[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
FINDING 500,000: ADDRESSING AMERICA'S CYBER WORKFORCE GAP
=======================================================================
HEARING
before the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
SECOND SESSION
__________
JUNE 26, 2024
__________
Serial No. 118-71
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
59-423 PDF WASHINGTON : 2025
COMMITTEE ON HOMELAND SECURITY
Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Carlos A. Gimenez, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Marjorie Taylor Greene, Georgia
Tony Gonzales, Texas
Nick LaLota, New York
Mike Ezell, Mississippi
Anthony D'Esposito, New York
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Dale W. Strong, Alabama
Josh Brecheen, Oklahoma
Elijah Crane, Arizona

Bennie G. Thompson, Mississippi, Ranking Member
Sheila Jackson Lee, Texas
Eric Swalwell, California
J. Luis Correa, California
Troy A. Carter, Louisiana
Shri Thanedar, Michigan
Seth Magaziner, Rhode Island
Glenn Ivey, Maryland
Daniel S. Goldman, New York
Robert Garcia, California
Delia C. Ramirez, Illinois
Robert Menendez, New Jersey
Thomas R. Suozzi, New York
Timothy M. Kennedy, New York
Yvette D. Clarke, New York

Stephen Siao, Staff Director
Hope Goins, Minority Staff Director
Sean Corcoran, Chief Clerk
C O N T E N T S
----------
Statements
Honorable Andrew R. Garbarino, a Representative in Congress From the State of New York
Honorable Mark E. Green, a Representative in Congress From the State of Tennessee, and Chairman, Committee on Homeland Security:
  Prepared Statement
Honorable Delia C. Ramirez, a Representative in Congress From the State of Illinois
Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
  Prepared Statement
Witnesses
Mr. Eric Hysen, Chief Information Officer, U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement
Ms. Leslie A. Beavers, Principal Deputy Chief Information Officer, U.S. Department of Defense:
  Oral Statement
  Prepared Statement
Mr. Rodney Petersen, Director, National Initiative for Cybersecurity Education, National Institute of Standards and Technology, U.S. Department of Commerce:
  Oral Statement
  Prepared Statement
Mr. Seeyew Mo, Assistant National Cyber Director, Cyber Workforce, Training, and Education, Office of the National Cyber Director:
  Oral Statement
  Prepared Statement
For the Record
Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
  Statement of the International Federation of Professional and Technical Engineers (IFPTE)
Appendix I
Questions From Chairman Mark E. Green, MD for Eric Hysen
Questions From Chairman Mark E. Green, MD for Leslie Beavers
Questions From Chairman Mark E. Green, MD for Rodney Petersen
Questions From Chairman Mark E. Green, MD for Seeyew Mo
Appendix II
Letter From the Society for Human Resource Management (SHRM)
Letter From the Western Governors' Association
FINDING 500,000: ADDRESSING AMERICA'S CYBER WORKFORCE GAP
----------
Wednesday, June 26, 2024
U.S. House of Representatives,
Committee on Homeland Security,
Washington, DC.
The committee met, pursuant to notice, at 10:03 a.m., in
room 310, Cannon House Office Building, Hon. Mark E. Green
(Chairman of the committee) presiding.
Present: Representatives Green, Higgins, Pfluger,
Garbarino, LaLota, Ezell, D'Esposito, Strong, Thompson, Carter,
Thanedar, Magaziner, Ivey, Ramirez, Suozzi, and Kennedy.
Mr. Garbarino [presiding]. The committee will come to
order.
Without objection, the Chair may declare a recess at any
time.
This hearing is to examine the challenges Federal agencies
face in recruiting, developing, and retaining a skilled cyber
work force that is prepared to secure, defend the homeland
against rapidly-evolving cyber threats. Specifically, this
hearing will identify strategies and solutions to bolster and
expand a capable cyber work force, including by examining the
effectiveness of on-going Federal efforts.
Unfortunately, Chairman Green is unable to join us today
due to a death in the family, so I'll be presiding over this
hearing in his place.
I now recognize myself to read Chairman Green's opening
statement on his behalf.
Experts predict that by the end of 2024, a cyber attack
will strike every 13 seconds. That's 6,822 attacks a day, or
about 2 million by the end of the year. It's easy to believe
those predictions by looking at where we are today. Whether
it's Chinese-backed Volt Typhoon infiltrating our critical
infrastructure or major ransomware attacks, such as Change
Healthcare--the Change Healthcare breach, today's complex and
growing cyber threat landscape has brought America to an
inflection point.
To stay ahead of our adversaries, we must improve our cyber
defenses. Throughout our history, America's best defense during
any conflict has been its people. Our fortitude, work ethic,
and dedication make us resilient in face of any threat.
Therefore, increasing competition in cyber space is not and
cannot be different. The challenge is too big for the public
and private sectors to address alone, and our cyber
professionals must be equipped with the right tools and skills
and offer the right incentives to succeed.
It is alarming, then, that our Nation is suffering from
such a major cyber work force gap. We currently need at least
500,000 cyber professionals if we hope to protect and defend
our way of life. Now that's not just any 500,000 people. We
need 500,000 skilled, talented cyber workers dedicated to
contending with the threats of today while preparing for the
threats of tomorrow.
During World War I, walls were papered with the iconic
poster of Uncle Sam pointing his finger at every passerby,
declaring, I want you. It was a call to action that was born
out of a time of national crisis, and it was a call that
Americans answered.
We find ourselves in a similar moment today. Our Nation
needs a capable cyber work force to defend the digital
infrastructure we depend on daily. We need Americans in
critical areas like cloud computing, artificial intelligence,
machine learning, and zero trust. We need students with fresh
skills and bright ideas. We need tenured professionals with
deep-seated expertise. We need mid-career individuals who are
inspired to enter the cyber field and have the zeal to learn
new skills. We need Americans to fill entry-level positions
that shouldn't require a 4-year degree.
America's need for cyber talent is the greatest within the
Federal Government. Agencies are facing some of the toughest
threats in recent history, each with mounting sophistication
and frequency. While agencies work to protect themselves from
threats such as malicious insiders, supply chain exploitation,
and commercial spyware, they're also protecting, mitigating,
and defending against these threats for State and local
organizations, small businesses, and civilians. This is a large
mandate for such small ranks.
So why are we having trouble bringing talented cyber work
force into public service? Defending our networks requires us
to examine this question closely. There are a few key issues at
play that I hope our witnesses will discuss further today.
While cybersecurity positions are coveted and pay above-
average levels in many cases, Federal cybersecurity pay is just
not high enough to compete with similar private-sector
positions and attract the right talent. Additionally, Federal
agencies ex--Federal agencies experience an acute skills gap
because agencies have historically valued 4-year degrees over
practical experience.
This has unnecessarily narrowed the pool of prospective
hires to those who may not have on-the-paper knowledge but not
the requisite competencies. Federal hiring practices compound
the issue, often resulting in a bureaucratic burdensome process
that misaligns what agencies say they need with what they
actually need.
Finally, while career pathways into Federal cyber jobs are
improving, this simply isn't happening fast enough. The
pathways are few and notoriously slow. While much more is
needed to be done, both sides of the aisle have recognized that
a robust and prepared cyber work force is at the core of
protecting our cyber--our cybersecurity interests.
In 2017, President Trump issued an Executive Order on
Strengthening the Cybersecurity of Federal Networks and
Critical Infrastructure, which addressed the growth and
sustainment of a skilled cyber work force.
In July 2023, the White House released the National Cyber
Workforce Education Strategy, which outlines a road map to
expand the national cyber work force, including bolstering
access to cyber education and training.
Federal agencies have also taken this challenge upon
themselves. For example, NSA's National Centers of Academic
Excellence in Cyber Security collaborates with academia to
encourage cyber competency development among students and
actively engage in solutions to cyber work force challenges.
This program has become the gold standard in cybersecurity
education, which is why I think it is important we codify it
into law. While my NDAA amendment was not included this year to
do just that, I am now exploring other pathways.
As an Army veteran--that's Mr. Green, not me--I believe an
ROTC-like program would be an effective and rewarding way to
build a prepared cyber work force across the Federal
Government. Although we have programs that fall under this
category today, such as Cyber Corps Scholarship for Service
Program, we must maximize and scale these efforts, improve
retention, and potentially establish other ROTC-like programs
quickly to fill a specific skills gap and critical positions.
As Chairman of the Committee on Homeland Security, I know
that protecting the cyber border is just as important as our
efforts to secure our physical border. This is why accelerating
the United States' efforts to address the cyber work force gap
has been my top priority this year, so much so that I will soon
be introducing legislation to grow our cyber work force and
sustain a steady pipeline each year.
I want to thank our witnesses for being here to help us
understand the challenges you have experienced, initiatives you
have undertaken, and opportunities you see to strengthen our
cyber work force. Your agencies have played a leading role in
promoting cyber work force efforts, so I have no doubt that
your unique perspectives will help us chart the path to
cultivate a cyber work force that is prepared to protect and
defend our Nation from increasingly complex threats in cyber
space.
[The statement of Chairman Green follows:]
Statement of Chairman Mark E. Green, MD
June 26, 2024
Experts predict that by the end of 2024, a cyber attack will strike
every 13 seconds. That's 6,822 attacks a day, or about 2 million by the
end of the year.
It's easy to believe those predictions by looking at where we are
today. Whether it is Chinese-backed Volt Typhoon infiltrating our
critical infrastructure, or major ransomware attacks such as the Change
Healthcare breach, today's complex and growing cyber threat landscape
has brought America to an inflection point. To stay ahead of our
adversaries, we must improve our cyber defenses.
Throughout our history, America's best defense during any conflict
has been its people. Our fortitude, work ethic, and dedication make us
resilient in the face of any threat. Therefore, increasing competition
in cyber space is not--and cannot--be any different. The challenge is
too big for the public and private sectors to address alone, and our
cyber professionals must be equipped with the right tools and skills,
and offered the right incentives, to succeed.
It is alarming, then, that our Nation is suffering from such a
massive cyber work force gap. We currently need at least 500,000 cyber
professionals if we hope to protect and defend our way of life. Now,
that's not just any 500,000 people--we need 500,000 skilled, talented
cyber workers dedicated to contending with the threats of today while
preparing for the threats of tomorrow.
During World War I, walls were papered with the iconic poster of
Uncle Sam, pointing his finger at every passerby declaring ``I WANT
YOU.'' It was a call to action that was born out of a time of national
crisis. And it was a call that Americans answered.
We find ourselves in a similar moment today. Our Nation needs a
capable cyber work force to defend the digital infrastructure we depend
upon daily. We need Americans in critical areas like cloud computing,
artificial intelligence/machine learning (AI/ML), and Zero Trust. We
need students with fresh skills and bright ideas. We need tenured
professionals with deep-seated expertise. We need mid-career
individuals who are inspired to enter the cyber field and have the zeal
to learn new skills. And we need Americans to fill entry-level
positions that shouldn't require a 4-year degree.
America's need for cyber talent is greatest within the Federal
Government. Agencies are facing some of the toughest threats in recent
history, each with mounting sophistication and frequency. While
agencies work to protect themselves from threats such as malicious
insiders, supply chain exploitation, and commercial spyware, they are
also protecting, mitigating, and defending against these threats for
State and local organizations, small businesses, and civilians.
This is a large mandate for such small ranks.
So why are we having trouble bringing talented cyber workers into
public service? Defending our networks requires us to examine this
question closely.
There are a few key issues at play that I hope our witnesses will
discuss further today. While cybersecurity positions are coveted and
pay above average levels in many cases, Federal cybersecurity pay is
just not high enough to compete with similar private-sector positions
and attract the right talent.
Additionally, Federal agencies experience an acute skills gap
because agencies have historically valued 4-year degrees over practical
experience. This has unnecessarily narrowed the pool of prospective
hires to those who may have the on-paper knowledge, but not the
requisite competencies. Federal hiring practices compound the issue,
often resulting in a bureaucratic, burdensome process that misaligns
what agencies say they need with what they actually need.
Finally, while career pathways into Federal cyber jobs are
improving, this simply isn't happening fast enough. The pathways are
few and notoriously slow.
While much more needs to be done, both sides of the aisle have
recognized that a robust and prepared cyber work force is at the core
of protecting our security interests.
In 2017, President Trump issued an ``Executive Order on
Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure,'' which addressed the growth and sustainment of a
skilled cyber work force. In July 2023, the White House released the
National Cyber Workforce and Education Strategy (NCWES) which outlines
a road map to expand the national cyber work force, including
bolstering access to cyber education and training.
Federal agencies have also taken this challenge upon themselves.
For example, NSA's National Centers of Academic Excellence in
Cybersecurity (NCAE-C) collaborates with academia to encourage cyber
competency development among students and actively engage in solutions
to cyber work force challenges. This program has become the gold
standard in cybersecurity education, which is why I think it is
important we codify it in law. While my NDAA amendment was not included
this year to do just that, I am now exploring other pathways.
As an Army veteran, I believe an ROTC-like program would be an
effective and rewarding way to build a prepared cyber work force across
the Federal Government. Although we have programs that fall under this
category today--such as the CyberCorps Scholarship for Service
program--we must maximize and scale these efforts, improve retention,
and potentially establish other ROTC-like programs quickly to fill
specific skills gaps and critical positions.
As Chairman of the Committee on Homeland Security, I know that
protecting the cyber border is just as important as our efforts to
secure our physical border. That is why accelerating the United
States's efforts to address the cyber work force gap has been my top
priority this year--so much so that I will soon be introducing
legislation to grow our cyber work force and sustain a steady pipeline
each year.
I want to thank our witnesses for being here to help us understand
the challenges you have experienced, initiatives you have undertaken,
and opportunities you see to strengthen our cyber work force. Your
agencies have played a leading role in promoting cyber work force
efforts, so I have no doubt that your unique perspectives will help us
chart the path to cultivate a cyber work force that is prepared to
protect and defend our Nation from increasingly complex threats in
cyber space.
Mr. Garbarino. I now recognize the Ranking Member, Mrs.
Ramirez, from----
Mrs. Ramirez. Illinois.
Mr. Garbarino [continuing]. Illinois for her opening
statement.
Mrs. Ramirez. Thank you, Chairman Garbarino.
Good morning. Before I begin, I want to extend my
condolences to Chairman Green and his family as they mourn the
passing of his mother-in-law.
Turning to today's topic, I would like to thank the
Chairman for holding this hearing on addressing our Nation's
cyber work force shortage. As we see, increased cyber threats
from adverse nation-states and criminal gangs, they continue
investing and develop--we continue to invest and developing our
cybersecurity talent pool, and it'll be essential in defending
the Federal Government and its critical infrastructure.
This committee has prioritized addressing the cyber work
force challenges for years, and it's passed important
legislation to ensure that DHS and CISA continue to support
cyber work force development.
Last Congress, for example, the committee secured the
enactment of Representative Swalwell's Industrial Controlled
Systems Cybersecurity Training legislation. Earlier this
Congress, the committee passed Representative Jackson Lee's
legislation authorizing CISA's effort to provide cybersecurity
training to DHS employees.
I really hope that we can work together to secure passage
of Representative Jackson Lee's important bill by the full
House this Congress.
While these legislative efforts have been helpful, we also
know that there's still a lot of work to be done. Fortunately,
the Biden administration has released a comprehensive cyber
work force and education strategy that sets a road map for how
the Executive branch and Congress can better support work force
development efforts.
Considering the wide range of Federal agencies, State, and
local governments, and private entities involved in
cybersecurity work force training and education, this is the
kind of leadership from the White House that is critical to
ensuring that we have a coordinated and we have a whole-of-
Government and whole-of-Nation effort.
I'm glad to see the administration's new report on the work
force strategy implementation, and I do look forward to hearing
more today about how the implementation is going and how
Congress can support this very critical effort.
In particular, I support the administration's commitment to
skill-based hiring and efforts like DHS's Cyber Internship
Program. I look forward to working with DHS and many of my
colleagues here to authorize the Cyber Internship Program
available to individuals from high school through grad school
so that we ensure the Department continues to develop its next
generation of cyber talent.
I appreciate if the Federal Government has some unique
challenges in recruiting and retaining top cyber talent. When
the Federal Government must compete with the private sector
that we know offers higher pay and more flexible hiring, we
know the Federal Government risks losing skilled cybersecurity
practitioners.
So I look forward to hearing from the Department of Defense
and Homeland Security today on how we can address this
challenge. I also hope to hear what authorities Congress can
provide to ensure the Federal department agencies responsible
for leading our cyber defense have the talent necessary to keep
our Nation secure.
As we consider efforts to address our cyber work force gap
going forward, there are some key points that I want to make
sure that we're keeping in mind.
First, one key advantage we have over our adversaries, let
me say, is our diverse population. To fill cyber work force
positions we have to focus on outreach to women, to people of
color, to rural populations, and others who are not adequately
represented currently in the cyber work force. We can't simply
address cyber work force shortage without including everyone
and doing so with an intentional effort on the part of the
Government and the private sector.
That is why Ranking Member Thompson authored legislation to
establish a DHS Intelligence and Cybersecurity Diversity
Fellowship Program, and I'm glad to see diverse young people
who've already participated in the program. We must continue to
build and expand on similar efforts to bring more people from
all walks of life into the Federal Government's cyber work
force.
Additionally, we have seen rapid technological advances in
recent years with the growth of artificial intelligence,
showing how the skills necessary for cybersecurity are
constantly, constantly evolving.
We must ensure that our cybersecurity training efforts
reflect the latest skills and that our cybersecurity work force
continues to receive adequate training throughout their
careers.
AI will not solve our cyber work force shortage, but it
will change how cyber defenders do their jobs. So education and
training programs have to reflect that reality.
Keeping these considerations in mind, I hope that our
committee can work together in a bipartisan way to expand and
to strengthen our cyber talent pool. Our witnesses' expertise
will help inform our efforts, and I look forward to your
testimony.
Before I close, however, I do want to extend the
committee's well wishes to Congresswoman Jackson Lee as she
battles pancreatic cancer. As a long-standing Member of the
Cybersecurity and Infrastructure Protection Subcommittee,
Congresswoman Jackson Lee has been a leading advocate for
strengthening our Nation's cyber work force. I look forward to
her continued advocacy on this important issue.
Ranking--Chairman, I yield back.
Mr. Garbarino. Thank you, Mrs. Ramirez.
I share your thoughts and our prayers with Ms. Jackson Lee.
She is a great Member of the subcommittee that I chair. Always
has great questions and very thoughtful ones and sometimes ones
I wish I came up with myself. So we all wish her a speedy
recovery.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
June 26, 2024
As we see increased cyber threats from adversary nation-states and
criminal gangs, continued investment in developing our cybersecurity
talent pool will be essential to defending the Federal Government and
critical infrastructure.
This committee has prioritized addressing the cyber work force
challenge for years and has passed important legislation to ensure that
DHS and CISA continue to support cyber work force development. Last
Congress, for example, the committee secured the enactment of
Representative Swalwell's industrial control systems cybersecurity
training legislation. Earlier this Congress, the committee passed
Representative Jackson Lee's legislation authorizing CISA's efforts to
provide cybersecurity training to DHS employees. I hope we can work
together to secure passage of Representative Jackson Lee's important
bill by the full House this Congress.
While these legislative efforts have been helpful, we know that
more must be done. Fortunately, the Biden administration has released a
comprehensive cyber work force and education strategy that sets a road
map for how the Executive branch and Congress can better support work
force development efforts. Considering the wide range of Federal
agencies, State and local governments, and private entities involved in
cyber work force training and education, this kind of leadership from
the White House is critical to ensuring we have a coordinated, whole-
of-Government, and whole-of-Nation effort.
I am glad to see the administration's new report on the work force
strategy's implementation and look forward to hearing more today about
how implementation is going and how Congress can support this critical
effort. In particular, I support the administration's commitment to
skills-based hiring and efforts like DHS's cyber internship program.
I look forward to working with DHS and my colleagues to authorize
the cyber internship program--available to individuals from high school
through grad school--to ensure the Department continues to develop the
next generation of cyber talent. I appreciate that the Federal
Government has some unique challenges in recruiting and retaining top
cyber talent. When the Federal Government must compete with a private
sector that offers higher pay and more flexible hiring, we know the
Federal Government risks losing out on skilled cybersecurity
practitioners.
I look forward to hearing from the Departments of Defense and
Homeland Security today on how they are addressing this challenge. I
also hope to hear about what authorities Congress can provide to ensure
the Federal departments and agencies responsible for leading our cyber
defense have the talent necessary to keep our Nation secure.
As we consider efforts to address our cyber work force gap going
forward, there are some key points that we must keep in mind. First,
one key advantage we have over our adversaries is our diverse
population. To fill cyber work force positions, we must focus on
outreach to women, people of color, rural populations, and others who
are not adequately represented in our current cyber work force. We
simply cannot address the cyber work force shortage without including
everyone, and doing so requires an intentional effort on the part of
the Government and the private sector.
That is why I authored legislation to establish the DHS
Intelligence and Cybersecurity Diversity Fellowship Program, and I am
proud of the diverse young people who have participated. We must
continue to build and expand on similar efforts to bring more people
from all walks of life into the Federal Government's cyber work force.
Additionally, we have seen rapid technological advances in recent
years with the growth of artificial intelligence, showing how the
skills necessary for cybersecurity are constantly evolving. We must
ensure that our cybersecurity training efforts reflect the latest
skills and that our cybersecurity work force continues to receive
adequate training throughout their careers. AI will not solve our cyber
work force shortage, but it will change how cyber defenders do their
jobs, so education and training programs must reflect that reality.
Keeping these considerations in mind, I hope that our committee can
work together in a bipartisan way to expand and strengthen our cyber
talent pool. Our witnesses' expertise will help inform our efforts, and
I look forward to their testimony.
Mr. Garbarino. I'm pleased to have our distinguished
witnesses before us today. I ask that our witnesses please rise
and raise their right hands.
[Witnesses sworn.]
Mr. Garbarino. Let the record reflect that the witnesses
have answered in the affirmative.
Thank you. Please be seated.
I would now like to formally introduce our witnesses.
Eric Hysen serves as the chief information officer at the
Department of Homeland Security. As CIO, Mr. Hysen is
responsible for strategically aligning the Department's
information technology personnel resources and assets,
including security, infrastructure, and delivery, to support
core DHS missions and activities.
In September 2023, Mr. Hysen was named as the Department of
Homeland Security's first chief artificial intelligence
officer. He previously was a senior fellow at the National
Conference on Citizenship where he led projects to use
technology, data, and design to address pressing public policy
challenges.
He also worked in State government, helping to launch the
California Office of Digital Innovation and Philanthropy,
supporting nonprofits working to advance immigration and
criminal justice reform.
Mr. Hysen graduated with honors in computer science from
Harvard University, has published research in crowd sourcing
and workflow design.
Ms. Leslie Beavers is a career member of the Senior
Executive Service and the DOD's principal deputy CIO. In this
capacity, she assists the CIO in advising the Secretary of
Defense on information management, information technology, and
information assurance, as well as nonintelligence space
systems; critical satellite communications, navigation, and
timing programs; spectrum and telecommunications matters. Ms.
Beavers also leads engagements with the defense agencies and
field activity CIOs and drives strategic resource planning
across the IT and cybersecurity domains.
Prior to joining the CIO, Ms. Beavers served as the
director of Intelligence Surveillance and Reconnaissance
Enterprise Capabilities. In this capacity, she led OUSD's
Defense Intelligence Digital Transformation Campaign Plan,
known as Project Herald.
Additionally, Ms. Beaver has over--Ms. Beavers has over 15
years experience in the private sector, working in the film,
TV, health care, and oil and gas industries. She holds a
bachelor's degree in political science from the U.S. Air Force
Academy and an MBA in finance with honors from South
University.
Mr. Rodney Petersen is the director of the National
Initiative for Cybersecurity Education, advancing cybersecurity
education and work force development at the National Institute
of Standards and Technology in the United States. He previously
served as the managing director of the EDUCAUSE Washington
office and is a senior government relations officer. He founded
and directed the EDUCAUSE Cybersecurity Program and was the
lead for the Higher Education Information Security Council.
