Support to the Dod Cyber Workforce Zero-Based Review

Section 1652 of the fiscal year 2020 National Defense Authorization Act (NDAA) tasks the U.S. Department of Defense (DoD) to perform a zero-based review (ZBR)-a detailed review rather than a simple comparison with previous size or budget-of its cybersecurity and information technology (IT) workforces. DoD engaged the RAND National Defense Research Institute to produce a process for validating and ensuring the consistency of data and analysis used for its ZBR. The authors organize the NDAA requirements into five themes: current workforce, current work performed, manning and capability gaps, potential barriers to efficiency and effectiveness, and potential future changes in work performed or requirements. Organizations across the four DoD services-the U.S. Air Force, Army, Marine Corps, and Navy-plus the Defense Information Systems Agency were selected to participate in the DoD cyber ZBR. Collectively, the participating organizations reported a total of almost 18,000 cybersecurity and IT personnel, 84 percent of whom are civilians and 16 percent of whom are military personnel. The authors use quantitative and qualitative research methods to analyze multiple data sources, such as DoD workforce data, subject-matter expert interviews with organizational leadership, a work analysis data call, a comparison of DoD and private sector cyber workforces, and a sample of cybersecurity and IT position descriptions. They present key findings, aggregated across the participating organizations and arranged by theme. The ZBR process described in this report constitutes a transparent, repeatable process with which DoD can conduct ZBRs across the DoD cyber enterprise.