The latest executive order from the White House blends old ideas with new incentives to help attract and retain information security talent in the federal workforce, but the lack of details makes it difficult to assess the effectiveness of these plans.
There are more than 300,000 open cybersecurity positions in the U.S., and security experts have been increasingly alarmed at what they perceive as a growing skills gap and the difficulty in finding enough people to fill the jobs. Add in the fact that private sector jobs typically pay more than the public sector, and government jobs don't look as appealing.
The executive order’s plans include creating more training opportunities such as work-based training, apprenticeships, and “blended learning” programs for both newcomers to information security and seasoned practitioners. The proposed “cybersecurity rotational assignment program” would temporarily assign federal employees between different agencies and departments to build expertise and learn skills.
The order calls for federal agencies to adopt NIST's Cybersecurity Workforce Framework and the National Initiative for Cybersecurity Education (NICE) framework to add some consistency in how security professionals are recruited. The order also instructed the Director of the Office of Personnel Management to compile a list of aptitude tests that agencies should use to evaluate security practitioners.
Can DHS Deliver?
It’s a positive sign that the government is providing incentives to build up its security workforce, but prior decisions may hamper the government’s ability to carry out the plans. The order directed the Department of Homeland Security to run several of the programs, but the agency’s ability to carry out its cybersecurity mission is far from certain at this time. With the abrupt departure of Kirstjen Nielsen as DHS secretary, the government has a gap in security expertise among its civilian leaders.
Cybersecurity and Infrastructure Security Agency director Chris Krebs is one of the few people left in the government with the background and expertise to speak about civilian security initiatives. The other is the former director of the Secret Service, Randolph Alles, who oversaw investigations into online fraud and other cyberattacks. Alles will bring that experience to his new role as DHS acting deputy under-secretary for management.
Over the past two years, the role of the White House cybersecurity coordinator was eliminated, a number of security experts left the Federal Bureau of Investigation after James Comey was fired, and Homeland Security advisor Tom Bossert left last year. A wave of departures in DHS may be possible in the aftermath of Nielsen’s resignation, which could impact the agency’s ability to handle its current workload, let alone take on new roles.
DHS and CISA have said they will be able to keep up with their security work. “Professionals will keep doing their job regardless of the politics,” Jeanette Manfra, CISA’s assistant director for cybersecurity, said on April 10 at an event hosted by the Atlantic. Manfra acknowledged the leadership changes were disruptive, but said “it really has no impact on our mission.”
DHS is responsible for coordinating cybersecurity and infrastructure security efforts and supporting all of the functions relating to critical infrastructure. Any departures could impact the government's ability to respond to cyber threats.
DHS may wind up being one of the early beneficiaries of these programs outlined in the executive order.
The rotational assignment program outlined in the order will temporarily reassign federal IT and digital security practitioners to work in DHS and other agencies to encourage knowledge sharing, expose employees to agency-specific challenges, and develop risk-management experience. This kind of program would give existing IT employees access to security training they may otherwise not get.
The program will be led by the Department of Homeland Security, along with the directors of the Office of Personnel Management and the Office of Management and Budget. The order calls for this program to be developed within 90 days.
If this idea sounds familiar, it’s because the Senate just unanimously passed the bipartisan Federal Rotational Cyber Workforce Program Act of 2019. Under the Senate legislation, federal employees would rotate between different agencies for terms of 180 days to one year. The legislation directed DHS and OPM to first “develop a list of rotational cyber workforce positions” and update the list annually.
The executive order may get the program started without waiting for the House to vote on the legislation.
The program will be based on National Institute of Standards and Technology (NIST)’s NICE cybersecurity workforce framework for identifying, recruiting, developing, and retaining security talent. NICE’s guidelines on how to move between public and private sector jobs may be the basis of whatever plan the government develops to carry out the executive order’s directive to make it easier for professionals to move between sectors. NICE defines a standard terminology and taxonomy for describing functions and roles, which will help different groups clarify what they are looking for when drawing up IT and security service contracts.
Cup, Aptitude Tests
The order describes an annual tournament, the President’s Cup Cybersecurity Competition, which will let government employees and armed service members compete in individual and team events to win cash awards, honorary awards, time off, and other types of compensation. The PCCC, which will be held sometime in 2019, will reward top professionals, the order said. The secretary of the Department of Homeland Security will manage the competition.
The Presidential Cybersecurity Education Awards will recognize elementary and secondary school educators who teach cybersecurity.
The directive to the OPM director to work with Commerce, DHS, and other agencies to develop aptitude assessments, in order to identify employees who should receive security training, will help existing employees interested in switching roles. This kind of assessment is promising because it can bring in individuals who otherwise may not have the opportunity.
The goal of the executive order is to create a larger pool of skilled security talent shared between private businesses and the federal government, and the plans and incentives have the potential to create some excitement. There are other ongoing pilot programs, such as the Federal Cybersecurity Reskilling Academy from the Department of Education and the CIO Council’s Workforce Committee, which provides non-IT employees with hands-on security training to become defense analysts within the government.
However, the biggest draw for candidates—other than appealing to individual civic duty—to public sector jobs was stability. The funding fight that shut down portions of the federal government for 35 days in December and January is expected to impact recruitment and retention. The threat of not getting paid is a risk many people don't want to deal with. The current leadership changes and the salary discrepancies don’t help, either.