He also worked at the University of Maryland as the
director of IT Policy and Planning in the office of the vice
president and chief information officer. He also held the role
of campus compliance officer in the office of the president.
He received his law degree from Wake Forest University and
bachelor's degrees in political science and business
administration from Alma College. He was awarded certificate as
an Advance Graduate Specialist in Education Policy, Planning,
and Administration from the University of Maryland.
Mr. Seeyew Mo serves as the assistant national cyber
director of Cyber Workforce, Training, and Education at the
Office of National Cyber Director. In his role, Mr. Mo leads
and coordinates the implementation of the White House's
National Cyber Workforce and Education Strategy. He believes in
taking a holistic view--doctrine, people, and technology--to
make advancements in cyber work force and digital safety
awareness.
Mr. Mo is an expert in the intersection of cybersecurity,
technology, and national security with 18 years of experience
spanning tech development, policy making, and political
campaigning.
I thank the witnesses for being here today.
I now recognize Mr. Hysen for 5 minutes to summarize his
opening statement.
STATEMENT OF ERIC HYSEN, CHIEF INFORMATION OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Hysen. Chairman Garbarino, Congresswoman Ramirez, and
distinguished Members of the committee, thank you for the
opportunity to testify today.
Every day over 8,000 cybersecurity professionals across the
Department of Homeland Security put their skills to use
defending our Nation. CISA threat hunters search proactively
through networks to identify and stop suspicious activities.
Secret Service agents investigate complex cyber-enabled
financial crimes. Teams from Homeland Security Investigations
catch perpetrators of child sexual exploitation through
cutting-edge digital forensics techniques. Our IT specialists
across the Department work to secure our own networks, systems,
and data and stay ahead of our adversaries.
Our cybersecurity professionals are deeply talented and
dedicated to serving their country, but they are too few. The
Department has nearly 2,000 vacancies for cybersecurity
positions and struggles like every Government agency to recruit
and retain talent in an incredibly competitive field.
I have dedicated much of my career to this challenge. After
working as a software engineer in Silicon Valley, I left the
private sector to cofound the United States Digital Service,
which has now recruited hundreds of technologists for
Government tours of duty.
There, I saw how recruiting and retaining tech talent in
Government requires a comprehensive approach: actively
recruiting out to communities, particularly those
underrepresented in our field, to build awareness of public
service pathways, leveraging flexible compensation and hiring
authorities, streamlining our hiring and on-boarding processes,
and building a culture that fosters innovation and
collaboration.
Today I will highlight how we are working through each of
those things in support of our own work force.
In November 2021, DHS launched the Cybersecurity Talent
Management System, or CTMS, a transformational effort that
offers hiring processes, compensation systems, and career
progression that are far closer to what I was used to seeing in
Silicon Valley than to traditional Federal HR.
Since its launch, we have received nearly 25,000
applications, issued over 345 offers, and currently have 189
employees at all levels working in my office, CISA, and FEMA.
While CTMS is delivering significant results, its rollout
was not without challenges. It took us too long from receiving
the authority to launch the program and begin hiring under it,
and our initial rate of hires has been slower than expected. We
are learning from these efforts and continuously improving CTMS
to position the Department for long-term success.
In addition, we've established a variety of internship and
fellowship programs to create pathways for students and early
career professionals, including the Secretary's Honors Program,
Cybersecurity Internship Program, and Intelligence and
Cybersecurity Diversity Fellowship. These programs have
welcomed hundreds of participants to date and are building the
future of our cyber work force.
We are also building innovative programs to attract talent
in critical cybersecurity-enabling fields, such as AI and
emerging technologies.
For example, this February, we launched the DHS AI Corps,
an effort to hire 50 experts to support the use of AI across
the Department. We've seen incredible interest so far and are
well on our way toward this hiring goal with new AI Corps
members coming from top technology companies and from across
Government and civil society.
Finally, training and development of our existing work
force is also vital. We are building a DHS IT Academy to create
standard technical orientations for all new employees, develop
a rigorous training and rotation program for entry-level hires,
and offer upskilling opportunities for employees to learn new
and emerging skills.
These programs are just some of the tools we are using
across DHS to strengthen our cybersecurity work force. There is
no single initiative or policy to address all work force
challenges, and every organization that relies on this talent
across the public and private sectors is similarly looking at a
combination of efforts.
I look forward to our continued partnership with Congress
to enable us to attract and retain talent in this incredibly
competitive market.
Thank you for the opportunity to testify today. I look
forward to your questions.
[The prepared statement of Mr. Hysen follows:]
Prepared Statement of Eric Hysen
June 26, 2024
Chairman Green, Ranking Member Thompson, and distinguished Members
of the committee: thank you for the opportunity to testify at today's
hearing, ``Finding 500,000: Addressing America's Cyber Workforce Gap,''
a critical issue impacting our national security.
Every day, over 8,000 cybersecurity professionals across the
Department of Homeland Security (DHS or the Department) put their
skills to use defending our Nation from all manner of threats and
vulnerabilities. Threat hunters at the Cybersecurity and Infrastructure
Security Agency (CISA) search proactively through Federal and partner
networks to identify and stop suspicious activities. U.S. Secret
Service Special Agents investigate complex, cyber-enabled financial
crimes and combat the illicit use of digital assets. Teams from
Homeland Security Investigations identify victims and catch
perpetrators of child sexual exploitation and abuse by employing
cutting-edge digital forensics techniques. And, Information Technology
Specialists across DHS and its operational components work to stay
ahead of our adversaries and secure the Department's own networks,
systems, and data.
Our cybersecurity professionals are deeply talented and dedicated
to serving their country, but they are too few. The Department has
nearly 2,000 vacancies for cybersecurity positions and struggles, like
every Government agency, to recruit and retain talent in an incredibly
competitive field. As technology and our adversaries are constantly
evolving, particularly with rapid advances in artificial intelligence
(AI) and other emerging technologies, we must ensure our work force
continuously builds new skills to maintain its competitive edge.
I have first-hand experience when it comes to attracting private-
sector workers to careers in public service. After working in Silicon
Valley as a software engineer and project manager, I left the private
sector to co-found the United States Digital Service (USDS), which has
now recruited hundreds of technologists for government ``tours of
duty'' and will celebrate its tenth birthday later this year. At USDS,
I saw how recruiting and retaining tech talent in Government requires a
comprehensive approach: actively reaching out to communities to build
awareness of public service pathways; leveraging flexible compensation
and hiring authorities; streamlining hiring and on-boarding processes;
and building a culture that fosters innovation and collaboration. I am
honored to bring this perspective as the DHS chief information officer
(CIO) and its first chief artificial intelligence officer (CAIO).
We have successfully used many of the authorities passed into law
under this committee's leadership to strengthen our efforts. Today, I
will highlight some of the programs and initiatives specifically
designed to address our cybersecurity work force challenges at DHS by
bringing more people with diverse backgrounds and experiences into
Government service and by strengthening development opportunities to
build skills across existing personnel.
The Department's Cybersecurity Service
Armed with authority passed into law with the strong support of
this committee, the Department, through the Office of the Chief Human
Capital Officer (OCHCO), launched one of its most innovative and
successful tools for attracting cybersecurity talent in November 2021--
the Cybersecurity Talent Management System (CTMS). CTMS authority
offers flexibilities to proactively identify, source, and recruit
individuals, even if they are not active job seekers, to create ready-
made pools of pre-qualified, selectable talent when needs arise. We now
maintain a talent pool of over 1,000 pre-assessed applicants. CTMS
offers flexible, capability-focused career paths based upon the NICE
Workforce Framework for Cybersecurity that promote career longevity,
reducing costs associated with on-going attrition and recruitment. The
product of CTMS, the DHS Cybersecurity Service, offers a diverse,
preeminent team working throughout DHS to protect the Nation's
information technology infrastructure and the American people from
cybersecurity risks.
Employees in the DHS Cybersecurity Service work across our
cybersecurity missions and operational components in jobs currently
spanning 17 different cybersecurity specializations. Through our
authority, the Department can regularly adjust to emerging needs by
expanding CTMS hiring across wide arrays of specializations, including
those related to AI. Every day, DHS Cybersecurity Service employees are
on the front line--protecting the systems, networks, and information
Americans rely on. While a Federal employment opportunity may not
bridge the salary differentials between Government and private sector,
CTMS combines Federal benefits with competitive market-sensitive
compensation, meaningful work, and career mobility to attract a unique
blend of next generation talent, technical experts, and leaders that
collectively advance our dynamic cybersecurity mission.
Since its launch in November 2021, DHS received nearly 25,000
applications from persons seeking to join the Cybersecurity Service and
fill high-priority jobs in my office, CISA, and the Federal Emergency
Management Agency. As of May 2024, the Department issued over 345
initial job offers and on-boarded 189 employees--spanning entry-level
to executives and distinguished technical experts. These latest figures
represent exponential growth in this program.
Employees who participate in the Cybersecurity Service produce
significant results. In fewer than 9 months, one DHS Cybersecurity
Service employee implemented an enterprise-wide, remote penetration
testing capability, resulting in a 70 percent reduction in related
costs. Another employee's contributions led to a provisional patent for
the Department's Unified Cybersecurity Maturity Model, which helps
align cybersecurity spending and new capability requests across the
Department. Other cyber employees have expanded capacity-building and
threat-hunting capabilities, written CISA's Open Source Software
Security Roadmap, and produced a decryptor for an emerging ransomware
strain, among other accomplishments.
This new pool of talent represents significant geographic
diversity, with employees hailing from over 29 States and the District
of Columbia. Over half of current employees are at the entry and
developmental level, and we are capitalizing on CTMS's flexibilities to
enable these employees to move into more senior roles as their careers
progress. Our 2-year retention rate is currently 94 percent, compared
to an average of 80 percent in the technology industry. Although we are
still new and need more longitudinal data, if this rate continues, we
will see reduced labor time and costs associated with recruitment and
backfilling.
While CTMS is a major value-add to the Department, its rollout was
not without challenges. It took us too long from receiving this
authority to launch the program and begin hiring under it, and our
initial rate of hires has not met our aggressive targets. Designing
and launching an entirely new personnel system in the Federal
Government is an extremely difficult task, and we learned from these
efforts. We are continuously improving CTMS in partnership with hiring
managers to make it a more effective tool. We knew that simply
eliminating a step in the hiring process or adding a pay grade would
not do enough to make DHS competitive, so we designed CTMS as a true
attempt at civil service reform. It is a complex, transformative, and
challenging effort, but necessary to position the Department for long-
term success.
Additionally, many cybersecurity positions require security
clearances at various levels, and this vetting process sometimes sets
the pace at which we can on-board new employees to Government service.
As one of the Security, Suitability, and Credentialing Performance
Accountability Council (PAC) members spearheading the Trusted Workforce
(TW) 2.0 initiative, DHS is working on implementing relevant policy
changes to benefit from recent gains made in clearance processing.
Looking ahead, the Department has committed to expanding CTMS. In
fact, one primary objective in my fiscal year 2024-2028 IT Strategic
Plan includes implementing CTMS across all operational components and
expanding CTMS applicability as a hiring mechanism for a wider array of
cybersecurity-related professionals, including those specializing in
data science, AI, and other emerging technologies.
Internships and Fellowships
In addition to CTMS, the Department has established a variety of
internship and fellowship programs to create pathways for students and
those early in their career to begin their professional journeys at
DHS. In 2021, we established the Secretary's Honors Program, modeled
after a long-standing successful program at the Department of Justice,
which builds cohorts of new employees in priority fields and provides
them with access to training, leadership engagements, and exposure to
various mission areas across the Department. To date, almost 80
employees have participated in the first 3 cybersecurity classes of the
Secretary's Honors Program. This includes 46 CTMS employees who
participated in the third class that ended in April 2024.
Last summer, we welcomed the first 16 participants into the
Department's new Intelligence & Cybersecurity Diversity Fellowship
program, which was authorized by Congress. Fellows worked for 12 weeks
in offices across DHS and had an opportunity to engage with leaders
across Government, including Secretary Mayorkas and the Ranking Member
of this committee. I was impressed by the talent and passion of this
inaugural cohort when I met with them last year, and I am looking
forward to meeting with the fellows we are welcoming this summer.
I am also very proud of the Cybersecurity Intern Program (CSIP)
launched in my office in the summer of 2022. CSIP provides internships
for students ranging from high school to graduate school to bring
diverse talent to fields spanning cybersecurity, data management, cloud
services, and network operations. The program grew from 52 interns in 7
DHS offices and operational components in 2022 to 85 in over a dozen
DHS offices and operational components this summer. We saw over 1,000
applications in just a single day this year and had to close our
application window early given the enormous interest.
AI Corps
In September 2023, the Secretary named me as the Department's first
CAIO. As both the new CAIO and the current CIO responsible for
strengthening the Department's cybersecurity posture, I immediately
recognized the synergies between my two roles. A portion of my focus
quickly turned to attracting new talent to harness AI technology in
support of the Department's missions.
As AI becomes more powerful and widely used, it is evident that the
Department needs AI experts to ensure we leverage this technology
responsibly and safeguard against its malicious use. To meet this need,
the Secretary announced the creation of the DHS AI Corps in February
2024, during a trip to Silicon Valley. Modeled after the USDS, this
group will support the use of AI across DHS, working on critical
efforts ranging from countering fentanyl and combating child sexual
exploitation and abuse to enhancing our cybersecurity. AI Corps members
will identify and mitigate safety and security considerations for AI to
ensure its responsible use at DHS.
Demand for personnel with AI technical skills relevant to missions,
such as cybersecurity, is immense across all sectors. When attracting
such talent, the Department makes a simple argument: now is the time
for technology experts to make a real difference for our Nation by
joining the Federal Government. Although the AI Corps and the
accompanying hiring sprint to bring it to 50 personnel is still new,
our straightforward message has already produced dramatic results. We
received over 6,000 applications for this first-of-its-kind program and
have already on-boarded 7 individuals with another 19 in the on-
boarding process. AI Corps members come from the country's top
technology firms and from across Government and civil society, bringing
skillsets in data science, machine learning, product and program
management, software engineering, and human-centered design to
accelerate our efforts.
Training and Development
The Department prioritizes attracting, hiring, and retaining top
technical talent, but we also understand the need to consistently train
our existing work force to confront evolving challenges in
cybersecurity and technology. For this reason, the first goal of the
DHS IT Strategic Plan is ``Invest in the DHS IT Workforce.''
We are building a DHS IT Academy to ensure every DHS IT and
cybersecurity employee is competent in core skillsets and to assist
employees in developing new technical skills. The DHS IT Academy will
create standard technical orientations for all DHS IT employees,
develop a rigorous training and rotation program for entry-level hires,
and offer upskilling opportunities for employees to learn new and
emerging skills. As a first step, we launched a standardized IT
Immersion Program for all new DHS IT professionals. IT Immersion
provides new hires with a shared understanding of how IT enables the
DHS mission and instructs them in core IT concepts including zero trust
implementation, cybersecurity risk management, continuous monitoring
and security authorizations, privacy concerns, and customer experience.
The inaugural IT Immersion Program included 140 attendees from across
the Department, and a second Program held last month for employees who
joined the Department after our inaugural session included an
additional 72 attendees. We only expect interest to grow as we move
ahead.
The DHS IT Academy effort also led to the development of role-based
training minimum standards for roles with significant cybersecurity
responsibility: information systems security manager, information
systems security officer, system owner, and authorizing official. These
DHS minimum standards are aligned with the National Institute of
Standards and Technology's NICE Workforce Framework for Cybersecurity
and include minimum specified knowledge standards and typical tasks for
each role. We anticipate launching the initial set of role-based
trainings by the end of this fiscal year.
Finally, we are working to ensure all DHS employees are building
basic technical awareness and skills, not just those working in
securing technology and cybersecurity. We are redesigning our annual
Cybersecurity Awareness Training and have launched regular phishing
exercises to keep all employees sharp on their personal contributions
to the Department's cybersecurity. Last year, we were the first
Department to launch training for employees seeking to use
commercially-available generative AI tools in their work. Over 5,000
employees have taken this training and have permission to use these
cutting-edge tools responsibly and safely.
Federal Cohesion and Coordination
To support the administration's effort in modernizing Federal
hiring and strengthening the Federal work force, DHS is also aligning
its cyber work force effort with the President's Management Agenda;
National Cyber Workforce and Education Strategy implementation;
National Security Memorandum-3 (``Memorandum on Revitalizing America's
Foreign Policy and National Security Workforce, Institutions, and
Partnerships''); Executive Order 14119 (``Scaling and Expanding the Use
of Registered Apprenticeships in Industries and the Federal Government
and Promoting Labor-Management Forums''); and Executive Order 14110
(``Safe, Secure, and Trustworthy Development and Use of Artificial
Intelligence'').
Conclusion
The programs I have outlined today are just some of the tools we
are using across DHS to strengthen our cybersecurity work force. There
is no single initiative or policy to address all work force challenges,
and every organization that relies on this talent across the public and
private sectors is similarly looking at a combination of efforts
spanning recruitment, hiring, training, and retention. I look forward
to our continued partnership with Congress, and especially this
committee, to deliver flexible authorities needed to attract talent in
an extremely competitive market. I also urge the committee to take an
expansive view of cybersecurity talent. Cybersecurity is a vital part
of every stage of the software and technology development life cycle.
We must ensure all employees involved in this process are equipped to
understand how their role contributes to cybersecurity, from designers
and program managers through network operators and help desk
technicians. While cybersecurity-focused programs are critical,
complementary efforts such as the DHS AI Corps, which bakes
cybersecurity into programs for recruiting adjacent talent, also have
an important role to play. We acknowledge the importance of diversity,
equity, and inclusion in building a robust cybersecurity team. By
actively recruiting from underrepresented communities and ensuring an
inclusive work environment, we can leverage a wider range of
perspectives and skills, which are crucial in addressing the complex
challenges of cybersecurity today. I am proud of the progress the
Department has made, but there is still work to be done. As we move
forward, we remain dedicated to continuously improving our programs and
learning from our challenges so that DHS remains at the forefront of
our Nation's cybersecurity protections. Thank you for the opportunity
to testify today. I welcome your questions.
Mr. Garbarino. Thank you, Mr. Hysen.
I now recognize Ms. Beavers for 5 minutes to summarize her
opening statement.
STATEMENT OF LESLIE A. BEAVERS, PRINCIPAL DEPUTY CHIEF
INFORMATION OFFICER, U.S. DEPARTMENT OF DEFENSE
Ms. Beavers. Good morning, Chairman Garbarino and
Congresswoman Ramirez and distinguished Members of the
subcommittee. Thank you for the opportunity to address you
today on an issue of critical importance to our national
security, the Department of Defense's efforts to cultivate and
strengthen our cyber work force.
As the principal deputy chief information officer, I lead a
team dedicated to providing strategic direction, oversight, and
technical expertise to secure and modernize the Department's
information technology, enhance warfighting command, control,
and communications, and cultivate a digital work force. Each of
these missions is critical to our warfighters and would be
impossible without the right people.
The Department of Defense must adapt to emerging threats
and develop a skilled work force to tackle national security
challenges in the global landscape. Cyber threats, cloud
computing, and software modernization are crucial for
safeguarding national interests and supporting warfighters. A
skilled work force is needed to innovate, develop, and
implement cyber capabilities for sustained superiority.
Last year, the Department of Defense released the DOD Cyber
Workforce Strategy, developed in coordination with various
components: the Joint Chiefs of Staff, U.S. Cyber Command, and
the military services. This strategy aligns with the 2022
National Defense Strategy's imperative to cultivate the work
force we need.
The strategy identifies a pressing need for a cultural
shift in managing the Department's most valuable asset--our
people--and laid the groundwork for a nationwide transformation
in cyber education through collaboration among academia,
employers, and Government leaders.
It also creates an opportunity for innovation in the
Department's approach to recruiting, training, educating, and
certifying our work force. The strategy aims to achieve success
through regular work force capability assessments, talent
management programs, cultural shift, and partnerships to
enhance operational effectiveness and career growth.
A keystone effort within the Cyber Workforce Strategy is
the cyber defense work force framework, which is a catalogue of
cyber space skills and roles needed across the Department. This
framework helps us identify and focus on critical, hard-to-fill
specialties, recognizing that it will evolve as it adapts with
technology.
We are also excited about our newly-established Cyber
Academic Engagement Office, which will be the consolidated
focal point for cyber-related activities carried out between
the Department, academic stakeholders and, in the future, with
Federal partners such as the Department of Education, NIST,
FBI, and DHS's Cybersecurity and Infrastructure Security
Agency, to collaborate on cyber education programs for the
benefit of the whole of Government.
We also have educational initiatives like the DOD Cyber
Service Academy, which offers scholarships and grants to
bolster the Nation's cyber work force and grant scholarships to
non-DOD students enrolled in National Centers of Academic
Excellence in Cybersecurity, as well as to DOD civilians and
service members pursuing master's and doctoral degrees.
In 2024, the Cybersecurity Academy awarded recruitment
scholarships to 174 nongovernment students, supporting their
studies in cyber space-related competencies. To that end, the
Department of Defense actively participates in the Office of
the National Cyber Director's Federal Cyber Workforce Group. We
align our cyber work force strategies in partnership with the
Department of Homeland Security and the Department of Commerce
to ensure a whole-of-Government approach.
DOD understands that interagency collaboration not only
establishes standards for cyber across the Federal Government,
it also facilitates the development of professional
competencies that define future cyber work in the Government
and the private sector alike.
We're reevaluating cyber education and certification,
acknowledging that traditional college degrees are not always
necessary. DOD is exploring faster routes to cybersecurity
qualifications. With the Department of Labor, we're creating
the Federal Cybersecurity Apprenticeship Program to set
standards for critical roles. By partnering with the under
secretary for acquisition and sustainment, DOD CIO is promoting
registered apprenticeship programs to diversify our work force
and remove educational barriers. This approach aims to bring in
skilled workers through nontraditional paths.
The Department of Defense is committed to strengthening our
cybersecurity posture through the development and management of
a highly-skilled cyber work force. A cultural shift in managing
the Department's most valuable asset, our people, is under way.
Thank you for the opportunity to testify this morning. I
look forward to your questions.
[The prepared statement of Ms. Beavers follows:]
Prepared Statement of Leslie A. Beavers
June 26, 2024
Good morning, Chairman Green, Ranking Member Thompson, and esteemed
Members of the committee. The Office of the Department of Defense Chief
Information Officer (DoD CIO) is charged with securing and modernizing
IT, enhancing command capabilities, and fostering a digital work force.
Today, I am honored to discuss strengthening our Nation's cyber
work force within the Department of Defense (DoD) with you all.
The Department of Defense requires a skilled and motivated work
force to stay ahead of evolving risks and latest technologies. The
Department is identifying and bridging work force gaps to ensure we are
prepared to meet the challenges of today and tomorrow. Specifically,
the DoD Cyber Workforce Strategy and its implementation plan were
designed to further amplify our efforts to secure top talent.
Developing and maintaining our skilled work force is critical and the
introduction of the Cyber Excepted Service (CES) significantly
increased our flexibility in attracting and retaining the specialized
skills necessary for our mission's success. Additionally, we developed
a comprehensive outreach program aimed at recruiting the diverse
abilities needed to fulfill our talent requirements. Together, these
initiatives underscore our commitment to fostering a thriving work
force that can propel the Department, and by extension the Nation,
toward its goals.
Federal Cohesion and Coherence
As part of the on-going effort to strengthen and empower the
Federal work force, especially those with cyber roles, DoD is leading
and coordinating with interagency partners to implement priorities in
the President's Management Agenda. In addition, the DoD CIO was a
crucial partner in helping to shape the content of the National Cyber
Workforce and Education Strategy (NCWES) released in July 2023. Given
this close coordination, DoD can ensure harmonization with Federal
cyber work force efforts with interagency partners and the
implementation of the NCWES through our active engagement in the
National Cyber Workforce and Coordination Group, led by the Office of
the National Cyber Director. One key success of this coordination is
the growing number of institutions obtaining the National Center of
Academic Excellence (NCAE) designation, having increased from 420 to
450. In other words, we have more academic partners at higher education
institutions aligning their curriculum in a way that supports the cyber
work needed in the Federal Government. The continued collaboration with
the interagency ensured Federal Government cohesion that can maximize
cyber talent for the Nation.
