Key federal cybersecurity positions go unfilled due to bad planning, says GAO

The eight federal agencies surveyed by the GAO had trouble determining the size of their cybersecurity workforce and defining common workforce roles, responsibilities, and compensation.

“Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies. Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives”, the GAO found.

The government watchdog also criticized the agencies for wide variations in cybersecurity workforce training and development programs. The Departments of Commerce and Defense, for example, require cybersecurity personnel to obtain certifications and fulfill continuing education requirements, while other agencies have informal and ad hoc approaches to training, the report said.

“The Office of Management and Budget and DHS [Department of Homeland Security] have identified several agencies to be service centers for government-wide cybersecurity training, but none of the service centers or DHS currently evaluates the training for duplicative content, effectiveness, or extent of use by federal agencies”, the report noted.

The GAO is recommending that agencies address government-wide cybersecurity workforce challenges through better planning, coordination, and evaluation of government-wide activities.
