[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


   EXAMINING DHS'S EFFORTS TO STRENGTHEN ITS CYBERSECURITY WORKFORCE

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                AND THE

                            SUBCOMMITTEE ON
                             OVERSIGHT AND
                         MANAGEMENT EFFICIENCY

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 7, 2018

                               __________

                           Serial No. 115-52

                               __________

       Printed for the use of the Committee on Homeland Security
                                     


[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________


                   U.S. GOVERNMENT PUBLISHING OFFICE                    
30-788 PDF                  WASHINGTON : 2018                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected]. 



                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
                   Brendan P. Shields, Staff Director
                    Steven S. Giaier, Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania   Val Butler Demings, Florida
Don Bacon, Nebraska                  Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
             Kristen M. Duncan, Subcommittee Staff Director
                                 ------                                

          SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY

                  Scott Perry, Pennsylvania, Chairman
                                     J. Luis Correa, California
John Ratcliffe, Texas                Kathleen M. Rice, New York
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia     Bennie G. Thompson, Mississippi 
Ron Estes, Kansas                        (ex officio)
Michael T. McCaul, Texas (ex 
    officio)
               Diana Bergwin, Subcommittee Staff Director
      Erica D. Woods, Interim Subcommittee Minority Staff Director
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Scott Perry, a Representative in Congress From the 
  State of Pennsylvania, and Chairman, Subcommittee on Oversight 
  and Management Efficiency:
  Oral Statement.................................................     4
  Prepared Statement.............................................     6
The Honorable J. Luis Correa, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Oversight and Management Efficiency:
  Oral Statement.................................................     3
  Prepared Statement.............................................     4
The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Committee on Homeland 
  Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     8
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     9
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity and Infrastructure Protection:
  Prepared Statement.............................................    12

                               Witnesses

Mr. Gregory Wilshusen, Director of Information Security Issues, 
  Government Accountability Office:
  Oral Statement.................................................    14
  Prepared Statement.............................................    15
Ms. Angela Bailey, Chief Human Capital Officer, Management 
  Directorate, U.S. Department of Homeland Security:
  Oral Statement.................................................    22
  Joint Prepared Statement.......................................    23
Ms. Rita Moss, Director, Office of Human Capital, National 
  Protection and Programs Directorate, U.S. Department of 
  Homeland Security:
  Oral Statement.................................................    28
  Joint Prepared Statement.......................................    23

                                Appendix

Questions From Chairman John Ratcliffe for Gregory C. Wilshusen..    47
Questions From Honorable Ron Estes for Gregory C. Wilshusen......    48
Questions From Chairman John Ratcliffe for the Department of 
  Homeland Security..............................................    48
Questions From Honorable Ron Estes for the Department of Homeland 
  Security.......................................................    51

 
   EXAMINING DHS'S EFFORTS TO STRENGTHEN ITS CYBERSECURITY WORKFORCE

                              ----------                              


                        Wednesday, March 7, 2018

       U.S. House of Representatives,      
        Committee on Homeland Security,    
                 Subcommittee on Cybersecurity and 
                     Infrastructure Protection, and
                             Subcommittee on Oversight and 
                                     Management Efficiency,
                                                    Washington, DC.
    The subcommittees met, pursuant to notice, at 2:05 p.m., in 
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
[Chairman of the Cybersecurity and Infrastructure Protection 
subcommittee] presiding.
    Present: Representatives Ratcliffe, Perry, Katko, Higgins, 
Donovan, Garrett, Estes, Fitzpatrick, Correa, Jackson Lee, 
Langevin, Barragan, and Demings.
    Also present: Representative McCaul.
    Mr. Ratcliffe. Good afternoon. The Committee on Homeland 
Security, Subcommittees on Cybersecurity and Infrastructure 
Protection and Oversight Management Efficiency will come to 
order.
    The subcommittees are meeting today to examine how the 
Department of Homeland Security is working to address its 
cybersecurity work force needs. I now recognize myself for an 
opening statement.
    I would like to begin by thanking our panel for taking the 
time to be here to testify today. Your thoughts and opinions 
certainly are important as we oversee the implementation of 
work force authorities at the Department of Homeland Security.
    We have seen cyber attacks affect almost every facet of our 
daily lives, with sometimes devastating impact. They remind us 
how vulnerable governments and economies are to the very real 
threat that our cyber adversaries pose.
    As the lead civilian agency for our Federal cybersecurity 
posture, the Department of Homeland Security is a key piece of 
this equation, especially the National Protection Programs 
Directorate. A knowledgeable and skilled cybersecurity work 
force at DHS is on the front lines of securing our Federal 
networks and protecting our critical infrastructure.
    It is against this backdrop that DHS must compete with the 
private sector to recruit and to retain the best talent 
possible, in order to carry out its cybersecurity mission and 
protect our critical infrastructure. In 2014 Congress passed 
several pieces of legislation in order to augment the 
cybersecurity work force at DHS, including the Homeland 
Security, Cybersecurity Workforce Assessment Act and the Border 
Patrol Agent Pay Reform Act.
    Among other effects, these laws expanded DHS's hiring 
authorities and allowed the Department to better recruit and 
hire qualified cyber professionals. Unfortunately, these new 
authorities have not yet been fully implemented.
    Last month, the Government Accountability Office released a 
report entitled, ``Urgent need for DHS to take actions to 
identify its position and critical skill requirements.'' The 
findings are pretty troubling. While DHS has taken actions to 
idetify, categorize, and assign employment codes to its 
cybersecurity positions, its efforts have been neither timely, 
nor complete.
    Identifying DHS work force capability gaps and recruiting 
to fill them, is a problem that this committee has long 
examined. However, GAO found that DHS has not identified its 
Department-wide security or cybersecurity critical needs. 
Ensuring that DHS collects complete and accurate data on all 
filled and vacant cybersecurity positions for identification 
and coding efforts is a task that DHS must not ignore, nor fail 
to complete. A scatter-shot approach to fulfilling work force 
needs without comprehensive data to back up those needs is not 
an effective use of Federal resources.
    In fact, there may even be the potential of delaying 
assistance to critical infrastructure sectors and State and 
local governments if DHS does not have an adequate amount of 
cyber workers with the correct skills. At the same time, I am 
pleased to hear that DHS acknowledged and agreed with all of 
the recommendations presented by GAO in this report.
    DHS will create a periodic review process for cyber roles 
by the end of next month, and, most importantly, DHS promised 
to develop Department-wide guidance for identifying areas and 
positions of critical need by this summer.
    While DHS must work to overcome slow hiring processes and 
work force pipeline issues in order to build the essential work 
force required to meet its cyber mission, at the end of the day 
DHS cannot bring people into the hiring pipeline if it does not 
have accurate accounting of what its current and future needs 
really are.
    NPPD is our Government's premier civilian cybersecurity 
agency, a distinction that I hope will soon be bolstered by its 
elevation to the Cybersecurity and Infrastructure Security 
Agency, with pending legislation over in the Senate.
    So let us look at some of the challenges we will be 
discussing today as collective opportunities to lead together. 
We must get this right, and I believe that we will.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                             March 7, 2018
    I would like begin by thanking our panel for taking the time today 
to testify. Your thoughts and opinions are very important as we oversee 
the implementation of workforce authorities at the Department of 
Homeland Security.
    We have seen cyber attacks affect almost every facet of our daily 
lives with devastating impacts, and they remind us of how vulnerable 
governments and economies are to the very real threat that our cyber 
adversaries pose. As the lead civilian agency for our Federal 
cybersecurity posture, the Department of Homeland Security is a key 
piece of this equation, especially the National Protection and Programs 
Directorate. A knowledgeable and skilled cybersecurity workforce at DHS 
is on the front lines of securing our Federal networks and protecting 
critical infrastructure.
    Against this backdrop, DHS must compete with the private sector to 
recruit and retain the best talent possible in order to carry out its 
cybersecurity mission and protect our critical infrastructure. In 2014, 
Congress passed several pieces of legislation in order to augment the 
cybersecurity workforce at DHS, including the Homeland Security 
Cybersecurity Workforce Assessment Act and the Border Patrol Agent Pay 
Reform Act. Among other effects, these laws expanded DHS's hiring 
authorities and allowed the Department to better recruit and hire 
qualified cyber professionals. Unfortunately, these new authorities 
have not yet been fully implemented.
    Last month, the Government Accountability Office released a report 
entitled ``Urgent Need for DHS to Take Actions to Identify Its Position 
and Critical Skill Requirements''--and the findings are troubling. 
While DHS has taken actions to identify, categorize, and assign 
employment codes to its cybersecurity positions, its efforts have been 
neither timely nor complete. Identifying DHS workforce capability gaps 
and recruiting to fill them is a problem this committee has long 
examined; however, GAO found that DHS has not identified its 
Department-wide cybersecurity critical needs. Ensuring that DHS 
collects complete and accurate data on all filled and vacant 
cybersecurity positions for identification and coding efforts is a task 
that DHS must not ignore or fail to complete. A scattershot approach to 
fulfilling workforce needs without comprehensive data to back those 
needs up is not an effective use of Federal resources. In fact, there 
may even be the potential of delaying assistance to critical 
infrastructure sectors and State and local governments if DHS does not 
have an adequate amount of cyber workers with the correct skills.
    At the same time, I am pleased to hear that DHS acknowledged and 
agreed with all of the recommendations presented by GAO in this report. 
DHS will create a periodic review process for cyber roles by the end of 
next month, and, most significantly, DHS promised to develop 
Department-wide guidance for identifying areas and positions of 
critical need by this summer. While DHS must work to overcome slow 
hiring processes and workforce pipeline issues in order to build the 
essential workforce required to meet its cyber mission, at the end of 
the day, DHS cannot bring people into the hiring pipeline if it does 
not have accurate accounting of what its current and future needs are.
    NPPD is our Government's premier civilian cybersecurity agency--a 
distinction that I hope will soon be bolstered by its elevation to the 
Cybersecurity and Infrastructure Security Agency with pending 
legislation in the Senate. So let us look at some of the challenges we 
will be discussing today as collective opportunities to lead together. 
We must get this right, and I believe that we will.

    Mr. Ratcliffe. The Chair now recognizes the gentleman from 
California, Mr. Correa, for any statement that he may have.
    Mr. Correa. Thank you, Mr. Chairman. Want to thank you and 
Chairman Perry for holding this most important hearing today. 
Of course, I want to thank also our witnesses for being here 
today. All of you know, watching TV, watching news very 
frequently. You hear stories about China, Russia, and others 
targeting our cyber system, including our election system and, 
of course, our critical infrastructures.
    Our National security, our economy, in many ways our daily 
lives, depend on a stable, safe, and resilient cyber system. 
The Department of Homeland Security plays a critical role in 
protecting the Nation's cyber space, which includes not only 
our own DHS computers but also those belonging to other 
civilian agencies in our critical infrastructure and, of 
course, including our collection system.
    To fulfill this role, DHS must have cybersecurity work 
force that is knowledgeable, well-trained, and dedicated to our 
mission. Sadly and unfortunately, according to the GAO, DHS has 
not taken the proper and necessary steps to staff the 
Department with cyber professionals. Specifically, DHS has not 
identified or reported to Congress on its own Department-wide 
cybersecurity critical work force needs. Additionally, 
according to the GAO, DHS has overstated the number of filled 
positions.
    Without appropriate tracking DHS is not in the position to 
effectively examine its cybersecurity work force, identify its 
critical skills gaps or improve its work force planning. DHS 
has been given a number of tools to help bolster its work 
force, including special hiring authority, allowing DHS to 
expedite the hiring process and providing monetary incentives 
and also a flexible approach to recruiting and retention of 
cyber experts.
    I look forward to speaking with the witnesses today about 
the specifics of the GAO findings and I want to see how we can 
move forward and make sure we safeguard America's 
cybersecurity. Mr. Chair, I yield.
    [The statement of Ranking Member Correa follows:]
               Statement of Ranking Member J. Luis Correa
                             March 7, 2018
    Almost daily, we learn of nefarious attempts by Russia, China, and 
others to impact our cyber systems, including election systems and 
critical infrastructure.
    Our National security, our economy, and in many ways our daily 
lives depend on a stable, safe, and resilient cyber space.
    The Department of Homeland Security plays a critical role in 
protecting the Nation's cyber space, which includes not only DHS's own 
computer systems and information, but also those belonging to other 
Federal civilian agencies and our critical infrastructure, including 
election systems.
    To fulfill this role, DHS must have a cybersecurity workforce that 
is well-trained, resilient, and dedicated to the mission.
    However, according to the Government Accountability Office, DHS has 
not taken the steps necessary to staff the Department with cyber 
professionals properly.
    Specifically, DHS has not identified or reported to Congress on its 
Department-wide cybersecurity critical workforce needs.
    Additionally, according to GAO, DHS overstated the number of filled 
and vacant cybersecurity positions assigned with the proper 
identification codes for the specific role.
    Without appropriate tracking, DHS will not be positioned to 
effectively examine its cybersecurity workforce, identify its critical 
skill gaps, or improve its workforce planning.
    President Trump has claimed to be in support of strengthening 
Federal networks and critical infrastructure, which undoubtedly will 
require a more robust workforce.
    DHS has been given a range of tools to help bolster the cyber 
workforce, including special hiring authority for cybersecurity 
positions that allows DHS to expedite the hiring process, provide 
monetary incentives, and adopt a nimble approach to recruitment and 
retention.
    I look forward to speaking with witnesses today about the specifics 
of the GAO findings and ways we can move the Department in a positive 
direction.

    Mr. Ratcliffe. Thank the gentleman. The Chair now 
recognizes the Chairman of the subcommittee on Oversight and 
Management Efficiency, the gentleman from Pennsylvania, Mr. 
Perry, for his opening statement.
    Mr. Perry. Good afternoon. I would like to thank Chairman 
Ratcliffe for holding this hearing today and including the 
Oversight and Management Efficiency subcommittee in this very 
important and timely discussion of the Department of Homeland 
Security's efforts to strengthen its cybersecurity work force. 
I also thank the Ranking Member of the subcommittee, Mr. 
Correa, as well as the witnesses that are willing to be here 
today.
    In today's world our Nation and its critical infrastructure 
face an increasingly diverse and sophisticated array of 
cybersecurity threats from both State and non-State actors. 
Adversaries across the globe have invested heavily in building 
out cyber capabilities and have demonstrated an increasing 
capacity to successfully execute cyber attacks against the 
United States and our allies.
    As the lead civilian agency for securing the Nation's 
public and private critical infrastructure, which is dependent 
on IT systems and electronic data, the Department of Homeland 
Security and its work force play a critical role in protecting 
the Nation's cyber space.
    Given this role, data continuing to show cyber personnel 
shortages at DHS must remain a top concern for both DHS and 
this committee. Demand for cyber-related positions continues to 
outpace the number of individuals qualified to fill them and 
agencies like DHS must find a way to compete with the private 
sector in attracting highly-skilled cyber workers.
    To address these challenges the committee has passed 
several pieces of legislation in recent years that were signed 
into law, providing DHS with additional hiring authorities to 
better recruit and retain a qualified cyber work force. The 
Homeland Security Cybersecurity Workforce Assessment Act, 
enacted into law as part of the Border Patrol Agency Pay Reform 
Act of 2014, Public Law No. 113-277, required DHS to survey its 
work force and identify, categorize, and code all vacant and 
non-vacant cybersecurity positions.
    The Act aimed to help DHS assess its current cyber work 
force in order to identify skills gaps and critical needs and 
improve strategic work force planning to more effectively 
recruit, hire, train, and retain cyber personnel. 
Unfortunately, according to a recent U.S. Government 
Accountability Office Report, DHS has failed to implement the 
actions required by this Act in a timely, accurate, or complete 
manner.
    GAO audited 6 components and found that the Department has 
not met any, any of the deadlines established by the Act. Two-
and-a-half years after the statutory deadline to identify the 
code positions, 3 of the 6 components studied still have not 
identified all of their cyber positions and, as of August 2017, 
the Department has only assigned employment codes to 79 percent 
of its identified cyber positions. Further, while DHS has 
identified cyber work force capacity and capability gaps, it 
has not submitted to Congress and the U.S. Office of Personnel 
Management required reports on critical needs aligned with the 
National Initiative for Cybersecurity Education's National 
Cybersecurity Workforce Framework.
    Congress has acted to provide DHS with the tools to help 
meet the work force needs demanded by the current cyber threat 
environment. The Department's failure to utilize these tools is 
unacceptable.
    Bureaucratic delays in hiring the personnel needed to 
secure our Nation's cyber space are detrimental to our National 
security. Sadly, the failure to properly implement cyber-
related hiring authorities is emblematic of the systemic hiring 
issues continuing to plague the Department.
    A management report released by DHS's Office of the 
Inspector General last fall aptly summarized that the 
Department and its components continue to encounter significant 
hiring difficulties related to long hire times and a lack of 
human resource staff, automated system, and processes to 
determine needed staff.
    Just last week, the Oversight and Management Efficiency 
Subcommittee heard testimony on the ineffectiveness and delays 
associated with the Department's fitness determination process, 
an integral part of the contract work force's on-boarding 
process.
    These problems are especially alarming, given the 
significant responsibilities facing DHS as it prepares to meet 
cyber work force needs and undertake the border security-
related hiring surge mandated by the President.
    I want to thank our panel for testifying this afternoon and 
I look forward to hearing an update on the Department's 
implementation of Public Law 113-277's requirements, as well as 
how DHS's Management Directorate is working with components to 
improve hiring processes.
    I thank you and yield back the balance.
    [The statement of Chairman Perry follows:]
                   Statement of Chairman Scott Perry
                             March 7, 2018
    Good afternoon. I would like to thank Chairman Ratcliffe for 
holding this hearing today and including the Oversight and Management 
Efficiency Subcommittee in this very important and timely discussion on 
the Department of Homeland Security's efforts to strengthen its 
cybersecurity workforce.
    In today's world, our Nation and its critical infrastructure face 
an increasingly diverse and sophisticated array of cybersecurity 
threats from both state and non-state actors. Adversaries across the 
globe have invested heavily in building out cyber capabilities and have 
demonstrated an increasing capacity to successfully execute cyber 
attacks against the United States and our allies.
    As the lead civilian agency for securing the Nation's public and 
private critical infrastructure, which is dependent on IT systems and 
electronic data, the Department of Homeland Security (DHS) and its 
workforce play a critical role in protecting the Nation's cyber space. 
Given this role, data continuing to show cyber personnel shortages at 
DHS must remain a top concern for both DHS and this committee. Demand 
for cyber-related positions continues to outpace the number of 
individuals qualified to fill them and agencies like DHS must compete 
with the private sector in attracting highly-skilled cyber workers.
    To address these challenges, this committee has passed several 
pieces of legislation in recent years that were signed into law 
providing DHS with additional hiring authorities to better recruit and 
retain a qualified cyber workforce. The Homeland Security Cybersecurity 
Workforce Assessment Act, enacted into law as part of the Border Patrol 
Agent Pay Reform Act of 2014 (Public Law 113-277), required DHS to 
survey its workforce and identify, categorize, and code all vacant and 
non-vacant cybersecurity positions. The act aimed to help DHS assess 
its current cyber workforce in order to identify skills gaps and 
critical needs, and improve strategic workforce planning to more 
effectively recruit, hire, train, and retain cyber personnel.
    Unfortunately, according to a recent U.S. Government and 
Accountability Office (GAO) report, DHS has failed to implement the 
actions required by this act in a timely, accurate, or complete manner. 
GAO audited six components and found that the Department has not met 
any of the deadlines established by the act. Two-and-a-half years after 
the statutory deadline to identify and code positions, three of the six 
components studied still have not identified all of their cyber 
positions and, as of August 2017, the Department has only assigned 
employment codes to 79 percent of its identified cyber positions. 
Further, while DHS has identified cyber workforce capacity and 
capability gaps, it has not submitted to Congress and the U.S. Office 
of Personnel Management (OPM) required reports on critical needs 
aligned with the National Initiative for Cybersecurity Education's 
National Cybersecurity Workforce Framework.
    Congress has acted to provide DHS with the tools to help meet the 
workforce needs demanded by the current cyber threat environment. The 
Department's failure to utilize these tools is unacceptable. 
Bureaucratic delays in hiring the personnel needed to secure our 
Nation's cyber space are detrimental to our National security.
    Sadly, the failure to properly implement cyber-related hiring 
authorities is emblematic of the systemic hiring issues continuing to 
plague the Department. A management report released by DHS's Office of 
the Inspector General last fall aptly summarized that the Department 
and its components continue to encounter significant hiring 
difficulties related to long hire times and a lack of human resources 
staff, automated systems, and processes to determine needed staff. Just 
last week, the Oversight and Management Efficiency Subcommittee heard 
testimony on the ineffectiveness and delays associated with the 
Department's fitness determination process, an integral part of the 
contract workforce's on-boarding process.
    These problems are especially alarming, given the significant 
responsibilities facing DHS as it prepares to meet cyber workforce 
needs and undertake the border security-related hiring surge mandated 
by the President.
    I want to thank our panel for testifying this afternoon and I look 
forward to hearing an update on the Department's implementation of 
Public Law 113-277's requirements, as well as how DHS's Management 
Directorate is working with components to improve hiring processes.
    Thank you and I yield back the balance of my time.