Cyber Workforce Strategy and Implementation Plan
The DoD Cyber Workforce (CWF) Strategy, released in March 2023, and
its implementation plan released in August 2023, remains a top
priority. Our goals are to address work force gaps by recruiting top-
tier cyber professionals, expanding our cyber work force, and enhancing
the skills of our existing talent. This initiative is crucial for
safeguarding our digital and critical infrastructures, ensuring they
are operated securely to defend against cyber risks and protect our
data from adversaries. The CWF Strategy outlines four human capital
pillars--identifying work force requirements, recruiting talent,
developing talent to meet mission requirements, and retaining talent to
resolve the department's work force retention challenge. The successful
execution of the CWF Strategy, through this Implementation Plan
empowers the Department and its components to foster the most capable
and dominant cyber force in the world.
The CWF Strategy and Implementation Plan is an enterprise-wide
talent management program aimed at aligning force capabilities with
present and future cyber requirements. As previously stated, this
effort directly supports the National Cyber Workforce and Education
Strategy and supports the administration's consistent effort to modernize
Federal hiring and strengthen the Federal work force starting with
the President's Management Agenda.
As part of the interagency collaboration and in support of NCWES
implementation, DoD is committed to reducing the vacancy rates of its
critical cyber positions by 2 percent per year over the next 2-5 years,
with the goal to reduce the overall cyber work force vacancy rate to
below 15 percent. To accomplish the reduction and bolster cyber
readiness, DoD plans to benefit from the newly-established Cyber
Academic Engagement Office. Additionally, DoD will reduce vacancy rates
by leveraging existing and under-development authorities that support
innovative hiring practices (including skills-based hiring), with
targeted recruiting, retention, and relocation bonuses and other
related pay-related programs. DoD anticipates an additional 2,000
successful cyber work force hiring actions in each year for the next 2-
5 years.
We are cultivating a transformation across the Department to
enhance personnel management practices on a broader scale and promoting
collaboration and partnerships to enrich capability development,
operational efficiency, and career advancement opportunities across the
organization.
development and retention
Professional development through education and training plays a
vital role in supporting and enhancing our cyber work force
capabilities. We have several on-going partnerships and rotation
programs to provide professional development opportunities to our work
force.
The Department recently established the DoD Cyber Academic
Engagement Office (CAEO). This office will oversee cyber-focused
engagement programs, and enhance coherence, coordination, and
management across the enterprise. The primary objective is to
streamline processes and establish a clear pathway for academic
institutions seeking engagement with the DoD, serving as the
consolidated focal point for engagements between the Department of
Defense and academic institutions regarding cyber-related matters.
The Department offers 2 cyber- and IT-focused rotation and exchange
programs that foster innovation and enable the Department to develop
and retain our existing cyber talent. We administer Office of Personnel
Management's Federal Rotational Cyber Workforce Program (FRCWP) and the
DoD Cyber and Information Technology Exchange Program (CITEP) for the
DoD cyber work force. The FRCWP enables cyber-coded Government
civilians to hone or develop cyber knowledge and skills through
applying for, and serving in, rotational details outside their home
agencies across the Federal Government. Rotations promote intra-agency
and interagency knowledge sharing, integration, and coordination of
cyber practices, functions, and personnel management. The DoD CITEP
facilitates a unique opportunity for industry and DoD civilian
employees working in the cyber and IT fields to participate in an
exchange opportunity between the two sectors. Participants share best
practices, gain a better understanding of cross-sector cybersecurity
operations and challenges, and gain exposure to a different
organization's processes.
cyber excepted service (ces)
The Department appreciates Congress' recognition of the need for
flexibilities in attracting, hiring, and retaining quality cyber
personnel. Section 1599f of Title 10, U.S. Code, authorized the CES
personnel system for DoD civilians supporting the U.S. Cyber Command,
providing pay flexibilities to mitigate recruitment and retention
challenges. Similar to the Department of Homeland Security's (DHS)
Cyber Talent Management System (CTMS), the DoD's CES features a
mission-focused occupational structure, qualification-based
professional development, and advancement opportunities without time-
in-grade requirements, along with agile recruitment and retention
strategies, recruitment incentives, and market-based compensation.
Tracking the Cyber Workforce through the DoD Cyber Workforce Health
Report provides leadership with enterprise-wide insights into the cyber
work force through the lens of the DoD Cyberspace Workforce Framework
(DCWF) work roles, enabling them to identify work force gaps and timely
address recruiting and retention challenges. This platform reports on
the state of the civilian and military cyber work force, manages the CES
Targeted Local Market Supplement (TLMS) incentive and provides
commanders with a means of identifying and mitigating work force health
challenges.
cyber work force qualifications
To provide guidance to the Department on the implementation of our
Cyber Workforce Strategy, we released the third publication in the DoD
Cyber Workforce Policy series to set the foundation for managing,
identifying, qualifying, and upskilling our work force according to the
DCWF. The manual plays a crucial role in our work force by setting
forth the qualification standards for every DCWF work role, ensuring
that personnel assigned to cyber positions possess the capability to
meet mission demands effectively.
Since the publication of the DoD Manual 8140.03 on February 15,
2023, the Department has been working aggressively to implement the
qualification of personnel identified as members of the DoD cyber space
work force. The Department has an established time line to ensure
existing civilian and military personnel meet the new foundational and
residential qualification standards by 2025 and 2026 respectively,
across the various cyber work force elements. To address on-going work
force challenges, we incorporated 3 DCWF mission-critical cyber work
roles (to include Cyberspace Operator, Exploitation Analyst, and
Software Developer), with potential for future expansion of the DCWF to
ensure qualified personnel are recruited and retained to support the
cyber mission across the DoD. In addition, the Department is working
concurrently across the Services, OSD, and the 4th Estate to ensure
that cyber work force positions are accurately coded. We continue to
work with our partners from across the Department to improve the
fidelity of our cyber work force coding using key performance
indicators, to in turn report and measure the health of the cyber work
force. Improving the accuracy of our data will further enable the
Department to quickly plan and execute the cyber missions.
academic outreach and partnerships
As cyber space risks continue to evolve in complexity and
frequency, fostering collaboration between the Federal Government and
academic institutions becomes imperative. Earlier this month, we
established in alignment with fiscal year 2024 NDAA Section 1531, the
DoD Cyber Academic Engagement Office (CAEO). My office will use the
enhanced authorities granted to serve as a nexus for forging
partnerships, facilitating information exchange, and nurturing talent
in cyber space work force. Additionally, the CAEO signifies a concerted
effort to track data and metrics regarding academic programs and their
graduates. By systematically monitoring the performance and outcomes of
covered academic engagement programs to include: Primary, secondary, or
post-secondary education programs with a cyber focus; DoD recruitment
and retention programs for civilian and military personnel, including
scholarship programs; academic partnerships focused on establishing
defense civilian and military cyber talent, the DoD can identify
emerging trends, evaluate the effectiveness of educational initiatives,
and strategically allocate resources to areas of critical need. This
data-driven approach ensures academic institutions are equipped to
produce highly-skilled cyber professionals and enables the DoD to adapt
its strategies in response to evolving threats and technological
advancements. The DoD CAEO plays a pivotal role in strengthening the
Nation's cyber defense capabilities by leveraging the expertise and
innovation within academia while fostering a culture of continuous
improvement and collaboration.
The DoD CIO administers the DoD Cyber Service Academy (DoD CSA),
formerly known as the DoD Cyber Scholarship Program (DoD CySP), which
awards scholarships to U.S. Citizens pursuing cyber-related degrees at
designated institutions. Recipients of these scholarships are afforded
experiential learning opportunities through a DoD internship, providing
invaluable exposure to DoD cultures and agencies. This approach not
only enhances the qualifications and capabilities of our work force
members but also initiates the clearance process, ensuring that
applicants are pre-cleared before commencing full-time employment. For
the 2024 cycle, 95 National Centers of Academic Excellence in
Cybersecurity (NCAE-Cs) submitted proposals to support scholars under
the DoD CSA. Of those 95 academic institutions, 6 are Historically
Black Colleges and Universities, and 14 are first-time participants and
nominating students for the recruitment and/or retention programs. The
Department is committed to supporting higher education and to prepare
the DoD work force to address threats against the Department's critical
information systems and networks. The Department is poised to bring the
DoD CSA to fruition as an additional tool to recruit and retain top
cyber talent. The average cost of a DoD CSA scholarship for one
academic year is $79k per student. Per law, the scholarship includes
tuition, books, fees, stipend, summer internship salary support, a
technology and certification allowance, as well as faculty and
administrative support. The DoD CSA provided scholarship offers to more
than 165 U.S. Citizens in 2024 and aims to maintain this 17 percent
increase per year. In order to allow a whole-of-Government approach, we
are determining the feasibility of allowing students from other Federal
Agencies to take advantage of the DoD CSA on a reimbursable basis. The
Department appreciates the opportunity Congress granted the Department
to expand the DoD CSA to award 1,000 scholarships per year by fiscal
year 2026 and is exploring options to resource this Congressional
requirement. This effort will further bolster the commitments from DoD
and Congress to support higher education to prepare the DoD work force
to combat threats against the Department's critical information system
and networks.
The Department is currently tracking approximately 450 designated
academic institutions that are eligible to participate in the DoD CSA.
Each eligible institution is invited to participate in the DoD CSA
program and determines, based on their internal manpower, if they can
support such a program on campus. Managing a scholarship on campus
requires commitment and resources that may not be available. Any
institution who achieves their designation by January 15, 2025, will be
eligible to participate in the 2025 DoD CSA application cycle.
Thank you for your support on this issue. We are committed and
dedicated in our combined mission of ensuring that our Nation continues
to be a leader in the cyber space landscape and combat any challenges
to our national security. We look forward to continuing to work with
this committee. Thank you for the opportunity to testify this morning,
I look forward to your questions.
Mr. Garbarino. Thank you, Ms. Beavers.
I now recognize Mr. Petersen for 5 minutes to summarize his
opening statement.
STATEMENT OF RODNEY PETERSEN, DIRECTOR, NATIONAL INITIATIVE FOR
CYBERSECURITY EDUCATION, NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE
Mr. Petersen. Thank you, Chairman Garbarino and
Congresswoman Ramirez and Members of the committee.
I am Rodney Petersen. I am the director of the NICE Program
Office at NIST, and I'm pleased to testify before you today.
I want to briefly share three stories. Devonie Nelson
started her journey into the cybersecurity field after
experiencing a series of personal and career setbacks as a
single mom. She eventually chose to pivot careers, from biology
to cybersecurity, and an organization provided her essential
financial support along the way to enable her to complete her
education and eventually acquire a good job as a junior
cybersecurity engineer in a health care company.
Jimmy Minhinnett left high school before completing his
diploma, and for the next 10 years worked hard, physically
demanding shifts as a commercial truck driver. As a result of
the impact of the pandemic on the trucking industry, which
coincided with the death of his father, who had worked in IT,
Jimmy completed a cybersecurity certificate program on weekends
while continuing to work. After acquiring that credential,
Jimmy received a good job as an information security associate
with a financial services company.
Shane Wallace, who grew up in a military family, enlisted
in the Army as a combat medic. He concurrently pursued a degree
in health care administration. He held various leadership
roles, oversaw complex logistics operations, and spearheaded
crucial medical initiatives. His passion for technology led him
to complete a training program on cloud computing for
transitioning veterans that led him into a good job as a junior
engineer.
These are just three stories of individuals who have
pursued a career in cybersecurity through alternative pathways,
and their journeys provide the answer to the question for this
hearing, how to find workers to address America's cybersecurity
work force gap.
NICE is best known for the NICE Framework that provides a
common taxonomy for describing cybersecurity work. It's used by
employers, education and training providers, and learners,
including students, job seekers, and employees. The NICE
Framework components of work roles and competency areas are key
to navigating the CyberSeek website, a tool that helps career
seekers discover cybersecurity careers.
NICE also uses its convening power to support a Community
Coordinating Council that includes communities of interest on
topics such as cybersecurity apprenticeships, competitions,
diversity and inclusion, K-12 cybersecurity education, and
more. The Council also includes working groups that help
achieve NICE's strategic plan, goals, and objectives.
The first goal is to promote the discovery of cybersecurity
careers and multiple pathways. We hold a Cybersecurity Career
Week campaign each fall to help career seekers discover the
variety of types of careers in cybersecurity and the multiple
learning pathways.
The second goal is to transform learning to build and
sustain a skilled and diverse work force. We prioritize hands-
on learning experiences and performance-based assessments that
measure capabilities to perform NICE Framework tasks.
The third goal is to modernize the talent management
process to address cybersecurity skills gaps. We support the
capability of organizations and sectors to more effectively
recruit, hire, develop, and retain the talent needed to manage
cybersecurity-related risk.
The fourth goal seeks to expand use of the NICE Framework.
We promote the benefits of standardizing education and work
force programs, including alignment to the NIST Cybersecurity
Framework, the NIST Privacy Framework, and other cybersecurity
guidance.
The final goal in the NICE Strategic Plan seeks to drive
research on effective practices for cybersecurity work force
development. We use those research results to inform programs,
curriculum design, learning opportunities, ensure equity, and
much more.
NICE hosts several key events throughout the year, and
these events bring together stakeholders to showcase best
practices, highlight emerging trends, and inspire action. We
also produce and share several resources, including a
Cybersecurity Apprenticeship Finder and a listing of free and
low-cost on-line cybersecurity learning content.
In conclusion, the recent 15th Annual NICE Conference
served to celebrate the growth and progress toward fulfilling
our mission to create an integrated ecosystem of cybersecurity
education, training, and work force development. However, we
must continuously strive to prepare, grow, and sustain the
cybersecurity work force that the public and private sectors
need to safeguard our national security and promote America's
economic prosperity.
So thank you for the opportunity to testify today on NIST's
cybersecurity, education, and work force activities, and look
forward to answering any questions.
[The prepared statement of Mr. Petersen follows:]
Prepared Statement of Rodney Petersen
June 26, 2024
Chairman Green, Ranking Member Thompson, and Members of the
committee, I am Rodney Petersen, director of the National Initiative
for Cybersecurity Education (NICE) Program Office at the National
Institute of Standards and Technology (NIST) in the Department of
Commerce. I am pleased to testify before you today on behalf of the
NICE program and to illuminate our vision to prepare, grow, and sustain
a cybersecurity work force that safeguards and promotes America's
national security and economic prosperity.
I want to briefly share three stories:
Devonie Nelson is a junior cybersecurity engineer who started her
journey into the cybersecurity field while a single Mom with
significant personal and financial challenges. After graduating with a
biology degree, she experienced a series of personal and career
challenges as a young adult. She eventually enrolled in a Security
Management master's degree program with a concentration in
cybersecurity. Along the way, she discovered a philanthropic
organization that enabled her to persist in her educational journey and
eventually acquire a cybersecurity position at a health care company.
Now, she has dedicated herself to sharing with others her experiences
and the opportunities available to eliminate some of the initial
hurdles faced when entering the cybersecurity field, especially as a
minority first-generation student.
Jimmy Minhinnett was a truck driver who is now an information
security associate with a company in the financial services sector.
Although he understood the impact of technology at a young age thanks
to his father who worked in IT, life circumstances took him in a
different direction. He left high school before completing his diploma
and for the next 10 years worked hard, physically demanding shifts as a
commercial truck driver. As a result of the impact of the pandemic on
the trucking industry--combined with grieving the death of his father--
he decided to pursue a new career and that led to the discovery of a
cybersecurity certificate program that he completed on weekends while
continuing to work. After acquiring that credential, he received a good
job that changed his life.
Shane Wallace is the product of a military family, and he enlisted
in the Army as a combat medic in 2014. Through his military service, he
demonstrated a relentless commitment to excellence, concurrently
pursuing a degree in Healthcare Administration. His assignments spanned
the globe, where he held various leadership roles, overseeing complex
logistics operations and spearheading crucial medical initiatives. As
he transitioned from military service in 2023, his passion for
technology led him to pursue and graduate from a training program for
transitioning veterans where he developed a competency in cloud
computing that led to an eventual role as a junior engineer with a
private-sector employer.
These are just 3 examples of individuals who have pursued a
cybersecurity career through alternative pathways--and their stories
help to address the focus of this hearing on how to find workers to
address America's cybersecurity work force gap. They shared their
stories earlier this month at the annual NICE Conference & Expo,\1\
which was held in Dallas. However, their stories represent a growing
number of Americans who are getting into good-paying, meaningful
careers in cybersecurity through the many different education or
training pathways available to them.
---------------------------------------------------------------------------
\1\ https://niceconference.org/.
---------------------------------------------------------------------------
NICE's mission is to energize, promote, and coordinate a robust
community working together to create an integrated ecosystem of
cybersecurity education, training, and work force development. This
mission aligns with the administration's broader efforts in modernizing
Federal hiring and strengthening the Federal work force. As part of
this, NIST is also supporting broader work force efforts including but
not limited to the President's Management Agenda, the National Cyber
Workforce and Education Strategy implementation, the National Security
Memorandum-3 ``Memorandum on Revitalizing America's Foreign Policy and
National Security Workforce, Institutions, and Partnerships'' and the
AI Executive Order. The NICE Program Office also actively promotes and
supports the Department of Commerce Principles on Highly Effective
Workforce Investments \2\ and the Department of Commerce and Department
of Labor's Good Jobs Principles.\3\ Today's testimony will focus on
signature programs led by NIST beginning with the NICE Workforce
Framework for Cybersecurity (or NICE Framework).
---------------------------------------------------------------------------
\2\ https://www.commerce.gov/issues/workforce-development.
\3\ https://www.dol.gov/general/good-jobs/principles.
---------------------------------------------------------------------------
federal coordination and coherence
As part of the administration-wide effort to connect Americans to
Good Jobs in cyber, NICE coordinates with the White House Office of
National Cyber Director (ONCD), Office of Management and Budget, and
through the National Cyber Workforce Coordination Group to integrate
and align its work with the President's Management Agenda, National
Cyber Workforce and Education Strategy (NCWES) implementation,
Registered Apprenticeship EO, and Workforce Hub Efforts. For example,
NICE is co-chair of the Working Group on Cyber Skills and Awareness as
well as the Working Group on Cyber Workforce and Education.
nice workforce framework for cybersecurity (nice framework)
The NICE Framework \4\ provides a common taxonomy or lexicon for
describing cybersecurity work. It is used by employers to assess their
work force needs and to shape work force development, including writing
job descriptions that are more consistent and effective across
organizations and sectors. The NICE Framework is also used by education
and training providers to develop content and provide learning
experiences to ensure that students or learners can develop skills and
acquire credentials that attest to their capabilities. It is also used
by learners, including students, job seekers, and employees, to
identify the skills and credentials necessary to enter and advance in
high-quality jobs in the cybersecurity career. The NICE Program Office
released version 1.0.0 of the NICE Framework components in March, which
represents a comprehensive update to the core content of the NICE
Framework (NIST Special Publication 800-181r1). The recently updated
NICE Framework includes 52 Work Roles across 7 categories, 11 new
Competency Areas, and over 2,220 Task, Knowledge, and Skill statements.
---------------------------------------------------------------------------
\4\ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-181r1.pdf.
---------------------------------------------------------------------------
cyberseek: interactive cybersecurity jobs heatmap and career pathway
tool
Another signature program of NICE is our partnership with CompTIA
and Lightcast, which has resulted in the production of CyberSeek. The
CyberSeek.org \5\ website is a tool that can help learners discover
cybersecurity careers and policy makers, such as yourself, discover the
dynamics of work force supply and demand across the United States as
well as in States or major metropolitan areas. Lightcast also developed
the Quarterly Cybersecurity Talent Report as a commitment to support
the NCWES from ONCD. It leverages and expands upon data Lightcast
provides to CyberSeek.org. The updates to CyberSeek and the
Cybersecurity Talent Report earlier this month revealed that, for the
past 12 months in the United States, there were 469,930 cybersecurity
job postings, 1,239,018 existing cybersecurity workers, and 85 skilled
cybersecurity workers for every 100 demanded by employers. While these
numbers suggest modest improvements and indicate that we are making
headway, there is still a talent gap of 225,000 cybersecurity workers
needed to meet employer demand. In the DC metropolitan area alone,
there are 66,775 cybersecurity jobs available and 36,908 across the
entire State of Texas.\6\
---------------------------------------------------------------------------
\5\ https://www.cyberseek.org/.
\6\ https://www.cyberseek.org/heatmap.html.
---------------------------------------------------------------------------
nice strategic plan (2021-2025)
The NICE Strategic Plan \7\ and corresponding implementation plan
is another signature program of NICE and establishes our vision,
mission, and values. It also sets forth 5 goals with corresponding
objectives.
---------------------------------------------------------------------------
\7\ https://www.nist.gov/itl/applied-cybersecurity/nice/about/
strategic-plan.
---------------------------------------------------------------------------
promote the discovery of cybersecurity careers and multiple pathways
The first goal is to Promote the Discovery of Cybersecurity Careers
and Multiple Pathways. As you heard earlier, the learning pathways to a
career in cybersecurity can vary from learning experiences in high
school or college leading to an academic degree to training programs or
bootcamps that result in an industry-recognized certification to a
Registered Apprenticeship or other earn and learn experience that
culminates in a certificate of completion. However, providing multiple
learning pathways is not enough if learners do not understand the
variety of types of careers that are available in cybersecurity. That
is why during the third week of October each year, as part of
Cybersecurity Awareness Month, we hold a Cybersecurity Career Week,\8\
that is a campaign to promote the discovery of cybersecurity careers
and share resources that increase understanding and engagement in the
multiple learning pathways and credentials that lead to careers in
cybersecurity. The week is typically kicked off with a Capitol Hill
event hosted by the House Cybersecurity Caucus and Senate Cybersecurity
Caucus and other events throughout the week including the US Cyber Team
Draft Day,\9\ webinars, social media campaigns, and workplace events to
showcase careers in cybersecurity.
---------------------------------------------------------------------------
\8\ https://www.nist.gov/itl/applied-cybersecurity/nice/events/
cybersecurity-career-week.
\9\ https://www.uscybergames.com/draft-day.
---------------------------------------------------------------------------
transform learning to build and sustain a skilled and diverse workforce
The second goal is to Transform Learning to Build and Sustain a
Skilled and Diverse Workforce. There are many opportunities for
innovation in the learning process that will increase the likelihood
that job seekers are job-ready to enter employment. Examples include
more hands-on learning experiences and the use of performance-based
assessments that measure competencies and capabilities to perform NICE
Framework tasks. In an era when ``skills-based approaches'' is the
mantra of employers and educators, we need to improve the quality and
transparency of available credentials that serve to demonstrate and
validate the competencies of a learner. We also need to advocate
multidisciplinary approaches that integrate cybersecurity across
disciplines, recognizing that a basic level of cybersecurity knowledge
and skills are increasingly necessary in almost every career field and
in every sector of the economy. The Cybersecurity Across Disciplines
Conference \10\ is an example of an event that brings together
community and technical college faculty from diverse disciplines to
explore the intersection of cybersecurity within their specific
educational program areas and the critical infrastructure sectors they
serve, including but not limited to manufacturing, health care, retail,
engineering, and finance. And, building on the NICE value to Model
Inclusion, this strategic plan goal emphasizes advocating and enabling
engagement of stakeholders from diverse backgrounds and experiences.
---------------------------------------------------------------------------
\10\ https://www.ncyte.net/about-ncyte/events/cyad-summit-
cybersecurity-across-disciplines.
---------------------------------------------------------------------------
modernize the talent management process to address cybersecurity skills
gaps
The third goal is to Modernize the Talent Management Process to
Address Cybersecurity Skills Gaps. It fundamentally seeks to enhance
the capabilities of organizations and sectors to more effectively
recruit, hire, develop, and retain the talent needed to manage
cybersecurity-related risks. Building on other foundational NIST
publications, such as the Risk Management Framework and Cybersecurity
Framework,\11\ this goal helps organizations to focus on the ``people''
and workplace skills needed in their organizations who work alongside
``technologies'' or ``processes'' to manage cybersecurity risks. A few
examples of reforms that are needed include: Establishing more entry-
level positions and opportunities that provide avenues for growth and
advancement; aligning qualification requirements according to
proficiency levels to reflect the competencies and capabilities needed
to perform tasks in the NICE Framework; encouraging on-going
development and training of employees, including rotational and
exchange programs, to foster and retain talent with diverse skills and
experiences; and reskilling the unemployed, underemployed, incumbent
work force, and transitioning veterans or military spouses to prepare
them for good jobs in cybersecurity.
