Initiative Would Define Infosec Occupations
OPM Plan Aimed to Help Agencies Hire, Retain IT Security Experts
A major problem the federal government faces in attracting and keeping cybersecurity experts is a lack of occupational classifications for information security professionals. But with the need to recruit thousands of cybersecurity professionals to the federal service, Office of Personnel Management Director John Berry deemed as a high priority the development of competency models that would lead to IT security occupational classifications.
In a memo Thursday to departmental and agency chief human capital officers, Berry unveiled the OPM initiative to develop competency models that would identify critical elements of a cybersecurity workforce throughout the federal government.
"Because cybersecurity work is performed in many different positions and places throughout the federal government, it is not easy to identify them by looking solely at job titles or organization charts," Berry wrote in the memo.
Berry is asking the chief human capital officers to provide his office by Jan. 15 documents that describe IT security positions, vacancy announcements, crediting plans, training plans, performance management plans and any studies or competency models of cybersecurity work in their departments or agencies, as well as information about agency recruitment efforts, challenges and outcomes.
OPM is partnering with the National Security Council Interagency Policy Committee Working Group on the competency model development process. Because of the many types of cybersecurity work, OPM will develop competency models using categories outlined by the NSC working group. They include:
- IT Infrastructure, Operations, Maintenance and Information Assurance: Personnel who have significant responsibilities for designing, developing, operating or maintaining the security of federal IT infrastructures, systems, applications and networks. This model includes individuals who have responsibility for maintaining the confidentiality, integrity and availability of the information contained in and transmitted from those systems and networks.
- Domestic Law Enforcement and Counterintelligence: Personnel who analyze cyber events and environments to investigate potential threats and individuals who participate in law enforcement, counterintelligence and other types of investigatory activities involving IT systems, networks and/or digital information/evidence.
- Specialized Cybersecurity Operations: Personnel employed by departments and agencies that are engaged in highly specialized and largely classified cybersecurity operations focused on collection, exploitation and response.
By late spring, Berry said he hopes to have subject matter experts review draft task and competency lists.
Recruiting cybersecurity experts has been a long-time challenge for federal recruiters, one highlighted in a report issued this summer by the not-for-profit Partnership for Public Service and the management consultancy firm Booz Allen Hamilton, which said the lack of occupational classification for IT security hampers recruiting and retention efforts.
"How are classified impacts managers' ability to bring in people with the right skills, but government is operating with an outdated and often vague job classification scheme for information security," the report states. "One of government's computer science job categories was last updated in 1988, before the Internet was even invented. In addition, there are no uniform governmentwide certification standards for specific jobs categories, no federal career path for cybersecurity specialists, insufficient specialized training for workers to upgrade skills and salary caps that lag the private sector."