《美国网络空间日光浴委员会:2022年国家网络安全劳动力发展报告(英文版)(43页).pdf》由会员分享,可在线阅读,更多相关《美国网络空间日光浴委员会:2022年国家网络安全劳动力发展报告(英文版)(43页).pdf(43页珍藏版)》请在三个皮匠报告上搜索。
1、Workforce Development Agenda for the National Cyber DirectorLaura Bate RADM(Ret.)Mark MontgomeryJune 2022Workforce Development Agenda for the National Cyber DirectorTable of ContentsExecutive Summary.4A Vision for the Future of the Federal Cyber Workforce.6Characteristics of the Current Environment.
2、6 Efforts Currently in Motion.8Recommendations for the National Cyber Director.11Recommendations for Congress.19Recommendations for the Private Sector.22Appendix:Model Legislative Text.234Workforce Development Agenda for the National Cyber DirectorExecutive SummaryNearly 10 years ago,researchers hyp
3、othesized that market forces would correct the U.S.shortage of cyber professionals over time.1 This has not occurred,and the cybersecurity community is out of time.The pervasiveness of avoidable cyber problems such as misconfigured systems,slow patching,and insufficient attention to risk management
4、can frequently be directly tied to cyber staffing shortages.2 Not only are these problems expensive to remediate after incidents occur,but they are also a threat to national security,particularly when they occur in critical-infrastructure systems or in the supply chains upon which that infrastructur
5、e depends.For more than a decade,report after report has documented the growing number of unfilled cyber positions,both in the U.S.government and nationwide,offering strategies and recommendations to address the shortfall.These strategies and recommendations have too often gone ignored.The congressi
6、onally mandated Cyberspace Solarium Commission published a white paper on the cyber workforce in September 2020,identifying systemic barriers stymieing existing workforce development efforts.3 A lack of centralized leadership,insufficient coordination across the federal government,a nonexistent fede
7、ral strategy to guide priorities and resources,and ineffective organizational structures all combined to limit the potential of the very programs designed to strengthen and diversify the federal and national cyber workforces.No clear focal point for interagency coordination existed at the time of th
8、e Commissions report,but the July 2021 confirmation of the first-ever national cyber director(NCD)4 has created a new opportunity to overcome these pervasive barriers.The first section of this memorandum outlines a path forward for the NCD to grow and strengthen the federal cyber workforce and coord
9、inate federal support for national cyber workforce development.In many cases,the NCD will need legislative support,so the second section of the memorandum recommends actions Congress can take to support federal efforts to grow the cyber workforce.These actions include extending the Federal Cybersecu
10、rity Workforce Data Collection Act,establishing a Federal Cyber Workforce Development Institute,and authorizing a Federal Excepted Cyber Service While these recommendations focus on the federal government in the first instance,the federal and national cyber workforces ultimately draw from the same c
11、ommunity of professionals,so effective approaches must address both.Accordingly,the third section of this memorandum outlines actions that private-sector leaders can take to support the NCDs priorities and national cyber workforce development more generally.Recommendations for the National Cyber Dir
12、ectorRecommendation 1:Establish a Process for Ongoing Cyber Workforce Data Collection and Evaluation1.1 NCD and OPM should provide expanded support for cyber workforce data collection1.2 NCD should work with heads of federal departments and agencies to ensure accountability for data mandates 1.3 NCD
13、 should work with OPM to share data on the federal cyber workforce1.4 NCD should work with NSF to add to data on the national cyber workforce Recommendation 2:Establish Leadership and Coordination Structures2.1 NCD should establish and chair a cyber workforce steering committee2.2 NCD should establi
14、sh a cyber workforce coordinating working groupRecommendation 3:Review and Align Cyber Workforce Budgets3.1 Working with OMB,NCD should review budgets for cyber workforce programsRecommendation 4:Create a Cyber Workforce Development Strategy for the Federal Government4.1 NCD should establish a cyber
15、 workforce development strategy for the federal governmentRecommendation 5:Revamp Cyber Hiring Authorities and Pay Flexibilities Government-Wide5.1 NCD should work with OPM to modernize cyber-specific coding structures,hiring authorities,and special pay rates government-wide5.2 NCD should work with
16、OPM to establish a cadre of human resource specialists trained in cyber hiring and talent management5.3 NCD should work with OPM,OMB,and the appropriations committees to ensure adequate resourcing 5Workforce Development Agenda for the National Cyber DirectorRecommendations for Congress6.1 Congress s
17、hould amend the federal cybersecurity workforce assessment act of 20156.2 Congress should increase support for the CyberCorps:Scholarship for Service program6.3 Congress should provide incentives to develop entry-level employees into mid-career talent 6.4 Congress should strive for clarity in roles
18、and responsibilities for cyber workforce development6.5 Congress should exercise oversight of federal cyber workforce development in each department and agency 6.6 Congress should establish cyber excepted service authorities government-wide6.7 Congress should expand appropriations for existing effor
19、ts in cyber workforce developmentRecommendations for the Private Sector7.1 Partners in the private sector should increase their investment in the cyber workforce7.2 Partners in the private sector should develop shared resourcesAcronyms CBO Congressional Budget Office CEDI Cybersecurity Education Div
20、ersity Initiative CETAP Cybersecurity Education and Training Assistance Program CES Cyber Excepted Service CISA Cybersecurity and Infrastructure Security Agency CTMS Cybersecurity Talent Management System CySP Cyber Scholarship Program FCWAA Federal Cybersecurity Workforce Assessment Act of 2015 GAO
21、 Government Accountability Office NCAE-C National Centers of Academic Excellence in Cybersecurity NCD National Cyber Director,also used herein to refer to the Office of the National Cyber Director NCSES National Center for Science and Engineering Statistics NDAA National Defense Authorization Act NI
22、CCS National Initiative for Cybersecurity Careers and Studies NICE National Initiative for Cybersecurity Education NIST National Institute of Standards and Technology NSF National Science Foundation OMB Office of Management and Budget OPM Office of Personnel Management RAMPS Regional Alliances and M
23、ultistakeholder Partnerships Stimulating SFS CyberCorps:Scholarship for Service SRMA Sector Risk Management Agencies6Workforce Development Agenda for the National Cyber DirectorA Vision for the Future of the Federal Cyber WorkforceEffective cybersecurity relies on proper investments in technology,pr
24、ocesses,and people.These elements form a three-legged stool;without any one leg,the structure topples.The United States undeniably excels at fielding cutting-edge technology,and processes and policies governing the cybersecurity ecosystem are improving.5 However,these strengths alone cannot provide
25、meaningful protection from cyberattacks when the national cybersecurity workforce6 is less than two-thirds staffed.7 Ensuring cyber jobs are filled with highly competent individuals will not by itself guarantee success in protecting national cybersecurity,but not filling those positions will certain
26、ly result in failure.The countrys cyber professionals are dedicated and skilled,but there are not enough of them.In the United States,there are almost 600,000 open cybersecurity jobs across the private sector and federal,state,and local governments a remarkable gap considering that the field current
27、ly employs just over a million professionals.A comparable shortfall exists in the governments cyber workforce,with nearly 39,000 openings compared to a total employed public-sector cybersecurity workforce of just over 75,000.8 This gap continues to grow despite a decade of studies that identify the
28、same recurrent problems,9 and despite years of valuable initiatives by dedicated champions for cyber workforce development from the National Institute for Standards and Technology(NIST),the Department of Homeland Security(DHS),the Department of Defense(DoD),the National Science Foundation(NSF),and b
29、eyond.Meanwhile,lawmakers and their congressional committees have attempted to prioritize this issue for years,passing laws such as the Cybersecurity Enhancement Act of 201410 and the Federal Cybersecurity Workforce Assessment Act of 2015(FCWAA).11 Bills currently under consideration,such as the Ame
30、rica COMPETES Act of 202212 and the Federal Cybersecurity Workforce Expansion Act,13 also contain provisions designed to boost the cyber workforce.Similarly,congressional appropriators continue to demonstrate their ongoing support for cyber workforce development.14 The recommendations in this memora
31、ndum are driven by a vision for the future in which the U.S.governments approach to building a highly skilled and qualified cyber workforce is coordinated,prioritized,and diversified.The policies that shape this future workforce will be based on clear data and consistent metrics.Hiring managers in a
32、ll federal departments and agencies will have the authorities needed to exercise agility and flexibility in hiring team members and determining compensation.Policies and practices will be structured to foster inclusiveness,recognizing that teams perform better when they draw on demographically and g
33、eographically diverse populations with many sources of learning and professional experience.15 Employees will move fluidly between different federal agencies and follow career paths that cross back and forth between the private and public sectors.Human-capital officers across government will draw on
34、 shared resources for employee learning and professional development,which they can augment with additional options tailored to their organizations specific mission and needs.Finally,and critically,all these stakeholders will benefit from multiple,varied pathways into federal government jobs that dr
35、aw on entry-level candidates with an enthusiasm for the work,seasoned cyber employees,and the myriad professionals from diverse backgrounds that land in between.This vision builds on the Cyberspace Solarium Commissions 2020 findings.16 It also draws heavily on the important work of many others in go
36、vernment,the private sector,and the non-profit and academic spheres.In particular,many elements reflect the 2020 Federal CIO Councils drivers for the information technology(IT)workforce,17 the National Initiative for Cybersecurity Education(NICE)Strategic Plan,18 and the Federal Cyber Workforce Mana
37、gement and Coordinating Working Groups Strategy and Implementation Plan.19 Characteristics of the Current EnvironmentWhile many human resources(HR)teams often and understandably hesitate to treat talent management in any one field differently than the rest of an organization,a sense of exceptionalis
38、m in cyber workforce development is well-founded.The confluence of discipline-specific barriers to effective talent management and the urgent imperative to mitigate cybersecurity risks warrants extraordinary measures in cyber workforce development.The current federal cyber workforce development envi
39、ronment is characterized by challenges in the following areas:7Workforce Development Agenda for the National Cyber DirectorDiversity:As a whole,the cyber workforce struggles with diversity at all levels,particularly in leadership roles,as federal leaders have identified.20 While exact numbers vary b
