Are US Federal Cyber Workers Good Enough?

Federal agencies have made mixed progress at ensuring their cybersecurity workers are properly trained and credentialed, according to a watchdog report released Thursday.

In some cases, agencies haven’t determined exactly who counts as a cybersecurity worker and who doesn’t, according to the Government Accountability Office report. In other cases, agencies haven’t determined which certifications are appropriate or necessary for the cybersecurity employees they do have, the report found.

There’s no standard certification requirement for cybersecurity professionals, such as the bar degree for lawyers, but employers often require certifications offered by professional organizations—such as the Certified Information Systems Security Professional certification—or use those certifications to judge an applicants’ qualifications.

The Federal Cybersecurity Workforce Assessment Act, a 2015 law, required the Office of Personnel Management to develop a coding structure that defines government cyber jobs and the qualifications and certifications required for them.

The law also mandated agencies to apply those codes to their cyber workforces and to report back to Congress on whether their cyber workers were properly credentialed and, if not, what the agencies were doing about it.

After the law went into effect, however, the personnel office was late in developing the coding structure because of earlier delays at the Commerce Department’s cyber education office and that delayed agency assessments.

As of March, only 21 of the 24 major federal agencies had completed their assessments and four of those were missing important pieces of reportable information, the accountability office found.

Some of the reports that included all necessary information were likely partially inaccurate, because of incomplete cyber worker counts or inconsistent use of the codes, the office said.

“This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies’ cybersecurity employees,” the report found.

Overall, 23 of the 24 agencies “had established procedures to identify their civilian cybersecurity positions and assign the appropriate employment codes,” but six of those agencies failed to address at least one of OPM’s coding or assessment requirements, the report found.

The accountability office made 30 separate recommendations to the 13 agencies that fell short in some way, most of which the agencies agreed with or, at least, didn’t disagree with.

The one exception was NASA, which disagreed with a recommendation that it should assess how ready its cyber workers who don’t hold certifications are to get those certifications.

“The agency stated that there is no federal or NASA requirement for employees in cybersecurity positions to hold and/or maintain a certification, and therefore the agency has no plans to assess the readiness of its cybersecurity personnel to take certification exams,” the report stated.

The accountability office stands firm in the recommendation, it said.

Nextgov:

You Might Also Read:

In Demand: Cybersecurity Specialists

« World First Police 3D Security Scanner
EC-Council Sets New Application Security Training Standards »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Tripwire

Tripwire

Tripwire are a leading provider of risk-based security, compliance and vulnerability management solutions.

Social-Engineer

Social-Engineer

Social-Engineer is a team of outside–the–box thinkers that share a common focus on human-to-human social engineering.

ThaiCERT

ThaiCERT

ThaiCERT is the national Computer Security Incident Response Team (CSIRT) for Thailand.

Subex

Subex

Subex leverages its award-winning telecom analytics solutions in areas such as Revenue Assurance, Fraud Management, Asset Assurance and Partner Management, and IoT Security.

Sternum

Sternum

Sternum provides reliable and effective endpoint security for any IoT device, using robust technology and seamless integration.

Macquarie Telecom Group

Macquarie Telecom Group

Macquarie Telecom is Australia's datacentre, cloud, cyber security and telecom company for mid-large business and government customers.

Sparrow

Sparrow

Sparrow specializes in application security testing solutions to cope with new technology trends such as cloud, mobile, and DevSecOps.

PA Consulting

PA Consulting

PA Consulting Group is a consultancy that specialises in strategy, technology and innovation. Our cyber security experts work with you to spot digital and technology security risks and reduce them.

SecAlliance

SecAlliance

SecAlliance is a cyber threat intelligence product and services company.

Tentacle

Tentacle

Tentacle has developed a configurable data management tool that helps organizations to improve their information security programs and overall security posture.

Crayon

Crayon

Crayon is a customer-centric innovation and IT services company. We provide guidance on the best solutions for our clients’ business needs and budget with software, cloud, AI and big data.

Somos

Somos

From voice to messaging to fraud prevention and beyond, Somos are committed to developing innovative solutions that ensure that our ability to maintain trustworthy connections never stops.

Dryad Global

Dryad Global

Dryad Global offers a comprehensive suite of maritime intelligence solutions, including a best-in-class situational awareness, planning and security system and industry-leading cyber protection tools.

LEPHISH

LEPHISH

LePhish is a French cybersecurity solution specializing in automated phishing campaigns.

Softsource vBridge

Softsource vBridge

Softsource vBridge are an ICT systems integrator providing specialist technology solutions, professional services, technical expertise and data centre services.

Secure Domains

Secure Domains

Secure Domains is the first company in the GCC to offer cloud-based DNS firewall services and security through its flagship SaaS product, DNS Armor.