Developing a skilled cyber workforce is imperative to the Department of Defense (DOD) achieving its offensive and defensive missions, and in 2013 it began developing Cyber Mission Force (CMF) teams to fulfill these missions. The U.S. Cyber Command (CYBERCOM) announced that the first wave of 133 such teams achieved full operational capability in May 2018. The Government Accountability Office (GAO) has assessed DOD’s current and planned state of cyber training and its March 6 publicly available report examines the extent to which DOD has trained and maintained the CMF teams.
GAO found that CYBERCOM has taken a number of steps—such as establishing consistent training standards—to develop its CMF teams. To train CMF teams rapidly, CYBERCOM used existing resources where possible, such as the Navy’s Joint Cyber Analysis Course and the National Security Agency’s National Cryptologic School.
However, as of November 2018, many of the 133 CMF teams that initially reported achieving full operational capability no longer had the full complement of trained personnel, and therefore did not meet CYBERCOM’s readiness standards. CYBERCOM has since implemented new readiness procedures that emphasize readiness rather than achieving interim milestones, such as full operational capability.
DOD has begun to shift focus from building to maintaining a trained CMF. The department has developed a transition plan for the CMF that transfers (phase two) foundational training responsibility to the services. However,the GAO investigation found that the Army and Air Force do not have time frames for required validation of foundational courses to CYBERCOM standards. Further, services’ plans do not include all CMF training requirements, such as the numbers of personnel that need to be trained. Also, CYBERCOM does not have a plan to establish required independent assessors to ensure the consistency of collective (phase three) CMF training.
Between 2013 and 2018, CMF personnel made approximately 700 requests for exemptions from training based on their experience, and about 85 percent of those applicants had at least one course exemption approved. However, GAO found that CYBERCOM has not established training task lists for foundational training courses. The services need these task lists to prepare appropriate course equivalency standards.
As a result of the investigation, GAO has made eight recommendations to DOD, and the department has concurred with all.
- The Secretary of Defense should ensure that the Army, in coordination with CYBERCOM and the National Cryptologic School, where appropriate, establish a time frame to validate all of the phase two foundational training courses for which it is responsible.
- The Secretary of Defense should ensure that the Air Force, in coordination with CYBERCOM and the National Cryptologic School, where appropriate, establish a time frame to validate all of the phase two foundational training courses for which it is responsible.
- The Secretary of the Army should ensure that Army Cyber Command coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Army’s CMF teams.
- The Secretary of the Navy should ensure that Fleet Cyber Command coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases three (collective) and four (sustainment) in order to maintain the appropriate sizing and deployment of personnel across the Navy’s CMF teams.
- The Secretary of the Air Force should ensure that Air Forces Cyber coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Air Force’s CMF teams.
- The Commandant of the Marine Corps should ensure that Marine Corps Forces Cyberspace coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Marine Corps’ CMF teams.
- The Secretary of Defense should ensure that the commander of CYBERCOM develops and documents a plan for establishing independent assessors to evaluate CMF phase three collective training certification events.
- The Secretary of Defense should ensure that the commander of CYBERCOM establishes and disseminates the master training task lists covered by each phase two foundational training course and convey them to the military services, in accordance with the CMF Training Transition Plan.
