Civilian cybersecurity personnel assessments submitted by agencies under the Chief Financial Officers Act “may not be reliable,” according to a Government Accountability Office report released Thursday.
The report found that, of the 24 agencies covered by the CFO Act, only 21 had submitted the required baseline assessments of their cybersecurity staff to Congress as of March. The assessments aimed to identify “the extent to which their cybersecurity employees held professional certifications,” as a part of the Federal Cybersecurity Workforce Assessment Act of 2015.
Four of the agencies did not address all of the required information, and the agencies were generally found to lack complete or consistent information in their assessments. This was because the agencies either had not “fully identified” all members of their cybersecurity staff or did not have a consistent list of all of the appropriate cybersecurity certifications.
The three agencies that did not submit these assessments were the Department of Homeland Security, the Department of Housing and Urban Development, and the Small Business Administration. These agencies cited issues such as “a lack of resources and tools” to complete their assessments.
DHS submitted a report to Congress in March of last year, but that report did not contain the required baseline assessments.
“The report noted that DHS’s Office of the Chief Human Capital Officer lacked the ability to view or easily produce consolidated reports on employee certifications from all DHS components,” said the GAO report.
DHS’s report did say that the department was working with cybersecurity experts to solve these issues across all of its components.
The GAO made 30 recommendations to 13 of the agencies to fully implement the act.