Federal Manager's Daily Report

All but three of the 24 departments and largest independent agencies completed baseline assessments of their cybersecurity workforces as required by the Federal Cybersecurity Workforce Assessment Act, but those assessments “may not be reliable,” GAO has said.

GAO said that compliance with the 2015 law—designed to help agencies get a better handle on the skills they have, lack and will need for the future in that field—already is behind. OPM was late in issuing procedures for assigning codes to positions because it was working with the National Institute of Standards and Technology to align the structure and procedures with policy, which NIST issued later than planned, and that in turn delayed implementation of the following steps, it said.

Three of the 24 CFO Act agencies had not conducted—“for various reasons, such as a lack of resources and tools to do so”—the required baseline assessments identifying the extent to which their cybersecurity employees hold professional certifications. Of those that did, four “did not address all of the reportable information, such as the extent to which personnel without professional certifications were ready to obtain them or strategies for mitigating any gaps” and six only partially addressed certain activities required by OPM in their coding procedures, a report said.

“Additionally, agencies were limited in their ability to obtain complete or consistent information about their cybersecurity employees and the certifications they held. This was because agencies had not yet fully identified all members of their cybersecurity workforces or did not have a consistent list of appropriate certifications for cybersecurity positions.

“As a result, the agencies had limited assurance that their assessment results accurately reflected all relevant employees or the extent to which those employees held appropriate certifications. This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies’ cybersecurity employees,” it said.