Eric Chabrow, Executive Editor, GovInfoSecurity.com
The lack of government-wide definitions for information security occupations means the agencies with the largest IT budgets don’t know how many cybersecurity experts they employ.
That’s one finding in a Government Accountability Office report released Tuesday that details how eight surveyed agencies have taken varied steps to implement workforce planning for IT security personnel. The report, entitled Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination, also revealed:
- All surveyed agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology.
- Some agencies had few problems recruiting qualified IT security personnel while others had a hard time hiring infosec experts. One department, Veterans Affairs, said it can find qualified personnel, but once they’ve been trained, they leave for higher-paying jobs, often with government contractors.
- Most agencies employed some form of incentives to support their IT security workforce, but none of the eight agencies had metrics to measure the effectiveness of those inducements.
- The robustness and availability of cybersecurity training and development programs varied significantly among the agencies. For example, the departments of Commerce and Defense required cybersecurity personnel to obtain certifications and fulfill continuing education requirements. Other agencies used an informal or ad hoc approach to identifying required training.
None of the agencies could precisely enumerate the number of IT security personnel they employed. In fact, estimates within agencies varied widely, depending on who was reporting and analyzing the employment data. When GAO auditors examined the Defense Department’s Federal Information Security Management Act report for 2010, they counted 87,846 employees with significant information security responsibilities. But when they reviewed the Office of Management and Budget’s analysis of Defense’s FISMA data, it showed 66,000 full-time-equivalent IT security employees. A much lower estimate, 18,955 infosec employees, came from the Office of Personnel Management. Similar variations can be found in data provided by other agencies.
“The difficulty in identifying the size of the cybersecurity workforce is partly due to the challenge of defining a cybersecurity worker,” wrote the GAO authors of the report, Gregory Wilshusen, director of information security issues, and Valerie Melvin, director of information management and human capital issues.
“FISMA-related guidance asks federal agencies to track the number of personnel who have significant information security responsibilities and have received role-based security training each year,” they wrote. “It is possible for an employee to perform a significant security responsibility, such as authorizing operation of a system, without that being the majority of his or her work. In addition, many employees may perform cybersecurity responsibilities as an additional duty.”
Need for Cybersecurity Occupational Series, or Not
Since there is no federal occupational series that identifies federal cybersecurity positions, many agencies use the occupational series developed by OPM, but they generally reflect information technology – not specific IT security – occupations, such as security administration, program management and intelligence.
Several agency officials told GAO that a single occupational series for cybersecurity would make collecting information on their cybersecurity workforce easier, but they and OPM said such a series would present other problems, such as failing to reflect the non-cybersecurity work particular employees may perform, which could limit those employees’ career mobility.
That doesn’t surprise Melissa Hathaway, who surveyed the government’s cybersecurity capabilities when she led President Obama’s cyberspace initiative in 2009. “The challenge is that there are a lot of different jobs associated with cybersecurity and none are necessarily binned as cyber when it comes to headcount,” Hathaway said. “Jobs range from analyst, system administrator, chief information security officer, operations planner, policy coordinator, etc. They also associate with a wide range of missions: law enforcement, homeland security, critical infrastructure protection, counter-intelligence, information system security, and so on.”
Still, OPM officials agreed that there is no way other than creating an occupational series to allow easy identification of cybersecurity employees government-wide, yet the agency has no plans to create such a job series. OPM officials told GAO that determining a way to track federal cybersecurity personnel will be part of future efforts to reform federal personnel systems.
The eight agencies GAO reviewed varied in their ability to fill cybersecurity positions. Officials at four agencies told GAO that they were generally able to recruit and hire to fill needed cybersecurity positions. Officials at several agencies reported challenges in filling more technical positions, and officials at two agencies reported being under a hiring freeze.
The GAO report pointed out that the federal government has begun several government-wide initiatives to enhance the federal cybersecurity workforce. The National Initiative for Cybersecurity Education, known as NICE and coordinated by NIST, includes activities to examine and more clearly define the federal cybersecurity workforce structure and roles and responsibilities, and to improve cybersecurity workforce training.
“The initiative lacks plans defining tasks and milestones to achieve its objectives, a clear list of agency activities that are part of the initiative, and a means to measure the progress of each activity,” Wilshusen and Melvin wrote.
While the Federal CIO Council, NIST, Office of Personnel Management and Department of Homeland Security have taken steps to define skills, competencies, roles and responsibilities for the federal cybersecurity workforce, the GAO report said, these efforts overlap and are potentially duplicative, although officials from these agencies reported beginning to take steps to coordinate activities. Still, there is no plan to promote use of the outcomes of these efforts by individual agencies.
OMB and DHS have identified several agencies to be service centers for government-wide cybersecurity training, but none of the service centers or DHS evaluates the training for duplicative content, effectiveness or extent of use by federal agencies, GAO said. The Scholarship for Service program, run by the National Science Foundation, is a small though useful source of new talent for the federal government, but the program lacks data on whether its participants remain in the government long-term, the report said.