Earlier this month Rep. Lee (D,NV) introduced HR 2721,
the Cyber Ready Workforce Act. The bill would require the Department of Labor
to establish a grant program “to support the establishment, implementation, and
expansion of registered apprenticeship programs in cybersecurity” {§4(a)}.
Apprenticeship Programs
The program to be established would {§4(b)}:
• Lead to industry-recognized certification in
cybersecurity;
• Encourage stackable and portable credentials; and
• Lead to occupations such as computer support
specialists, cybersecurity support technicians, cloud computing architects,
computer programmers, computer systems analysts, or security specialists.
The bill provides a list of potential certificates that
would include {§4(b)(1)}:
• CompTIA Network+;
• CompTIA A+;
• CompTIA Security+;
• Microsoft Windows 10 Technician;
• Microsoft Certified System Administrator;
• Certified Network Defender;
• Certified Ethical Hacker;
• ISACA Cybersecurity Nexus (CSX);
• (ISC)2’s Certified Information Systems Security
Professional (CISSP); or
• Other industry-recognized certification in
cybersecurity.
The bill would authorize “such sums as may be necessary to carry out
this Act” {§6}.
Moving Forward
Lee and one of her three cosponsors {Rep. Stefanik (R,NY)} are
members of the House Education and Labor Committee to which this bill was
assigned for consideration. This means that there should be enough influence to
see this bill considered in Committee.
There is nothing in this bill that would engender any
significant opposition. The vague ‘such funds as may be necessary’
authorization included in the bill may be weasel-worded enough to prevent
spending issues from clouding the consideration of the bill. If the bill
receives substantial bipartisan support in Committee, this bill would likely
move to the floor of the House under the suspension of the rules process.
Commentary
The list of ‘cybersecurity certifications’ in the bill is
rather interesting. Most of the certs listed are not directly cybersecurity related,
though they could be useful to cybersecurity professionals. What is disappointing
is that there is not a single certification listed that specifically addresses
control system security (or design). I would have liked to have seen something
like the Global Industrial Cyber Security Professional (GICSP) program listed. Control
system security programs could be included in the catch-all ‘other industry recognized
certification’, but the lack of mention of even one such program again shows
how little knowledge congresscritters (and their staffs) have about control
system security issues.