[Congressional Record Volume 169, Number 161 (Monday, October 2, 2023)]
[House]
[Pages H4944-H4946]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




    MODERNIZING THE ACQUISITION OF CYBERSECURITY EXPERTS ACT OF 2023

  Mr. COMER. Mr. Speaker, I move to suspend the rules and pass the bill 
(H.R. 4502) to amend title 5, United States Code, to allow Federal 
agencies to establish educational requirements for certain 
cybersecurity positions in the competitive service, and for other 
purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 4502

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Modernizing the Acquisition 
     of Cybersecurity Experts Act of 2023''.

     SEC. 2. EDUCATIONAL REQUIREMENTS FOR COMPETITIVE SERVICE 
                   CYBERSECURITY POSITIONS.

       Section 3308 of title 5, United States Code, is amended--
       (1) by striking ``The Office of Personnel Management'' and 
     inserting ``(a) In General.--Consistent with subsection (b), 
     the Office of Personnel Management''; and
       (2) by adding at the end the following:
       ``(b) Education Requirements for Cybersecurity Positions.--
       ``(1) In general.--With respect to any covered position--
       ``(A) an agency may prescribe a minimum educational 
     requirement for employment in such a position only if a 
     minimum education qualification is required by law to perform 
     the duties of the position in the State or locality where the 
     duties of the position are to be performed; and
       ``(B) an agency may consider education in determining a 
     candidate's satisfaction of any other minimum qualification 
     only if the candidate's education directly reflects the 
     competencies necessary to satisfy that qualification and 
     perform the duties of the position.
       ``(2) Publication.--Not later than one year after the date 
     of the enactment of the Modernizing the Acquisition of 
     Cybersecurity Experts Act of 2023 and annually thereafter, 
     the Office of Personnel Management shall publish on the 
     Office's website--
       ``(A) any changes made to minimum qualifications standards 
     concerning education for covered positions; and
       ``(B) aggregate data indicating the level of educational 
     attainment, sorted by position classification, of all 
     accessions to covered positions.
       ``(3) Covered position defined.--In this subsection, the 
     term `covered position' means--
       ``(A) any position in the competitive service classified 
     under the GS-2210 information technology management series, 
     or any successor series; and
       ``(B) any other position in the competitive service 
     designated as ``cybersecurity'' under the National Initiative 
     for Cybersecurity Education (NICE) Cybersecurity Workforce 
     Framework (NIST Special Publication 800-181), or successor 
     framework.''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Kentucky (Mr. Comer) and the gentleman from Maryland (Mr. Raskin) each 
will control 20 minutes.
  The Chair recognizes the gentleman from Kentucky.


                             General Leave

  Mr. COMER. Mr. Speaker, I ask unanimous consent that all Members have 
5 legislative days in which to revise and extend their remarks and 
include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Kentucky?
  There was no objection.
  Mr. COMER. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of H.R. 4502, the Modernizing the 
Acquisition of Cybersecurity Experts Act.
  The Federal Government relies on cybersecurity professionals to 
protect personally identifiable information, defend against cyber 
threats, and build secure government technology.
  To ensure this work is done effectively, the Federal Government 
desperately needs to hire more cybersecurity experts. The United 
States, however, faces a labor shortage of cybersecurity professionals, 
amounting to nearly 700,000 job vacancies.
  Many cybersecurity experts have the right technical skills and 
experience,

[[Page H4945]]

but Federal hiring managers are not allowed to consider them because 
they lack a formal college degree.
  This bureaucracy creates unnecessary barriers to employing some of 
the best and brightest cybersecurity professionals.
  Mr. Speaker, I urge my colleagues to support this simple and 
necessary bill, and I reserve the balance of my time.
  Mr. RASKIN. Mr. Speaker, I yield myself such time as I may consume.
  As ranking member of the House Committee on Oversight and 
Accountability, I rise in strong support of H.R. 4502, the Modernizing 
the Acquisition of Cybersecurity Experts Act.
  I thank my distinguished colleagues, Representative Nancy Mace from 
South Carolina, who is the chair of the Cybersecurity, Information 
Technology, and Government Innovation Subcommittee, and Representative 
Katie Porter, who is the ranking member of the Health Care and 
Financial Services Subcommittee, for their excellent bipartisan work on 
this bill, something that, yes, does still exist in the U.S. House of 
Representatives.
  This year, more than 750,000 cybersecurity jobs in the United States 
will be left unfilled. Each one is a missed opportunity for a talented 
person and also a missed opportunity for our country.
  These are well-paid positions with great job security. They are 
essential to the protection of our government, the prosperity of our 
businesses, and the security of our communities.