    Mr. Ratcliffe. Thank the gentleman.
    The Chair now welcomes and recognizes the Chairman of the 
full committee, gentleman from Texas, Mr. McCaul.
    Mr. McCaul. Thank you, Chairman Ratcliffe and Ranking 
Member Correa for your leadership on this very vital issue. 
Every day nation-state actors, such as Russia, China, Iran, and 
other cyber criminals are increasingly hacking into U.S. 
companies and Government networks to conduct espionage or steal 
intellectual property.
    With tens of millions of Americans relying on computer 
networks and IT for both personal and professional reasons, the 
risks apply to almost everyone. Recognizing these threats, I 
made strengthening the cybersecurity mission at the Department 
of Homeland Security one of my top priorities as Chairman of 
the Committee on Homeland Security.
    It is an issue that has united both parties. I am proud to 
say that we have accomplished a great deal. Just this morning, 
the full committee passed a bill that would strengthen the 
ability of our cyber response teams to react to attacks on 
America's critical infrastructure.
    This past December, the House approved my landmark bill to 
create a stand-alone operational organization to elevate the 
cybersecurity mission of DHS. In recent years, we passed both 
bills that clarified the cybersecurity roles and authorities 
between the Department of Homeland Security and OMB, and the 
FBI and NSA and strengthened the cyber threat information-
sharing system with liability protection as well.
    In 2014, we passed an important bill to expedite hiring 
authority at the Department to bolster its cybersecurity work 
force. At the time, I believe it was made clear that this 
authority would help combat cyber threats.
    I must say though, unfortunately, the Department has never 
used this hiring authority. This hearing today will focus on 
some of the reasons for this delay. With the number of threats 
that continue to gather by the day, I do find this a bit 
disturbing. One of our responsibilities as Members of this 
committee is oversight and to make sure that the Department is 
fully implementing the work force authorities that we provided 
here in the Congress.
    To combat cybersecurity threats, we need DHS to hire the 
best possible work force because there is just too much at 
stake. I am hopeful, always in a positive productive way 
though, that we can learn why this delay has happened.
    I look forward to working with the Department as always and 
other Members of our committee to make sure that these 
authorities that have been granted the Department are being 
used.
    When it comes to Homeland Security, I think the American 
people need to have the best possible work force in place. 
While I do find this delay troubling, I also want to commend 
all three of you for the work that you do day in and day out at 
the NCCIC.
    I hope I am hearing positive things that the Senate will 
actually pass our Cybersecurity and Infrastructure Protection 
Agency Bill which will elevate and prioritize the mission of 
cybersecurity within the Department.
    With that, Mr. Chairman, I yield back.
    [The prepared statement of Chairman McCaul follows:]
                Statement of Chairman Michael T. McCaul
                             March 7, 2018
    Every day nation-state actors, such as Russia, China, and Iran, and 
other cyber criminals are increasingly hacking into U.S. companies and 
Government networks to conduct espionage or steal intellectual 
property.
    With tens of millions of Americans relying on computer networks and 
IT for both personal and professional reasons, the risks apply to 
almost everyone.
    Recognizing these threats, I made strengthening the cybersecurity 
mission at DHS one of my top priorities as Chairman of the Committee on 
Homeland Security. It's an issue that has united both parties and I am 
proud to say we have accomplished a great deal.
    Just this morning, the full committee passed a bill that would 
strengthen the ability of our cyber response teams to react to attacks 
on America's critical infrastructure.
    This past December, the House approved my landmark bill to create a 
stand-alone, operational organization to elevate the cybersecurity 
mission of DHS.
    In recent years, we passed bills that clarified the cybersecurity 
roles and authorities between DHS and OMB, and strengthened cyber-
threat information sharing.
    And in 2014, we passed important legislation to expedite hiring 
authority at DHS to bolster its cybersecurity workforce. At the time, 
it was made clear that this authority would help combat cyber threats.
    Unfortunately, the Department has never used this hiring authority. 
The hearing today will focus on some of the reasons for this delay. 
With the number of threats that continue to gather by the day, I find 
this pretty alarming.
    One of our responsibilities as Members of this Committee is to make 
sure DHS is fully implementing the workforce authorities provided by 
Congress.
    To combat cybersecurity threats, we need DHS to hire the best 
possible workforce. There is too much at stake.
    I am hopeful that we can learn why this delay has happened and I 
look forward to working with DHS and the other Members of our committee 
to make sure we are using the authorities that have been granted.
    When it comes to Homeland Security, the American people need to 
have the best possible workforce in place.

    Mr. Ratcliffe. Thank the Chairman.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record. We are pleased to 
have a very distinguished panel of witnesses before us today on 
this important topic.
    [The statements of Ranking Members Thompson and Richmond 
and Honorable Jackson Lee follow:]
             Statement of Ranking Member Bennie G. Thompson
                             March 7, 2018
    Recruiting and retaining a qualified cybersecurity workforce at the 
Department of Homeland Security is a National security imperative.
    Every day, we learn more about the efforts of our adversaries--from 
Russia and Iran to North Korea and China--to use their cyber tools to 
attack our economy, our critical infrastructure, and the pillars of our 
democracy, including our election systems.
    In the wake of this evolving threat landscape, public and private-
sector critical infrastructure owners and operators to look to the 
Department of Homeland Security's National Protection and Programs 
Directorate (NPPD) to share information on cyber threats, to provide 
cybersecurity assessments, and to deploy incident response teams 
following an incident, among other things.
    Yet, when Assistant Secretary for Cybersecurity and Communications 
Jeanette Manfra testified before this panel last October, she told me 
that 24 percent of the fully-funded cybersecurity workforce billets at 
NPPD were unfilled.
    In 2014, Congress gave DHS hiring authorities on par with the 
Department of Defense to address cybersecurity staffing challenges. 
Although DHS clamored for these authorities for several years prior to 
2014, the Department does not plan to fully implement them until April 
2019--5 years after Congress authorized expedited hiring.
    We cannot afford to waste that kind of time.
    Last month, FBI Director Wray, CIA Director Pompeo, NSA Director 
Rogers, and Director of National Intelligence Coats, DIA Director 
Ashley, and NGA Director Cardillo all testified before the Senate 
Intelligence Committee and unanimously agreed that Russia would 
continue its election meddling efforts into the 2018 midterm elections.
    Last week, NSA Director Rogers again confirmed that the Russian 
government is actively targeting U.S. election systems.
    Secretary of State Tillerson also agrees that the Russians are 
targeting mid-term elections, yet has not spent any of the funds 
Congress appropriated to the agency to address the on-going threat to 
the integrity of our elections.
    Congress granted the State Department $120 million to counter 
Russian election meddling, including $60 million to coordinate anti-
propaganda efforts with agencies like the Department of Homeland 
Security.
    That said, NPPD has an important role to play in this space and 
has, in many ways, stepped up.
    I am pleased that it has prioritized services for election 
administrators, and that all of the 14 requested risk and vulnerability 
assessments will be concluded by next month.
    But I understand that NPPD had to shift resources to complete the 
assessments, and I am concerned that it will need more resources--and 
more trained cybersecurity professionals--to meet the on-going 
obligations of the critical infrastructure subsector designation. As 
threats to the homeland continue to evolve, NPPD and its partners 
throughout DHS, will need a strong, qualified cybersecurity workforce.
    Congress has given DHS the authorities and structures it needs to 
develop that workforce, and it is on DHS to implement them. Ultimately, 
as much as the increased demand for a qualified cybersecurity workforce 
poses a challenge, it also creates opportunities.
    When DHS finally completes the process for coding its cybersecurity 
workforce, it will be able to target recruiting at more diverse talent 
pools--from community colleges to veterans' groups. I will be 
interested in learning what efforts DHS is undertaking to recruit 
untapped talent, as well as cultivate and retain its workforce.
                                 ______
                                 
               Statement of Honorable Sheila Jackson Lee
                             March 7, 2018
    Chairman John Ratcliffe and Ranking Member Richmond, and Chairman 
Scott Perry and Ranking Member J. Luis Correa, thank you for this 
opportunity for the subcommittees to learn more about ``Examining DHS's 
Efforts to Strengthen Its Cybersecurity Workforce.''
    This hearing will provide Members with an opportunity to hear from 
officials at the Department of Homeland Security (DHS) and the 
Government Accountability Office (GAO) about the status of DHS's 
efforts to identify, recruit, and retain a skilled cybersecurity 
workforce.
    I look forward to the testimony of today's witnesses:
   Gregory Wilshusen, Director, Information Security, 
        Government Accountability Office;
   Angela Bailey, Chief Human Capitol Officer, Management 
        Directorate, Department of Homeland Security; and
   Rita Moss, Director, Office of Human Capital, National 
        Protection and Programs Directorate, Department of Homeland 
        Security.
    The cybersecurity field's expanding shortage of professionals with 
over a quarter-million positions remaining unfilled in the United 
States alone and a predicted shortfall of 1.5 million cybersecurity 
professionals by 2019.
    The solution must be to grow a greater pool of cybersecurity 
professionals that are prepared to fill positions within the Federal 
Government.
    The challenge before the Homeland Security Committee is finding the 
right policy that will accomplish the goal of attracting and retaining 
cybersecurity professionals within the Federal Government.
    I have focused on this problem and have mapped out a comprehensive 
approach to meeting the underlying problem: Increasing the pool of 
people who would receive essential education in science, technology, 
engineering, and mathematics from kindergarten through advanced degree 
programs.
    In 2017, I was pleased to have been awarded the Executive Women's 
Forum's Women in Cybersecurity Leadership Award for my work in 
promoting advances in our cybersecurity policy.
     congresswoman jackson lee's legislative efforts to close the 
                      cybersecurity workforce gap
    I introduced in the 114th and again in the 115th a compressive 
Cyber Security Education and the Workforce Enhancement Act, which seeks 
to prepare more women and minority students and early stage to mid-
career professionals within the Federal Government for cybersecurity 
jobs. [See accompanying section-by-section]
    In this Congress my bill is H.R. 1981, and it amends the Homeland 
Security Act to establish within the Department of Homeland Security's 
Office of Cybersecurity Education and Awareness Branch the goals of:
   Recruiting information assurance, cybersecurity, and 
        computer security professionals;
   Providing grants, training programs, and other support for 
        kindergarten through grade 12, secondary, and post-secondary 
        computer security education programs;
   Supporting guest lecturer programs in which professional 
        computer security experts lecture computer science students at 
        institutions of higher education;
   Identifying youth training programs for students to work in 
        part-time or summer positions at Federal agencies; and
   Developing programs to support underrepresented minorities 
        in computer security fields with programs at minority-serving 
        institutions, including Historically Black Colleges and 
        Universities, Hispanic-serving institutions, Native American 
        colleges, Asian-American institutions, and rural colleges and 
        universities.
    The goal of H.R. 1981 is to address under-representation of women 
and minorities in cybersecurity fields of employment.
                        cybersecurity statistics
    In 2016, the Bureau of Labor Statistics reported that African-
Americans comprised only 3 percent of the information security analysts 
in the United States, yet comprise nearly 13 percent of the National 
population.
    Just 2 years ago a security analyst, a position which required a 4-
year degree, was paid on average $88,890 per year.
    The top computing security salaries range from $175,000 to $230,00 
per year.
    The most senior position was chief information security officers 
(CISOs), which typically earns $400,000 or more per year.
    In 2017 the United States employed nearly 780,000 people in 
cybersecurity positions, with approximately 350,000 current 
cybersecurity employment vacancies.
    In 2017, nearly 65 percent of large U.S. companies have a Chief 
Information Security Officer, up from 50 percent in 2016.
    Women hold only 11 percent of cybersecurity positions globally, 
while filling 25 percent of tech jobs, and comprising 50 percent of the 
population.
    There is a similar situation with African Americans which comprise 
only 7 percent of the cybersecurity workforce, and Hispanics, who 
account for 5 percent of cybersecurity positions although they make up 
13 percent of the Nation's population.
    Finally, two out of three high school students indicate that no one 
has ever spoken to them about a career in cybersecurity.
    These facts mean that we should not have any shortages for 
computing security jobs, but that these vacancies exist because of 
barriers to entry like education.
       solution for expanding the federal cybersecurity workforce
    The solution is expanding the diversity of those who are 
cybersecurity professionals by tapping human capital already within the 
Federal Government in new hires or mid-career changes, when we identify 
that someone has the aptitude and desire to become a computing security 
professional.
             african american pioneers in computer science
    Katherine G. Johnson, of Hidden Figures fame, graduated from 
college at age 18. In 1952, she began working at NASA in its 
aeronautics area as a ``computer,'' where she performed the 
calculations that assured that when astronauts were sent into orbit 
they could be safely returned to earth.
    Roy Clay Sr. is known as the Godfather of Silicon Valley. Mr. Clay 
was at the cutting edge of computing and technology through his 
leadership of HP's first foray into the computer market with its 2116A 
computer.
    He was inducted into Silicon Valley Engineering Council's Hall of 
Fame in 2003.
    Mark Dean co-created the IBM personal computer and was instrumental 
in the development of the company's PC 5150, which was sold to the 
public in 1981.
    Mr. Dean also contributed to the development of the color PC 
monitor, the first gigahertz chip, and the industry standard 
Architecture (ISA) system bus.
    The personal computers' impact on our world is unmistakable.
    In the early days of the computing technology age, computers were 
only available to governments and large institutional organizations 
because of their size and complexity.
    The age of personal computing has paved the way for mobile 
computing and handheld computing devices like smart phones.
                   women and the history of computing
    Augusta Ada King-Noel, Countess of Lovelace was an English 
mathematician and writer, chiefly known for her work on Charles 
Babbage's proposed mechanical general-purpose computer.
    She was the first to recognize that the machine had applications 
beyond pure calculation, and created the first computer program to give 
Babbage's machine instructions to carry out a task.
    As a result, she is often regarded as the first to recognize the 
full potential of a ``computing machine,'' and the first computer 
programmer.
    Grace Hopper was an American computer scientist and United States 
Navy rear admiral, who became the first programmer of the Harvard Mark 
I computer and she invented the first compiler for a computer 
programming language.
    The Executive Women's Forum (EWF) recognizes the contributions 
women have made and seeks to expand opportunities for women.
    The Executive Women's Forum was founded in 2002, with a mission of 
inspiring leaders, transforming organizations, and building businesses 
through education, leadership development, and the creation of trusted 
relationships.
    Today, the EWF has over a thousand members Nation-wide--from 
emerging leaders to senior executives, all of whom benefit from the 
organization's programs and events.
    EWF members support each other in achieving their goals and 
advancing their careers by celebrating each other's accomplishments and 
acknowledging the ideas and contributions of the women around us.
    Most notably, each year EWF presents Women of Influence Awards to 
individuals who have made outstanding contributions in the corporate, 
Government/academic, and vendor sectors.
    The EWF's, ``2017 Global Information Security Workforce Study: 
Women in Cybersecurity'' report delivers troubling statistics on areas 
we are missing the mark in maximizing the participation of women in the 
cybersecurity workforce.
    Fifty-one percent of women report various forms of discrimination 
in the cybersecurity workforce.
    Women who feel valued in the workplace have also benefited from 
leadership development programs in greater numbers than women who feel 
undervalued.
    In 2016 women in cybersecurity earned less than men at every level.
    We know that cybersecurity expertise is a critical component of 
National security; however, Federal agencies have traditionally 
struggled to recruit, retain, and manage a robust cybersecurity 
workforce.
    The International Consortium of Minority Cybersecurity 
Professionals (IC-MCP) launched in 2014 with a mission to bridge this 
``great cyber divide'' in the cybersecurity profession. ICMCP offers 
programs and services to these groups to assist them in gaining skills 
and visibility to promote their careers, including:
   Mentoring opportunities for entry and mid-career 
        cybersecurity professionals
   Networking opportunities
   Skills workshops.
    In 2015, I was pleased to host the International Consortium of 
Minority Cybersecurity Professionals for its first meeting held on 
Capitol Hill.
    The vision of ICMCP is to build a pipeline of cybersecurity 
professionals at all levels, and support them throughout their careers.
    ICMCP efforts have the potential to broaden the pool of available 
experienced cybersecurity professionals.
    This Congress I introduced H.R. 1981, the Cyber Security Education 
and Federal Workforce Enhancement Act, which creates programs to 
support underrepresented minorities in computer security fields.
    I understand that the supply of educated and certified 
cybersecurity professionals is too few when compared with the thousands 
of positons that are in need of them.
    As a result, talented candidates can demand higher salaries, more 
flexible hours, and other benefits that are incompatible with the 
Federal hiring process.
    Priorities within the workforce have also changed.
    For instance, millennials change employers more frequently than 
their predecessors and place a high value on flexible work schedules 
and professional development opportunities.
    I strongly believe that we have untapped talent within the Federal 
workforce, and we have potential pools of talented young people who are 
in underrepresented communities around the Nation that we must reach 
during their formative education to prepare them for potential 
cybersecurity careers.
    We are not supporting DHS with a policy that would allow the agency 
to pursue talent regardless of where it might be found.
    So long as DHS attempts to compete for cybersecurity talent in the 
same market where the private sector businesses are competing, the 
results will not change.
    We must be creative and engage in broader thinking that does not 
limit our view of who can be a cybersecurity professional.
     potential for dhs to succeed in recruitment and retention of 
                      cybersecurity professionals
    The 2017 Global Information Security Workforce Study: Women in 
Cybersecurity issued by the Executive Women's Forum, stresses what we 
already know; some segments of the workforce are underrepresented--in 
the cybersecurity field. Women professionals make up only 11 percent of 
the cybersecurity workforce despite the escalating growth in the field.
    The participation of women in cybersecurity is at 11 percent 
although women reported higher levels of education.
    These underrepresented groups offer an opportunity to increase the 
cybersecurity workforce in the near and long term.
    This is important because both Gen Y and Gen Z have significant 
numbers of minorities who could significantly close the cybersecurity 
gap.
    I look forward to working with the Chair and Ranking Members on how 
H.R. 1981 might offer a path toward increasing diversity in the Federal 
cybersecurity workforce.
    Thank you.
                                 ______
                                 
             Statement of Ranking Member Cedric L. Richmond
                             March 7, 2018
    Since this is our third hearing on cyber workforce, I assume that 
most of us understand the gravity of failing to fill cybersecurity 
vacancies throughout the Federal Government and, in particular, at DHS. 
So, let me start by saying the same thing I have said at the last three 
hearings----
    First, if we're serious about ``right-sizing'' the Federal 
Government's cyber workforce we need to look beyond 4-year 
universities. There is untapped talent in unconventional places, and we 
will find it if we look for it.
    Second, we need strong and consistent leadership from the White 
House. The President must come out and say that the cybersecurity 
posture of the Federal Government has a direct impact on our economy, 
our National security priorities, our critical infrastructure, and even 
the integrity of our elections.
    And finally, we have to improve morale at DHS so it can recruit and 
retain that cybersecurity talent it needs to carry out its mission.
    With respect to DHS's cyber workforce, Congress has been 
responsive. We heard DHS when it told us that it was having trouble 
competing with the private sector for top cyber candidates, and in 2014 
we gave DHS the authority for faster, more flexible hiring.
    But we also realized that DHS can't manage what it doesn't 
measure--so, we directed it to perform a three-step process to assess 
its own cybersecurity needs:
    Step 1--identify its cybersecurity positions;
    Step 2--bring those positions into alignment with formal OPM data 
standards, so it can track where cyber positions are located within the 
Department and start to address skills gaps;
    And Step 3--identify any areas where there are serious gaps in 
workforce capabilities, or areas of ``critical need.''
    This assessment is supposed to inform a comprehensive cybersecurity 
workforce strategy that includes a multi-phased recruitment plan--
targeting a range of potential candidates from experienced 
professionals, the unemployed, and disadvantaged communities--to build 
a more robust cyber workforce at DHS. This workforce strategy would, in 
turn, inform the broader Department-wide Cybersecurity Strategy 
required under legislation I authored in 2015.
    But DHS has yet to complete its cybersecurity needs assessment and 
the deadlines for both these strategies has long passed--yet neither 
strategy has been delivered to Congress. In fact, this is the third 
Congressional hearing where I have asked about the status of the 
Department-wide Cybersecurity Strategy that was due in March 2017.
    I expect that today, I will hear the same excuses I have heard 
every other time I have asked about the DHS Cybersecurity Strategy: DHS 
plans to release the strategy soon, but the new leadership--and there 
is, once again, new leadership--needs a chance to review it. As much as 
I understand the need to let the new administration set its own policy, 
we cannot ignore the fact that these delays are undermining DHS's 
ability to carry out its mission.
    Moreover, I am troubled by the length of time we are being asked to 
wait for the reports we need to do our job as authorizers. Despite 
these on-going challenges, I look forward to a productive discussion 
about how we can work together to make sure DHS has the tools, 
resources, and authorities to maintain a qualified cybersecurity 
workforce--and do so in a manner that is timely and responsive to 
Congress.