---------------------------------------------------------------------------
\11\ https://www.nist.gov/cyberframework.
---------------------------------------------------------------------------
expand use of the nice workforce framework for cybersecurity (nice
framework)
The fourth goal seeks to Expand Use of the NICE Workforce Framework
for Cybersecurity or NICE Framework. This goal starts with increasing
awareness of the benefits of the NICE Framework to employers,
educators, and training providers. This goal goes on to ensure that the
NICE Framework is aligned to other NIST resources, including the NIST
Cybersecurity Framework, the NIST Privacy Framework,\12\ and other
cybersecurity, privacy, and risk management publications or guidance.
We are also keenly aware that tasks in the NICE Framework will be
increasingly performed by automated techniques and will need to update
knowledge and skill statements to incorporate appropriate and ethical
use of artificial intelligence in the completion of cybersecurity
tasks. Our international partners, especially developing nations, are
increasingly looking to NIST resources, including the NICE Framework,
as a model for their national efforts. That is why NICE recently
partnered with the State Department to bring individuals representing
over 20 countries to the NICE Conference & Expo earlier this month to
learn more about their cybersecurity work force development efforts and
share how the NICE Framework is being widely used across the United
States.
---------------------------------------------------------------------------
\12\ https://www.nist.gov/privacy-framework.
---------------------------------------------------------------------------
drive research on effective practices for cybersecurity workforce
development
The final goal in the NICE Strategic Plan seeks to Drive Research
on Effective Practices for Cybersecurity Workforce Development. That is
why each month, during our NICE Community Coordinating Council Meeting,
we feature recent reports or research results that spotlight the most
effective and proven practices. Similarly, we use research results to
inform programs and curriculum design, foster continuous learning
opportunities, impact learner success, and ensure equitable access.
Again, supporting the NICE values to Challenge Assumptions, Stimulate
Innovation, Act Based on Evidence, and Evaluate and Improve, we are
working together as a community to pursue objective and reliable
sources of information and using data to inform actions or decisions.
foster communication, facilitate collaboration, and share and leverage
resources
Let me conclude by just highlighting a few other ways in which NICE
fulfills its mission--through its convening power and the development
and dissemination of resources. On a monthly basis, NICE convenes an
interagency coordinating council of representatives from across Federal
Government departments and agencies and the Executive Office of the
President to coordinate and collaborate on national cybersecurity
education and work force development initiatives. We also convene a
NICE Community Coordinating Council that is co-chaired by a leader from
academia and industry. The Council includes working groups that
correspond to each of the NICE Framework goals and communities of
interest on topics such as cybersecurity apprenticeships, competitions,
diversity and inclusion, K12 cybersecurity education, and more.
To promote and energize a robust community working together, NICE
hosts several key events \13\ each year, including the Annual NICE
Conference and Expo, the Regional Initiative for Cybersecurity
Education and Training Conference for the Americas, a NICE K12
Cybersecurity Education Conference, Cybersecurity Career Week, and a
monthly NICE Webinar Series. These events bring together stakeholders
to increase awareness and understanding, showcase effective practices
and solutions, and expand our horizons by focusing on emerging and
future trends. We also produce and share several resources,\14\ most of
them developed with input from the broader community, including the
NICE Framework Resource Center, the NICE Cybersecurity Apprenticeship
Finder, one-pagers on topics such as Cybersecurity Workforce Demand,
and a listing of Free and Low-Cost On-line Cybersecurity Learning
Content.
---------------------------------------------------------------------------
\13\ https://www.nist.gov/itl/applied-cybersecurity/nice/events.
\14\ https://www.nist.gov/itl/applied-cybersecurity/nice/resources.
---------------------------------------------------------------------------
summary
In conclusion, the recent NICE Conference & Expo held in Dallas was
our 15th annual conference and served to celebrate the establishment of
NICE in 2008 by the Comprehensive National Cybersecurity Initiative.
Over the past 15 years, we've seen considerable growth and progress
toward fulfilling our mission to create an integrated system of
cybersecurity education, training, and work force development. However,
the present and future promise to introduce new challenges and
opportunities, and we must remain vigilant to continuously prepare,
grow, and sustain the cybersecurity work force that the public and
private sector will need to safeguard our national security and promote
America's economic prosperity.
Thank you for the opportunity to testify today on NIST's
Cybersecurity Workforce activities, and I look forward to answering any
questions.
Mr. Garbarino. Thank you, Mr. Petersen.
I now recognize Mr. Mo for 5 minutes to summarize his
opening statement.
STATEMENT OF SEEYEW MO, ASSISTANT NATIONAL CYBER DIRECTOR,
CYBER WORKFORCE, TRAINING, AND EDUCATION, OFFICE OF THE
NATIONAL CYBER DIRECTOR
Mr. Mo. Good morning, Chairman Garbarino, Congresswoman
Ramirez, and distinguished Members of the committee. Thank you
for the opportunity to testify before you today with some of
ONCD's closest Federal partners about the critical demand for
cyber work force.
While this challenge to meet this demand is daunting, this
is also an opportunity. Filling these jobs is necessary to
advance our national security and our economic prosperity.
Whether one serves in the public or the private sector, a
career in cyber can put you on the front lines, protecting and
defending our digital way of life.
There's an abundance of talented individuals in every
corner of our country who can help us meet this demand. It's up
to us to remove barriers and broaden pathways for them to get
into these good-paying, meaningful jobs in cyber.
There are a number of challenges we must overcome to build
the cyber work force this Nation needs.
First, many Americans haven't considered a job in cyber at
all. They may assume the jobs are narrow, highly technical, and
done by a hacker in a hoodie in a dark room. Oftentimes, they
haven't seen anyone like them or they know who has taken a path
into a cyber career. Even for those who are interested, there
are barriers to entry, even if they have the skills to do the
job.
Second, while we have good education and work force
development systems, they're struggling to keep up with the
increasing demand for cyber talent. We need more educators,
training programs, and equipment for hands-on learning of
critical cyber skills.
Third and finally, we know that many of the best solutions
are unique to each community and its partners. Right now, there
are not enough locally-driven efforts to connect individuals to
training, to jobs, and services. We call this the locally-
driven ecosystem model.
The administration is driving a whole-of-Nation approach to
connect Americans to these good-paying, meaningful jobs in
cyber. First, the foundation of this effort is the National
Cyber Workforce and Education Strategy that ONCD developed in
collaboration with 34 Federal agencies and hundreds of key
external stakeholders.
Second, the Federal Government cannot solve this issue
alone, and stakeholder collaboration is critical to success.
Over a hundred organizations have made voluntary commitments to
grow and hire cyber talent.
Third, our approach recognizes that the jobs we need to
fill are not just in IT but across industry and within
companies both large and small. That's why we're making cyber
an integral part of our work force and education priorities to
unlock resources and new partnerships to grow the Nation's
cyber work force in utility companies, agriculture, energy,
health care, education, manufacturing, and more.
As a result, we can report on our initial actions to date.
To open up cyber careers to all Americans and remove
unnecessary barriers, we are focusing on skills. The
administration is leading by example by modernizing the Federal
hiring process and fully embracing skills-based approaches for
IT positions. Furthermore, the pivot extends to Federal IT and
cyber contractors across the country.
To strengthen education in work force development systems
we are identifying Federal investments to expand opportunities
through quality hands-on training and learning programs, such
as cyber clinics and earn-and-learn registered apprenticeship
programs.
The National Security Agency provided grants to launch
cyber clinics in Louisiana, Minnesota, Nevada, and Virginia.
The Department of Labor is now serving more than 13,000 cyber
apprentices across the country as a result of the work
initiated under the 120-Day Cybersecurity Registered
Apprenticeship Sprint with partners and continued through the
Registered Apprenticeship Executive Order.
To increase the use of locally-driven ecosystem models, we
have convened stakeholders across the country to establish or
expand ecosystems and to share best practices.
Most importantly, we know that the best solutions come not
solely from Washington, DC, but from the innovative
partnerships and ideas we find in communities across the
country, just like in each of your districts.
We made a lot of progress, and there's a lot more work to
be done. The demand for cyber talent will continue to grow as
the world becomes increasingly digitized. We are committed to
be working with Congress to connect Americans to good-paying,
meaningful jobs in cyber that advance our national security and
economic prosperity.
Thank you for the opportunity to testify today, and I look
forward to your questions.
[The prepared statement of Mr. Mo follows:]
Prepared Statement of Seeyew Mo
June 26, 2024
Chairman Green, Ranking Member Thompson, and distinguished Members
of the committee, thank you for holding this important hearing to
address the challenges facing the Nation's cyber work force. The White
House Office of the National Cyber Director (ONCD) is leaning in to
tackle persistent cybersecurity challenges, protect the Nation, and
foster economic prosperity.
One of these persistent challenges is the dire need for cyber
talent. The problem is clear--we need more talent, not only in the
Federal Government, but also in State, local, Tribal, and territorial
governments, and the private sector. The number of open cyber jobs--
approximately a half-million Nation-wide--is enormous and the trend
line must improve.
With this challenge, there's an opportunity--we have an abundance
of talented individuals in our country who can help us meet this need.
They can enter a career field that--whether they work in Government or
in the private sector--helps secure our Nation. A career with purpose.
A career that offers a good-paying, meaningful job. We must remove
barriers and broaden pathways for these individuals to get into cyber
careers.
Many stakeholders, from Congress and this administration to
industry, academia, and civil society, have been working diligently to
solve the cyber work force challenge. Throughout our 3-year history, we
in ONCD have acknowledged that we are not the first to tackle the
challenges to grow the cyber work force, nor are we alone in our
efforts.
As the assistant national cyber director for cyber work force,
education, training and awareness, I am honored to lead a team of cyber
work force experts to coordinate the implementation of the National
Cyber Workforce and Education Strategy (NCWES), released by ONCD last
July, and to align that effort with priorities such as the President's
Management Agenda, recent investments in Workforce and Technology Hubs
across the Nation, and efforts to strengthen the work force for in-
demand industries, just to name a few.
I am pleased to testify with some of ONCD's closest Federal
partners here today. The diligent work of these and many other Federal
agencies is helping to expand and strengthen our Nation's cyber work
force throughout every sector of the economy, including Federal, State,
local, Tribal, and territorial governments.
Although the problem we have is clear, the solutions are complex,
and I look forward to updating the committee on how the administration
is advancing both our national security and our economic prosperity by
working to connect more Americans to good-paying, meaningful jobs in
cyber. I will describe, from ONCD's perspective, the challenges we face
meeting the cyber work force demand, articulate the administration's
whole-of-Nation approach, and highlight some initial implementation
successes.
the challenges facing our cyber work force
The United States is completely reliant on a digital backbone that
facilitates everything from the power, gas, and water coming into our
homes to the systems that keep our roads, bridges, airports, banks,
schools, hospitals, businesses, and military facilities functioning.
This connectivity comes with risks, including the vulnerability of
systems and networks to attacks on that digital foundation. There's a
lot we need to do--and are doing--to better protect our Nation and its
critical infrastructure in cyber space.
One thing that is certain is that we need the talent to do the job.
That means that we must find, hire, develop, retain, empower, and
inspire more people to help us fill the approximately half-million open
positions across the Nation, across different industries and sectors,
that are important to the security of our Nation's critical
infrastructure. We need cyber talent not just in information technology
(IT), or finance, but also in manufacturing, utilities, agriculture,
energy, health care, and other sectors and industries.
There are a number of issues facing our work force:
First, many Americans don't see opportunities for themselves
in cyber, often assuming that jobs in cyber are narrow or
highly technical. Further, even when we have individuals that
are interested, willing, and ready to serve, there are barriers
that keep them from these opportunities, such as degree
requirements that may be unnecessary when job seekers have the
skills and experience to fill the need.
Next, demand for cyber workers exceeds the current capacity
of work force development and education systems. We need more
opportunities and pathways to train workers to be cyber-ready.
We also need educators, from K-12 to faculty with doctorates,
with the knowledge to teach cyber, and support to expand hands-
on learning opportunities on the latest technologies and
facilities. Additionally, the training and education
infrastructures that exist today need to adapt to the changing
cyber skills and demands presented by the rapidly-evolving
technological landscape.
Finally, there are not enough locally-driven ecosystems to
develop the pipeline for cyber talent. We can't meet demand
unless academia, Federal and local government, and the private
sector work together to build a pipeline for cyber workers.
Connecting individuals to training, helping them find jobs,
providing wraparound services, and more, requires leadership
and investment from a variety of local stakeholders.
This challenge is compounded by the dynamic nature of the national
security environment and the rapid acceleration of global crises, new
technologies, vulnerable software and systems, and novel threats.
Artificial intelligence (AI), quantum computing, and technologies that
have yet to be invented, will require an agile and dynamic work force
with foundational cyber skills in every industry, sector, and
occupation that can understand, leverage, develop, maintain, and
protect the next generation of advanced cyber capabilities.
The only way we can defend the digital foundation of our modern way
of life is to ensure that everyone has a pathway into a cyber-based
career and our work force is equipped with the skills to meet any
future demands. That's why ONCD is focusing on removing barriers and
broadening pathways.
national cyber workforce and education strategy development
To address these enormous challenges, ONCD undertook a
comprehensive approach to develop a national strategy that addresses
educating, training, and employing the cyber work force.
ONCD acknowledges that the Federal Government, working alone,
cannot adequately address the many challenges we face in filling
current and future cyber work roles with a skilled work force.
Consequently, in the development of the strategy, ONCD collaborated
with 34 Federal agencies, Executive Office of the President (EOP)
components, and hundreds of key external stakeholders to identify
current challenges and best practices, and grasp the true root of the
issues we are facing.
These NCWES guiding principles address the challenges mentioned
above:
First, broaden the appeal of cyber careers to more
Americans.--In order to achieve the best mission outcomes, we
need the best possible team. One of the most effective ways to
grow our supply of cyber talent is to attract people of all
ages, all demographics, and all backgrounds, especially those
that are underrepresented in the cyber work force today.
Second, focus on skills-based approaches.--We must expand
access to cyber skills training and education to all Americans.
When individuals have the skills and abilities to learn new
technologies, it creates a dynamic work force that meets the
demand of new developments and disruptions, like the rapid
expansion of artificial intelligence we are seeing today. We
must encourage the adoption of skills-based approaches to open
up pathways to good-paying jobs for Americans with the skills
to do them, regardless of how they acquire those skills.
Third, encourage ecosystem development.--The strategy aims
to encourage partnerships between public and private
stakeholders that can meet specific regional and sector-based
talent needs. For example, this includes employers
communicating with school systems, academia, and training
programs on the skills needed to fill open jobs and meet the
demand for cyber skills in the future.
To meet these cyber work force challenges, we know that the best
solutions come not solely from Washington, but from the innovative
partnerships and ideas we find in communities such as those in your
districts across the country. I have seen some of the best solutions
come from among local government, employers, school districts, higher
education institutions, and non-profits coming together to solve cyber
work force and education demands. These partnerships create pathways
for potential job candidates to consider a cyber career and connect
them with learning experiences to gain the skills to meet their
communities' needs.
coherence and cohesion in implementation
To advance and coordinate Federal Government cyber work force and
education activities, ONCD established the National Cyber Workforce
Coordination Group (NCWCG), composed of ONCD and Senior Executive
Service-level leadership from Federal agencies that supported the
development of the NCWES. The NCWCG is chaired by ONCD and oversees 3
subordinate working groups--Federal Cyber Workforce Working Group
(FCWWG), the Working Group on Cyber Workforce and Education (WG-CWE),
and the Working Group on Cyber Skills and Awareness (WG-CSA)--pursuing
the objectives in the NCWES. Each of these working groups is co-chaired
by ONCD and one or more Federal agencies.
Through these working groups, agencies are actively participating
in the implementation of the NCWES by leading initiatives and producing
deliverables that respond to the challenges facing cyber education and
work force development. This ensures that NCWES implementation
activities are coordinated and cohesive to maximize progress and the
impact of taxpayer investments.
In addition, ONCD is synchronizing its activities with the goals in
the President's Management Agenda; the directives of National Security
Memorandum 3, ``Revitalizing America's Foreign Policy and National
Security Workforce, Institutions, and Partnerships''; and ensuring that
its strategy for growing and strengthening the cyber work force is in
harmony with other Federal initiatives, including Workforce Hubs, Tech
Hubs, and Technology and Innovation Partnerships. ONCD is also
synchronizing activities in support of President Biden's Executive
Order 14119--``Scaling and Expanding the Use of Registered
Apprenticeships in Industries and the Federal Government and Promoting
Labor-Management Forums,'' and Executive Order 14110--``Safe, Secure,
and Trustworthy Development and Use of Artificial Intelligence.''
The progress we have made thus far is bringing a more unified and
collaborative approach at the national level and laying stronger
groundwork for the development of the cyber work force. By linking
cyber work force development with other work force and education
efforts, this approach is poised to yield a more diverse array of
skilled cyber professionals through consistent and focused education
and training offerings.
ncwes initial implementation progress
Over the past year, this interagency collaboration has yielded
significant progress toward investing in cyber education and work force
development to fill jobs, and consequently have more defenders to
protect our Nation's most critical systems.
Strengthening the Federal Cyber Workforce
On April 29, 2024, the national cyber director announced that the
Biden-Harris administration is modernizing the Federal hiring process,
fully embracing skills-based approaches for information technology
management positions. Aligned with broader strategic hiring objectives,
this modernization effort will include use of registered
apprenticeship programs.
The Office of Personnel Management (OPM) is leading the transition
of the Information Technology (IT) Management job series, numbered
2210, to skills-based hiring and talent development practices. The 2210
job series includes nearly 100,000 IT workers across all Federal
agencies and represents a majority of the Federal IT work force. This
effort is a critical step in removing barriers that prevent qualified
job seekers from entering the Federal cyber work force.
Furthermore, the effort extends to contractors that also play a
role in our Federal cyber work force. The Department of Energy (DOE)
recently announced an effort to pivot to a skills-based approach in IT
and cyber contracts. ONCD is also working with OMB to encourage wider
adoption of Section 39.104 of the Federal Acquisition Regulation (FAR),
which states that when acquiring information technology services,
solicitations must not describe any minimum experience or educational
requirements for contracted personnel.
To continue bringing cyber talent into the Federal Government, the
Tech to Gov Working Group (TTGWG), a workstream of the FCWWG led by
OPM, held a second Tech to Gov Job Fair on April 18, 2024. More than
1,700 attendees from all 50 States registered and met with over 100
agency representatives. Since the first Tech to Gov Job Fair about a
year ago, approximately 150 tentative job offers have been made and
more are under way. Another Tech to Gov job fair is tentatively
scheduled for the fall of 2024.
Some cyber roles require clearances, which can be a barrier to
timely hiring and can cause candidates to accept other job offers due
to clearance delays. Under the Trusted Workforce 2.0 initiative led by
the Security, Suitability, and Credentialing Performance Accountability
Council (PAC), some gains have been realized:
The average amount of time needed to complete a security
clearance background investigation has fallen from 411 to 155
days for a Top Secret clearance and from 173 to 53 days for a
Secret clearance.
In the second quarter of fiscal year 2024, over 27,000 new
hires were cleared using preliminary determinations, a practice
by which agencies clear personnel with clean records for on-
boarding based on the highest-value background checks.
The PAC is working to expand this practice by implementing
ambitious targets of 45 days for Top Secret clearances and 25 days for
Secret clearances.
Expanding and Enhancing America's Cyber Workforce
To promote cyber work force growth opportunities, ONCD continues to
hold outreach events across the country. Over the past year, events
have been held in collaboration with State and local stakeholders to
expand the cyber work force in Arizona, Florida, Georgia, Illinois,
Maryland, Michigan, Nevada, North Carolina, Ohio, Oklahoma,
Pennsylvania, Tennessee, Texas, Virginia, and Washington. These events
help amplify the Biden-Harris administration's work force growth
priorities; highlight needs, solutions, and progress in these
communities; and engage and promote cyber work force and education
ecosystems of stakeholders across all industries and sectors.
Over the course of these travels, ONCD has learned about innovative
and proven best practices from local leaders, which can be shared and
scaled to further enhance and expand the cyber work force across the
Nation. One of these practices is hands-on, work-based learning,
primarily through apprenticeships and paid internships consistent with
the Good Jobs Principles--an initiative to uplift Americans into good-
paying jobs, including cyber jobs.
To further increase access to registered apprenticeships in fields
such as cybersecurity, in 2023 the Department of Labor (DOL) awarded
approximately $108 million in grants and contracts to expand Registered
Apprenticeships in high-growth and in-demand industries. DOL also
worked with other Federal agencies to conduct a registered cyber
apprenticeship sprint and has served more than 13,000 cyber apprentices
to date. To build on this effort, earlier this year, DOL also announced
the availability of nearly $200 million in grants to continue to
support public-private partnerships that expand, diversify, and
strengthen Registered Apprenticeships in education, care, clean energy,
IT/cybersecurity, supply chain, and other in-demand industries.
Many private-sector organizations are conducting their own
voluntary initiatives in support of the NCWES. This private-sector
engagement has created a groundswell of additional commitments to
support cyber career growth opportunities in various sectors spanning
from health care to manufacturing, water and wastewater systems to K-12
education, agriculture and transportation to the Defense Industrial
Base (DIB), and more.
Investments from both public and private sectors are key to our
success. For example, the National Security Agency (NSA), through
grants to National Centers of Academic Excellence in Cybersecurity
(NCAE-C) institutions, launched Cyber Clinics in Louisiana, Minnesota,
Nevada, and Virginia. Cyber Clinics support communities and small
governments that would otherwise not have access to cyber risk
assessment and planning assistance and provide an opportunity for over
200 students to develop competencies while in a supervised learning
environment. The Cyber Clinics model has garnered private-sector
investments of over $25 million that enabled the opening of clinics at
45 more institutions.
moving forward
Though significant progress has been made, more work needs to be
done to continue to deepen and broaden our cyber talent pool to
strengthen and defend our national cyber space. To advance NCWES
implementation, we will work with our partners and stakeholders to:
Explore innovative solutions to engage the public at
different education and career levels to learn cyber skills and
consider a career in cyber.
Encourage the adoption of skills-based approaches by
employers and increase work-based learning opportunities.
Facilitate a hiring surge to fill open Federal cyber
positions by conducting cyber hiring sprints to generate job
offers and continue to support CyberCorps: Scholarship for
Service.
Seek to expand foundational cyber skills learning
opportunities and increase the capacity of K-12 systems and
higher education institutions to provide impactful
cybersecurity learning experiences.
Look into boosting participation of students and educators
in cyber scholarship programs.
Leverage the collective strength of all Federal agencies to
increase participation and promote the value of veterans,
separating service members, and military spouses in the cyber
work force.
Encourage the development of locally-driven or sector-
specific systems nationwide.
Continue to support Federal coordination of broader talent
initiatives involving tech, cyber, and AI.
The administration will strive to lead by example as we work to
expand the use of skills-based hiring and talent development for
Federal cyber positions and contracts. In addition, Federal agencies
will work with academia to expand concurrent, credit transfer and
articulation opportunities for academic credit, further integrate cyber
across academic disciplines, and increase the availability of low-cost
and no-cost cyber training and education curricula.
closing
Let me close by quoting National Cyber Director Coker on the
importance of our mission.
``We defend cyber space not because it is some distant terrain on which
we battle our adversaries. We defend cyber space because it is
interwoven into our very lives--because it underpins the critical
systems that enable us to work, live, and play--because it is a matter
of national security.''
We need more Americans to join the cyber work force so that all
Americans can benefit from the enormous potential of our interconnected
future. That's why growing and strengthening the cyber work force is a
key pillar of the President's National Cybersecurity Strategy.
