GAO Blasts Federal Management of Cyber Security Work Force

Friday, December 02, 2011

The Government Accountability Office (GAO) has submitted a report to Congress that criticizes federal management of the cybersecurity workforce.

The report, titled Cybersecurity Human Capital - Initiatives Need Better Planning and Coordination, concludes that the government is facing significant challenges in its effort to better define the role of cybersecurity and attract viable candidates for key positions.

The report examined eight agencies including the Department of Defense, the Department of Homeland Security, the Department of Health and Human Services, the Treasury, Veterans Affairs, the Department of Commerce, the Department of Transportation and the Department of Justice.

"All of the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology (NIST)," the report states.

The GAO report also found significant variance across agencies where training and certifications were concerned, and suggested that more uniform prerequisites be implemented.

"The robustness and availability of cybersecurity training and development programs varied significantly among the agencies. For example, the Departments of Commerce and Defense required cybersecurity personnel to obtain certifications and fulfill continuing education requirements. Other agencies used an informal or ad hoc approach to identifying required training," the report noted.

The report also found a great deal of inconsistency where compensation and incentives were concerned, and pointed out the lack of meaningful metrics to determine the impact of incentives where they are being implemented.

"Use of incentives for cybersecurity positions varied widely by agency, with DOD offering the widest range of incentives. However, no data exist on the effectiveness of incentives, in part because of the lack of guidance on tracking such data from OPM. Differences in compensation systems also affected agency perceptions of their ability to recruit cybersecurity personnel," the report states.

Another key finding is the prevalence of duplicative efforts that indicate a need for greater inter-departmental coordination.

"Multiple efforts by the CIO Council, NIST, OPM, and DHS have defined cybersecurity roles, responsibilities, skills, and competencies, but these efforts are potentially duplicative and could be better coordinated. Similarly, multiple efforts to assess and provide training needs are under way, but lack coordination," the report concludes.

Specific recommendations issued in the GAO report include:

  • That the Secretary of Commerce direct the department’s Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.
  • That the Secretary of Defense direct the department’s Chief Information Officer, in consultation with the Deputy Assistant Secretary for Defense for Civilian Personnel Policy, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that appropriately address human capital approaches, critical skills, competencies, and supporting requirements for its cybersecurity workforce strategies.
  • That the Secretary of Health and Human Services direct the department’s Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.
  • That the Secretary of Transportation direct the department’s Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity workforce plan or ensure that departmental components have plans that fully address gaps in human capital approaches and critical skills and competencies and supporting requirements for its cybersecurity workforce strategies.
  • That the Secretary of Treasury direct the department’s Chief Information Officer, in consultation with its Chief Human Capital Officer, to develop and implement a departmentwide cybersecurity workforce plan or ensure that departmental components are conducting appropriate workforce planning activities.
  • That the Secretary of Veterans Affairs direct the department’s Chief Information Officer, in consultation with its Chief Human Capital Officer, to update its departmentwide cybersecurity competency model or establish a cybersecurity workforce plan that fully addresses gaps in human capital approaches and critical skills and competencies, supporting requirements for its cybersecurity workforce strategies, and monitoring and evaluating agency progress.

The thrust of the GAO report comes down to improving coordination of efforts between agencies, a tough task for the infamously turf-war-prone federal government, which often sees agencies vying for influence and limited resources.

"In an era of limited financial resources, better coordinated efforts to address both cybersecurity-specific and broader federal workforce challenges are crucial to cost-effectively ensuring that the government has the people it needs to continue to deal with evolving cyber threats," the report concludes.

The full GAO report can be examined here:

Source:  http://www.gao.gov/new.items/d128.pdf

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.