    Mr. Ratcliffe. Mr. Greg Wilshusen is the director of 
information security issues for the Government Accountability 
Office. He leads cybersecurity and privacy-related audits of 
the Federal Government and critical infrastructure. Thank you 
for taking the time, for being here from what I am sure is very 
busy caseload.
    Ms. Angela Bailey is the chief human capital officer in the 
Management Directorate at DHS. Ms. Bailey came to DHS from the 
Office of Personnel Management. I look forward to hearing how 
OPM and DHS can work more in unison on cyber work force issues.
    Finally, Ms. Rita Moss is the director of the office of 
human capital at the National Protection and Programs 
Directorate at DHS. She attended the United States Naval 
Academy. We thank her for her service there and thank you for 
being here before our committees today.
    I would now ask all three of our witnesses to stand and 
raise your right hand so I can swear you in to testify.
    [Witnesses sworn.]
    Mr. Ratcliffe. Let the record reflect that the witnesses 
have answered in the affirmative. You all may be seated. The 
witnesses' full written statements will appear in the record.
    The Chair now recognizes, Mr. Wilshusen for 5 minutes for 
an opening statement.

    STATEMENT OF GREGORY WILSHUSEN, DIRECTOR OF INFORMATION 
       SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Ratcliffe, Chairman Perry, Chairman 
McCaul, and Ranking Member Correa. Thank you for the 
opportunity to appear at today's hearing to discuss the 
Department of Homeland Security's efforts to strengthen its 
cybersecurity work force.
    My testimony is based on a report we issued last month on 
DHS's actions to identify and report on cybersecurity positions 
and specialty areas of critical need, as called for by the 
Homeland Security Cybersecurity Workforce Assessment Act of 
2014.
    Before I proceed, if I may, I would like to recognize 
members of the audit team who were instrumental in developing 
my statement and conducting the work underpinning it. Tamika 
Lutin and David Hong who are with me today, led this work while 
Chris Carrey, Ben Atwater, Alexander Andreg, Wayne Emillion, 
and Louis Rodriguez made significant contributions.
    DHS has made important progress in identifying, 
categorizing, and assigning the employment codes to its 
cybersecurity positions. For example, as of December 2016, it 
reported identifying about 10,725 positions.
    However, the Department's actions have neither been timely 
nor complete. Procedures established by DHS to perform these 
activities were issued 13 months past the due dates specified 
into 2014 Act and did not include steps for identifying 
position vacancies as the act required.
    The act also required DHS to assign employment codes 
created by OPM to all of its cybersecurity positions. This 
action was to be completed by September 2015. However, as of 
August 2017, 23 months after the due date, the Department had 
not completed the coding assignment process.
    In August 2017, the Office of Personnel Management reported 
to Congress that DHS had coded 95 percent of the Department's 
identified cybersecurity positions. Yet, we determined that 
only 79 percent of the positions were coded. The 95 percent 
estimate was overstated because DHS excluded uncoded vacant 
positions.
    DHS has taken steps to identify its work force capability 
gaps and reported these to Congress in March 2017. However, it 
did not identify or report to Congress its critical 
cybersecurity critical needs using the work categories and 
specialty areas defined in the National cybersecurity 
framework. In addition, the Department has not annually 
reported its critical needs to OPM as required and has not 
developed plans with clearly-defined time frames for reporting.
    To assist the Department, we made six recommendations in 
our February report. For example, we recommended that DHS 
develop procedures on how to identify and code vacant 
cybersecurity positions and develop guidance for identifying 
specialty areas of critical need.
    To help clarify responsibility and provide accountability, 
we recommended that the Department identify for each component 
the individual who is responsible for leading the component's 
efforts and in performing the work force assessment activities. 
We also recommended that each component's procedures for 
identifying and coding cyber positions be reviewed to ensure 
consistency with Departmental guidelines. DHS concurred with 
our recommendations and estimated that it would implement them 
all by June, 2018.
    Implementing our recommendations should better position the 
Department in meeting the requirements of the Homeland Security 
Cybersecurity Workforce Assessment Act and help DHS to better 
understand its needs for recruiting, hiring, developing, and 
retaining the cybersecurity work force with the skills 
necessary to accomplish the Department's varied and essential 
cybersecurity mission.
    Until it does, DHS may lack assurance that it has the data 
necessary to effectively manage the recruitment and retention 
of a cybersecurity work force that is responsible for 
protecting departmental and Federal networks as well as the 
Nation's critical infrastructure from cyber threats.
    This concludes my opening statement. I would be happy to 
answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]
               Prepared Statement of Gregory C. Wilshusen
                             March 7, 2018
    Chairmen Ratcliffe and Perry, Ranking Members Richmond and Correa, 
and Members of the subcommittees: Thank you for the opportunity to 
appear at today's hearing to discuss the Department of Homeland 
Security's (DHS) efforts to strengthen its cybersecurity workforce. In 
its important role of securing the Nation's cyber space, DHS is 
responsible for protecting the confidentiality, integrity, and 
availability of its own computer systems and information, and for 
leading the coordination with partners in the public and private 
sectors to protect the computer networks of Federal civilian agencies 
and the Nation's critical infrastructure from threats. As such, having 
an effective cybersecurity workforce is essential to accomplishing the 
Department's mission.
    Toward ensuring that it has an effective workforce, the Homeland 
Security Cybersecurity Workforce Assessment Act of 2014 (hereafter 
referred to as ``the act'') \1\ required DHS to identify all 
cybersecurity workforce positions within the Department, determine the 
cybersecurity work category and specialty area of such positions, and 
assign the corresponding employment code to each cybersecurity 
position.\2\ The act also required DHS to identify and report on its 
cybersecurity workforce areas of critical need.
---------------------------------------------------------------------------
    \1\ The Homeland Security Cybersecurity Workforce Assessment Act of 
2014 was enacted as part of the Border Patrol Agent Pay Reform Act of 
2014, Pub. L. No. 113-277 Sec. 4,128 Stat. 2995, 3008-3010 (Dec. 18, 
2014), 6 U.S.C. Sec. 146.
    \2\ The employment codes are standard codes for Federal job 
classifications that were developed by the Office of Personnel 
Management (OPM), in alignment with the National Initiative for 
Cybersecurity Education's National Cybersecurity Workforce Framework. 
See Office of Personnel Management, The Guide to Data Standards 
(Washington, DC: November 15, 2014).
---------------------------------------------------------------------------
    In addition to the aforementioned requirements for DHS, the act 
included a provision for GAO to analyze and monitor the Department's 
efforts to address its requirements. My testimony today provides an 
overview of our recently-issued (February 2018) report, Cybersecurity 
Workforce: Urgent Need for DHS to Take Actions to Identify Its Position 
and Critical Skill Requirements, based on our review of the its 
efforts.\3\
---------------------------------------------------------------------------
    \3\ GAO, Cybersecurity Workforce: Urgent Need for DHS to Take 
Actions to Identify Its Position and Critical Skill Requirements, GAO-
18-175 (Washington, DC: Feb. 6, 2018).
---------------------------------------------------------------------------
    In preparing this statement, we relied on our work supporting the 
February report. This work included comparing the Department's actions 
to identify, categorize, and assign employment codes to its 
cybersecurity positions and to identify its cybersecurity workforce 
areas of critical need with the required activities specified in the 
act. We analyzed that information, including data on the coding of 
cybersecurity workforce positions, and also administered a data 
collection instrument to six components of DHS.\4\ Further, we 
interviewed relevant officials from the DHS Office of Chief Human 
Capital Officer (OCHCO) and from the selected DHS components. We also 
interviewed relevant officials at the Office of Personnel Management 
(OPM).
---------------------------------------------------------------------------
    \4\ The six components we reviewed are: Departmental Management and 
Operations, National Protection and Programs Directorate, Science and 
Technology Directorate, U.S. Customs and Border Protection, U.S. 
Citizenship and Immigration Services, and U.S. Secret Service.
---------------------------------------------------------------------------
    The work on which this statement is based was conducted in 
accordance with generally accepted Government auditing standards, which 
require audits to be planned and performed to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides such a reasonable basis for our findings and 
conclusions based on our audit objectives.
                               background
    DHS leads the Federal Government's efforts to secure our Nation's 
public and private critical infrastructure information systems against 
cyber threats. As part of these efforts, cybersecurity professionals 
can help to prevent or mitigate the vulnerabilities that could allow 
malicious individuals and groups access to Federal information 
technology (IT) systems. The ability to secure Federal systems depends 
on the knowledge, skills, and abilities of the Federal and contractor 
workforce that designs, develops, implements, secures, maintains, and 
uses these systems.
    The Office of Management and Budget has noted that the Federal 
Government and private industry face a persistent shortage of 
cybersecurity and IT talent to implement and oversee information 
security protections.\5\ This shortage may leave Federal IT systems 
vulnerable to malicious attacks. Experienced and qualified 
cybersecurity professionals are essential in performing DHS's work to 
mitigate vulnerabilities in its own and other agencies' computer 
systems and to defend against cyber threats.
---------------------------------------------------------------------------
    \5\ Office of Management and Budget, Federal Cybersecurity 
Workforce Strategy, Memorandum M-16-15 (Washington, DC: July 12, 2016).
---------------------------------------------------------------------------
    Since 1997, we have identified the protection of Federal 
information systems as a Government-wide high-risk area. In addition, 
in 2001, we introduced strategic Government-wide human capital 
management as another area of high risk.\6\ We have also identified a 
number of challenges Federal agencies are facing to ensure that they 
have a sufficient cybersecurity workforce with the skills necessary to 
protect their information and networks from cyber threats.\7\ These 
challenges pertain to identifying and closing skill gaps as part of a 
comprehensive workforce planning process, recruiting and retaining 
qualified staff, and navigating the Federal hiring process.
---------------------------------------------------------------------------
    \6\ GAO, High-Risk Series: Progress on Many High-Risk Areas, While 
Substantial Efforts Needed on Others, GAO-17-317 (Washington, DC: Feb. 
15, 2017).
    \7\ GAO, Cybersecurity: Federal Efforts Are Under Way That May 
Address Workforce Challenges, GAO-17-533T (Washington, DC: Apr. 4, 
2017).
---------------------------------------------------------------------------
Federal Initiative and Guidance Are Intended to Improve Cybersecurity 
        Workforces
    In recent years, the Federal Government has taken various steps 
aimed at improving the cybersecurity workforce. These include 
establishing a National initiative to promote cybersecurity training 
and skills and developing guidance to address cybersecurity workforce 
challenges.
    Founded in 2010, the National Initiative for Cybersecurity 
Education (NICE) is a partnership among Government, academia, and the 
private sector, and is coordinated by the National Institute of 
Standards and Technology (NIST). The NICE mission promotes 
cybersecurity education, training, and workforce development in 
coordination with its partners. The initiative's goal is to increase 
the number of skilled cybersecurity professionals in order to boost 
National IT security.
    In 2013, NICE published the National Cybersecurity Workforce 
Framework to provide a consistent way to define and describe 
cybersecurity work at any public or private organization, including 
Federal agencies.\8\ In 2014, OPM developed guidance for assigning 2-
digit employment codes for each cybersecurity work category and 
specialty area identified in the 2013 NICE framework.\9\ Federal 
agencies can use the codes to identify cybersecurity positions in 
personnel and payroll systems, such the system of the National Finance 
Center.\10\
---------------------------------------------------------------------------
    \8\ National Institute of Standards and Technology, NICE 
Cybersecurity Workforce Framework (Version 1.0) (Gaithersburg, MD: 
April 2013).
    \9\ Office of Personnel and Management, The Guide to Data Standards 
(Washington, DC: November 15, 2014).
    \10\ The National Finance Center personnel and payroll systems are 
used by DHS and other agencies for processing personnel and payroll 
information. In addition, they are DHS's system of record for 
employment codes assigned to cybersecurity employees.
---------------------------------------------------------------------------
    To further enhance efforts to strengthen the cybersecurity 
workforce, NICE subsequently revised the framework in 2017 to include 
33 cybersecurity-related specialty areas organized into 7 categories--
securely provision, operate and maintain, protect and defend, 
investigate, collect and operate, analyze, and oversee and govern. The 
revision defined work roles in specialty areas and cybersecurity tasks 
for each work role,\11\ as well as the knowledge, skills, and abilities 
that a person should have in order to perform each work role.\12\ Also, 
in 2017, OPM issued guidance creating a unique 3-digit employment code 
for each cybersecurity work role.\13\ In October 2017, NIST issued 
guidance that reflected the finalized 2017 NICE framework and included 
a crosswalk of OPM's 2-digit employment codes to the 3-digit codes.\14\
---------------------------------------------------------------------------
    \11\ National Institute of Standards and Technology, NICE 
Cybersecurity Workforce Framework, Special Publication 800-181 
(Gaithersburg, MD: August 2017).
    \12\ According to the National Institute of Standards and 
Technology, work roles are the most detailed groupings of IT, 
cybersecurity, or cyber-related work. Examples of work roles include an 
authorizing official, a software developer, or a system administrator.
    \13\ Office of Personnel Management, Guidance for Assigning New 
Cybersecurity Codes to Positions with Information Technology, 
Cybersecurity, and Cyber-Related Functions (Washington, DC: Jan. 4, 
2017).
    \14\ National Institute of Standards and Technology, OPM Federal 
Cybersecurity Coding Structure (Gaithersburg, MD: Oct. 18, 2017).
---------------------------------------------------------------------------
DHS's Cybersecurity Workforce Performs a Wide Range of Critical 
        Missions
    DHS is the third-largest department in the Federal Government, 
employing approximately 240,000 people, and operating with an annual 
budget of about $60 billion, of which about $6.4 billion was reportedly 
spent on IT in fiscal year 2017. In leading the Federal Government's 
efforts to secure our Nation's public and private critical 
infrastructure information systems, the Department, among other things, 
collects and shares information related to cyber threats and 
cybersecurity risks and incidents with other Federal partners to enable 
real-time actions to address these risks and incidents.
    The Department is made up of 15 operational and support components 
that perform its critical mission functions. Table 1 describes the 6 
components that we included in our review.

------------------------------------------------------------------------
        DHS Component                         Description
------------------------------------------------------------------------
U.S. Customs and Border        CBP is to safeguard America's borders,
 Protection (CBP)               thereby protecting the public from
                                dangerous people and materials while
                                enhancing the Nation's global economic
                                competitiveness by enabling legitimate
                                trade and travel. CBP's cybersecurity
                                workforce primarily protects the
                                component's internal systems, networks,
                                and data.
Departmental Management and    DMO is to provide support to the
 Operations (DMO)               Secretary and Deputy Secretary in the
                                overall leadership, direction, and
                                management of DHS and all of its
                                components. DMO is responsible for DHS's
                                budgets and appropriations, expenditure
                                of funds, information technology
                                systems, facilities and equipment, and
                                the identification and tracking of
                                performance measurements. DMO's
                                cybersecurity workforce is to develop
                                and implement DHS's cybersecurity-
                                related workforce policies and programs
                                and protect DHS's systems, networks, and
                                data. As part of DMO, the Office of
                                Chief Human Capital Officer (OCHCO) is
                                responsible for personnel policy
                                development and implementation. The
                                Office of the Chief Information Officer,
                                among other things, is to develop and
                                implement information security programs.
National Protection and        NPPD is expected to protect and enhance
 Programs Directorate (NPPD)    the resilience of the Nation's physical
                                and cyber infrastructure, working with
                                partners at all levels of government and
                                the private and nonprofit sectors, to
                                share information and build greater
                                trust to make physical and cyber
                                infrastructure more secure. NPPD is the
                                lead component for fulfilling the
                                Department's National, non-law
                                enforcement cybersecurity missions, as
                                well as providing crisis management,
                                incident response, and defense against
                                cyber attacks for Federal Government
                                networks.
U.S. Secret Service (USSS)     USSS is to protect designated protectees,
                                investigate threats against protectees,
                                as well as investigate financial and
                                computer-based crimes; it is also
                                expected to help secure the Nation's
                                banking and finance critical
                                infrastructure. USSS's cybersecurity
                                workforce primarily conducts criminal
                                investigations and protects its systems,
                                networks, and data.
Science and Technology         S&T is to conduct basic and applied
 Directorate (S&T)              research, development, demonstration,
                                testing, and evaluation activities
                                relevant to DHS. S&T's cybersecurity
                                workforce is expected to conduct
                                cybersecurity research and development
                                for the Homeland Security Enterprise,
                                and protect its systems, networks, and
                                data.
U.S. Citizenship and           USCIS is responsible for overseeing
 Immigration Services (USCIS)   lawful immigration to the United States.
                                Its mission is to provide accurate and
                                useful information to USCIS customers,
                                grant immigration and citizenship
                                benefits, promote an awareness and
                                understanding of citizenship, and ensure
                                the integrity of National immigration
                                system. USCIS's cybersecurity workforce
                                primarily protects its systems,
                                networks, and data.
------------------------------------------------------------------------
Source.--GAO analysis of DHS information./GAO-18-430T

