DHS has taken steps to identify, categorize, and assign employment codes to its cybersecurity positions as required by the Homeland Security Cybersecurity Workforce Assessment Act of 2014 but its actions “have not been timely and complete,” GAO has said.
DHS reported to Congress last August that it had coded 95 percent of the department’s identified cybersecurity positions; however, GAO said the actual number was 79 percent–the difference being that DHS excluded vacant positions even though the act required DHS to report these positions, GAO said in testimony to a House hearing.
“In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to Congress on its department wide cybersecurity critical needs that align with specialty areas. The department also has not reported annually its cybersecurity critical needs to the Office of Personnel Management as required, and has not developed plans with clearly defined time frames for doing so,” GAO said.
Until it takes such actions, DHS “may not be able to ensure that it has the necessary cybersecurity personnel to help protect the department’s and the nation’s federal networks and critical infrastructure from cyber threats,” it said.