
About 35,000 federal agency information security incidents in fiscal year 2017 alone — involving threats such as hacking, phishing, and the loss or theft of computer equipment — “make it imperative that the Department intensify its efforts to retain current and recruit prospective cybersecurity employees to help manage this threat,” OIG found.
“Until DHS completes a detailed and updated workforce assessment and strategy, it cannot take steps toward ensuring it has the appropriate skills, competencies, and expertise positioned across its components to address the multifaceted nature of cybersecurity work,” the report added.
The OIG recommended that the DHS Chief Human Capital Officer “assign necessary staff resources to timely complete the required assessments and strategies regarding the DHS cyber workforce,” “establish a department-wide, coordinated approach to compiling centralized cybersecurity workforce data needed to fulfill reporting requirements in a timely manner,” and “conduct oversight of component stakeholders to ensure department-wide commitment to addressing legislative reporting and data submission requirements.”
DHS concurred with the recommendations and noted that the department has made progress and continues to implement improvements in properly assessing cyber workforce gaps.