The Office of Personnel Management seeks to develop a framework for the classification, hiring, performance management, and development of federal cybersecurity pros.
On the heels of a report that raised concerns about the competency of cybersecurity pros at the Department of the Interior, the Office of Personnel Management plans to develop better ways to ensure that the federal cybersecurity workforce is up to snuff.
In a recent memo to federal HR directors, OPM director John Berry said the effort will include developing policies and guidance on job classification, hiring, performance management, and workforce education and development. He implied that the work was brought on by a consensus among OPM, the federal CIO Council, and federal Chief Human Capital Officers Council that cybersecurity workforce development required a government-wide framework.
That bears out with other findings. Earlier this year, Booz Allen Hamilton surveyed 69 officials from 18 federal agencies and concluded that among other challenges to federal cybersecurity, "fragmented governance and uncoordinated leadership" hinder the ability to meet the government's cybersecurity needs.
A report issued this month by the Department of the Interior highlights the problems Barry and OPM plan to address. Among cybersecurity staff, Interior requires only self-certified training, and the inspector general found that only 13.5% of self certifications were relevant and complete.
Furthermore, the report found a pipeline coordinator officer and a supervisory land examiner among many with non-security titles whose jobs were entirely focused on cybersecurity. Among the other problems identified in the report: several Interior CISOs don't hold top-security clearances as policy requires.
In the memo, Barry asked federal HR directors to send OPM information about cybersecurity job descriptions, vacancies, accreditation, training, performance management, and any governance frameworks they have in place, as well as details of the challenges they face.
It's unclear when final policies might be released, but OPM plans to organize the models around three categories of cybersecurity pros: IT operations, law enforcement, and specialized operations that include classified work on "collection, exploitation and response."
Finding the flaws in your operating systems and applications is only the beginning. You then need to plot a path to security and ensure that no new weaknesses find their way onto your network. This Dark Reading report focuses on how to do that. Download the report here (registration required).
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.