DHS has yet to crack the code on its cyber workforce

employee data (kentoh/ 

A Department of Homeland Security official told Congress that it is getting closer to complying with a 2014 law directing the agency to classify and code its cybersecurity positions.

The 2014 Homeland Security and Cybersecurity Workforce Assessment Act requires DHS to classify and code all IT security positions as outlined by the Office of Personnel Management, the National Initiative for Cybersecurity Education and the National Institute of Standards and Technology to identify its greatest areas of need in cyber human capital. The law also required DHS to begin annually reporting those needs to Congress and OPM starting in 2016 in order to inform stakeholders and facilitate further action.

However, a February 2018 audit by the Government Accountability Office found that the department was well behind schedule identifying and coding its IT security workforce and had relayed inaccurate information to Congress about how far along it was in the process.

At an April 3 House Homeland Security Oversight, Management and Accountability Subcommittee hearing, Chip Fulghum, deputy undersecretary for management, said the department had assigned two-digit codes to each cyber position at the department in line with 2014 OPM guidance, but said a switch to a new 3-digit code framework in 2017 caused delays in the project.

"We coded those positions down the [National Institute of Standards and Technology] standard in terms of two digits," said Fulghum. "We have coded them down now to three digits as required, but there's still some [data] cleanup to do."

The figures are designed to help guide DHS hiring and retention policies during a time when the importance of its cybersecurity mission is rising but overall morale of employees at the department has consistently ranked among the lowest in the federal government in annual surveys.

Rep. Bennie Thompson (D-Miss.), chair of the House Homeland Security Committee, introduced legislation earlier this year that would, among other things, establish a steering group within the department to identify and address the root causes of those findings.

Fulghum, who is leaving DHS this summer after six and a half years, did not provide the committee with a timeline for finalizing its work.

The department could wind up undertaking a cybersecurity hiring spree without the benefit of the data. The latest budget request for the Cybersecurity and Infrastructure Security Agency at DHS calls for $11.4 million to support the hiring of 150 additional cybersecurity positions by the end of fiscal 2020.

Editor's note: This article was changed April 4 to correct the name of the National Initiative for Cybersecurity Education.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Budget
    Stock photo ID: 134176955 By Richard Cavalleri

    House passes stopgap spending bill

    The current appropriations bills are set to expire on Oct. 1; the bill now goes to the Senate where it is expected to pass.

  • Defense
    concept image of radio communication (DARPA)

    What to look for in DOD's coming spectrum strategy

    Interoperability, integration and JADC2 are likely to figure into an updated electromagnetic spectrum strategy expected soon from the Department of Defense.

Stay Connected