Agencies have new guidelines for keeping track of their cybersecurity workforce, according to a provision in the 2016 omnibus spending package Congress passed Dec. 18.
The Federal Cybersecurity Workforce Assessment Act of 2015, one of several cybersecurity measures bundled in the new budget, requires each agency to identify all positions that carry out some kind of cyber function.
Agency leaders will assign each position an employment code under a new National Initiative for Cybersecurity Education that the provision creates. The bill also includes a timeline to implement this project.
First, the National Institute of Standards and Technology and Office of Personnel Management directors will develop the job-coding structure by roughly June.
Throughout the next nine months, the OPM and NIST directors, along with the Homeland Security Department secretary, will set up the implementation procedures agencies will use to identify cyber, cyber-related and IT-related civilian positions. A plan for non-civilian positions is scheduled for sometime within the next 18 months.
Once implementation plans are set, agencies will be required to report the following to Congress:
- The percentage of personnel with IT, cyber or cyber-related job functions who hold “industry-recognized certifications as identified under the National Initiative for Cybersecurity Education.”
- Whether other civilian and noncivilian cyber personnel, who do not hold industry credentials, are prepared to take certification exams.
- A strategy for filling any skills or certification gaps among their employees.
Agency leaders will assign a job code to cyber positions within a year.
They will also work with the OPM and NIST directors, and the DHS secretary, to identify roles that are “of critical need in the agency’s workforce.” The OPM director will give agencies guidance for filling those positions.
Within the next three years, the Government Accountability Office is required to update Congress on agencies’ progress and continuously monitor how well they’re implementing the initiatives.
The creation of the National Initiative for Cybersecurity Education comes as more agencies have gotten special authorizations to hire cyber professionals. In November, OPM gave DHS the green light to fill 1,000 cyber positions.
Filling critical talent gaps is also one of the main tenets of the Office of Management and Budget’s cybersecurity strategy and implementation plan, which OMB also released in November.
Multiple data breaches at OPM this year are also driving more congressionally mandated reports.
The President will also report on the impacts OPM data breaches had on all facets of the intelligence community and IC operations abroad. The report should describe which agencies are using best cybersecurity practices, what agencies have done to fix cyber vulnerabilities post-breach and what best practices OPM failed to deploy.
That report is due to both congressional intelligence committees within the next four months.
In the meantime, the Director of National Intelligence is expected to report to Congress on possible options for responding to future cyber attacks.
Agencies posted significant progress in fixing cyber vulnerabilities in response to the Office of Management and Budget’s 30-day cybersecurity sprint.