[Senate Report 115-385]
[From the U.S. Government Publishing Office]


                                                     Calendar No. 671
115th Congress      }                        {                Report
                                 SENATE
 2nd Session        }                        {                115-385
_______________________________________________________________________

                                     

                                                      

         FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM ACT OF 2018

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 3437

           TO ESTABLISH A FEDERAL ROTATIONAL CYBER WORKFORCE
                PROGRAM FOR THE FEDERAL CYBER WORKFORCE
                
                
                
                
                
                












               November 26, 2018.--Ordered to be printed
                                   ______

                      U.S. GOVERNMENT PUBLISHING OFFICE 

89-010                      WASHINGTON : 2018
               
               
               
               
               
               
               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma             GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming             MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota            KAMALA D. HARRIS, California
STEVE DAINES, Montana                DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
    Courtney J. Allen, Deputy Chief Counsel for Governmental Affairs
               Margaret E. Daum, Minority Staff Director
       Charles A. Moskowitz, Minority Senior Legislative Counsel
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk









                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 3437]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 3437) to establish 
a Federal rotational cyber workforce program for the Federal 
cyber workforce, having considered the same, reports favorably 
thereon with an amendment (in the nature of a substitute), and 
recommends that the bill, as amended, do pass.

                                CONTENTS

  I. Purpose and Summary
 II. Background and the Need for Legislation
III. Legislative History
 IV. Section-by-Section Analysis
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

                         I. PURPOSE AND SUMMARY

    The purpose of S. 3437 is to create a rotational cyber 
workforce program in which Federal employees in cyber workforce 
positions can be detailed to another agency to perform cyber 
functions. This program will enable Federal cyber workforce 
employees to enhance their cyber skills with experience from 
executing the cyber missions of other agencies.

              II. BACKGROUND AND THE NEED FOR LEGISLATION

    Federal cyber workforce management challenges have been on 
the High-Risk List of the Government Accountability Office 
(GAO) since 2003.\1\ In that report, GAO stated that ``agencies 
must have the technical expertise they need to select, 
implement, and maintain controls that protect their information 
systems. Similarly, the federal government must maximize the 
value of its technical staff by sharing expertise and 
information. [T]he availability of adequate technical and audit 
expertise is a continuing concern to agencies.''\2\ In 2011, 
GAO reported that many Federal agencies still experienced 
difficulty hiring employees for more technical cyber positions 
or for positions that require other more specialized skills.\3\ 
In its 2017 High-Risk List, GAO reported that ``the federal 
government needs to expand its cyber workforce planning and 
training efforts. Federal agencies need to enhance efforts for 
recruiting and retaining a qualified cybersecurity workforce 
and improve cybersecurity workforce planning activities.''\4\
---------------------------------------------------------------------------
    \1\ Gov't Accountability Off., GAO-03-121, High-Risk Series: 
Protecting Information Systems Supporting the Federal Government and 
the Nation's Critical Infrastructures 14-15 (Jan. 2003).
    \2\ Id.
    \3\ Gov't Accountability Off., GAO-12-8, Cybersecurity Human 
Capital: Initiatives Need Better Planning and Coordination 20-22 (Nov. 
2011).
    \4\ Gov't Accountability Off., GAO-17-317, High-Risk Series: 
Progress on Many High-Risk Areas, While Substantial Efforts Needed on 
Others 342 (Feb. 2017).
---------------------------------------------------------------------------
    The Federal Cybersecurity Workforce Assessment Act of 2015 
initiated cyber workforce planning efforts by requiring 
agencies to identify cyber positions in the Federal 
workforce.\5\ The Office of Personnel Management (OPM), the 
agency tasked with managing human resources of the Federal 
Government, issued guidance for Federal agencies to identify 
their current cyber workforce positions.\6\ OPM's guidance 
included a deadline of April 2019 for Federal agencies to 
``report their greatest skill shortages; analyze the root cause 
of the shortages; and provide action plans, targets and 
measures for mitigating the critical skill shortages.''\7\ OPM 
stated it would use these agency reports to ``identify common 
needs to address from the Governmentwide perspective.''\8\
---------------------------------------------------------------------------
    \5\ Federal Cybersecurity Workforce Assessment Act of 2015, Pub. L. 
No. 114-113, Sec. 303, 129 Stat. 2242, 2975, 2975-77 (2015).
    \6\ Memorandum from Mark D. Reinhold, Associate Director, Employee 
Services, Off. of Personnel Mgmt., to Human Resource Directors, U.S. 
Gov't (Apr. 2, 2018).
    \7\ Id.
    \8\ Id.
---------------------------------------------------------------------------
    On June 23, 2018, the Office of Management and Budget (OMB) 
issued a government reorganization plan for the purposes of 
improving efficiencies in government operations and realigning 
the structure of the Federal Government to effectuate those 
improvements.\9\ Included in the reorganization plan is a 
proposal to address the cyber workforce shortage in the Federal 
Government.\10\ OMB noted:
---------------------------------------------------------------------------
    \9\ Off. of Mgmt. and Budget, Exec. Office of the President, 
Delivering Government Solutions in the 21st Century: Reform Plan and 
Reorganization Recommendations 108 (June 21, 2018), available at 
https://www.performance.gov/GovReform/Reform-and-Reorg-Plan-Final.pdf.
    \10\ Id.

