Are Federal Cyber Workers Up to Snuff? Many Agencies Don't Know.

Den Rise/

Some still aren’t sure who counts as a cyber worker and who doesn’t.

Federal agencies have made mixed progress at ensuring their cybersecurity workers are properly trained and credentialed, according to a watchdog report released Thursday.

In some cases, agencies haven’t determined exactly who counts as a cybersecurity worker and who doesn’t, according to the Government Accountability Office report.

In other cases, agencies haven’t determined which certifications are appropriate or necessary for the cybersecurity employees they do have, the report found.

There’s no standard certification requirement for cybersecurity professionals, such as the bar degree for lawyers, but employers often require certifications offered by professional organizations—such as the Certified Information Systems Security Professional certification—or use those certifications to judge an applicants’ qualifications.

The Federal Cybersecurity Workforce Assessment Act, a 2015 law, required the Office of Personnel Management to develop a coding structure that defines government cyber jobs and the qualifications and certifications required for them.

The law also mandated agencies to apply those codes to their cyber workforces and to report back to Congress on whether their cyber workers were properly credentialed and, if not, what the agencies were doing about it.

After the law went into effect, however, the personnel office was late in developing the coding structure because of earlier delays at the Commerce Department’s cyber education office and that delayed agency assessments.

As of March, only 21 of the 24 major federal agencies had completed their assessments and four of those were missing important pieces of reportable information, the accountability office found.

Some of the reports that included all necessary information were likely partially inaccurate, because of incomplete cyber worker counts or inconsistent use of the codes, the office said.

“This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies’ cybersecurity employees,” the report found.

Overall, 23 of the 24 agencies “had established procedures to identify their civilian cybersecurity positions and assign the appropriate employment codes,” but six of those agencies failed to address at least one of OPM’s coding or assessment requirements, the report found.

The accountability office made 30 separate recommendations to the 13 agencies that fell short in some way, most of which the agencies agreed with or, at least, didn’t disagree with.

The one exception was NASA, which disagreed with a recommendation that it should assess how ready its cyber workers who don’t hold certifications are to get those certifications.

“The agency stated that there is no federal or NASA requirement for employees in cybersecurity positions to hold and/or maintain a certification, and therefore the agency has no plans to assess the readiness of its cybersecurity personnel to take certification exams,” the report stated.

The accountability office stands firm in the recommendation, it said.