The administration will continue to execute the whole-of-Nation
approach conveyed in the NCWES to drive change in the public and
private sectors through engagement and collaboration. The Federal
Government is pursuing activities to respond to the critical need for
cyber workers; encourage more Americans to consider cyber careers,
increase skills-based hiring, talent development, and education
nationwide; address barriers faced by Federal and non-Federal
stakeholders; proactively analyze and monitor the changing labor demand
for cyber skills; and continue to advance our cyber posture, national
security, economy, and society. And ONCD will continue to monitor and
report on the progress of these actions.
We are committed to working together with Congress and other
partners to connect Americans to good-paying, meaningful jobs in cyber.
Thank you for the opportunity to testify today, and I look forward
to your questions.
Mr. Garbarino. Thank you, Mr. Mo.
I'll just say the committee's not going to hold it against
you for stealing some of our cyber talent.
They did call votes like they said they would. We're--so
we're going to now take a short recess, and we'll reconvene 10
minutes after votes, which will probably be in about a half
hour or so. So we are in recess.
[Recess.]
[11:25 a.m.]
Mr. Garbarino [presiding]. The committee will come to
order.
Thank you all, for the witnesses, for waiting.
Members will now be recognized by order of seniority for
their 5 minutes of questioning. I remind everyone to please
keep their questioning to 5 minutes. An additional round of
questioning may be called after all Members have been
recognized.
I now recognize myself for 5 minutes of questions.
While we often discuss the work force gap, we overlook
those who are currently in our work force. They may not possess
the right skills to keep up with cyber threat landscape even
though they fill critical roles.
Mr. Petersen, what does it mean to be a qualified cyber
professional today?
Mr. Petersen. So we would turn to qualifications based on
our NICE Framework that identifies work to be performed and
knowledge or skills that a worker would need. As we've said
through our testimony, that can be acquired through a variety
of different ways: through education, through training, through
on-the-job experience, work-based learning experiences. So for
us, qualifications start with something like the NICE Framework
as a standard.
Then I think, second, to your point, it doesn't always have
to come externally. It could be existing workers who can be
reskilled or upskilled into cybersecurity.
Mr. Garbarino. Mr. Mo, how do we professionalize the cyber
work force while we move away from 4-year degrees?
Mr. Mo. I think that's why we want to focus on skill-based
approaches. When you think about skills, once we sort-of, like,
figure out how to map out the skills that we need, then match
it with, you know--you know, assessment on how someone have the
skills, that's how we can do it.
The reality here is that you don't need a cyber in your job
title to actually be doing cyber work these days, right. So
that's like the key point here. So as we are trying to kind-of
map out the professionalism--to professionalize the whole cyber
work force, we have to think about broadly the whole cyber--the
whole work force in itself.
Mr. Garbarino. So I have spoken to countless CISOs from
Fortune 400, Fortune 500 companies. They are all moving to
skills-based hiring, away from degree-based hiring.
So for the Federal Government, what are--what are some of
those effective pathways you've--or for skills-based training
and hiring that you've seen or explored?
Mr. Mo. Yes, I appreciate that question.
When we travel around the country, we see things like
registered apprenticeships. It's one of the models. Work-based
training is another model that we really like.
You know, again, when you take a skills-based approach, we
need a fundamental shift in thinking about, not only individual
basis but more of a creating a team with complementary skills.
So some of the successful companies, they're trying to build
teams with skills of advanced--people with advanced cyber
skills and people with early--early entry career skills. Then
you kind-of, like, map out and have a team that can do the job
and deliver on the mission.
Mr. Garbarino. So do you work with--you know, you said you
were traveling across the country, you know, working with some
of the registered apprenticeships. Has there been any work with
community colleges or technical schools----
Mr. Mo. Yes.
Mr. Garbarino [continuing]. For talent?
Mr. Mo. Absolutely. The very first visit that the National
Cyber Director did was to the Community College of Baltimore
County to, essentially, elevate cyber to make sure that people
with 2-year college degrees understand that there's a pathway
into cyber career. Then we also went to Fayetteville Technical
Community College because they kind-of have a pathway for
veterans and their spouses to get into cyber as well.
The key here, though, is it's more than just one
institution. This only works if the 2-year colleges are working
with the 4-year colleges and universities and they are also
working with the K-12 school districts locally and the
private-sector employers are involved in telling the schools what they
need, so that all of them come together to figure out how to
build the pipeline. That's the approach we're pushing here.
Mr. Garbarino. I appreciate that.
I can ask you all questions for a while, but I only have a
minute left.
I do want to focus on harmonization. Mr. Mo, at a HSGAC
hearing on regulatory harmonization earlier this month, your
colleagues stressed how harmonization requires leadership from
ONCD and Congress. Blog posts from Director Coker this month
also called for Congress to work with the administration to
help craft cyber regulatory standards. None of this
acknowledges Congress has already done this by passing CIRCIA.
I'm concerned that the White House is not pushing back
enough against duplicative regulation at odds with
Congressional intent, particularly as the SEC since introduced
its cyber incident disclosure rule which only adds to
compliance, leads to public disclosure of sensitive
information, drives talents away. I have heard people say that
their cyber teams have plenty of burnout and CISOs are leaving
because they are now possibly facing personal liability.
Why is ONC urging Congress to act on cyber harmonization
when we already have done so?
Mr. Mo. Thank you for that question, Congressman.
Harmonization is definitely a big part of what ONCD is
working on right now, but my remit in the office is
implementing the National Cyber Workforce and Education
Strategy.
I'm happy to--happy to work with you and our legislative
team to find you the right person to get the answer that you
deserve. I will take that on the record and get back to you.
Mr. Garbarino. I appreciate that.
Just repetitiveness, back to the administration, no more
cyber rules. Harmonization, please.
I now recognize the Ranking Member for 5 minutes of
questions.
Mr. Thompson. Thank you very much, Mr. Chairman.
At the outset, let me, in the Chairman's absence, express
my condolences to his family.
Let me welcome our witnesses to the hearing today. We have
Rhode Island, Michigan, had Louisiana, and myself. If my accent
doesn't give me away, I'm from Mississippi. As a top Democrat
on the committee, one of the things that we've been interested
in is not only diversifying the work force but also saying, if
you leave the beltway, you can find a lot of talented people.
We have a hundred-plus historically Black colleges in
America, some of the finest kids that I know. But you got to
recruit at their schools just like, you know, you do inside the
beltway, so to speak.
So I'd like each one of you to kind-of give me a snapshot
of what your agencies are doing to build relationships,
especially with smaller historically Black colleges across the
country, and how the Office of National Cyber Director promotes
outreach to smaller HBCUs.
We'll start with Mr. Hysen.
Mr. Hysen. Thank you, Ranking Member. I completely agree
with you on the need to expand our outreach far outside the
beltway.
We have launched programs and built recruiting partnerships
with organizations all across the country, including many HBCUs
and minority-serving institutions. That has helped populate the
ranks of the Intelligence and Cybersecurity Diversity
Fellowship Program, our Cybersecurity Internship Program, and
our entry-level cohorts in the Cyber Talent Management System
with a wide range of individuals.
I'll also add that we can't just focus on bringing talent
from around the country into the District of Columbia. We have
to meet talent where they are. Not everyone wants to work in
the National Capital region. We have stood up offices in other
areas, including one in Mississippi where we have our legacy
data center. But as we have moved to the cloud, we have focused
on expanding our cybersecurity hiring out of that center in
Stennis, Mississippi. Have another one in Arizona as well and
are looking to build on that effort.
Mr. Thompson. Thank you.
Ms. Beavers.
Ms. Beavers. Thank you, Ranking Member.
Department of Defense has over 450 schools as part of our
national cybersecurity academic excellence program. They are
primarily State schools, and we have expanded that into
including the 2-year nondegree programs--the 2-year degree
programs, I should say, as well as a number of scholarships
that we have been promoting to bring in nontraditional work
force.
We also have a pilot under way that is promising. It's a
little early to report too much detail, but we started with
about 50,000 nontraditional cyber potential employees. Got that
curated down to about 6,000 that were qualified and interested.
The most exciting part is this was from populations that had
not been part of the DOD pipeline before.
So there is work to be done, but we have been very
aggressive in expanding our recruiting over the years and
building out that academic cooperation, to include the recent
stand-up of our Cyber Academic Engagement Office that I just
signed last month per the NDAA from 2024.
So we will be having more information on this in the
future, and I can take for the record to bring back specific
numbers if that is what you're looking for.
Mr. Thompson. Mr. Petersen.
Mr. Petersen. Yes, thank you for that question.
So at NIST we have a Summer Undergraduate Research
Fellowship program, called SURF, and I'm pleased to report that
one of those SURF students is with me today from Hampton
University, an HBCU. It's one of many ways that we actively
recruit and try to involve students from minority-serving
institutions.
We also have a program called Professional Research
Experience Program, or PREP, and that is a grant program with
several different institutions, including MSIs. I, again,
currently have a couple students working with us from Morgan
State University that are Ph.D. students.
Then, finally, because of our commitment to diversity and
inclusion and the very question that you asked, this fall in
October as part of Cybersecurity Awareness Month, our
Cybersecurity Career Week will be doing an event targeted
particularly at HBCUs to make sure those students are
career-ready, and faculty and advisors are available to support them.
Mr. Thompson. Thank you.
Mr. Mo.
Mr. Mo. Real quick is that, for us, is that we're trying to
remove barriers and broadening pathways, which means we have to
meet people where they're at. So we've been to Norfolk
University, which is an HBCU in Virginia, and then we invited
about 10 to 12 HBCUs to learn about how to become and get
designation for this NCAE program.
On top of that, we are also leaning heavily with our
ecosystem stakeholder partners. Those are the ones who engage
with the 450 NCAE schools, the 104 SF--Scholarship for Service
schools who would actually get the students be interested in
cyber, and some of those commitments are about getting hands-on
experience and learning to those students in those
minority-serving institutions.
Last week, National Cyber Director was just in Tulsa, and a
few weeks before we were in Tucson at Piedmont Community
College.
Mr. Thompson. Thank you very much.
Mr. Chair, I ask unanimous consent to submit into the
record a statement from the International Federation of
Professional and Technical Engineers on AI and work force.
Mr. Garbarino. Without objection.
[The information follows:]
Statement of the International Federation of Professional and Technical
Engineers (IFPTE)
Wednesday, May 22, 2024
The International Federation of Professional and Technical
Engineers (or IFPTE) represents 90,000 professional employees in the
private sector, and public sector, including NASA, the Boeing Company,
Navy shipyards, the Army Corps of Engineers, the Social Security
Administration, the Tennessee Valley Authority, and Pacific Gas and
Electric. We thank Chairman Green and Ranking Member Thompson for the
opportunity to submit a statement for the record.
Many of our members are STEM workers, some of whom work directly
with Artificial Intelligence and data science, develop and deploy AI
technologies, manage cybersecurity in their organizations, and utilize
tools and work processes that involve AI. Many more of our members are
professionals whose job is to design, engineer, research, maintain, and
innovate. Our members working in Federal, State, and local government
agencies provide essential public services, support critical
infrastructure operations, and contribute to homeland security and
national defense.
Our Members are keenly interested in tools and technologies that
improve their productivity and the work they do. Like many Americans,
our members are also deeply concerned about the risks and uncertainty
that evolutionary AI technologies will bring. AI has the potential to
replace human discretion in decision making with algorithmic decision
making in instances that introduce new and significant risks to
national security and the rights of Americans. As AI technologies
proliferate in the critical infrastructure and national security realm,
law makers and policy makers need to prioritize the public interest and
make sure that Americans' rights and national security are prioritized
in the development of AI over the profit-making priorities of the
private sector. Congress and the Executive branch should also ensure
that the Federal procurement process for AI services and technologies
does not result in the commodification of public data, the
privatization of inherently Governmental duties and functions, or the
loss of Federal oversight of contracted services.
IFPTE strongly supports a worker-centered approach to AI research,
development, and deployment. Where workers are represented by unions,
employers should be engaging with those workers, through collective
bargaining and through labor-management partnerships to make sure these
technologies are solving problems, not creating new risks,
inefficiencies, and vulnerabilities. Involving the front-line work
force in decisions on designing and deploying technology, whether it's
AI technology or other automated decision making that impacts how work
is done, so we can ensure the solutions address actual problems,
provide real remedies, and are implemented in a manner that accounts
for risks, protects the public interest, and helps verify that
technology and tools are working as intended. Workers can help
determine the validity of data and whether the veracity of data is
suitable for AI applications.
For example, IFPTE members who operate locks and dams under the
Army Corps of Engineers are urging caution as the Corps of Engineers
begins to implement remote off-site operations of these critical
infrastructures and reduce or eliminate on-site operators who are the
eyes and ears on the inland waterways. Front-line Federal workers
operating and maintaining locks and dams and the vessel operators using
the inland waterways understand that removing on-site personnel and
human decision makers creates numerous risks for the continuity of
command over this national transportation asset. Remotely operating the
navigational lock and dams would leave this national transportation
asset vulnerable to cyber intrusions, physical security threats,
breakdowns, or failures that would otherwise be addressed by trained
on-site operators. Lack of on-site human operators could imperil the
transportation of critical supply chains, including wheat and grain,
energy products, and other major commodities, as well as material to
support our armed forces. While modernization of these critical
infrastructures can improve safety and reliability, these dynamic and
unpredictable environments require communication, human judgment, and
situational awareness and cannot be reduced to algorithmic models,
remote sensors, and automated controls.
When it comes to creating guardrails for innovative and
breakthrough technologies, legislators and policy makers must not be
guided by the notion that technology can replace workers. The risk of
displacing or subordinating human discretion to analytic modeling in a
crisis can lead to the loss of knowledge and understanding of critical
systems and processes, flawed failure analysis and incorrect
assumptions, and disastrous consequences for critical infrastructure.
If implemented with transparency and accountability, with well-defined
and enforced civil rights protections and safety standards, with good
governance and the public interest in mind, and with worker
engagement--AI has the potential to provide valuable tools for how
Americans will work.
America's AI policy needs a clear policy goal that puts worker
engagement and bargaining over AI before implementation and ideally,
before design. Workers can bring their intimate familiarity with work
processes into the AI design process to reduce risks, catch problems
upstream where they can be addressed, and produce better outcomes.
Workers can also help pinpoint instances where human judgment and
situational awareness should not be displaced by algorithmic models,
and where AI-driven automated decision making might miss information,
creating security risks or threatening civil rights. Our Nation's AI
policy should commit to investing in training workers to understand how
to responsibly use AI and make sure that workers and authorities
responsible for providing oversight of AI are empowered to do so.
Mr. Thompson. I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Alabama, Mr. Strong, for
5 minutes of questioning.
Mr. Strong. Thank you, Mr. Chairman.
Ms. Beavers, as you know, employers in defense industrial
base prefer applicants with experience and a security
clearance. The Cyber Force Incubator program at the University
of Alabama in Huntsville recruits hundreds of students per
year, nominates the students for security clearances, and
places the students into internships on Redstone Arsenal and
within the defense industrial base.
Ms. Beavers, how does your office leverage university-based
work force development programs like this one at UAH?
Ms. Beavers. So we partner very closely with organizations
to bring in students into our scholarship programs, as well as
internships. Through our Cyber Academic Engagement Office, we
will be expanding that partnership to make better use of the
opportunities out there with education to bring our supply side
even all the way back into the K-12 and grow the cyber talent
starting earlier.
So it has been a work in progress for a number of years for
the Department of Defense to partner with various academic
institutions. It is primarily through our academic engagement
program--or excuse me--our scholarships and our National
Centers for Academic Excellence.
So we're looking forward to really building out our
academic engagement, because we think of the--the defense
industrial base is a great feeder for capabilities into the
Department of Defense. We need a similar type of very robust
feeder to bring talent into the Department of Defense from the
cybersecurity perspective as well.
Mr. Strong. I'd agree with you 100 percent. We actually
have a State-wide cyber high school in Huntsville, Alabama,
that's been very successful. Then if you go back just to the
local schools there, having science and starting at the high
schools and doing internships has proven very beneficial to our
industrial base.
Mr. Petersen, I understand that the National Institute of
Standards and Technology's National Cybersecurity Center of
Excellence has a requirement to develop guidance related to the
cybersecurity and privacy of genomic data. Universities and
other technical organizations, including my district, are
meaningfully contributing to the NIST's program progress in
establishing the standards and best practices for cyber
protection and genomic data.
With the increasing demand for cybersecurity work force
across the Nation, would this effort be expanded to include the
involvement of more students?
Mr. Petersen. Thank you for that question. I should add
that I'm also the interim chief of the Applied Cybersecurity
Division, which includes that NCCoE facility.
Mr. Strong. Great.
Mr. Petersen. I know the director of the NCCoE as well;
Cheri Pascoe's relatively new. Because of our partnership and
relationship, we've certainly talked about more academic
engagement with the center, both faculty and students as well.
We have a pretty robust set of summer interns there this
summer and plans to work throughout the year. MITRE is the
FFRDC for the center. They, likewise, have a number of
students. So we'd be happy to explore that with you as well,
and have personally spent a lot of time in Huntsville
recognizing the excellent work that's happening in that
community.
Mr. Strong. Thank you.
My family recently moved there 8 generations ago and has
never left. As you know, Huntsville is the tip of the spear. We
want to be sure that we get the right folks working in the
environment, and cybersecurity is a critical situation. We also
have the cyber piece of the FBI currently under construction in
Huntsville, where we'll be adding another 2,500 jobs that will
do nothing but make Huntsville even stronger.
Mr. Chairman, I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Louisiana, a Member of
my--the Subcommittee on Cyber, Mr. Carter.
Mr. Carter. Thank you, Mr. Chairman.
[Inaudible] face significant shortages in trained
personnel. Given this, it's clear that none of our protective
systems, whether standards, technologies, or regulations, can
be effective without well-trained work force.
Isn't it imperative to address this critical gap? Can you
tell us measures that you're taking, particularly with HBCUs
across the country, junior colleges, and community colleges
that have a plethora of individuals that may or may not be
aware of the opportunities in cyber space?
Mr. Hysen.
Mr. Hysen. Thank you, Congressman.
We are actively focused both on training and developing our
existing work force, as well as building and strengthening
partnerships with academic institutions, including HBCUs.
We also know that it starts earlier than entering college,
that we are, through CISA building partnerships, to support
K-12 curricula for cyber education across the country, and have
trained thousands of educators this year to date there as well.
As we are partnering with academic institutions, we've been
focused on expanding our entry-level pathways, knowing that it
is more important to bring in talent that is committed to
growing and learning and then building out robust training
programs through the IT academy that we are establishing at DHS
to rotate entry-level talent throughout the Department, give
them those experiences and new skills to help them become
productive members of our work force.
Mr. Carter. Thank you.
If everyone could just hit it real quickly, we've got a
little bit of time, but I'd like to just hear if you have
something to add. That's fine if you don't.
Mr. Mo. I'll go. So ONCD is working on increasing the
number of HBCU to get the designation for a National Cyber
Center of Excellence in Cybersecurity. So we're doing that in
partnership with the White House Initiative on HBCUs. So what
we're doing is we're trying to share some of the information
with the HBCU administrators so that they know how to kind-of
get that designation.
Mr. Carter. Do we actively have recruiting job fairs on
college campuses across the country to encourage young people?
A hundred years ago when I was in undergraduate school, I
remember there was always some type of job fair going on,
whether it was the FBI or whatever. Different agencies would
come in and meet with juniors and seniors to encourage them to
potentially----
Mr. Mo. We absolutely do, and I will absolutely defer to my
colleagues here on some of the examples of what we are doing.
But the key here is that most people, when they see the word
``cyber,'' they just don't see themselves doing those jobs,
right. So a----
Mr. Carter. But it's weird, because our children--I know my
kids can put a computer together and take it apart and do all
kinds of programming, but somehow that still has a little bit
of fear associated with it. But we know that kids are super
bright, particularly when it comes to technology.
Mr. Mo. Which is why it's even more important to--you know,
a hearing like today elevates the cyber career and jobs, right.
So I think it's up to all of us to be able to go to each and
every single individual, even talk to some of the parents about
this type of opportunities for them.
Mr. Carter. Ms. Beavers, how are candidates for State and
local offices utilizing AI tools to enhance their campaigns
despite concerns from experts and lawmakers about potential
generative AI attacks on elections? Equally as important is,
how are we combatting against the nefarious actors who are
using AI to portray something that isn't real in the way of
someone's likeness or voice?
Ms. Beavers. Congressman, I'd like to defer to my
distinguished colleague, Mr. Hysen.
Mr. Carter. Certainly.
Mr. Hysen. I'm happy to take that, sir.
Mr. Carter. Yes, sir.
Mr. Hysen. So, Congressman, I agree with your concerns on
generative AI and elections. It's an area that CISA is working
on actively with State and local election administrators. We
need to better train our election administrators on how to
reach out to their electorates. We are--we provide no-cost
training to thousands of State and local election
administrators across the country.
Overall, generative AI today I look at as a problem of
scale. There--video and voice impersonation was possible before
generative AI. It is just easier and faster with the tools that
are available.
One of the areas that I think is particularly promising is
looking at content authenticity and making sure that, as
Government officials, as candidates, we can label the
information we are putting out as authentic to make sure that
it's more difficult to impersonate.
Mr. Carter. Thank you. My time has expired.
Thank you, sir.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Texas, Mr. Pfluger, for
5 minutes.
Mr. Pfluger. Thank you, Mr. Chairman.
I appreciate the witnesses for being here and talking about
this issue.
I represent Angelo State University. It's a cyber center of
excellence. They've taken steps, in partnership with NSA and
other Government agencies, to start developing the work force
in a way.
Here's why this is important to me. When we think about the
areas that provide that type of work force, I think one of the
big areas that is really missing is rural America. That's why
I'm passionate about what president Ronnie Hawkins is doing,
former retired three-star general from the Air Force, led DOD
in its effort to transform the cyber side of our warfighting
domain.
I'd like to hear, really from each of you, how can a school
like Angelo State, a rural-serving institution with 12- to
14,000 students throughout the entirety of its programs, how
can they be successful and what do they--what's the advice or
what's the vector that they need to go and other institutions
like them, to provide this work force for our country?
We'll just start and go down the line.
Mr. Hysen. Absolutely. Thank you, Congressman. I strongly
agree on the importance of building relationships with rural
communities and pathways into public service.
Participating in the NSA Centers for Academic Excellence in
Cybersecurity is a great start. We're a proud partner with the
NSA on that program.
I would also say, for any training institution right now,
recognizing the pace of new developments in this field and
ensuring that we are training our work force not on any one
specific technology that may be out of date very quickly, but
on how to stay current, how to leverage increased automated and
AI-based systems, and how to really stay on top of new and
emerging threats is the most important thing these
organizations can be doing.
Mr. Pfluger. Thank you.
Ms. Beavers.
Ms. Beavers. So the--I think leveraging the great work
that's being done on the cyber work force frameworks that have
been built that actually identify the qualifications and the
skills, and then also exploring opportunities for outreach and
fun events that the DOD sponsors, like hackathons and things
like that, to really increase the--the student body's
excitement about getting involved. So I think--and encouraging
internships would be my recommendation.
Mr. Pfluger. Which I know that they have focused on that.
By the way, they're a minority-serving institution, mostly
Hispanic population that comes from our area in West Texas, and
they really are proud of that work, because they're sending
good young men and women into the work force.
Mr. Petersen.
Mr. Petersen. Yes. So I'm a product of rural America, so I
have a soft spot for what it means. I would just add to the
discussion about community colleges, most community colleges
are in rural areas or serving rural populations as well.
In addition to the focus of this hearing on the demand, the
500,000 cybersecurity workers, there are a lot of other
demographics that are working against us, like declining birth
rates and, you know, the aging of Americans and then the like.
So we've run a series of webinars this year really focusing on
underserved and underrepresented populations, starting with
rural America. Because there's lots of universities--we had the
chancellor of the University of North Dakota system speaking
about what they're doing across their vast State that is very
rural, and a lot of Tribal organizations as well.
But specifically to the point, I think there's also a
statistic about people tend to stay where they go to college or
where they grow up. So the pandemic has opened up opportunities
for remote work and telework and more flexible opportunities
where they may be able to stay in their rural community but
work, you know, for a company or a Government organization
across the country. So I think part of the challenge and
opportunity is to open up also more of those remote
opportunities that maybe previously didn't exist.
