Cybersecurity Workforce: National Initiative Needs to Better Assess Its Performance
Fast Facts
The National Institute of Standards and Technology leads a national initiative to help agencies and private sector organizations strengthen their cybersecurity workforces.
NIST has documented the skills needed for a cybersecurity workforce; set up collaborative, public-private groups to build a cybersecurity community; and held meetings and conferences to share information.
Having a well-trained cybersecurity workforce is a key government priority. So, it's important that NIST use objective, concrete data to assess and measure the initiative's progress toward its goals.
Our recommendations would help NIST better evaluate its initiative.
Highlights
What GAO Found
The National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program has taken steps to strengthen the cybersecurity workforce. For example:
- The program established an inventory or “framework” of necessary skills and work roles associated with cybersecurity and expanded it with stakeholder input.
- The program formed public and private collaborations to connect the cybersecurity community and promote cybersecurity training and education. This included working groups and communities of interest run in part by volunteers. These groups created projects based on one of the NICE program's strategic goals or the needs of a specific cybersecurity community.
- The program holds periodic webinars, quarterly forums, and multiple annual conferences to share information on cybersecurity issues.
In focus group discussions with program volunteers from industry, academia, and government, participants cited what they regarded as successes, including robust community benefits. However, some participants noted challenges with the program, such as an unclear scope.
NIST's process for assessing the NICE program included fully implementing the practice of involving stakeholders. However, other key practices for establishing a program-level performance process were not fully implemented. Specifically, of nine selected key performance assessment practices, NIST fully implemented one, partially implemented five, and did not implement three (see figure).
National Institute of Standards and Technology (NIST) Implementation of Selected Key Practices for Establishing a Program Performance Process
For example, NIST did not develop performance measures for the program. According to program officials, they relied on the program's volunteer working groups to develop such measures. However, the variability in skills and approaches of the volunteers made it too difficult to accomplish. As a result, NIST was unable to demonstrate program progress. Without reliable data to manage the NICE program's performance, NIST is not in a position to effectively and efficiently identify obstacles or opportunities to sustain and improve the initiative.
Why GAO Did This Study
A well-trained cybersecurity workforce is essential for government functioning. To bolster that workforce, NIST has developed the National Initiative for Cybersecurity Education (NICE). This program's mission is to foster more education and training through collaborative partnerships with private industry, academia, and government agencies.
GAO was asked to review the progress the NICE program is making against its stated goals and objectives. This report examines (1) the actions NIST has taken through the NICE program to strengthen the cybersecurity workforce and (2) the extent to which NIST established a process to assess the program's performance.
GAO analyzed documents related to NIST's program performance assessments and compared these to selected key performance practices identified in legislation and prior GAO work. GAO also conducted focus group interviews with active program participants about their experiences. Additionally, GAO interviewed NIST officials responsible for the program.
