[Senate Report 116-15]
[From the U.S. Government Publishing Office]


                                                            Calendar No. 46
                                                            
116th Congress   }                                        {   Report
                               SENATE                                
1st Session      }                                        {   116-15
_______________________________________________________________________

                                     

                                                        


         FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM ACT OF 2019

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                 S. 406

   TO ESTABLISH A FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM FOR THE 
                        FEDERAL CYBER WORKFORCE
                        
                        
                        

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




                 March 25, 2019.--Ordered to be printed
                 
                 
                         _______________
                 
                 U.S. GOVERNMENT PUBLISHING OFFICE
                   
 89-010                  WASHINGTON : 2019                        
                 
                 
                 
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
                   Joseph C. Folio III, Chief Counsel
    Courtney J. Allen, Deputy Chief Counsel for Governmental Affairs
               David M. Weinberg, Minority Staff Director
               Zachary I. Scharm, Minority Chief Counsel
         Alexa E. Noruk, Minority Director of Homeland Security
                     Laura W. Kilbride, Chief Clerk




                                                        Calendar No. 46
                                                        
116th Congress   }                                            {  Report
                                 SENATE
 1st Session     }                                            {  116-15

======================================================================



 
         FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM ACT OF 2019

                                _______
                                

                 March 25, 2019.--Ordered to be printed

                                _______
                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 406]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 406) to establish a 
Federal rotational cyber workforce program for the Federal 
cyber workforce, having considered the same, reports favorably 
thereon with an amendment and recommends that the bill, as 
amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
 IV. Section-by-Section Analysis......................................4
  V. Evaluation of Regulatory Impact..................................5
 VI. Congressional Budget Office Cost Estimate........................6
VII. Changes in Existing Law Made by the Bill, as Reported............7

                         I. PURPOSE AND SUMMARY

    The purpose of S. 406, the Federal Rotational Cyber 
Workforce Program Act of 2019, is to create a rotational cyber 
workforce program in which Federal employees in cyber workforce 
positions can be detailed to another agency to perform cyber 
functions. This program will enable Federal cyber workforce 
employees to enhance their cyber skills with experience from 
executing the cyber missions of other agencies.\1\
---------------------------------------------------------------------------
    \1\On September 26, 2018, the Committee approved S. 3437, Federal 
Rotational Cyber Workforce Program Act of 2018. That bill is 
substantially similar to S. 406. Accordingly, this committee report is 
in large part a reproduction of Chairman Johnson's committee report for 
S. 3437, S. Rep. No. 115-385.
---------------------------------------------------------------------------

              II. BACKGROUND AND NEED FOR THE LEGISLATION

    Federal cyber workforce management challenges have been on 
the High-Risk List of the Government Accountability Office 
(GAO) since 2003.\2\ In that report, GAO stated that ``agencies 
must have the technical expertise they need to select, 
implement, and maintain controls that protect their information 
systems. Similarly, the federal government must maximize the 
value of its technical staff by sharing expertise and 
information. [T]he availability of adequate technical and audit 
expertise is a continuing concern to agencies.''\3\ In 2011, 
GAO reported that many Federal agencies still experienced 
difficulty hiring employees for more technical cyber positions 
or for positions that require other more specialized skills.\4\ 
In its 2017 High Risk List, GAO reported that ``the federal 
government needs to expand its cyber workforce planning and 
training efforts. Federal agencies need to enhance efforts for 
recruiting and retaining a qualified cybersecurity workforce 
and improve cybersecurity workforce planning activities.''\5\
---------------------------------------------------------------------------
    \2\Gov't Accountability Off., GAO-03-121, High-Risk Series: 
Protecting Information Systems Supporting the Federal Government and 
the Nation's Critical Infrastructures 14-15 (Jan. 2003).
    \3\Id.
    \4\Gov't Accountability Off., GAO-12-8, Cybersecurity Human 
Capital: Initiatives Need Better Planning and Coordination 20-22 (Nov. 
2011).
    \5\Gov't Accountability Off., GAO-17-317, High-Risk Series: 
Progress on Many High-Risk Areas, While Substantial Efforts Needed on 
Others 342 (Feb. 2017).
---------------------------------------------------------------------------
    The Federal Cybersecurity Workforce Assessment Act of 2015 
initiated cyber workforce planning efforts by requiring 
agencies to identify cyber positions in the Federal 
workforce.\6\ The Office of Personnel Management (OPM), the 
agency tasked with managing human resources of the Federal 
Government, issued guidance for Federal agencies to identify 
their current cyber workforce positions.\7\ OPM's guidance 
included a deadline of April 2019 for Federal agencies to 
``report their greatest skill shortages; analyze the root cause 
of the shortages; and provide action plans, targets and 
measures for mitigating the critical skill shortages.''\8\ OPM 
stated it would use these agency reports to ``identify common 
needs to address from the Governmentwide perspective.''\9\
---------------------------------------------------------------------------
    \6\Federal Cybersecurity Workforce Assessment Act of 2015, Pub. L. 
No. 114-113, Sec. 303, 129 Stat. 2242, 2975, 2975-77 (2015).
    \7\Memorandum from Mark D. Reinhold, Associate Director, Employee 
Services, Off. of Personnel Mgmt., to Human Resource Directors, U.S. 
Gov't (Apr. 2, 2018).
    \8\Id.
    \9\Id.
---------------------------------------------------------------------------
    On June 23, 2018, the Office of Management and Budget (OMB) 
issued a government reorganization plan for the purposes of 
improving efficiencies in government operations and realigning 
the structure of the Federal Government to effectuate those 
improvements.\10\ Included in the reorganization plan is a 
proposal to address the cyber workforce shortage in the Federal 
Government.\11\ OMB noted:
---------------------------------------------------------------------------
    \10\Off. of Mgmt. and Budget, Exec. Office of the President, 
Delivering Government Solutions in the 21st Century: Reform Plan and 
Reorganization Recommendations 108 (June 21, 2018), available at 
https://www.performance.gov/GovReform/Reform-and-Reorg-Plan-Final.pdf.
    \11\Id.

