Department of Education – WMO
The Client’s Need
The Department of Education, like other federal civilian agencies, is required by OPM to submit an annual assessment of the staff who perform cybersecurity functions across the department, as well as a plan for addressing any areas that needed strengthening. The OPM guideline used for this assessment, the “Work Roles of Critical Needs Report,” is based on the National Initiative for Cybersecurity Education (NICE) framework, which was developed by the National Institute of Standards (NIST). This framework provides a standard set of definitions of cybersecurity work roles, processes, and competencies. The Department of Education also required assistance in developing online tools to support their effort to promote these NIST standards and enable staff to identify, pursue, and track training opportunities that would enable them to address their needs for education and certification in cyber security competencies that are relevant to the work roles the perform. Further, the AG team assisted the Department in its position as a member of the cross-agency Cyber security Working Group, an intergovernmental committee that is collaborating on the build out of the definitions of NICE cyber security roles. The ultimate goal of this effort was to support continuous improvement of the knowledge and capabilities of the cyber security workforce and strengthen the ability of the Department to ensure the protection and privacy of the significant data resources that it maintains.
The AG team deployed a phased approach to support the Department, including data collection, analysis, reporting, and recommendations development. To meet the Department’s need, the AG Team tailored AG’s proprietary Workforce Management Office (WMO) tool to meet the specific needs and requirements of OPM’s cyber security workforce reporting requirements:
- Discovery: The AG Team collected and reviewed all existing documentation on the several hundred individuals across the Department who perform cyber security work roles. This included staff who performed these roles on a part time and a full time basis, as well as staff who performed multiple roles. Individuals in all operational units of the Department were included. In addition, we facilitated meetings with managers and executives with knowledge of this segment of the workforce to gain their perspective on areas of strength and possible competency and/or staffing gaps.
- Validation of Current Cyber security Coding: In order to identify the cyber security work roles staff were performing, the AG Team led an effort to review, validate, and update the results of a previously completed cyber security position coding study. The purpose of this validation effort was to ensure compliance with NIST standards for the coding of cyber security roles. All roles performed by all staff with cyber security responsibilities were included in the census that was produced.
- Human Capital Needs Assessment: Based on the NIST NICE framework and the coding study described above, the AG team developed and deployed a competency assessment of all staff performing cyber security roles. To do this, the AG team used our proprietary Workforce Management Office (WMO) platform. The WMO enabled the team to deploy two customized surveys. The first survey asked staff members to assess their own competencies and level of effort in cyber security work. The second survey asked managers to assess the competencies of their staff members and the extent to which their needs for staffing in this area were currently met. It also asked them to identify the most critical cyber security roles performed by their staff members and to assess the root causes of any gaps identified.
- Workforce Gap Analysis and Root Cause Identification: The AG Team analyzed the data produced by the WMO surveys and used it to identify identified current and forecasted staffing shortages in cyber security roles, along with strengths and gaps in cyber security competencies. This data was used to support the assessment of work roles of critical needs, as required by the OPM report. The AG Team also used the data uncovered through the surveys to conduct an analysis of the root causes of workforce capacity gaps, including current and future staffing and capability challenges. This information was also included in the OPM report.
- Workforce Planning and Support: To ensure that the information developed in this study was put to use in strengthening the capabilities of the Department, the AG team developed a Strategic Human Capital Plan, an Action Plan, and a Training and Certification Plan. These plans identified the goals, objectives, and actions that needed to be taken to enhance Departmental cyber security staffing levels and capabilities. The team also developed and deployed a SharePoint application that identified training and certification opportunities associated with each cyber security role performed by a staff member and provided staff with the ability to track completion of training and certification activities.
- Cross-agency Cyber security Working Group Support: Based on the knowledge the AG team developed during the project, the Department requested that it provide support for the Department in its role on the cross-agency Cyber security Working Group. Working with committee leadership and guidance, the AG team developed and facilitated a two-day working group session focused on the role of Cyber security Training Developer. Participants in the session included people from across the government. The results of the session were documented and provided to the working group for further review and approval.
This effort provided the Department of Education with a comprehensive understanding of strengths and gaps in its cyber security capabilities, as well as the planning tools needed to enhance its capabilities in this highly critical functional area. It increased the awareness across the organization of the nature and importance of cyber security roles and provided it with the ability to track progress in closing gaps and increasing capabilities. It enabled the Department to enhance its position as a member of the interagency working group and to demonstrate its commitment to safeguarding the critical data within its area of responsibility.