Thursday, January 28, 2021

HR 117 Introduced – Cybersecurity OJT

Earlier this month Rep Jackson-Lee introduced HR 117, the DHS Cybersecurity On-the-Job Training and Employment Apprentice Program Act. The bill would require DHS to establish a program to “identify Department employees for work in matters relating to cybersecurity at the Department” {new §230A(a)}. The new program would be administered by the Cybersecurity and Infrastructure Security Agency.

NOTE: Congress.gov has added a new feature to their listings for bill language. I can now provide links to specific parts of the .txt version of the bills on their web site. That is not a major asset for a short bill like this, but for longer pieces of legislation this will be a great tool.

The Program

In carrying out this program CISA would be required to {new §230A(b)}:

• Identify diagnostic tools that can accurately and reliably measure an individual’s capacity to perform cybersecurity related jobs or serve in positions associated with network or computing security,

• In consultation with relevant Department component heads, identify a roster of positions that may be a good fit for the Program and make recommendations to the Secretary relating to such identified positions,

• Develop a curriculum for the Program, which may include distance learning instruction, in-classroom instruction within a work location, on-the-job instruction under the supervision of experienced cybersecurity staff, or other means of training and education as determined appropriate by the Secretary,

• Recruit individuals employed by the Department to participate in the Program, and

• Determine the best means for training and retention of Department employees enrolled in the Program.

No funds are appropriated for the new program.

Moving Forward

While official committee assignments have not yet been made to the House Homeland Security Committee to which this bill was assigned for consideration, Jackson-Lee has been an influential member of this Committee for a number of sessions. This bill is likely to be considered by the Committee and will probably receive bipartisan support.

If the bill makes it to the floor of the House, it will almost certainly be considered under the suspension of the rules process; limited debate, no floor amendments and a supermajority required for passage. I suspect that this bill would pass with a strong bipartisan majority.

NOTE: In the 117th Congress, that ‘supermajority’ requirement is going to be more problematic for a lot of bills. The narrower majority that the Democrats have this session combined with the larger number of more radical conservatives on the Republican side will likely mean that there will be fewer bills passed under this process. Just how many fewer remains to be seen.

Commentary

This bill will only apply to federal agencies. As such I would not normally consider covering the bill in this blog. There are, however, two provisions for the OJT program that would be developed by CISA that may have practical impact on cybersecurity training in the private sector:

• Identify diagnostic tools that can accurately and reliably measure an individual’s capacity to perform cybersecurity related jobs or serve in positions associated with network or computing security, and

• Develop a curriculum for the Program, which may include distance learning instruction, in-classroom instruction within a work location, on-the-job instruction under the supervision of experienced cybersecurity staff, or other means of training and education as determined appropriate by the Secretary.

It will be interesting to see where they get (or develop in house?) “diagnostic tools that can accurately and reliably measure [emphasis added] an individual’s capacity to perform cybersecurity related jobs”. If such tools actually exist or can be developed they will be a boon to hiring managers and trainers in the private sector. I would be very interested in seeing documentation supporting the contention of being able to ‘accurately and reliably’ measure this capacity in humans.

On a personal note, I took an early version of such a test that was provided by ITI (a 1970’s technology training company) just before I graduated from high school in 1971. As a result of the test results, I was offered a full scholarship for their two-year computer programming course. I wanted (then) to be a lawyer and politician, so I turned them down. Anyway, I have subsequently learned programming, but lack the attention-to-detail skills necessary to really become a programmer. That early aptitude test did not even try to capture that skill requirement.

The development of an actual OJT component as described in the bill would be a valuable contribution to resolving the problem of increasing the number of entry level cybersecurity professionals. Now if they could get hiring managers to look for entry level folks, it would be an even greater contribution.

A final note here. This bill was introduced on January 4th. It was just published last night. The GPO is apparently still having COVID related problems processing bills. This is going to be an increasing problem as the pandemic continues to get worse and Congress writes more bills as their operations become more normalized.