                              {time}  1630

  One big barrier to entry for many of these jobs is the requirement 
that applicants have a college degree, even if that degree has no 
bearing on the technical expertise required to satisfactorily meet the 
demands of the job or to successfully perform the work. Remember that 
Mark Zuckerberg dropped out of college before he created Facebook.
  According to a 2017 study by Harvard Business School, more than 60 
percent of employers turned down qualified applicants in the IT field 
because they didn't have a college degree. Many such applicants were 
turned down even when they sought to fill jobs vacated by individuals 
who also didn't have college degrees.
  This degree inflation excludes people from opportunity. In 2022, less 
than 40 percent of the population over the age of 24 had a bachelor's 
degree.
  As technological and cultural advancements continue to transform the 
nature of the workplace, businesses and public-sector entities alike 
have begun to realize that college degrees are not always effective 
proxies for job qualifications and skills. Often, highly capable 
candidates became that way precisely because they pursued their own 
path in life, a nontraditional route into the workforce. To remain 
competitive and to attract top talent, hiring authorities could no 
longer allow degree inflation to automatically disqualify more than 
half of our workforce.
  H.R. 4502 applies the same logic to the Federal cybersecurity 
workforce which performs the critical work of defending our Federal 
networks and our Federal data from attack. Recognizing the government 
must be competitive to attract high-demand cybersecurity talent to 
public service, the bill eliminates the requirement that a BA degree is 
a prerequisite to Federal hiring for cybersecurity.
  Eliminating unnecessary degree requirements isn't just good for 
business, it is good for workers and especially minority workers who 
are too often excluded from opportunity. In 2022, less than 30 percent 
of the Black population had a bachelor's degree. For the Hispanic 
population, that number is even lower at 21 percent. Addressing degree 
inflation and advancing legislation like this takes steps toward 
creating the more inclusive and fair society that the public wants.
  This bill contributes to a record of strong bipartisan cooperation to 
strengthen Federal cybersecurity and its workforce. Democrats led 
passage of the CHIPS and Science Act last year with increased funding 
for Federal cyber workforce programs, and the Office of the National 
Cyber Director recently published the Biden-Harris administration's 
National Cyber Workforce and Education Strategy. This strategy includes 
a provision encouraging employers to take a more skills-based approach 
to hiring for these cyber positions.
  While Republicans in the House continue the crusade to shut down the 
government--let's hope they have thought better of it now--I do hope 
that Americans see that it is still possible for Congress to come 
together on commonsense legislation like this to advance meaningful 
opportunity in a well-functioning government.
  Mr. Speaker, I urge everyone to support this bill, and I reserve the 
balance of my time.
  Mr. COMER. Mr. Speaker, I yield 5 minutes to the gentlewoman from 
South Carolina (Ms. Mace), the chair of the Oversight Committee 
Subcommittee on Cybersecurity Information Technology, and Government 
Innovation.
  Ms. MACE. Mr. Speaker, I rise today to support our bill, H.R. 4502, 
the Modernizing the Acquisition of Cybersecurity Experts Act. I say 
``our bill,'' because my colleague Katie Porter from California and I 
joined forces.
  I don't have a problem with anyone working and reaching across the 
aisle. No one wants to shut down the Federal Government. We are not on 
a crusade to do that. I just want Congress to follow the law.
  There was a law created in 1974, the Budget Impact and Impoundment 
Control Act, that requires Congress to have a budget in 12 separate 
spending bills. Both sides do it. Both sides are a failure to the 
American people because we don't follow the law. We can't expect our 
fellow Americans to follow the law when we ourselves are unwilling to 
do the work.
  Chuck Schumer has 70 percent of Federal Government spending in his 
in-box right now. No one wants to do that. I don't oppose us working 
across the aisle for government spending or any of that. There is no 
crusade to shut down the Federal Government. I just want Congress to do 
its job and follow the law.
  On to the rest of it. This bill solves a simple problem. You can't 
deem one applicant more qualified for a Federal cybersecurity job 
solely because he or she has a degree in underwater basket weaving.
  I remember the first time I learned to code my first programming 
language. I was actually in college, but college didn't teach me to 
code. I taught myself to code. There are a lot of kids and students and 
adults out there that are teaching themselves to code and finding great 
jobs. When I was a coder, my first job, I got paid $35,000 a year. 
Because of the demands of these jobs today, it is a much better era for 
programmers and engineers.
  I have a family member today who never set foot in college. He 
recently turned 22. He owns his own home, and he makes significantly 
more money than we do as Members of Congress.
  Despite the shortage of over 700,000 cybersecurity professionals in 
the public and private sector, people who don't attend or finish 
college are often barred from consideration for jobs in the field when 
they shouldn't be. There are many, many brilliant programmers and 
computer whizzes out there. There are some that drop out of Harvard 
after a year or two, like Bill Gates. There are many others who have 
gone on to have outstanding careers in IT, technology, cybersecurity, 
et cetera, and they don't have a college degree.
  While the cyber workforce is crucial to our national security, it is 
graying rapidly. According to a report issued last year, there are five 
times as many cybersecurity workers over the age of 55 as there are 
under 30. Only 1 in 16 Federal cybersecurity workers is actually under 
the age of 30.

