Publicly Released: August 2, 2021
The objective of this audit was to determine the extent to which the DoD is meeting Federal requirements, DoD guidance, and DoD strategic goals related to recruitment and retention programs for its civilian cyber workforce.
In 2015, the Federal Cybersecurity Workforce Assessment Act required the coding of encumbered (filled) and vacant (unfilled) cyber positions across the Government based on the National Institute of Standards and Technology's cyber work role coding structure. According to the DoD civilian work role coding guidance (referred to in this report as the "DoD Coding Guide"), cyber work roles describe a set of responsibilities required to execute a function and consist of a definition as well as a representative list of tasks, knowledge, skills, and abilities. The DoD Coding Guide states that the selection of a cyber work role may provide enough information to ensure the identification and maintenance of the right skill set. In 2013, before the enactment of the Federal Cybersecurity Workforce Assessment Act, the DoD issued the DoD Cyberspace Workforce Strategy, which identifies multiple focus areas with critical elements for building and maintaining a competent and resilient cyber workforce. The 2013 strategy formed the foundation of follow-on DoD cyber strategies issued in 2015 and 2018.
To assist in the recruitment and retention of the cyber workforce, the Office of the DoD Chief Information Officer (CIO) further implemented programs such as the DoD Cyber Scholarship Program and the DoD Cyber Information Technology Exchange Program, and initiated the Cyber Excepted Service (CES) personnel system.
The Office of the DoD CIO took action to comply with the Federal Cybersecurity Workforce Assessment Act requirements by implementing the DoD Cyber Workforce Framework, issuing civilian work role coding guidance (DoD Coding Guide) to DoD Components, and submitting work roles of critical need to the Office of Personnel Management. However, the DoD Components did not code all positions in accordance with the DoD Coding Guide. Specifically:
- filled positions were not coded in accordance with the DoD Coding Guide; and
- unfilled positions were not coded in accordance with the DoD Coding Guide.
With the exception of the Department of the Army, the DoD Components we reviewed did not always comply with work role coding requirements because the DoD Components did not have a quality assurance process that ensured compliance with the DoD Coding Guide. The DoD may be unable to properly target its recruitment and retention efforts without completely and accurately coding all of its civilian cyber positions. We also found that the DoD took action to meet strategic goals related to recruitment and retention programs for its civilian cyber workforce. The Office of the DoD CIO further implemented the DoD Cyber Scholarship Program and the DoD Cyber Information Technology Exchange Program, began developing an enterprise-level aptitude test, and initiated the CES personnel system. However, until the DoD Components' application of work role codes is complete and accurate, the DoD may not have the information needed to identify and target the recruitment and retention programs to meet its greatest cyber workforce needs.
We recommend that the DoD CIO:
- require DoD Components to code filled and unfilled positions to meet Federal requirements and comply with the DoD Coding Guide;
- in coordination with the Under Secretary of Defense for Personnel and Readiness and the Office of the Chief Data Officer, conduct a feasibility study of including quality assurance checks in systems used for coding civilian cyber workforce positions to ensure that work role coding is in accordance with the DoD Coding Guide; and
- based on the results of the feasibility study, establish and implement a manual or automated (or combination of both) quality assurance process to determine compliance with the DoD Coding Guide.
Management Comments and Our Response
The Acting DoD CIO agreed with the recommendations, stating that DoD Components will complete work role coding by the end of 2021. He also stated that the DoD is developing an automated dashboard to show the status of the DoD Component configured manpower and personnel systems and the corresponding coded populations of the filled and unfilled cyber workforce positions. We will close the recommendations once we verify that the agreed-upon actions are complete.
This report is the result of Proj. No. D2020-D000CX-0032.000.