Federal agencies struggle to define their cybersecurity workforce, finds GAO

Federal agencies with the largest information technology budgets do not know the size of their cybersecurity workforce because there is no cybersecurity occupational series, or even a standard set of definitions for IT jobs, writes the Government Accountability Office in a report (.pdf) published Nov. 29.

As part of its research, GAO evaluated cybersecurity workforce planning practices at the eight federal agencies with the highest IT budgets. Not one of the agencies could place an accurate number on its cybersecurity personnel, as different agency representatives cited different numbers.

Cybersecurity workforce plans were well formulated at some agencies--such as the departments of Commerce, Defense and Veterans Affairs--but less strategic or even seemingly absent at others, says GAO. But a common theme among all agencies examined by auditors was difficulty in consistently defining their cybersecurity workforce, determining IT personnel roles and hiring highly technical personnel.

According to the report, there are 17 Office of Personnel Management occupational series commonly used for the cybersecurity workforce. "None of these series identifies cybersecurity as the only job responsibility. In many cases, employees with cybersecurity responsibilities also have other responsibilities, and some employees classified under a particular series may not have any cybersecurity responsibilities," notes the report.

The National Initiative for Cybersecurity Education released a draft taxonomy of the cybersecurity workforce Nov. 8, but GAO said NICE's workforce framework does not define tasks and milestones for implementation, include a list of agencies' work or measure progress on the initiative.

For more:
- see GAO-12-8 (.pdf)
