Agencies have one-year deadline to identify cyber workforce shortages

The Office of Personnel Management (OPM) is giving federal agencies a one-year deadline to identify and report on skill shortages in their cybersecurity workforces.

A memorandum unveiled Monday requires each agency to tell the government’s human resource office what their “critical needs” are in a broad range of cyber workforce areas, including security and information technology.

They must submit their findings by April 2019 and provide reports for three more years after.

“I am pleased to provide guidance that will help federal agencies pinpoint their cybersecurity workforce’s most critical skill shortages,” Mark Reinhold, OPM’s associate director for employee services, wrote in a memo sent to human resources directors at different federal agencies. {mosads}

“Based on these agency reports, the U.S. Office of Personnel Management will identify common needs to address from the Governmentwide perspective,” he continued.

The guidance says agencies must determine whether there is a critical need based on two criteria.

The first criteria includes what an agency deems its most glaring skill shortages in terms of staffing as well as proficiency and competency levels — both current and emerging.

The second criteria is what an agency decides is “critical to meeting the agency’s most significant organizational missions, priorities, challenges,” or its mission importance.

According to the guidance, agencies will need to conduct a self-examination to determine the “root causes” of their skill shortages in their report, including reasons like the talent pipeline, recruitment and retention, training, performance management, as well as resources and budget.

Once the agency uncovers those core issues, they must then submit a plan that lays out how they will “address and mitigate the root causes,” partly through establishing metrics and goals for mitigating such workforce shortages.

The Federal Cybersecurity Workforce Assessment Act of 2015 serves as the basis for this guidance because it outlined how the federal government would identify and then assess the critical needs for its cybersecurity workforce — specifically the National Initiative for Cybersecurity Education Workforce Framework (NICE Framework). 

“The NICE Framework establishes a common lexicon that describes cybersecurity work,” Reinhold wrote.