Federal efforts to develop a well-trained cyber workforce are ramping up, due in large part to the edicts of President Donald Trump’s cybersecurity executive order.
Trump signed the much anticipated and long-awaited executive order on May 11, refocusing the federal cybersecurity efforts around three broad categories:
Protecting federal networks.
Protecting critical infrastructure.
Securing the nation through deterrence, international cooperation and the workforce.
But Rodney Peterson, director of the National Institute of Science and Technology’s National Initiative on Cybersecurity Education, said the wording of the EO belies the importance of development of the workforce.
“It’s not last, it’s first and most important, because it’s the foundation to make all those other things happen,” he said, as part of Training Cyber Workforce month. “We need that knowledgeable and skilled cybersecurity workforce in order that we can protect those networks and critical infrastructure. So it’s really seen as the key enabler, a foundation for the rest of the executive order.”
“I think we’re clearly building momentum to promote and energize a robust and integrated ecosystem of cybersecurity education, training and workforce development,” Peterson told the Federal Drive with Tom Temin. “I think it’s that momentum that both allows us to create a community across both the public and private sector, as well as our foundational resource, which is the NICE Cybersecurity Workforce Framework, which was published for the first time as a draft, NIST Special Publication 800-181 last November, and after a comment period, we’re expecting a final version to be released this summer. And that NICE workforce framework really provides a common way to think about cybersecurity work, a taxonomy, a reference tool that can really help align our diverse and complex community together toward a common vision.”
He said one of the important effects of the EO has been to elevate the development of a cyber workforce to a national security concern among agencies.
That’s why the Homeland Security Department has created an Information Security Training working group to develop agencywide cybersecurity training programs and standards.
Hemant Baidwan, the leader of the working group, said that the group was created to unify efforts across the department and provide a collaborative training program. Currently, it has launched two training programs revolving around cybersecurity awareness and social engineering, two subjects he said apply to everyone.
“Our policy states that upon arrival, every DHS employee must take the training within 24 hours of onboarding,” Baidwan told the Federal Drive with Tom Temin. “Also, each DHS employee, no matter if it’s a contractor or federal staff, is required to take general cybersecurity awareness training every year. And then we also have other mandatory role-based training.”
Eventually, Baidwan said he wants to move toward a system where DHS puts out a basic training module and the individual components add to it based on their needs.
But this push to improve the cybersecurity workforce isn’t unique to the public sector; federal contractors have both work to do and roles to play in this movement.
As cybersecurity requirements upon the federal workforce increase, so too are requirements for contractors increasing. This is particularly true for those that require clearances. And it’s becoming increasingly clear to those who pay attention to the world of private sector mergers and acquisitions.
“I would say that cybersecurity and insider threats are becoming more and more significant in M&A,” Addie Cliffe, partner at the law firm Crowell & Moring, told the Federal Drive with Tom Temin. “I would say there’s two different buckets we think about when we’re talking about M&A and cybersecurity: first, there’s government contracts and regulatory requirements that apply when the target is in the government contract space. … The second is cybersecurity as a consideration just in run-of-the-mill commercial acquisitions.”
All this to say that a robust cyber workforce is increasingly a key factor in driving the value of a contractor’s company.
“Buyers are focusing a lot more on compliance with the DFAR safeguarding rule, FEDRAMP certification, those types of requirements,” Cliffe said.
But driving company value isn’t the only incentive for contractors to develop their workforce. There’s also openings for contractors to take on the role as a provider of cybersecurity education, training and tools.
“This could be a growth area both as they implement these programs for federal agencies, who also have to worry about insider threat and threat mitigation, but also for defense companies that have to be implementing this,” Evan Wolff, another Crowell & Moring partner, told the Federal Drive with Tom Temin. “Not everyone is going to be able to build their own governance structure, so they’re going to turn to other government contractors and other consultants to help build this.”