December 1, 2011

U.S. GAO's report on Federal Agencies' approach to Cyber


News Report

The U.S. Government Accountability Office recently issued a report ("CYBERSECURITY HUMAN CAPITAL - Initiatives Need Better Planning and Coordination") examining how U.S. federal agencies have established and implemented workforce planning practices for cybersecurity personnel, as well as the status of and plans for governmentwide cybersecurity workforce initiatives.

The report shows that most of the efforts overlap and are potentially duplicative, although officials from these agencies reported beginning to take steps to coordinate activities. Furthermore, it appears that there is no plan to promote use of the outcomes of these efforts by individual agencies.

In June 2010, the DHS Inspector General reported that difficulties filling vacant positions at the department’s National Cyber Security Division were hampering its ability to achieve its mission. In March 2011, the Commander of the U.S. Cyber Command testified that the military did not have enough highly skilled personnel to address the current and future cyber threats to our infrastructure. Finally, in April 2011, the Inspector General at the Department of Justice reported that more than one-third of field agents interviewed for an audit reported that they lacked sufficient expertise to investigate the national security-related cyber intrusion cases that they had been assigned.

Of the eight agencies we reviewed, two agencies (DOD and DOT) have workforce plans that specifically define cybersecurity workforce needs. Two agencies (DHS and Justice) have departmentwide workforce plans that, although not specific to cybersecurity, do address cybersecurity personnel. One agency (VA) has a guide on implementing competency models that addresses elements of workforce planning, although it has neither a cybersecurity nor a departmentwide workforce plan. The remaining three agencies (Commerce, HHS, and Treasury) have neither departmental workforce plans nor workforce plans that specifically address cybersecurity workforce needs.

Even within an agency there is inconsistency in defining cybersecurity positions. For example, we previously reported that DOD lacked a common definition for cybersecurity personnel among the different services, which created challenges in determining adequate types and numbers of cybersecurity personnel.

The approaches taken by each agency to define cybersecurity roles, responsibilities, skills, and competencies vary considerably. Some of these differences can be attributed to differences in mission, goals, and organization. [...] However, many of the differences can be attributed to the multiple sources of governmentwide guidance and their lack of alignment. [...] Until these multiple governmentwide efforts are more clearly aligned, agencies may have difficulty consistently defining these areas for themselves and avoiding duplication of effort.

In order to build the capacity they need to achieve their missions and goals, federal agencies need to make wise decisions when investing in training and development programs for their workforce. We have previously reported that agencies need to evaluate their training programs to ensure that they are successfully enhancing the skills and competencies of their employees and that reducing or eliminating duplication in government programs could save billions of tax dollars annually and help agencies provide more efficient services. While one of the goals of the shared program is to reduce duplication, there are several areas in which the training roles overlap among the agencies, and no process exists for coordinating or eliminating duplication among the efforts. [...] As a result, an increased risk exists that training providers are offering duplicative training.

Read the Full Report
