Congress Left in the Dark about Government’s Cyber Workforce Shortages

Federal officials have been meticulously counting up the federal information security workforce over the past two years in pursuit of a single database of cybersecurity jobs in the federal government

The feds hope the database will better quantify persistent shortages in tech talent -- and eventually help fill them.

But the effort might benefit from a check-in by Congress.

Lawmakers still lack good data on the federal government’s efforts because the database has not been made public and the Office of Personnel Management -- which is leading the cyber job census -- is not required to report its progress to Congress.

That’s according to a Jan. 8 Congressional Research Service report posted online recently by the Federation of American Scientists’ Project on Government Secrecy.

The report stopped short of issuing recommendations but said if Congress wanted to beef up oversight, it could ask the Government Accountability Office to audit OPM’s cyber workforce data and evaluate how effectively the database is being used to spot shortages, plot future staffing needs and fill gaps.

Cyber job functions are scattered across 100 different federal job categories at last count.  

That’s often led to confusion and made apples-to-apples comparisons hard to calculate. For example, in 2011, DOD officials tallied up about 19,000 cybersecurity employees at the department -- 69,000 fewer than the number identified by GAO that same year.

In 2013, OPM announced it would build a database of cybersecurity jobs by recoding federal job descriptions to align with a framework developed by the National Initiative for Cybersecurity Education.

As of November, about 95 percent of all federal positions had been re-coded using the new approach. But the database, which ostensibly contains the makings of the first consistent governmentwide count of the civilian cyber workforce --  has not yet been made public.

Efforts to tally up the information security experts in government ratcheted up again after the OPM hack drew attention to the lack of qualified information security personnel in government.

As part of a long-term plan for shoring up cybersecurity initiated by the White House, agencies faced an end-of-2015 deadline to report the five most common cybersecurity skills gaps to the Office of Management and Budget, which is planning to release the first-ever governmentwide cybersecurity HR strategy in April.

But again, that data does not have to be submitted to Congress, the CRS report noted.

“Congressional knowledge of the progress of these evolving efforts, therefore, might be limited or incomplete,” which may make it difficult for Congress to assess the capabilities of the federal cybersecurity workforce, the CRS report concluded.

In addition, researchers said lawmakers have little visibility into the use and effectiveness of pay and hiring flexibilities that have been offered at some agencies -- the departments of Defense and Homeland Security, for example -- to speed the hiring of cyber experts.

Last March, for example, the Pentagon was granted the authority to fast track the hiring of 3,000 infosec professionals to staff up U.S. Cyber Command.

And in November, DHS announced plans to hire up to 1,000 new cyber experts under special hiring authorities.  

But agencies that use the hiring shortcuts are not required to report to Congress on how they’re being used or the total number of employees ultimately hired using them.

In the absence of good data, “Congress might find it difficult to ensure that these flexibilities are being used to fill appropriate positions,” the report stated.

Alan Paller, the founder and director of research at the SANS Institute, who has studied DHS’ cyber-expert shortage, has criticized the agency in the past for “hijacking” the hiring authority to fill regular IT roles.

FedScoop first reported on the CRS memo.

(Image via Orhan Cam/Shutterstock.com)