40、y source,the available data indicates that Black,Hispanic,American Indian,Alaska Native,and Native Hawaiian professionals are underrepresented in the cyber workforce relative to their percentage of the U.S.population.21 Meanwhile,women make up only about 24 percent of the cybersecurity workforce.22
41、The average federal worker is more likely to be older,male,and possess a college degree relative to the rest of the U.S.labor force.23 Coordination:Across the federal government,there are many projects underway,communities of practice,and examples of good work.For example,NICE an office within NIST
42、has developed both community and interagency coordinating councils24 and an implementation plan toward shared goals.25 Likewise,the Federal Cyber Workforce Management and Coordinating Working Group focuses on modernizing cyber career development programs,tools,and resources to improve mobility and s
43、kill portability across the federal government.Accordingly,it would be inaccurate to say that there is no coordination across federal or national cyber workforce development efforts.However,existing efforts and practitioners generally sit within rather than across departments and agencies,meaning th
44、at while they provide a valuable channel for communication,none has the crosscutting authority needed to bring meaningful prioritization and high-level coordination.26 This has led to duplication of effort,conflicting guidance,and missed opportunities.Moreover,with no federal government-wide strateg
45、y,there is limited basis to determine how resources should be allocated across different lines of effort.Data:Cyber workforce development experts lack accurate data to measure and understand the impact of different efforts and policy interventions on the federal cyber workforce.CyberSeek a data visu
46、alization platform supported by NICE and industry partners provides high-level insight into the national cybersecurity hiring landscape,27 but more data is needed to understand,for example,demographic and retention trends in the workforce.The 2015 Federal Cybersecurity Workforce Assessment Act28 beg
47、an work toward this goal.In practice,however,inconsistencies in data collection between departments and agencies,along with the lack of a mechanism to share findings,limit the utility of existing data.Moreover,the legislation did not require departments and agencies to report their target hiring lev
48、el,making budgeting for future workforce needs an exercise in guesswork unless individual organizations implement their own data-gathering efforts beyond those required by law.The legislation is also limited to the federal,not national,cyber workforce.Talent Management Capabilities and Capacity:Some
49、 departments and agencies particularly DoD and DHS have developed their own systems to create greater agility in hiring and other personnel actions while still observing federal laws that,for example,ensure fair hiring practices.However,similar capabilities generally do not exist for other federal a
50、gencies,29 which exacerbates an already difficult cyber hiring challenge as those agencies compete for qualified people.30 Limited Hiring and Personnel Management Staff:Innovative hiring cannot happen at scale when the personnel management teams themselves are too small.This is true across the gover
51、nment,where a group of experts within the Office of Personnel Management(OPM)is charged with cultivating innovation from within a remarkably inflexible bureaucracy in order to build systems that work for the many and very different federal departments and agencies.Even federal agencies that focus on
52、 cyber hiring,particularly the Cybersecurity and Infrastructure Security Agency(CISA),simply do not have the mission support they need to hire at the requisite scale.Structural Constraints:Assumptions that candidates must have a certain academic degree or certification to qualify for a job or that p
53、romotions should be based on time-in-service rather than competence are a hindrance and unhelpful in most fields.Within the cyber workforce,these assumptions severely undermine hiring and effective talent management.Cyber professionals often come from unexpected backgrounds;skills are often self-tau
54、ght,acquired on the job,or an outgrowth of military service.Accordingly,cyber career paths can take many different turns,and professionals can advance at different speeds depending on their context and background.Conventional assumptions about hiring,pay,and advancement sharply limit the flexibility
55、 needed to adjust to these many variances and may create systems that disadvantage already underserved communities.In addition to these challenges,the public-sector and private-sector workforces are tightly interwoven because,ultimately,the federal workforce is just a subset of the national talent p
56、ool.The private sector faces similarly daunting challenges in filling cyber jobs.In recognition of the cyber talent pools interconnectedness,the NCD will need to focus beyond just the federal workforce because(1)national security and private-sector cyber resilience are mutually dependent and(2)cyber
57、 professionals do and should move between government and the private sector.8Workforce Development Agenda for the National Cyber DirectorEfforts Currently in MotionAlthough they are not operating at the scale needed to meet current,much less future,demand for cyber talent,many current programs insid
58、e and outside of government have the potential to grow to meet a considerable portion of that need if given appropriate authorities,provided with adequate funding,and held accountable.Examples in federal workforce development include:National Initiative for Cybersecurity Education:A federal office t
59、hat operates in partnership with other government stakeholders,academia,and industry,NICE works to“energize,promote,and coordinate”the cybersecurity education and workforce development community.31 Through the development of the Workforce Framework for Cybersecurity(NICE Framework),32 the office has
60、 created a shared lexicon to describe cybersecurity work and the knowledge and skills that cyber professionals must possess,not just in the federal government but across the private sector and even internationally.33 The NICE program office serves as a hub for cybersecurity education and workforce d
61、evelopment by hosting annual conferences,working groups,and communities of interest.The NICE program office has continued to undertake new initiatives(for example,the Cyber LEAP program)34 even as usage of its core product,the NICE Framework,grows.Both because congressional legislation has required
62、its use in federal workplaces and as a natural result of industry uptake,more stakeholders are using the NICE Framework,necessitating personnel dedicated to outreach and upkeep.Despite this track record of growth and success,NICEs budget has not changed since its original appropriation of$4 million
63、in FY14,35 making it overdue for an increase in funding to bolster personnel and right-size the office relative to its expanded body of work.Efforts by the Office of Personnel Management:As the federal agency tasked with HR functions,OPM has played a key role in federal cyber workforce development.M
64、ost notably,that includes defining the various qualifications,classifications,and requirements that give structure to federal cyber personnel actions,36 and establishing the rules for various flexibilities that help respond to the high demand for cyber professionals.For example,OPM has established d
65、irect-hire authority and pay flexibilities that can be used to alleviate some of the challenges of federal cyber hiring.37 OPM has also provided pivotal guidance to departments and agencies as they implement the requirements of the Federal Cyber Workforce Assessment Act of 2015,which leverages the N
66、ICE Framework to provide a count of federal cyber work roles of critical need.38 OPM also provides cybersecurity and IT program management competency models,interpretive guidance,and a range of training efforts to improve cyber hiring.Many of these can be improved,but it should be noted that it is o
67、nly because of OPMs years of commendable work on these topics that an incumbent system exists to improve upon.Moreover,the mission and particularly the hands-on experience that OPM experts have cultivated dictate that OPM must continue to be a core partner in federal cyber workforce development effo
68、rts.Federal Cyber Workforce Management and Coordinating Working Group:This working group serves as an interagency operational coordinating body that develops best practices,tools,and resources to address shared challenges,enhance workforce management capabilities,and reduce siloes.The working group
69、comprises the practical implementors of the Federal Cyber Workforce Management Act of 2015 and other cyber workforce policies from across the federal government.39 To date,the working group has produced a career pathway specific to each NICE Work Role,created a dynamic tool(called the“Career Pathway
70、 and Career Roadmap”)for the public and private sectors on the National Initiative for Cybersecurity Careers and Studies(NICCS)website,and shared resources across the interagency on guidance and procedures to implement requirements.The working groups Multi-Year Strategy and Implementation Plan is se
71、t for FY22-24,designed to build on these successes and drive high-priority,federal-wide cyber workforce initiatives.CyberCorps:Scholarship for Service:The CyberCorps:Scholarship for Service(SFS)program works through colleges and universities nationwide to provide scholarships to students in cyber fi
72、elds in exchange for a government service term.Most scholarship recipients serve this term working for federal agencies,but some support state,local,tribal,and territorial governments,where the demand for cyber professionals and educators is steep.The SFS program provides grants to universities,whic
73、h then provide both OPM plays a key role in federal cyber workforce development,including by establishing rules that help respond to the high demand for cyber professionals.9Workforce Development Agenda for the National Cyber Directorstipends and coursework directly to students.This approach allows
74、for an increased number of participating institutions and for an increased number of students per participating institution,graduating a total of about 400 students per year.40 SFS directly feeds into public-sector recruiting efforts while also helping participating institutions expand post-secondar
75、y educational offerings for all students.41 Despite the tens of thousands of cyber jobs currently unfilled in the public sector,42 the SFS budget has grown modestly in recent years,totaling$55.09 million in FY18,43$55.33 million in FY19,44$55 million in FY20,$60 million in FY21,45 and$63 million in
76、FY22.46 In fact,in many of those years,the presidents budget request did not include an increase for the program.The FY21 request actually would have shrunk the programs budget had congressional appropriators not decided otherwise.47 For 20 years,federal leaders across numerous administrations have
77、called cybersecurity workforce recruitment and development a priority and cited its importance for national security48 but failed to fund the SFS program appropriately.The Cyberspace Solarium Commission recommended that the program be resourced to graduate 2,000 students per year,with its budget gro
78、wing 20 percent annually for the next decade.49 Cybersecurity Education and Training Assistance Program(CETAP):CETAP is a grant awarded by CISA to a non-profit partner(currently Cyber.org)to support cybersecurity education in K-12 classrooms through the development of cybersecurity curricula and ins
79、tructor training.The program has been active for more than a decade,and Congress codified the program in the National Defense Authorization Act(NDAA)for Fiscal Year 2021.50 At its current funding level,the program provides training to approximately 5,000 new teachers per year,impacting 500,000 stude