Mr. Pfluger. That's a great point. Something that we're
also working on, which is extending broadband and access to
these communities, and there are several committees doing that.
We'll leave you the last word.
Mr. Mo. Well, I actually met Charlotte from Angelo State.
She invited me to join the Mayor's Cup----
Mr. Pfluger. That's fantastic.
Mr. Mo [continuing]. In San Angelo. I would say I was one
of the people who sent her congratulation in an email when the
program got a CA designation. The key thing here is that we
need to start elevating people's work.
A lot of people are doing good work. I think the role of
ONCD in the White House is to elevate some of this work so that
we can plug them into the ecosystem that they need, right. It's
not about just one institution. I don't want folks at Angelo
State to think that they are the only one that has to do it all
on their own. Want to plug them into the ecosystem, get
private-sector employers involved, get the State and local
government involved so we can all do this together.
Mr. Pfluger. That's a great point. I hope that if you have
not made contact with President Hawkins at Angelo State, that
you will, because they are doing an amazing job. They're not
the only ones, but they also have an Air Force base there,
Goodfellow Air Force Base, that does intelligence, and a lot of
that intelligence has to do with the issues that you're talking
about.
I know my time has expired. Thank you, Mr. Chairman.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Michigan, Mr. Thanedar,
for 5 minutes of questions.
Mr. Thanedar. Thank you, Chairman and Ranking Member, for
this important hearing. Thank you for witnesses.
Mr. Hysen, you mentioned about 2,000 or so cybersecurity
positions being opened. How many independent contractors does
the Department currently hire?
Mr. Hysen. Congressman, I don't have an exact number, but
it would be, certainly in our IT contractors number, in the
many thousands.
Mr. Thanedar. On an average, what is their compensation?
Mr. Hysen. We compensate our contractors for services, not
individuals. In some cases, though, individual IT and
cybersecurity personnel can make more working on a contract, in
some cases they are making more in Government.
Mr. Thanedar. So any attempt made to recruit these
independent contractors on a long-term employment basis in
public service?
Mr. Hysen. It's a great point and something we're actively
focused on. We're leveraging the cyber talent management system
to look at areas where we need more Federal technology
expertise in our work force. We've done that with our network
operations and security center where we have been rebalancing
what was predominantly a very contract-heavy work force and are
now adding in additional levels through these new hiring
authorities of Federal personnel. It's something we're looking
to expand.
Mr. Thanedar. OK. Now, I understand United States has a
shortage of cybersecurity experts. Is that the case with other
countries, especially--what do we know about China? Are they
hurting for cybersecurity experts like United States is?
Mr. Hysen. I can't speak to that in particular. I will say,
in my conversations with our allies and my peers in those
countries, they have similar challenges. But we also, through
DHS, are looking at expa---and committed to expanding pathways
to high-skilled immigration so that we can continue to attract
the best and the brightest around the world to our country.
Mr. Thanedar. Yes, I want to pick up on that high-skilled
immigration a little bit, because looks like a lot of good
programs have been initiated by--and certainly we must provide
these trainings to, you know, candidates in the United States
domestically, to train and develop these skills, encourage
Americans to enter into these jobs.
But while we do that, is there any interest in either
special visa programs, immigration programs to encourage
expertise that is available across the world?
Mr. Hysen. Absolutely, Congressman. I'll give one
particular example with artificial intelligence. In his
Executive Order, President Biden directed the Department to
take a number of steps to streamline our high-skilled
immigration pathways to attract the best in AI and related
fields. U.S. Citizenship and Immigration Services has completed
or is on track for all six of the taskings they were given in
that Executive Order. That includes simplifying and
streamlining our processes, as well as publishing standard
information to make it easier for AI talent around the world to
understand pathways into the United States.
Mr. Thanedar. Currently, our immigration system is so--so
broken, many skilled work force--and I have spoken with many
CEOs of technology companies, and their frustration is that it
takes forever through the country quotas and the long lines
that getting the skilled work force to get the right visa,
whether it is a H-1B visas or their green card, this process is
taking years, if not decades, and that's hampering our ability
to hire talent.
What can be done to streamline some of this broken
immigration system?
Mr. Hysen. I completely agree. Fundamentally, we at the
Department look forward to continuing to work with Congress
where, ultimately, we need to see many of these reforms.
We are doing everything we can to streamline processing
within the bounds of current law. With H-1Bs, for example, this
year for this H-1B cycle, we launched new technologies and a
new on-line process that makes it easier and faster for
companies and individuals to apply for those visas and for us
to process them. So we're doing everything that we can within
the confines of law.
Mr. Thanedar. Thank you so much. I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Mississippi, Mr. Ezell,
for 5 minutes of questioning.
Mr. Ezell. Thank you, Mr. Chairman. Thank you for holding
this very important meeting, and thank you all for being here
today.
My district is home to several community colleges and
higher education institutions that are leading the charge and
bringing students into the cyber work force. Mississippi Gulf
Coast Community College hosts the Mississippi Cyber Initiative,
which is a group of public and private organizations that
support over 15 law enforcement agencies and Keesler Air Force
Base cyber-related activities. I think we can learn a lot from
these similar programs, and I know there's been some discussion
about that today.
Mr. Petersen, despite these programs and similar programs
that you mention in your testimony, we're still facing a severe
shortage of cyber workers. With the current programs in place,
do you have any estimate how long it's going to take to fill
500,000? I know that's a big question. Any idea how long it's
going to take for us to fill that gap?
Mr. Petersen. So, unfortunately, I don't have the crystal
ball to tell you how long. I think sometimes the answer is not
how long or how many, but what are enterprises doing to
manage their risk.
That's something certainly NIST is very committed to, to
giving cybersecurity and privacy risk management frameworks
that allow organizations to take the combination of technology
processes and people to minimize their risk. I think the
numbers, in and of themselves, don't really indicate the
activity that's happening at the organizations or how new and
emerging technologies may help to fill that gap.
So the estimate is really not in time but really in focus
on what's going to minimize the risk of an enterprise.
Mr. Ezell. Thank you.
I'd kind-of like to focus a little more on our national
security implications. Even though cybersecurity jobs are well-
paid and offer high levels of job security, I think the lack of
public awareness plays a role in our current work force
shortage.
Mr. Petersen, what can Congress and institutions like this
one in my district do to enhance public awareness, encourage
students to see cybersecurity as a vital role in defending our
country?
Mr. Petersen. Well, Congressman, I'm pleased to say I
actually visited Gulfport Community College last year, and they
were hosting an event, along with the Department of Commerce
and the Department of Education, on raising the bar. What was
impressive to me is how they brought together the stakeholders,
not only locally, but across the State and across the region,
to really focus on the opportunities that exist, not only at
community colleges, but in local communities, to help
individuals who are, quite frankly, below the poverty level,
have a career and opportunity in cybersecurity.
Some of the stories I shared at the beginning are just one
of the many ways that individuals can come into a cybersecurity
career thanks to the efforts of community colleges like the one
in your district.
Mr. Ezell. Yes. We've really worked hard to try to get that
off the ground and keep people interested, you know.
So, Ms. Beavers, with the current gap, I imagine that the
Department of Defense, DOD, has to hire independent
contractors.
Do you have any idea how many independent contractors DOD
has hired to alleviate the gap, and how much do they get paid?
Ms. Beavers. Congressman, we have in the neighborhood of
about 60,000 contractors within our cyber work force within the
Department of Defense. Like my distinguished colleague
mentioned, it's under a contract.
Mr. Ezell. Right.
Ms. Beavers. So I would have to get back to you for average
income.
Mr. Ezell. Sure. I understand that. But, you know, I know
we could save some money if we could get regular folks hired,
working full-time doing that and, you know, let's all try to do
our part. I want to do everything I can to support you. You
know, being my background in law enforcement is working in
partnership with the community colleges, and the military is
just very important to us.
With that, Mr. Chairman, I yield back. Thank you.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Rhode Island, Mr.
Magaziner, for 5 minutes of questioning.
Mr. Magaziner. Thank you, Chairman. Thank you to our
witnesses.
A robust cybersecurity work force is vitally important to
our national security, our homeland security, and our economic
security as well. Because, of course, in the private sector,
billions and billions of dollars are stolen a year from average
Americans because of cyber breaches to private companies as
well as to Government agencies.
Cyber is also an opportunity to provide good-paying jobs
for young people in a very promising and growing field.
Cybersecurity jobs pay well, they're available, there are job
openings all across the country, and we have to train the work
force to meet that need.
Before I go any further, I just want to recognize my
predecessor, former Congressman Jim Langevin, for his work on
this committee, a long-time champion of cybersecurity, and
continues to do that cybersecurity work now in the private
sector, including in his leadership at the Rhode Island College
Institute for Cybersecurity and Emerging Technologies, which is
a really exciting hub that we are building in Rhode Island
under Jim's leadership, to do our part to meet these emerging
work force needs.
So for young people who are interested in cybersecurity, we
have to promote pathways into careers, we have to provide
educational opportunities at the K-12 level, at colleges and
universities, and also alternative credentialing programs as
well. We need to grow the pipeline of cyber workers for the
Federal Government and the private sector as well.
Let me start with Mr. Mo. Can you speak specifically to the
K-12 arena and what we as a Congress can be doing and should be
doing to better support school districts, particularly in
underresourced communities who may be interested in creating
pathways and curricula to get young people introduced to
cybersecurity at an early age?
Mr. Mo. I appreciate that question. Thank you so much.
One of the things that we push for in the strategy is to
make sure that we are teaching cyber concepts earlier in one's
education. In middle school, when they're exploring career and
whatnot, we want them to be able to know that cyber is a
pathway.
So there are a couple of programs I would just pay--you
know, bring it up. It's CTE CyberNet. It's one way that we are
teaching educators so that they can teach students about the
cyber skills. We also have GenCyber camps that, you know, NSA
and others have run.
Then the other thing is because we--you know, K-12
education policy is generally run out of State governments, we
have been partnering with private sector and various
organizations to make sure that we're pushing some of those
cyber education. There are commitments to gamified cyber, for
example, to make sure that kids play some gamified games. There
are also commitments to teach more cyber skills to girls and
kids in K-12.
So those are how we are going about it in terms of making
sure that we're bringing some of the cyber stuff along in the
K-12 arena.
Mr. Magaziner. Terrific.
Mr. Petersen, as has been discussed already, good jobs in
cybersecurity don't necessarily require a 4-year degree, but
they do require training. Can you speak specifically about the
role of community colleges and what we could be doing to better
support cybersecurity programs at those institutions?
Mr. Petersen. Yes. Earlier a question was asked about what
are we doing to support community colleges, and I'm really
pleased and proud that the National Science Foundation has
regularly invested in a national center, currently is the
National Cybersecurity Training and Education program run out
of Whatcom Community College. They're a national resource to
community colleges. They convene them, they prepare them, they
actually mentor them to become national centers of academic
excellence as well.
So we need to raise and elevate the importance of community
colleges, not only because of their accessibility, but, quite
frankly, they are very skills-focused. They're hands-on,
they're performance-based. A lot of students can leave those
programs either with a degree or a certificate or some type of
credential and go directly into the work force. Many of them go
on to a 4-year school.
But the 2-year colleges play an absolutely essential role
in helping address the work force shortage we're talking about
today.
Mr. Magaziner. Thank you.
Finally, you know, we're the Homeland Security Committee,
and the Department of Homeland Security has the need to attract
cybersecurity talent as well. I'd just flag, I love, you know,
the bipartisanship that's been exhibited in this hearing. I
think we are all concerned about the need to attract and retain
cyber talent.
I will flag that in the Homeland Security appropriations
bill that we are going to be considering on the floor later
today, my colleagues across the aisle are proposing a $2
million cut to Mr. Hysen's office relative to last year and $6
million below the administration's recommended amount. So I'd
just suggest that perhaps we revisit that. This is a time to be
doubling down on these recruitment efforts.
Mr. Hysen, if you can just talk about what you need in
order to be able to recruit cyber talent to DHS.
Mr. Hysen. Thank you, Congressman. The President's budget
for fiscal year 2025 does include those investments in my
office and across DHS.
There is some specific funding we've requested there in
artificial intelligence to help us build out our core
capabilities to train our work force to be ready for AI and to
leverage and bring AI expertise into the Department for
cybersecurity and other purposes.
Mr. Magaziner. So perhaps we can all work together to try
to plus-up that funding as we go through the appropriations
process.
I'll yield back. Thank you, Chairman.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Louisiana, Mr. Higgins,
for 5 minutes of questions.
Mr. Higgins. Thank you, Mr. Chairman.
Mr. Petersen, according to your background, sir, you are
our education specialist here. We are clearly facing a
challenge in filling the roles that our Nation needs in
cybersecurity and the cyber tech performance realm. The work
force challenges across every industry are quite significant,
including health care and manufacturing. I mean, we can't get
enough welders. So it should be no surprise in a Nation
that's--that is noted for its work ethic, if we can't get
enough welders, we're probably going to have problems getting
enough cyber workers.
Are you familiar with the terms being called the
disconnected youth or the disconnected generation? For the
benefit of Americans tuning in, we're talking about an
alarmingly large percentage of what's referred to as Gen Z that
is neither working, nor in school. Traditionally, historically,
that was the deal. As you became a young adult American, you
went to work or you went to school; some cases did both.
So if this is the generation that--that's the demographic
that we would seek to fill cyber positions from, and if that
generation of Americans is not interested in working or going
to school, how are we going to pull them into training? Do you
have some insight into that? Then I have a follow-up question
for you, sir.
Mr. Petersen. Thank you for the question.
I am very familiar with that demographic, also known as
opportunity youth. They're 18- to 25-year-olds who, as you
said, either didn't complete their education or are currently
unemployed. I think that is one of many populations that we
consider underserved or underrepresented that we need to target
and lift up.
You know, this is not a problem that's solved just by, you
know, getting rid of 4-year degrees. We need people with 2-year
degrees, 4-year degrees. But we also need to address the needs
of that population you described who need mentoring, they need
opportunities. Registered apprenticeships, as we've already
talked about, may be a great foot in the door for them to get
some workplace experience and have a job opportunity.
But that is a very much critical population, not only for
cybersecurity, but for other skilled trades that we need across
the country, to make sure we're helping support those
individuals.
Mr. Higgins. So with your background in education and your
position with the National Initiative for Cybersecurity
Education, what would you recommend to Congress, sir, and to
this committee, how could the Legislative branch use Article I
authorities to--to work with our sovereign States and our
educational institutions at every level, certificate and
collegiate level, educational opportunities for this generation
of Americans that we're going to have to rely upon to get
engaged in the cyber work force? What would you recommend?
Mr. Petersen. Yes. So I would start with think locally. You
authorize NIST to give these grants called Regional Alliances
and Multistakeholder Partnerships to stimulate cybersecurity
education and work force development in your communities. We
gave out 18 grants this past year. We're about to announce 15
more community grants.
Mr. Higgins. Say that again, please, sir. You gave out
what?
Mr. Petersen. Eighteen grants this past fiscal year, and
we're about to announce 15 more based on an appropriation from
the Congress.
But this really brings local communities together, local
schools, local community colleges, universities, training
organizations, nonprofits, economic development organizations,
even individuals like yourself, to make sure you're addressing
the needs of local employers in your locality or region.
So a lot of what we're talking about is at the national
level, which is great resources, but where the rubber really
meets the road is in your districts and your communities. That
grant program, much like the ecosystem work that's described in
the National Cyber Workforce and Education Strategy, is about
strengthening local ecosystems.
Mr. Higgins. Thank you, sir, for your very insightful
answer.
I concur, Mr. Chairman. We have to work at the sovereign
State and local level within the States to address the cyber
work force challenge. Thank you, sir.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from Maryland, Mr. Ivey, for
5 minutes of questions.
Mr. Ivey. Thank you, Mr. Chairman.
Let me pick up where you just left off, Mr. Petersen. My
district is Prince George's County, sort-of the inner part. I'm
between D.C. and Steny Hoyer. It goes all the way up to--I call
it the research triangle area, where you have the University of
Maryland, we've got NASA at one corner, we've got the
Agricultural Research Center, we've got NOAA there. Just a few
miles up from that triangle area, there's NSA Fort Meade and
FDA. Naval Academy also is huge on cyber.
So, you know, the regional grants piece that you just
mentioned, I was wondering if that's something that is
available in my immediate area. If so, tell me about it.
Mr. Petersen. Yes. So as I said, we recently funded 18.
We're in the process of merit reviewing applications for 15
additional awards. This is money appropriated by Congress that
may be available for additional grants in the future.
So that is absolutely one opportunity that could be
available to your constituents.
Mr. Ivey. All right. This would be an application piece
that's going to be coming in the near future?
Mr. Petersen. Yes. A notice of funding opportunity that
would be publicly announced.
Mr. Ivey. What's the time line, roughly, for when the next
15 are going to be coming available?
Mr. Petersen. Well, the current 15, the deadline occurred
in May. So we're currently reviewing and will award those later
this summer or late fall. Whether there's future awards is
dependent on appropriations.
Mr. Ivey. All right. Mr. Mo, I wanted to follow up with
you. I think Mr. Magaziner asked you about teaching, what cyber
skills are being taught. You mentioned that they are--you want
to make sure that they're available. I'm looking at sort-of
the--I was going to say K-12, but it's probably more
realistically middle school and high school.
What specific cyber skills are we talking about that public
schools should be making available, say, at the high-school
level?
Mr. Mo. What we are pushing--thank you so much for the
question. What we are pushing in the strategy is the idea of
the foundational cyber skills. So it's not a skill on a
particular technology. It's about a skill in which you know how
to use technology. You can put your skills from one technology
to another. It's about things like pattern recognition,
understanding abstraction, as well as problem solving.
The reason why we're pushing for those foundational skills
in K-12 and middle school is because, once you have those
skills, you can use those skills to learn other technical
skills, right. So I've seen school districts that actually go
the route of certifications, I've seen school districts that go
the route of hands-on learning on some of those curriculum that
we have on-line.
But for us to be able to future-proof our work force and
make sure that we build a dynamic work force, that can use any
sort of technology in the future, we need to push foundational
cyber skills.
Mr. Ivey. All right. So those would be coming through--just
to really try and narrow this down--math and science classes
that are offered?
Mr. Mo. Career--yes. Math, science, career technical
education curriculum sometimes, depending on the pathways of
the schools locally. So those are where those skills are
generally taught.
Mr. Ivey. OK. Are there particular programs that are
available, maybe not in my district, but anywhere in the
country where they actually are--they were put together with
this in mind, to prepare students to be able to go into this
line of work and develop these specific skills?
Mr. Mo. Right now, a lot of those are done through like--
you know, CTE CyberNet has a way to kind-of teach some of those
cyber skills, and they--by the time they get to the student,
it's about, like, problem-solving with technology or something
like that.
Mr. Ivey. The CTE, is that available at the high school
level, or is that the----
Mr. Mo. Middle school and high school level.
Mr. Ivey. Middle school, OK.
Then I did have a question about the contractors' piece.
Because I think somebody said there are 60,000 contractors. Is
that you, Ms. Beavers?
Ms. Beavers. Yes, Congressman.
Mr. Ivey. OK. So I'm looking at a document here--this is
put out by the State of Maryland--that says that cybersecurity
and information security jobs do not yet have a defined
standard industrial classification number.
I wanted to know if that is the case for the Federal
Government or not.
Ms. Beavers. So the Department of Defense has been on this
journey for nearly 15 years now to actually categorize and
classify----
Mr. Ivey. I've got 40 seconds.
Ms. Beavers. So I will have to take that for the record. I
think that our best estimate----
Mr. Ivey. OK. Let me tell you why I'm asking. In part,
because I want to make sure that, from a contracting
standpoint, we want diversity about students and the like who
are--get a chance to obtain these skills. Also want to make
sure there's diversity with the opportunity to get the
contracts.
So if you have the codes in place, that's one of the ways
that the Government monitors and can track how the contracts
are being made available and whether they're being done in a
diverse way or not.
So if you can get back to me, if you can give me a written
response on that, and if you can give me a general sense too
of--you're with DOD? What--she nodded, for the record.
Ms. Beavers. Yes, Congressman.
Mr. Ivey. Flashback to trial. If you can give me a sense
too of what the Department of Defense is doing to make sure
that it's doing--making outreach efforts to make sure that
there are diverse opportunities for contractors and that
there's a diverse field of contractors that are providing the
work for the Federal Government.
Thank you for your indulgence, Mr. Chairman. I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentleman from New York, Mr.
D'Esposito, for 5 minutes of questioning.
Mr. D'Esposito. Well, thank you, Mr. Chairman.
Thank you all for being here this--I guess now this
afternoon.
I guess right now almost 85 percent of Federal cyber
positions are telework-eligible. While I don't always agree
with everyone working from home, obviously it's a reality that
we are all dealing with. Obviously, it's something that has
leverage.
So, Mr. Hysen, how does DHS ensure that there are strong
cybersecurity practices upheld for the remote work force?
Mr. Hysen. Thank you, Congressman. It's been something that
has been a new and evolving challenge since the beginning of
the COVID-19 pandemic.
We have updated our annual required cybersecurity trainings
for all employees to make sure that they are--that they are
incorporating safe cybersecurity practices for telework and
remote work. Among other things, that includes things like
thinking about and being aware of smart devices that are in
your work space that may be recording, as well as looking at
the security of your home network. We will continue to do that.
Mr. D'Esposito. Now I'm going to take it a little bit
closer to home. Unfortunately, on Long Island, where both Mr.
Garbarino and myself and Mr. LaLota and Mr. Suozzi represent,
we have witnessed successful cyber attacks that have greatly
disrupted not only local government but, obviously, the quality
of life for the people that we serve. It's clear that both the
public and the private sector are having issues with filling
all of the cybersecurity roles that are currently open.
So this is really for any of you. How do these work force
issues extend to and impact, like I mentioned, local
municipalities, and leave them open to an attack such as the
one I referred to?
Mr. Hysen. I can say I think we see that--those challenges
every day through our work, largely through CISA, with State
and local governments. It's one of the reasons why, when we
developed our new State and local cybersecurity grant program,
which launched 2 years ago, we made developing State and local
cybersecurity work force a key element that we are looking for
municipalities and State governments to apply for funding for.
Mr. D'Esposito. OK. I was also excited to see the newly-
released Commerce, Justice, Science, and Related Agencies
appropriations bill. There was funding that I requested for an
updated IT system for the Nassau County Police Department to
help them prevent from future cybersecurity attacks.
Bolstering our systems is obviously one thing that, again,
those local municipalities can do to guard against cyber
attacks. What are some of the--and this is, again, for any of
you. What are some of the short-term solutions for these
localities that us as Congress can work toward to help our
cyber work force?
Mr. Mo. Thank you so much for that question.
I think registered apprenticeship is one way to do it
because it allows people with the potential to do the work to
also learn on the job.
One of the things that we want to make sure is that we have
those quality pathways. Then we also have--we can then match
folks who are interested to do the work where we need it to be.
The other option, it's cyber clinics. We have funded 4
cyber clinics so far in the Federal--from the Federal
Government. Cyber clinics, you know, as a clinic model, allows
students who are in college today to also practice those skills
and have those hands-on experience, while helping the public,
in this case, private and local government as well.
Mr. D'Esposito. The cyber clinics that you referenced, how
do you do the outreach, or is that funding that's provided to
an organization, or how does--how is the outreach to get
individuals on to those clinics?
Mr. Mo. Right now, it's done on a cyber-clinic-by-cyber-
clinic basis.
Mr. D'Esposito. OK.
Mr. Mo. Then--you know, that's why--that's where we kind-of
come in. We're trying to kind of make sure that everyone is
coordinated and, you know, make sure that, as part of the cyber
clinic, they reach out to their students----
Mr. D'Esposito. OK.
Mr. Mo [continuing]. To get more students, as well as each
cyber clinic sort of have their own mission. For us, it's to
kind-of influence the mission, make sure that they, you know,
serve a particular constituency that we need them to be.
Mr. D'Esposito. How has the attendance, so to speak, been
to the first 4 clinics that you supported?