DHS Is Required to Assess Its Cybersecurity Workforce
    The Homeland Security Cybersecurity Workforce Assessment Act of 
2014 required DHS to perform workforce assessment-related activities to 
identify and assign employment codes to its cybersecurity positions. 
Specifically, the act called for DHS to:
    1. Establish procedures for identifying and categorizing 
        cybersecurity positions and assigning codes to positions 
        (within 90 days of law's enactment).
    2. Identify all filled and vacant positions with cybersecurity 
        functions and determine the work category and specialty area of 
        each.
    3. Assign OPM 2-digit employment codes to all filled and vacant 
        cybersecurity positions based on the position's primary 
        cybersecurity work category and specialty areas, as set forth 
        in OPM's Guide to Data Standards.\15\
---------------------------------------------------------------------------
    \15\ At the time the Homeland Security Cybersecurity Workforce 
Assessment Act of 2014 was enacted, DHS was to use OPM's 2014 data 
standards guide (Office of Personnel Management, The Guide to Data 
Standards (Washington, DC: November 2014). The purpose of the guide is 
to help agencies identify and code their cybersecurity positions. 
Employment codes can be used in human capital systems to measure areas 
of critical need.
---------------------------------------------------------------------------
    In addition, after completing the aforementioned activities, the 
act called for the Department to take steps to identify and report its 
cybersecurity workforce areas of critical need. Specifically, DHS was 
to:
    4. Identify the cybersecurity work categories and specialty areas 
        of critical need in the Department's cybersecurity workforce 
        and report to Congress.
    5. Submit to OPM an annual report through 2021 that describes work 
        categories and specialty areas of critical need and 
        substantiates the critical need designations.
    The act required DHS to complete the majority of these activities 
by specific due dates between March 2015 and September 2016.
    Within DHS, OCHCO is responsible for carrying out these provisions, 
including the coordination of the Department's overall efforts to 
identify, categorize, code, and report its cybersecurity workforce 
assessment progress to OPM and Congress.
   dhs has not fully identified cybersecurity positions or assigned 
           employment codes in a complete and reliable manner
    The act required DHS to establish procedures to identify and assign 
the appropriate employment code, in accordance with OPM's Guide to Data 
Standards, to all filled and vacant positions with cybersecurity 
functions by March 2015.\16\ In addition, DHS's April 2016 
Cybersecurity Workforce Coding guidance states that components should 
ensure procedures are in place to monitor and to update the employment 
codes as positions change over time.\17\
---------------------------------------------------------------------------
    \16\ Office of Personnel Management, The Guide to Data Standards 
(Washington, DC: November 15, 2014). OPM guidance created unique 2-
digit employment codes for categories and specialty areas identified in 
the NICE framework.
    \17\ U.S. Department of Homeland Security, Office of the Chief 
Human Capital Officer, Cybersecurity Workforce Coding (Washington, DC: 
April 22, 2016).
---------------------------------------------------------------------------
    Further, the Standards for Internal Control in the Federal 
Government recommends that management assign responsibility and 
delegate authority to key roles and that each component develop 
individual procedures to implement objectives. The standards also 
recommend that management periodically review such procedures to see 
that they are developed, relevant, and effective.\18\
---------------------------------------------------------------------------
    \18\ GAO, Standards for Internal Control in the Federal Government, 
GAO-14-704G (Washington, DC: Sep 10, 2014).
---------------------------------------------------------------------------
    DHS OCHCO developed Departmental procedures in May 2014 and 
recommended implementation steps for coding positions with 
cybersecurity functions for the Department's components. However, OCHCO 
did not update its procedures to include information on identifying 
positions and assigning codes until April 2016--13 months after the due 
date specified by the act.
    In addition, the procedures were not complete because they did not 
include information related to identifying and coding vacant positions, 
as the act required. Moreover, the Departmental procedures did not 
identify the individual within each DHS component who was responsible 
for leading and overseeing the identification and coding of the 
component's cybersecurity positions.
    Further, although components were able to supplement the 
Departmental procedures by developing their own component-specific 
procedures for identifying and coding their cybersecurity positions, 
OCHCO did not review those procedures for consistency with Departmental 
guidance. The Department could not provide documentation that OCHCO had 
verified or reviewed component-developed procedures. In addition, OCHCO 
officials acknowledged that they had not reviewed the components' 
procedures and had not developed a process for conducting such reviews.
    OCHCO officials stated that several factors had limited their 
ability to develop the procedures and to review component-developed 
procedures in a timely and complete manner. These factors were: (1) A 
delayed Departmental decision until April 2016 as to whether certain 
positions should be considered cybersecurity positions; (2) a belief 
that each component had the best understanding of their human capital 
systems, so procedure development was best left up to each component; 
(3) a condition where each of the six selected DHS components recorded 
and tracked vacant positions differently; and (4) cybersecurity 
specialty areas for vacant positions were not known until a position 
description was developed or verified and a hiring action was imminent. 
Without assurance that procedures are timely, complete, and reviewed, 
DHS cannot be certain that its components have the procedures to 
identify and code all positions with cybersecurity functions, as 
required by the act.
    Accordingly, our February 2018 report included recommendations that 
DHS: (1) Develop procedures on how to identify and code vacant 
cybersecurity positions, (2) identify the individual in each component 
who is responsible for leading that component's efforts in identifying 
and coding cybersecurity positions, and (3) establish and implement a 
process to periodically review each component's procedures for 
identifying component cybersecurity positions and maintaining accurate 
coding.\19\ DHS concurred with the recommendations and stated that it 
would implement them by April 30, 2018.
---------------------------------------------------------------------------
    \19\ GAO-18-175.
---------------------------------------------------------------------------
DHS Has Not Yet Completed Required Identification Activities
    The act required DHS to identify all of its cybersecurity 
positions, including vacant positions, by September 2015. Further, the 
act called for the Department to use OPM's Guide to Data Standards to 
categorize the identified positions and determine the work category or 
specialty area of each position.\20\
---------------------------------------------------------------------------
    \20\ Office of Personnel Management, The Guide to Data Standards 
(Washington, DC: November 15, 2014). OPM guidance outlined categories 
and specialty areas in alignment with the NICE framework.
---------------------------------------------------------------------------
    As of December 2016, the Department reported that it had identified 
10,725 cybersecurity positions, including 6,734 Federal civilian 
positions, 584 military positions, and 3,407 contractor positions.\21\ 
Nevertheless, as of November 2017, the Department had not completed 
identifying all of its cybersecurity positions and it had not 
determined the work categories or specialty areas of the positions. In 
explaining why the Department had not identified all its positions, 
OCHCO officials stated that components varied in reporting their 
identified vacant positions because the Department did not have a 
system to track vacancies.
---------------------------------------------------------------------------
    \21\ Department of Homeland Security, Comprehensive Cybersecurity 
Workforce Update: 2016 Report (Washington, DC: March 16, 2017).
---------------------------------------------------------------------------
    Of the 7 work categories and 33 specialty areas in the NICE 
framework, DHS reported that its 3 most common work categories were 
``protect and defend'', ``securely provision,'' and ``oversight and 
development;'' and its 2 most common specialty areas were ``security 
program management'' and ``vulnerability assessment and management.'' 
However, DHS could not provide data to show the actual numbers of 
positions in each of these categories and specialty areas.
    According to OCHCO officials, the Department was still in the 
process of identifying positions for the 2-digit codes and would 
continue this effort until the 3-digit codes were available in the 
National Finance Center personnel and payroll system in December 2017. 
At that time, OCHCO officials stated that the Department intends to 
start developing procedures for identifying and coding positions using 
the 3-digit codes.
DHS Has Not Completely and Accurately Assigned Employment Codes
    The act also required DHS to assign 2-digit employment codes to all 
of its identified cybersecurity positions. This action was to be 
completed by September 2015.\22\
---------------------------------------------------------------------------
    \22\ Identification and code assignment is inclusive of both filled 
and vacant positions with cybersecurity functions.
---------------------------------------------------------------------------
    However, as of August 2017--23 months after the due date--the 
Department had not completed the coding assignment process. Although, 
in August 2017, OPM provided a progress report to Congress containing 
DHS data which stated that 95 percent of DHS-identified cybersecurity 
positions had been coded,\23\ our analysis determined that the 
Department had assigned cybersecurity position codes to approximately 
79 percent of its identified Federal civilian cybersecurity 
positions.\24\ The primary reason for this discrepancy was that DHS did 
not include the coding of vacant positions, as required by the act. 
Further, OCHCO officials stated they did not verify the accuracy of the 
components' cybersecurity workforce data. Without coding cybersecurity 
positions in a complete and accurate manner, DHS will not be able to 
effectively examine its cybersecurity workforce; identify skill gaps; 
and improve workforce planning.
---------------------------------------------------------------------------
    \23\ Office of Personnel Management, Progress Report on the 
National Cybersecurity Workforce Measurement Initiative (Washington, 
DC: August 3, 2017). This report was 20 months late. OPM officials 
stated that they did not meet the December 2015 deadline because DHS 
had not provided sufficient data at that point.
    \24\ Per DHS's August 2017 coding progress dashboard, 5,298 of 
6,734 identified positions had been coded. Vacant position coding 
progress was not provided.
---------------------------------------------------------------------------
    Thus, in our recently-issued report, we recommended that OCHCO 
collect complete and accurate data on all filled and vacant 
cybersecurity positions when it conducts its cybersecurity 
identification and coding efforts. DHS concurred with the 
recommendation and stated that, by June 29, 2018, it intends to issue 
memorandums to its components that provide instructions for the 
components to periodically review compliance and cybersecurity 
workforce data concerns to ensure data accuracy.
dhs has not identified or reported its cybersecurity workforce areas of 
                             critical need
    According to the act, DHS was to identify its cybersecurity work 
categories and specialty areas of critical need in alignment with the 
NICE framework and to report this information to the appropriate 
Congressional committees by June 2016. In addition, a DHS directive 
required the DHS chief human capital officer to provide guidance to the 
Department's components on human resources procedures, including 
identifying workforce needs.\25\
---------------------------------------------------------------------------
    \25\ Department of Homeland Security, Human Capital Line of 
Business Integration and Management, Directive No. 258-01 (Feb. 6, 
2014).
---------------------------------------------------------------------------
    As of February 2018, the Department had not fulfilled its 
requirements to identify and report its critical needs. Although DHS 
identified workforce skills gaps in a report that it submitted to 
Congressional committees in March 2017, the Department did not align 
the skills gaps to the NICE framework's defined work categories and 
specialty areas of critical need.
    In September 2017, OCHCO developed a draft document that attempted 
to crosswalk identified Department-wide cybersecurity skills gaps to 
one or more specialty areas in the NICE framework. However, the 
document did not adequately help components identify their critical 
needs by aligning their gaps with the NICE framework because it did not 
provide clear guidance to help components determine a critical need in 
cases in which a skills gap is mapped to multiple work categories.
    According to OCHCO officials, DHS had not identified Department-
wide cybersecurity critical needs that aligned with the framework 
partly because OPM did not provide DHS with guidance for identifying 
cybersecurity critical needs. In addition, OCHCO officials stated that 
the components did not generally view critical skills gaps in terms of 
the categories or specialty areas as defined in the NICE framework, but 
instead, described their skills gaps using position titles that are 
familiar to them. In the absence of relevant guidance to help 
components identify their critical needs, DHS and the components are 
hindered from effectively identifying and prioritizing workforce 
efforts to recruit, hire, train, develop, and retain cybersecurity 
personnel.
    DHS also did not report cybersecurity critical needs to OPM in 
September 2016 or September 2017, as required. Instead, the Department 
first reported its cybersecurity coding progress and skills gaps in a 
March 2017 report that it sent to OPM and Congress to address several 
of the act's requirements.\26\ However, the report did not describe or 
substantiate critical need designations because DHS has not yet 
identified them.
---------------------------------------------------------------------------
    \26\ Department of Homeland Security, Comprehensive Cybersecurity 
Workforce Update: 2016 Report (Washington, DC: March 16, 2017).
---------------------------------------------------------------------------
    Additionally, DHS had not developed plans or time frames to 
complete priority actions--developing a DHS cybersecurity workforce 
strategy and completing its initial cybersecurity workforce research--
that OCHCO officials said must be completed before it can report its 
cybersecurity critical needs to OPM. According to OCHCO officials, the 
report that the Department submitted to Congress in March 2017 had 
contained plans and schedules. However, we found that the March 2017 
report did not capture and sequence all of the activities that DHS 
officials said must be completed in order to report critical needs. 
Until DHS develops plans and schedules with time frames for reporting 
its cybersecurity critical needs, DHS may not have insight into its 
needs for ensuring that it has the workforce necessary to carry out its 
critical role of helping to secure the Nation's cyber space.
    In our report, we recommended that DHS: (1) Develop guidance to 
assist DHS components in identifying their cybersecurity work 
categories and specialty areas of critical need that align to the NICE 
framework and (2) develop plans with time frames to identify priority 
actions to report on specialty areas of critical need.\27\ DHS 
concurred with the recommendations and stated that it plans to 
implement them by June 2018.
---------------------------------------------------------------------------
    \27\ GAO-18-175.
---------------------------------------------------------------------------
    In summary, DHS needs to act now to completely and accurately 
identify, categorize, and assign codes to all of its cybersecurity 
positions, and to identify and report on its cybersecurity workforce 
areas of critical need. Implementing the six recommendations we made in 
our February 2018 report should better position the Department to meet 
the requirements of the 2014 act. Further, doing so will help DHS 
understand its needs for recruiting, hiring, developing, and retaining 
a cybersecurity workforce with the skills necessary to accomplish the 
Department's varied and essential cybersecurity mission.\28\ Until DHS 
implements our recommendations, it will not be able to ensure that it 
has the necessary cybersecurity personnel to help protect the 
Department's and the Nation's Federal networks and critical 
infrastructure from cyber threats.
---------------------------------------------------------------------------
    \28\ GAO-18-175.
---------------------------------------------------------------------------
    Chairmen Ratcliffe and Perry, Ranking Members Richmond and Correa, 
and Members of the subcommittees, this concludes my statement. I would 
be pleased to respond to your questions.

    Mr. Ratcliffe. Thank you, Mr. Wilshusen.
    The Chair now recognizes Ms. Bailey for 5 minutes.