80、nts annually.This track record is impressive,especially for a relatively small program.Not only does it encourage the general population to be more conscientious about their personal security,but it also boosts awareness of career opportunities in cybersecurity,helping to put future cyber profession
81、als on the path to their careers.An estimated 1.2 million educators in the United States work in relevant specialties and thus would benefit from the training funded by CETAP.These are predominantly teachers in science,technology,engineering,mathematics(STEM)as well as career counselors and administ
82、rators.At the current funding rate,however,it would take roughly 95 years to train these educators.51 For an already established program with proven success,this timeline is unacceptable and represents an opportunity missed with each passing year.Despite these benefits and statements from government
83、 officials linking K-12 cybersecurity education to long-term national cyber resilience,52 the executive branch has regularly proposed eliminating funding for the program.53 Congressional appropriators have made clear that“any proposed reductions to cybersecurity education will not be considered unle
84、ss CISA provides a clear plan for how the previously funded activities would be fully realigned within other agencies in a manner that sustains the objectives of this critical effort.”54 In FY22,appropriators set aside$6.8 million for CETAP.55 CISAs FY23 budget request,however,again recommends elimi
85、nating the program,adding only that“CISA will work with the National Science Foundation(NSF)to build and strengthen the national cybersecurity workforce to include K-12 programs.”56 Given its discrepancy with the FY22 appropriation,CISAs request will likely be ignored by Congress.Though the increase
86、 in CETAPs FY22 appropriation is welcome,the programs budget will need to continue to increase dramatically.That additional funding is necessary both to allow for outreach to a much larger group of educators and potentially to expand the program to work with school administrators to support the upta
87、ke of cybersecurity education in schools.Incremental funding increases calculated to reach$20 million per year by FY26 would help achieve the needed scale.57Regional Alliances and Multistakeholder Partnerships:Section 9401(f)of the FY21 NDAA requires NIST to establish Regional Alliances and Multista
88、keholder Partnerships Stimulating(RAMPS)cybersecurity education,training,and workforce development.These partnerships,previously piloted by NICE,58 would identify and strive to fill local workforce needs.59 RAMPS can create a diverse and geographically distributed array of programs,all with the shar
89、ed goal of bolstering the cybersecurity workforce.The Congressional Budget Office(CBO)estimated that the HACKED Act the bill that originally proposed these partnerships before it was incorporated into the FY21 NDAA would require$50 million to implement over its first five years,with an obligation of
90、$12 million($10 million for grants and$2 million for administrative costs)in its first year of implementation.60 However,the Department of Commerce justification for the presidents FY22 budget request did not specify funding for this program,and overall increases in NISTs cybersecurity and privacy b
91、udget were modest relative to funding increases for other NIST priorities.61 The FY22 Consolidated Appropriations Act subsequently specified that no less than$500,000 should go toward the new program.62 The presidents FY23 budget request asked for$7 million to support the program in the coming year,
92、63 far below the original CBO estimate of program costs.National Centers of Academic Excellence in Cybersecurity(NCAE-C):This program has been operating since 1999 to promote high-quality cyber education at colleges and universities across the country.In the last five years,NCAE-C academic and stude
93、nt development requirements have shifted to emphasize collaboration between institutions,competency-based education,and development of graduates ready for careers in cybersecurity.Additional funding in the past three years has accelerated program 10Workforce Development Agenda for the National Cyber
94、 Directorgrowth and helped the NCAE-C program leverage collaboration with partner institutions to achieve workforce goals in communities across the nation and prepare teachers and faculty to teach cybersecurity.The funding has also allowed NCAE-C to create a curriculum repository,curate the quality
95、of cybersecurity curricula nationwide,create a career pathway from middle school to post-secondary education to the workforce,and begin nine community-based initiatives to develop local cybersecurity education and economic development.Through the NCAE-C program,an established community and network o
96、f regional hubs support more than 370 institutions.64 Recently,the program has also developed the Cybersecurity Education Diversity Initiative(CEDI),which works to connect minority-serving institutions with mentorship and assistance to advance their educational offerings in cybersecurity.65 The NCAE
97、-C Program Office is also the executive administrator for DoDs Cyber Scholarship Program(CySP).66 CySP provides support for education at NCAE-C institutions as a recruitment benefit to students who are not currently DoD employees and as a retention incentive to current employees and military members
98、.Across all these initiatives,the level of funding invested dictates the breadth and impact of the work.Additional funding can thus scale these initiatives to support the continued growth and innovation of this important driver of cybersecurity education.Notably,there is currently no authorizing leg
99、islation for the NCAE-C program,although Congress could address this gap to ensure the programs continuity.Additional highlights though not an exhaustive list are outlined in Figure 1.67FIGURE 1:A Selection of Federal Cyber Workforce InitiativesDepartment/AgencyK-12Post-SecondaryEmployee TrainingWor
100、kforce EcosystemCISA/DHSCETAPPublic Infrastructure Security Cyber Education System68Presidents Cup,Federal Virtual Training EnvironmentNICCS Website,Non-Traditional Training Providers,69Industrial Control Systems TrainingDepartment of EducationPresidential Educator Award,CTE CyberNet70Federal Chief
101、Information Officer(CIO)Reskilling Academy71(co-sponsored with DHS)NISTCybersecurity Career Awareness Week,NICE K12 Conference,NICE K12 Community of InterestNICE Challenge ProjectFederal Information Systems Security Educators72NICE Framework,NICE Conference,NICE Community Coordinating Council,CyberS
102、eek,U.S.Cyber Games,NICE RAMPSNSA/DoDGenCyber(co-sponsored with NSF)N-CAEC(co-sponsored with DHS),CEDI,CySPNCAE-C Community(co-sponsored with DHS)NSFCyberCorps:SFS(in collaboration with DHS and OPM)OPMFederal Cyber Workforce Assessment Act of 2015,Various GuidanceInteragencyFederal Rotational Progra
103、m(co-sponsored with OPM)Cyber Careers Pathway Tool,NICE Interagency Coordinating Council,Working Group Multi-Year Strategy and Implementation Plan,Federal Cybersecurity Workforce Summit and Webinar Series11Workforce Development Agenda for the National Cyber DirectorRecommendations for the National C
104、yber DirectorThe NCD position and associated office were established by the FY 2021 NDAA in order to“serve as the principal advisor to the President on cybersecurity and policy and strategy,”to include the personnel and management programs of federal departments and agencies.73 Congress intended for
105、 the NCD to have a leadership role in addressing the cyber workforce challenge.The following section provides recommendations to help the NCD address the challenges of cyber workforce development for the federal government and coordinate the federal role in nationwide workforce development:74 Recomm
106、endation 1:Establish a Process for Ongoing Cyber Workforce Data Collection and EvaluationEstablishing priorities and distributing resources across the interagency requires an accurate measure of cyber workforce requirements.75 To fulfill the NCDs statutory responsibility to make recommendations“rele
107、vant to changes in the organization,personnel,and resource allocation”of federal departments and agencies,76 the NCD must be able to identify components or mission areas that are experiencing particular limitations due to the quality or quantity of their staffs.Relatedly,identifying federal cyber wo
108、rkforce development programs that best address workforce gaps requires reliable longitudinal data on the workforce predating the programs and continuing through their interventions.77In an attempt to address the data gap,Congress passed FCWAA in 2015.78 Unfortunately,the legislation lacks a requirem
109、ent for projected vacancy data.Moreover,the data collected is inconsistent,in part because federal departments and agencies have struggled to map existing positions to work roles consistently.79 While FCWAA circumscribes cybersecurity work roles through the commonly-used NICE Framework,80 the hiring
110、 processes within departments and agencies have evolved based upon and largely continue to use OPMs occupational classifications,driving departments and agencies to navigate and interpret connections between the two.81 Furthermore,a full-time employee may fill more than one cybersecurity work role,s
111、o a particular work-role shortage likely represents less than one full-time employee.This nuance compounds the already significant challenge of producing an accurate count of federal workforce vacancies.OPM is making inroads in educating departments and agencies to adopt the new cyber designations,b
112、ut the challenge remains.Moreover,the legislation mandating this data collection effort has limited enforcement options.Federal departments and agencies are required to“identify information technology,cybersecurity,or other cyber-related work roles of critical need in the agencys workforce.”82 But a
113、s the Government Accountability Office(GAO)reported in 2019,not all actually did so accurately and according to the specified timeline.83 Beyond challenges in implementing FCWAA,Congress can improve the legislation itself to require the provision of data that is more useful and more consistent,as di
114、scussed in the following section.In its current form,the legislation requires department and agency heads to provide information only on work roles of critical need.The law does not actually mandate a count of the total number of all cyber professionals required to bring the department or agency up
115、to target staffing levels.84Simply identifying open cyber billets is useful but faces two limitations.First,such a count can be biased by a tendency to generalize position descriptions for the sake of creating flexibility in agency-wide staffing,leading to an undercount of positions that have cyber
116、work roles as compared to positions with IT work roles generally.Second,although the legislation is designed to identify gaps in the cyber workforce,the manner in which the data has been collected leaves elements of this goal unaddressed.In order to carry out long-range workforce planning,department
117、s and agencies will need to identify more than just work roles of critical need or even the scale of their staffing shortages(that is,their authorized and funded positions that are currently vacant).In addition to counting those current vacancies,departments and agencies must address the harder ques
118、tion of pinpointing the optimal number of cyber professionals needed to achieve their respective missions,both currently and in the future.This latter figure requires identifying unfunded positions,raising difficult questions for agency leadership about why the agency is underfunding cyber staffing.
