It’s been five years since Congress began granting the Defense Department sweeping new authorities to compete in the race for cyber talent. But DoD is finally putting those tools to use in significant ways, onboarding thousands of new employees via direct-hire authorities and making a significant dent in how long the hiring process takes.
Defense officials say so far in fiscal 2021, 32% of their new hires for cyber positions were made via direct hiring authorities. Between 2019 and this year, those authorities, which let DoD components recruit new talent without going through the government’s traditional job advertisement and competitive hiring procedures, were used to onboard 4,200 new employees.
“We’re very appreciative of the direct hire authorities, because they enable us to get through the hurdles and the inefficiencies in Title 5 and really get to the talent and how we attract people without having to go through the overly burdensome hiring process,” Veronica Hinton, the acting deputy assistant secretary of Defense for civilian personnel policy told the Senate Armed Services Committee last week.
Insight by CyberArk: Learn how the CDC is using the least-privilege model to limit how much damage hackers can do in federal networks in this free webinar.
Congress granted DoD its latest batch of direct hiring authorities in the 2020 Defense authorization bill as part of a provision that consolidated several of the hiring workarounds that already existed in federal law. The 2020 NDAA also created a categorical exemption to traditional hiring rules that lets DoD engage in direct hiring for any cyber workforce position.
But that authority is set to terminate in 2025. It’s only meant to serve as a bridge until DoD fully establishes a new personnel system for its cyber workforce, called the Cyber Excepted Service.
Congress authorized CES in 2016, and DoD has been slow to implement it. But officials say 10 DoD organizations have now transitioned their cyber workforces to the new system; Army Cyber Command is set to become the 11th next year.
So far, 6,500 employees have voluntarily transitioned into the Cyber Excepted Service, which offers higher pay under some circumstances. The tradeoff, as in other specialty personnel systems in government, is a limitation on some of the civil service rules that govern most other federal jobs. CES, for example, extends a new employee’s probationary period for three years, and CES employees are easier to fire than most other civil servants.
“CES has given us incredible flexibilities that aren’t resident in traditional civil service authorities. In particular, we have found great use in the ability to target our recruitment opportunities to get the talent that we need,” Hinton said. “Another piece that has been beneficial has been the compensation authorities: we recently rolled out targeted local market supplements that enable us to compensate at a higher level for seven areas, which gives us the ability to compete with the industry. It also gives us some authorities to think about how we classify work, how we how we organize work, how we describe work, and how we look at the qualifications associated with the individuals that we need.”
But the excepted service still makes up a relatively small share of the department’s total cyber workforce. As of now, 65,000 civilian positions across the department are coded as “cyber” jobs. And those classifications themselves are due for an update.
A new DoD instruction, currently making its way through the latter stages of the department’s internal review process, would require every DoD position that involves cyber work to be coded with the work roles the department has defined under its Defense Cyber Workforce Framework. And a forthcoming manual will set department-wide qualification standards for those positions.
The new policies would also require DoD components to collect and report more data about vacancies and key cyber workforce positions. That data collection effort is meant to let the department do a better job of strategic planning, including determining the right mix of uniformed and civilian cyber personnel across its total force, said John Sherman, the acting DoD chief information officer.
As of now, those elements of the workforce are about equally proportioned: 67,000 military members are coded as members of the cyber workforce, just 2,000 more than exist on the civilian side.
“My personal view that’s about the right mix — about half and half,” he said. “We have certain skill sets that are very applicable to the [private sector] workforce. Cyber operators, network assessors, for example, are jobs that could get very quickly picked up by the private sector. And using this framework, if those vacancies get above a certain threshold, we can start amping up the hiring and using the Cyber Excepted Service to start doing things like targeted local market supplements for living in the National Capital Region, for example.”
Lt. Gen. Dennis Crall, the top IT official for the military’s Joint Staff, said he agrees the 50-50 mix of military and civilian personnel serves DoD well.
On one hand, uniformed servicemembers tend to stick around for longer periods, and also understand essential, military-unique requirements like how to bring their expertise to combatant commands and other Defense organizations. On the flip side, civilian employees — especially newly-hired ones — are more likely to help inculcate the latest expertise from industry and academia into the government.
But Crall cautioned there are aspects of both flavors of government service that aren’t well-suited to the types of candidates the department needs to recruit, based on some of his conversations with those prospective hires and private sector IT leaders.
“The number one area that came back to me was that people want to live where they want to live. The idea of moving to someplace they don’t want to live, no matter what other feature is offered, is quite unattractive. And if you look at some of the hubs that we have to offer, that’s going to be a challenge for us,” Crall said. “There are some interesting solutions we might need to explore about creating spaces where that work can be done literally anywhere, as long as the security environment is set for that. The other one was in team composition. The hierarchy of the government isn’t something that’s really motivating to them at all. They want a flat organization where everyone has equal input into driving an outcome. They like working from noon until 3 a.m. — those are their prime working hours. Our organizations typically don’t work like that.”