It’s a case of “haves and have-nots.” Here’s an informal run down of agencies with special cyber pay authorities, including DoD, DHS, and the VA.
Federal agencies, along with many other organizations across the world, have all been grappling with a shortage of qualified cyber talent.
But not all agencies are alike when it comes to the tools they have available to recruit cybersecurity staff.
In recent years, a handful of agencies have gained authorities that allow them to offer special salary increases to in-demand cyber talent. Meanwhile, most agencies lack those authorities, while a White House legislative proposal to bridge the cyber pay gap has gone nowhere.
The result is a fragmented cyber pay landscape across the federal government, where many agencies still struggle to fill critical cyber roles.
“We’re at this inflection point between the haves and have-nots,” Ron Sanders, a former federal executive who served as chairman of the Federal Salary Council, said in an interview. “The agencies with their own authority are able to better compete in the market, whether it’s for entry-level talent or mid-career talent. The fact is, they can pay more.”
The special authorities help agencies like the Defense Department and the Department of Homeland Security better compete with the private sector for in-demand cyber chops. The disparity is something the Justice Department — which does not have special cyber pay — noted in its “Comprehensive Cyber Review” two years ago.
“The risk of personnel attrition is heightened by the fact that other departments within the U.S. government have recently begun to offer more competitive salaries to cyber experts,” the review states. “In many cases, hiring offices within the department do not appear to be aware of similar authorities. … Those pay scales highlight that the department’s ability to compensate its cyber-specialized workforce lags behind not only the private sector, but also the public sector.”
Federal News Network has compiled an informal review of agencies with special cyber pay authorities.
The Defense Department established the Cyber Excepted Service system in 2016 with congressional authorization. The special pay and personnel system allows DoD to target specific cyber and IT positions with more competitive salary rates.
Last year, DoD sent Congress a legislative proposal to expand the system to as many as 75,000 employees.
CES allows DoD to offer “targeted local market supplements” that are intended to compete with the pay rates for IT professionals in different areas.
DoD’s latest pay tables show that a recent college graduate just starting out in the CES in the Washington, D.C. area as a GG-07 Step 1 would make $82,673 a year.
Meanwhile, an employee at the same level working at another agency in the DC area would make $55,924 a year under the traditional federal compensation system with locality pay included.
In the DC area, the CES pay scale tops out at $191,900 for GS-13s and above.
Like the CES, DoD’s intelligence agencies can also use targeted local market supplements to pay higher salaries for employees in cyber and other technical positions. The Pentagon last year approved the supplement for positions across the defense civilian intelligence personnel system (DCIPS).
The system includes civilians working at agencies like the NSA, the National Geospatial Intelligence Agency, the Defense Intelligence Agency, and the intelligence branches of the military services, among other components.
According to the latest pay tables, an NSA employee in the D.C. area working in one of the qualifying cyber roles would make $79,735 as a GG-07 Step 1. The maximum adjusted pay for the DCIPS targeted local market supplement is $191,900.
DHS established the Cyber Talent Management System in late 2021. While it had some initial growing pains, DHS is starting to expand the system, including for artificial intelligence-related positions.
CTMS is exempt from many of the federal government’s traditional competitive hiring and compensation practices. So far, it’s been used by the DHS Office of the Chief information Officer, the Cybersecurity and Infrastructure Security Agency, and the Federal Emergency Management Agency.
A flyer for the CTMS shows the entry-level salary range is between $66,200 and $86,000, depending on the local labor market supplement. Meanwhile, a seasoned executive in the CTMS can make as much as $234,000 per year.
In 2023, the Department of Veterans Affairs implemented a historic 17% average pay raise for its IT and cybersecurity workforce. The VA led a coalition of agencies in getting the Office of Personnel Management to approve the new Special Salary Rate for IT and cyber positions.
But the VA has been the only agency to implement the SSR. Other agencies said they don’t have the budget to adopt the special pay rate.
The last published pay scales for 2024 shows under the VA’s special rate, an IT or cyber employee can make a $70,503 annual salary as a GS-7 Step 1 employee in the D.C. area. The highest salary under the VA’s SSR tops out at $191,900 in the local market.
Sanders said agencies that don’t have special pay authorities will struggle to recruit and retain top cyber talent. Instead, they likely rely more on contractors.
“Those agencies that don’t have the authority, whether they’re small, medium or large, are just not as competitive as they need to be for federal jobs,” Sanders said. “Do they have to use contractors in many cases? Yes. Do they pay top dollar indirectly for those contractors? Yes. And frankly, they should be paying for civil servants. This, to me, is about as close to an inherently governmental responsibility as you can get.”
OPM officials in recent years have acknowledged the growing patchwork of cyber pay authorities. Late last year, OPM worked with other offices to advance “civil service modernization legislation for cyber workforce positions.”
The proposal would allow OPM to create an alternative cyber workforce classification and pay systems. IT would give OPM wide latitude to establish higher pay rates and new skills-based qualification assessments for cyber workers.
But nearly a year after OPM submitted the legislative package, no lawmaker has picked it up. A new administration will likely have to re-assess the issue after January.
Sanders argues that OPM shouldn’t try to establish a new, “one-size-fits-all system” for cyber personnel across the federal government. Instead, he said OPM should create a common framework that would also allow agencies to pursue different pay strategies for their cyber personnel.
“You need to give agencies the flexibility to accommodate their own different missions, because the missions are all over the map,” Sanders said. “But there needs to be some commonality, some set of merit principles and merit procedures that ensure that even though agencies may have different pay systems and they pay different at different levels for cybersecurity professionals, there is some consistency in how they do it.”
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Follow @jdoubledayWFED