   STATEMENT OF ANGELA BAILEY, CHIEF HUMAN CAPITAL OFFICER, 
  MANAGEMENT DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Bailey. Good afternoon Chairman Ratcliffe, Chairman 
Perry, Ranking Member Richmond, and Ranking Member Correa, and 
distinguished Members of the subcommittees. Thank you for the 
opportunity to appear before you today to address cybersecurity 
work force issues at the Department of Homeland Security.
    As Secretary Nielsen described during her November 2017 
confirmation hearing, cyber attacks against our Federal 
networks and the control systems that run our critical 
infrastructure are continually increasing, with attacks growing 
ever more complex and each more sophisticated than the last. 
Cyber criminals and nation-states are continually looking for 
ways to exploit our hyper-connectivity in reliance on IT 
systems.
    Our enemies will not rest and neither will we. The 
Department cannot strengthen the Nation's cybersecurity and 
successfully confront the threats Secretary Nielsen described 
without the creativity, intellect, and dedication of world 
class cybersecurity experts.
    For that reason, supporting the human capital needs of the 
Department's cybersecurity work force is a top priority for 
senior leadership including me. I recognize the difficulty of 
securing the right cybersecurity talent today and tomorrow. But 
we must proceed with urgency and ingenuity. I am committed to 
thoroughly understanding our work force requirements and 
implementing the best possible human capital solutions to 
recruit, retain, and manage the cybersecurity talent our 
mission demands.
    My team and I are working closely with human capital and 
cybersecurity leadership across the Department, including the 
National Protection and Programs Directorate, the DHS chief 
information officer, and our component CIOs on three 
priorities.
    No. 1, analyze and plan for our complex set of 
cybersecurity talent needs. No. 2, recruit and retain the 
highly-qualified employees with capabilities vital to mission 
success. No. 3, innovate by implementing a new 21st-Century 
personnel system to revolutionize cybersecurity talent 
management.
    I am working with the deputy undersecretary for management, 
the assistant secretary for cybersecurity and communications, 
the CIO, and the Cybersecurity Workforce Coordinating Council 
to finalize the personnel system. The Secretary in coordination 
with the director of OPM is also working to prescribe 
regulations for the administration of the new system.
    While we engage in the regulatory process, we are dedicated 
to a host of technical human capital analysis, policy 
development, and change management activities to ensure we 
launch a system that will be legally defensible, better reflect 
the needs of high-caliber cybersecurity talent, and enhance the 
Department's ability to execute its mission.
    The implementation effort has momentum. I am committed to 
making our new cybersecurity personnel system operational. I 
would like to increase our collaboration with Congress, 
including these subcommittees, to keep you informed to the 
progress.
    Thank you, again, for our continued support of the 
Department's cybersecurity responsibilities and the employees 
charged with executing them. I look forward to your questions.
    [The joint prepared statement of Ms. Bailey and Ms. Moss 
follows:]
        Joint Prepared Statement of Angela Bailey and Rita Moss
                             March 7, 2018
                              introduction
    Chairman Ratcliffe, Chairman Perry, Ranking Member Richmond, 
Ranking Member Correa, and distinguished Members of the subcommittees, 
thank you for the opportunity to appear before you today to address 
cybersecurity workforce issues at the Department of Homeland Security 
(DHS).
    We are the Department's chief human capital officer and director of 
human resources for the National Protection and Programs Directorate 
(NPPD). Together, we have over 50 years of experience in Federal human 
resources.
    We both support the Department's human capital program, which 
includes human resources policies and programs; strategic workforce 
planning and analysis; recruitment and hiring; pay and leave; 
performance management; employee development; executive resources; 
employee and labor relations; workforce health and safety; diversity 
and inclusion; and human resources information technology. We also 
oversee the human resources operational offices delivering all of the 
aforementioned services to Headquarters and NPPD employees.
    As Secretary Nielsen stated during her November 2017 confirmation 
hearing, `` . . . one of the most significant [aspects of the 
Department's mission] for our Nation's future is cybersecurity . . . 
The scope and pace of cyber attacks against our Federal networks and 
the control systems that run our critical infrastructure are 
continually increasing, with attacks growing ever more complex and each 
more sophisticated than the last. Cyber criminals and nation-states are 
continually looking for ways to exploit our hyper connectivity and 
reliance on IT systems.''
    The Department cannot strengthen the Nation's cybersecurity and 
successfully confront the threats Secretary Nielsen described without 
the creativity, intellect, and dedication of world-class cybersecurity 
experts. For that reason, supporting the human capital needs of the 
Department's cybersecurity workforce is a top priority for senior 
leadership, including the Secretary.
    The Department faces intense competition for cybersecurity talent, 
and studies continue to make headlines by quantifying current shortages 
of specific cybersecurity skills and projecting future talent gaps. We 
recognize the difficulty of securing the right cybersecurity talent 
today and tomorrow, but we must proceed with urgency and ingenuity. We 
are committed to thoroughly understanding our workforce requirements 
and implementing the best possible human capital solutions to recruit, 
retain, and manage the cybersecurity talent our mission demands. Our 
teams work closely with human capital and cybersecurity technical 
leadership across the Department, including within NPPD, and with the 
chief information officer (CIO), and our component CIOs on three 
priorities:
    1. Analyze and Plan for our complex set of cybersecurity talent 
        needs;
    2. Recruit and Retain highly-qualified employees with capabilities 
        vital to mission success; and
    3. Innovate by implementing a new 21st Century personnel system to 
        revolutionize cybersecurity talent management.
                            analyze and plan
    To effectively manage a workforce, one must begin with a 
comprehensive analysis of mission and talent requirements. We would 
like to thank Congress for your attention to cybersecurity workforce 
planning through the passage of several laws since 2014, and we would 
like to thank the Government Accountability Office (GAO) for their 
recent review of the Department's implementation of one of those laws, 
the Homeland Security Cybersecurity Workforce Assessment Act of 2014. 
Emphasizing the importance of these issues helps us focus all of DHS on 
a path forward.
    Over the last decade, DHS has taken a variety of steps to better 
understand and document our cybersecurity workforce, but as GAO 
outlined in their February 6, 2018 report (Cybersecurity Workforce: 
Urgent Need for DHS to Take Actions to Identify Its Position and 
Critical Skill Requirements), there is more work to be done--and done 
quickly.
    As described in the Department's response letter, we concur with 
GAO's six recommendations, and we have taken a series of actions to 
address each of them. Each component designated a lead cybersecurity 
workforce official, developed updated position coding guidance, and 
stepped up communications with component stakeholders critical to 
ensuring positions are accurately identified, coded, and tracked. 
Additionally, we continue to engage component senior leaders through 
the Cyber Workforce Coordinating Council, comprised of senior 
membership from both the component CIO and human resources communities, 
and the Cybersecurity Technical Review Board, a working-level, cross-
component group to reinforce accountability and awareness. We also 
reach out quarterly to advise components of their coding progress, 
validate coding data, and address problems in an effort to improve our 
progress and the accuracy of our data in this area.
    Notably, the Department's cybersecurity workforce planning efforts 
and GAO's report focus heavily on the National Initiative for 
Cybersecurity Education (NICE) Workforce Framework (NICE Framework). 
NICE, led by the National Institute of Standards and Technology (NIST) 
of the U.S. Department of Commerce, is a partnership between 
Government, academia, and the private sector working to energize and 
promote cybersecurity education, training, and workforce development. 
The NICE Framework is a reference structure that describes the 
interdisciplinary nature of cybersecurity, and it uses a common, 
consistent lexicon to categorize and describe cybersecurity work, 
including information key knowledge, skills, and abilities. In 2013, 
the Office of Personnel Management (OPM) and NICE began collaborating 
to ensure agencies could code their Federal positions according to the 
NICE Framework in the human resources information technology (HRIT) 
systems of shared service providers.
    Currently, the Department is focused on transitioning from 2-digit 
position codes based on the original version of the Framework to the 
new 3-digit, role-based position codes aligned to the latest version of 
the Framework. In doing so, DHS is revising personnel records with our 
shared service provider (the National Finance Center) that made system 
updates to accommodate 3-digit codes at the end of 2017.
    We acknowledge GAO's focus on the importance of coding vacant 
positions associated with cybersecurity work, and we have charted a 
path to do so. Fortunately, the Department has broader efforts under 
way to ensure accurate documentation of all DHS position requirements, 
including vacant positions. While DHS does not have an enterprise-wide, 
automated solution to support such work, we continue to set and refine 
data standards with components, patch together multiple datasets, and 
lay the groundwork for a future solution as part of our Strategic 
Improvement Opportunities (SIOs) process for the DHS HRIT program. We 
believe that linking cybersecurity position identification, coding, and 
tracking with our ambitious position management project will help to 
accelerate both initiatives.
    In the coming months, we have a series of actions planned with 
components to ensure they enter, validate, and then analyze their data 
to determine critical gaps. On-going workforce planning efforts have 
demonstrated that the DHS cybersecurity workforce is complex and 
varied. We have identified a total population of over 7,400 Federal 
civilian positions, as well as over 2,800 United States Coast Guard 
military positions and 4,800 contractor positions. The Federal civilian 
population includes 18 components and organizations and covers over 40 
Federal occupational series, and all 33 specialty areas of the NICE 
Cybersecurity Workforce Framework. When we apply the NICE Framework, 
the most populous category and specialty area codes at DHS--each 
associated with more than 250 positions/employees--are Investigation, 
Information Assurance/Compliance, Digital Forensics, Securely 
Provision, and Operate and Maintain.
    Past data calls have identified a great deal of information about 
component recruitment and retention challenges and staffing gaps. For 
the population of 7,400 civilian positions, we are averaging a vacancy 
rate of 10 percent and an attrition rate of 5 percent, but in some 
components, both rates are regularly above 20 percent. In addition, 
components have cited all portions of the NICE Cybersecurity Workforce 
Framework to describe their current and projected shortages of 
positions/employees.
    DHS must now dig deeper to isolate and monitor priority skills and 
mission roles, including those where shortages exist or are 
anticipated. The Framework is a helpful tool for describing critical 
roles and shortages, but we cannot stop there. Some DHS cybersecurity 
work is highly specialized, requiring industry, sector, or mission-
specific skills and knowledge not captured by the Framework's general 
structures and definitions. In cases where DHS work is unique or 
specificity is critical to describing the talent needed to meet the 
Department's mission objectives, DHS will document such detail, and, as 
appropriate, report it to Congress along with the data elements 
outlined in statute.
                           recruit and retain
    Our understanding of both our current and future workforce needs 
informs our recruitment and retention strategy. The Department must 
ensure we are attracting, hiring, and keeping the best cybersecurity 
talent, and given the competitive cybersecurity labor market, DHS must 
leverage all available tools to ensure we keep attrition and vacancy 
rates at acceptable levels. OCHCO has a team dedicated to attracting 
talent to the Department by improving our employment brand and 
developing and implementing Department-wide recruitment strategies, to 
include the use of available hiring flexibilities such as the DHS 
Schedule A cybersecurity hiring authority and the Government-wide IT 
(information security) direct hire authority.
    OCHCO works closely with recruiters and human capital leadership 
from across components, and holds regular meetings of our Corporate 
Recruiting Council. This Council oversees the creation and monitoring 
of targeted recruitment plans for specific DHS mission-critical 
occupations, including cybersecurity. As part of a long-term effort to 
improve cybersecurity recruiting, our staffs manage cybersecurity 
pipeline development and outreach activities focused on 2- and 4-year 
academic institutions, including the National Centers of Academic 
Excellence in Cyber Defense and Cyber Operations, National and local 
community organizations, and professional associations. In fiscal year 
2017 and fiscal year 2018 to date, we have engaged with over 1,300 
students from 122 academic institutions, including 40 National Centers 
of Academic Excellence.
    In addition, OCHCO operates the Secretary's Honors Program Cyber 
Student Volunteer Initiative, which offers students temporary 
assignments in DHS cybersecurity-focused field offices. Approximately 
6,500 students from over 400 academic institutions have applied to the 
program since its inception in 2013, and 258 have completed assignments 
alongside our cybersecurity professionals. While this is a great 
starter program, we are enhancing and expanding component-specific and 
Government-wide programs, such as the Intelligence & Analysis 
Internship Program and the CyberCorps: Scholarship for Service 
program. Now, thanks to Congressional support, all are paid internships 
that lead to full-time Federal/DHS cyber-specific jobs.
    Creating interest in DHS cybersecurity work and attracting top 
applicants is only part of the recruitment equation. Reducing the 
burden and length of the hiring process for candidates is equally 
critical. DHS is focusing on hiring process improvement for all 
occupations, including those related to cybersecurity and information 
technology. Our teams have worked to gather all available hiring 
process data to assist components in identifying barriers, 
reengineering steps, setting better operational targets, and 
identifying opportunities for additional automation. We are also 
focusing on forging smart partnerships across DHS components, lines of 
business, and Federal agencies to ensure that DHS human resources 
personnel are aware of leading practices and can collaborate to achieve 
economies of scale.
    One of the key hiring improvement strategies we have deployed is 
joint recruiting and special hiring events. The Department has held 
successful joint cybersecurity, veterans, intern, and recent graduate 
events that brought together multiple components to a single location 
enabling on-site interviews and on-the-spot tentative job offers in the 
same day. As a direct result of these events, the Department was able 
to hire nearly 700 new employees with a reduced time-to-hire. With the 
cybersecurity event alone, we were able to bring on board approximately 
300 employees, cutting the time-to-hire by up to 6 weeks in most cases. 
The Department has also ramped up participation in similar hiring 
events with Federal partners, including the CyberCorps: Scholarship 
for Service Job Fair and Federal CIO Council's Federal Tech/Cyber 
Hiring and Recruitment Event. Based on previous success, the Department 
will hold another DHS cybersecurity hiring event later this year in 
Washington, DC.
    Innovative interventions to speed hiring and reduce vacancies are 
just the first part of a larger Departmental strategy to do 
cybersecurity human capital better and smarter. Human capital 
flexibilities are most useful when human resources practitioners 
understand them and deploy them appropriately to target the 
Department's most critical job candidates and personnel. We remain 
committed to ensuring that the DHS human resources community receives 
additional cybersecurity-focused training and guidance.
    Since 2016, OCHCO has released over 15 simplified guidance 
documents to help human capital and cybersecurity personnel across the 
Department understand existing human capital tools, such as direct hire 
authority and recruitment incentives; dispel myths; and identify how 
these human capital tools can best support cybersecurity talent. 
Furthermore, we are working closely with OPM and other DHS component 
human resources directors to ensure human resources specialists across 
DHS stay on the forefront of any new developments and understand the 
full set of recruitment and retention tools at their disposal. For 
example, we are building a DHS H.R. Academy with both formal and 
informal training as well as rotational and internship opportunities. 
The Department rolled out the first Academy course in data analytics in 
the fall of 2017, and we anticipate delivering career path guides by 
the summer of 2018.
    In addition to increased training on all available retention 
flexibilities, we are working with human capital leadership across 
components on specific retention interventions. In 2017, OCHCO built 
upon successful NPPD practices and released a Department-wide retention 
incentive plan for cybersecurity employees, which should help 
components retain highly skilled talent by financially recognizing the 
significant training and certification accomplishments of employees. We 
are also exploring ways to increase the use of student loan repayment 
and tuition assistance, and with OPM and the rest of the Federal human 
resources community, we are considering possible compensation 
flexibilities.
    Despite current and past efforts, we find that attrition rates for 
cybersecurity professionals in some DHS organizations remain much 
higher than the rates for other occupations. Our analysis indicates 
that work in the field of cybersecurity is increasingly project-based, 
and we recognize that the prospect of a decades-long Federal civil 
service career may not appeal to cybersecurity professionals. We are 
passionate about continuing to explore these retention challenges with 
experts in both human capital and cybersecurity across components.
                                innovate
    While we are committed to developing some immediate fixes with DHS 
human capital and cybersecurity leadership, our primary cybersecurity 
human capital focus is accelerating the implementation of a new 
cybersecurity-focused personnel system, which will change the methods, 
policies, and process used to recruit, hire, retain, and develop 
cybersecurity employees. We believe this will revolutionize how DHS 
hires, manages, and retains our best cybersecurity talent.
    The Department appreciates that Congress passed the Border Patrol 
Agent Pay Reform Act of 2014. Section 3 amended the Homeland Security 
Act of 2002 to grant the Secretary the authority to create a 
cybersecurity focused personnel system exempt from many of the 
restrictions governing the conventional civil service. This authority 
allows for a variety of human capital management changes, including 
alternative methods for defining jobs, conducting hiring, and 
compensating employees.
    Department leadership is aware of the time that has elapsed since 
the law's passage. We also recognize that implementing such an 
authority represents new territory and is a significant personnel 
transformation for the Department. Successful design, implementation, 
and maintenance of a new Federal personnel system is extremely complex, 
and requires highly specialized Federal human capital expertise. The 
design and subsequent implementation and execution of such a system all 
present unique challenges that require technical knowledge related to 
pay setting and administration, labor market analysis, psychometric 
research, regulation drafting, change management, etc. Despite these 
challenges, we are making progress in implementing such a system.
    After Congress granted the Secretary this additional authority, the 
Department began an initial research and analysis process that included 
benchmarking with other Federal agencies, fact-finding with the 
Department of Defense and OPM, and the development of a slate of 
possible human capital changes. Since both of us arrived at DHS in 
2016, we have redoubled the effort to source specialized talent for the 
project, and OCHCO established a dedicated human capital policy team, 
which includes a well-experienced, senior advisory cadre. We have 
strengthened the Department's collaboration with OPM, and established 
regular working meetings between OCHCO, OPM, and the DHS Office of the 
General Counsel. In addition, the deputy under secretary for management 
reinitiated the Cyber Workforce Coordinating Council, which as 
previously mentioned, includes membership from both the component CIO 
and human resources communities.
    Our teams have completed research on all the major alternative 
personnel systems since the 1970's, and by combining leading practices 
and many new ideas, have designed a flexible, 21st Century personnel 
system tailored to the evolving, project-based field of cybersecurity. 
Our conclusion is that the current civil service system cannot 
adequately address the cybersecurity talent challenges the Department 
faces, and making simple modifications or cosmetic changes to the 
current Title 5, will not suffice.
    The General Schedule (GS) was created by the Classification Act of 
1949, during the Truman administration, but in reality, many of its 
foundational principles date back to the Classification Act of 1923. 
The Federal workforce is no longer primarily composed of narrowly-
defined, clerical jobs, and we are not using long tables of clerks or a 
secretarial pool to combat cybersecurity threats. If we are to attract, 
hire, compensate, and retain top cybersecurity talent, we need to 
recognize a variety of truths, including:
   Jobs are becoming increasingly non-standard and complex;
   Employee expectations no longer map to the 30-year Federal 
        career; and
   A highly competitive labor market exists for cybersecurity 
        talent--of which the Federal Government is only one employer.
    To modernize the civil service for cybersecurity work, we need to 
revisit some of the foundational theories and structures that underlie 
how we have managed Federal human capital for decades, and we need to 
update them for the 21st Century. Some key shifts include:
   Streamlined, Proactive Hiring
     20th Century: Recruitment is focused on posting a 
            position-specific announcement, praying the right 
            candidates apply, allowing candidates to self-rate their 
            skills, and comparing applicants to rigid--often outdated--
            occupation-based standards
     21st Century: Strategically recruit from a variety of 
            sources on an on-going basis, and use up-to-date, 
            cybersecurity-focused standards and validated tools to 
            screen, assess, and select talent
   Market-Sensitive Pay
     20th Century: GS pay rules are based on tenure, and apply 
            regardless of the field of work
     21st Century: Increase the focus on an individual's 
            knowledge, skills, and capabilities and use a pay structure 
            and compensation procedures that are designed with the 
            cybersecurity labor market in mind
   Flexible, Dynamic Career Paths
     20th Century: Temporary assignments and details are 
            exceptions to the norm, and static career paths limit 
            advancement to a single occupational series or vertical, 
            tenure-based career ladder
     21st Century: Accommodate dynamic careers with streamlined 
            movement between the Government and private sector, across 
            components, and through a variety of permanent/non-
            permanent assignments
   Development-Focused Performance Management
     20th Century: The annual performance assessment is the 
            main opportunity for award and pay progression, and the 
            process has become complex and burdened with paperwork
     21st Century: Simplify annual performance ratings, and 
            focus more on continuous, development-focused feedback 
            about employee contributions and skills increases to inform 
            adjustments to pay, assignments, etc.
    We are working with the deputy under secretary for management, the 
assistant secretary for cybersecurity and communications, the CIO, and 
the Cyber Workforce Coordinating Council to finalize the personnel 
system. The new system will ultimately serve front-line cybersecurity 
professionals, so it is critical that all interested parties at the 
Department provide input and have a stake in our shared solution. The 
Secretary, in coordination with the acting director of OPM, is also 
working to prescribe regulations for the administration of the new 
system. While we engage in the regulatory process, we are dedicated to 
a host of technical human capital analysis, policy development, and 
change management activities to ensure that we launch a system that 
will be legally defensible, better reflect the needs of high-caliber 
cybersecurity talent, and enhance the Department's ability to execute 
its mission.
    The implementation effort has momentum, but we are seeking to 
increase our pace. The cybersecurity threats facing our Nation will not 
pause while we evolve the Department's approach to cybersecurity human 
capital. We are committed to making our new cybersecurity service 
personnel system operational and we would like to increase our 
collaboration with Congress, including these subcommittees, to keep you 
informed of the progress we make and the obstacles we encounter.
    Thank you again for your interest in our Nation's cybersecurity and 
your continued support of the Department's cybersecurity 
responsibilities and the employees charged with executing them.

    Mr. Ratcliffe. Thank you, Ms. Bailey.
    The Chair now recognizes Ms. Moss for 5 minutes.

  STATEMENT OF RITA MOSS, DIRECTOR, OFFICE OF HUMAN CAPITAL, 
NATIONAL PROTECTION AND PROGRAMS DIRECTORIATE, U.S. DEPARTMENT 
                      OF HOMELAND SECURITY