Mr. Mo. We just started that funding. So, you know, I can
take that back for the record and perhaps provide your office
with that information.
Mr. D'Esposito. That'd be great.
With that, my time's expired. Mr. Chairman, I yield back.
Mr. Garbarino. The gentleman yields back.
I'm going to start a second round, because I can, of
questions.
Mr. Hysen, I want to follow up. My colleague from New York
just asked you about this. You talked about the State and local
grant program. Has that money--the first round of that money
gone out yet to the States?
Mr. Hysen. Chairman, my understanding is that it is the
$185 million that we allocated in fiscal 2022, that that has
started to go out. But it's a program that my office doesn't
directly administer, so I would have to follow up for more
details.
Mr. Garbarino. Let's follow up, because I know--I believe
the money has gone out to the States, but I don't know how much
of the actual grants have gone to State--to the localities, the
counties, the towns who really face the problem. They can't
afford to have a CISO.
My county in Suffolk County in Long Island got hit with a
major cyber attack. If you can follow up and let us know where
that money is, how far it is in going out to the actual people
it's supposed to go to, that would be great--greatly
appreciated.
Mr. Hysen. Absolutely.
Mr. Garbarino. Thank you.
I also, Mr. Hysen, I want to focus on--your testimony
highlights the strides DHS has made in hiring through
Cybersecurity Talent Management System, or CTMS. The Department
announced yesterday that the first 10 hires for its AI--its
first 10 hires for the AI corps.
In this committee's February hearing with Secretary
Mayorkas, I sounded the alarm over CISA's lack of operational
technology or OT staff. A GAO report in March found that CISA
has only 4 employees and 5 contractors on hand to respond to
attacks on OT infrastructure.
I believe you have made some hires since then specifically
for OT, but can you tell me what DHS is doing specifically to
attract OT technical staff?
Mr. Hysen. Absolutely. It's an area that CISA has been very
significantly prioritizing. We developed, I believe, specific
positions under CTMS to specifically reach out to talent with
expertise in OT security and industrial control systems and
related fields. I know we've had several rounds of
solicitations, and I do believe we brought some staff on board.
Mr. Garbarino. Now, you have CTMS, which was meant to
streamline the hiring of cyber workers--through exemptions
from--that many of the other Federal hiring go through.
Can you tell me under the CTMS how many employees have been
hired under CTMS and how many are still going through--still
going through the traditional process?
I have a number here that says, by 2023, CISA had only
hired 80 people through CTMS, while still making majority of
its 516 hires through the traditional process. What is DHS
doing to make sure that CTMS is being utilized more so we can
get people on-boarded?
Mr. Hysen. Thank you. Yes. That number is for CISA's own
hiring. We're at 189 across my office, CISA, and FEMA today.
CTMS is not going to be the answer for every position.
Traditional Title 5 hiring will still play an important role.
That's why we're looking to streamline through leveraging
direct hire authority from OPM and other sources of traditional
hiring, but we are pushing to aggressively expand CTMS. We
have--are working to bring it on board with additional
components. We are also looking across the offices that are
already using it to expand utilization for some of their
existing hires.
Mr. Garbarino. OK. This is for anybody who really wants to
answer it. We've talked about moving away to--move away 4-year
degrees, even some away from 2-year degrees, focusing on
skills-based, maybe some certifications.
Is there a role for the Federal Government to come up
with--for coming up with an approved list of certification
courses or programs or curriculum, so not just the Federal
Government but States can use it, companies can use it, as a
basis for, all right, these are the type of certifications,
these are the type of skills that we want to see? Is that
something that the Federal Government should be coming up with,
that we should be coming up with, or is that really not the
role for the Federal Government?
Anybody just jump in. Mr. Mo, you want to go? Go ahead.
Mr. Mo. Yes. I appreciate that question.
What I would say is that technology is changing so fast. By
the time--you know, if it goes through some form of process, the
skills that we'll be looking for, as well as the type and the
curriculum, would have changed, right. So that's why one thing
about skills-based, it's not about--sometimes it's not even
about the specific skills, right--it is about the specific
skills, which is what the framework is providing us.
But the approach itself gives us a new way of thinking about
this. That is, we just want to make sure that folks have the
basic skills to learn new additional skills.
Mr. Garbarino. I know I don't want to be the be-all,
because passing legislation or doing regulations takes forever,
and this moves very quickly. But, you know, a lot of people
don't know where to start. Not everybody has a CISO.
I mean, is it worthwhile for us to come up with, you know,
a base minimum standard? Maybe not legislatively but, you know,
offer--have CISA come up with a minimum standard or minimum you
should--these are the things you should be looking for, these
are the certifications you should be having.
Mr. Hysen, you can jump in.
Mr. Hysen. Chairman, I believe that aligning to the NICE
Framework is the right way to do that. As my colleague said, I
think the specific certifications are changing so rapidly, but
I do think saying that we need certifications or other
demonstrations that candidates meet baseline skills with some
flexibility to apply that in different ways would be most
valuable.
Mr. Garbarino. I appreciate it. My second 5 minutes is up.
I now recognize the Ranking Member, Mr. Thompson, for 5
minutes of questions.
Mr. Thompson. Well, thank you very much, Mr. Chairman.
Kind-of in line with the Chairman's questions,
historically, the Federal Government's long, cumbersome hiring
process has undermined its ability to recruit cyber talent.
Clearance processes and suitability assessments, in particular,
created unacceptable delays between offers and on-boarding.
Sometimes by the time you make the offer, that person's no
longer available.
So what are your agencies doing to expedite on-boarding of
cyber talent?
I guess as a second piece to it is, how is ONCD supporting
these efforts?
So, Mr. Mo, I'll kind-of see if you can backfield the
answers.
Mr. Hysen. I'm intimately familiar with those challenges,
Ranking Member. It starts with administration-wide initiatives,
like the Trusted Workforce 2.0 effort that is streamlining
suitability and security clearance processes. Government-wide,
we're seeing great results through the early stages of
implementation.
But we're also actively looking to streamline which
positions actually need a clearance. If you're not going into a
SCIF looking at Classified material, we shouldn't be holding up
your hiring on that. So we have been looking to reduce
requirements, expand the use of interim clearances at both the
Secret and Top Secret level, which can be issued faster as
well.
Another key element of CTMS is that it keeps candidates in
a ready talent pool so that when we have vacancies arise, we
can reach out to candidates that have gone through the first
stages of their assessment process already and then just start
from there, which is significantly--can significantly reduce
time to hire.
Mr. Thompson. So, technically, it's not one size fits all?
Mr. Hysen. Absolutely.
Mr. Thompson. OK. Ms. Beavers.
Ms. Beavers. The Department of Defense has a similar
program, the Cyber Excepted Service, which has some direct hire
authorities, which enables us to bring folks in quicker. We've
also revised our hiring policies to eliminate the time and
grade requirements and the previous grade requirements, so it's
skills-based. But there are--there is additional work that
could be done to help us expedite that with greater flexibility
in salaries and things like that.
So we are still continuing to work on reducing the time to
hire, particularly within this valuable work force.
Mr. Mo. So we have made a little bit of progress in terms
of the security clearance times, right. So the average numbers
for Top Secret went from 411 to 155 days, and for Secret went
from 173 to 53 days. PAC has set a very aggressive target that
they're executing on for Top Secret to be 45 days and Secret to
be 25 days.
But if you take a step back in terms of like the whole
hiring process, you know, there's a clearance, but there's also
like how we can move faster to get an inner agency. One of the
things that ONCD is coordinating with our partner at Office of
Personnel Management and OMB is the idea of a pool hiring
process so that we have like one certificate that multiple
agencies can jump on.
So we have found that that has sort-of-like reduced the
time for folks to be on-boarded in terms of--there are others
such as like Tech to Gov hiring event that we do. We have--we
have at least 2 of those events already with about 1,700 people
being interested in jobs, and we have offered 150 tentative job
offers.
So we're doing, you know--like a lot of things in Federal
hiring, there's a lot of like--there's no one single solution,
there's no silver bullet. We're keeping to--we are fixing a lot
of these similar processes along the way.
Another effort that ONCD is driving is to make sure that we
have job descriptions that are more focused on skills that are
sort-of-like usable by, you know, multiple different agencies.
Obviously, this is done in conjunction through the working
groups that we have and which all the partners here are a part
of, so that that is something that will, you know, slim down on
the hiring process from job posting to candidates on-boarding.
Mr. Thompson. You know, one of the challenges that I find
as a Member, and very rarely do I not come in contact with
somebody who is looking for a job, but they say, I go to these
fairs, they give me the brochures, but there's nothing between
the job fair and the brochures that hold me.
I think somewhere, if we can give people hope that this
jobs fair is not just a check-the-box kind of deal, we might
get some good people. But the confidence that it's not more
than a check-the-box event for that staffer to meet whatever
their numbers are--help me out--how do--are we changing that
perception?
Mr. Hysen. Ranking Member, I think it's a shift from
strictly thinking about hiring to thinking about talent and
recruiting. There's a key difference in applying for a
Government job versus a private-sector job where, if you apply
for a Government job, you get automated emails from USAJOBS
when you hit different stages. In many private-sector roles,
particularly in cybersecurity, you have a recruiter who is
actively talking to you and working with you through that
process, which can still in some cases be longer.
That's why there's been some efforts from OMB to build out
Federal talent teams that go beyond just H.R. specialists in
hiring and build those relationships with candidates throughout
the hiring process. I do think that's something we need to
expand.
Ms. Beavers. I would like to highlight that the Department
of Defense is also pursuing that type of a hiring pipeline
development. So we are maturing the Cyber Excepted Service to
be more aligned with the civilian hiring practices. Hence, the
pilot that I mentioned earlier.
Mr. Mo. I just think that we have to meet people where
they're at. A lot of times, you know, some of the success
stories that we've heard is because the professors told the
students that, yep, the process takes longer, but once you
kind-of get the job and get the clearance as you're an intern,
that's how we kind-of pull some of the people in.
So a lot of times it's about educating our stakeholders and
partners on the ground that this is real, right. Then there's
some accountability that some relationship and partnerships are
being formed, and that's what ONCD is trying to do when we
kind-of go around the country to talk to those folks. We're
trying to establish those real relationships that will make
sure that they will tell their students that these are real
opportunities and with some more explanation that they know
what to expect.
Mr. Thompson. Thank you.
Mr. Garbarino. The gentleman yields back.
In closing, I just want to say thank you to all the
witnesses for coming today. This--sorry about votes screwing
up, and I wish we had some more participation.
I do know that this committee takes this issue very
seriously. I know the Chairman takes this issue very seriously,
as I said in his opening--when I read his opening statement. He
will be submitting legislation soon to help address the
shortfall both on the--specifically in the Federal agencies.
We definitely take this issue very seriously, and I thank
you all. Be ready to expect some questions for the record to be
submitted. I know I have some that--I could have gone another 4
or 5 times, and I'm sure my colleagues could have as well. But
I do really want to thank you all for being here today and for
your patience during votes.
So the Members of this committee, like I said, may have
some additional questions for witnesses, and we would ask
witnesses to respond to these in writing.
Pursuant to committee rule VII(D), the hearing record will
be held open for 7 days.
Without objection, this committee stands adjourned.
[Whereupon, at 12:37 p.m., the committee was adjourned.]
A P P E N D I X I
----------
Questions From Chairman Mark E. Green, MD for Eric Hysen
Question 1. How can the Cybersecurity and Infrastructure Security
Agency (CISA) leverage its existing relationships across the public and
private sectors to better coordinate U.S. cyber work force efforts?
Answer. The Cybersecurity and Infrastructure Security Agency (CISA)
works to enhance coordination by fostering partnerships, promoting
diversity, and learning from successful models. Simply put, CISA and
the U.S. Department of Homeland Security (DHS) understand that
collaboration with the private sector is at the heart of our
cybersecurity mission. In regard to work force efforts, CISA's Cyber
Innovation Fellows Initiative allows some of the Nation's most skilled
and experienced practitioners and experts to bring their perspectives
to CISA on a short-term basis to advance our national mission to reduce
cyber risk at scale. The initiative seeks to innovate the agency's
approach to cybersecurity while also providing awareness of CISA's
mission to enhance participants' skills and knowledge. As of September
2023, CISA on-boarded all 6 individuals selected for the initiative.
DHS also believes it is essential to focus on outreach efforts to
underrepresented groups, including women, people of color, and rural
populations. By actively engaging with these communities, CISA plays a
key role in translating that belief into reality by attracting diverse
talent to the cybersecurity field.
Question 2. What aspect of the cyber talent pipeline--training at
specific skill levels, upskilling, or reskilling--is CISA best-suited
to help, based on its existing expertise?
Answer. CISA is best-suited to upskilling individuals within the
cyber talent pipeline. Leveraging its existing expertise, CISA can
enhance the skills of current professionals by providing targeted
training and specialized knowledge. This approach helps bridge the gap
between existing capabilities and the evolving demands of the
cybersecurity field. The most prominent example of this approach in
action among existing Federal employees is the Federal Cyber Defense
Skilling Academy. The Academy provides full-time Federal employees an
opportunity to focus on professional growth through an intense, full-
time, 3-month accelerated training program. This includes a variety of
pathways tied to various cyber work roles, including pathways for
employees interested in becoming cyber defense analysts, cyber defense
forensic analysts, cyber defense incident responders, and vulnerability
assessment analysts.
Question 3. How has the Department of Homeland Security (DHS)
benefited from the CyberCorps Scholarship for Service program, and how
can the program be improved to better meet the Department's work force
needs?
Answer. The CyberCorps Scholarship for Service (SFS) program
recruits and trains IT professionals, industrial control system
security experts, and security managers. These graduates contribute
directly to DHS's mission of safeguarding critical information
infrastructure. DHS is proud to be among the top 10 agencies that hire
CyberCorps SFS students. In fiscal year 2023, DHS hired 67 total SFS
participants. SFS provides scholarships covering up to 3 years of
support for cybersecurity undergraduate and graduate (MS or PhD)
education. The scholarships are funded through grants awarded by the
National Science Foundation. Recipients receive tuition and fees, an
annual stipend, and other financial incentives. Students engage in
well-established cybersecurity programs, hands-on experiences, cyber
competitions, and opportunities for professional development. Regarding
improvements, DHS will continue to work with CyberCorps SFS to:
    Tailor SFS programs to specific DHS needs to better align
        graduates with agency requirements;
    Strengthen outreach efforts to underrepresented groups to
        diversify the talent pool and address work force gaps; and
    Enhance job placement assistance to help SFS graduates
        continue to find relevant positions within DHS.
Question 4. How does DHS coordinate with other Federal agencies to
fill its cyber work force gaps, if at all? Do you think that DHS would
benefit from closer collaboration with other agencies?
Answer. The DHS Office of the Chief Human Capital Officer actively
collaborates with other agencies to address its cyber work force gaps
and acknowledges closer collaboration would likely benefit efforts to
strengthen the Nation's cybersecurity work force. Current efforts
include participation in the National Cyber Workforce and Education
Strategy, published by the White House Office of the National Cyber
Director (ONCD). This strategy encourages coordination at the White
House level to meet cyber work force demands, focusing on skills-based
hiring, talent development, and the creation of cyber work force and
education ecosystems. DHS also plays a key role in the Interagency
Federal Cyber Career Pathway Working Group, established by the
Department of Defense, DHS/CISA, and the U.S. Department of Veterans
Affairs. This group collaborates to advance cyber work force
development. Some other examples of interagency working groups that DHS
collaborates with include the ONCD and the Office of Management and
Budget (OMB) Federal Cyber Workforce Working Group, and along with the
U.S. Department of Energy and the Office of Personnel Management (OPM),
DHS participated in the Cybersecurity Apprenticeship Sprint to expand
pathways into the cyber work force. More broadly, DHS supports the
Workforce Priority and Cybersecurity work of the President's Management
Agenda.
Question 5. Given the cyber work force gap continues to grow every
year, and threat actors continue to evolve, do you think that we need
to change who we consider to be in the ``cyber work force''? Please
explain.
Answer. Yes.
As mentioned in my testimony, I am an advocate for an expansive
view of cybersecurity talent. Cybersecurity is a vital part of every
stage of the software and IT development life cycle. We must ensure all
employees involved in this process are equipped to understand how their
roles contribute to cybersecurity, from designers and program managers
through network operators and help desk technicians. While
cybersecurity-focused programs are critical, complementary efforts such
as the DHS AI Corps, that bake cybersecurity into enabling an adjacent
talent, also have a role to play.
The cyber work force encompasses a wide range of Information
Technology (IT), Cybersecurity, Cyber Effects, Intelligence, and
support/enabler work roles as codified by my colleagues in the U.S.
Department of Defense (DoD) in the DoD Cyber Workforce Framework
(DCWF). DHS and DOD will continue to evolve to address operational,
technological, and work force driven requirements for digital talent.
Question 6a. DHS is currently sprinting to hire 50 new employees in
its Artificial Intelligence (AI) Corps.
What skills is DHS looking for, and how is it assessing candidates?
Answer. DHS is looking for AI professionals who can leverage recent
technological advancements to harness the benefits of AI and
significantly expand its responsible use to improve delivery of
services and operational effectiveness at DHS. These AI professionals
will have experience in: applying advanced technical or policy
knowledge in AI/Machine Learning (ML); delivering or integrating
technology or products using AI/ML; making decisions or providing
recommendations, and securing leadership buy-in and/or stakeholder
consensus, to influence policies, projects, or programs; defining
effective objectives and product goals and formulating/tracking
measures of success; developing and refining digital interfaces and
services using user-centered design principles to enhance the
experience and accessibility; and leading cross-functional teams.
DHS is expediting the hiring for AI-related positions using
Government-wide direct hire authority, as authorized by OPM with
additional support from the AI and Tech Talent Taskforce to address
critical needs and increase AI capabilities in the Federal Government.
Evaluation methods include multi-hurdle assessments including
reviewing relevant experience, technical skills, and interviews. DHS
assesses candidates based on their technical knowledge and practical
experience as DHS is in support of skills-based-hiring and approaches
as led by OPM with support from OMB and ONCD. Interviews, technical
discussions, and scenario-based assessments help evaluate suitability
for the AI Corps.
Question 6b. Is the AI Corps a scalable model, and can we replicate
it for cybersecurity? Why or why not?
Answer. The AI Corps leverages best practices from successful
hiring processes like those I helped build at the U.S. Digital Service
that is also an example of scaling what works across Government. We are
eager to share these practices with other agencies. As such, it can be
replicated for cybersecurity. However, successful replication to
cybersecurity--or any domain--depends on adapting the model to specific
needs while considering the unique challenges and skill requirements in
the cybersecurity domain. The current process requires a significant
amount of administrative effort covering hiring, preparation,
recruitment, and on-boarding all led by agency leadership, hiring
managers, H.R. specialists and agency talent teams. Any successful
replication and scaling will require more efficient processes,
supported by Government-wide implementation of the Hiring Experience
Joint M-Memo M-24-16 recently released by OMB and OPM. This guidance
summarizes flexible hiring authorities and expanded recruiting
opportunities that enable the use and integration of industry standard
applicant tracking and assessment tools. Such recruiting and tool
modernization is dependent on availability of funding. Finally,
increased cross-agency collaboration across talent teams, specifically
with Government subject-matter experts, is essential to both the
current model and any replica.
Question 7a. How can AI improve our ability to recruit, train, and
equip cyber talent?
Answer. AI can enhance recruitment, training, and equipping of
cyber talent by identifying potential candidates through analysis of
large datasets, automating initial screening processes to save time for
human recruiters, and providing AI-driven simulations and training
platforms. These platforms allow cyber professionals to practice real-
world scenarios and improve their skills within virtual environments
that simulate cyber threats, enabling hands-on learning and skill
development. Additionally, use of AI to automate completion of mundane
and repetitive tasks provides measurable amounts of time back to DHS
personnel, further improving our ability to recruit, train, and equip
cyber talent. Essentially, AI can make our personnel more effective and
efficient to further improve our staffing goals. However, as we seek to
leverage AI in these processes, we must be mindful of potential bias in
AI systems and ensure AI use does not lead to disparate impacts across
any factor. Any serious consideration in using AI tools for personnel
policy should follow the governance guidance set forth by AI M-Memo
M-24-10: Advancing Governance, Innovation, and Risk Management for
Agency Use of AI.
Question 7b. How can AI improve our ability to detect critical
infrastructure vulnerabilities?
Answer. AI algorithms can analyze network traffic, system logs, and
other data sources to detect anomalies and potential vulnerabilities.
ML models can learn from historical attack patterns and identify
suspicious behavior. Predictive analytics can help prioritize
vulnerabilities based on potential impacts, allowing organizations to
allocate resources effectively.
Question 7c. Are there common skills across cyber and emerging
technology fields, such as AI, that can help fill work force gaps
across disciplines, and ensure U.S. workers remain nimble to work force
needs?
Answer. Skills such as data analysis, programming, and
understanding complex systems are valuable across various technology
domains, including AI and cybersecurity. Cross-disciplinary training
programs can help bridge gaps and create a more versatile work force.
Encouraging continuous learning and adaptability ensures employees
remain agile in response to evolving work force needs.
Question 8. What are some of the cyber threats DHS has observed at
our physical border?
Answer. DHS employs a wide range of software systems and
operational technology involved in border security and faces numerous
cyber threats that pose significant risks to operations and data
integrity. Data breaches and unauthorized access are critical concerns,
as malicious actors aim to infiltrate databases containing sensitive
information related to border operations, immigration, and travelers.
Unauthorized access could lead to compromise of personal details,
surveillance footage, and operational plans. Our border infrastructure
relies heavily on technology, including surveillance cameras, sensors,
and communications networks, which if vulnerable could be exploited to
compromise operations. Additionally, our adversaries have attempted to
jam U.S. Customs and Border Protection's (CBP) detection technologies.
Additionally, disruptions to communications equipment deployed at
remote sites, and communications capabilities of CBP sensors deployed
in austere environments, remain a cyber threat. Risk of cyber attacks
at our physical detection sites is very real and remains a concern when
managing the integrity and survivability of domain awareness
capabilities along our physical borders.
The complexity of supply chains for procuring technology and
equipment for border security exacerbates these risks, as adversaries
may compromise hardware or software components during manufacturing or
distribution, and in doing so compromise security. Sophisticated threat
actors, including nation-states, may target border security
infrastructure for espionage, disruption, or cyber-espionage
activities. In response to this threat, Executive Order 14116, issued
on February 21, 2024, addresses cybersecurity risks to our port
infrastructure. This underscores the importance of monitoring and
addressing diverse threats across all areas of border security
infrastructure. To ensure effective border security at land, air, and
seaports, DHS must continuously monitor and address these evolving
threats, in consultation with appropriate interagency partners,
implement robust cybersecurity measures, and maintain vigilance against
both external and internal threats.
Question 9. How has DHS leveraged the National Institute of
Standards and Technology's (NIST) National Initiative for Cybersecurity
Education (NICE) Workforce Framework for Cybersecurity?
Answer. The National Institute of Standards and Technology's (NIST)
National Initiative for Cybersecurity Education (NICE) Framework
provides standardized language to describe cybersecurity work and
workers, ensuring consistent communication across organizations,
regardless of where or for whom the work is performed. The Department
adheres to OPM guidance, systematically assigning NIST NICE Framework
Cyber Work Roles to all IT, cyber, and cyber-related positions. This
approach facilitates comprehensive tracking and categorization of the
entire cyber work force, including both filled and vacant positions,
thereby enhancing organizational oversight and strategic planning.
Furthermore, the Department's Cybersecurity Talent Management
System (CTMS) relied upon the NICE Cybersecurity Workforce Framework to
develop its technical capabilities library. Each of the 17 technical
capabilities is mapped to the NICE Work Roles, and every individual
assignment (i.e., billet) is aligned with those roles to identify
specific cybersecurity needs across the Department. The CTMS Technical
Capabilities Learning Menus are also aligned to the NICE Framework Work
Roles.
The NICE Framework is valuable for training and education. DHS
works closely with the NICE Interagency Coordinating Council. DHS
aligns its training programs with the framework to ensure they address
necessary skills and competencies. This framework serves as a reference
source for work force development, planning, and education. By
leveraging this framework, DHS ensures a more effective and coordinated
approach to cybersecurity education and work force development.
