The Government Accountability Office (GAO) is urging the Office of the National Cyber Director (ONCD) to take swift action to improve how the federal government tracks and evaluates its cyber workforce, warning that current data on staffing and spending is incomplete, inconsistent, and unreliable.
Key findings: gaps in headcount and cost data
In a report released Thursday, GAO reviewed 23 federal civilian departments and agencies and found most could not fully identify who is performing IT, cybersecurity, and cyber-related work—or what that workforce costs. Agencies collectively reported at least 63,934 federal employees and 4,151 contractor personnel in cyber roles at an estimated annual cost of about $14.6 billion. GAO emphasized that these figures are likely understated due to missing and inconsistent reporting.
The watchdog highlighted several systemic issues undermining data quality and completeness across the government:
- Twenty-two agencies reported partial or no data on cyber contractors, a major blind spot given the scale of outsourced cyber work.
- Nineteen agencies lacked documented quality assurance processes to validate workforce and cost data.
- Seventeen agencies did not have standardized procedures to identify which employees perform cyber duties.
GAO warned that without dependable data on workforce size, composition, and costs, federal leaders cannot make informed decisions about hiring, reskilling, or investing in critical cyber capabilities. The stakes are even higher during administration transitions, when incoming leaders must quickly assess cyber readiness and risk.
Agencies are acting—but few measure what works
GAO found that 22 of the 23 agencies reported using a variety of initiatives to strengthen their cyber workforce, including targeted hiring, reskilling programs, training and upskilling, and retention incentives. However, the evaluation of those efforts is lagging:
- Nine agencies assessed certain aspects of costs, benefits, or performance of their initiatives.
- Five agencies reported using those assessments to scale or expand specific programs.
- The majority cited a lack of visibility into the underlying data needed to support robust evaluation.
In short, agencies are experimenting—often without the evidence needed to understand which approaches yield the best return on investment or how to prioritize limited resources.
Policy gap: no requirement to evaluate workforce initiatives
GAO noted that ONCD’s 2023 National Cyber Workforce and Education Strategy does not require agencies to evaluate the effectiveness of their cyber workforce initiatives. That omission, the report said, limits the ability of ONCD and agencies to identify, prioritize, and scale programs with the greatest impact.
What GAO wants from ONCD
To close the gaps, GAO made four recommendations to ONCD—working in coordination with the Office of Management and Budget (OMB) and other relevant entities. While the report excerpt does not list each recommendation in detail, GAO’s guidance centers on improving the quality and completeness of federal cyber workforce data, standardizing how agencies identify cyber roles, and establishing expectations for evaluating workforce initiatives so that leaders can direct resources to what works.
ONCD neither agreed nor disagreed with the recommendations.
Why it matters now
Cyber incidents continue to test federal resilience, and the demand for skilled talent far exceeds supply across government and industry. Without clear visibility into who is doing cyber work, what capabilities are missing, and how funds are being spent, agencies risk misallocating resources and missing opportunities to build the workforce needed to defend federal networks and critical services.
Reliable, comparable, and timely data enables:
- Strategic workforce planning across agencies and mission areas.
- Targeted investments in reskilling and training that close the highest-risk gaps.
- Stronger oversight and accountability for taxpayer dollars.
- Faster assessments during leadership transitions and incident response.
Long-standing challenges, unfinished business
GAO’s latest review builds on years of warnings about the federal cyber talent pipeline and data shortfalls. Since 2019, the watchdog has issued 64 recommendations aimed at strengthening cyber workforce management; 32 remain unimplemented.
That backlog underscores the urgency of establishing consistent data standards and evaluation practices. Until agencies and ONCD can see the whole picture—federal employees and contractors, roles and skills, costs and outcomes—policymakers will be hard-pressed to make evidence-based decisions in a fast-evolving threat environment.
The bottom line
GAO’s message is straightforward: the federal government cannot manage what it cannot measure. Improving the accuracy, completeness, and use of cyber workforce data—paired with routine evaluation of hiring, training, and retention initiatives—will be essential to building a resilient cyber defense posture across civilian agencies.
