Title page

Contents

Highlights 2

Letter 6

Background 9

OPM Established a Cyber Workforce Dashboard 11

Selected Workforce Management Practices Are Key to Effective Cybersecurity Management 12

GAO Has Previously Reported on Challenges to Effective Federal IT Workforce Planning 14

Selected Departments Did Not Fully Implement Applicable Cybersecurity Workforce Management Practices 16

Departments Largely Set the Strategic Direction 17

Most Departments Partially Conducted Workforce Analyses 19

Most Departments Did Not Fully Develop Workforce Action Plans 21

Most Departments Did Not Fully Implement and Monitor Action Plans 23

Departments Did Not Fully Evaluate and Revise Action Plans 25

Most Departments Took Steps to Mitigate Identified Workforce Challenges, but No Departments Evaluated Their Actions 28

Selected Departments Identified Cybersecurity Workforce Challenges 28

Selected Departments Took Actions to Mitigate Cybersecurity Workforce Challenges 30

None of the Selected Departments Evaluated the Effectiveness of their Mitigation Actions 32

Conclusions 33

Recommendations for Executive Action 33

Agency Comments and Our Evaluation 36

Appendix I: Objectives, Scope, and Methodology 41

Appendix II: Comments from the Department of Homeland Security 44

Appendix III: Comments from the Department of Health & Human Services 47

Appendix IV: Comments from the Department of Veterans Affairs 50

Appendix V: Comments from the Department of Treasury 54

Appendix VI: GAO Contact and Staff Acknowledgments 55

Table 1. Office of Personnel Management's (OPM) Workforce Planning Guide Five-Step Process and the 15 Selected Applicable Practices for Cybersecurity Workforce Management 13

Table 2. Assessment of Five Selected Departments' Implementation of Selected Applicable Practices for Step One: Set Strategic Direction 18

Table 3. Assessment of Five Selected Departments' Implementation of Selected Applicable Practices for Step Two: Conduct Workforce Analyses 19

Table 4. Assessment of Five Selected Departments' Implementation of Selected Applicable Practices for Step Three: Develop Workforce Action Plan 22

Table 5. Assessment of Five Selected Departments' Implementation of Selected Applicable Practices for Step Four: Implement and Monitor the Workforce Action Plan 23

Table 6. Assessment of Five Selected Departments' Implementation of Selected Applicable Practices for Step Five: Evaluate and Revise the Workforce Action Plan 25

Table 7. Selected Departments' Reported Cybersecurity Workforce Challenges 28

Figure 1. Extent to Which Selected Departments Implemented the Practices Within Each of the Five Cybersecurity Workforce Management Steps 17