Recommendations
GAO is making eight recommendations to NIST to fully develop goals and performance measures, assess the program's environment and identify strategies, track reliable information and report to stakeholders on results, and use data to assess progress and identify improvement opportunities. The Department of Commerce agreed with the recommendations and suggested wording revisions, which GAO incorporated as appropriate.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE develops a program performance plan with goals that are measurable. (Recommendation 1) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, Commerce stated that the Director of NICE would publish an annual performance plan for the NICE program office in February 2024 after receiving and discussing input from NICE program staff and NICE community leadership. However, as of March 2024, the department had not yet provided sufficient evidence to demonstrate that the NICE program had developed a plan including goals that are measurable. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has developed a program performance plan with goals that are measurable.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE updates the program's environmental scan documentation to include an assessment of how the outcomes and impacts of the identified programs, projects, and initiatives may affect the program's achievement of its performance plan and the strategic plan goals. (Recommendation 2) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, Commerce stated that the NICE Director would assign responsibility for NICE program staff to maintain and update the program's environmental scan with new programs, projects, and initiatives as well as information documenting outcomes or impacts of these programs, projects, and initiatives on an ongoing basis. However, as of March 2024, the department had not yet provided sufficient evidence to demonstrate that the NICE program had updated its environmental scan document to assess these possible impacts on the program's achievement of its performance plan and strategic plan goals. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has updated the NICE program's environmental scan documentation to include an assessment of how the outcomes and impacts of identified programs, projects, and initiatives may affect the program's achievement of its performance plan and strategic plan goals.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE assesses and justifies the resources that the program requires to achieve its performance plan and the strategic plan goals. (Recommendation 3) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, Commerce stated that the Director of NICE, after consulting with NICE program staff to prepare an annual spend plan, would provide an annual budget proposal to NIST leadership in March 2024 justifying the resources required for the program to achieve its performance plan and strategic plan goals. However, as of March 2024, the department had not yet provided sufficient evidence to demonstrate that the NICE program had assessed or justified these required resources. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has assessed and justified the resources required by the NICE program to achieve its performance plan and strategic plan goals.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE establishes performance measures with a plan to collect the data needed to assess progress toward each performance goal. (Recommendation 4) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, Commerce noted that NICE program staff would include performance measures in the program office's performance plan and establish a data collection plan in February 2024 before scheduling quarterly meetings to review goals, performance measures, and data collection processes. However, as of March 2024, Commerce had not yet provided sufficient evidence to demonstrate that the Director of NICE had established performance measures or a plan to collect the data necessary to assess progress toward program performance goals. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has established performance measures and a plan collect data needed to measure the NICE program's progress toward each performance goal.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE regularly collects program performance information that is measurable, timely, accurate, and useful. (Recommendation 5) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, Commerce stated that NICE program staff would regularly collect measurable, timely, accurate, and useful program performance information; the Director of NICE would regularly review the process for collecting this information; and the NICE program office would regularly seek NICE community feedback on effective practices for collecting this information, all on an ongoing basis. However, as of March 2024, the department had not yet provided sufficient evidence demonstrating the program's collection of measurable, timely, accurate, and useful program performance information. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has regularly collected program performance information that is measurable, timely, accurate, and useful.
|
| National Institute of Standards and Technology | The Director of NIST should ensure the Director of NICE reports measurable program performance information to stakeholders. (Recommendation 6) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, Commerce noted that the NICE program office would share measurable program performance information with NICE community leadership quarterly and develop and disseminate to the NICE community an annual impact report in January 2025. Additionally, the department stated that the Director of NICE would report this information annually to NIST management as part of the personnel performance management process. However, as of March 2024, the department had not yet provided sufficient evidence to demonstrate that the NICE program had reported this program performance information to stakeholders. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has reported measurable program performance information to stakeholders.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE assesses progress toward achieving program performance goals with measurable performance information. (Recommendation 7) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, the department stated that the NICE program office and NICE community leadership would convene quarterly beginning in March 2024 to assess the program's progress toward achieving performance goals. However, as of March 2024, Commerce had not yet provided sufficient evidence demonstrating that the NICE program had assessed progress toward achieving program performance goals. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has assessed the program's progress toward achieving its performance goals with measurable performance information.
|
| National Institute of Standards and Technology | The Director of NIST should ensure that the Director of NICE uses performance information to manage the program, including to identify opportunities to improve program results, as appropriate. (Recommendation 8) |
The Department of Commerce (Commerce) concurred with the recommendation. In February 2024, Commerce noted that the NICE program office and NICE community leadership would convene quarterly beginning in March 2024 to assess the program's progress toward achieving its performance goals and identify opportunities to improve program results. However, as of March 2024, Commerce had not yet provided sufficient evidence to demonstrate that the NICE program had used performance information to identify appropriate opportunities to improve program results. To fully implement this recommendation, Commerce will need to provide evidence that the Director of NICE has used performance information to manage the program, including to identify opportunities to improve program results, as appropriate.
|