Just before the summer recess Sen. Bennet (D,CO) introduced S 2007,
the Federal Cybersecurity Workforce Assessment Act. This bill specifically
deals with federal employees who hold positions that “require the performance
of information technology, cybersecurity, or other cyber-related functions”,
but it would have both short-term and long-term consequences for the civilian
job market in these areas.
Workforce Measurement
Section 3 of the bill would establish the National
Cybersecurity Workforce Measurement Initiative. It would require:
∙ The Secretary of Commerce to update the National Initiative for
Cybersecurity Education’s Cybersecurity
Workforce Framework to include establishing employment codes for positions
that require the performance of information technology, cybersecurity, or other
cyber-related functions {§3(b)(1)(A)};
∙ The Secretary to establish procedures to identify all federal
positions meeting the coding requirements established above {§3(b)(1)(A)}; and
∙ All Federal agency heads to identify positions within their
agencies that meet those coding requirements under the procedures established
above {§3(a)}.
The section then goes on to require each agency to report to
its respective congressional oversight committees an assessment of its
workforce meeting the newly established employment coding requirements. That
assessment would include {§3(b)(1)(D)}:
∙ The percentage of those personnel that “currently hold the
appropriate industry-recognized certifications as identified in the National Initiative
for Cybersecurity Education’s Cybersecurity Workforce Framework”;
∙ The level of preparedness of other civilian and non-civilian
cyber personnel without existing credentials to pass certification exams; and
∙ A strategy for mitigating any gaps identified in clause (i) or
(ii) with the appropriate training and certification for existing personnel.
Cyber-Related Roles of Critical Need
Section 4 of the bill would require each Federal agency head
to report to the Office of Personnel Management (OPM), identifying and justifying the “information
technology, cybersecurity, or other cyber-related roles of critical need in the
agency’s workforce” {§4(a)}. In turn, the Director of OPM would provide agencies
with procedures for identifying those critical need positions with ‘acute skill
shortages’ or ‘emerging skill shortages’.
Finally, two years after the enactment of this bill, OPM would
prepare a report to Congress on the implementation of this process.
Moving Forward
While Sen. Bennet is not a member of the Senate Homeland
Security and Governmental Affairs Committee (the Committee designated to
consider this bill), his co-sponsor, Sen. Portman (R,OH), is a relatively senior
member of that Committee. Thus, there may be enough political pull to get this
bill considered in the Committee.
Since there are no new funds included in the bill, and it
essentially only requires reporting to Congress about the well-known problems in
the Federal cybersecurity workforce, there would be little opposition to
passage of this bill if it were to make its way to the floor of the Senate. I
don’t see any quick action in that direction with all of the other priorities
that Congress faces in the next couple of months.
Commentary
This bill has an unfortunately common failure of not
defining critical terms. One important term used here is ‘appropriate
industry-recognized certifications’. The bill leaves that term to be defined by the
National Initiative for Cybersecurity Education (NICE) in its Cybersecurity Workforce
Framework. Looking at the NICE web site, it in turn points to the
Department of Labor for a listing of such certifications. The list
provided for certifications of ‘information security analysts’ includes 148
certifications from over 30 different organizations.
If this bill were to be enacted, there would obviously be a
push by most agency heads to increase the number of IT and cybersecurity
personnel who hold ‘appropriate’ certifications. Since no additional funding would
be provided, efforts would be focused on those certification programs that cost
the least amount of money. Even so, the money would have to come from someplace
in the agency budgets, so other discretionary budget items would be adversely
affected.
This emphasis on certifications would also have a
significant impact on the hiring process. With this being a reportable
statistic it is almost certain that if the bill passes all new hires would be
required to have some sort of IT or cybersecurity certification.
All of this ignores the ongoing discussion within the
cybersecurity community about certifications and qualifications in general. The
control system security community in particular is still a fairly young
community with a significant percentage of practitioners either being
self-trained or having learned their craft in an informal apprenticeship
program. At this stage in the development of the field reputation still counts
more than degrees or certifications.
But this bill does point out, if only implicitly, the problems that
hiring managers are facing as the field grows at a tremendous pace, with job
postings increasing every day. How does a hiring manager ensure that a
candidate is qualified for a job? The IT side of the house is a little bit
easier, as there have been degree programs for IT specialists for quite some
time. This is much less true in the cybersecurity realm, and degree programs for
control system security practitioners are few and far between.
If the Federal government moves to relying on certification
programs (and I think that is almost inevitable whether or not this bill
passes), industry is going to follow in those footsteps. The cybersecurity
community needs to start thinking about what it wants that certification process
to look like and how it will be controlled. Is it practical for there to be 30
different certifying organizations putting out 148 certification programs for
information security analysts? Do we eliminate ineffective certification
programs, or do we need a ranking system that points to the certificates that
imply a higher level of skill and working knowledge?
This debate needs to be seriously undertaken and resolved by
the cybersecurity community now or the Federal government is going to step in
and establish their own rules. We have all seen how effective that can be.