The Cybersecurity and Infrastructure Security Agency has hired approximately 80 people through the Department of Homeland Security’s new personnel system for cyber personnel, while a new DHS subcomponent is now looking to also take advantage of the system.
CISA Director Jen Easterly provided the updated numbers during a House Homeland Security cybersecurity and infrastructure protection subcommittee hearing.
“We’re at about 80 people with the cyber talent management system, and some really extraordinary talent at this point in time,” Easterly said.
DHS officially launched CTMS in late 2021, initially opening up the program for new hires to work at CISA and the department’s chief information officer shop. The system is exempt from many of the federal government’s traditional competitive hiring, classification and compensation practices. Hires under the system, for instance, can make a salary as high as the vice president’s in some cases.
“Actually implementing [CTMS] has been something that’s been a real project that we continuously have to look at how it’s working, and ensure it truly streamlines our ability to bring on more talent,” Easterly said.
But CISA is on pace to hire even greater numbers in 2023, Easterly said, and the new talent system may play a key role in the process. For instance, Easterly said CISA is setting up a “counter-[People’s Republic of China] effort” that will be led by an unnamed individual brought to the agency through CTMS.
“We are hoping to use CTMS more aggressively this year,” she said.
FEMA to start using CTMS
Meanwhile, the Federal Emergency Management Agency was recently granted authority to start using CTMS, according to Charles Armstrong, FEMA’s chief information officer. That means FEMA can start tapping into what DHS calls its “cybersecurity service.”
Armstrong, however, noted that CTMS features a “rigorous process” for hiring.
“It’s not quite as easy as just hiring a regular employee,” Armstrong said during an April 21 breakfast hosted by AFCEA Bethesada. “There’s a lot of deep dive into what their skill sets are, and lots of interviews. So it’s much more rigorous, but the idea is that you get a higher talent or quality of employee. So we’re working through that.”
FEMA is also considering how else it can offer higher salaries to retain its existing cyber workforce, Armstrong said.
“We’re looking at different ways to incentivize people to come in and stay with us long term,” he said.
CTMS rollout ‘painfully slow’
Congress granted DHS the authority to set up an excepted service for cyber personnel in 2014. It took DHS seven years to establish the process, with officials taking a deliberative approach to designing a completely revamped way of hiring cyber talent outside of the legacy Title 5 pay and benefits system.
But the system’s slow roll out comes at a time when there’s major urgency behind expanding the national cyber workforce, and in particular, increasing the number of staff at CISA.
“While CISA has made some progress toward improving its talent acquisition process, including the launch of the Cyber Talent Management System, CISA must move with far greater speed and urgency to meet the nation’s cybersecurity crisis,” the committee’s workforce subcommittee noted in a report last year.
And earlier this year, the DHS inspector general reported, “CISA did not have enough staff to execute its mission,” with 38% of the agency’s cybersecurity division’s positions unfilled as of last August.
During a hearing before the full House Homeland Security Committee last week, Rep. Andrew Garbarino (R-N.Y.) referenced the “painfully slow” rollout of CTMS, and noted Congress rescinded approximately $53 million in previously appropriated funds because of how slow hiring is at CISA.
Garbarino asked Homeland Security Secretary Alejandro Mayorkas why DHS is more than a year late in delivering a congressionally required report on a force structure assessment for CISA.
Mayorkas acknowledged, “we do have vacancies,” and he pledged to look into the late force structure assessment.
Despite the challenges, Easterly noted CISA has grown quickly in just the five years since it was established as a standalone agency. And while CISA is requesting relatively few additional positions in its fiscal 2024 budget, she said the agency is focused on filling its existing authorized positions.
“And then we’ll focus on retention,” Easterly said during the hearing this week. “But to be frank, I am okay if somebody comes work to work at CISA for three to five years and then goes off to a hospital or a power company or a bank to help them with their critical infrastructure security. Because at the end of the day, this is really about collective cyber defense and we need to work together, hand in hand.”