Cybersecurity Workforce: National Initiative Needs to Better Assess Its Performance
| Report Type |
Reports and Testimonies |
| Report Date |
July 27, 2023 |
| Release Date |
July 27, 2023 |
| Report No. |
GAO-23-105945 |
Summary:
What GAO Found
The National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program has taken steps to strengthen the cybersecurity workforce. For example:
The program established an inventory or “framework” of necessary skills and work roles associated with cybersecurity and expanded it with stakeholder input.
The program formed public and private collaborations to connect the cybersecurity community and promote cybersecurity training and education. This included working groups and communities of interest run in part by volunteers. These groups created projects based on one of the NICE program's strategic goals or the needs of a specific cybersecurity community.
The program holds periodic webinars, quarterly forums, and multiple annual conferences to share information on cybersecurity issues.
In focus group discussions with program volunteers from industry, academia, and government, participants cited what they regarded as successes, including robust community benefits. However, some participants noted challenges with the program, such as an unclear scope.
NIST's process for assessing the NICE program included fully implementing the practice of involving stakeholders. However, other key practices for establishing a program-level performance process were not fully implemented. Specifically, of nine selected key performance assessment practices, NIST fully implemented one, partially implemented five, and did not implement three (see figure).
National Institute of Standards and Technology (NIST) Implementation of Selected Key Practices for Establishing a Program Performance Process
For example, NIST did not develop performance measures for the program. According to program officials, they relied on the program's volunteer working groups to develop such measures. However, the variability in skills and approaches of the volunteers made it too difficult to accomplish. As a result, NIST was unable to demonstrate program progress. Without reliable data to manage the NICE program's performance, NIST is not in a position to effectively and efficiently identify obstacles or opportunities to sustain and improve the initiative.
Why GAO Did This Study
A well-trained cybersecurity workforce is essential for government functioning. To bolster that workforce, NIST has developed the National Initiative for Cybersecurity Education (NICE). This program's mission is to foster more education and training through collaborative partnerships with private industry, academia, and government agencies.
GAO was asked to review the progress the NICE program is making against its stated goals and objectives. This report examines (1) the actions NIST has taken through the NICE program to strengthen the cybersecurity workforce and (2) the extent to which NIST established a process to assess the program's performance.
GAO analyzed documents related to NIST's program performance assessments and compared these to selected key performance practices identified in legislation and prior GAO work. GAO also conducted focus group interviews with active program participants about their experiences. Additionally, GAO interviewed NIST officials responsible for the program.
« Return to search Government Accountability Office reports
