The officials who built the Department of Homeland Security’s new cybersecurity talent management system acknowledge that there were times when the development process seemed long to them too.
The initiative was nearly seven years in the making. The new system, known as CTMS, officially went live in mid-November, and the department is now accepting applications.
Congress gave DHS the authority back in late 2014 to design its own talent management system — one that’s exempt from many of the government’s traditional competitive hiring, classification and compensation practices — for cybersecurity positions.
“We took the bold, brave step of completely walking away from OPM’s classification, OPM qualifications, the General Schedule, the way that we do pay, everything,” Angie Bailey, chief human capital officer for the Department of Homeland Security, said in an interview with Federal News Network. “We walked away from all of that and we said, ‘Congress gave us a blank sheet of paper. Why don’t we take that blank sheet of paper, and why don’t we, from scratch, actually build something that’s going to last, not just for today, but way, way into the future?'”
New employees hired under the DHS cyber talent management system will join what’s known as the “cybersecurity service.” They department will recruit, hire, pay and promote cybersecurity talent in different ways from their colleagues on traditional General Schedule.
If it sounds simple, Bailey and her team at DHS want to assure you: It wasn’t.
“If you want to actually meaningful make change in the way that we think about describing work, about hiring people and how we pay them — especially in a space that’s moving as fast as cybersecurity — you’re signing yourself up for quite a bit of work to untangle the way that we currently employ people across most federal agencies, which wasn’t designed for work like that,” Travis Hoadley, director of innovation for the cyber talent management system at DHS, said. “It was designed for more predictable, clerical work in the middle of the 20th century.”
When DHS set out to design the new cyber talent management system, Bailey said she made a few things clear.
She didn’t want to recreate a cybersecurity occupational series and tack it onto the existing General Schedule. And she didn’t want to create an alternative that mimicked aspects of the traditional Title 5 personnel system.
To meet those goals, it meant DHS had to find experts in everything from federal employment law to the history of the civil service.
“We were very diligent about looking at all of the studies on the civil service and all the recommendations about how to update things, including for technology and cybersecurity, that have been done in the last several decades,” Hoadley said. “The real challenge was then taking those ideas and turning them into action.”
It also meant conducting market assessments of cybersecurity and tech salaries across the country, and using the data to set different pay for CTMS jobs. Salaries range from $56,950 for certain entry-level positions to $240,800 for an executive job, according to DHS.
But the amount of time it took to create a brand new personnel system from scratch was often baffling to those at DHS who were knee-deep in the process.
Changing the way DHS pays cybersecurity talent unraveled more challenges and more debate over how, for example, employees might progress in their careers and receive compensation in retirement, Hoadley said.
“There are very few things in Title 5 and in traditional federal HR that aren’t connected to something else,” he said. “When you start to make changes to the hiring process, you’re affecting other things for folks. When you start to change things about how people progress through their careers, it has ripple effects for just about everything, whether you’re taking about people’s compensation for retirement, or their eligibility for retirement, or the way that their benefits are calculated, or the way that their leave works. I could talk to you for two weeks about how complicated leave is in the federal space; it’s pretty dang complicated.”
Designing the cyber talent management system also meant DHS had to develop new code for the National Finance Center, the department’s payroll provider, so the department can properly pay new CTMS recruits.
That means working within NFC’s decades-old systems, a process that Bailey said took years.
“It’s mind blowing,” she said of the complexity of those tasks, as Erin Hayes, the director of operations for CTMS, sighed and held her head in frustration.
“It’s not just the code.” Hayes added. “It’s how to describe it so that it actually operates in a way so that we can pay somebody the way we want to do it. It’s writing the requirements, and then being able to take those requirements and then turn it into the actual code, COBOL, so that the systems function.”
The cyber talent management system has been live since mid-November, and applications are rolling in.
DHS is looking for talent to fill about 150 positions, where the new hires will work within the department’s chief information officer shop and for the Cybersecurity Infrastructure Security Agency.
