The Government Accountability Office found agencies assigned a non-IT code to more than 15,000 IT positions.
Agencies are still struggling to identify which critical cybersecurity and IT jobs they need to fill.
A Government Accountability Office report released this week found most agencies miscategorized the work roles and functions of many vacant positions. GAO suggested that failing to correctly categorize their tech-related vacancies would add greater challenges as the agencies work to fill gaps in technology roles across the workforce.
“By assigning work role codes that are inconsistent with the IT, cybersecurity, and cyber-related functions performed by positions, the agencies in our review are diminishing the reliability of the information they will need to identify their workforce roles of critical need,” the report said.
The Office of Personnel Management directed agencies to identify filled and vacant positions with IT, cybersecurity, or cyber-related functions and assign work role codes to those positions as required by the Federal Cybersecurity Workforce Assessment Act of 2015.
The auditors found that at least 22 out of 24 agencies assigned a code designated for positions that do not perform IT, cybersecurity, or cyber-related functions—“000”—to positions that most likely do perform such functions. The agencies assigned this “non-IT” work code to 15,779 (about 19 percent) of their IT positions.
Human resource and IT officials from 10 agencies, including the Veterans Affairs and Homeland Security departments, said they assigned the code incorrectly in error. Others said the guidance provided by OPM was unclear and seven said they assigned the “000” code to positions that “did not perform cybersecurity duties for a certain percentage of their time.”
The report also noted that six agencies, including the Defense Department, Environmental Protection Agency, General Services Administration and NASA reported they were not able to assign codes or identify all of their vacancies.
The agencies cited different reasons. Defense blamed not having an “enterprise-wide capability to assign codes,” as well as time and funding constraints. “GSA human resources said that they assigned codes to vacant positions that had been authorized and funded. However, they did not code unfunded vacant positions because they did not anticipate filling them,” the report said.
“By not completing their efforts to identify and code their vacant IT, cybersecurity, and cyber-related positions, the six agencies lack important information about the state of their workforces,” the report said. “As a result, these agencies may be limited in their ability to identify work roles of critical need and improve workforce planning.”
GAO recommended that the six agencies that did not assign codes across all vacancies insert the codes for the IT and cyber-related positions. The report also recommended that 22 out of the 24 agencies review and reassign accurate codes to vacant IT, cybersecurity and cyber-related positions.
It also noted that additional guidance on tracking IT and cyber-related vacancies would be released by OPM and suggested challenges come from the lack of a streamlined process for agencies to track their openings.
Twenty of the agencies responded in agreement to GAO’s recommendations.
NASA was the only agency to submit a “non-concur” response, disagreeing with one of two GAO recommendations. In their response, Office of the Chief Information Officer officials said the agency did not identify and code vacant positions because it does not track open positions amongst its workforce.
“NASA non-concurs with the recommendation because our workforce planning process is decentralized and vacant positions are identified at the time of a critical immediate need,” the response said.
The report also said 24 agencies submitted preliminary reports to OPM identifying information systems security manager, IT project manager, and systems security analyst as the top three work roles of critical need.
“Nevertheless, until agencies accurately categorize their positions, their ability to effectively identify critical staffing needs will be impaired,” it concluded.