The skills gap poses a persistent challenge to organizations. Enterprises need a qualified workforce if they are to adequately defend against digital threats. This is true for every industry and is especially so for the public sector.
Acknowledging that fact, Congress enacted the Federal Cybersecurity Workforce Assessment Act (Act) in 2015. This piece of legislation requires the Office of Personnel Management (OPM) to develop a coding structure under the National Initiative for Cybersecurity Education (NICE) for cybersecurity positions and create procedures that facilitate the coding structure’s implementation for civilian cybersecurity positions. It also stipulates that 24 agencies covered by the Chief Financial Officers (CFO) Act must submit baseline assessments of their workforces and establish processes to apply OPM’s coding structure to their workforces.
Most of the CFO Act agencies submitted baseline assessments. To examine OPM’s coding procedures and gauge how far the Act’s implementation had progressed, the U.S. Government Accountability Office (GAO) reviewed the baseline assessments and coding procedures of the reporting agencies. It also interviewed personnel at OPM and at the CFO Act agencies, and it published its findings in a report to congressional committees.
What it learned was less than encouraging.
Of the 24 CFO Act agencies required to submit baseline assessments, 21 complied with the Act and sent their analyses to Congress. Three agencies (the Department of Homeland Security, the Department of Housing and Urban Development and the Small Business Administration) did not submit assessments, citing a lack of tools and resources, among other reasons. Of the 21 assessments that were submitted, four omitted required information: they did not discuss how prepared employees without certifications were to take certification exams. One agency also failed to explain in its assessment how it planned to mitigate certification gaps.
These findings point to a larger trend: agencies struggled to obtain certification information at all. For six of the 21 agencies that submitted assessments, the response rate on questions about certifications for cybersecurity positions was only 15 to 42 percent. Two agencies said employee responses were voluntary because of union and legal concerns. The low response rates are not surprising. At the time the GAO released its report, there was no government-wide requirement for cybersecurity employees to hold certifications. Most agencies did not require certifications on their own, six said they had some requirements, and only the Department of Defense (DoD) required certifications for all cybersecurity jobs. Even so, the DoD had not yet established coding procedures for its non-civilian cybersecurity positions.
Timing likely contributed to all of these shortcomings. First, NICE had not identified a list of appropriate certifications by the December 2016 deadline for CFO Act agencies to submit their reports, so agencies had to devise their own approaches to mapping cybersecurity certifications. Second, OPM did not issue its coding guidance until January 2017, and that guidance gave agencies until April 2018 to finish assigning three-digit codes to cybersecurity positions. CFO Act agencies therefore had to report on their cybersecurity employees’ certifications before they had properly categorized their workforce, which forced them to invent their own criteria for assessing employee qualifications.
Given these findings, the GAO concluded in its report that agencies’ assessments might not reflect their workforce accurately:
…[B]ecause agencies have not consistently defined the workforce and NICE had not developed a list of appropriate certifications, efforts such as conducting the baseline assessment to determine the percentage of cybersecurity personnel that hold appropriate certifications have yielded inconsistent and potentially unreliable results. By not conducting assessments or including all required information in the assessments, some of these agencies may lack valuable information that could help them identify the certification and training needs of their cybersecurity employees that are charged with protecting federal information and information systems from cyberattacks.
The GAO therefore made 30 recommendations to 13 agencies to help them fulfill the Act’s requirements on baseline assessments and coding procedures. The specific recommendations are detailed in the GAO’s report.
Beyond the requirements of the Federal Cybersecurity Workforce Assessment Act, federal agencies across the board need to put proper safeguards in place to protect themselves against digital threats and to maintain compliance with federal information security standards. Tripwire can help with both of these objectives.