
Unveiled Lack of Clarity Regarding Cyber Contractor Personnel Across Most Government Agencies, According to GAO Report

Agency oversight group identifies data voids in cybersecurity contracting staff sizes and costs at 22 CFO Act entities, particularly highlighting data deficiencies at ONCD.

The Government Accountability Office (GAO) has released a new report detailing that most federal agencies lack control over their cybersecurity contractor workforce, with significant data gaps, quality assurance issues, and inconsistencies in identifying cyber personnel.

According to the report, 22 out of 23 Chief Financial Officers Act agencies did not provide data on the size and costs of their contractor cyber workforce. The Office of Personnel Management was the only exception, providing a comprehensive picture of its contractor cyber workforce to the GAO.

The report also found that 17 agencies lacked uniform methods for identifying cyber workers, and 19 of the 23 agencies did not have a documented quality assurance process for their cyber workforce data. As a result, 14 agencies submitted partial data, and 8 agencies had no data to report.

The GAO emphasized the importance of having quality data on the cyber workforce, stating that it is crucial for ensuring the federal government is prepared and cyber-ready during administration transitions. The GAO noted that agencies attributed their data gaps to a lack of an agency-wide reporting mechanism or the structure of their contracts.

To bolster data-informed decision-making, the White House Office of the National Cyber Director (ONCD) and the Office of Management and Budget (OMB) have created working groups. However, the GAO noted that ONCD has not mandated agencies such as the Federal Trade Commission (FTC), the Federal Aviation Administration (FAA), the Department of Homeland Security (DHS), the Federal Energy Regulatory Commission (FERC), the Department of Energy (DOE), the Department of Health and Human Services (HHS), and the Office of the Comptroller of the Currency (OCC) to improve the quality of cybersecurity personnel data used by agency-level Chief Human Capital Officers and Chief Information Officers.

The GAO delivered four recommendations to ONCD, urging it to work with OMB and agencies on formalizing various data-collection processes and assessing the cost-effectiveness of cyber workforce initiatives. However, ONCD did not agree or disagree with the GAO’s recommendations.

As of April 2024, agencies reported employing at least 63,934 federal cyber practitioners and an additional 4,151 contractor staff, at a cost of approximately $9.3 billion and $5.2 billion, respectively. The GAO warned that these figures are incomplete and unreliable and do not reflect the full size and cost of the cyber workforce.

The GAO concluded that until ONCD addresses the factors related to data quality, agencies will not have the information needed to support workforce decisions, particularly during administration transitions. The report serves as a call to action for the federal government to improve the management and oversight of its cybersecurity contractor workforce.
