An Act To require the Secretary of Homeland Security to assess the cybersecurity workforce of the Department of Homeland Security and develop a comprehensive workforce strategy, and for other purposes.   Be it enacted by the Senate and House of Representa­tives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.  This Act may be cited as the “Cybersecurity Workforce Assessment Act”.

SEC. 2. DEFINITIONS.  In this Act—(1) the term “Cybersecurity Category” means a position’s or incumbent’s primary work function involving cybersecurity, which is further defined by Specialty Area;(2) the term “Department” means the Department of Homeland Security;(3) the term “Secretary” means the Secretary of Homeland Security; and(4) the term “Specialty Area” means any of the common types of cybersecurity work as recognized by the National Initiative for Cybersecurity Education’s National Cybersecurity Workforce Framework report.

SEC. 3. CYBERSECURITY WORKFORCE ASSESSMENT AND STRATEGY.(a) Workforce Assessment.—(1) In general.—Not later than 180 days after the date of enactment of this Act, and annually thereafter for 3 years, the Secretary shall assess the cybersecurity workforce of the Department.(2) Contents.—The assessment required under paragraph (1) shall include, at a minimum—(A) an assessment of the readiness and capacity of the workforce of the Department to meet its cybersecurity mission;(B) information on where cybersecurity workforce positions are located within the Department;(C) information on which cybersecurity workforce positions are—(i) performed by—(I) permanent full-time equivalent employees of the Department, including, to the greatest extent practicable, demographic information about such employees;(II) independent contractors; and(III) individuals employed by other Federal agencies, including the National Security Agency; or(ii) vacant; and(D) information on—(i) the percentage of individuals within each Cybersecurity Category and Specialty Area who received essential training to perform their jobs; and(ii) in cases in which such essential training was not received, what challenges, if any, were encountered with respect to the provision of such essential training.(b) Workforce Strategy.—(1) In general.—The Secretary shall—(A) not later than 1 year after the date of enactment of this Act, develop a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of the Department; and(B) maintain and, as necessary, update the comprehensive workforce strategy developed under subparagraph (A).(2) Contents.—The comprehensive workforce strategy developed under paragraph (1) shall include a description of—(A) a multi-phased recruitment plan, including with respect to experienced professionals, members of disadvantaged or underserved communities, the unemployed, and veterans;(B) a 5-year implementation plan;(C) a 10-year projection of the cybersecurity workforce needs of the Department;(D) any obstacle impeding the hiring and development of a cybersecurity workforce in the Department; and(E) any gap in the existing cybersecurity workforce of the Department and a plan to fill any such gap.(c) Updates.—The Secretary submit to the appropriate congressional committees annual updates on—(1) the cybersecurity workforce assessment required under subsection (a); and(2) the progress of the Secretary in carrying out the comprehensive workforce strategy required to be developed under subsection (b).

SEC. 4. CYBERSECURITY FELLOWSHIP PROGRAM.  Not later than 120 days after the date of enactment of this Act, the Secretary shall submit to the appropriate congressional committees a report on the feasibility, cost, and benefits of establishing a Cybersecurity Fellowship Program to offer a tuition payment plan for individuals pursuing undergraduate and doctoral degrees who agree to work for the Department for an agreed-upon period of time.