        [E]ach Federal department and agency was responsible 
        for addressing its own cybersecurity workforce gaps 
        independently, which has led to disaggregated and 
        redundant Federal programs. As a result, the Government 
        lacks a comprehensive, risk-derived understanding of 
        which cybersecurity skillsets the Federal enterprise 
        needs to develop and which positions are most critical 
        to fill.
          Moreover, the manner in which departments and 
        agencies recruit, hire, retain, and compensate 
        cybersecurity personnel varies by agency. This uneven 
        approach has created internal competition for talent, 
        which in turn creates disparities and discontinuities 
        that degrade agencies' ability to defend networks from 
        malicious actors and respond to cyber incidents. A 
        unified approach to attracting and retaining 
        cybersecurity talent within the Federal Government 
        would better support the Government's cybersecurity 
        enterprise.\11\
---------------------------------------------------------------------------
    \11\ Id.

    The reorganization plan calls for the establishment of a 
unified cybersecurity Federal workforce across the 
Government.\12\ In order to unify the cybersecurity workforce, 
Federal agencies are categorizing and cataloguing their 
cybersecurity workforces ``to better understand our current set 
of knowledge, skills, abilities, and identify any gaps.''\13\ 
This inventory of cybersecurity workforce positions will 
provide ``Government-wide insight into where [the] most 
pressing needs are, and, for the first time, enable the 
development of an enterprise-wide approach to the recruitment, 
placement, and training of cybersecurity talent.''\14\
---------------------------------------------------------------------------
    \12\ Id.
    \13\ Id.
    \14\ Id. at 109.
---------------------------------------------------------------------------
    This bill would complement the Federal cyber workforce 
initiatives begun under the Federal Cybersecurity Workforce 
Assessment Act of 2015 and the OMB reorganization plan by 
creating a Federal rotational cyber workforce program in which 
cyber personnel can detail to other agencies to help fill 
skills gaps for agencies' cyber-related functions. S. 3437 
requires Federal agencies to determine which cyber positions 
should be eligible for the rotation and report those positions 
to OPM. OPM will then distribute a list of positions available 
for participation in the program to each agency. It also 
requires OPM, the Chief Human Capital Officers Council, and DHS 
to develop an operation plan for the Federal rotational cyber 
workforce program that establishes the procedures and 
requirements for the program, including the employee 
application and selection process and agency management of 
cyber employees participating in the program.
    The bill limits a cyber employee's participation in the 
Federal rotational cyber workforce program to a period of 180 
days, with the option for a 60-day extension. Once a cyber 
employee completes participation in the program, the employee 
is required to return to the Federal agency from which he or 
she was detailed to serve for a period of time that is equal in 
length to the period of the detail.
    The Federal rotational cyber workforce program sunsets five 
years after the date of enactment of this bill. This bill also 
requires GAO to issue a report on the program and any effect 
the program has on improving Federal employees' cyber-related 
skills or on intra-agency and interagency coordination of cyber 
functions and personnel management.

                        III. LEGISLATIVE HISTORY

    S. 3437 was introduced on September 12, 2018, by Senators 
Gary Peters (D-MI) and John Hoeven (R-ND). The bill was 
referred to the Committee on Homeland Security and Governmental 
Affairs on September 12, 2018.
    The Committee considered S. 3437 at a business meeting on 
September 26, 2018. During the business meeting, Senator Peters 
offered a substitute amendment that removed the program's 
exemptions from the Federal Service Labor-Management Relations 
Statute. The substitute amendment was modified to clarify that 
participation in the program is not subject to collective 
bargaining. The amendment, as modified, was adopted by voice 
vote en bloc with Senators Johnson, Portman, Lankford, Enzi, 
Hoeven, McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, 
and Jones present.
    The legislation, as amended, was passed by voice vote en 
bloc with Senators Johnson, Portman, Lankford, Enzi, Hoeven, 
McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones 
present.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section establishes the short title of the bill as the 
``Federal Rotational Cyber Workforce Program Act of 2018.''

