A GAO report has found that DHS needs to take urgent action to identify critical skill requirements within its cyber workforce.
The latest report also found that although DHS reported to Congress that it had coded 95 percent of its identified cybersecurity positions last August, it had actually only coded around 79 percent. The estimate was overstated because it excluded vacant positions even though the Homeland Security Cybersecurity Workforce Assessment Act did specify to include them.
GAO undertook the report as, under the Act, DHS is required to identify, categorize and assign employment codes to all its cybersecurity positions. It should also identify and report all its cybersecurity critical needs.
The report and GAO’s testimony to the congressional subcommittees found that DHS has not reported to Congress its critical needs in specialty areas, and it has not submitted the required annual report to the Office of Personnel Management, despite both recommendations having been due in 2016.
GAO recommends that DHS develops guidance to assist DHS components in identifying their cybersecurity work categories and specialty areas of critical need that align to the NICE framework, and develop plans with timeframes to identify priority actions to report on specialty areas of critical need. DHS agrees with these points and plans to implement them by June 2018.
“DHS needs to act now to completely and accurately identify, categorize, and assign codes to all of its cybersecurity positions, and to identify and report on its cybersecurity workforce areas of critical need,” the report concludes. “Until DHS implements our recommendations, it will not be able to ensure that it has the necessary cybersecurity personnel to help protect the department’s and federal networks and the nation’s critical infrastructure from cyber threats.”