119、The dynamic makes this data both very difficult to get and very important for planning for the future.For any metric to be useful,data collected across departments and agencies must strike a careful balance between consistency and relevance to the source.Because each department and agency has been r
120、esponsible for delivering its own count in response to FCWAA,the data is susceptible to systematic inconsistencies.This is partly a reflection of the tension between designing metrics that are useful for a particular organization versus for the government as a whole.For a metric to be useful within
121、a particular department or agency,the organization in question should be measuring criteria specific to its individual challenges and mission.However,to be useful across agencies,metrics must also be standardized.12Workforce Development Agenda for the National Cyber DirectorTo address the necessity
122、for standardization,FCWAA tasks departments and agencies with mapping their current positions to work roles outlined in the NICE Framework.While the intended goal of standardization is clear,the exercise is more complicated in practice.Position descriptions have evolved according to individual agenc
123、y needs and an incumbent system of occupational classifications.As a result,individual position descriptions rarely map neatly onto standards and often draw on competencies that may apply to a number of different work roles(as described by a 2020 revision to the NICE Framework that introduced compet
124、ency areas as another application of the framework).85 Although OPM has worked with NIST to provide guidance,86 most decisions on whether and how to code these many hybrid positions fall to the judgment of the individual,office,agency,and department accounting for that position.As each link in the c
125、hain of data collection makes these determinations,the data as a whole becomes subject to inconsistencies even though each decision is informed by the same implementation guidance.87 Accordingly,the datas usefulness comes into question.Since the federal government recruits from a talent pool shared
126、by every other cyber employer and funds efforts to grow and sustain that shared talent pool,the NCD will also need detailed,reliable longitudinal data on the entire national cyber workforce,particularly data that provides information on the outcomes and impacts of federally funded efforts.In pursuin
127、g this objective,the NCD will be able to draw on existing exemplars of data tools“helping to close the cybersecurity talent gap.”88 CyberSeek,a NIST-funded project,has already begun to leverage job postings nationwide to gain insight into what employers are seeking in their hiring.89 Whether through
128、 expansion of that effort or the development of complementary initiatives,the NCD can support nationwide cyber workforce development by addressing remaining data gaps.The need for better data has been a key part of the Cyberspace Solarium Commissions workforce development recommendations.In its Marc
129、h 2020 report,the Commission called for research“into the current state of the cyber workforce,paths to entry,and demographics.”90 A subsequent Commission white paper encouraged NSF to fund further research.91 Similarly,the National Academy of Public Administration called on the NCD to“ensure data r
130、elevant to cyber workforce challenges and needs are collected and available for use in developing strategy,creating educational programs,and assessing the impact and effectiveness of workforce development initiatives.”92 That report suggested that the Bureau of Cyber Statistics,an organization recom
131、mended by the Commission but not yet established,could be a good source for this data.Until the bureau is established,however,there are still very impactful steps the NCD can take to improve the quality of data on the cyber workforce.Specific actions include:1.1 NCD and OPM Should Provide Expanded S
132、upport for Cyber Workforce Data CollectionTo the greatest extent possible,the NCD working with federal department and agency heads and hiring managers must strive for consistent standards in classifying occupations,job requirements,93 and other means of measuring the workforce.Doing so will require
133、an ongoing review of the data collected as well as centralized,easily accessible support for departments and agencies conducting that review.OPM has filled this role in the past,but the NCD can help bolster resources to ensure OPM has the personnel necessary to rapidly address requests for support o
134、r information from departments and agencies.1.2 NCD Should Work With Heads of Federal Departments and Agencies to Ensure Accountability for Data Mandates As departments and agencies continue to conduct and improve data collection efforts,the NCD can ensure that high-level attention is directed to re
135、solving challenges that may emerge,addressing barriers causing delays in the provision of data,and improving accountability across government.In particular,the NCD can work with OPM,departments,and agencies to ensure that workforce assessments include a count of the number of cyber professionals nee
136、ded to reach staffing goals(funded and unfunded),in addition to a count of open billets(vacancies)and work roles of critical need.1.3 NCD Should Work With OPM to Share Data on the Federal Cyber WorkforceHigh-level,aggregated data on federal cyber workforce trends should be made publicly available to
137、 allow partners in education,stakeholders across government,and jobseekers to identify areas of greatest need.For federal stakeholders,a more detailed version of this data should be shared on a regular basis.An interactive federal cyber workforce dashboard would provide hiring managers with a much-n
138、eeded baseline for evaluating the effectiveness of current workforce development efforts and would provide data-driven insights into new recruitment and workforce development initiatives.A digital dashboard could also be coupled with a reporting platform to assist OPM in gathering data on the cyber
139、workforce from federal departments and agencies.The NCD can work with OPM to expand existing nascent efforts to build a dashboard,identify and overcome bureaucratic and budgetary hurdles to implementation,and ensure adequate resourcing to maintain the initiative.13Workforce Development Agenda for th
140、e National Cyber Director 1.4 NCD Should Work With NSF to Add to Data on the National Cyber Workforce As is true in the federal government,across the national cyber workforce,data on workforce composition and dynamics is sparse.To their credit,industry and professional associations have made strides
141、 in addressing this gap.94 But industry surveys are not designed to evaluate the impacts of federal policy over time.In particular,evaluating the dynamics of demographic underrepresentation has been challenging,95 which significantly hampers data-driven efforts to promote diversity in the cyber work
142、force.NSF is home to the National Center for Science and Engineering Statistics(NCSES),which Congress tasked with providing statistical information on the science and engineering workforce.96 The NCD should work with NSF to ensure NCSES has the personnel needed to provide statistical information on
143、the national cyber workforce.97 In addition,the NCD should work with NSF to ensure that grant funding is made available to enable academic study of the drivers and dynamics of the cyber workforce.In each of these initiatives,a key priority should be ensuring that collected data is aligned to the NIC
144、E Framework to the greatest extent possible and is complementary to the existing NIST-funded CyberSeek efforts.98 By engaging with the Office of Management and Budget(OMB),the NCD can work to ensure that resourcing needs are reflected in the presidents budget requests.Congressional appropriators can
145、 further enable progress by ensuring that these efforts are properly resourced.Recommendation 2:Establish Leadership and Coordination StructuresAs shown in Figure 1 above,the federal government has built many cyber education and workforce development initiatives.Leadership of these efforts is diffus
146、e.The structure is further complicated by the array of congressional committees that can claim jurisdiction over a component of cyber workforce development.As the National Academy of Public Administration noted,“Congress has not been given a coherent picture of federal goals for national workforce d
147、evelopment or the funds and support needed to accomplish those goals because there has not been a single leader in the executive branch to provide clarity and consistency of goals and coordinate funding to support them.”99 Many committees to their credit are eager to authorize new work on this topic
148、.The ad hoc structure of federal cyber workforce efforts is a function of motivated stakeholders devising innovative and impactful solutions based on the resources at hand in their respective organizations.These efforts do not align with a centralized plan.Despite many genuine attempts to share info
149、rmation,collaborate,reduce duplication,and increase effectiveness across the interagency,problems persist.Unproductive competition for resources,missed opportunities,and duplication of efforts all erode the effectiveness of the work as a whole.In the extreme,they can even inhibit progress as stakeho
150、lder groups jostle over which department or agency should hold jurisdiction for a particular project.To get the most out of available resources and pave the way for more efficient interagency coordination,the NCD should create leadership and coordination structures for federal cyber workforce develo
151、pment efforts.To provide high-level alignment of efforts while still allowing the innovative ecosystem of current initiatives to flourish,the new structure needs to provide both a capability for authoritative direction and a forum to foster transparency and participation.As recommended by a Septembe
152、r 2020 Cyberspace Solarium Commission white paper titled“Growing a Stronger Federal Cyber Workforce,”and in alignment with the National Academy of Public Administrations January 2022 recommendation for increased leadership,100 the NCD should establish a two-part structure for providing leadership an
153、d coordination:2.1 NCD Should Establish and Chair a Cyber Workforce Steering CommitteeThe steering committee would provide leadership-level strategic guidance while“coordinating with and specifying roles and responsibilities between and among agencies,”as noted by the National Academy of Public Admi
154、nistration.101 The committee would also advise on the distribution of resources and ensure accountability for and progress toward strategic priorities.The committee would be composed of a fixed membership with representation from the NCD(chair),OMB,OPM,NIST(NICE),DHS(CISA),NSF,DoD,the Department of
155、Education,and the Department of Labor.“The NCD should create leadership and coordination structures for federal cyber workforce development efforts.To provide high-level alignment of efforts while still allowing the innovative ecosystem of current initiatives to flourish,the new structure needs to p
156、rovide both a capability for authoritative direction and a forum to foster transparency and participation.”14Workforce Development Agenda for the National Cyber Director 2.2 NCD Should Establish a Cyber Workforce Coordinating Working GroupThe working group would be responsible for ensuring that cybe
157、r workforce development efforts are implemented in concert with one another,taking advantage of collaborative opportunities,sharing information and resources when possible,and identifying potential new lines of effort.The working group would also be responsible for ensuring that the steering committ
158、ee charters all new cyber workforce development programs,and that all efforts are aligned with the steering committees strategic guidance and are resourced appropriately given their role with respect to an overall strategy(as outlined in Recommendation 4).The steering committee would appoint the wor
159、king groups chair(s),who would serve on a rotating basis,and the working groups membership would be open to all federal departments and agencies.The NCD may also consider providing mechanisms for the working group to engage with partners from outside the federal government.Recognizing the potential
