The U.S. Government Accountability Office (GAO) recently testified on the extent to which the Department of Homeland Security (DHS) has identified, categorized, and assigned employment codes to its cybersecurity positions and identified its cybersecurity workforce areas of critical need.
The Homeland Security Cybersecurity Workforce Assessment Act of 2014 requires DHS to complete these actions. GAO found that while has taken actions meet the act’s requirements, the actions have not been timely and complete.
GAO found that DHS did not establish timely and complete procedures to identify, categorize, and code its cybersecurity position vacancies and responsibilities, did not identify all of its cybersecurity positions and accurately assign codes to all filled and vacant cybersecurity positions and has not identified or reported to Congress on its department-wide cybersecurity critical needs that align with specialty areas.
In August 2017, DHS reported to Congress that it had coded 95 percent of the department’s identified cybersecurity positions. GAO found that the department had, at that time, coded approximately 79 percent of the positions. DHS’s overestimated its progress primarily because it excluded vacant positions, which the act requires DHS to report.
DHS has also not reported annually its cybersecurity critical needs to the Office of Personnel Management (OPM) or developed plans with clearly defined time frames for doing so, GAO said.
GAO recommended that DHS ensure that its cybersecurity workforce procedures identify position vacancies and responsibilities, workforce data are complete and accurate and that plans for reporting on critical needs are developed.
DHS concurred with GAO’s six recommendations and described actions the department plans to take to address them.