Section 1652 of the fiscal year 2020 National Defense Authorization Act tasks the U.S. Department of Defense (DoD) to perform a zero-based review (ZBR) — a detailed review rather than a simple comparison with previous size or budget — of its cybersecurity and information technology workforces. The ZBR process described in this report constitutes a transparent, repeatable process with which DoD can conduct ZBRs across the DoD cyber enterprise.
Support to the DoD Cyber Workforce Zero-Based Review
Developing a Repeatable Process for Conducting ZBRs Within DoD
- How many and what types of personnel make up the DoD cybersecurity and IT workforces?
- What roles and functions do the DoD cybersecurity and IT workforces currently perform?
- How often do DoD personnel perform core cybersecurity or IT tasks described in the DoD Cyber Workforce Framework (DCWF) and how important are such tasks to the organizational missions?
- How does DoD cybersecurity and IT manning compare with the private sector?
- What are potential barriers to efficiency and effectiveness among DoD cybersecurity and IT personnel?
Section 1652 of the fiscal year 2020 National Defense Authorization Act (NDAA) tasks the U.S. Department of Defense (DoD) to perform a zero-based review (ZBR) — a detailed review rather than a simple comparison with previous size or budget — of its cybersecurity and information technology (IT) workforces. DoD engaged the RAND National Defense Research Institute to produce a process for validating and ensuring the consistency of data and analysis used for its ZBR.
The authors organize the NDAA requirements into five themes: current workforce, current work performed, manning and capability gaps, potential barriers to efficiency and effectiveness, and potential future changes in work performed or requirements. Organizations across the four DoD services — the U.S. Air Force, Army, Marine Corps, and Navy — plus the Defense Information Systems Agency were selected to participate in the DoD cyber ZBR. Collectively, the participating organizations reported a total of almost 18,000 cybersecurity and IT personnel, 84 percent of whom are civilians and 16 percent of whom are military personnel.
The authors use quantitative and qualitative research methods to analyze multiple data sources, such as DoD workforce data, subject-matter expert interviews with organizational leadership, a work analysis data call, a comparison of DoD and private sector cyber workforces, and a sample of cybersecurity and IT position descriptions. They present key findings, aggregated across the participating organizations and arranged by theme. The ZBR process described in this report constitutes a transparent, repeatable process with which DoD can conduct ZBRs across the DoD cyber enterprise.
- Overall, organizations that participated in the DoD cyber ZBR reported a total of almost 18,000 cybersecurity and IT personnel, 84 percent of whom are civilians and 16 percent of whom are military personnel.
- The participating DoD organizations are still working to align their hiring practices (as expressed through position descriptions [PDs]) with the DCWF taxonomy of cybersecurity and IT positions: 16 percent of PDs were clearly and uniquely mapped to a unique DCWF work role, while about 20 percent of PDs mapped to multiple DCWF work roles and about 20 percent of PDs did not map to any DCWF work role.
- Most DoD cybersecurity and IT personnel in the participating organizations perform core DCWF tasks weekly or monthly, and they typically view these tasks as being very important to their individual job performance.
- The participating organizations have approximately 2.5 times the number of personnel allocated to basic IT functions, relative to such personnel in the private sector. And yet, the participating organizations still experience personnel gaps for these basic IT functions at much higher percentages than in the private sector. Moreover, private sector organizations appear to experience much higher rates of personnel gaps for cybersecurity work roles, relative to gaps in the participating DoD organizations.
- DoD cybersecurity and IT personnel cited military processes, access to technology, and budget as being the leading constraints to their efficiency and effectiveness.
Table of Contents
Methods and Data Sources
Findings Across All Selected Organizations
Subject-Matter Expert Interview Protocol
Work Analysis Data Call Protocol
Deskside Interview Protocol and Example Data Call Results
Additional Information on the DoD and Private Sector Cyber Workforce Comparison
Median Task Frequency and Importance for Specific Work Roles