GAO: Cybercom and services not on same page tracking personnel

Gaps exist in how the military services and U.S. Cyber Command track personnel, potentially leading to staffing issues, according to a new Government Accountability Office report.

The report, commissioned by Congress as part of last year’s annual defense authorization bill, notes that the services use a different model for tracking personnel than Cybercom.

“While the military services track cyber personnel staffing levels by career fields, USCYBERCOM uses work role designations to assign personnel to cyber mission teams,” GAO said. “As a result, military service officials cannot determine if specific work roles are experiencing staffing gaps. Tracking staffing data at the work role level would enable the military services to identify and address staffing challenges in providing the right personnel to carry out key missions at USCYBERCOM. This information is also essential for increasing personnel assigned to USCYBERCOM as planned by the Department of Defense (DOD).”

The Navy is the only service that tracks personnel by work roles, meaning the Army, Air Force and Marine Corps “may not be equipped to identify staffing gaps and project staffing needs for critical work roles,” GAO found.

This is especially important as Cybercom is expected to gain 11 more teams in the next two years — the first such growth since the cyber mission force was built in 2012 — making the tracking and understanding of where personnel, work role and career field gaps exist critical.

Each of the services trains their cyber warriors to a joint standard set forth by Cybercom whereby each person at their respective school house receives notionally the same level of training regardless of if they’re going to an offensive, defensive or support team. They’ll typically get additional training and guidance once they get to their operational unit.

Despite these joint standards, the services still exercise their own service-unique flavor to how they organize and manage forces within their ranks, though once presented to Cybercom, they will typically work in a joint fashion.

Cybercom’s work roles have specific requirements and certifications needed to perform the function and can be filled by the services through a variety of career fields. For example, the Army’s 17C career field for enlisted cyber operators was used to fill eight different Cybercom work roles, which can mask staffing shortages for some roles.

GAO explained that Army officials described the approach to filling work roles as a “best athlete” model focusing on skills versus career field.

Given how relatively new Cybercom and its cyber mission force are, several of the cyber career fields and work roles are new, with Cybercom making several revisions over the last few years resulting in changes to guidance.

GAO did state that the services and Cybercom are working to better align work roles in fiscal 2023.

“USCYBERCOM officials stated that tracking personnel data by work role would provide them and the military services with greater visibility of current and projected staffing levels for work roles,” the report found. “[O]fficials with the office of the DOD Chief Information Officer stated that tracking data by work role allows for identifying gaps in the workforce. For example, officials provided a demonstration of the system they use to track civilian cyber positions by work role. In this system, some occupations appeared healthy when viewed at the occupation level, but when sorted by work role, gaps in specific work roles were identified.”

If DOD is able to address these issues, GAO said, it will be better postured to recruit and retain a knowledgeable and skilled force in the face of competition from the private and public sectors.

GAO recommended that the secretaries of the Army and Air Force take steps to integrate Cybercom’s work roles into their personnel systems to track cyber personnel data by work role. GAO made the same recommendation for the secretary of the Navy to ensure the Marine Corps does the same.

Return “ION” investment

The report also pointed out that some of the services have not ensured adequate return on investment for lengthy and costly training for a critical work role identified by Cybercom: Interactive On-Net Operator (ION).

The training for this work role — which is largely associated with offensive operations that break into adversaries’ systems for either effects or reconnaissance — is advanced, requires a significant time investment of between one to three years to complete and can cost between $220,000 to $500,000 per service member.

“[T]wo of the four military services are not positioned to ensure adequate return on their investment in lengthy and expensive cyber training,” GAO said. “Personnel who complete training to fill the ION work role—which may take a year or more and costs the department hundreds of thousands of dollars—may not remain in the military to use those skills for a significant length of time after training.”

Given that commitment of resources needed, the Navy and Air Force have worked to ensure a return on their investment instituting a three-year obligation for ION work roles.

The Army has some challenges associated with service obligations for IONs, which along with general ION training, dates back several years.

Advanced cyber courses, including ION training, are not listed in Army regulations, making it difficult to calculate or implement obligations.

“U.S. Army Cyber Command officials noted that at times this has resulted in an officer attending a year-long course costing hundreds of thousands of dollars —such as the training for ION certification—and then leaving the military soon after completing certification, leaving the Army without an adequate return on its investment,” GAO found.

The Army is working to revise its regulations to clearly define a service obligation of 36 months for completion of the training, though, when GAO reviewed a revised draft, it did include a designated service obligation for advanced cyber training to include ION training.

The Marine Corps, however, does not require any service obligation for IONs.

“Without developing guidance in a timely manner to clearly define service obligations for advanced cyber training—particularly ION training—the Marine Corps may continue to forego an adequate return on its investment in such training,” GAO said. “In addition, the Marine Corps may find itself understaffed in critical cyber skills as a result of investing in training for personnel who may take those skills elsewhere immediately after completing the training and certification.”

The Marines have requested to have a service obligation of 54 months from the start of ION training, though a Marine Corps Forces Cyberspace Command official told GAO they were unsure if this would be approved and implemented.

GAO recommended that the secretary of the Army ensure updates to relevant Army regulations to clearly define active duty obligations for ION training for both enlisted and officer personnel and the secretary of the Navy ensure the commandant of the Marine Corps develops guidance to establish active duty obligations for ION training.