An influential commission says gaps in cybersecurity workforce data present a major roadblock to fixing a deficit of qualified personnel to fill cyber jobs, with the panel recommending the new White House national cyber director take charge on the issue.
The commission’s report identifies numerous challenges, including struggles with diversity across the national cyber workforce, a lack of coordination across federal initiatives, and limited hiring flexibilities at agencies.
But the primary challenge underlying many corresponding issues is the lack of data, according to Mark Montgomery, director of the commission and one of the authors of the report. The Solarium Commission is now housed in its “2.0” format at the Foundation for Defense of Democracies.
“The number one barrier that we identified is the lack of data,” Montgomery said during a June 2 event at FDD’s headquarters in Washington. “Government cannot make good decisions without good data. We all understand that, despite the fact that we actually have a legal statute saying, ‘collect the data,’ we do not have good data.”
The Solarium report recommends the national cyber director lead a cyber workforce development strategy. Such an effort would establish priorities for workforce development efforts, including diversity efforts, as well as requirements and timelines to drive accountability at agencies. The strategy would also establish clear roles and responsibilities, according to the report.
National Cyber Director Chris Inglis, who also spoke at the FDD event, endorsed the broad outline of the report, without committing to adopting the recommendations wholesale. He mentioned several promising efforts at agencies, including the NICE Framework, the National Science Foundation’s Cybercorps Scholarship for Service, and the Department of Homeland Security’s new Cyber Talent Management System.
“What’s missing is not so much some of the piece parts — there’s some more to be done there — what’s missing is the strategy,” Inglis said. “We would then use that strategy to figure out, how do we connect those, give those the highest possible leverage, kind of amplify their efforts not within the stovepipes, but broadly across the federal government and join arm and arm with the private sector. Because the government can’t solve its end of this problem.”
Cyber workforce data challenges
Congress passed the Federal Cybersecurity Workforce Assessment Act in 2015. It requires agencies to identify positions that comprise cyber, IT and related functions.
But the commission’s report found that data collection under the law is inconsistent, with departments and agencies struggling to map existing positions to actual work roles.
The 2015 law directs agencies to categorize work roles using the National Institute of Standards and Technology’s Workforce Framework for Cybersecurity, commonly referred to as the NICE Framework. But with federal hiring processes driven by Office of Personnel Management occupational series designations, agencies have been left to interpret their own connections between OPM’s series and the NICE Framework, according to the report.
Furthermore, the law is set to sunset this year unless Congress takes action.
The report recommends Congress extend the 2015 workforce assessment law to at least 2027, and amend the law to require that agencies generate “an estimate of the number of cyber professionals needed to reach staffing goals and the number of vacant cyber positions, in addition to the currently required information on work roles of critical need.”
Such an amendment would lend some “forethought” to a law that currently counts existing positions, according to Montgomery.
“It doesn’t say, ‘what are you going to need three to five years from now?’” he said. “Most of our hiring programs take two, three, four years, so we really need to understand that.”
While the extension and amendment of the 2015 law is likely doable this year, other legislative proposals in the report may be more difficult to get through Congress, according to Montgomery.
He highlighted a recommendation for Congress to provide incentives to develop entry-level employees into mid-career talent. The report says employers generally avoid hiring entry-level employees who need training, instead opting for more experienced professionals, exacerbating a shortage of mid-career talent.
The report recommends creating a Federal Cyber Workforce Development Institute. It would not be a brick-and-mortar academy. Instead, it would “centralize workforce development resources such as curricula and providing work role-specific training, such a program can make it easier for federal employers to prepare newly hired early-career personnel for federal cyber work roles,” the report recommends.
The commission also recommends Congress establish a government-wide cyber-excepted service, similar to authorities that already exist at the Defense Department and for DHS’s Cyber Talent Management System. It would allow agencies to hire cyber professionals outside the confines of the existing competitive hiring system.
Montgomery called that the “Rosetta Stone” for cyber workforce development.
“There will be people who fight this, both in Congress and in federal government organizations, and it’s going to cost money,” he said. “But I think no one ever thought fixing federal cybersecurity workforce was going to be a cheap endeavor. And I think having a federal cyber excepted service is probably the key.”
NCD continues to take shape
Inglis’s office is still in its early days. He joined the White House last July and didn’t have a budget until November.
The office is now up to 40 people, heading toward a peak staff of between 95 and 100 personnel, according to Inglis.
The commission’s report recommends his office work with OPM and the Office of Management and Budget to revamp cyber hiring authorities and pay flexibilities across government, regardless of whether Congress authorizes an expanded cyber-excepted service.
The report in particular focuses on how cyber expertise isn’t captured by the traditional federal hiring process that puts a premium on educational attainment and experience.
Inglis endorsed the idea of making it easier for agencies to hire early-career cyber professionals.
“People who show up today at the front door of a government organization with a Bachelor’s of Science in computer science, but no experience in hand, typically are turned away,” he said. “We need to figure out how do we actually do the internships, the co-ops, the cyber clinics to get them that experience.”
He also said agencies need to continue investing in cybersecurity professionals once they get in the door to grow the pool of mid-career talent, rather than the current approach of poaching experienced cyber professionals in both government and industry.
“How do we take computer kind of personnel, IT personnel, cyber personnel, and give them that sense that they have a very rich career field in front of them?” Inglis said. “And they’re not being poached from job to job, but rather, they’re being progressed from job to job and getting all the stronger as they make their way from one responsibility to the next. And so in that regard, something that actually cuts horizontally across the federal government, I think, will be extremely valuable.”