The Department of Homeland Security is not “well-positioned” to carry out its cybersecurity role, according to the agency inspector general.
The agency watchdog wrote in a Sept. 23 report that the Cabinet agency’s lack of a cybersecurity workforce strategy and insufficient workforce assessments prevent the agency from being prepared for its duty in federal cybersecurity.
“Lacking an assessment, DHS cannot provide assurance that it has the appropriate skills, competencies and expertise positioned across its components to address the multifaceted nature of DHS’ cybersecurity work,” the IG wrote.
DHS manages several programs that are supposed to secure federal networks across federal civilian agencies.
Under the Cybersecurity Workforce Assessment Act, DHS is required to assess its cybersecurity workforce and create a workforce strategy to address shortfalls in its workforce. According to the DHS IG, the department did not submit a comprehensive cybersecurity workforce strategy to Congress between 2015 and 2018. In 2016, it did submit a workforce strategy, but it did not contain all the required information.
During its investigation, the IG found that the department is still developing its second workforce strategy. It was due in December 2016.
DHS has submitted three workforce assessments to Congress, which have all had missing details and were, on average, submitted one year late. The fourth one was due in June 2018 and has not been submitted as of February 2019.
The three reports that have been sent to Congress lacked information “pertaining to the readiness, capacity, recruitment, and training of its cybersecurity workforce.”
The department also doesn’t have the capability of determining accurate workforce statistics. In its November 2018 workforce assessment, which was due to Congress in June 2017, the DHS Office of the Chief Human Capital Officer (OCHCO) told the IG that “its existing human resources systems did not contain all data required for complete and accurate workforce analysis.” All numbers in the report were compiled from different DHS entities.
DHS saw an increase in cybersecurity job vacancies from 9 percent to 12 percent between 2017 and 2018, and there is a significant shortage of cybersecurity professionals across both the public and private sectors. The government has a particularly hard time competing with the private sector because it can’t match that sector’s salaries or benefits.
The IG stated that DHS fell behind on all the mandates because it lacked detailed information on its cybersecurity workforce, in addition to the burden of overlapping requirements from new legislation that was all passed around the same time.
“Specifically, OCHCO lacked sufficient, centralized data for all components on cybersecurity workforce recruiting, hiring and training to comply with the new reporting requirements,” the watchdog wrote.
Though the threat landscape is growing, the federal government experienced over 31,000 “cyber incidents” in fiscal 2018, a 12 percent decrease from the previous year. Fiscal 2018 was the first year in which the federal government didn’t experience a “major breach.”
To better prepare the DHS workforce going forward, the IG recommended that DHS assign necessary staff resources to complete assessments and strategies on time, establish a coordinated approach to compiling centralized data on workforce and conduct oversight of different internal departments to ensure a commitment to data reporting and submission.
DHS concurred with all three recommendations and has already started to address them, the IG wrote.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.