CISA director sees progress on hiring at growing agency

The Cybersecurity and Infrastructure Security Agency hired hundreds of people last year and it plans to hire even more in 2023, as it works to stem attrition and burnout amid its mounting cybersecurity responsibilities.

CISA hired 516 people in fiscal 2022, and it’s on track to hire 600 people in 2023. Director Jen Easterly hold the House Appropriations Committee’s homeland security subcommittee Tuesday.

The Department of Homeland Security’s budget overview shows CISA now has about 3,300 full-time equivalent staff. CISA’s cybersecurity division alone is at about 1,155 staff, while its other divisions, like infrastructure security, also have positions responsible for cybersecurity work.

Easterly told lawmakers the agency is taking advantage of the Department of Homeland Security’s new Cybersecurity Talent Management System and other authorities. The CTMS is exempt from many of the government’s traditional competitive hiring, classification and compensation practices for cyber positions.

“We are maximizing everything we can do to be more agile, to be more effective and to drive down those vacancies in our workforce and to keep attrition low,” Easterly said.

Some lawmakers have expressed concerns CISA’s budget and authorities are outstripping its ability to grow its staff and technical capacity. Republicans have also pressed DHS to submit a congressionally mandated workforce plan for CISA.

Andrew Garbarino (R-N.Y.), the chairman of the cybersecurity and infrastructure protection subcommittee, pointed out that CISA’s budget has doubled since fiscal 2019, while it’s also taking on increased responsibility for the cybersecurity of federal networks, while also increasing engagement and collaboration with the private sector on cyber issues.

The Biden administration is requesting $3.1 billion for the agency in 2024.

“We need to take a step back and allow CISA to get a handle on their new responsibilities and ask pointed but productive questions about its efforts,” Garbarino said during a hearing last Thursday. “Like CISA is a partner to industry to help them improve their cyber posture, Congress should be a partner to CISA to help the agency mature and reach its full potential.”

OIG report finds CISA workforce issues

A recent DHS Office of the Inspector General report found CISA has struggled with burnout and attrition in recent years.

CISA “did not have enough staff to execute its mission,” the report states. As of last August, 1,201 of the 3,620 full-time positions CISA was authorized were unfilled, according to the report. And the vacancy rate within CISA’s cybersecurity division was even higher, at 38% as of last August.

CISA management told the OIG that recruiting personnel with sufficient experience and training is difficult due to the lower pay in government compared to the private sector, as well as the difficulty of obtaining a security clearance.

Hiring staff is also difficult due to the six-to-12 months it typically takes to bring newly cleared personnel onboard, management told the auditors.

CISA has also struggled to fill out hiring managers and other support staff positions, meaning “those in charge of hiring are also shortstaffed,” the report found.

“After employees do get hired, they work extra hours, burn out quickly, and often leave, which starts the hiring cycle over again,” the report states.

CISA told the OIG that the agency’s Office of Strategy, Policy, and Plans has been leading “a CISA-wide effort to conduct high-level force structure and capabilities assessments to better understand its gaps and support Congressional requirements.”

A report on those assessments will be done by the end of 2023, CISA added.

CISA focused on workforce issues in 2023

During Tuesday’s appropriations hearing, Easterly told lawmakers that CISA is making progress on filling open positions. She said CISA’s vacancy rate would be down to 8% by the end of fiscal 2024.

Easterly has also asked external advisors to help with ideas for addressing burnout and other workforce issues at the agency.

During a March 21 Cybersecurity Advisory Committee meeting, Easterly suggested she would lean on the “transforming the cyber workforce” subcommittee to consider the “effectiveness of this hybrid and remote workforce; how to build a vibrant, people-first culture, but also how do we continue to address burnout and workload and wellbeing issues.”

CISA has already responded to a previous recommendation from the advisory committee to hire a “Chief People Officer,” bringing in former NASA official Elizabeth Kolmstetter to serve in that position.

“We are focusing very internally this year . . . to ensure that we are able to sustain a people-first culture at CISA,” Easterly said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.