The agency doesn’t fully understand the strengths and weaknesses of its cyber personnel, and it’s more than two years behind on developing a workforce planning strategy, the inspector general found.
Homeland Security Department officials are struggling to assess the strengths and weaknesses of their cybersecurity workforce, and the department is years behind on developing a strategy to bolster that workforce in the years ahead, according to an internal watchdog.
The department, which leads most of the civilian government’s cybersecurity operations, employed roughly 14,000 cyber personnel as of December 2017. But with digital threats on the rise, burdensome legal requirements and far-flung data sources are hindering the agency’s efforts to plan for the workforce’s future, according to the Homeland Security Inspector General.
Every year, the agency is required to submit two comprehensive reports on its cyber workforce to Congress—an updated workforce planning strategy and an assessment of its employees’ capabilities and skill gaps. However, officials have missed every single reporting deadline since the requirements were enacted in 2015, auditors said in a report published Wednesday.
In fact, Congress has only ever received one workforce planning strategy from the agency. Homeland Security officials told auditors they were still working on the 2017 strategy in February 2019, more than two years after it was due.
Furthermore, the reports they’ve submitted so far have all been missing critical information, the IG said. None of the workforce assessments included information “pertaining to the readiness, capacity, recruitment, and training of its cybersecurity workforce,” auditors said, and the agency’s single workforce strategy document was missing information about skills gaps and recruitment efforts, among other long-term plans.
“Without a complete workforce assessment and strategy, [Homeland Security] is not well positioned to carry out its critical cybersecurity functions in the face of ever expanding cybersecurity threats,” the IG said. “Lacking an assessment, DHS cannot provide assurance that it has the appropriate skills, competencies, and expertise positioned across its components to address the multifaceted nature of DHS cybersecurity work.
“In addition, the Department may not have an understanding of its future hiring or training needs to maintain a qualified and capable workforce to secure the nation’s cyberspace,” auditors added.
But they were also careful to note the shortcomings aren’t entirely the fault of the agency. Between 2014 and 2015, Congress passed three different laws that mandated some type of workforce reporting, and these overlapping requirements “overburdened the department’s ability to assess the readiness and capacity of its cybersecurity workforce,” the IG said.
Additionally, the byzantine categorization of the agency’s cybersecurity jobs—which include some 50 job titles and almost 20 occupational series across 12 different components—makes it difficult for the agency to keep tabs on its cyber personnel. To get a complete view of the workforce, officials needed to manually collect data from different components, which consumes both significant time and resources, they said.
Auditors recommended that officials create an enterprisewide database for compiling information on the department's cyber workforce and also devote more resources and oversight to the reporting process.
The report comes as the agency prepares to roll out a new system for building and managing its cybersecurity workforce. The Cyber Talent Management System, set to debut in early 2020, will do away with the entire General Schedule system and give Homeland Security officials more flexibility in the jobs, salaries and benefits they can offer to cybersecurity personnel. The system would also make it easier to determine which employees are serving in a cyber role, which could assist the agency in consolidating its workforce data.