The implementation of leading practices for improving the federal cyber security workforce varies from agency to agency and in some cases some of these practices aren’t being used at all, the Government Accountability Office (GAO) says in a new report.

Of the departments that GAO examined, “Five agencies have addressed several key principles in their workforce plans, but three agencies did not have any workforce plans that addressed cybersecurity needs,” says the report, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination (GAO-12-8). Moreover, the report says, “Agencies reported mixed results in filling cybersecurity positions, with specific challenges in filling highly technical positions and with hiring and security clearance processes, but are taking steps to address these challenges.”

GAO, the federal Office of Personnel Management and other organizations have shown that there are best practices for workforce planning that can be applied to the needs for cyber security personnel, the report says. These leading practices include linking workforce plans to a department’s strategic plan, identifying the type and number of staff to achieve mission goals, defining skills and competencies for key positions, having hiring strategies, utilizing compensation incentives, and having training programs that support an agency’s missions.

The agencies reviewed in the report are the Departments of Commerce, Defense, Homeland Security (DHS), Health and Human Services (HHS), Justice, Transportation, Treasury, and Veterans Affairs. GAO says DoD and Transportation have plans that define their cyber security workforce needs while DHS and Justice have workforce plans that address cyber security personnel but are not specific to cyber security.

Veterans has no cyber security workforce plans but does have a guide on implementing parts of workforce planning, GAO says. Three agencies, Commerce, HHS and Treasury, lack departmental workforce plans and workforce plans that address cyber security workforce needs, it says.

As for hiring cyber security personnel, GAO says that Commerce, HHS, DHS and Veterans have been able to fill their open positions for qualified personnel, although these agencies and others have difficulty finding personnel for certain specialized areas.

DoD has had trouble recruiting qualified personnel due to processing time for security clearances, difficulty finding qualified candidates, and in the case of the National Security Agency, concerns that the future pipeline of talent by not be able to meet its needs.