Employees hired under the Department of Homeland Security’s new cybersecurity service will see different career paths, benefits and salaries compared to their colleagues on the traditional General Schedule.
The department on Thursday offered up some long-awaited details on its cyber talent management system (CTMS), which it said is designed to address “historical and ongoing challenges” recruiting and retaining individuals with hotly-desired cybersecurity skills.
DHS has experienced a “spike” in attrition and longstanding cybersecurity vacancies as the number of breaches and the scope of the threat has grown in recent years, the department said. And it’s in a fierce competition for talent.
The country has some 500,000 unfilled cybersecurity positions, the Biden administration said earlier this week ahead of a White House summit with tech, finance and insurance executives.
DHS published interim final regulations describing the new cyber talent management system Thursday, and they go into effect Nov. 15. Members of the public will have an opportunity to comment on the new system, however, through the end of the calendar year.
The cyber talent management system has been in the works for years. Congress gave DHS the authority to design its own talent management system — one that’s exempt from many of the government’s traditional competitive hiring, classification and compensation practices — for cybersecurity positions in 2014.
The Defense Department got a similar authority back in 2015 and is using it to hire thousands of new cyber specialists. The Pentagon in April said it’s used direct-hire authorities to onboard 4,200 new hires between 2019 and this year as part of the cyber excepted service.
With the new cyber talent management system, DHS will create a new kind of job in the excepted service known as a “qualified position.” Individuals appointed to these positions will serve in DHS’ Cybersecurity Service, the department said.
New cybersecurity service hires will work for the Cybersecurity and Infrastructure Security Agency or the DHS chief information officer to start, with the possibility to expand to other departmental subcomponents later.
DHS will only hire new employees into the cybersecurity service, the department said. It won’t convert current DHS employees into the new system, although interested staff can apply to be a part of the program.
Under the cyber talent management system, the DHS secretary has the discretion to create and appoint individuals to as many qualified positions as he chooses, as long as there’s appropriated funding available.
To recruit new hires to the cybersecurity service, DHS can forego the usual job posting requirements and strategically target candidates to apply for a qualified position. It’ll ask prospective candidates to participate in simulations, tests and other interviews to demonstrate their expertise, the department said.
Notably, the department said it anticipates working with professional associations and Historically Black Colleges and Universities and other minority-serving institutions to find a diverse workforce. DHS said it’s looking for entry-level, mid-career and experienced cyber professionals.
A group of DHS officials involved in the department’s cybersecurity activities will evaluate the agency’s mission, work needs and the qualifications needed to accomplish them on an ongoing basis. That approach will allow the department to tailor specific jobs to the individual and their unique skills, DHS said.
“Qualifications are the core of CTMS and its elements, and on an ongoing basis, DHS updates the set of CTMS qualifications to ensure they continue to reflect the collective cybersecurity expertise DHS requires,” the regulations read. “DHS establishes work and career structures based on CTMS qualifications, and DHS creates qualified positions based on DHS-CS employees’ CTMS qualifications. DHS-CS employees execute the DHS cybersecurity mission by applying their CTMS qualifications to perform DHS-CS cybersecurity work.”
The department will appoint employees to jobs in the cybersecurity service through a renewable appointment, which is time-limited and can be repeated, or a continuing appointment, considered a more permanent job.
Pay will likely be higher for some cybersecurity service employees
Salaries for DHS cybersecurity service employees will be based on an evaluation of salaries in the market, but bounded by an overall pay cap. To remain competitive in certain geographic areas, some employees will also be eligible for a local talent market supplement, similar to a locality payment, the department said.
Salaries will max out at the vice president’s annual pay, $255,800 in 2021, though some employees could make more under limited circumstances, DHS said.
Employees who have a noticeable impact on the mission may receive additional recognition, either through time off or a monetary award. Cybersecurity service salaries will be subject to an aggregate compensation cap, the department said.
Cybersecurity service employees may also receive recognition for working in special circumstances, like long or unexpected hours.
Today, the General Schedule rewards the vast majority of federal employees for longevity. The longer individuals stay, the higher their rank and pay through the General Schedule.
“Throughout DHS-CS employees’ service, DHS considers increasing employees’ compensation based primarily on their mission impact,” the department wrote. “Compensation increases occur mainly through CTMS recognition as either recognition adjustments or recognition payments. CTMS does not feature automatic salary increases or payments; moreover, longevity in position or prior federal government service are not factors in CTMS compensation.”
For DHS, longevity isn’t a top concern for the cybersecurity service. The department has acknowledged it’s no longer looking for a 30-year employee, and it isn’t opposed to its cybersecurity service employees dipping in and out of public service to take on new opportunities in the private sector.
The department said it will guide their employees’ careers by giving them professional development opportunities, training and assignments, which will give them chances to earn new qualifications and subsequent raises.
Like most other specialty personnel systems in government, cybersecurity service employees won’t have all the usual job protections that most other Title 5 workers enjoy.
Cybersecurity service employees, for example, will serve under a three-year probationary period, compared to the one-year trial period most other federal workers have.