The Office of Management and Budget (OMB) has issued a new Federal Cybersecurity Workforce Strategy to address the government’s shortfall in cybersecurity professionals. OMB sent a memo to all Departments and Agencies identifying workforce needs and laying out a strategy to recruit, train, develop, retain, and sustain “a capable and competent workforce in key functional areas” of cybersecurity. The memo was signed by OMB Director Shaun Donovan, Office of Personnel Management (OPM) Acting Director Beth Colbert, and the Federal Chief Information Officer (CIO) Tony Scott.
The strategy seeks to respond to what OMB calls “increasingly sophisticated and persistent cyber threats that pose strategic, economic, and security challenges” to the United States. These threats, according to OMB, require a “Federal cybersecurity workforce with the necessary knowledge, skills, and abilities to use those tools to enhance the security of the Federal digital infrastructure and improve the ability to detect and respond to cyber incidents when they occur.”
Development of the Strategy was directed by OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Government, issued in October 2015. OMB coordinated the actions of four teams composed of experts from government, the private sector, and academia that reviewed “existing and forward-leaning strategies for recruiting, developing, and retaining Cybersecurity professionals.” OMB, along with OPM, used this work to prepare the workforce strategy.
The National Cybersecurity Workforce Framework (issued last year) outlines how agencies should look at cybersecurity work and the workforce requirements and establish training and development programs. Agencies should examine cyber work roles and determine skill gaps when filling vacancies, according to the memo. The Framework directs agencies to improve cybersecurity workforce requirements by: 1) educating Human Resources and Chief Information Officer staff on the tools available from the Workforce Framework; 2) expanding cybersecurity position coding to align with vacancies; and 3) working with the private sector to look at future workforce needs.
The Strategy provides guidance on how agencies should expand the cybersecurity talent pipeline; recruit and hire skilled talent; and retain and develop that talent. The appendix to the memo sets deadlines ranging from three months to one year for completion of the requirements in each of these areas.
To expand the cybersecurity talent pipeline, the government should make long-term investments in cybersecurity education to establish “a sustainable cybersecurity workforce.” Government initiatives, such as “Computer Science for All” (aimed at P-12 students), can be used to stimulate interest in cyber-related fields. The government should also develop a cybersecurity core curriculum and agencies should work with academic institutions to identify and address skill gaps, according to the Strategy.
To recruit and hire skilled cybersecurity talent, the Strategy directs agencies to “engage in strategic recruitment and awareness campaigns” and go after talented students who may not seek out government careers. The Department of Homeland Security (DHS) will stand up a “Cybersecurity Surge Corps” that will send experts to help agencies with “incident response, systems engineering, and enterprise security.” Agencies are also directed to recruit diverse talent from veterans and current civil servants and to develop a program of rotational assignments for private sector employees, exposing them to federal service and letting them share their skills with federal staff. The Strategy also states that the government should explore the use of existing compensation flexibilities and new pay program opportunities.
To retain cybersecurity talent, OMB, OPM, DHS, and other agencies are directed to: 1) focus on retaining top performers; 2) develop a government-wide cybersecurity orientation program; 3) develop and promote career paths, rotational assignments, and mentoring and coaching programs; 4) develop and utilize existing cybersecurity training programs in related career fields; 5) develop and utilize existing competitions and credentialing programs to assist employees in qualifying for pay increases or promotions; and 6) develop a common program for training in specific professional categories of employment.