The House Homeland Security Committee will vote Oct. 29 on legislation aimed at strengthening the cybersecurity workforce at the Department of Homeland Security.
The legislation, HR 3107, is known as the Homeland Security Cybersecurity Boots-on-the-Ground Act, and would require DHS to develop:
- Occupation classifications for individuals performing activities to advance its cybersecurity mission. DHS would be required to ensure that the classifications be made available to other federal agencies.
- A workforce strategy that enhances the readiness, capacity, training, recruitment and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs.
- A process to verify that employees of independent contractors who serve in DHS cybersecurity positions receive initial and recurrent information security and role-based security training commensurate with assigned responsibilities.
The bill also directs DHS's chief human capital officer and chief information officer to assess the readiness and capacity of the department to meet its mission to protect government and private-sector IT. It requires the DHS secretary to provide Congress with updates on the development and implementation of cybersecurity strategies, assessments and training.
Jane Holl Lute, who stepped down in April as DHS deputy secretary, says provisions in the bill would reinforce steps already taken by the department. Lute, chief executive of the Council on Cybersecurity, a not-for-profit promoting a secure Internet, says DHS had assigned each of some 1,500 positions in the department to one of 11 critical cybersecurity skill areas.
Lute says future hiring will be based on those designated skills. "DHS has refined the job descriptions, standards of competency performance and other requirements of each of these positions," she says. "The plan was to offer this material to all federal departments."
Evolving InfoSec Workforce
Diana Burley, associate professor at George Washington University's Graduate School of Education and Human Development, says recruitment plans are valuable, but they depend in large part on the ability of each agency to define occupations (see Pitfalls of Professionalizing InfoSec).
But Burley says it will be very difficult for DHS to develop a 10-year projection for a cybersecurity workforce. "The full scope of the workforce has yet to be defined, and the nature of the work - and thus, the workforce - is constantly evolving."
The sponsor of the bill, Rep. Yvette Clarke, a New York Democrat who is the ranking member of the panel's cybersecurity subcommittee, says the legislation is aimed at helping battle cyberthreats "by establishing a process for recruiting and retaining high-level specialists in cybersecurity at the Department of Homeland Security that other federal agencies and private companies will have the ability to access."
DHS has had problems recruiting qualified IT security personnel. In September, the Government Accountability Office reported that DHS's National Protection and Programs Directorate's Office of Cybersecurity and Communications, which houses much of the department's cybersecurity personnel, had a vacancy rate of 22 percent as of June (see DHS's Huge Cybersecurity Skills Shortage).
Lack of Clearly Defined Skills
David Maurer, GAO director of homeland security and justice issues, says IT security recruitment at DHS is hampered by the lack of clearly defined skill sets or a unique occupational series. Maurer says DHS officials told the congressional auditors that they're working to better define and strengthen the required skills set for cybersecurity personnel, including pursuing a specific cybersecurity personnel jobs series, which could help improve recruiting and hiring.
Karen Evans, national director of U.S. Cyber Challenge, a group focused on building America's IT security workforce, says defining specific IT security occupations would help agencies, including DHS, determine what skills should be applied to particular jobs.
"If you came up with specific labor categories or these job classification series, then employers would be able to better provide worker balance and recruit," says Evans, who formerly served as the federal government's administrator for e-government and information technology, a post that now has the additional title of federal chief information officer.
Evans says most IT security personnel are classified in one of a few general computer job series. "It's really hard to recruit [without occupation classifications] because you're not necessarily sure what people's experience level is because everybody is lumped into one series," she says.
The Office of Personnel Management is working with other federal agencies on a special workforce project that requires agencies' cybersecurity, information technology and human resources organizations to build a statistical data set of existing and future cybersecurity positions, to be stored in OPM's data warehouse by Sept. 30.
"The new databank will enable agencies to identify and address their needs for cybersecurity skill sets to meet their missions," OPM Acting Director Elaine Kaplan says in a memo issued in July.
Defining the Cybersecurity Workforce
In her memo, Kaplan referenced work being conducted by the National Initiative for Cybersecurity Education, which has issued the National Cybersecurity Workforce Framework, comprising 31 specialty IT security areas organized into seven categories:
- Securely provision: Conceptualizing, designing and building secure information technology;
- Operate and maintain: Providing support, administration and maintenance necessary to ensure effective and efficient information technology system performance and security;
- Protect and defend: Identifying, analyzing and mitigating threats to internal IT systems or networks;
- Investigate: Probing cyber-events and/or crimes of IT systems, networks and digital evidence;
- Collect and operate: Collecting cybersecurity information that could be used to develop intelligence;
- Analyze: Reviewing and evaluating incoming cybersecurity information to determine its usefulness for intelligence; and
- Oversight and development: Providing leadership, management, direction and/or development and advocacy so that individuals and organizations can effectively conduct cybersecurity work.