160、to trigger the Federal Advisory Committee Act,the NCD should consider existing engagement through the NICE Community Coordinating Councils as a means to engage with such stakeholders.102 The NCD,the steering committee,and the working group should seek input from state,local,tribal,and territorial go
161、vernments as well as from academia and members of the private sector involved in federal workforce issues(major federal contracting firms,for example).103 They should also engage with the Federal CIO Council,the Chief Human Capital Officer Council,and the Chief Learning Officer Council.A strong mode
162、l for the working group already exists.In recent years,the Federal Cyber Workforce Management and Coordinating Working Group has been drawing input from across the interagency to address shared problems,such as a tool to clarify possible federal cyber career pathways.104 In establishing the proposed
163、 Cyber Workforce Coordinating Working Group,the NCD should work with the existing group to ensure continuity and a smooth transition to the structure described in this recommendation.If the existing group can serve as the foundation for the new working group,the NCD will be better positioned to enab
164、le the current groups future progress and benefit from its deep experience and working relationships.Recommendation 3:Review and Align Cyber Workforce BudgetsBy law,the NCD is responsible for“monitoring and assessing the effectiveness,including cost-effectiveness,”of the implementation of cyber poli
165、cies,and also for“reviewing the annual budget proposals for relevant Federal departments and agencies.”105 Furthermore,the NCDs deputy for federal cybersecurity also serves as the federal chief information security officer,based in OMB.This“dual-hat”arrangement allows that official to leverage their
166、 expertise when“reviewing agencies cybersecurity budgets and recommending changes that will align spending plans”across the federal government.106 This will be a powerful collaboration for ensuring the federal government is maximizing its investment in the cyber workforce.Because cyber workforce ini
167、tiatives have tended to take root and grow wherever stakeholders found resources available,the availability of funding rather than overall strategic impact has been a primary driver of program growth.As the expenditure of funding becomes further entrenched through budgeting and appropriations proces
168、ses that refer heavily to prior years expenditures,changing these patterns once established takes very deliberative action.The NCD,in cooperation with OMB,107 should ensure the dynamic is flipped to enable strategy,rather than availability,to be the primary driver of resource allocation.Moreover,to
169、the greatest extent possible,evidence and data should inform the NCDs assessment of strategically aligned and impactful programs,as outlined in Recommendation 1 above.Impactful programs also include those that support specific,often underserved or underrepresented communities and aim for long-term i
170、mpact rather than short-term return.The current ecosystem of programs benefits from this diversity of efforts and approaches.The review of budgets should also look for opportunities to bolster support for initiatives that advance the ecosystem of efforts as a whole,whether by advocating for tools th
171、at can drive greater coordination,platforms that can be shared,or other efficiencies stemming from greater coherency.To provide several examples,a program such as CETAP has the potential to provide long-term benefit to the entire national cyber workforce,not least the federal workforce.However,CETAP
172、s budget has regularly been recommended for elimination.Similarly,the White Houses FY22 budget request did not include the NICE RAMPS program,and the FY23 request asked for only about half of what the CBO estimated the project would cost.108 Finally,the CyberCorps:Scholarship for Service program inf
173、uses the entire federal government with cyber talent while strengthening cybersecurity educational programs nationwide,yet for decades the program has seen only limited funding growth.109 15Workforce Development Agenda for the National Cyber Director3.1 Working With OMB,NCD Should Review Budgets for
174、 Cyber Workforce ProgramsThe NCD should work with OMB to highlight and address misalignments between strategic goals,outcomes,and current expenditures through a thorough review of project budgets for cyber workforce programs.Moreover,by providing a clearer picture of the overall connection between f
175、unding and strategic goals,the executive branch through the NCD can better explain to congressional appropriators where and how funding can be used.Leveraging the NCDs perspective is all the more necessary because quantifying return on investment in the cyber workforce a critical part of building an
176、y budget requires a firm grasp of the strategic landscape of American cybersecurity.Assigning a dollar figure to the risk incurred by federal cyber staffing shortages requires extensive knowledge of the potential cost of cyber incidents and the manner in which each department,agency,component,office
177、,and individual contributes to incident prevention,response,and resilience.OMB and congressional appropriations committees must balance many competing priorities,and the comprehensive insight the NCD provides on cyber risk will be essential for identifying and advocating for appropriate levels of in
178、vestment in the cyber workforce.Recommendation 4:Create a Cyber Workforce Development Strategy for the Federal GovernmentThe call for a cyber workforce development strategy for the federal government is not an especially new one.Research going back more than a decade,110 as well as a recent report f
179、rom the National Academy of Public Administration,has called for the same.111 The NCDs cyber workforce development strategy for the federal government can draw on the important foundational work of other stakeholders.In particular,the NCD should leverage a July 2016 OMB memo that set forth the first
180、 Federal Cybersecurity Workforce Strategy.The memo outlined general aims(such as“Identify Cybersecurity Workforce Needs”and“Expand the Cybersecurity Workforce through Education and Training”)and improvements to existing programs.112 The CIO Council Workforce Committee,which has continued to bring gr
181、eater attention and energy to federal IT workforce issues,113 also deserves commendation,as does the NICE Strategic Plan,which draws on the wider national cybersecurity workforce development community for input.114 The NCDs strategy must be distinct from the work done by these prior and current effo
182、rts.In particular,the NCD must observe the difference between a strategy for the federal government and a national strategy.Whereas the former is created by the federal government to set plans,priorities,and areas of responsibility for the federal government,the latter brings together perspectives f
183、rom the full gamut of national workforce development stakeholders,including the private sector;academia;state,local,tribal,and territorial governments;and the federal government.The NICE Strategic Plan serves the latter function,engaging extensively with partners and working with interagency and com
184、munity coordinating councils to develop“the vision,mission,values,goals,and objectives for both the organization and the greater NICE community.”115 The NCD should take care to avoid duplicating NICEs community-driven work on national cybersecurity workforce development.However,the NICE strategic pl
185、an and the priorities articulated by the national cybersecurity workforce development community should help inform the NCDs work to establish a strategy for cyber workforce development efforts across the federal government.Such a plan should not(and in all practicality cannot)come from within a sing
186、le department or agency,because successfully establishing priorities,roles,and resources among departments and agencies requires the imprimatur of the White House.To illustrate,if two agencies,both operating within their congressionally authorized role,undertake initiatives that fulfill very similar
187、(or,conversely,conflicting)functions,neither is in a position to dictate which effort should be prioritized.In such cases,a strategy determined within one department is unlikely to significantly change the planned activities of another department.While there certainly are many situations where multi
188、ple departments and agencies can work toward similar goals with positive effects,the NCD can greatly improve the overall effectiveness of the system by working with departments and agencies to produce a federal government-wide strategy to bring clarity,prioritization,and coherence to cyber workforce
189、 education and development efforts(including efforts to benefit both the federal workforce and the national workforce).Others have observed this lack of clarity surrounding the way efforts fit together as a part of a larger federal whole.For example,the National Academy of Public Administration note
190、d that“CISA could benefit from a clear understanding of its role in cybersecurity workforce development in relation to other federal agencies.”116 The NCD can help provide this clarity by developing a cyber workforce strategy for the federal government that establishes priorities among many lines of
191、 effort,ameliorates questions 16Workforce Development Agenda for the National Cyber Directorregarding areas of responsibility between different departments when congressionally authorized roles overlap or converge,establishes and enforces requirements and common practices across departments,and make
192、s recommendations regarding the distribution of resources.Such issues can best(and often only)be addressed at the White House level.The NCD can also provide the powerful advocacy needed to ensure that the United States is making plans now to educate the professionals who will defend federal networks
193、 decades into the future.4.1 NCD Should Establish a Cyber Workforce Development Strategy for the Federal GovernmentWorking with OMB,Congress,and the steering committee and in consultation with the working group proposed in Recommendations 2.1 and 2.2,the NCD should develop a new strategy that should
194、,at a minimum:Establish priorities in federal cyber workforce development efforts,including efforts to promote diversity in the federal cyber workforce;Clarify roles and responsibilities across federal departments and agencies;Set requirements and timelines outlining expectations for cyber workforce
195、 development efforts to drive accountability within departments and agencies and ensure feasibility given available resources;Outline long-term investments to build educational capacity and bolster cyber career awareness;Identify outside stakeholder groups that may be developing adjacent strategies
196、such as state,local,tribal,and territorial governments and provide a plan to engage and coordinate with these efforts;Highlight priority areas for potential innovation in cyber workforce development approaches;and Identify resourcing requirements to support the strategy.Given the many stakeholders a
197、nd initiatives in this space,a cyber workforce development strategy for the federal government may tend to gravitate toward cataloging all the various programs underway117 and articulating support for each.It may also tend toward establishing major lines of effort in cyber workforce development gene
198、rally.While cataloging efforts and defining general goals are necessary parts of developing a strategy,much of this work has already been done,as discussed above.Moreover,a strategy that achieves only these two functions will miss the opportunity to bring real coordination and focus to federal effor
199、ts.By comparison,the process of establishing clear priorities and roles particularly if done with participation by key stakeholders and with full transparency will allow champions for cyber workforce development across departments and agencies to maximize comparative advantages and plan around long-
200、term investments.In turn,this will allow the federal government as a whole to continue pursuing a diverse portfolio of efforts but with maximum efficiency and impact.118 Recommendation 5:Revamp Cyber Hiring Authorities and Pay Flexibilities Government-WideDHS made news in 2021 by bringing online the
