Navy updates IT workforce rules, making commanders more accountable for cyber defense

The Defense Department has been publicly pushing the military services to make cybersecurity a job for their entire rank-and-file information technology workforces, not just employees with “cyber” in their duty titles. The Navy Department just took a few big steps in that direction, including by making clear that military members and civilians can be reassigned or dismissed from government service altogether if they don’t stay current on their cyber defense training.

An instruction signed by Navy secretary Ray Mabus on Feb. 10 and posted publicly last week makes several updates to how the Navy and Marine Corps manage their IT workforces, including by getting local commanders more involved in monitoring the qualifications of their own people.

Commanders at all levels will have to delineate precisely which positions under their charge meet the Navy’s new definition of the “cyberspace information technology workforce.” The definition is extremely broad: “Personnel who design, build, configure, operate, and maintain information technology, networks, and capabilities.”

Advertisement

From there, the order requires those commanders to assign a military or government civilian program manager as the single person in charge of the cyber workforce, preferably as that person’s full-time job. The program manager will be in charge of ensuring the entire local IT staff is trained and qualified in line with current Navy and DoD standards, either through military-provided training or through commercial certifications.

The precise levels of cyber training each member of the IT workforce will need to attain will be defined via a “qualification matrix,” which the Navy Department says will be based on a cybersecurity workforce framework set up by the DoN’s chief information officer and broken down by the specific roles each worker needs to perform.

Each member of the workforce will also have to show they’ve undergone continuing education, and the Navy and Marine Corps will track whether they’ve done so in their respective personnel databases as one measure of each service’s overall military readiness.

Military and civilian IT personnel who don’t meet the department’s updated training standards will only be able to stay in their current jobs if they’re under the constant watch of a coworker or supervisor whose certifications are up-to-date and qualified for the same position.

“The continuing failure of a civilian employee to meet required qualifications may be grounds for reassignment or separation under adverse action procedures,” Mabus wrote in the instruction.