The Office of Personnel Management has finalized long-awaited “interpretive” guidance designed to help agencies more easily identify, classify and then recruit and retain qualified cybersecurity professionals.
The guidance should also help agencies clarify roles and responsibilities for cybersecurity professionals, OPM said in a memo to HR directors dated Oct. 15.
Most cybersecurity positions will fall within the job family standard for administrative work in the information technology group, 2200, OPM said.
Specifically, OPM has prescribed the basic title of “IT cybersecurity specialist” to the “IT 2210 management series” when titling positions that include cyber work.
Agencies can include a cybersecurity designation as a parenthetical title for other occupations that perform this work the majority of the time, which may help organizations meet recruiting or other mission goals, OPM added.
The guidance builds off of at least 19 different laws, directives, executive orders, national strategies and NIST frameworks since 2004, OPM said.
OPM has been working with other agencies, as well as the Chief Information Officers Council and Chief Human Capital Officers Council and other stakeholders to get a better understanding of the governmentwide cybersecurity workforce.
It’s been a challenge, and it’s one of the reasons why the Homeland Security Department had struggled to identify all cybersecurity positions within the agency and assign them a code on the National Initiative for Cybersecurity Education’s (NICE) National Cybersecurity Workforce Framework.
As the definition of a “cybersecurity job” continued to shift and expand, DHS identified more cyber positions that required a code on the NICE framework.
OPM’s new guidance recognizes just how challenging this task has been.
“The cybersecurity workforce is occupationally cross-cutting, multi-faceted and encompasses a variety of contexts, roles and occupations,” the guidance reads. “It requires a cadre of different backgrounds and experience to perform the cybersecurity work required by agencies.”
This guidance will also help agencies act on the direct-hire authorities OPM recently granted for cybersecurity positions, as well as science, technology, engineering and math (STEM) jobs.
Who’s qualified for a cybersecurity job?
Agencies must continue to follow traditional procedures to qualify and rank potential cybersecurity candidates, unless direct-hire authority says otherwise.
OPM will still largely leave it up to individual agencies to decide whether they should add additional knowledge, skills and abilities (KSA) requirements or competencies to their qualification standards for cybersecurity positions.
The guidance doesn’t establish specific certification requirements for the cybersecurity workforce.
“However, agencies may specify a particular type of certification (or equivalency) in establishing selective criteria or in defining quality ranking factors,” OPM wrote. “Subject matter experts must determine that the certification is necessary for satisfactory job performance [and] the certification is related to the duties/tasks and requires KSAs/competencies of the job. The certification may then be used as evidence validated by a job analysis that a person has the KSAs/competencies needed to perform cybersecurity work at a satisfactory level.”
OPM also described a series of general and technical competencies that ideal candidates to federal cybersecurity positions should have.
Customer service, creative and strategic thinking are among key general competencies for cybersecurity professionals.
Knowledge of data management systems, computer forensics, logical systems design and surveillance and counter-intelligence techniques are among the technical skills OPM suggested agencies look for in their candidate pool.