201、 Cybersecurity Talent Management System(CTMS).119 The system is based on legislation authorizing the secretary of homeland security to“establish,as positions in the excepted service,such qualified positions in the Department as the Secretary determines necessary to carry out the responsibilities of
202、the Department relating to cybersecurity,”“appoint an individual to a qualified position,”and“fix the compensation of an individual for service in a qualified position.”120 Similarly,DoD also has specific authorizing legislation that allows for the creation of excepted service positions,direct-hire
203、authority,and pay flexibilities to fulfill the Pentagons cyber mission.121 DoDs authorization forms the basis of its Cyber Excepted Service(CES).122 While these systems have their own challenges for example,CTMS was established without dedicated vacant billets,limiting its immediate impact,and hirin
204、g into the new system has been slow they are nevertheless very powerful tools.Outside DHS and DoD,departments and agencies have more difficulty using cyber-specific hiring authorities,exacerbating hiring and retention challenges.Organizations such as the FBI,State Department,and Treasury Department
205、all must rely on more limited hiring authorities and pay flexibilities.Per 5 U.S.C.3304,the president,acting through OPM,has the authority to establish direct-hire authority when there is a critical hiring need or a severe shortage of candidates.OPM has used this authority to provide agencies with g
206、reater flexibility when hiring IT and cyber professionals,but these authorities are far more limited than those DoD and DHS have used to establish a cyber-specific excepted service system.OPM has also established government-wide guidelines for direct hiring for positions that fall within designated
207、IT-specific categories,known as federal occupational series:17Workforce Development Agenda for the National Cyber Director 2210 IT management(information security)at the GS-9 level and above 2210 IT cybersecurity specialist at the GS-12 level and above when they“require IT knowledge and IT competenc
208、ies,”the work is coded to include cybersecurity functions according to both the NICE Framework-aligned codes and OPMs Guide to Data Standards,and cybersecurity work is performed the majority of the time 0854 computer engineers(cybersecurity)at the GS-12 level and above 1550 computer scientists(cyber
209、security)at the GS-12 level and above 0855 electronics engineers(cybersecurity)at the GS-12 level and above123While these direct-hire authorities cover many positions,qualification requirements limit their real-world impact.In all four categories,candidates must qualify at the GS-9 level or above,me
210、aning candidates must have relevant education(typically a masters or doctorate degree),experience,or training(such as certifications or skills training).Officially,OPM stipulates that entry-level candidates may qualify for 2210 cyber positions with an associates or bachelors degree or even with info
211、rmal education.124 However,in practice,many hiring managers report that the GS-9 floor to qualify for cyber direct-hiring authorities is interpreted as a degree requirement.Three of the four categories require GS-12 qualifications,an even higher bar.Although the underlying problem may be a misapplic
212、ation of classification and qualifications policy related to cyber work,the overall effect is that departments and agencies have struggled to develop effective entry-level hiring pathways that align with the types of candidates they are designed to attract.Given that often unavoidable security clear
213、ance requirements already narrow the field of potential applicants in federal cyber hiring,degree-and experience-based requirements for cyber positions(whether due to misinterpretation of guidance or actual bureaucratic limitations)serve only to further shrink the applicant pool and limit the opport
214、unity to develop entry-level hiring pathways.These requirements are unnecessarily constraining in a field where associates degrees,industry certifications,and other informal education are both common and valued,and where demonstrations of experience come in vastly different forms and timelines.They
215、also compound the challenge of promoting diversity in the federal workforce by steering hiring toward graduates of STEM degree programs,which also struggle with diversity.125 Additionally,the existing direct-hire authorities do not help hiring managers fill roles that fall outside these occupational
216、 series but work on cyber policy,privacy,stakeholder engagement,or many other fields that are core to the cyber mission and are reflected as such in the NICE Framework.These positions often require specialized experience or technical competencies but usually do not require technical work.Finally,the
217、 occupational coding structure for cyber positions often drives hiring managers to label many of these non-technical roles as“2210 IT specialist,”which deters potentially qualified applicants from considering these federal cyber jobs because the job announcements are off-putting,implying that applic
218、ants need to write code,analyze malware,or architect a secure IT network,for example.Officially,policy does permit departments and agencies to prescribe alternative titling to be used.In particular,a series of parenthetical designations can add some clarity to position titles.126 However,hiring mana
219、gers continue to report concerns that the titles assigned to their vacant positions do not accurately reflect the work.Much like how some direct-hire authorities exist but fall short of the mark,compensation flexibilities exist but do not fully meet the needs of departments and agencies.OPM has crea
220、ted pay flexibilities that serve as important tools for cyber recruitment and retention.Benefits such as federal student loan repayment programs and other incentives can be tied to criteria outside of these IT-specific occupational series.For example,federal employers can offer a group of positions
221、aligned to the NICE Framework a retention incentive of up to 10 percent of basic pay.127 However,recruitment and retention incentives are distinct from special pay rates,which would raise the base pay rate for a subset of employees.Without a pre-established special pay rate,hiring managers have a li
222、mited ability to increase the base rate of pay for their cyber workforce,despite the competition for these in-demand employees from the private sector.OPM staff are to be sincerely commended for providing the direct-hire authorities and pay flexibility options currently available while still meeting
223、 the complex system of requirements and constraints that govern federal hiring.Amid frustrations in cyber hiring,this achievement often goes unrecognized but reflects sincere dedication,persistence,and knowledge.However,the process of implementing direct-hire authority and pay flexibilities continue
224、s to stymie cyber hiring managers,especially those attempting to hire cyber professionals who fall outside IT-specific positions.Direct-hire authorities for many positions in cyber policy,risk management,or partner engagement remain unavailable.Where direct-hire authorities and pay flexibility are a
225、vailable,further support is needed to help understaffed offices and their HR teams navigate the process.18Workforce Development Agenda for the National Cyber Director5.1 NCD Should Work With OPM to Modernize Cyber-Specific Coding Structures,Hiring Authorities,and Special Pay Rates Government-WideThe
226、 NCD,OMB,and OPM should,working together and in continual consultation with department and agency leaders,implement one of the following three options to improve the flexibility and agility of federal cyber hiring,engaging Congress as needed:Expand the coverage of existing government-wide cyber dire
227、ct-hire authorities to include all positions that carry at least one NICE Framework cybersecurity work role,thus expanding the authority beyond the 2210,0854,1550,and 0855 occupational series.128 With the support of the NCD and department and agency leaders,OPM would need to significantly expand out
228、reach to hiring and HR managers to ensure that experience,industry certifications,and other indicators are actively used to help applicants without a bachelors degree meet qualification standards for 2210 cyber positions and related direct-hire authorities.The resulting system would also need to be
229、augmented with special pay rates for the most in-demand roles.Create an entirely new family of occupational classifications for cyber work,dispensing with 2210 as an umbrella for cyber work.The new classifications would encompass positions working on cyber issues that fall within other existing clas
230、sifications(federal professionals working on policy,law,etc.)and should align with the NICE Framework for these areas to the greatest extent possible.In this case,direct-hire authorities and special pay rates would need to be expanded across all the newly created positions(except those already consi
231、dered to be excepted service positions).This could be reinforced with a congressional mandate.In this option,special attention should be given to the ability of individuals to move in and out of the new job family.Because cyber work spans numerous existing occupational series,an individuals career p
232、ath might move between some roles within a cyber series and others outside of it.Accordingly,the establishment of a new occupational series that groups those many cyber roles together would require very carefully designed,flexible requirements.Similarly,adjacent roles in non-cyber classification ser
233、ies would likely also require adjustment to accommodate this increased flexibility.Work with congressional authorizers to create an overarching program for cyber excepted service positions,decoupling hiring and pay from educational and time-in-job requirements.In essence,this option would take the a
234、uthorities that underpin CTMS and CES and expands them to the whole of the federal government.The first solution improves the incumbent system by alleviating a major challenge to federal hiring managers but does not fundamentally change the structural challenges with the system.The second would alle
235、viate many of those challenges by updating the existing system.Both of these options would be significant,yet nevertheless partial,fixes.The third solution,while initially the most difficult to enact,would provide useful and lasting results.5.2 NCD Should Work With OPM to Establish a Cadre of Human
236、Resources Specialists Trained in Cyber Hiring and Talent ManagementIn any of the pathways for restructuring policies,tools,and flexibilities described above,federal HR experts across departments and agencies will need a thorough understanding of the new systems to use them to best effect.As such,the
237、 NCD and OPM should expand efforts to build a cadre of HR specialists government-wide who are responsible for filling positions with cyber talent and for providing HR support to those positions.Having these HR specialists would reinforce many of the recommendations in this section.For example,they w
238、ould help improve consistency in data collection and strengthen the connective tissue between departments and agencies needed to advance the work of the leadership structures proposed above.Departments and agencies can further support this cadre and the overall effort by ensuring HR offices are staf
239、fed adequately to enable knowledge transfer throughout staff turnover.The NCD should work with OPM and in consultation with the Chief Human Capital Officers Council,the Chief Information Officers Council,and the Chief Learning Officers Council to establish a training program for this cadre of HR spe
240、cialists.Furthermore,the NCD should work with OMB to provide additional funding,program administration personnel,and other resources to establish and maintain the program.5.3 NCD Should Work With OPM,OMB,and the Appropriations Committees to Ensure Adequate Resourcing In any of the three options pres
241、ented in Recommendation 5.1,OPM will need support from congressional appropriators to fund the additional personnel and resourcing needed to create these new structures.OPM will also need the NCD to serve as its champion as it works to reconcile discrepancies between how hiring has conventionally be
242、en done in the federal government and the agility that departments and agencies require in their cyber talent management.Recommendation 5.2 will be key to ensuring that new structures are implemented effectively but will also add to the staffing requirements stacking up on OPMs doorstep.19Workforce
