Last week Rep Jackson-Lee introduced HR 5942,
the DHS Cybersecurity On-the-Job Training and Employment Apprentice Program
Act. The bill would require DHS to establish a cybersecurity on-the-job
training and apprenticeship program with the Cybersecurity and Infrastructure
Security Agency (CISA) to fill cybersecurity vacancies within the Agency.
The Program
The bill would amend the Homeland Security Act of 2002 to
include a new §2215, DHS Cybersecurity on-the-Job Training and Employment
Apprentice Program. CISA would be required to {new §2215(b)}:
• Submit to the Secretary a monthly
report on the status of vacancies in cybersecurity positions throughout the
Department;
• Identify diagnostic tools that
can accurately and reliably measure an individual’s capacity to perform
cybersecurity related jobs or serve in positions associated with network or
computing security;
• In consultation with relevant
Department component heads, identify a roster of positions that may be a good
fit for the Program and make recommendations to the Secretary relating to such
identified positions;
• Develop a curriculum for the
Program, which may include distance learning instruction, in classroom
instruction within a work location, on-the-job instruction under the
supervision of experienced cybersecurity staff, or other means of training and
education as determined appropriate by the Secretary;
• Recruit individuals employed by
the Department to participate in the Program;
• Determine the best means for
training and retention of Department employees enrolled in the Program;
• Maintain an accurate numeration
and description of all filled and unfilled cybersecurity positions within the
Department by office and component;
• Keep up-to-date a roster of open
positions relating to cybersecurity, as determined and approved by the
Secretary, and the skills applicants must attain to qualify to fill such
positions;
• Maintain information on
individuals enrolled in the Program; and
• Annually submit to Congress a
report containing information relating to the duties specified in this
subsection.
Moving Forward
Jackson-Lee is an influential member of the House Homeland
Security Committee to which this bill was assigned for consideration. It is
very likely that this bill will be considered in Committee. I do not see
anything in this bill that would engender any significant opposition and I
suspect that the bill will receive significant bipartisan support both in the
Committee and on the floor of the House. If it makes it to the floor, it will
be considered under the suspension of the rules process; with limited debate,
no floor amendments and requiring a supermajority for passage.
Commentary
On-the-job training and apprenticeship programs are
certainly well-established mechanisms to build a technically trained workforce.
Who could possibly be against such a program where there is a well-known skill
shortage as there is in the cybersecurity field? Okay, I am not against the
idea, but this implementation is flawed.
First, I have to acknowledge that this bill is almost
certainly deliberately light on details for the Program. This provides maximum
leeway for experts on the ground to craft a program that will provide an
effective training development process; too much political control from
Congress will certainly impede innovation. This is a good thing.
Having said that, there are some flaws in the approach taken
in this bill. My first concern is the assignment of this program to CISA. CISA
is not a training management organization nor does it have human resources
authority over other agencies within DHS. If this is going to be a
Department-wide training effort then it needs to be run out of the Office of the Secretary,
probably under the Assistant Secretary for Cyber Policy.
Any federal cybersecurity training effort that does not
utilize the expertise and programs established by the National Institute of
Standards is going to spend a great deal of time and effort reinventing
programs, technologies and techniques already perfected by NIST. Any training
program authorization should include, somewhere, “in consultation with the
Director of the National Institute of Science and Technology”.
Another problem with this proposal is that it takes people
out of existing positions within the Department and moves them into
cybersecurity positions. This is good for the shortages in cybersecurity, but
with the ongoing problems that agencies in DHS have in hiring and retaining
people, this is only going to exacerbate the problems in other job categories
within the agency. Provisions need to be made in a bill like this to include
hiring folks, probably specifically including recently released veterans, to move
into these training slots.
A bill like this would also be a good place to require the
development of a cybersecurity training program for personnel not working in a
cybersecurity position. That may be asking a bit much, but it is becoming
increasingly obvious that too many attack vectors utilize actions by inadequately
trained personnel to gain a network foothold.
Finally, and you knew it was coming, I am concerned about
the lack of definitions, particularly of the term ‘cybersecurity’ in this bill.
Lacking definitions in this new proposed §2215, we would have to rely on
definitions from 6 USC 651. There are two ‘cybersecurity’ related definitions
in that section; one relies on the IT restrictive definition of ‘information system’
in §659 and the other on the control system inclusive definition in §1501. That poses
some potential problems down the road.
While I would prefer to see a total revamping of the
cybersecurity definitions (see my rant) that would not really be appropriate
here; so I would propose using
the following definitions to be included in a newly inserted §2215(b):
(b) Definitions – In this
section:
(1) Cybersecurity - the term ‘cybersecurity’
means actions, skills, policies or procedures that fulfill a cybersecurity
purpose as that term is defined in 6 USC 1501; and
(2) Cybersecurity Position –
the term ‘cybersecurity position’ means any position within the Department of
Homeland Security where the principal duties include:
(A) Developing, implementing or
inspecting defensive measures as that term is defined in §1501; or
(B) Directly supervising one or
more personnel performing duties described in (A).