Skip to main content

Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program

GAO-22-105187 Published: Sep 29, 2022. Publicly Released: Sep 29, 2022.
Jump To:

Fast Facts

The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation.

We found:

  • NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6
  • NSF hasn't implemented a strategy to effectively manage risks and challenges, such as ensuring recipients meet their service obligation

Our recommendations address these issues. Ensuring the cybersecurity of the nation—including addressing workforce needs—is on our High Risk List.

A photo of the US Capitol building behind an illustration of cybersecurity padlocks

Skip to Highlights

Highlights

What GAO Found

The CyberCorps® Scholarship for Service Program provides participating institutions of higher education with scholarships to students in approved IT and cybersecurity fields of study. As a condition of receiving scholarships, students are required to enter agreements to work in qualifying full-time jobs upon graduation for a period equal in length to their scholarship. See the figure below for how recipients progress through the program.

Scholarship Recipients Progress through Three Phases in the CyberCorps® Program

Scholarship Recipients Progress through Three Phases in the CyberCorps® Program

GAO identified 19 selected legal requirements on how National Science Foundation (NSF) and the Office of Personnel Management (OPM) are to manage the program. GAO found that NSF and OPM fully complied with 13 of the requirements and partially complied with six. The partially complied with requirements include the following:

  • Scholarship recipients are required to provide OPM with annual verifiable documentation of post-award employment. OPM officials acknowledge that recipients provide verifiable employment documentation and up-to-date contact information only at the beginning and end of the service commitment period, rather than annually as required by law.
  • NSF is required to periodically report on program performance, including how long scholarship recipients stay in the positions they enter after graduation. OPM attempts to answer this by surveying recipients. However, recipient response rates ranging from 32 to 50 percent do not yield reliable and complete results.

NSF did not implement a risk management strategy and process to effectively identify, analyze, mitigate, and report on program risks and challenges. Absent such a strategy, NSF is not in a position to mitigate the adverse effects of risk events that do occur, which could negatively impact the accomplishment of program goals.

Why GAO Did This Study

GAO has previously reported that federal agencies faced challenges in ensuring that they have an effective cybersecurity workforce. What is now known as the CyberCorps® Scholarship for Service Program—operated by NSF in conjunction with OPM and the Department of Homeland Security (DHS)—was established in 2000 to increase the supply of new government cybersecurity employees. Since its inception, NSF reports that the program has awarded about $621 million in scholarships to over 4,707 recipients.

GAO was asked to review the Scholarship for Service Program. GAO determined the extent to which (1) NSF and OPM are complying with program legal requirements, and (2) NSF has identified, analyzed, mitigated, and reported on program risks.

GAO assessed program documentation and processes against legal requirements and industry best practices. Further, GAO interviewed NSF, OPM, and DHS officials as well as personnel from selected institutions of higher education participating in the program.

Recommendations

GAO is making three recommendations to NSF and two to OPM to comply with legal requirements and implement a risk management strategy. Both agencies agreed with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status Sort descending
National Science Foundation The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, should periodically evaluate and make public, information on how long CyberCorps® Scholarship for Service Program scholarship recipients stay in the positions they enter upon graduation. (Recommendation 1)
Open
The National Science Foundation (NSF), concurred with the recommendation and plans to implement it by April 30, 2024, but as of February 2023 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.
National Science Foundation The Director of the National Science Foundation should provide Congress with all required information in a timely manner for the CyberCorps® Scholarship for Service Program so Congress can use this information to make informed decisions regarding the SFS Program. (Recommendation 2)
Open
The National Science Foundation (NSF), concurred with the recommendation and plans to implement it by April 30, 2024, but as of February 2023 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.
National Science Foundation The Director of the National Science Foundation should develop and implement a risk management strategy that includes a process to effectively identify, analyze, mitigate, and report CyberCorps® Scholarship for Service Program risks and challenges. (Recommendation 3)
Open
The National Science Foundation (NSF), concurred with the recommendation and plans to implement it by May 31, 2023, but as of February 2023 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.
Office of Personnel Management The Director of the Office of Personnel Management, in coordination with the Director of the National Science Foundation, should establish a time frame for implementing a process to ensure that all CyberCorps® Scholarship for Service Program scholarship recipients provide their institutions of higher education and the Office of Personnel Management (in coordination with the National Science Foundation) with annual verifiable documentation of post-award employment and up-to-date contact information for a period of at least through the end of their work service obligation. (Recommendation 4)
Open
The Office of Personnel Management, concurred with the recommendation but as of February 2023 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.
Office of Personnel Management The Director of the Office of Personnel Management, in coordination with the Director of the National Science Foundation, should ensure the collection of complete and consistent data that relate to the fulfillment of all post-award obligations or requirements pursuant to the CyberCorps® Scholarship for Service Program. (Recommendation 5)
Open
The Office of Personnel Management, concurred with the recommendation but as of February 2023 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.

Full Report

Office of Public Affairs

Topics

CybersecurityHigher educationInformation technologyLabor forceProgram managementRisk managementStudentsWorkforce developmentWorkforce managementWorkforce planning