243、Development Agenda for the National Cyber DirectorRecommendations for CongressWhile this report focuses predominantly on recommendations for the NCD,the executive branch cannot operate without authorization and appropriation from Congress.Historically,Congress has played a central role in specific a
244、reas of cyber workforce development.For example,congressional appropriators have annually stepped up to reject CISAs request to eliminate the CETAP budget.However,Congress could take a more active role in other areas.For example,the GAO has twice reported concerns about department and agency efforts
245、 to implement FCWAA and has separately raised issues regarding DHS implementation of the Homeland Security Cybersecurity Workforce Assessment Act of 2014.129 GAO issued these reports in 2018 and 2019,yet Congress has neither authorized nor demanded major changes in the subsequent years.The GAO furth
246、er notes that“none of the 24 Chief Financial Officers(CFO)Act agencies have fully implemented best practices for information technology(IT)or cybersecurity workforce planning,including ensuring staff have the skills to address cybersecurity risks and challenges in areas such as industrial control sy
247、stems supporting the electric grid and avionics cybersecurity.”130 Congress track record in establishing and continuing existing programs is strong;however,there is much more Congress could do in terms of providing oversight,improvement,and growth for cyber workforce activities in the federal govern
248、ment.As such,to support federal cyber workforce development,Congress should take the following actions:6.1 Congress Should Amend the Federal Cybersecurity Workforce Assessment Act of 2015As discussed in Recommendation 1,changes to FCWAA would significantly improve the quality of data available on th
249、e federal cyber workforce.As a first order,Congress should extend FCWAA,which is due to sunset this year,131 to at least 2027.Congress should then require departments and agencies to include an estimate of the number of cyber professionals needed to reach staffing goals(funded and unfunded)and the n
250、umber of vacant cyber positions,in addition to the currently required information on work roles of critical need.This requirement to estimate the number of personnel needed to reach target staffing levels would help improve long-term workforce planning efforts.To the extent that there is a gap betwe
251、en funded positions and target staffing levels,Congress should anticipate funding requests from department and agency leaders working to close those gaps.6.2 Congress Should Increase Support for the CyberCorps:Scholarship for Service ProgramTo advance this critical program,Congress can take several
252、individual actions:Appropriate for Long-Term Growth:Adjusting for inflation,the SFS program saw a total budget increase of$5.81 million from FY12 to FY22.132 In light of the obvious national security implications of the current cyber workforce shortage,such limited program growth for a central pilla
253、r of the federal response to that shortage is alarming.The programs structure scales well,building long-term capacity for cyber education even as it graduates workers in the immediate future.It is long past time for Congress to appropriate funds to enable real growth of the SFS program.H.R.5421,the
254、America COMPETES Act of 2022,outlines an appropriations plan that would reach$90 million by FY26.133 The Cyberspace Solarium Commission previously recommended a much more ambitious increase,growing the programs budget by$20 million in a single year rather than over five.134 Nevertheless,any signific
255、ant increase is welcome after years of minimal growth in this critical cyber workforce development program.Expand Rather Than Replicate:As a testament to the success of SFS,proposals have emerged to replicate the idea in adjacent fields of study.135 Rather than creating redundant core structures and
256、 risking dividing already scarce resources,NSF should incorporate other areas of emerging technology into the existing SFS program.In fact,SFS has already added new programs incorporating these topics.For example,Oakland University is now home to Cyber Defense of Intelligent Systems;136 Fordham Univ
257、ersity received a grant for a program called Preparing Future Cybersecurity Professionals with Data Science Expertise;137 and Georgia State University now hosts a program for Cybersecurity Workforce Preparation in the Age of Artificial Intelligence.138 Not only can the current program be adapted to
258、incorporate new fields of study it is already moving in that direction.However,every addition of new fields of study must be accompanied by additional funding increases for the overall SFS program.20Workforce Development Agenda for the National Cyber Director Focus on Distributed,Not Centralized,Edu
259、cation:SFS is known for graduating federal cyber talent,but it also serves a secondary function.Through SFS,grants are awarded to institutions,which in turn may use a small portion of the award to build their cyber programs.The rest must go to scholarships for participating students.While the progra
260、m-building portion may be smaller than the scholarship,139 it can significantly improve national cyber educational capacity when used to build on participating institutions existing infrastructure.Using this distributed model to build capacity across all its grantees,the SFS program offers benefits
261、to students and communities across the country.Moreover,by improving the cybersecurity programs of participating institutions,the program serves to infuse talent throughout the national cybersecurity ecosystem at no extra cost to taxpayers.Most importantly,it does all this using existing academic in
262、frastructure,with no need to invest in new construction or start-up costs.6.3 Congress Should Provide Incentives to Develop Entry-Level Employees Into Mid-Career TalentWhile many elements of cyber workforce development have presented persistent challenges,one of the most intractable has been employe
263、rs reticence to hire and train entry-level candidates,instead focusing on the perceived shortage of experienced professionals.This preference for mid-career talent is visible in industry surveys indicating overwhelming preference for hands-on experience relative to other job candidate qualities.140
264、It also appears in patterns of demand for professional certifications,with mid-and late-career certifications far more in-demand than their early-career counterparts.141 The effect is a disconnect between jobseeker qualifications and the experience employers are seeking.To increase the supply of mid
265、-career talent,employers necessarily must invest in hiring and developing entry-level employees until those employees become mid-career talent.Congress can incentivize employers to hire and invest in early-career employees as a way to increase the future pool of mid-career professionals.Examples of
266、such incentives could include grants for employers that invest in cyber training programs targeting early-career individuals.142 In particular,grant funding could prioritize non-traditional programs that would provide a beneficial proof-of-concept for other employers.Similarly,Congress could direct
267、funding to a training partner rather than to employers to spur the development of experienced partners and make such options more available to other private-sector employers.Other incentives could include awarding federal contracting preference to companies that invest in significant training capabi
268、lities.Much like their private-sector counterparts,federal employers would also benefit from a push to invest in early-career talent development.To address this,Congress could authorize a Federal Cyber Workforce Development Institute.By centralizing cyber workforce development resources such as curr
269、icula and providing work role-specific training,such a program can make it easier for federal employers to prepare newly hired early-career personnel for federal cyber work roles.Federal programs could also include additional support for upskilling and reskilling.143 In any of these options,a key co
270、nsideration must be outreach and engagement to ensure potential beneficiaries are aware of the incentive.6.4 Congress Should Strive for Clarity in Roles and Responsibilities for Cyber Workforce Development As discussed above,one of the major challenges facing the NCD regarding cyber workforce develo
271、pment is the lack of clarity between the respective roles of different federal departments and agencies.Through a clear strategy and leadership structures,the 00162018Fiscal YearSFS Eependiture(in$M)20202022203040506070SFS Expenditure(in 2012 Constant$M)SFS Expenditure(in Real$M)44.9840.6
272、143.4843.6847.8251.2950.3849.8248.3351.9850.79Annual SFS Expenditures Adjusted for Inflation(in$M)Data sourced from the National Science Foundation21Workforce Development Agenda for the National Cyber DirectorNCD can address much of this challenge;however,it cannot be done without congressional supp
273、ort,because the authorization of these roles is fundamentally congressional jurisdiction.As different committees and members work to address the cyber workforce gap,an abundance of good intentions and informed efforts can still manifest as the authorization of duplicative and competing programs.Much
274、 as there is no clear committee of jurisdiction for cyber issues,there is no clear committee of jurisdiction for cyber workforce issues,which exacerbates the intermingling of roles currently playing out among departments and agencies.The Cyberspace Solarium Commission recommended the establishment o
275、f House Permanent Select and Senate Select Committees on Cybersecurity.144 Cyber workforce development is one of many examples that illustrate the necessity of such a drastic change.Recognizing that such a change is not imminent,Congress can still work to build greater awareness across committees of
276、 existing cyber workforce development efforts underway in different departments and agencies.The consolidation of coordination under the auspices of the NCD can serve as a key resource for ensuring Congress has a single point of contact from which to obtain the information necessary to avoid duplica
277、tion or confusion of federal roles in cyber workforce development.6.5 Congress Should Exercise Oversight of Federal Cyber Workforce Development in Each Department and AgencyIn the absence of a single congressional authorizing committee for cybersecurity,congressional focus on federal cyber workforce
278、 development tends to fall to a collection of committees that have a major oversight role in various aspects of cybersecurity.However,these are not the only committees that have a responsibility for cyber workforce oversight.Every federal department and agency has a role to play in cybersecurity,and
279、 thus each should be considering its resources for cyber workforce development.In the larger federal agencies,this role can grow to encompass hundreds or even thousands of cyber-specific employees.In addition,departments that serve as Sector Risk Management Agencies(SRMAs)in support of national crit
280、ical infrastructure cybersecurity need specific in-house cyber talent to manage public-private collaboration.SRMAs include organizations as diverse as the Department of Agriculture,the Environmental Protection Agency,and the General Services Administration.In execution of its oversight role,Congress
281、 should be asking each federal department and agency about its cyber workforce capabilities and resource requirements.Congress can further support the NCD by exercising its oversight role to encourage cross-agency workforce practices,awareness,collaboration,and innovation.6.6 Congress Should Establi
282、sh Cyber Excepted Service Authorities Government-WideAs discussed in Recommendation 5,the structure of OPMs occupational designations for cybersecurity work significantly limits the utility of existing direct-hire authorities.Recommendation 5.1 lays out three possible paths forward for OPM and the N
283、CD.Two of these three options could be carried out without new authorizing legislation(although a congressional mandate could be helpful in any case).However,the most beneficial option,creating a government-wide cyber excepted service,cannot be done without new authorizing legislation from Congress.