    Ms. Moss. Chairman Ratcliffe, Chairman Perry, Ranking 
Member Correa, and distinguished Members of the subcommittee, 
thank you for the opportunity to appear before you today.
    The Department of Homeland Security serves a critical role 
in safeguarding and securing cyber space, a core homeland 
mission. DHS's National Protection and Programs Directorate, 
NPPD leads the Nation's efforts to ensure the security and 
resilience of our cyber and physical infrastructure.
    I am the human resources director for NPPD, with almost 25 
years of leadership experience in Federal human capital. I came 
to DHS just over a year ago. In this role I am responsible for 
planning, developing, directing, and evaluating NPPD's human 
capital strategy and operations.
    As a component of DHS, we are very much aligned with the 
Department's approach and guidance in effectively recruiting 
and retaining cybersecurity talent, which is in high demand in 
Government as well as in the private sector and is a key 
imperative of the NPPD mission.
    NPPD has been working closely with the Department in 
developing systems and programs to effectively recruit and 
retain cybersecurity talent. We are thoroughly engaged at every 
level in the design and development of the new personnel system 
for cyber positions.
    NPPD is represented at the SES level by our deputy 
assistant secretary for cybersecurity and communications who 
co-leads the Cybersecurity Workforce Coordinating Council. I 
support the council as NPPD's human capital expert.
    NPPD cybersecurity managers and employees at the working 
level are also engaged in numerous working groups and focus 
groups to inform the design and impact of the new system. We 
believe that our needs are well-represented and our input is 
valued.
    In my role as H.R. director for NPPD, I have made data 
analytics a priority. As an organization, we cannot figure out 
where we are going, what barriers exist or develop effective 
solutions without first understanding what is working and what 
is not working in our efforts to recruit and retain cyber 
talent.
    Over the last year, we have invested a lot of energy and 
effort in developing our metrics such as stats on internal 
movement, location of lag times in hiring, grade distribution, 
et cetera, and analyzing our processes. We are now utilizing 
that data to determine what gaps exist and develop new 
strategies to address them.
    NPPD has also been very adept and creative in leveraging 
the various authorities granted to us as well as existing OPM 
regulations and workplace flexibilities to attract and retain 
our talent. We are actively exercising various hiring 
authorities such as direct hire, internships, and 
noncompetitive hiring, incentive programs such as student loan 
repayment, and retention incentives and recruitment strategies 
such as social media and on-site interviewing to attract and 
retain our cyber work force. We will continue to do so and 
provide those insights into the development of the new 
personnel system.
    I want to conclude my testimony by thanking the committee 
for passing the Cybersecurity and Infrastructure Security 
Agency Act of 2017. Earlier today, your colleagues in the 
Senate took the next step to move this bill forward. If 
enacted, this legislation will mature and streamline NPPD. 
Importantly, it will rename our organization to clearly reflect 
our essential mission.
    Establishing our brand under a renamed agency is essential 
to our work force, our recruitment efforts and effective 
stakeholder engagement. We must ensure that NPPD is 
appropriately organized to address cybersecurity threats both 
now and in the future.
    We appreciate this committee's leadership. Thank you for 
your interest in growing and developing the Nation's 
cybersecurity work force. I look forward to your questions as 
well.
    Mr. Ratcliffe. Thank you, Ms. Moss.
    We will turn now to questions from the Members. The Chair 
now recognizes the gentleman from Virginia, Mr. Garrett for 5 
minutes.
    Mr. Garrett. Thank you, Mr. Chairman.
    I am incredibly frustrated and I have a finite amount of 
time and Mr. Wilshusen, I presume I am close to pronouncing 
that correctly. You are going to miss the brunt of this because 
you are from GAO.
    You attended the Naval Academy. You understand the concept 
that a leader is responsible for all unit he accomplishes or 
fails to accomplish, right? They taught that in the Army 
leadership. I am sure the Navy is no different.
    Ms. Bailey, you said our enemies will not rest and neither 
will we. But as I look at this list of GAO findings, there were 
at least 395 nights that we went to bed and rested before we 
accomplished items on this list.
    So you have people on this committee--Ms. Demings, who has 
a carrier in law enforcement, so too Mr. Higgins. Chairman 
McCaul, he was a Federal prosecutor. Mr. Perry, he was in the 
military. We have an FBI agent. I was in the military and was a 
prosecutor and I can darn guarantee you that there were a lot 
of nights that we had stuff that we were mandated to do that we 
didn't go to bed. That we literally didn't rest because we were 
mandated to do it.
    So while I look at Public Law 13277, and I look at these 
bullets, established procedures to identify and categorize and 
cybersecurity positions within 90 days March 2015, 13 months 
behind. Identify all positions with cyber functions and 
determine specialty areas within 9 months, still incomplete. 
Assign 2-digit codes to all cybersecurity positions based on 
priority work category within 9 months, incomplete.
    Identify cybersecurity--and this is from September 2015, 
identify cybersecurity work rules to the critical needs of 
Congress, June, 2016, not yet identified. There is one more. 
Report critical needs to OPM annually, assigned September 2016. 
Not yet addressed.
    Now, I got a series of questions for each of you and again 
you escaped this. Again, thank you for your service, right? I 
know what you do isn't easy, but if our enemies aren't resting 
and they are not. I just was fortunate enough to meet with the 
foreign ministers from the Baltic States, right--Estonia, 
Latvia, Lithuania--who understand something about cyber 
attacks.
    I have spoken with people from the Ukraine who understand 
something about cyber attacks. I understand that there are a 
lot of people who really concerned with things like EMP. The 
reality is as you all know; a cascading cyber threat could kill 
50 percent of the population in this country in 12 months.
    I am not making this stuff up. So these are the laws passed 
by Congress under the Constitution of the United States and 
here are my questions. I am going to give them to you in a 
litany and then give each of you time.
    What is your level of accountability? What is your fear if 
you miss a date that's established by law? What is the worst 
thing you think can happen? When was the last time someone was 
fired for not accomplishing a task mandated by law?
    I am dead serious. I want to know who and what did they 
fail to do? Has anyone who is previously responsible for a 
legally-mandated task subsequently been promoted after having 
failed to accomplish that task in a timely manner?
    I am dead serious. Because in the world from which I come 
as a prosecutor, as an elected official, and as a soldier, you 
get an assignment with a drop-dead date and you do the 
assignment. You guys are great. I apologize that my enmity is 
attacking you. But we serve the American people. These threats 
are not anything to worry about until they happen. So has 
anyone who is responsible for one of these tasks that haven't 
been accomplished subsequently been promoted, who failed to 
accomplish the task and what were they promoted to? Why?
    So, again, what is your level of accountability? What is 
your greatest fear that could happen possibly if you don't do 
something Congress directs you by law to do? Have we promoted 
anyone who failed to accomplish these tasks?
    What do we intend to do to be more responsive in the 
future? I hate to think that it is like being the parent to a 
17-year-old who goes, ``Yes, sir, I will do it.'' Then never 
does it and giggles behind your back.
    Because Congress is supposed to matter and I think in our 
hearts we want the same thing. So I got--I am sorry about 45 
seconds for each of you.
    Thank you for you indulgence. I am not--and again, it is 
not a personal attack. But I mean you get it. You all know this 
is wrong, 13, 16, 18 months out.
    Ms. Bailey. I was scrambling to write down your questions, 
sir. So I don't fully----
    Mr. Garrett. OK. Well, here is my biggest one. Has anyone 
failed to accomplish a legally-mandated task by virtue of 
Public Law 13277 been subsequently promoted?
    Ms. Bailey. No, sir.
    Mr. Garrett. Has anyone ever been fired for failure to make 
a time line mandated by law by Congress?
    Ms. Bailey. No.
    Mr. Garrett. So what is the greatest fear of an individual 
who is tasked with these particular responsibilities should 
they fail to accomplish that task? What is their fear? I won't 
get promoted. In the Army it was I want a good evaluation, so 
that I can get promoted ahead of my peers.
    What is the fear of someone who goes home one night 
thinking, well, I am not going to finish this today knowing 
that it is past the deadline?
    Ms. Bailey. I think if I could answer it this way. I don't 
know that it is fear. I think it is actually just 
disappointment that they don't have the ability to perhaps get 
everything done in a given day that they try to get it done.
    So they have got a lot of competing priorities sitting on 
their plate. This is by far one of their most important. But 
they have to do that in context of everything else that they 
are trying to do at the same time.
    So the very same work force that is trying to do the coding 
and which by the way we have as of today over 6,000 positions 
are coded into 3-digit. I realize that that is not the 
substantial progress that you are looking for, but----
    Mr. Garrett. I don't want progress. Pardon, I don't try to 
be mean to you and I know I am over. I want completion by the 
assigned date or you coming to us going here is why we are not 
going to finish in time.
    Ms. Bailey. Understand, Sir.
    Mr. Garrett. Again, I am not trying to beat you guys up.
    Ms. Bailey. We have a time----
    Mr. Garrett. I know it is not easy.
    OK, again, I thank the Chair for his indulgence. But please 
take this sense of urgency. This is a bipartisan thing where we 
are protecting the same people. We need to be better about 
holding you to account and you need to be better about looking 
at this timing going, ``Darn, this is hard. We are going to get 
it done.''
    Because that is what we do in law enforcement, that is what 
we do in the military, that is what our teachers do when they 
are first year teachers, lesson planning. It is what we owe all 
the citizens we serve.
    Thank you. Apologize for going over.
    Mr. Ratcliffe. The gentleman yields back.
    The Chair recognizes the gentleman from California, Mr. 
Correa.
    Mr. Correa. Thank you, Mr. Chairman.
    Just a question to DHS, my colleague stated the issues and 
I, we have given you flexibility. We have given you incentives 
to hire folks, to get people on-line, to fill these vacancies.
    Ms. Bailey, you pointed out there is a lot of--it sounds 
like you don't have the resources, individuals that are 
supposed to execute just aren't getting around to executing. I 
am not going to put words in your mouth, but my question to you 
is what other resources do you need to fill these vacancies?
    Of course, the other question if you can, there are some 
errors I would imagine, errors in coding of some of these 
positions. Do we know how many vacancies we actually have?
    Ms. Moss. Ms. Bailey, please.
    Ms. Moss. In terms of hiring, I looked at our numbers right 
before while preparing for this. Over the last 2 years, we have 
approximately 1,077--I am sorry, 1,087 cyber positions.
    We actually hired over 500 during that time frame. So we 
were actually hiring a lot of people throughout the course of 
the last few years. We also are suffering attrition along with 
the rest of the cyber work force in Government and out of 
Government. So although hiring is occurring, attrition is also 
occurring. So it is not that we are not hiring individuals. We 
are also trying to overcome the deficit----
    Mr. Correa. That is a plausible explanation.
    Ms. Moss. Yes.
    Mr. Correa. So my question is: How do we get you over? How 
do we help you get there to make sure that we are fully staffed 
in this critical area of Government?
    Ms. Moss. I am not certain that any new legislation is 
needed. We are implementing, as Ms. Bailey said, new cyber 
talent management system I think will give us more 
flexibilities. We are also hiring people that are younger 
interns that we are growing and developing within the 
organization.
    So, I think that will help shape our work force. When NPPD 
first stood up, the urgency was to hire people that are 
competent and skilled. There is a limited number of people that 
are competent and skilled in cyber talent. So now, we are 
trying to grow people from within by hiring people at lower 
grade level----
    Mr. Correa. Ms. Moss and Ms. Bailey, I am not going to put 
any words in your mouth, but it sounds to me that you are going 
through a growth process here.
    Ms. Moss. Yes.
    Mr. Correa. It is still going to take time to get there?
    Ms. Moss. We are growing, yes.
    Mr. Correa. It is a critical area and we are still going to 
have some problems getting there. What about the issue of 
miscoding on some of these positions? Do we actually know how 
many positions are vacant? Or is that something that is still a 
floating number out there?
    Ms. Moss. We actually know how many positions are vacant. 
We are in the process now of updating our coding to the 3-digit 
code. So, we are training our managers in how to use the new 
NICE framework to code their positions so that is under way 
currently as we speak.
    Mr. Correa. The same question to the GAO, sir. In your 
opinion, what can we do to speed up hiring of some of these 
folks to see these most important positions that we need to 
have filled right away?
    Mr. Wilshusen. Well, I think one of the first things is to 
identify what your critical needs are to make sure that you are 
hiring the right people with the----
    Mr. Correa. Prioritizing?
    Mr. Wilshusen. Skills that you need. Prioritizing----
    Mr. Correa. Can we do that? Or is that----
    Mr. Wilshusen. Well, that is one of the things that have 
yet to be done----
    Mr. Correa. Has failed to be done.
    Mr. Wilshusen [continuing]. To identify the specialty areas 
of critical need. So, I think that is going to be key, it's 
being able to know what type of staff, what type of skillsets 
do you need and then go out and try to hire them. Recognize 
that is going to be challenging in terms of hiring those types 
of individuals because they are in demand, not only across 
Federal agencies, but also in the private sector.
    So it is going to really be imperative to make sure that we 
know exactly what type of individual with the skillsets that we 
need in order to accomplish our mission. That is one of the 
steps that DHS still needs to do.
    Mr. Correa. I would like to look at both of these agencies, 
come up with a list of recommendations to what is it that we 
need to do to help you get there to finish your job. Again, 
this is not a finger pointing, but rather trying to figure out 
what the bottlenecks are and trying to move past them.
    Mr. Chair, I yield the remainder of my time.
    Mr. Ratcliffe. Thank the gentleman.
    The Chair now recognizes the gentleman from Pennsylvania, 
Mr. Perry.
    Mr. Perry. Thanks, Mr. Chairman.
    Ms. Bailey, I am looking at some information from the GAO 
study here that says that as a requirement of the act of 2014, 
you are supposed to--your agency is supposed to assign the 2-
digit employment codes and that as far as I can tell for this, 
it is still on-going.
    Now, I understand there is subsequent legislation that 
requires a 3-digit code. So in light of that, are you still 
trying to assign the 2-digit codes or have you abandoned that 
and now are moving to the 3-digit code? Or is there a reason to 
have both? Or is that----
    Ms. Bailey. Yes, sir. So the 3-digit code builds off the 2-
digit code and what it does is it just makes it a further 
refinement, I think is the best way to describe this.
    Mr. Perry. OK.
    Ms. Bailey. So the 2-digit code work has continued, always 
will continue. What we are doing is refining that by adding in 
the 3-digit code.
    Mr. Perry. So when you say--I just want to understand this, 
so when you say always will continue, does that mean it will 
never be done or----
    Ms. Bailey. Correct. Our cyber work force as people move in 
and out, as positions move in and out, as our enemy comes up 
with new and advanced ways of doing things, we are always going 
to be redefining what it is to be cybersecurity.
    Mr. Perry. OK. I agree with you and I get that. I figured 
that would be your answer. But at some point you have a base of 
information and then you are modifying from that to keep up 
with the current times, right? I mean----
    Ms. Bailey. Correct.
    Mr. Perry. So to me, at some point, everything is going to 
be assigned to 2- or 3-digit code, everything. Then you are 
going to have to change it to keep up.
    Ms. Bailey. Right.
    Mr. Perry. So my question is when is that going to happen, 
because the due date was September 2015 for the 2-digit code. 
It is March 2018 right now, so----
    Ms. Bailey. Right. We have assigned--we actually, I just 
want to clarify something. Although, we have not been provided 
I think what you would say formal guidance in everything, we 
have been at this since 2011. So we meet in almost a monthly 
basis in working with the components to put together the kinds 
of guidance that they actually need, which is why Ms. Moss is 
able to continue on. They are not sitting around waiting on 
formal guidance.
    So by April, the end of April, 2018, which is to be next 
month, this Department will have all of its cyber positions 
coded under the 3-digit code. We have a commitment to do that. 
We have talked to both the DAS and the under secretary within 
management along with component leadership. Everybody 
understands that this is something that we have got to finalize 
by April 2018.
    Mr. Perry. So we are talking about at the end of April, 
because we are talking a month away.
    Ms. Bailey. Yes.
    Mr. Perry. Less than a month away.
    Ms. Bailey. Correct.
    Mr. Perry. So you are saying at the end of April this is 
not going to be an issue.
    Ms. Bailey. At the end of April.
    Mr. Perry. At least this component of it.
    Ms. Bailey. Correct.
    Mr. Perry. Which is, well, I think it is way too long. I 
empathize with Mr. Garrett's position because I feel the same 
way. It just takes too long. We had a hearing last week 
regarding the hiring practices, including for cybersecurity 
positions and as it relates to the fitness determination as a 
part of the on-boarding process.
    What I came away with is that the Department--this is my 
impression, for whatever reason has some aversion to the risk 
of hiring somebody. If there is anything at all that is 
flagged, they just drag their feet.
    The contractor can't find out what the problem is. Nobody 
knows what the fitness standard is. There is nothing published. 
It is amorphous, it changes from position to position. It costs 
the American taxpayer a huge amount of money. It puts everybody 
further and further behind. The cybersecurity issue is an 
issue, believe it or not, I imagine other Members do, I go home 
to my district and people ask me about it. They are concerned 
about it and then they want to know what they can do and what 
is being done. Quite honestly, I don't have a lot of good 
answers for them.
    So, what I also got out of that hearing is that there is 
nothing required legislatively for the Department to change its 
procedures and practices. I see absolutely no reason why the 
contracting officer needs to be involved in that part of the 
process, right?
    The contracting officer makes sure that the contract is fit 
and the contractor is performing the work as appropriate. He 
doesn't need to be involved, he or she doesn't need to be 
involved in the hiring process, yet, a would-be contractor has 
to go to them to find out what the issue is. Why they can't 
hire somebody.
    They go to somebody else and then they come back and they 
say, ``Well, we can't tell you. And we don't know when it is 
going to get better and we can't tell you why.'' Why can't you? 
Why can't you--you are the CHCO, right? That's the chief human 
capital officer.
    Ms. Bailey. Yes.
    Mr. Perry. You are the CHCO.
    Ms. Bailey. Right.
    Mr. Perry. Why can't you just change that and streamline 
that? That we put you in charge because you are smart, you are 
capable, and you can make decisions. Why is that not happening?
    Ms. Bailey. Well, if it is contractors, it doesn't actually 
fall under my----
    Mr. Perry. But the process, the process of hiring.
    Ms. Bailey. Right. So the process of hiring, yes, does fall 
under me, but I partner with our chief security officer with 
regard to that.
    Mr. Perry. OK. Who is in charge, you or the security 
officer?
    Ms. Bailey. With regard to the security process, it would 
be Rich McComb, our chief security officer. But we have 
partnered, I will tell you in the 2 years since I have been at 
DHS, we have issued reciprocity guidance that has gone out to 
everyone.
    We are now at the 70 to 80 percent of our cases in which we 
can do reciprocity. We actually do it. We have issued guidance 
to say that if somebody is not going to be able to pass their 
security clearance and you know that, then revoke the offer and 
move on to the next----
    Mr. Perry. But this is before the clearance, right? This is 
before the--this is fitness. These are the fitness standards. I 
forget the other one, one is for contractors and one for 
employees.
    Ms. Bailey. Right.
    Mr. Perry. With all due respect, the hearing I had last 
week tells me that whatever process you implemented 2 years ago 
is not sufficiently working. With all due respect.
    Ms. Bailey. OK.
    Mr. Perry. So I would invite you to revisit that. I am 
happy to have a discussion with you.
    Mr. Chairman, I yield.
    Mr. Ratcliffe. Chair now recognizes the gentlelady from 
Florida, Ms. Demings, for 5 minutes.
    Mrs. Demings. Thank you so much, Mr. Chairman.
    Thank you to our witnesses for being here. It is a tough 
job. But I do share the sense of urgency with my colleagues. It 
is an important job. I was in another place this morning 
talking about we have enemies in this country who spend every 
waking minute trying to figure out how they can defeat our 
systems, and so this is an important work.
    Ms. Bailey, you indicated that you are not sitting around 
waiting for guidance, but I would think that some guidance 
would be helpful in terms of recruiting and training and 
retaining, preparing our current work force. So could you 
please describe for the committee any guidance that has been 
developed and dispersed at the Department to assist in 
identifying cyber work force needs?
    Ms. Bailey. Yes. I mean, what I should have said is the 
components weren't sitting around waiting for formal guidance. 
But with regard to the guidance, we have actually, in working 
with the Human Capital Leadership Council, we have put out 
several, at least 15 different pieces of guidance quite frankly 
on what are all the hiring authorities that you can use today, 
what are some of the best recruiting methods that we can 
actually use, how do we go ahead and retain these folks given 
the authorities that we currently have in place today, what are 
the things that we know that we need to actually implement with 
regard to our new personnel system and where we want to go.
    So we actually have been holding design sessions with the 
subject-matter experts along with the hiring, or the H.R. 
specialists to actually make sure that we are identifying what 
the specific needs are, because we do know what our critical 
needs are. We have over 33 different specialty areas that have 
been identified for cybersecurity, which ranges within 40 
different occupations.
    We are using a 21st-Century NICE framework of coding and 
then we have to take that after we code these positions. We 
have to turn around and try to recruit, hire, and pay people on 
a first part of the 20th-Century system, because the two aren't 
actually matched together. So while we have all this good 
coding that is going on every hearing, and it is absolutely 
critical and it is important, we have to live in the system in 
which we have to operate until today.
    So when I go out and we try recruit somebody, we have a 
question that we ask ourselves all the time. How are you going 
to get top talent when in some cases if they have a bachelor's 
degree they are only equivalent to a GS-5, which means that I 
can only pay them about $3 more than the minimum wage in most 
States.
    So we are absolutely going to have a recruiting problem 
when we have those kinds of pay scales associated with the GS 
schedule, which is why we have put a tremendous amount of 
effort into designing this new personnel system that we plan to 
roll out in the very near future. We have to go through the 
regulatory process, make sure that everything is aligned. We 
have briefed OMB on it. We have briefed the CIO council at the 
White House on it. We brief OPM on it next week. So we are 
making significant----
    Mrs. Demings. So you are encouraged by the new process that 
you hope to roll out very soon.
    Ms. Bailey. I am extremely encouraged, because what we have 
done, as we have said, we live in a 21st-Century world. We can 
no longer just put Band-Aids on a 20th-Century system and call 
it a day, because it is not working. So if we are going to do 
all this work over here in coding in the 21st-Century codes, 
which make absolutely perfect sense, makes no sense to me 
whatsoever that we have to turn around and try to recruit, 
hire, and retain and pay people in a system that was designed 
in the 1940's. So those are some of the things that we are 
actually working on together to make sure that we can get 
implemented.
    Mrs. Demings. Ms. Moss, anything you would like to add to 
that statement?
    Ms. Moss. I would say in terms of actual operations, that 
is certainly true. We have a hard time. We do leverage OPM 
flexibilities in terms of recruitment incentives, retention 
incentives, but that is a paper process. There are a lot of 
hoops to jump through so that elongates our hiring process. So 
we have found workarounds, but we are looking for a long-term 
solution, which we are going to get with the new system that is 
being developed.
    Mrs. Demings. OK.
    Thank you, Mr. Chairman. I yield back.
    Mr. Ratcliffe. I thank the gentlelady.
    Chair now recognizes the gentleman from New York, Mr. 
Donovan, for 5 minutes.
    Mr. Donovan. Thank you, Mr. Chairman.
    You answered most of my questions just now, because the 
Chairman held a roundtable with some other people from industry 
a while back. We had folks from Microsoft, Intel, Facebook, 
Google, a couple of other companies. Just to put things in 
perspective, you are talking to a guy whose VCR still flashes 
12, so I do not understand any of this stuff.
    But they told us the difficulty they are having recruiting. 
They have 500,000 jobs right now that they cannot fill and I 
think in 10 years it will be a million. They are looking to 
start trying to get interest in young people into the jobs that 
are going to be needed to be filled by industry. I can't even 
imagine how difficult it is for you to recruit at the pay 
scales.
    In some places and many of my colleagues here have served 
