The GAO made six recommendations to the Department of Homeland Security (DHS) to routinely review and update guidance, fully incorporate key training practices, and identify workforce cybersecurity needs:
DHS should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals.
DHS should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals.
DHS should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings.
DHS should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.
DHS should develop a workforce plan that addresses the program’s cybersecurity-related needs, which should include an analysis of any gaps in the program’s capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.
DHS should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program’s inspection database system to better track facilities’ cyber integration levels.