The US government has no idea how many cybersecurity pros it employs

The US federal government employs tens of thousands of cybersecurity professionals at a cost of billions per year – or at least it thinks it does, as auditors have found the figures are incomplete and unreliable. 

The Government Accountability Office (GAO) said that data it reviewed from 23 key US government agencies (out of 24, as the Pentagon was excluded from this report) indicated there were at least 63,934 full-time federal cybersecurity employees, costing the government around $9.3 billion per year. An additional 4,151 contractors were reported to the GAO, and those cost taxpayers an additional $5.2 billion. 

Something is very wrong with that data, however. 

“Most agencies did not have quality information on their component-level and contractor cyber workforce,” GAO said. “As a result, they could not accurately identify the size and cost of their cyber workforce.”

Twenty-two of the 23 agencies examined for the report told the GAO they had only “partial or no data on their contractor cyber workforce,” and 19 agencies lacked any quality assurance process to ensure the data they reported was actually accurate. To make matters worse, 17 agencies didn’t even have standardized practices in place to determine who qualifies as a cybersecurity employee.

If that sounds like a recipe for more preventable cybersecurity incidents at government agencies due to a lack of staffing or the hiring of unqualified, unvetted people for sensitive roles – well, at least you realized that. 

The GAO did too, of course, but it’s not clear the Trump administration cares. 

### National Cyber Director not directing

The Office of the National Cyber Director (ONCD), a White House-level position responsible for coordinating national cybersecurity policy, isn’t issuing proper guidance, the GAO found, which is part of the reason workforce data is such a mess. 

According to the report, the Federal Cyber Workforce working group responsible for implementing changes to reporting and data gathering had its meetings suspended in February, with ONCD officials saying they were waiting for direction from a new National Cyber Director. Trump’s pick for that role, Sean Cairncross, was nominated that same month and confirmed by the Senate in August. He now occupies the position despite never having held a cybersecurity leadership role in his career. Prior to his appointment, Cairncross worked as a lawyer for the Republican Party.

GAO added that, even after Cairncross’s confirmation, it was unclear whether the working group’s efforts would continue, despite its role as “the lead for implementing” the White House’s cybersecurity workforce projects.

A GAO spokesperson told us that ONCD didn’t tell it whether the meetings had been restarted as of September, when GAO wrapped up its investigation for this report.

Even if those meetings had continued, GAO found that neither the ONCD nor the Office of Management and Budget (OMB) had identified any plans for how, exactly, to improve cyber workforce data quality.

The GAO isn’t happy with that, as it says cyber workforce decisions – like mass layoffs – can’t be made properly without accurate data. 

The GAO made four specific recommendations to the ONCD in the report, saying it needs to address data gaps, ensure quality in data reporting, standardize identification of cybersecurity roles, and direct agencies to assess workforce effectiveness. The ONCD “did not agree or disagree” with the GAO’s recommendations, but it did have something to say about the whole mess: It’s Biden’s fault. 

That is, according to the GAO, the ONCD “stated that the report will serve as a retrospective assessment of federal cyber workforce data collection efforts during the previous Administration.”

While the flimsy jobs data in the GAO report does come from the Biden era (GAO said data in the report is as of April 2024), the study itself – which included talking to current employees at multiple government agencies – didn’t wrap up until this month. 

Blaming the Biden administration in this case may be fair when it comes to the old data, but it ignores that administration’s attempt to improve the reporting of that data. For instance, the GAO noted that the Biden administration started a number of initiatives to strengthen the cyber workforce and report more accurately on it – like the March 2023 White House National Cybersecurity Strategy and an additional workforce initiative that kicked off that same year.

It’s not clear whether those Biden-era workforce programs, implemented to deal with the very issues the GAO is now concerned about, remain a priority, especially with the working group stuck in limbo.

“As we have found in multiple reports issued since 2019, the federal government has historically struggled to manage this important subset of government technology workers,” a GAO spokesperson told us in an email.

We reached out to the White House and ONCD, but didn’t hear back from either. ®
