A new report from the Government Accountability Office (GAO) says the National Institute of Standards and Technology’s (NIST) has taken steps to strengthen the cybersecurity workforce.
NIST leads the National Initiative for Cybersecurity Education (NICE) program, a national initiative to help agencies and private sector organizations strengthen their cybersecurity workforces. The program has a $4 million annual budget and has a staff comprised of eight full-time equivalent employees and part-time contractors who work on a task-related basis.
GAO has found that NICE has established an inventory or “framework” of necessary skills and work roles associated with cybersecurity and expanded it with stakeholder input. The government watchdog determined that NICE formed public and private collaborations to connect the cybersecurity community and promote cybersecurity training and education. This included working groups and communities of interest run in part by volunteers. These groups created projects based on one of the NICE program’s strategic goals or the needs of a specific cybersecurity community.
GAO’s review also found that the program holds periodic webinars, quarterly forums, and multiple annual conferences to share information on cybersecurity issues.
Focus group participants largely agreed that NICE provides helpful customer service, robust community benefits, and useful products, but some told GAO of challenges with the program, such as an unclear scope. Participants also noted a lack of performance metrics, limited communication and outreach, and inconsistent internal communication as program challenges.
GAO found NIST’s process for assessing the NICE program included fully implementing the practice of involving stakeholders. However, the watchdog noted that other key practices for establishing a program-level performance process were not fully implemented. For example, NIST did not develop performance measures for the program. According to program officials, they relied on the program’s volunteer working groups to develop such measures. However, the variability in skills and approaches of the volunteers made it too difficult to accomplish. As a result, GAO found NIST was unable to demonstrate program progress. Without reliable data to manage the NICE program’s performance, GAO believes that NIST is not in a position to effectively and efficiently identify obstacles or opportunities to sustain and improve the initiative.
GAO is making eight recommendations to NIST to fully develop goals and performance measures, assess the program’s environment and identify strategies, track reliable information and report to stakeholders on results, and use data to assess progress and identify improvement opportunities. The Department of Commerce agreed with the recommendations.