in the military and military seems to have difficulty, but some 
incentives to retain talent in especially special areas that 
are needed. Is there a category for like essential services in 
our Government that we could get out of the GS classification 
ratings and say this is a need that we have to fill? And maybe 
we don't follow those protocols.
    As you said, Ms. Bailey, that was set up in 1940. Is there 
a mechanism in place now for that?
    Ms. Bailey. Well, actually Congress gave us--thank you--
gave us that authority to actually write our own rules. So what 
we are doing right now is we are completely not just 
reinvigorating, we are redesigning and stepping away from the 
traditional classification and qualification system, because it 
does not work for what we are trying to hire today.
    I would tell you, with respect to the military, in fact, 
NPPD has over a 50 percent of NPPD's staff in this area are 
veterans, so that is remarkable. It is a highly sought-after 
source for us to recruit from, is from the veteran population.
    But thank you to the Congress we do have the authority now 
to go ahead and actually do what you are suggesting, because we 
are never going to be able to make the significant progress we 
want to make by putting another step on the GS, right, or by 
raising something by just one degree. That is never going to 
work. You have to re-think.
    First of all, the talent we are trying to hire does not 
want a 30-year career with the Federal Government. They just 
don't. That is OK. So we have to figure out ways to have 
legislation, which it wouldn't necessarily take for in the 
competitive side. But with our new authority that we have been 
given, we are actually baking into that disability for folks to 
go in and out of Government without having to be restrained by 
time in grade and all the ridiculous rules that folks are under 
these days, that really actually is a detraction for them to 
actually want to come back into the Government.
    We want them to work for us for 3 to 5 years. We want them 
to leave and go to the companies that you just mentioned. But 
then we want to stay in touch with them and we want to bring 
them back, so that we can have this infusion of both private 
sector and Federal sector, and that is what our new personnel 
system will actually allow us to do.
    Mr. Donovan. The other thought I had was possibly if 
industry, again, is having their own difficulties in 
recruiting. But I do not know if you would call it on a loan 
basis or something, but the real talented people whose are 
getting paid these very reasonable salaries in the private 
sector would be able to come in and work for their Government 
as a--I do not want to say a loaner from J.P. Morgan, but a 
program where we could take some talent from industry and for 
some, whether it is a love of country or whatever incentive we 
could give companies to loan us some of their talented people 
to help us in some of the things that you are dealing with 
might be another idea.
    Mr. Chairman, after Ms. Bailey I will yield the remainder 
of my time.
    Yes, Ms. Bailey, would you comment on that?
    Ms. Bailey. I was just going to say that, yes, like the 
Loaned Executive Program is something that we use. We also 
bring folks into what is called IPA, which is basically 
academic talent and stuff. So there are different hiring 
authorities that we can use to have an infusion of that talent 
come in and we do make use of those, so thank you.
    Mr. Donovan. Wonderful. Thank you very much.
    I yield the remainder of my time, Mr. Chairman.
    Mr. Ratcliffe. I thank the gentleman.
    Chair now recognize the gentlelady from Texas, Ms. Sheila 
Jackson Lee, for 5 minutes.
    Ms. Jackson Lee. I thank the Chairman very much and I 
appreciate very much this particular hearing.
    I want to thank the full committee, the subcommittee Chair, 
and subcommittee Ranking Member and full committee Chair and 
full committee Ranking Member on working with me on my zero-day 
legislation, which I think is the underpinning of what we are 
talking about in terms of having that staff, that experienced 
staff to deal with the ultimate events that may happen both in 
the public sector and the private sector, and having them be 
qualified and having a continuing channeling of staff.
    I would like to--staff personnel that are dealing with the 
issue of cybersecurity, which some years ago, Mr. Chairman, as 
you well know, cybersecurity was under Transportation Security 
and Infrastructure. We began looking at where cyber impacts us, 
which is everywhere from water systems, sewer systems, the 
electric grid and beyond. So I believe that it is important to 
take note of a number of statistics that I hope to get a 
hearing on particular legislation that I have.
    Just like to cite the Bureau of Labor Statistics in 2016 
reported that African-Americans comprise only 3 percent of the 
information security analysts in the United States yet comprise 
13 percent of the population. The numbers at one time, top 
computing security salaries, $175,000, $230,000. I think we had 
positions in the Government at $88,000. In 2017, the United 
States employed nearly 780,000 people in cybersecurity 
positions with approximately 350,000 vacancies. In 2017, nearly 
65 percent of large U.S. companies had a chief information 
security officer, which is good. It is up from 50 percent. 
Women hold only 11 percent of cybersecurity positions globally 
filling 25 percent of tech jobs and comprising 50 percent of 
the population. There is a similar situation with African-
Americans, Hispanics, who account for 5 percent of 
cybersecurity positions, African-Americans 7 percent.
    Those numbers are simply to look or give us the parameters 
of the space that we should be in in our recruiting and 
collaboration on the question of providing a pathway for 
individuals. So, Mr. Chairman, I am interested in having a 
hearing on H.R. 1981, the Cyber Security Education Workforce 
Enhancement Act, which I have introduced. But I do want to ask 
both Ms. Bailey and Ms. Moss, and I want to thank Mr. Wilshusen 
for his product of DHS's needs to take urgent action to 
identify its position in critical skills requirements.
    So I see that there is a beginning structure that you all 
are working on. This legislation penetrates outside of the 
immediate need and begins to build a farm team. So recruiting 
information, assuring cybersecurity, and providing computer 
security professionals, this particular office would be called 
the Office of Cyber Security Education Awareness branch 
providing grants training and other support for kindergarten 
through grade 12, secondary and post-secondary computer 
security education programs, guest lecturer programs, 
identifying youth training programs, developing programs to 
support the underrepresented and working with a number of 
organizations that would have outreach to those organizations.
    So, Ms. Bailey and Ms. Moss, I would hope that those kinds 
of outreach, though you may have them, having them more 
established and getting the farm team established, that will 
ultimately fit into the scheme of young people coming in from a 
diverse background, staying a couple of years and then going 
out and coming back in, which I think is an excellent model. 
Could you work with that added outreach that my legislation 
speaks of?
    Ms. Bailey. I will start and then Rita can elaborate on 
this a little bit more. So the answer is yes. We actually have 
been having these conversations with regard to where do you 
start the outreach, where do you actually start the recruiting? 
I am of the belief that really we need to start this actually 
in elementary school and then we need to build it from there.
    The public school systems are actually begging us to help 
them establish what the curriculum is that we need for these 
folks to be successful, because not everybody is going to be on 
a 2- or 4-year college track. Some are going to come straight 
out of high school. But when we have a system today that when 
you come out of high school, the most that you can probably 
make is around minimum wage, it is not going to help them 
sustain or actually be able to support their families or 
anything else.
    If we are going to hire from all segments of society, which 
is what our basic merit principle--not suggest--require as part 
of the statute, then I think that, to your point, we need to 
establish programs and such in which we can actually attract 
from all segments of society.
    Ms. Jackson Lee. Thank you.
    Ms. Moss.
    Ms. Bailey. So getting into the schools I think is 
important.
    Ms. Jackson Lee. Thank you.
    Ms. Moss.
    Ms. Moss. OK. Yes, cybersecurity education is part of our 
mission at NPPD, so we are certainly passionate about that and 
we are happy to see that you are passionate about it as well. 
In the mean time, one of the things that we have started doing 
is looking at the Scholarship For Service, pathway intern 
programs to reach out to a more diverse population of students. 
So we are using those tools right now to leverage diversity 
across our cyber work force.
    Ms. Jackson Lee. Thank you.
    Mr. Chairman, I am prepared to yield back. I wanted to ask 
unanimous consent to put H.R. 1981 in the record.
    Mr. Ratcliffe. Without objection.*
---------------------------------------------------------------------------
    * The information has been retained in comittee files and is also 
available at https://www.congress.gov/115/bills/hr1981/BILLS-
115hr1981ih.pdf.
---------------------------------------------------------------------------
    Ms. Jackson Lee. And would further encourage discussions 
about hearings on the very points that the two witnesses have 
made that expands the opportunity. I just mention coding is 
something that can be taught out of high school and they can go 
into a very, very productive employment that would have young 
people supporting families and being very productive. So I look 
forward to it.
    I thank the witnesses very much for their testimony. I 
yield back.
    Mr. Ratcliffe. I thank the gentlelady.
    The Chair now recognizes the gentleman from Louisiana, Mr. 
Higgins, for 5 minutes.
    Mr. Higgins. Thank you, Mr. Chairman.
    I thank the Americans before us for testifying today.
    Ms. Bailey, thank you for your service. In your written 
statement, you identified three priorities, the second of which 
was to recruit and retrain, and retain, highly-qualified 
employees with capabilities vital to mission success. The 
relationship with DHS and your effort to recruit and retain, is 
there any mechanism to recruit out of our college campuses?
    Ms. Bailey. Oh, absolutely. I mean, that is----
    Mr. Higgins. Can you share that with us, please?
    Ms. Bailey. So with regard to our college campuses, some of 
the things that we make sure that we do is last year alone, we 
actually spoke to over 1,300 students at 122 different 
universities and colleges across the United States, and that 
includes both 2-year and 4-year colleges. So to that extent----
    Mr. Higgins. That is encouraging. That is the answer we 
anticipated and hoped to hear. It states that DHS has reported 
at least 12 of 15 components as having cybersecurity positions. 
However, DHS could not provide data to show the actual numbers 
of positions in each of these categories in specialty areas.
    So how are we, and this means you, how are you connecting 
the dots between the jobs that you are discussing with our 
students at American universities and connecting the location 
of the residents of these young Americans to the jobs that 
would be associated in the specialty areas of cybersecurity if 
you don't know what those specialty areas are? How are you 
having a complete conversation with a young American that is, 
say, a sophomore or junior in college and will consider 
entering a career with DHS and serving the country in that way?
    Might I add that money for a soldier, sailor, airman, or 
Marine is not the motivating factor of serving, it is service 
to country. I would suggest that service in protecting our 
homeland should be reflective of that same patriotic spirit. I 
believe these positions can be filled despite the lack of 
funding as it is referred to today, and if we can appeal to the 
patriotic spirit of young Americans in colleges. These are the 
young men and women that are coming out of there which have 
21st-Century cyber skills that none of us have.
    If you haven't been able to identify the specialty 
positions within the various components of DHS, then how are 
you having a complete conversation with a young American man or 
woman at a college university in Louisiana or Alabama or 
Florida or California?
    Ms. Bailey. Well, sir, we have identified. We have 
identified that we have over 33 specialty areas. We have mapped 
them to the NICE framework. What we have not done timely is 
coded all those positions into our payroll system and make sure 
that we have accounted for them, but we have done that work. We 
know exactly what our specialty areas are. We know exactly 
where the different--and we have had to map those against the 
40 different occupational series, so we know exactly what it is 
that we need.
    We know where those positions are in every single 
component. We know that the top series are things like IT 
specialist info, computer forensics, coders, law enforcement. 
We have a law enforcement element of this. We have intel 
analysts that are part of this and we have management and 
program analysts, just to name a few.
    Mr. Higgins. That is also an encouraging answer. So you are 
helping us here fill in some blanks. Let me just ask. If I am a 
student in the IT field at University of Louisiana in 
Lafayette, one of the top IT universities in the country, and 
there is a component of DHS in my area where I live and I speak 
to a recruiter for DHS, can you identify a job for me when I 
graduate in 2019 or 2020 that I may want to pursue? Because 
from our hearing last week, it takes a year to get hired. So if 
I wanted to pursue that job, can you connect me with that job 
if I am a student right now at a university in America?
    Ms. Bailey. Absolutely. To what Ms. Moss was speaking 
about, that is where we use things like the Pathways Program, 
which is the internship program. So we can actually hire that 
student out of the university as you suggested. We can hire 
them today. We can get them trained where they can work for us 
over the summers, they can work for us on their spring breaks, 
their winter breaks. Then at the end of that, we can what is 
called convert them today, convert them full-time into the 
position of which we need into that future.
    Mr. Higgins. All right. Well, these are encouraging 
answers.
    I have several other questions. Mr. Chairman, permission to 
submit my answers in writing to the witnesses. I yield back.
    Mr. Ratcliffe. I thank the gentleman.
    Chair now recognizes the gentleman from Rhode Island, Mr. 
Langevin, for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman.
    I want to thank all of our witnesses for your testimony 
here today on a very important topic.
    Ms. Bailey and Ms. Moss, I know that we have touched on the 
topic I want to address on work force, but your testimony 
describes DHS's initiatives to accelerate recruiting and hiring 
for cybersecurity professionals and to retain cyber staff 
through financial incentives. Yet, DHS cannot hire its way out 
of its work force shortages obviously, nor can it hope to 
compete with the private sector on compensation. So what 
investment is DHS making to train its work force and to develop 
cybersecurity skills in-house?
    Ms. Moss. At NPPD, one of the things that we utilize is the 
NICE framework to identify certifications that are critical for 
the success of the cyber mission. So we incentivize our 
employees to get those certifications through retention 
incentives. We currently have a number of employees. I would 
say a majority of our cybersecurity work force that get 
incentives to get certain certifications. So we are very much 
encouraging certification and additional training for our cyber 
work force.
    Ms. Bailey. We then used that, their excellent work that 
they did. We actually rolled this out Department-wide because 
one of the things we want to make sure of is that within the 
cybersecurity community within DHS that we did not have the 
haves and the have-nots. So we took the excellent work that 
NPPD did and we work with our cyber council with the component 
leadership.
    To Ms. Moss' point, we actually have identified all the 
kinds of certifications whether it is specific ones to a cyber 
or it is things like critical thinking, decision making, 
teamwork, those kinds of things because they go hand-in-hand 
with this. So we made sure that outlined everything that we 
expect of our work force, and then we provide that through 
their individual development plans and then through tuition 
assistance and things like that to ensure that they get the 
accreditation that we actually need for them to accomplish 
their mission.
    Mr. Langevin. OK. Thank you. What about investments is DHS 
making into rotational job assignments to develop and retain 
cybersecurity staff?
    Ms. Bailey. I am sorry, sir. Vocational?
    Mr. Langevin. Rotational.
    Ms. Bailey. Oh, rotational?
    Mr. Langevin. Yes.
    Ms. Bailey. Do you know if you are--OK. So for rotational--
we were just conversing here just to see which. Rotational 
assignments, actually, what we just started was a joint duty 
program, which is an excellent way for us to do these 
rotational assignments, to take people even sometimes outside 
of their cybersecurity and introduce them maybe to law 
enforcement or introduce them to intelligence or human 
resources for that matter. Because what we are really trying to 
do is create well-rounded professionals that can perform a 
variety of functions within DHS.
    So we also do have a robust rotational program as well, and 
that includes rotations inside DHS and outside DHS. But we are 
large enough and our components are diverse enough that we can 
really provide folks with a very robust rotational experience 
that gives them I think things that would be needed for their 
career advancement.
    Mr. Langevin. Have you considered expanding those 
experiences to include positions in State government, for 
example? I know that my State of Rhode Island and other States 
around the country are hungry for DHS professionals to come in 
and either them to learn from State experience and what are the 
challenges they are facing and as well as learning from DHS 
staff.
    Ms. Bailey. I will take that back, sir. It is an excellent 
idea. We just kind of got it going, but I tell you, folks are 
extremely excited about this so I would be glad to take that 
back.
    Mr. Langevin. Thank you.
    Go ahead.
    Ms. Moss. I am sorry. I would also add. I am surprised Ms. 
Bailey did not mention this because we have talked about it 
several times. As part of the new cyber personnel system, part 
of that will be project management--I am sorry--project-based 
assignments, so that is going to be a huge part of the new 
cyber personnel system as well as a concept for that program.
    Mr. Langevin. Great. Thank you.
    Ms. Bailey, I know that many of the Members here including 
the Chairman are supporters of the Scholarship For Service 
program run by NSF and OPM and the Department. I have certainly 
been consistently impressed by the caliber of participants and 
alumni in the program that I have met. I must say that the 
annual D.C. job fair, in fact, it is one of my favorite events 
to attend. How has SFS student helped alleviate the cyber work 
force deficit facing the Department?
    Ms. Bailey. I am going to let Rita speak to the specifics 
because NPPD knocks it out of the park when it comes to SFS. It 
is something that go back to whenever I worked even in the 
Department of Defense for something that I have been a huge 
supporter of. So you are absolutely right, this is high-caliber 
folks that we have been able to get in. It is starting to, I 
think, chip away especially at the entry level. We are using 
this quite significantly.
    Ms. Moss. We participated in the virtual job fairs and the 
in-person job fairs and have been able to hire on the spot a 
number of individuals into this program. We do not have the 
long-term results of that yet, but it is very effective in 
terms of getting them in and familiarizing them with our 
mission and DHS.
    Mr. Langevin. Very good. Thank you. I know that when I have 
been to those job fairs as you just pointed out, they are 
offering jobs on the spot we have had some 75 or 80 Government 
departments and agencies there with actual job offers and hired 
pretty quickly. So great opportunity for these young people and 
we are getting return on investment by having them in the 
Government for a period of time, and so part of their payback 
for their Scholarship For Service program.
    So I have other questions, Mr. Chairman, that I will submit 
for the record. But thank you and I will yield back.
    Mr. Ratcliffe. I thank the gentleman.
    I now recognize myself for 5 minutes.
    Mr. Wilshusen, I will start with you. Both the Government 
and the private sector used a NICE framework to chart out work 
roles so that cybersecurity workers as well as the people 
responsible for hiring them can better develop their career 
paths in cybersecurity.
    Your report, the GAO report, points to misalignments 
between what DHS has identified as a skill gap and the 
specialty areas in the NICE framework. For instance, the DHS 
work role entitled development operations is related to 12 
different specialty areas in the NICE framework. So I guess my 
question is, since the overarching goal is matching DHS work 
roles with the NICE framework and not the other way around, 
shouldn't DHS maybe consider changing the categorization of the 
specialty areas to reflect that and to simplify the process?
    Mr. Wilshusen. Well, the specialty areas are actually part 
of the National cybersecurity framework that NICE program and 
NIST have set up and that is one that is in use throughout the 
entire Federal Government.
    What DHS has done is identified I guess the competencies 
and proficiency levels as part of its technical capability gaps 
in its program. There is, you are correct, between those 
competencies a, I guess, a one-to-many relationship. I think 
DHS has come up with a mapping, if you will, from our 
conversion table from their competencies to the work in 
specialty areas of the NICE program.
    The reason why I guess the specialty areas are important in 
categorizing the positions according to that is the fact that 
that is something that provides a common lexicon and something 
that can be used throughout the Federal Government as well as 
throughout the Department. So that was one of the reasons why 
OPM and indeed the law requires agencies to use the specialty 
areas identified in the NICE National cybersecurity framework 
for identifying their cybersecurity positions.
    Mr. Ratcliffe. OK. Thanks for that.
    Ms. Bailey, you said something and I want to make sure that 
the record is clear, because I thought it was maybe 
inconsistent with what I read in this report. So on page No. 8 
of the report it says as of November 2017 the Department had 
not completed identifying all of its cybersecurity positions 
and it had not determined the work categories or specialty 
areas of the positions. That is from the report. Did I hear you 
testify differently?
    Ms. Bailey. We have gone through and we have identified the 
33 different specialty areas and used this crosswalk and mapped 
things to that. So I think in some ways there is a smidge of a 
disagreement here perhaps with how it is being characterized.
    So for us, our positions, they are all coded, but we have 
identified the positions that we are aware of. We have 
identified these positions. I can't even remember the date, but 
we had almost 95 percent of the positions that were filled.
    You correct me if I am wrong, but I think what part of the 
issue here is that we hadn't actually identified our vacant 
positions. We had identified our filled positions. So of our 
filled positions, we had mapped those to the 33 different 
specialty areas, the critical need areas and also then the 40 
different occupations. So I just want to be careful in how I am 
saying this, that of the positions that we coded and we took 
care of, we have mapped all of them against that.
    Mr. Ratcliffe. OK. I want to make sure the record is clear.
    Ms. Bailey. Yes.
    Mr. Ratcliffe. So there is that smidge of a difference 
accurately characterized in your opinion, Mr. Wilshusen?
    Mr. Wilshusen. I would say there is a couple of things, one 
is Ms. Bailey is correct, it is part of the reason why there is 
a difference between what was coded in terms of 95 percent 
versus 79 percent had to do with the vacant positions that were 
not being coded. But at the same time, we are still noting 
throughout the time that the number of cybersecurity positions 
were also supposed to be identified at a certain time by law.
    What we are finding is that these numbers keep increasing. 
For example, back in I think it was--let me just get the exact 
date here. It was back in I would say it was December 2016 they 
had identified about 10,725 cybersecurity positions. More 
recently, we saw a draft report where DHS has identified over 
14,000 cybersecurity positions. So any part of that could be 
the vacancies that are now being recognized but also I think it 
is the Department that is also expanding the identification of 
these cybersecurity positions throughout the Department.
    Mr. Ratcliffe. OK. Thank you.
    Ms. Moss, I want to wrap up and ask you a question. You 
have had a number of questions from other members about cyber 
work force development and how that ties into educational 
effort. So I wanted to get on the record, and if someone asked 
you this specifically, I did not catch it. But I am interested 
to hear how your office works with SECIR, the Stakeholder 
Engagement and Cyber Infrastructure Resilience, office in its 
education and outreach efforts and how or whether those enhance 
the cybersecurity initiatives in your organization.
    Ms. Moss. SECIR is heavily involved in the centers for 
academic excellence, which is the driver for the Scholarship 
For Service program. As I noted before, we are heavily engaged 
in the Scholarship For Service and we do a lot of hirings 
surrounding Scholarship For Service.
    There is one other point. Also with the NICE framework, 
they are involved in the development of the NICE framework, 
identifying the certifications that are important for the cyber 
mission. As I noted, we use those certifications to incentivize 
our folks through incentive pay.
    Mr. Ratcliffe. Terrific. OK.
    Thank you all for being here today. We really appreciate 
your testimony. I thank the Members for being here and for 
their questions. As you have heard, Members of the committee do 
have some additional questions for some of you, so we will ask 
them to submit those and ask you to respond to those in 
writing. Pursuant to the committee Rule VII(D), the hearing 
record will remain open for a period of 10 days and----
    Mr. Correa. Mr. Chair, before you--just a couple of 
comments, if I may.
    Mr. Ratcliffe. You bet.
    Mr. Correa. I just wanted to reiterate my question which is 
how can we help you get there, how can we help you do your job? 
No. 2, hopefully we will have another committee hearing soon to 
follow up on how we can help DHS fulfill their mission. Thank 
you.
    Mr. Ratcliffe. You bet. I think that is a sentiment that 
has been expressed by a number of Members, but I appreciate the 
gentleman's comments. With that, that will conclude our 
hearing. Without objection, the subcommittee stands adjourned.
    [Whereupon, at 3:25 p.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