284、This option would maximize the federal governments flexibility in hiring and managing cyber talent,by creating systems built for the cyber workforce.Such an approach could dramatically improve the federal governments ability to attract and retain self-taught talent,community college graduates,and th
285、e many public service-minded professionals for whom the greatest recruitment incentive is the ability to constantly develop and improve their skills but who cannot justify the pay cut that leaving the private sector would entail.When aligned to the NICE Framework to the greatest extent possible,this
286、 system would also mitigate challenges in measuring and planning for the cyber workforce.Although this option has its own drawbacks for example,employees hired into excepted service roles may encounter difficulties moving to competitive service jobs later in their careers ultimately,the flexibility
287、outweighs the drawbacks given the magnitude and urgency of the cyber hiring challenge.There is strong precedent for this change,as DHS and DoD have enjoyed similar authorities since 2014 and 2015,respectively.145 Drawing on these precedents,Congress should make these authorities available across the
288、 federal workforce.6.7 Congress Should Expand Appropriations for Existing Efforts in Cyber Workforce DevelopmentWhile innovation and the establishment of new federal workforce programs will be essential,Congress should also focus on supporting programs it has already authorized.Recommendation 6.1 ab
289、ove discusses appropriations for the CyberCorps:Scholarship for Service program.Congress has authorized several other very promising programs,but many still lack sufficient funding.For example,in 2020,the Cyberspace Solarium Commission recommended that Congress codify CETAP within CISA.146 With the
290、hard work and support of members of Congress and their staffs,lawmakers did so under Section 1719 of the FY21 National Defense Authorization Act147 and reinstated the budget for the program in the FY22 omnibus bill.148 As discussed above,however,funding for this program has often been in question.As
291、 the National Academy of Public Administration recommends,DHS,CISA,and OMB“should sustain funding for CETAP in the Presidents budget request.”149 Such funding,of course,requires support from congressional appropriators,who will need to continue to set aside the executive branchs inexplicable decisio
292、ns to eliminate the program or move it to NSF.150 Similarly,22Workforce Development Agenda for the National Cyber Directorthe newly authorized RAMPS program will require attention from congressional appropriators in order to achieve results.The CBO estimated this program would cost$12 million per ye
293、ar,151 but the FY22 omnibus bill report specified only$500,000 for the new program.152 As with many cyber workforce development provisions,real progress will take real investment.Recommendations for the Private SectorProgress on cyber workforce development cannot advance in a government silo.The pub
294、lic-sector cyber workforce is a subset of the larger national workforce,so the NCD must be a part of the community of federal departments and agencies working with private-sector partners to address national cyber workforce challenges.Moreover,the NCDs strategic intent includes working with“the priv
295、ate sector to inform and drive initiatives that depend on the expertise,authorities,and resources of all parties.”153 This is a fundamentally two-sided exercise,and so this memo offers the recommendations below for private-sector partners.The private sector can play an important role in providing jo
296、b experience,hiring entry-level talent,and growing these employees into mid-career professionals.To a certain extent,this will require the private sector to accept a greater degree of risk in its HR functions as companies incorporate new hiring and professional development practices.Spending more to
297、 develop each employee increases the risk of losing that investment to poaching by a competing employer.But as more employers invest in the cyber workforce,particularly in the early-career years,the risk to the community as a whole is diminished.By facilitating collaboration across sectors and inter
298、facing with other elements of the federal government,the NCD can reduce the risk to the community as a whole and support this transition.7.1 Partners in the Private Sector Should Increase Their Investment in the Cyber WorkforceThe NCD cannot address the shortfall of cyber professionals without proac
299、tive and invested partners in the private sector.Some exemplary companies are already rising to this challenge:Microsoft,for example,has pledged to provide financial assistance to students pursuing community college degrees and industry certifications.154 The company will also offer training for fac
300、ulty at community colleges and provide them with free cybersecurity curricula and materials.This endeavors ultimate goal is to recruit an ambitious 250,000 people into the workforce by 2025.155 The Microsoft Philanthropies Technology Education and Literacy in Schools program sets another valuable pr
301、ecedent by bringing computer science educational resources to over 500 high schools per year.156 The Cyber Talent Initiative,a collaborative effort between Accenture,Mastercard,Microsoft,and Workday,is a public-private coalition that offers tuition assistance and work experience in both public-and p
302、rivate-sector workplaces.157 As a part of its Global University Programs,IBM has provided training on technology-related topics,including cybersecurity,to more than 247 faculty members at Historically Black Colleges and Universities.158 As private-sector leaders begin to distinguish themselves by in
303、vesting in their early-career cyber workforce,the NCD can help pave the way for others to join.For example,the NCD could ensure that contracting requirements do not limit federal contractors ability to hire graduates from community colleges,apprenticeship programs,or other alternatives to a bachelor
304、s degree.By helping to cut through this type of red tape,which inhibits the federal government from aligning with innovative solutions emerging from academia and the private sector,the NCD can help these new private-sector investments and solutions achieve success.7.2 Partners in the Private Sector
305、Should Develop Shared ResourcesOne of the best ways that employers can lower the costs of investing in their own workforce,and particularly in early-career talent,is to collaborate with one another.Many small companies that require only small teams of cyber professionals may not have the time or mon
306、ey to invest in a bespoke in-house training program.But when that burden is shared across several similar organizations with a shared geography,industry,or personnel need,consortium-based investment in the cyber workforce becomes more viable.Pockets of innovative workforce investments are already em
307、erging.For example,apprenticeship programs are beginning to gain real traction nationally.159 Many of these programs are sponsored by an educational institution often a university,community college,or local workforce development agency that partners with several local employers to provide on-the-job
308、 training for early-career professionals.By participating in such programs,even small employers can develop a process for building early-career employees into seasoned,mid-career assets to their companies.Employers who are ready to step up to the challenge and grow cyber talent internally should rea
309、ch out to their local cyber apprenticeship program sponsors.23Workforce Development Agenda for the National Cyber DirectorAppendix:Model Legislative TextFederal Cybersecurity Workforce Data CollectionLegend:This proposal extends the Federal Cybersecurity Workforce Assessment Act of 2015 and adds a r
310、equirement that federal departments and agencies shall provide information not only on the number of cybersecurity professionals employed and the number of posted jobs open,but also on the number of cybersecurity employees needed by the department or agency to optimally staff cybersecurity mission a
311、reas.The proposal also tasks the National Cyber Director,in cooperation with the Director of the Office of Personnel Management,with reviewing the assignment of cyber-specific employment codes to ensure consistent application of the codes across departments and agencies,and requires a GAO report aft
312、er three years.SEC._.FEDERAL CYBERSECURITY WORKFORCE DATA COLLECTION(a)The Federal Cybersecurity Workforce Assessment Act of 2015(5 U.S.C.301 note)is amended(1)In Section 304 in the matter preceding Subsection(a)by adding“And Projected Vacancy Data”before the period at the end;(2)In Section 304(a)(A
313、)in the matter preceding paragraph(1)by(i)striking“2022”and inserting“2028”;and(ii)inserting“the National Cyber Director,”after“in consultation with the Director,”;(B)redesignating paragraph(2)as paragraph(3);(C)in paragraph(1)striking the word“and”;and(D)adding the following new paragraph(2):“(2)pr
314、ovide a count of projected funded and unfunded vacancies,regardless of critical need,for positions that“(A)require the incumbent to perform,manage,or supervise functions that execute information technology,cybersecurity,or cyber-related responsibilities,and“(B)have been assigned an employment code a
315、ccording to Section 303 of this Title;and”(3)In Section 304(a)(3)(as so designated)(A)in the matter preceding subparagraph(A)by inserting“and the National Cyber Director”after“to the Director”;(B)in subparagraph(A),by striking“and”at the end;(C)in subparagraph(B),by striking the“.”at the end and ins
316、erting“;”at the end;and(D)by inserting after subparagraph(B)the following new subparagraphs(C)and(D):“(C)provides the number of vacancies identified per paragraph(2);and24Workforce Development Agenda for the National Cyber Director“(D)provides the number of additional positions within the agency tha
317、t would need to be funded in order to enable the agency to fulfill its cybersecurity mandate to the fullest extent possible.”.(4)By adding after Section 304(c)(2),a new Subsection(d):“(d)Federal Cybersecurity Workforce Data Dashboard.Not later than one year after the enactment of this act,the Direct
318、or,in coordination with the National Cyber Director,will establish and make available to federal departments and agencies an interactive digital resource to share information gathered pursuant to Subsection(a).The digital resource shall“(1)Present data updated no less frequently than once per year t
319、o align with the reports submitted per Subsection(a),and the Director is encouraged to work with departments and agencies to update the data with greater frequency;“(2)Provide data on each cybersecurity work role in the federal government coded according to the structure established in Section 303(b
320、)including vacancy rates and skill gaps;“(3)To the greatest extent possible,provide the data needed to inform department and agency cybersecurity workforce policies with empirical analytics;“(4)Provide a central repository of Office of Personnel Management materials relevant to cybersecurity workfor
321、ce management,including relevant guidance,tools,coding structures,resources,and other materials as the Director,in coordination with the National Cyber Director,deems appropriate;and“(5)Such other functions as the Director,in coordination with the National Cyber Director,deems necessary.”.(b)Review
322、of Employment Coding.Not later than 18 months after the date of enactment of this section,the National Cyber Director,in coordination with the Director of the Office of Personnel Management,shall provide an assessment of the process for,and findings of,the National Cybersecurity Workforce Measuremen
323、t Initiative required by Section 303 of the Federal Cybersecurity Workforce Assessment Act of 2015 that(1)describes the degree of consistency in the process used by heads of Federal departments and agencies in identifying the positions required and assigning employment codes;(2)identifies barriers t
324、o applying the required employment codes according to a consistent interpretation of the work roles described in the coding structure;(2)outlines any limitations on the utility of the employment codes and subsequent data collection efforts resulting from the methodology and consistency of the initia
325、tive;and(3)recommends actions,legislative changes,and/or policy changes that may be taken to improve consistency in the assignment of the employment codes and improve data collection on the federal cybersecurity workforce.(c)GAO Review.Not later than three years after the date of enactment of this s
326、ection,the Comptroller General of the United States shall submit a report to the appropriate congressional committees that describes the status of(1)implementation of the Federal Cybersecurity Workforce Assessment Act of 2015;and(2)any changes recommended by the National Cyber Director and Director
327、of the Office of Personnel Management pursuant to the reporting requirement in Subsection(b).25Workforce Development Agenda for the National Cyber DirectorFederal Cyber Workforce Development InstituteLegend:This proposal requires the National Cyber Director to develop a plan to establish an institut
328、e within the federal government that will serve as a centralized resource and training center for federal cyber workforce development.SEC._.FEDERAL CYBER WORKFORCE DEVELOPMENT INSTITUTE(a)RequiRement.(1)in GeneRal.Not later than 180 days from the date of enactment of this section,the National Cyber
329、Director,in consultation with the Secretary of Homeland Security,the Secretary of Defense,the Secretary of Commerce,the Director of the Office of Personnel Management,and such other department and agency heads as the National Cyber Director determines necessary,shall produce a plan for a federal ins
330、titute to provide training for personnel hired for cyber work roles and other federal cyber workforce development tools.(2)institute Functions.The federal workforce development institute described in the plan required under paragraph(1)shall(A)provide work role-specific training,including hands-on l
331、earning and skill-based assessments,to prepare personnel from a wide variety of academic and professional backgrounds to perform effectively in federal cyber work roles;(B)coordinate with the Secretary of Homeland Security,the Secretary of Defense,and other federal department and agency heads as the
332、 Director deems necessary to develop work role-specific curriculum for the training required in subparagraph(A);(D)prioritize entry-level positions in the provision of curriculum and training,but may also include curriculum development and training for mid-to late-career positions,and may include up
333、skilling and reskilling efforts;(D)incorporate work-based learning in personnel training;and(E)develop a badging system to communicate qualification and proficiency for individuals who successfully complete training through the institute.(3)Plan elements.The plan required under paragraph(1)shall(A)recommend an organizational placement for the institute,which may include a single federal department