Section 2. Definitions

    This section defines the terms ``agency,'' ``Council,'' 
``cyber workforce position,'' ``Director,'' ``employee,'' 
``employing agency,'' ``rotational cyber workforce position,'' 
and ``rotational cyber workforce program.''

Section 3. Rotational cyber workforce positions

    This section determines how agencies will select positions 
that are eligible for participation in the Federal rotational 
cyber workforce program.
    Under subsection (a), the head of an agency determines 
whether a cyber workforce position is eligible for 
participation in the program and submits to the OPM Director a 
notice of such determination.
    Subsection (b) requires the OPM Director, with assistance 
from the Chief Human Capital Officers Council and the 
Department of Homeland Security, to develop a list of 
rotational cyber workforce positions in the program and 
information about each position.
    Subsection (c) requires the OPM Director to distribute the 
list developed under subsection (b) on an annual basis to each 
agency.

Section 4. Rotational cyber workforce program

    This section prescribes the development and operation of 
the Federal rotational cyber workforce program.
    Subsection (a) requires the OPM Director to consult with 
the Chief Human Capital Officers Council and the Chief 
Information Officer for the Department of Homeland Security and 
develop and issue an operation plan for the Federal rotational 
cyber workforce program.
    Subsection (b) lists requirements for the operation plan 
developed in subsection (a). The operation plan must identify 
agencies and establish procedures for participation in the 
program, such as requirements for training, education, and 
career development for participation and any other 
prerequisites or other requirements to participate. The 
operation plan for the program must also include performance 
measures and other accountability measures in order to evaluate 
the program. The plan must ensure voluntary participation in 
the program and agency approval of any participating employee. 
The operation plan must also establish the logistics of 
detailing employees between agencies or at other agencies on a 
non-reimbursable basis, of managing employees detailed in the 
program, and of returning program participants to their 
positions in their employing agencies after participating in 
the program.
    Subsection (c) establishes the process by which employees 
are selected to participate in the program. An employee in a 
cyber workforce position must seek approval from their agency 
to apply for a rotational cyber workforce position included in 
the list of eligible program positions developed under 
subsection 3(b). When selecting participants for a rotational 
cyber workforce position, the agency in which that position is 
located must adhere to the merit system principles. The 
duration of a detail to a rotational cyber workforce position 
under this program is for a period of 180 days to up to 1 year, 
with an option to extend this period for up to an additional 60 
days. Under this subsection, an employee participating in the 
program must enter into a written service agreement with the 
employing agency to complete a period of employment after 
participating in the program.

Section 5. Reporting by GAO

    This section requires GAO to assess and report on the 
operation of the Federal rotational cyber workforce program and 
any effect the program has on improving employees' 
cyber-related skills or on intra-agency and interagency coordination 
of cyber functions and personnel management.

Section 6. Sunset

    Under this section, the Federal rotational cyber workforce 
program terminates five years after the date of enactment of 
this bill.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, October 26, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 3437, the Federal 
Rotational Cyber Workforce Program Act of 2018.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

S. 3437--Federal Rotational Cyber Workforce Program Act of 2018

    S. 3437 would direct the Office of Personnel Management to 
create policies and procedures to allow federal cybersecurity 
professionals to temporarily move from one agency to another 
for up to one year. The authority would expire in five years. 
CBO estimates that implementing S. 3437 would cost less than 
$500,000 annually over the 2019-2023 period for new 
regulations, additional staff training, and administrative 
expenses. Any spending would be subject to the availability of 
appropriated funds.
    Enacting S. 3437 could affect direct spending by some 
agencies (such as the Tennessee Valley Authority) because they 
are authorized to use receipts from the sale of goods, fees, 
and other collections to cover their operating costs; 
therefore, pay-as-you-go procedures apply. Because most of 
those agencies can make adjustments to the amounts collected, 
CBO estimates that any net changes in direct spending by those 
agencies would not be significant. Enacting the bill would not 
affect revenues.
    CBO estimates that enacting S. 3437 would not significantly 
increase net direct spending or on-budget deficits in any of 
the four consecutive 10-year periods beginning in 2029.
    S. 3437 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is Matthew 
Pickford. The estimate was reviewed by H. Samuel Papenfuss, 
Deputy Assistant Director for Budget Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because S. 3437 would not repeal or amend any provision of 
current law, it would make no changes in existing law within 
the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI 
of the Standing Rules of the Senate.
