A new GAO report identifies a critical cybersecurity skills gap across 133 federal agencies, with 68 percent lacking sufficient qualified personnel to implement mandated security controls.
The Government Accountability Office released a sobering assessment on May 3, 2026, identifying a critical cybersecurity workforce shortage affecting 133 of the 156 federal agencies surveyed. The report found that 68 percent of agencies lack the qualified personnel necessary to fully implement FISMA-mandated security controls.
The GAO defined critical shortage as fewer than one qualified cybersecurity professional per 50 IT users, a threshold that 91 agencies failed to meet. Small and medium-sized agencies were disproportionately affected, with several operating with zero dedicated cybersecurity staff despite maintaining sensitive IT systems.
The report attributes the gap to several compounding factors: a 23 percent increase in required security controls since NIST SP 800-53 Rev. 5 adoption, annual attrition rates of 18 percent for federal cybersecurity positions, and salary constraints that make federal positions 31 percent less competitive than private sector equivalents.
GAO recommended that OPM and OMB establish a federal cybersecurity upskilling fund, expand use of the NICE Workforce Framework for position classification, and mandate role-mapped training for all IT staff within 18 months.
The report specifically endorsed scenario-based online training as a cost-effective workforce development strategy, noting that agencies using structured certificate programs reported 34 percent better outcomes on FISMA assessments than those relying solely on vendor training.
GovAcademy's cybersecurity catalog — covering 18 courses from foundational awareness through advanced SOC operations — directly addresses the skills categories identified in the GAO report. The academy's role-mapped learning paths align to all NICE Framework work roles cited in the GAO's recommendations.
Several agency training directors contacted GovAcademy following the report's publication seeking cohort licensing proposals. The academy is currently processing requests from twelve agencies for enterprise seat agreements covering 50 to 500 employees.