GAO: Cybersecurity workforce management falls short, impacting security across the board

A new U.S. Government Accountability Office (GAO) audit found that despite notable advancements, federal departments still face substantial barriers to implementing effective workforce strategies, particularly in cybersecurity, an area that is central to safeguarding federal IT systems. The audit emphasizes that addressing privacy, authentication, and security challenges is inextricably linked to the effective management of a robust federal cybersecurity workforce.
GAO’s audit report, Cybersecurity Workforce: Departments Need to Fully Implement Key Practices, underscores that a skilled cybersecurity workforce is essential to maintaining privacy and protecting sensitive federal data. It says privacy risks are exacerbated by skill gaps and the inability to maintain a consistent talent pool within federal departments. GAO highlighted that departments such as the Departments of Commerce, Health and Human Services, and Veterans Affairs (VA) lacked comprehensive strategies to address these challenges.
GAO made 23 recommendations aimed at helping federal departments fully implement workforce practices and improve their evaluation processes. Some departments agreed with the recommendations, while others partially agreed or did not comment. The report concludes that until all recommended practices are adopted, achieving a skilled and resilient cybersecurity workforce will remain a challenge.
While the Department of Homeland Security (DHS) serves as a model for best practices, the uneven implementation across other federal departments highlights the need for urgent reforms, the audit found. By adopting GAO’s recommendations, federal agencies can bridge workforce gaps, enhance security, and protect the privacy of sensitive federal data. GAO said these steps are imperative for ensuring that the federal government is equipped to defend against the growing threats in the cybersecurity landscape.
A key privacy issue lies in the management of workforce data. Departments rely on dashboards, such as the Cyber Workforce Dashboard developed by the Office of Personnel Management (OPM), to analyze and project workforce requirements. However, gaps in data collection and analysis impede accurate forecasting of workforce needs and the ability to address vulnerabilities in data protection. Without rigorous data governance frameworks, sensitive employee and system data remain at risk of breaches or misuse, compromising not only privacy but the integrity of federal operations.
“Most of the selected departments reported that they had not fully implemented all 15 practices due, in part, to managing their cybersecurity workforces at the component level rather than the departmental level, as intended by OPM,” GAO reported, noting that “until the departments implement these practices, they will likely be challenged in having a cybersecurity workforce with the necessary skills to protect federal IT systems and enable the government’s day-to-day functions.”
Authentication, a fundamental aspect of cybersecurity, is directly impacted by the expertise of the cybersecurity workforce. GAO’s audit report highlights significant gaps in training and preparedness in this area. GAO said most federal departments fail to conduct sufficient analyses of skills and competencies, which hinders their ability to identify and fill gaps related to authentication technologies.
Authentication systems are only as strong as the professionals designing and maintaining them. When federal agencies such as DHS implemented strong governance and training programs, they succeeded in filling many critical roles related to authentication, GAO said.
Conversely, other departments, like the Department of Treasury and the VA, lagged in developing workforce plans that include comprehensive training in authentication technologies. This disparity reveals the need for a department-wide approach to addressing skill shortages, particularly in emerging authentication frameworks like biometric systems and zero-trust architectures.
Security lapses in federal systems are often linked to inadequacies in workforce planning and execution. GAO identified that none of the evaluated departments fully implemented a cybersecurity workforce action plan, which includes metrics to measure progress in enhancing security capabilities. These shortcomings create vulnerabilities in federal systems, potentially exposing them to cyberattacks, data breaches, and other security threats.
DHS emerged as a leader in workforce planning, implementing 14 of the 15 identified best practices. GAO said DHS’s success is attributed to a centralized governance model and robust communication strategies that ensure alignment across departmental components. Other departments, however, struggled due to decentralized planning and insufficient monitoring mechanisms. This disjointed approach prevents timely identification of security risks and undermines the federal government's efforts to strengthen its cyber defense posture.
To address these challenges, GAO provided actionable recommendations aimed at improving privacy, authentication, and security practices within the cybersecurity workforce. Key recommendations include:
Centralized Governance: Departments are urged to adopt a centralized approach to workforce planning. This involves developing department-wide strategies that align with overarching federal cybersecurity goals, addressing privacy and security holistically.
Enhanced Workforce Analytics: Effective use of data dashboards and analytical tools to forecast workforce supply and demand is essential. By identifying gaps in real time, departments can proactively address vulnerabilities in privacy and security.
Training and Development: Investments in specialized training for cybersecurity professionals in areas like authentication technologies and privacy management are critical. These initiatives should be designed to evolve with emerging threats and technologies.
Monitoring and Evaluation: Departments must establish metrics and evaluation frameworks to measure the success of their workforce strategies. Regular assessments of workforce effectiveness will enable timely course corrections and help sustain security improvements.
Collaboration Across Agencies: A collaborative approach to recruitment and retention can mitigate challenges such as pay disparity and competition with the private sector. GAO said shared initiatives like the federal Pathways Program for hiring recent graduates can expand the talent pool.