This report outlines a path for the National Cyber Director to strengthen the federal cyber workforce and recommends actions for Congress to support efforts to grow the cyber workforce.
Executive Summary
Nearly 10 years ago, researchers hypothesized that market forces would correct the U.S. shortage of cyber professionals over time. This has not occurred, and the cybersecurity community is out of time. The pervasiveness of avoidable cyber problems such as misconfigured systems, slow patching, and insufficient attention to risk management can frequently be directly tied to cyber staffing shortages. Not only are these problems expensive to remediate after incidents occur, but they are also a threat to national security, particularly when they occur in critical-infrastructure systems or in the supply chains upon which that infrastructure depends.
For more than a decade, report after report has documented the growing number of unfilled cyber positions, both in the U.S. government and nationwide, offering strategies and recommendations to address the shortfall. These strategies and recommendations have too often gone ignored. The congressionally mandated Cyberspace Solarium Commission published a white paper on the cyber workforce in September 2020, identifying systemic barriers stymieing existing workforce development efforts. A lack of centralized leadership, insufficient coordination across the federal government, a nonexistent federal strategy to guide priorities and resources, and ineffective organizational structures all combined to limit the potential of the very programs designed to strengthen and diversify the federal and national cyber workforces.
No clear focal point for interagency coordination existed at the time of the Commission’s report, but the July 2021 confirmation of the first-ever national cyber director (NCD) has created a new opportunity to overcome these pervasive barriers. The first section of this memorandum outlines a path forward for the NCD to grow and strengthen the federal cyber workforce and coordinate federal support for national cyber workforce development.
In many cases, the NCD will need legislative support, so the second section of the memorandum recommends actions Congress can take to support federal efforts to grow the cyber workforce. These actions include extending the Federal Cybersecurity Workforce Data Collection Act, establishing a Federal Cyber Workforce Development Institute, and authorizing a Federal Excepted Cyber Service
While these recommendations focus on the federal government in the first instance, the federal and national cyber workforces ultimately draw from the same community of professionals, so effective approaches must address both. Accordingly, the third section of this memorandum outlines actions that private-sector leaders can take to support the NCD’s priorities and national cyber workforce development more generally.
Recommendations for the National Cyber Director
Recommendation 1: Establish a Process for Ongoing Cyber Workforce Data Collection and Evaluation
- 1.1 – NCD and OPM should provide expanded support for cyber workforce data collection
- 1.2 – NCD should work with heads of federal departments and agencies to ensure accountability for data mandates
- 1.3 – NCD should work with OPM to share data on the federal cyber workforce
- 1.4 – NCD should work with NSF to add to data on the national cyber workforce
Recommendation 2: Establish Leadership and Coordination Structures
- 2.1 – NCD should establish and chair a cyber workforce steering committee
- 2.2 – NCD should establish a cyber workforce coordinating working group
Recommendation 3: Review and Align Cyber Workforce Budgets
- 3.1 – Working with OMB, NCD should review budgets for cyber workforce programs
Recommendation 4: Create a Cyber Workforce Development Strategy for the Federal Government
- 4.1 – NCD should establish a cyber workforce development strategy for the federal government
Recommendation 5: Revamp Cyber Hiring Authorities and Pay Flexibilities Government-Wide
- 5.1 – NCD should work with OPM to modernize cyber-specific coding structures, hiring authorities, and special pay rates government-wide
- 5.2 – NCD should work with OPM to establish a cadre of human resource specialists trained in cyber hiring and talent management
- 5.3 – NCD should work with OPM, OMB, and the appropriations committees to ensure adequate resourcing
Recommendations for Congress
- 6.1 – Congress should amend the federal cybersecurity workforce assessment act of 2015
- 6.2 – Congress should increase support for the CyberCorps: Scholarship for Service program
- 6.3 – Congress should provide incentives to develop entry-level employees into mid-career talent
- 6.4 – Congress should strive for clarity in roles and responsibilities for cyber workforce development
- 6.5 – Congress should exercise oversight of federal cyber workforce development in each department and agency
- 6.6 – Congress should establish cyber excepted service authorities government-wide
- 6.7 – Congress should expand appropriations for existing efforts in cyber workforce development
Recommendations for the Private Sector
- 7.1 – Partners in the private sector should increase their investment in the cyber workforce
- 7.2 – Partners in the private sector should develop shared resources