  This bill would prohibit mandatory degree requirements for Federal 
cybersecurity jobs unless they are legally required to perform the 
duties of the position, which is rarely the case.
  Currently, even entry-level positions in the Federal Government 
require a 4-year degree. Federal cybersecurity professionals help 
secure the information of millions of Americans from cybercriminals and 
hackers sponsored by enemy nation-states. Some of these young people 
literally have the skills to hack these critical systems, but they 
can't get their foot in the door for employment at the same agency. We 
are missing out on a tremendous amount of talent.
  Over the past few years, we have seen leaders from both parties at 
all levels

[[Page H4946]]

of government rolling back degree requirements resulting in greater 
economic opportunity for every American, no matter their ZIP Code.
  Many large companies have done away with unnecessary degree 
requirements. If the government was run like a business, I think we 
would be much better off.
  This bipartisan bill codifies--I hope no one's head explodes today--a 
Trump-era executive order maintained by the Biden administration. I can 
think of nothing more bipartisan than this.
  Lastly, I thank my colleague Katie Porter from California for her 
work on this valuable piece of legislation.
  Mr. RASKIN. Mr. Speaker, I yield 4 minutes to the gentlewoman from 
California (Ms. Porter).
  Ms. PORTER. Mr. Speaker, I thank Chairman Comer and Ranking Member 
Raskin for recognizing me.
  I rise today in support of legislation that I partnered on with 
Congresswoman Mace to modernize hiring guidance for Federal 
cybersecurity security jobs. She and I both agree that government 
employees should be the best in the business. Taxpayers deserve nothing 
less from the people we employ.
  How do we get the best of the best into our Federal jobs? Just like 
in any market, it all comes down to one thing: fostering competition.
  For too long, overly restrictive Federal hiring guidance has stifled 
competition and prevented Federal agencies from being able to hire the 
best applicants for cybersecurity jobs if they don't meet all of the 
stringent educational requirements.
  If who gets hired for our Federal jobs always comes down to just one 
credential, our government is going to miss out on some great 
employees.
  No part of the Federal Government should disqualify an individual 
from winning the competition for a Federal job based on whether they 
have one type of educational credential. We are only going to figure 
out who is best to fill a role if we let all qualified candidates show 
us all their qualifications.
  The truth is, there is not one type of educational experience that is 
always going to make a cybersecurity professional the best of the best. 
I am a former college professor, and I know that a lot of people will 
learn skills in their college degree programs that prepare them to be a 
Federal cybersecurity professional. At the same time, I also know that 
college isn't affordable and accessible for everyone, and the reality 
is that many people gain the skills necessary to succeed at Federal 
cybersecurity jobs through other life experiences.
  The door must be open to both types of qualified candidates, and the 
Federal Government should then be able to pick who is most prepared to 
do the job based on a holistic view of the candidates.
  The Modernizing the Acquisition of Cybersecurity Experts, MACE, Act 
stops the Federal Government from ruling out people without a specific 
educational credential. Instead, it lets all qualified applicants 
compete and gives the Federal Government more choices. This is 
something we should be able to agree on regardless of party.
  This bill mirrors an executive order that was issued under President 
Trump and President Biden has chosen to keep it on the books today. It 
has worked under administrations of both parties, and now we need to 
make it permanent in our law.
  Mr. Speaker, I urge my Democratic and Republican colleagues to 
support this bill. We can only have the best Federal cybersecurity 
professionals when we have had the chance to consider all of the 
qualified candidates, and the MACE Act will give us this chance.
  Mr. RASKIN. Mr. Speaker, I yield myself such time as I may consume.
  I thank the distinguished gentlewoman from California for her 
introduction of this legislation with Congresswoman Mace and for her 
leadership here.
  The gentlewoman is absolutely right that there are people who may 
have gotten a college degree and a Ph.D. in some other field but are 
completely unprepared and unqualified to have a cybersecurity 
professional's job in the Federal Government, and there are those who 
never went to college at all who would be excellently prepared based on 
what their professional and life experience has been.
  I thank them for moving in this direction, and I hope we can look at 
some other parts of Federal hiring to make sure we are making 
equivalent adjustments, so we are getting, as the gentlewoman says, the 
best candidates.
  I am wondering--and I would yield to the gentleman for a second, if 
he knows the answer to this.
  Is it just a happy coincidence that the acronym for this legislation 
is the MACE Act? Was that pure coincidence? I don't know.
  In any event, I congratulate Ms. Mace and Ms. Porter on this 
excellent legislation, and I yield back the balance of my time.
  Mr. COMER. Mr. Speaker, the Modernizing the Acquisition of 
Cybersecurity Experts Act will ensure that the Federal Government can 
hire any qualified cybersecurity professional as long as they have the 
right knowledge and skills even if they do not have a fancy degree. I 
encourage my House colleagues to support this commonsense government 
transparency bill, the MACE Act, sponsored by Chairwoman Nancy Mace, 
that will make America smarter and more secure.
  Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Kentucky (Mr. Comer) that the House suspend the rules 
and pass the bill, H.R. 4502, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. COMER. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this motion will be postponed.

                          ____________________