Section 1652 of the fiscal year 2020 National Defense Authorization Act tasks the U.S. Department of Defense (DoD) to perform a zero-based review (ZBR) — a detailed review rather than a simple comparison with previous size or budget — of its cybersecurity and information technology workforces. The ZBR process described in this report constitutes a transparent, repeatable process with which DoD can conduct ZBRs across the DoD cyber enterprise.

Support to the DoD Cyber Workforce Zero-Based Review

Developing a Repeatable Process for Conducting ZBRs Within DoD

Molly F. McIntosh, Sasha Romanosky, Thomas Deen, Samantha E. DiNicola, Christopher Ferris, Jonathan Fujiwara, Priya Gandhi, Henry Hargrove, Kirsten M. Keller, Maria C. Lytell, et al.

ResearchPublished Sep 19, 2022

Section 1652 of the fiscal year 2020 National Defense Authorization Act (NDAA) tasks the U.S. Department of Defense (DoD) to perform a zero-based review (ZBR) — a detailed review rather than a simple comparison with previous size or budget — of its cybersecurity and information technology (IT) workforces. DoD engaged the RAND National Defense Research Institute to produce a process for validating and ensuring the consistency of data and analysis used for its ZBR.

The authors organize the NDAA requirements into five themes: current workforce, current work performed, manning and capability gaps, potential barriers to efficiency and effectiveness, and potential future changes in work performed or requirements. Organizations across the four DoD services — the U.S. Air Force, Army, Marine Corps, and Navy — plus the Defense Information Systems Agency were selected to participate in the DoD cyber ZBR. Collectively, the participating organizations reported a total of almost 18,000 cybersecurity and IT personnel, 84 percent of whom are civilians and 16 percent of whom are military personnel.

The authors use quantitative and qualitative research methods to analyze multiple data sources, such as DoD workforce data, subject-matter expert interviews with organizational leadership, a work analysis data call, a comparison of DoD and private sector cyber workforces, and a sample of cybersecurity and IT position descriptions. They present key findings, aggregated across the participating organizations and arranged by theme. The ZBR process described in this report constitutes a transparent, repeatable process with which DoD can conduct ZBRs across the DoD cyber enterprise.

Key Findings

  • Overall, organizations that participated in the DoD cyber ZBR reported a total of almost 18,000 cybersecurity and IT personnel, 84 percent of whom are civilians and 16 percent of whom are military personnel.
  • The participating DoD organizations are still working to align their hiring practices (as expressed through position descriptions [PDs]) with the DoD Cyber Workforce Framework (DCWF) taxonomy of cybersecurity and IT positions: 16 percent of PDs were clearly and uniquely mapped to a unique DCWF work role, while about 20 percent of PDs mapped to multiple DCWF work roles and about 20 percent of PDs did not map to any DCWF work role.
  • Most DoD cybersecurity and IT personnel in the participating organizations perform core DCWF tasks weekly or monthly, and they typically view these tasks as being very important to their individual job performance.
  • The participating organizations have approximately 2.5 times the number of personnel allocated to basic IT functions, relative to such personnel in the private sector. And yet, the participating organizations still experience personnel gaps for these basic IT functions at much higher percentages than in the private sector. Moreover, private sector organizations appear to experience much higher rates of personnel gaps for cybersecurity work roles, relative to gaps in the participating DoD organizations.
  • DoD cybersecurity and IT personnel cited military processes, access to technology, and budget as being the leading constraints to their efficiency and effectiveness.

Order a Print Copy

Format
Paperback
Page count
116 pages
List Price
$28.00
Buy link
Add to Cart

Topics

Document Details

  • Copyright: RAND Corporation
  • Availability: Available
  • Year: 2022
  • Print Format: Paperback
  • Paperback Pages: 116
  • Paperback Price: $28.00
  • Paperback ISBN/EAN: 978-1-9774-0951-5
  • DOI: https://doi.org/10.7249/RRA660-6
  • Document Number: RR-A660-6

Citation

RAND Style Manual

McIntosh, Molly F., Sasha Romanosky, Thomas Deen, Samantha E. DiNicola, Christopher Ferris, Jonathan Fujiwara, Priya Gandhi, Henry Hargrove, Kirsten M. Keller, Maria C. Lytell, Mace Moesner IV, Isabelle Nazha, Zhan Okuda-Lim, Nina Ryan, Karen Schwindt, and Amanda Wicker, Support to the DoD Cyber Workforce Zero-Based Review: Developing a Repeatable Process for Conducting ZBRs Within DoD, RAND Corporation, RR-A660-6, 2022. As of April 8, 2025: https://www.rand.org/pubs/research_reports/RRA660-6.html

Chicago Manual of Style

McIntosh, Molly F., Sasha Romanosky, Thomas Deen, Samantha E. DiNicola, Christopher Ferris, Jonathan Fujiwara, Priya Gandhi, Henry Hargrove, Kirsten M. Keller, Maria C. Lytell, Mace Moesner IV, Isabelle Nazha, Zhan Okuda-Lim, Nina Ryan, Karen Schwindt, and Amanda Wicker, Support to the DoD Cyber Workforce Zero-Based Review: Developing a Repeatable Process for Conducting ZBRs Within DoD. Santa Monica, CA: RAND Corporation, 2022. https://www.rand.org/pubs/research_reports/RRA660-6.html. Also available in print form.
BibTeX RIS

Research conducted by

This research was sponsored by the Principal Advisor for Cybersecurity, Strategy, Planning, and Oversight in the Office of the DoD Chief Information Officer (DoD CIO), and conducted within the Forces and Resources Policy Center of the RAND National Security Research Division (NSRD).

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.