Question 10. How is DHS thinking about recruiting cyber workers
under the age of 30? More broadly, what incentives or opportunities do
you think would attract younger professionals to join the Federal work
force?
Answer. DHS actively addresses historical challenges in recruiting
and retaining cybersecurity talent by offering competitive
compensation, leveraging CTMS, and creating targeted programs. By
addressing these challenges, DHS is better-positioned to attract
younger professionals to join the Federal work force and contribute to
national security efforts.
Through CTMS, DHS implemented several strategies for recruiting
young talent. CTMS uses innovative marketing and branding capabilities
to promote and amplify DHS careers within the new DHS Cybersecurity
Service, resulting in a continued increase in visitors to our unique
application portal and apply clicks. CTMS is designed to effectively
recruit, develop, and retain top-tier cybersecurity professionals. CTMS
screens applicants based on technical capabilities and streamlines the
hiring process for hiring managers by establishing talent pools.
Applicants in the talent pool completed hurdled assessments and are
added to relevant match lists. This saves applicants from having to
apply multiple times.
Talent Pools also enable CTMS to more closely compete with industry
time-to-hire for highly sought-after talent, which is often a key
consideration in recruiting younger talent. CTMS has statutory and
regulatory flexibilities to offer market-sensitive salaries and
advanced compensation for DHS Cybersecurity Service employees based on
expertise and mission contributions.
On-going professional development and training are specifically
budgeted for each Cybersecurity Service employee and are critical
factors of their performance expectations and their ability to advance
the DHS mission. CTMS offers flexible, capability-focused career paths
which incentivize career longevity and reduce costs associated with on-
going attrition and recruitment. By offering salaries commensurate with
the private sector and opportunities to continue developing
cybersecurity knowledge and skills, DHS is better-suited to recruit and
retain young professional cyber talent.
I believe we also succeed in recruiting younger professionals into
the Federal cybersecurity work force through a more expansive view of
cybersecurity hiring. For example, Secretary Mayorkas established the
Secretary's Honors Program to recruit talented recent graduates,
providing opportunities for young professionals to contribute to
critical missions within DHS. Along with the Intelligence &
Cybersecurity Fellowship Program championed by this committee and my
office's Cybersecurity Internship Program, the Department casts a wide
net in targeting this specific demographic. Most recently, we also have
sought services from fellows through the General Services
Administration's U.S. Digital Corps Program. This program serves as one
of the premier programs to attract early career technology talent,
including talent with skills relevant to a variety of cybersecurity
disciplines, into the Federal Government.
Question 11. As nation-state actors increasingly target our
critical infrastructure, do you believe the current DHS work force has
the right skillset and training to fulfill its Sector Risk Management
Agency (SRMA) responsibilities? Why or why not?
Answer. It is necessary for our work force to possess essential
skills and training to fulfill our Sector Risk Management Agency (SRMA)
responsibilities, and DHS will continue to ensure our personnel are
appropriately trained. Each SRMA is tasked with coordinating and
collaborating with relevant Federal departments, agencies, critical
infrastructure owners, operators, and other stakeholders. Their sector-
specific expertise is crucial for implementing National Security
Memorandum 22 and managing activities pertinent to their sectors.
SRMAs provide sector-specific expertise to identify and mitigate
vulnerabilities within their sectors. Their on-going training and skill
development are essential for effective incident mitigation. SRMAs
support the Secretary of Homeland Security by providing annual sector-
specific critical infrastructure information, ensuring transparency and
accountability in safeguarding critical assets. Overall, the continuous
development and alignment of SRMA skills are crucial for adapting to
evolving risks and challenges in cybersecurity.
Question 12. What changes or improvements can we make to the
training of our cyber work force to ensure that they instinctively
prioritize security in their product development?
Answer. As mentioned in my testimony, I agree with the intent of
this question and believe the answer is to take an expansive view of
cybersecurity talent. Cybersecurity is a vital part of every stage of
the software and technology development life cycle. Cybersecurity
programs are critical, and I believe complementary efforts focused on
emerging technologies need to bake cybersecurity into their recruiting
efforts because the skills are adjacent.
It is also true that non-adjacent employees in DHS must now build
basic technical awareness skills in security technology and
cybersecurity. As mentioned in my testimony, we are redesigning our
annual Cybersecurity Awareness Training and we launch regular phishing
exercises to keep all employees sharp on their personal contributions
to the Department's cybersecurity. The message to our cybersecurity
work force and our overall work force is that cybersecurity is the
responsibility of all DHS employees. In turn, this message ensures
cybersecurity will become part of all programmatic development long
before front-line employees reach out to my cybersecurity personnel for
assistance or approvals.
Similarly, my Defense partners are working to ensure a trained and
capable cyber work force through the use of the DCWF. These work roles
identify core knowledge, skills, abilities, and tasks that specify
cybersecurity requirements regardless of the type of cyber or cyber-
related work performed.
Like DOD, every DHS employee has a responsibility to identify and
report potential cyber risks.
Questions From Chairman Mark E. Green, MD for Leslie Beavers
Question 1a. Why do you think there are so few individuals under
the age of 30 in the Federal cyber work force?
Answer. Response was not received at the time of publication.
Question 1b. How effective do you anticipate ``hackathons'' to be?
Answer. Response was not received at the time of publication.
Question 2. While we want to train more people, national security
still remains the top concern. How is DoD thinking about recruiting a
remote cyber work force that is itself cybersecure?
Answer. Response was not received at the time of publication.
Question 3. From your engagements across the country, is salary the
primary reason Americans choose private-sector cyber jobs over Federal
ones?
Answer. Response was not received at the time of publication.
Question 4. How do you coordinate across Federal agencies to fill
cyber work force gaps, if at all? Do you think that you have unique
challenges or that you would benefit from closer collaboration?
Answer. Response was not received at the time of publication.
Question 5. How does the DoD's Cyber Workforce Framework build on
the NICE Framework? As you have implemented the Framework, have you
identified any gaps?
Answer. Response was not received at the time of publication.
Question 6. Given the cyber work force gap continues to grow every
year, and threat actors continue to evolve, do you think that we need
to change how we think about who is in the ``cyber work force''?
Answer. Response was not received at the time of publication.
Question 7a. What role should the Federal Government play in cyber
work force training and education?
Answer. Response was not received at the time of publication.
Question 7b. Are there specific areas where the Federal
Government can help and focus its efforts? What training and educational
efforts would be better handled by the private sector?
Answer. Response was not received at the time of publication.
Question 8. How can AI lower the barrier to entry for skilling?
Will better AI improve our ability to detect critical infrastructure
vulnerabilities?
Answer. Response was not received at the time of publication.
Question 9. How do you think about cyber work force development in
the context of outpacing China?
Answer. Response was not received at the time of publication.
Questions From Chairman Mark E. Green, MD for Rodney Petersen
Question 1. How are you thinking about standards developments
around emerging technologies, such as AI, for cyber training?
Answer. Response was not received at the time of publication.
Question 2. From your engagements across the country, is salary the
primary reason Americans choose private-sector cyber jobs over Federal
ones?
Answer. Response was not received at the time of publication.
Question 3. How does NIST ensure that NICE Framework keeps pace
with--or stays ahead of--current and emerging cyber threats?
Answer. Response was not received at the time of publication.
Question 4. How does NIST coordinate with allies and partners to
standardize competencies?
Answer. Response was not received at the time of publication.
Question 5. How do you coordinate across Federal agencies to fill
cyber work force gaps, if at all? Do you think that you have unique
challenges or that you would benefit from closer collaboration?
Answer. Response was not received at the time of publication.
Question 6. How does the DoD's Cyber Workforce Framework build on
the NICE Framework? As you have implemented the Framework, have you
identified any gaps?
Answer. Response was not received at the time of publication.
Question 7. Given the cyber work force gap continues to grow every
year, and threat actors continue to evolve, do you think that we need
to change how we think about who is in the ``cyber work force''?
Answer. Response was not received at the time of publication.
Question 8. In the wake of generative AI tools that lower the
barrier to entry to cyber attacks, how can we improve our outreach to
average Americans to make sure they know how to exercise strong cyber
hygiene practices?
Answer. Response was not received at the time of publication.
Question 9a. What role should the Federal Government play in cyber
work force training and education?
Answer. Response was not received at the time of publication.
Question 9b. Are there specific areas where the Federal
Government can help and focus its efforts? What training and educational
efforts would be better handled by the private sector?
Answer. Response was not received at the time of publication.
Questions From Chairman Mark E. Green, MD for Seeyew Mo
Question 1. How does ONCD view its role in cultivating the next
generation cyber work force, with its implementation of its National
Cyber Workforce and Education Strategy, in relation to CISA?
Answer. Response was not received at the time of publication.
Question 2. From your engagements across the country, is salary the
primary reason Americans choose private-sector cyber jobs over Federal
ones?
Answer. Response was not received at the time of publication.
Question 3. How do you coordinate across Federal agencies to fill
cyber work force gaps, if at all? Do you think that you have unique
challenges or that you would benefit from closer collaboration?
Answer. Response was not received at the time of publication.
Question 4. One of the strategic objectives of the ONCD Cyber Work
Force Strategy is to ``improve career pathways in the Federal cyber
work force.'' How is ONCD coordinating and promoting efforts to achieve
this objective?
Answer. Response was not received at the time of publication.
Question 5. Given the cyber work force gap continues to grow every
year, and threat actors continue to evolve, do you think that we need
to change how we think about who is in the ``cyber work force''?
Answer. Response was not received at the time of publication.
Question 6a. What role should the Federal Government play in cyber
work force training and education?
Answer. Response was not received at the time of publication.
Question 6b. Are there specific areas where the Federal
Government can help and focus its efforts? What training and educational
efforts would be better handled by the private sector?
Answer. Response was not received at the time of publication.
Question 7. Do you anticipate that your work force will still be
prepared to fulfill its responsibilities as new rules come into effect,
such as the final CIRCIA rule?
Answer. Response was not received at the time of publication.
A P P E N D I X I I
----------
Letter From the Society for Human Resource Management (SHRM)
June 26, 2024.
Chairman Mark E. Green,
Committee on Homeland Security, U.S. House of Representatives, H2-176
Ford House Office Building, Washington, DC 20515.
Ranking Member Bennie G. Thompson,
Committee on Homeland Security, U.S. House of Representatives, H2-117
Ford House Office Building, Washington, DC 20515.
Dear Chairman Green and Ranking Member Thompson: SHRM thanks the
House Committee on Homeland Security for holding today's important
hearing on America's cyber work force shortage. According to SHRM
research, only 59 percent of H.R. executives feel they are well or
somewhat prepared to deal with cybersecurity risks.
As the world's largest H.R. professional society, SHRM recognizes
the urgent need to strengthen our Nation's cybersecurity talent
pipeline. The shortage of over 500,000 cybersecurity professionals in
the United States presents a significant challenge that requires
collaborative efforts from both the public and private sectors.
In 2023, SHRM proudly joined the White House National Cyber
Workforce and Education Strategy, making our Cyber Resource Kit for
H.R. professionals publicly available at no cost. Developed in
conjunction with SANS, the toolkit will allow H.R. practitioners to
learn how to assess and recruit skilled applicants in the cyber work
force system.
1. Hosting educational sessions for CEOs on the importance of
cybersecurity for organizations.
2. Developing key considerations for cybersecurity work force
development in relation to workplace technology.
3. Supporting initiatives to train new cybersecurity professionals
and connect them with employers.
4. Conducting research on cybersecurity as a key economic
opportunity lever.
We believe that by addressing challenges such as the lack of
accessible cyber education and training, as well as difficulties in
hiring and re-skilling professionals, we can collectively work toward
closing the cyber work force gap.
SHRM stands ready to collaborate with Congress and other
stakeholders to develop effective legislative solutions that will
strengthen our Nation's cybersecurity talent pipeline. We look forward
to the outcomes of this important hearing and to supporting future
initiatives that enhance America's cyber work force.
Thank you again for your leadership on this critical issue.
Emily M. Dickens,
Chief of Staff, Head of Government Affairs & Corporate Secretary.
______
Letter From the Western Governors' Association
July 3, 2024.
The Honorable Mark E. Green,
Chairman, Committee on Homeland Security, House of Representatives,
H2-176 Ford House Office Building, Washington, DC 20515.
The Honorable Bennie G. Thompson,
Ranking Member, Committee on Homeland Security, House of
Representatives, H2-117 Ford House Office Building, Washington,
DC 20515.
Dear Chairman Green and Ranking Member Thompson: In light of the
subcommittee's June 26, 2024, hearing, Finding 500,000: Addressing
America's Cyber Workforce Gap, attached please find Western Governors'
Association (WGA) Policy Resolution 2022-05, Cybersecurity. The
resolution recommends supporting civilian cybersecurity reserves to
bolster the National Guard and enhancing education programs like
CyberCorps, the National Institute of Standards and Technology's
National Initiative for Cybersecurity Education, and the National
Centers of Academic Excellence in Cybersecurity to address work force
shortages.
I request that you include this document in the permanent record of
the hearing, as it articulates Western Governors' collective and
bipartisan policy positions and recommendations on this important
issue.
Thank you for your consideration of this request. Please contact me
if you have any questions or require further information.
______
Policy Resolution 2022-05
Cybersecurity
A. Background
1. In the age of automation, digitization, big data, artificial
intelligence, and machine-to-machine learning, the United
States' capabilities to prevent, detect, and respond to cyber
attacks are of ever-growing importance to our society. The
cybersecurity of our Nation is an all-of-Government and
industry-wide endeavor.
2. Aging information technology (IT) infrastructure and systems
pose serious cybersecurity risks and increase vulnerabilities
for Government and organizations. Due to the long-standing
financial and national security implications of prior
cybersecurity breaches resulting in data theft and other
adverse outcomes, modernizing these systems to help prevent
successful cyber attacks and better safeguard our data is
imperative.
3. The COVID-19 pandemic has transformed society and accelerated
the shift to a virtual environment, further increasing
vulnerabilities across systems as threat actors become more
complex and wide-spread. Ransomware attacks, a type of
malicious software attack that threatens to publish sensitive
information or impedes access to data or computer systems until
the victim pays a ransom to the attacker, have grown by 148
percent due to the rise in remote activities. These attacks can
shut down public and private-sector operations, posing
particular challenges to critical infrastructure functions.
4. Cybersecurity is especially imperative for critical
infrastructure, which includes the Nation's electric grid,
energy resource supply and delivery chains, finance,
communications, election systems, the chemical industry,
commercial facilities, critical manufacturing, defense
industrial base, emergency services, food and agriculture,
Government facilities, health care and public health,
information technology, transportation, and water and
wastewater systems. Large-scale cyber incidents, including the
SolarWinds and Colonial Pipeline attacks, demonstrate the risk
cyber crime now presents to national security.
5. Addressing cybersecurity needs across critical infrastructure
sectors is further complicated by the increasing
interdependency and interconnectedness of our Nation's data
systems to a myriad of non-critical infrastructure systems and
a dynamic threat environment. Effective cybersecurity programs
require strategic and functional relationships and information
sharing between Federal, State, and local levels of government,
and the public and private sectors.
6. The cybersecurity of their States and the Nation is a high
priority of Western Governors. State governments are
responsible for securing public networks, the State's digital
assets, and citizen data, as well as coordinating their
cybersecurity efforts with Federal agencies and potentially
affected private entities (e.g., utilities, financial
institutions, transportation, and health). Governors lead
efforts to plan and implement State cybersecurity programs,
respond to cyber attacks, and investigate intrusions.
7. National Guard cyber protection teams, serving in 59 cyber
units, provide invaluable assistance to States across the
country with threat assessment and cyber incident response and
remediation. Currently, States can mobilize Guard members
through State Active Duty (SAD) and Title 32 of the U.S. Code.
Supported by State funds, Governors can activate SAD for
disasters or homeland defense, although State constitutions or
statutes often constrain deployment of the Guard to State
emergencies. Title 32 gives Governors the authority to order
the Guard to duty, using Federal funds, with the approval of
the President or the Secretary of Defense. However, this
process can create barriers to rapid and nimble action in the
face of cyber attacks. While both of these functions are vital
resources, potential exists to further leverage the
capabilities of the National Guard for the cybersecurity
posture of States.
8. Although State and local governments remain significant targets
for cyber attacks, they often lack adequate funding to address
these issues and modernize their systems. According to a study
by Deloitte and the National Association of State Chief
Information Officers, State cybersecurity budgets comprise less
than 3 percent of their overall IT budgets.
9. Prior to the passage of Public Law 117-58, the Infrastructure
Investment and Jobs Act, the Homeland Security Grant Program
was the primary Federal mechanism to provide cybersecurity
funding to State, local, territorial, and Tribal governments.
Over the years, less than 4 percent of that funding was
allocated to cybersecurity. Such low levels of funding have
been insufficient for States to meet their pressing, and
rapidly growing, cybersecurity needs. The Infrastructure
Investment and Jobs Act sought to address this issue by
establishing a much-needed stand-alone cybersecurity grant
program for State and local governments, marking a huge
increase in Federal support for State and local cybersecurity
efforts.
10. The $1 billion program will be administered by the Federal
Emergency Management Agency (FEMA) for 4 years, with the
Cybersecurity and Infrastructure Security Agency (CISA) serving
in an advisory role. Funding will be distributed to States,
Tribes, and territories, who must allocate about 80 percent to
their localities. States must also meet varying match
requirements to share the financial burden and account for
cybersecurity costs in their budgets.
11. State election systems remain targets of foreign interference.
As Governors, we remain committed to protecting our States'
election systems. There is nothing more fundamental to the
enduring success of our American democracy, and we take
seriously our responsibility to protect the integrity and
security of our elections. This is an imminent national
security threat that transcends party lines. This is a matter
of protecting and preserving fair elections--the underpinning
of our democracy.
12. The Office of Management and Budget and Department of Homeland
Security May 2018 Federal Cybersecurity Risk Determination
Report and Action Plan concluded that 71 of 96 Federal agencies
are at risk or high risk of cyber intrusions. It also
determined that Federal agencies are not equipped to determine
how threat actors seek to gain access to their information.
This deficiency results in ineffective allocations of the
agencies' limited cyber resources.
13. Currently, there is a severe deficit of cyber workers,
especially in Government. Our Nation cannot defend itself
without a well-trained, experienced cyber work force. The
public sector must dedicate resources to ``K through gray''
cybersecurity education, training, work-based learning and
apprenticeships, and recruitment programs and encourage the
private sector to do the same through effective policy.
14. While investments in work force development and human capital
are a key component in addressing work force shortages, States
can leverage other tools to meet the scale of these challenges.
Technology and innovation will be needed to alleviate work
force strains and keep pace with a wide range of attacks while
also reducing burdens associated with operational functions.
B. Governors' Policy Statement
1. Western Governors urge Congress to improve coordination of
Congressional oversight and legislative activity on
cybersecurity, including by reducing the number of committees
in Congress that have jurisdiction over this issue.
2. Western Governors support modernizing our systems to be more
resilient to minimize vulnerabilities and protect against
unauthorized access to information and data theft. We request
that FEMA and CISA work collaboratively with Governors in
executing the newly-created State and local cybersecurity grant
program to ensure the funds are administered in a flexible and
measurable manner to all States, Tribes, and territories.
Designated, flexible, and measurable cybersecurity funding
would help ensure that States, Tribes, and territories have
resources to build resilient systems and meet growing
cybersecurity challenges.
3. The Federal Government has a responsibility to provide adequate
funding for States to meet election security needs. Western
Governors encourage Congress and the administration to work
cooperatively with States in developing election security
legislation and mandates, and to fully fund implementation.
4. Federal agencies must engage in early, meaningful, substantive,
and on-going consultation with Governors or their designees on
all aspects of cybersecurity. Western Governors advise the
Federal Government to clearly define the roles for State
representatives in CISA's recently-established Joint Cyber
Defense Collaborative.
5. Western Governors recommend that the Federal Government continue
the DHS State, Local, Tribal, and Territorial Engagement
Program, which provides cybersecurity risk briefings and
resources to Governors and other officials. The Governors also
support CISA Central, with which State chief information
officers regularly interact.
6. The Federal Government must continue to clarify the roles and
responsibilities of Federal agencies in preventing, preparing
for, and responding to cyber attacks. Centralized authority,
points of contact, and formalized communication pathways are
necessary to address increasingly complex threats. In addition,
these pathways must occur at each level within government and
other organizations.
7. The Federal Government must also improve agency coordination to
use often-constrained security resources more efficiently and
harmonize disparate regulations that put an unnecessary burden
on State governments. Western Governors urge Congress to
provide appropriations for the Office of the National Cyber
Director commensurate with the importance of the office's
position in leading Federal coordination efforts.
8. The National Institute for Standards and Technology (NIST)
Cybersecurity Framework and other standards can facilitate
effective, consistent, and risk-based decision making in
Government and industry. Real-world simulations of attacks on
critical infrastructure are essential to prepare our Nation for
potential threats.
9. The Federal Government should build a stronger international
framework for cyber crime and use the full range of economic
tools, including travel and financial sanctions, to deter cyber
attacks organized, supported, or harbored by nation-states.
10. Western Governors recognize the need for States, Tribes, and
territories to work together to address gaps or vulnerabilities
in these systems to reduce disruptions. The public sector,
particularly the Federal Government, must take steps to
mitigate global supply chain and national critical
infrastructure risks (e.g. ransomware) in collaboration with
the private sector.
11. Western Governors implore Congress and the administration to
reduce bureaucratic burdens and change restrictive guidance
related to deploying the National Guard under USC Title 32 for
cybersecurity prevention, detection, and response activities.
Clarifying the use of the National Guard for these purposes and
streamlining the approval process would improve State capacity
to confront cyber attacks, contain threats, and help protect
neighboring jurisdictions. Western Governors also support
efforts to develop civilian cybersecurity reserves, which help
alleviate work force shortages and augment National Guard
forces.
12. The administration should propose, and Congress should provide,
long-term authorization and sufficient appropriations for high-
quality cybersecurity education and work force development
programs to grow and sustain the cybersecurity work force,
including those that target underrepresented populations, those
that include rotational components to retain personnel, and
work-based learning opportunities such as apprenticeships. The
Federal Government should also expand the CyberCorps:
Scholarship for Service program and continue to support
educational initiatives, such as NIST's Initiative for
Cybersecurity Education and National Centers of Academic
Excellence in Cyber Defense.
13. Government and industry should increase the cybersecurity
awareness of Government and private employees through training
and education. Western Governors encourage the Federal
Government to develop a national cybersecurity literacy and
awareness campaign to educate citizens about how to stay safe
on-line and prevent effective cyber attacks.
14. Western Governors support incentives for the creation of and
participation in programs that encourage information sharing
across all levels of government, industry verticals, and regions.
We also support other policies that incentivize the private
sector to improve cybersecurity and share information regarding
cyber threats as early as possible, including policies to
improve access to information or create common standards for
information sharing. The Federal Government should emphasize
the benefits of information sharing, while alleviating private-
sector concerns with this essential communication. The Federal
Government and States should continue to investigate liability
protections, such as safe harbor provisions, for entities that
report cyber intrusions.
15. Our Nation requires innovation in detecting, preventing, and
responding to continually-evolving cyber threats. More research
is required to understand the use of blockchain and encryption
by perpetrators and its utility for defense against cyber
threats, and address vulnerabilities of other emerging
technologies, including connected vehicles and internet of
things devices. The Federal Government should provide funding
and technical assistance for these and other types of
cybersecurity research and development.
C. Governors' Management Directive
1. The Governors direct WGA staff to work with Congressional
committees of jurisdiction, the Executive branch, and other
entities, where appropriate, to achieve the objectives of this
resolution.
2. Furthermore, the Governors direct WGA staff to consult with the
Staff Advisory Council regarding its efforts to realize the
objectives of this resolution and to keep the Governors
apprised of its progress in this regard.
This resolution will expire in December 2024. Western Governors
enact new policy resolutions and amend existing resolutions on a
semiannual basis. Please consult http://www.westgov.org/resolutions for
the most current copy of a resolution and a list of all current WGA
policy resolutions.