The Cybersecurity and Infrastructure Security Agency is looking to streamline and speed up its hiring process based upon a suite of recommendations from agency advisors who found CISA is not moving quickly enough to address a critical dearth of cyber talent.
The subcommittee is recommending CISA conduct “a comprehensive review of its current workforce and talent needs to ensure that it is properly aligned with the agency’s strategic goals and future growth.” It is also urging CISA to cut in half the amount of time it takes to onboard job applicants and expand the agency’s recruiting efforts to a wider swath of potential candidates.
CISA Director Jen Easterly praised the subcommittee’s work and said she would consider the recommendations over the next 90 days. The agency will then produce an action plan that sketches out a path forward for the recommendations it adopts.
“I like the ambition,” Easterly said during Wednesday’s meeting. “I like the audacious nature of some of them.”
The committee acknowledges recent strides CISA has made in its hiring process, including the agency’s use of the new Cyber Talent Management System (CTMS). But it is urging CISA to “move with far greater speed and urgency” in improving its talent acquisition processes.
“The process is lengthy and difficult to navigate both internally and externally, and therefore places CISA at a tremendous disadvantage relative to private sector employers for this critical and highly sought-after talent pool,” the report states.
The committee is recommending CISA set a goal of 90 days for a cybersecurity candidate to go from offer to onboarding. The process currently takes an average of 198 days at CISA, according to the report.
Additionally, the committee is urging CISA to “move away from a rigid, inflexible job classification system to a flexible, adaptable, pool-based talent management approach better aligned with organizational needs and career paths for experienced professionals.”
CISA is already in the process of hiring a “chief people officer,” Easterly confirmed. The new position will work with agency leadership “to advance a unified approach to talent acquisition, establish workforce development priorities, and ensure alignment with professional career paths,” according to the advisory committee’s report.
“The CSAC strongly supports CISA’s current plans to do this,” it adds.
The panel is also recommending CISA develop “a systemic approach to collecting and analyzing data on candidate pools and hiring processes to benchmark, monitor and improve hiring cycles, using an organizational chart to monitor time to fill, time to hire, source of hire, recruitment funnel effectiveness and diversity of candidate slate metrics.”
Otherreports have highlighted the lack of good data as a barrier to the government’s cyber and IT personnel management.
During the meeting, Easterly said CISA needs more innovative hiring ideas. She also acknowledged the slow start of the CTMS. The talent system was launched in November following years of development. Last month, FCW reported that just one employee had started working under CTMS.
“It has had a slow start because it’s a brand new way of managing people. It’s an entire entirely different system,” Easterly said. “But we’re now starting to get our bearings and are starting to up the number of people we’re giving offers to.”
Remote and telework positions at CISA
One of CISA’s greatest strengths with hiring is its flexibility on location, according to Easterly. She said nearly 2,000 CISA positions are either remote or telework-eligible. CISA’s total workforce is approximately 2,500 employees, according to budget documents.
Easterly asked the workforce subcommittee to also take a closer look at recommendations around remote work and telework.
“I think it’s terrific, it really helps with recruiting,” Easterly said. “But as we allow for this important flexibility in our workforce, I want to make sure that we are in fact instilling the culture that we need to be successful, and that we are all embracing the values and the principles that define the culture that we’re at CISA.”
Security clearance hurdles
The panel also identified the security clearance process as a major sticking point in speeding up hiring for CISA. “The subcommittee heard consistently that the current, unpredictable suitability process is unnecessarily cumbersome and time-consuming, which is a significant obstacle to hiring,” the report states.
The panel is recommending CISA conduct a “thorough review of the interagency security clearing process to identify paths to streamline and speed up this critical path for CISA candidates.”
Easterly asked the committee to dive further into the security clearance issue as well. She says CISA is taking a look at all of its open job positions to make sure clearance requirements aren’t an unnecessarily high bar.
“We’re very much scrutinizing all of our open jobs to make sure if they really do need a level of clearance,” she said. “Not all need a [Top Secret] clearance.”
National cyber workforce plans
In addition to addressing its internal workforce challenges, the panel also says CISA must play a “key role” in building the national cyber workforce. “The agency’s future depends on it,” the report states. “There is a significant gap in availability of skilled cybersecurity professionals compared to the rapidly growing need.”
Cyberseek, a public-private partnership, estimates there are some 700,000 unfilled cybersecurity positions nationwide. That includes nearly 40,000 unfilled positions in the public sector.
The committee is recommending CISA focus on education, including by supporting a virtual National Cyber Academy, akin to a digital West Point, where attendees could participate in a “CISA Cadet Track” leading to a traditional degree along with a commitment to work at the agency.
The panel is also recommending CISA work with members in the Joint Cyber Defense Collaborative to establish a “Cyber Force” pilot program involving “tours of duty” at the agency. The JCDC was established last year. Its members include several major technology and cybersecurity firms.
“JCDC members should loan out top security practitioners/volunteers for a one-to-two-year tour of duty before returning to the private sector as designated CISA Liaisons to facilitate ongoing public-private collaboration such as threat sharing, especially during ‘Shields Up’ initiatives and cybersecurity crises,” the committee’s report states. “To further incentivize broad participation in this program, the CSAC recommends that CISA support legislation to offer tax credits and other similar benefits to participating organizations.”
The Office of the National Cyber Director at the White House is developing a national cyber workforce strategy, which will include CISA. The advisory committee says its ideas “align with their initial thinking.”