OPM pushes agencies to report cyber workforce gaps

The Office of Personnel Management wants to know exactly what cybersecurity positions agencies need to fill to protect themselves and carry out their missions.

In accordance with the 2015 Federal Cybersecurity Workforce Assessment Act, OPM is requiring Chief Human Capital Officer Act agencies to submit a preliminary report by the August 31 outlining the cybersecurity roles in need and the root causes of the skills shortages.

"Strengthening our cybersecurity workforce remains critical for securing our nation's financial systems, energy grids, intelligence and defense systems, and safeguarding the personally identifiable information of hundreds of millions of Americans," OPM associate director of employee services Mark Reinhold wrote.

The shortage of cybersecurity workers isn't confined to government. A May 2017 report from the Center for Cyber Safety and Education predicted a global shortage of 1.8 million cybersecurity personnel by 2021. Government agencies are considering fast-hire authority, specialty pay and flexibility to move from public to private sector, to get the federal cybersecurity workforce up to speed.

In the memo, which follows the April 2 OPM guidance for coding and classifying jobs with IT and cyber functions, to help agencies address workforce shortages.

The template directs agencies to mark positions of need — ranging from software developer and security architect to data analyst and system administrator to legal advisers, defense analysts, data collectors and cyber investigators. It also asks agencies to mark whether the skill shortage is due to staffing or proficiency levels, determine whether the shortage is current or emerging and identify possible root causes of the shortage.

"This information is critical as it provides the administration with cybersecurity needs from a government-wide perspective and may enable future resources to be dedicated accordingly," the memo states.

Following the preliminary report, a comprehensive agency report is due April 30, 2019.

The full report "must include the completion of action plans with metrics and targets to address and mitigate root causes identified for the cybersecurity work roles of critical need," writes Reinhold.