DHS has not completely identified, categorized or assigned employment codes to its cybersecurity positions, according to a GAO report.
The study found that although the agency had taken some steps as directed by the Homeland Security Cybersecurity Workforce Assessment Act of 2014, these actions have not been timely or complete.
GAO found that DHS had not accurately identified all its cybersecurity positions, or assigned codes to them. In August of last year, DHS reported to Congress that it had coded 95 percent of its identified cybersecurity roles, but GAO’s analysis suggests that at this time it had only actually coded 79 percent. The agency’s figure excluded vacant positions but the act directed that they should be included.
The report also found that DHS has not reported to Congress on cybersecurity critical needs that align with speciality areas, or reported its cybersecurity critical needs to the OPM as required annually.
The report concluded that these failures are preventing DHS from ensuring it has adequate cybersecurity personnel to protect the nation and federal networks from cyber threats.
GAO recommends that DHS develop procedures and establish review processes for identifying and coding cybersecurity positions. It also recommends developing guidance to assist DHS components in identifying their cybersecurity work categories and specialty areas of critical need that align to the National Initiative for Cybersecurity Education framework, and implementing plans and time frames to identify critical actions.