GAO Finds Federal Agencies Ignore Cyber Workforce Dashboard

Five of six agencies examined don't use OPM's tool meant to address critical cybersecurity staffing shortages.

Federal agencies are largely ignoring a government dashboard designed to help address the nation’s critical cybersecurity workforce shortage, according to a Government Accountability Office (GAO) report released in October 2024.

The GAO found that five of six agencies examined — and the Office of Personnel Management (OPM) itself — don’t use the Cyber Workforce Dashboard that OPM launched in April 2023. Only the General Services Administration was using it, primarily for workforce planning.

In conducting its audit from January 2023 to March 2024, GAO was told by OPM officials that the human capital agency was not using the dashboard for its own cyber workforce planning purposes. “OPM officials did not provide reasons as to why the agency did not use it,” the report stated.

The findings underscore a persistent challenge facing the federal government: building and maintaining a talented cyber workforce amid what the Office of Management and Budget, the Office of the National Cyber Director, and prior GAO reports have described as “a persistent shortage of cyber and IT professionals” that represents “one of the federal government’s most important challenges.”

The dashboard was developed to “inform cyber workforce planning efforts and support agencies in data-driven decision making on current and future cyber workforce requirements,” according to OPM. The intended purpose was to provide a comprehensive government-wide view of federal cyber workforce data and allow agencies to benchmark their workforce data against other agencies.

But all six agencies GAO examined reported issues with the functionality and usefulness of the data in the dashboard. Officials from the five agencies not using the dashboard said they instead rely on other workforce planning methods, such as internally developed reports and applications. Unlike the dashboard, these agency-specific planning methods “provided functionality the agencies needed, such as the ability to filter and format cyber workforce data.”

The agencies GAO examined included the departments of Justice, State, and Treasury; the General Services Administration; the National Science Foundation; and the Small Business Administration. GAO randomly selected the six agencies, dividing them into three tiers based on their reported fiscal year 2024 IT spending.

The Treasury Department and Small Business Administration used the dashboard in the past but have stopped, GAO said. The Justice Department, State Department, and National Science Foundation have never used it.

The dashboard covers cyber workforce data for all 24 Chief Financial Officers Act agencies, plus OMB, the Smithsonian Institution, and the National Archives and Records Administration, according to GAO.

The broader federal cybersecurity workforce challenge is massive in scope. Federal agencies continue to report difficulty recruiting and retaining experienced cyber professionals across the government. The Department of Defense faces one of the largest cyber talent shortages in the federal government sector, with workforce assessments identifying significant gaps in cybersecurity professionals across the defense enterprise.

The problems extend beyond individual agencies. “OPM does not know the extent of non-use by the almost 20 other federal agencies that have access to the Dashboard. Additionally, OPM has not solicited feedback on it,” GAO said. “Without information on the extent of use among the more than 20 federal agencies, OPM is limited in knowing whether it should continue or terminate the effort.”

In response to GAO’s findings, GAO recommended that OPM either terminate the dashboard or address feedback from agencies and continue offering it with needed improvements. Specifically, GAO recommended that OPM “collect and analyze information on Dashboard use, solicit agency feedback on Dashboard limitations, determine the costs, and make an evidence-based decision to either terminate the Dashboard or continue offering it to agencies with needed improvements.”

In a response contained in the report, OPM officials said the agency would review GAO’s findings and determine appropriate next steps for the dashboard’s future. OPM partially concurred with the recommendations, stating it will work with the Office of the National Cyber Director and the Office of Management and Budget to determine next steps.

The dashboard’s troubles come as cybersecurity workforce management remains on GAO’s High-Risk List. GAO’s most recent high-risk report “identified four major cybersecurity challenges and 10 critical actions that federal agencies need to take to address them. One of these actions was to address cyber workforce management challenges,” noting that the issue has been the subject of several laws and numerous sets of guidance from OPM, the White House and the National Institute of Standards and Technology over the last decade.

The report highlights the ongoing struggle federal agencies face in coordinating cybersecurity workforce planning despite various government-wide initiatives. While agencies have developed their own internal systems and processes for managing cyber talent, the lack of adoption of OPM’s centralized dashboard suggests potential gaps in government-wide coordination and strategic planning.

The GAO report represents the latest in a series of critiques about federal cyber workforce management, underscoring the complexity of addressing cybersecurity staffing challenges across the sprawling federal bureaucracy.