Agencies struggle to grasp the specifics of cyber contractor workforce, according to GAO's findings

Cybersecurity staffing data lapses at 22 CFO Act agencies exposed, with particular criticism directed towards ONCD for data inconsistencies.

The Government Accountability Office (GAO) has released a new report detailing a lack of control over the cybersecurity contractor workforce in most federal agencies. The report, which was delivered to the Office of the National Cyber Director (ONCD), highlights that 22 out of 23 Chief Financial Officers Act agencies still have either partial or no data on the size and costs of their contractor cyber workforce.

The GAO noted that issues remain with respect to data gaps, quality assurance processes, and variances in identifying cyber personnel, despite the creation of working groups by ONCD and the Office of Management and Budget to bolster data-informed decision making.

According to the report, 14 agencies submitted partial data, and 8 agencies had no data to report at all to GAO. Agency officials stated that obtaining data on their contractor cyber workforce required an agency-wide data call or manual review.

As of April 2024, agencies reported employing at least 63,934 federal cyber practitioners and an additional 4,151 contractor staff, with a combined cost of approximately $14.5 billion. The cost of the federal cyber practitioners was approximately $9.3 billion, and the cost of contractor staff was approximately $5.2 billion.

The GAO delivered four recommendations to ONCD, urging it to work with OMB and agencies on formalizing various data-collection processes and assessing the cost-effectiveness of cyber workforce initiatives. However, ONCD did not agree or disagree with the recommendations from the GAO.

The Office of Personnel Management was the only agency that reported a comprehensive picture of its contractor cyber workforce to GAO. The GAO found that 19 of the 23 agencies lack a documented quality assurance process, and 17 lack uniform methods for identifying cyber workers. Data gaps stemmed from agencies lacking an agency-wide reporting mechanism or from the structure of their contracts.

The Department of Defense was not included in the GAO's review. The Government Accountability Office report on improving federal cyber workforce data collection does not mention the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

The GAO emphasized the importance of having quality data on the cyber workforce. The GAO's report warned that the reported figures are incomplete and unreliable and do not reflect the full size and cost of the cyber workforce. Until ONCD addresses the factors related to data gaps, quality assurance processes, and variances in identifying cyber personnel, it cannot ensure that agencies will have the information needed to support workforce decisions.