    Questions From Chairman John Ratcliffe for Gregory C. Wilshusen
    Question 1. Across all GAO's recommendations for action, how would 
you recommend DHS prioritize accomplishing these recommendations given 
the overarching task of addressing critical workforce needs?
    Answer. To address its critical cybersecurity workforce needs, DHS 
should give top priority to accomplishing the six recommendations in 
our February 2018 report on the Department's efforts to identify its 
cybersecurity workforce positions and critical needs.\1\ Further, of 
the six recommendations, I recommend that the Department first 
implement our recommendations to:
---------------------------------------------------------------------------
    \1\ GAO, Cybersecurity Workforce: Urgent Need for DHS to Take 
Actions to Identify Its Position and Critical Skills Requirements, GAO-
18-175 (February 6, 2018).
---------------------------------------------------------------------------
   Collect complete and accurate data from its components on 
        all filled and vacant cybersecurity positions when it conducts 
        its cybersecurity identification and coding efforts, and
   Develop guidance to assist DHS components in identifying 
        their cybersecurity work categories and specialty areas of 
        critical need that align to the National Initiative for 
        Cybersecurity Education Framework.
    Implementing these two recommendations is especially important 
because they are essential to helping DHS identify the critical skills 
and cybersecurity personnel that the Department will need. Earlier this 
month, we sent a letter to Secretary Nielsen highlighting the two 
recommendations as priorities for the Department to address.\2\ Beyond 
these two recommendations, however, DHS should also implement the other 
four recommendations that we made in in the report to bolster its 
cybersecurity workforce assessment efforts.
---------------------------------------------------------------------------
    \2\ Comptroller General of the United States Gene Dodaro, 2018 
Homeland Security Priority Recommendations, letter to the Honorable 
Kirstjen Nielsen, Secretary of Homeland Security (Washington, DC: April 
3, 2018). This letter is not publicly available.
---------------------------------------------------------------------------
    The six recommendations are aligned with the requirements presented 
in the Homeland Security Workforce Assessment Act of 2014, which 
required DHS to identify, categorize, and code its cybersecurity 
positions.\3\ We found that the Department did not complete these 
activities by their statutorily-defined due dates, and efforts to do so 
are still on-going.
---------------------------------------------------------------------------
    \3\ The Homeland Security Cybersecurity Workforce Assessment Act of 
2014 was enacted as part of the Border Patrol Agent Pay Reform Act of 
2014, Pub. L. No. 113-277,  4,128 Stat. 2995, 3008-3010 (Dec. 18, 
2014), 6 U.S.C.  146.
---------------------------------------------------------------------------
    Without sufficiently completing all of these activities, the 
Department will not be positioned to effectively examine its 
cybersecurity workforce, identify skill gaps, and improve workforce 
planning to address its critical workforce needs. DHS concurred with 
each of our recommendations and stated that it plans to complete 
actions to address all six of the recommendations by June 29, 2018.
    Question 2. GAO's report points to the commitment of DHS leadership 
as essential to successfully address the issues and management 
weaknesses identified in its audit. What more can DHS do, at the 
Secretary level, as well as the CHCO level, to ensure that 
implementation of cybersecurity authorities is a Department-wide 
priority?
    Answer. DHS can take several actions to ensure that the 
implementation of cybersecurity authorities is a Department-wide 
priority. Specifically, the Secretary can: (1) Communicate the 
importance of maximizing the use of its existing hiring authorities and 
flexibilities for filling cybersecurity needs; and (2) hold senior 
managers and leaders, such as the Chief Human Capital Officer (CHCO), 
accountable for fulfilling their responsibilities. Identifying the 
individual in each component who is responsible for leading that 
component's efforts in identifying and coding cybersecurity positions 
as we recommended in our February 2018 report is an important step for 
establishing that accountability. By setting the tone at the top, the 
Secretary will underscore the imperative of implementing the 
Department's cybersecurity authorities.
    In addition, consistent with the recommendations in our February 
2018 report, the CHCO can: (1) Ensure that the components report 
accurate and timely information to leadership so that leadership will 
be informed of the extent to which the Department is making progress in 
identifying its cybersecurity positions and critical skills 
requirements; and (2) provide more guidance to components on the 
importance of using the National Initiative for Cybersecurity Education 
Cybersecurity Workforce Framework and how the work roles align to DHS's 
cybersecurity positions. By taking urgent and diligent action now to 
implement the recommendations in our February 2018 report, DHS should 
be better positioned to fulfill the requirements of the Homeland 
Security Workforce Assessment Act of 2014; accurately identify its 
cybersecurity positions and critical needs; and implement its 
cybersecurity authorities.
       Question From Honorable Ron Estes for Gregory C. Wilshusen
    Question. What do continuing hiring issues, like those identified 
by GAO's report, say about the overall maturity of DHS as a cohesive 
agency, 15 years after the Department's formation?
    Answer. DHS's challenges in identifying its cybersecurity workforce 
positions and critical skill requirements indicate that the Department 
has not matured to the point where its human capital management 
functions are fully integrated and cohesive across the Department. As 
we reported in February 2018,\4\ DHS did not completely and reliably 
identify and assign employment codes for cybersecurity positions 
because its processes were manual, undocumented, and resource-
intensive. For example, the Department used manual data calls to 
collect information and understand components' coding efforts. In 
addition, the Department did not have documented processes to collect 
and verify data from its component agencies. Officials in the 
Department's Office of the Chief Human Capital Officer stated that the 
number of cybersecurity workforce personnel frequently changed, they 
could not review workforce data for reliability, as such a review was 
resource-intensive.
---------------------------------------------------------------------------
    \4\ GA0-18-175.
---------------------------------------------------------------------------
    If implemented, the six recommendations that we made to DHS in our 
February 2018 report should help address the concerns we noted with 
regard to the Department's identification of its cybersecurity 
workforce positions and critical skill requirements, and the associated 
management weaknesses. DHS concurred with all of our recommendations 
and stated that it was working to implement them.
 Questions From Chairman John Ratcliffe for the Department of Homeland 
                                Security
    Question 1a. One of the key reforms signed into law in 2014 were 
expedited hiring authorities for mission-critical cybersecurity 
positions that allowed DHS the flexibility to better recruit qualified 
cybersecurity personnel. However, those legislatively-mandated 
authorities have yet to be used to on-board a single cybersecurity 
worker nearly 4 years later.
    When do you anticipate these expedited hiring authorities to be 
used for the first time?
    Answer. DHS leadership and components are pushing to launch the new 
personnel system as quickly as possible, with a goal of hiring the 
first cadre of employees in 2019. In the Border Patrol Agent Pay Reform 
Act of 2014 (Pub. L. No. 113-277), which added a new section (codified 
at 6 United States Code (U.S.C.) Sec. 147) to the Homeland Security Act 
of 2002, Congress granted the Secretary new cybersecurity-focused human 
capital authority. The Secretary's authority allows DHS to create a new 
personnel system with alternative methods for defining jobs, conducting 
hiring, and compensating employees.
    We have taken the time to craft a solution that we believe will 
allow the Department to compete in the competitive market for 
cybersecurity talent, and will solve our cybersecurity recruitment and 
retention challenges for the long term. The Department is grateful to 
Congress for this opportunity, and we are excited about the new 
personnel system. Due to the complex nature of implementing a new 
personnel system in the Federal Government, the Department's 
examination of comparable efforts by other Federal agencies has shown 
that it generally takes several years to complete.
    As the Office of the Chief Human Capital Officer finalizes the 
design and prepares new policies and business processes, the Secretary 
is working to prescribe required regulation, in coordination with the 
Director of the Office of Personnel Management.
    Question 1b. Why has it taken so long for the expedited hiring 
process to be implemented?
    Answer. From a historical perspective, our examination of 
comparable efforts by other Federal agencies has shown that 
implementing a new Federal personnel system is complex, and can often 
take several years. There are a variety of factors that make 
implementing a new personnel system, including new processes for 
hiring, especially challenging.
    First, the talent required to build a new personnel system is 
specialized and rare. DHS had to recruit and contract to build a team 
of expert industrial and organizational psychologists, Federal human 
capital policy experts, certified compensation specialists, economists, 
and employment and regulatory attorneys.
    Second, DHS is working to update some foundational human resources 
concepts dating back to the first half of the 20th Century. Our systems 
for defining or classifying jobs, conducting hiring, and administering 
pay are based on laws from the 1940's. The Federal workforce has 
evolved from being predominantly clerical, and much of the 
cybersecurity workforce DHS requires is highly technical, with valuable 
senior-level expertise.
    In replacing hundreds of pages of human capital regulation and 
policy that took decades to develop, and creating a system that looks 
to the future, DHS has to be methodical, avoiding the re-creation of 
bureaucratic barriers that impede us today. In the conventional civil 
service world (governed by title 5 U.S.C. and title 5 of the Code of 
Federal Regulations), so much is automatic and mechanical. An agency 
hires a person based on a brief assessment against rigid--often 
outdated--standards. A fixed table sets their pay, and pay increases 
are directly linked to time. As such, the payroll system has been 
programmed to automatically execute many pay increases. The 
conventional, tenure-based civil service assumes that someone gets 
better at doing a job after the passage of time, and will be their best 
at the job after 30 years. With cybersecurity and most work today, 
years of experience matter, but they are not the sole determinant of 
whether someone will be successful. To replace tenure as the main 
measurement tool, it is necessary to more thoroughly analyze 
candidates' skills prior to hiring them.
    Third, DHS must take great care to ensure its new approaches to 
hiring and pay setting are fair and consistent. There are Merit System 
Principles to be upheld, and a variety of laws and regulations 
governing employment in the United States that must be taken into 
consideration. For example, the Uniform Guidelines on Employee 
Selection Procedures guide compliance of hiring and selection processes 
with requirements of Federal law prohibiting employment practices that 
discriminate on grounds of race, color, religion, sex, and National 
origin. Similarly, Title VII of the Civil Rights Act of 1964 prohibits 
employment-related discrimination against any individual because of 
race, color, religion, sex, or National origin. Also, the Equal Pay Act 
requires that men and women in the same workplace be given equal pay 
for equal work, which informs pay policies. In implementing new hiring 
and pay processes, DHS must incorporate the requirements of such laws, 
which often requires careful study, testing, and the generation of a 
variety of official documentation.
    Fourth, DHS is trying to learn from the prior human capital 
experiments and failures. Many agencies that received similar authority 
in the past yielded to the inertia of the conventional civil service 
system, and made modest--sometimes cosmetic--changes to their 
approaches to hiring, compensation, etc. They have often seen modest 
results. There are also several examples of more innovative personnel 
systems that, after great investment, were summarily canceled due to 
litigation. DHS is focused on learning from these mistakes of the past 
so as not to repeat them.
    Question 2a. You testified that ``by the end of April 2018, this 
Department will have all of its cyber positions coded under the three-
digit code.'' However, GAO noted that the number of identified cyber 
positions continues to increase over the years as this identification 
process moves along. I am concerned that positions cannot be coded if 
they continue to change or increase.
    How certain are you that all cyber positions across components have 
been identified?
    Answer. Cybersecurity workforce planning and analysis--of which 
position coding is one element--is an on-going activity. For several 
years, DHS has been tracking a core of several thousand positions with 
cybersecurity responsibilities, but as definitions have changed and 
Government-wide awareness of the criticality of cybersecurity has 
increased, the population has fluctuated. In the transition to 3-digit 
position codes, components are closely scrutinizing their workforces 
and refining past analyses. Our new processes will yield accurate and 
current counts, ensure newly-created positions are appropriately coded, 
and monitor the accuracy of aggregate and component-level position data 
over time.
    Question 2b. Will these positions be coded with only 3-digit codes 
or both 3-digit and 2-digit codes?
    Answer. DHS will only use the 3-digit codes from which data about 
2-digit codes can be extrapolated. DHS will code positions using 3-
digit, Work Role codes in accordance with Pub. L. No. 114-113, but will 
continue to collect and report data about the Specialty Areas and 
Categories (2-digit codes) associated with cybersecurity positions 
required by Pub. L. No. 113-246 and Pub. L. No. 113-277 (see response 
to 3b).
    Question 3a. The GAO report states that ``According to OPM 
officials within Employee Services, agencies are not expected to 
continue coding to the 2-digit data standard and, instead, are to adopt 
the 3-digit data standard and complete coding the 3-digit standard by 
April 2018.'' However, in your testimony you said that DHS will 
continue to work on 2-digit codes.
    Is producing both 2-digit and 3-digit codes a duplication of effort 
and efficient use of resources?
    Answer. Starting in 2018, DHS will only be coding positions using 3 
digits, but we will also be monitoring and reporting data by the 2-
digit coding structure, as required by statute (see response to 3b). 
While the Department would welcome Congress' assistance in streamlining 
and simplifying its current set of overlapping cybersecurity workforce 
planning requirements, which result in largely duplicative work and 
multiple oversight reviews, DHS does not expect this 2- versus 3-digit 
code issue itself to be problematic. The National Initiative for 
Cybersecurity Education (NICE) Workforce Framework has a nested 
structure, with Work Roles (3-digit codes) representing the most 
granular level. Coding at the Work Role-level should allow for easy 
analysis of the necessarily aligned, higher-level Specialty Areas and 
Categories of the NICE Framework.
    Question 3b. Why is the 2-digit coding effort continuing?
    Answer. DHS is in the unique position of managing a series of 
cybersecurity workforce planning actions in alignment with three laws: 
The Border Patrol Agent Pay Reform Act of 2014 (Pub. L. No. 113-277); 
the Cybersecurity Workforce Assessment Act (Pub. L. No. 113-246); and 
the Federal Cybersecurity Workforce Assessment Act of 2015 (Pub. L. No. 
114-113).
    While Pub. L. No. 114-113 requires 3-digit coding by the Work Roles 
outlined in the latest version of the NICE Workforce Framework, Pub. L. 
Nos. 113-277 and 113-246 both require on-going reporting organized 
around the NICE Specialty Areas and Categories, which were the basis 
for 2-digit codes.
    DHS will code positions using 3-digit, role-based codes, but will 
continue to collect and report data about the Specialty Areas and 
Categories associated with cybersecurity positions. As mentioned 
earlier, it would be more effective and practical if these requirements 
were streamlined.
    Question 4. GAO reported that DHS components record and track 
vacant positions differently, and DHS responded that because of this 
issue, OCHCO could therefore not issue Department-wide guidance on 
vacant cyber positions. What are the specific changes that your office 
is making to standardize guidance so that all components are working 
from the same playbook?
    Answer. DHS does not have a Department-wide information technology 
solution to track vacant positions, but the Office of the Chief Human 
Capital Officer (OCHCO) identified this issue as a Human Resources 
Information Technology (HRIT) Strategic Improvement Opportunity (SIO). 
In addressing this SIO, OCHCO established a process for components to 
report standardized position data tables for all vacant and filled 
Federal civilian positions.
    DHS released revised cybersecurity position coding guidance on 
March 19, 2018. The guidance includes instructions for components to 
code both vacant and filled cybersecurity positions in the Department's 
National Finance Center (NFC) personnel system, but it also requires 
components to report filled and vacant cybersecurity positions via the 
position data table process. New position coding guidance will ensure 
OCHCO has consistent visibility into each component's coding of vacant 
cybersecurity positions via NFC and the position data table process.
    Question 5a. Describe your interactions with OCHCO in fulfilling 
the requirements of Public Law No. 113-277. How has OCHCO helped NPPD 
in recruiting and retaining the workforce necessary for NPPD to carry 
out its essential cybersecurity mission?
    Question 5b. In what ways do you feel that the interactions between 
OCHCO and NPPD's Office of Human Capital could be improved?
    Answer. OCHCO has shown commitment to NPPD in its effort to recruit 
and retain the workforce necessary to carry out our essential 
cybersecurity mission. Our teams work closely together, across human 
capital and the cybersecurity technical leadership (across the 
Department), this includes the chief human capital officer, the chief 
information officer (CIO), and the component CIOs on three priorities:
    1. Analyze and plan for our complex set of cybersecurity talent 
        needs;
    2. Recruit and retain highly qualified employees with capabilities 
        vital to mission success; and
    3. Innovate by implementing a new 21st Century personnel system to 
        revolutionize cybersecurity talent management.
    Additionally, NPPD CS&C leadership along with the NPPD CHCO are 
active members on the DHS Cyber Workforce Coordination Council. As a 
collaborative team, we are committed to thoroughly understanding our 
workforce requirements and implementing the best possible human capital 
solutions to recruit, retain, and manage the cybersecurity talent our 
mission demands.
    Additionally, OCHCO supports NPPD's use of incentives (e.g., 
retention, recruitment, and student loan repayment) to attract and 
retain talent.
    We've also leveraged authorities that provide flexibilities in our 
hiring, such as the DHS Schedule A cybersecurity hiring authority and 
the Government-wide IT (information security) direct hire authority. We 
maximize these authorities through open and continuous announcements or 
at hiring events. OCHCO has led joint hiring events for the Department 
which has assisted NPPD in filling critical cybersecurity roles across 
the organization. NPPD works closely together with other DHS human 
capital leaders and recruiters across components. NPPD participates in 
the OCHCO-led Corporate Recruiting Council, which oversees the creation 
and monitoring of targeted recruitment plans for specific DHS mission-
critical occupations, including cybersecurity. As part of a long-term 
effort to improve cybersecurity recruiting, the OCHCO staff manages the 
cybersecurity pipeline development and outreach activities focused on 
2- and 4-year academic institutions, including the National Centers of 
Academic Excellence in Cyber Defense and Cyber Operations, National and 
local community organizations, and professional associations. NPPD has 
leveraged these outreach events; in fiscal years 2016--fiscal year 2017 
to date, we've had more than 58 CyberCorps Scholarship for Service 
(SFS) students in our program and anticipate hiring more than 70 
students for fiscal year 2018. We've also had great success in 
leveraging the Pathways Intern Program, the PMF Program, and volunteer 
intern programs.
    NPPD's Office of Human Capital and OCHCO have a very collaborative 
relationship and we are consistently engaged on major DHS initiatives. 
Examples of interactions include our involvement in the development of 
the competencies to support the DHS Cyber Talent Management System 
(CTMS); NPPD subject-matter experts served on panels to develop 
competencies for the cyber workforce alongside other cyber SMEs across 
DHS. Also, CHCO leadership has conducted a 2-day listening tour at 
NPPD, visiting every NPPD subcomponent to be briefed on each of their 
missions and human capital challenges. OCHCO has also leveraged the 
opportunity to meet with NPPD employees, affording them the opportunity 
to have an open dialog.
   Questions From Honorable Ron Estes for the Department of Homeland 
                                Security
    Question 1. What do continuing hiring issues, like those identified 
by GAO's report, say about the overall maturity of DHS as a cohesive 
agency, 15 years after the Department's formation?
    Answer. The Department continues to mature and identify 
opportunities for increased collaboration and coordination among 
components. The Department's recruiting and hiring processes have 
matured significantly since its inception. DHS improved its time-to-
hire in many of our mission-critical occupations. DHS is committed to 
creating a good applicant experience throughout the process from first 
point of contact to the final job offer and even through the employee 
life cycle. Our recent joint hiring events in cyber, veterans, 
students, and women in law enforcement are good examples of the 
Department's cohesive approach to hiring, as are our HRIT project, 
Human Capital Operational Plan (HCOP), Primary Mission Critical 
Occupations (PMCO) charts, Recruitment Outreach and Marketing Matrix 
(ROMM), and Strategic Outreach and Recruitment (SOAR) Plan.
    Question 2. With data continuing to show shortages of specific 
cyber skills and talent gaps in the Department's cybersecurity 
workforce, what hiring improvement strategies, programs, and incentives 
has OCHCO developed to help recruit and retain highly-skilled 
professionals in the Federal workforce?
    Answer. While OCHCO focuses on accelerating the implementation of a 
new cybersecurity-focused personnel system, the office simultaneously 
has looked at ways to improve cybersecurity recruitment and retention 
within the current system.
    OCHCO developed and released over 15 simplified guidance documents 
to help human capital and cybersecurity personnel across the Department 
understand existing human capital tools (such as direct hire authority 
and recruitment incentives), dispel myths, and identify how these human 
capital tools can best support cybersecurity talent. We are also 
working closely with OPM and other DHS component human resources 
directors to ensure human resources specialists across DHS stay on the 
forefront of any new developments and understand the full set of 
recruitment and retention tools at their disposal. This effort includes 
the new DHS H.R. Academy, which is aimed at training human resources 
professionals to improve the human capital support provided to all 
critical missions, including cybersecurity.
    To address the cyber skills and talent gap challenges, OCHCO 
continues to focus its cyber recruitment and hiring efforts in several 
targeted areas. The first is increasing the recruitment of GS 5-9 
employees. Attracting young professionals requires a targeted 
engagement and outreach program with post-secondary academic 
institutions as well as K-12. In fiscal years 2017 and 2018, OCHCO 
engaged with more than 1,300 students from 122 academic institutions, 
which includes 40 Centers of Academic Excellence. Additionally, OCHCO 
operates the Corporate Recruiting Council, which ensures cross-
component coordination of recruitment activities and strategy 
development for mission-critical occupations, including cybersecurity. 
OCHCO also leads an outreach program focused on academic institutions 
and associations, including the National Centers of Academic Excellence 
in Cyber Defense and Cyber Operations. To improve the pipeline for 
talent, OCHCO is focused on providing greater internship offerings 
across DHS, including opportunities associated with the CyberCorps: 
Scholarship for Service.
    The Department plans to continue engagement with industry partners 
in 2018 to meet our human capital needs. The proposed plans include:
   Partnering with the Department of Defense to pilot their 
        cybersecurity skills training program at DHS; and
   Engaging with industry stakeholders and science, technology, 
        engineering, and math organizations to develop a comprehensive 
        cyber pipeline curriculum for post-secondary and K-12 schools.
    With regard to retention, OCHCO collaborated with the Office of the 
Chief Information Officer and other components to develop the 
Department's Cybersecurity Retention Incentive Plan, which helps 
components financially recognize significant training and certification 
accomplishments of cybersecurity employees. In addition, OCHCO assists 
components in their understanding of retention tools, such as tuition 
assistance, and is exploring strategies for encouraging their increased 
use across the Department.
    Question 3a. I want to ensure that DHS has the proper workforce to 
carry out its cybersecurity mission. What is NPPD's biggest 
cybersecurity skill gap or critical need?
    Question 3b. Would you say that NPPD has the adequate resources, 
manpower in particular, to function at the peak of its capability on a 
day-to-day basis?
    Answer. The National Protection and Programs Directorate (NPPD) 
continues to evaluate the needs and requirements of its workforce, 
particularly in the face of new and emerging threats. We have reviewed 
every position in our workforce, aligning and coding all cybersecurity 
positions alongside the National Initiative for Cybersecurity Education 
(NICE) Cybersecurity Workforce Framework. Based on the NICE work roles, 
NPPD's greatest cyber skill gap/need includes:
   Cyber Defense Analyst;
   Cyber Forensics Analyst;
   Cyber Incident Responder; and
   Cyber Operator.
    NPPD, like other Federal and private-sector organizations, strives 
to recruit and retain qualified cybersecurity personnel. To that end, 
NPPD continues to face challenges in quickly hiring qualified employees 
to join its cybersecurity workforce. Potential hires must go through a 
lengthy clearance and internal suitability process, which delays on-
boarding qualified individuals. Coupled with attrition due to the pay 
and fringe benefits for cybersecurity positions in the private sector, 
the result is significant competition for high-performing and qualified 
employees. NPPD continues to assess its resources, particularly in line 
with the authorities it has been granted to execute across the various 
cybersecurity mission areas.

                                 [all]