The Murky Numbers Behind the Federal Government’s Cybersecurity Force

Screenshot 2015-07-31 10.22.10It’s no secret that the federal government doesn’t have enough skilled cybersecurity professionals. There have been countless reports about it, and senior leaders have been on the circuit for years talking about the dire need for more experienced security experts in their ranks.

But just how big is the skills gaps, and what skills does the government need? How many cyber pros work in government, and what are the current demographics around this segment of the workforce? These were among the flurry of questions GovLoop posed to the Office of Personnel Management with the hope of better understanding the government’s cybersecurity needs.

One of the first things we learned is that OPM does not know how many cybersecurity professionals currently work in the federal government, let alone what that breakdown looks like by agency. At OPM, for the federal workforce as a whole, “I don’t think we have that answer just yet,” OPM Press Secretary Samuel Schumach told GovLoop. But he suggested that the data does exists at the individual agency level.

Part of the challenge for OPM and the federal government as a whole is “cybersecurity functions are embedded within a wide range of federal positions that span more than 100 federal occupational series,” according to a January report by the Congressional Research Service. Most of those jobs are embedded in the 2210 job series for information technology professionals, and according to OPM’s public workforce database, FedScope, there are more than 83,000 civilian positions covered by the IT management series (excluding active military personnel and the intelligence community).

OPM has been working to build a new data bank that will identify which of those jobs focus on cybersecurity. In 2014, OPM officials said most agencies were on track to having those jobs properly code by year’s end. But the governmentwide database is still incomplete.

Top 5 Cybersecurity Talent Gaps in Government

Although OPM couldn’t say how many cyber professionals work in the federal government, the agency did provide details on the government’s greatest cybersecurity needs.

The information OPM provided to GovLoop is based on an analysis of staffing resource charts agencies submitted as part of the Cybersecurity Strategy and Implementation Plan (CSIP).  The White House released the plan in the wake of the massive OPM data breach last year with the goal of improving how the government identifies and responds to cyberthreats, as well as its hiring of security professionals.

Agencies were asked to include short- and long-term employee hiring targets, projected attrition and estimated contractor support using a nationwide framework established by the National Initiative for Cybersecurity Education. The framework details 31 common functions performed by cyber professionals.

Listed below are the top five cybersecurity functions with the largest gaps to close in the federal government, along with a brief description from the NICE framework.

Customer service and technical support

Addresses problems, installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support). Related jobs titles include service desk operator, computer support specialist, and help desk representative.

System administration

Installs, configures, troubleshoots and maintains server configurations (hardware and software) to ensure their confidentiality, integrity and availability. Also manages accounts, firewalls, and patches. Responsible for access control, passwords and account creation and administration. Related jobs include platform specialist, website administrator and systems administrator.

Network services

Installs, configures, tests, operates, maintains and manages networks and their firewalls, including hardware and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems. Related jobs include network system engineer, network designer and network administrator.

Information systems security operations

Oversees the information assurance program of an information system in or outside the network environment; may include procurement duties (e.g., ISSO). Related jobs include contracting officer, contracting officer technical representative, information systems security operations and information assurance manager.

Operate and maintain

Is one of the seven overarching categories that comprises several of the specialty areas previously listed, including system administration, network services and customer service and technical support. Employees that fall under this category are responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.

The majority of the cybersecurity workforce functions performed in the federal government fall under the operate and maintain category. This includes work performed by federal cybersecurity workers and contractors.

For contractors, the top five areas with the largest needs are operate and maintain; customer service and technical support; securely provision, which includes conceptualizing, designing, and building secure IT systems; system administration and system development.

Cyber Workforce Demographics

Before we dive into demographics, let’s clarify a few things. As stated earlier, OPM did not provide numbers on how many cyber professionals are in government, but the agency did provide demographics data that it says pertains to the cyber workforce.

This is where the data gets hazy. OPM could not clarify if the data GovLoop received was based solely on data about the cyber workforce or if these are general numbers pertaining to the 2210 IT job series, which comprises many cybersecurity positions.

What is clear is that the data was gathered from the staffing resource charts that agencies submitted as part of the administration’s cyber implementation plan. Here’s some insight into what we learned: The average age of a federal cybersecurity worker is 47, with white males making up a significant portion of the cyber workforce.

In fiscal 2015, 11 percent of federal cybersecurity employees hired were under the age of 30. Thirty-four percent of new hires, which includes transfers between agencies, were between 30 and 39. Another 34 percent were between ages 40 and 49. Twenty percent were 50 and older.

More than half — 69 percent — of cybersecurity positions are at the GS-12 through GS-14 grade levels. Of the permanent, non-seasonal, full-time cybersecurity professionals hired in fiscal 2015, 23 percent were at the GS-11 level, 31 percent were classified as GS-12 and 18 percent were hired at the GS-13 level.

“The Federal Government has already hired 3,000 new cybersecurity and IT professionals in the first 6 months of this fiscal year,” according to a joint blog post by Office of Management and Budget Director Shaun Donovan; Beth Cobert, OPM’s Acting Director; Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator; and Federal Chief Information Officer Tony Scott. “However, there is clearly more work to do, and we are committed to a plan by which agencies would hire 3,500 more individuals to fill critical cybersecurity and IT positions by January 2017.”

What’s Next?

The White House released a Federal Cybersecurity Workforce Strategy in July that outlined four key initiatives to attract and retain cyber pros. Agencies were directed to use the NICE framework going forward to  identify, recruit, assess and hire cyber workers.

Ensuring that workforce data is accurate and reliable will be key to building the government’s cyber talent. “Overall, the data… indicates that the cadre of senior, more experienced cybersecurity professionals in the government is strong,” according to workforce documents provided by OPM. “However, significant efforts to improve the integrity, reliability and validity of the data must occur.”

Leave a Comment

Leave a comment

Leave a Reply