OPM Says Agencies Have One Year To ID Cyber Workforce Gaps


The Office of Personnel Management started the clock Monday for agencies to identify, report and mitigate cybersecurity workforce shortfalls.

Federal agencies have one year from today to identify the gaps in their cybersecurity workforces and report their needs and reasons for the skill shortages to the Office of Personnel Management, the department said Monday.

The government’s human resources department issued a memorandum Monday with guidance and milestones for reporting on critical cyber workforce needs over the next four years. The guidance aligns with the National Initiative for Cybersecurity Education, or NICE, framework for categorizing the cyber workforce and instructs agencies on how to comply with mandates in the Federal Cybersecurity Workforce Assessment Act of 2015.

“I am pleased to provide guidance that will help federal agencies pinpoint their cybersecurity workforce’s most critical skill shortages,” Mark Reinhold, associate director for employee services at OPM, said in an April 2 memo to agency human resources directors. OPM’s guidance is the first benchmark for the four-year effort.

With the guidance out, agencies have until April 2019 to “identify information technology, cybersecurity and other cyber-related work roles of critical need in the workforce,” and submit a detailed report to OPM “describing the roles identified and substantiating the critical need designation.”

The various work roles are described in the NICE framework developed by the National Institute of Standards and Technology, which gives each role a three-digit code used for categorization.

Within those roles, agencies will have to determine which represent “critical need.” The guidance establishes critical need based on two criteria:

  • Greatest skill shortages, in terms of staffing levels and/or proficiency and competency levels, and current and emerging shortages.
  • Mission criticality or importance, such as roles critical to meeting the agency’s most significant organizational missions, priorities, challenges, etc.

Agencies will also have to produce a report on the “root causes” of their skill shortages to accompany the 2019 report. The guidance offers some viable reasons—the talent pipeline, hiring and retention issues, performance management and resources and budget—and suggests that a range of issues could contribute to a skill shortage in any given office or mission area.

Finally, agencies will need to submit an action plan to “address and mitigate the root causes,” including metrics and goals.

Agency officials can find templates and additional guidance on the Federal Cybersecurity Workforce Assessment Act MAX website.

The reports will be due every April through to 2022, and OPM expects agencies to regularly evaluate and update work roles, particularly around critical needs. Agencies are also expected to immediately report to OPM any changes to their work roles assessment, action plans, metrics or targets, rather than waiting for the annual reporting deadline.

Agencies are already preparing to meet this requirement. The Education Department, for example, recently released a request for information on how best to track and report its cyber workforce needs using the NICE framework.