A shortage of cyber professionals in the federal workforce puts federal IT systems and data at risk. The Federal Cybersecurity Workforce Assessment Act of 2015 requires the Office of Personnel Management (OPM) and federal agencies to take several actions related to cybersecurity workforce planning. These actions include categorizing all IT, cybersecurity, and cyber-related positions using OPM personnel codes for specific work roles, and identifying critical staffing needs.
The act contains a provision for the Government Accountability Office (GAO) to analyze and monitor agencies’ workforce planning. In a report published March 12, GAO determined the extent to which federal agencies have assigned work roles for positions performing IT, cybersecurity, or cyber-related functions and described the steps federal agencies took to identify work roles of critical need. To conduct the investigation, GAO administered a questionnaire to 24 agencies, analyzed coding data from personnel systems, and examined preliminary reports on critical needs. GAO selected six of the 24 agencies based on cybersecurity spending levels to determine the accuracy of codes assigned to a random sample of IT positions. GAO also interviewed relevant OPM and agency officials.
The investigation found that the 24 reviewed federal agencies generally assigned work roles to filled and vacant positions that performed information technology (IT), cybersecurity, or cyber-related functions as required by the Federal Cybersecurity Workforce Assessment Act of 2015. However, six of the 24 agencies reported that they had not completed assigning the associated work role codes to their vacant positions, although they were required to do so by April 2018.
In addition, GAO found most agencies had likely miscategorized the work roles of many positions. Specifically, 22 of the 24 agencies assigned a “non-IT” work role code to 15,779 (about 19 percent) of their IT positions within the 2210 occupational series.
Further, the six agencies that GAO selected for additional review had assigned work role codes that were not consistent with the work roles and duties described in corresponding position descriptions for 63 of 120 positions within the 2210 occupational series that GAO examined. These six agencies were the Department of Homeland Security (DHS), Department of State, Department of Defense (DOD), the Environmental Protection Agency, the General Services Administration and the National Aeronautics and Space Administration.
DHS human resources officials said that its position descriptions may not have been consistent with coding because the assignment of the work role codes could be based on specific tasks that are described in separate documents (e.g., job analyses or employee performance plans) outside of the position descriptions.
Human resource and IT officials from the 24 agencies generally reported that they had not completely or accurately categorized work roles for IT positions within the 2210 occupational series, in part, because they may have assigned the associated codes in error or had not completed validating the accuracy of the assigned codes. The GAO report says that by assigning work roles that are inconsistent with the IT, cybersecurity, and cyber-related positions, the agencies are diminishing the reliability of the information they need to improve workforce planning. Even where agencies had categorized work roles, anomalies remained. For example, DOD had not established procedures for identifying and assigning work role codes to noncivilian (i.e., military) positions.
The act also required agencies to identify work roles of critical need by April 2019. To aid agencies with identifying their critical needs, OPM developed guidance and required agencies to provide a preliminary report by August 2018. The 24 agencies have begun to identify critical needs and submitted a preliminary report to OPM that identified information systems security manager, IT project manager, and systems security analyst as the top three work roles of critical need. However, until agencies accurately categorize their positions, their ability to effectively identify critical staffing needs will be impaired. OPM has recently provided agencies with further guidance that should assist them in their efforts to identify critical needs by April 2019.
GAO recommends that 22 agencies review and assign the appropriate codes to their IT, cybersecurity, and cyber-related positions. Of the 22 agencies to which GAO made recommendations, most agreed. DHS expressed concern with GAO’s finding that it had miscategorized the work roles for some positions. The department stated that its position descriptions are often written in a generalized format, and are static, baseline, point-in-time documents. The department added that several positions may align with the same position description, yet have specific duties and content captured in other human capital documents such as employee performance plans. Thus, some positions may have the same position description yet require different cybersecurity codes.
While GAO agreed that position descriptions do not detail every possible activity, according to OPM, the position descriptions should document the major duties and responsibilities of a position. However, the investigation found that DHS did not always assign codes consistent with major duties and responsibilities described in the position descriptions. For example, the department assigned a Network Operational Specialist code to a position with major duties associated with a Cyber Instructional Curriculum Developer.
The federal government needs a qualified, well-trained cybersecurity workforce to protect vital IT systems. Not having enough of these workers is one reason why GAO placed securing federal systems on its High Risk list.
This week’s White House budget proposal earmarks just over $1 billion in cybersecurity funding for DHS, to protect federal networks and critical infrastructure, including elections equipment.
In addition to modernizing infrastructure, the DHS funding would also be used to address the federal cybersecurity workforce shortage by establishing a unified cyber-workforce capability across the civilian enterprise, with the goal of hiring at least 150 new cybersecurity employees by the end of 2020, according to the proposal.