DHS has yet to crack the code on its cyber workforce

employee data (kentoh/ 

A Department of Homeland Security official told Congress that it is getting closer to complying with a 2014 law directing the agency to classify and code its cybersecurity positions.

The 2014 Homeland Security and Cybersecurity Workforce Assessment Act requires DHS to classify and code all IT security positions as outlined by the Office of Personnel Management, the National Initiative for Cybersecurity Education and the National Institute of Standards and Technology to identify its greatest areas of need in cyber human capital. The law also required DHS to begin annually reporting those needs to Congress and OPM starting in 2016 in order to inform stakeholders and facilitate further action.

However, a February 2018 audit by the Government Accountability Office found that the department was well behind schedule identifying and coding its IT security workforce and had relayed inaccurate information to Congress about how far along it was in the process.

At an April 3 House Homeland Security Oversight, Management and Accountability Subcommittee hearing, Chip Fulghum, deputy undersecretary for management, said the department had assigned two-digit codes to each cyber position at the department in line with 2014 OPM guidance, but said a switch to a new 3-digit code framework in 2017 caused delays in the project.

"We coded those positions down the [National Institute of Standards and Technology] standard in terms of two digits," said Fulghum. "We have coded them down now to three digits as required, but there's still some [data] cleanup to do."

The figures are designed to help guide DHS hiring and retention policies during a time when the importance of its cybersecurity mission is rising but overall morale of employees at the department has consistently ranked among the lowest in the federal government in annual surveys.

Rep. Bennie Thompson (D-Miss.), chair of the House Homeland Security Committee, introduced legislation earlier this year that would, among other things, establish a steering group within the department to identify and address the root causes of those findings.

Fulghum, who is leaving DHS this summer after six and a half years, did not provide the committee with a timeline for finalizing its work.

The department could wind up undertaking a cybersecurity hiring spree without the benefit of the data. The latest budget request for the Cybersecurity and Infrastructure Security Agency at DHS calls for $11.4 million to support the hiring of 150 additional cybersecurity positions by the end of fiscal 2020.

Editor's note: This article was changed April 4 to correct the name of the National Initiative for Cybersecurity Education.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.