The department said it settled on 150 positions as a starting point, and more DHS subcomponents will eventually hire cybersecurity service talent in the coming months.
“Our goal is to start small, build on successes and then really accelerate beyond that 150 to other priority roles that we have at the department,” Hoadley said.
Hayes said DHS will spend the next few weeks sifting through the applications and scheduling interviews and times for candidates to take the skills-based assessments that the department designed specifically for CTMS. The department is looking for candidates who are serious about working for DHS, though applicants don’t need knowledge or experience with the department or the federal government.
The assessments, Hayes said, are designed to find talent that truly has the cybersecurity and technology skills that DHS is looking for, not necessarily candidates with a specific degree or certification.
“A lot of the talent… it’s homegrown,” she said. “Often times on the General Schedule our emphasis is on a degree, or it’s on the skills that we’ve learned in the workplace or through certifications or other training programs. This one, I think, is a little different.”
To design the assessments, DHS gathered insights from CIOs and subject matter experts, another process that took some time. Those same stakeholders eventually took the completed assessments to test them out, Bailey said.
Collecting feedback from the CIO community, updating Congress on their progress and conferring with the Office of Management and Budget and OPM — where political leadership changed with three different administrations — also took time.
“For OPM it was hard to wrap their minds around how far away from Title 5 that we went, but ultimately at the end of the day everyone concurred on it, including OMB, who really saw us as being a leader on all of this,” Bailey said.
A framework for civil service modernization?
The six-year experience has taught Bailey, Hoadley and Hayes a thing or two about what it takes to modernize the civil service, the topic of numerous studies and congressional hearings over the decades.
“I’m not sure anyone needs to write another study about how the civil service should be reformed; there are some pretty darn good ones,” Hoadley said. “But when you look at those studies, what you see is that studying the problem is one thing. Actually making the meaningful change to how you do business each day is the hard part. If someone wants to do a study in this space, they should do it about how you build a team that can actually implement your civil service reform versus studying the problem again.”
Bailey agreed. Agencies and their chief human capital officers have ideas about how to tackle challenges with recruiting, hiring and retaining top talent in the 21st century, she said. But they often lack the bandwidth and support to put those ideas into action.
“If you’re going to have a vision then surround yourself with people who can actually make that vision a reality,” she said.
It’s up to leadership, she added, to create a space where the team feels supported — and encourage them to stick with it when challenges, tension and pressure from other stakeholders inevitably arise.
“We live in a pretty immediate world. People are expecting results to be delivered on certain timelines,” Hoadley said. “The timelines of our politics influence that too; people are looking for things to be done. But this type of project is not about what happens in the next six-to-12 months. It’s really about what’s going to happen at DHS in cybersecurity for the next 15, 20 years.”
The advice sounds simple, but it’s easier said than done, Hayes said.
“It’s going to take awhile to build the team that gets this done. It’s not going to be just anybody that you can hire. You’re going to have to hire folks who believe in a start-up. There were folks who found this project intellectually challenging and were excited for us and wanted to see us succeed,” she said. “You have to get folks who are willing to take that risk and do it, but you also have to have folks who are willing to challenge each other.”
Bailey said DHS, along with the Office of Management and Budget, often saw the cyber talent management system as a proof of concept for other, potential attempts at modernizing the civil service.
For Bailey, the launch of the cyber talent management system is a satisfying culmination of a 40-year career in public service. She said she plans to retire later this month.
She’d like to see the cyber talent management system expand to other agencies — or see others in government create their own modern personnel systems that are responsive to their own mission needs.
But Congress, of course, would have to give other agencies the same or a similar kind of authority that DHS received to create its cyber talent management system.
Agencies that want to take that challenge on will find a willing partner in DHS, Bailey and Hoadley said.
“We’ll hand over everything. We’ll help them be as successful as they can possibly be,” Bailey said. “But make no mistake about it, they’re going to have to put the effort that we put into this. It won’t take them six years, because we figured out a lot of things. But it wouldn’t surprise me if it takes them a good three years.”