          [E]ach Federal department and agency was responsible 
        for addressing its own cybersecurity workforce gaps 
        independently, which has led to disaggregated and 
        redundant Federal programs. As a result, the Government 
        lacks a comprehensive, risk-derived understanding of 
        which cybersecurity skillsets the Federal enterprise 
        needs to develop and which positions are most critical 
        to fill.
          Moreover, the manner in which departments and 
        agencies recruit, hire, retain, and compensate 
        cybersecurity personnel varies by agency. This uneven 
        approach has created internal competition for talent, 
        which in turn creates disparities and discontinuities 
        that degrade agencies' ability to defend networks from 
        malicious actors and respond to cyber incidents. A 
        unified approach to attracting and retaining 
        cybersecurity talent within the Federal Government 
        would better support the Government's cybersecurity 
        enterprise.\12\
---------------------------------------------------------------------------
    \12\Id.

    The reorganization plan calls for the establishment of a 
unified cybersecurity Federal workforce across the 
Government.\13\ In order to unify the cybersecurity workforce, 
Federal agencies are categorizing and cataloguing their 
cybersecurity workforces ``to better understand our current set 
of knowledge, skills, abilities, and identify any gaps.''\14\ 
This inventory of cybersecurity workforce positions will 
provide ``Government-wide insight into where [the] most 
pressing needs are, and, for the first time, enable the 
development of an enterprise-wide approach to the recruitment, 
placement, and training of cybersecurity talent.''\15\
---------------------------------------------------------------------------
    \13\Id.
    \14\Id. at 109.
    \15\Id.
---------------------------------------------------------------------------
    This bill would complement the Federal cyber workforce 
initiatives begun under the Federal Cybersecurity Workforce 
Assessment Act of 2015 and the OMB reorganization plan by 
creating a Federal rotational cyber workforce program in which 
cyber personnel can detail to other agencies to help fill 
skills gaps for agencies' cyber-related functions. S. 406 
requires Federal agencies to determine which cyber positions 
should be eligible for the rotation and report those positions 
to OPM. OPM will then distribute a list of positions available 
for participation in the program to each agency. It also 
requires OPM, the Chief Human Capital Officers Council, and DHS 
to develop an operation plan for the Federal rotational cyber 
workforce program that establishes the procedures and 
requirements for the program, including the employee 
application and selection process and agency management of 
cyber employees participating in the program.
    The bill limits a cyber employee's participation in the 
Federal rotational cyber workforce program to a period of 180 
days, with the option for a 60-day extension. Once a cyber 
employee completes participation in the program, the employee 
is required to return to the Federal agency from which he or 
she was detailed to serve for a period of time that is equal in 
length to the period of the detail.
    The Federal rotational cyber workforce program sunsets five 
years after the date of enactment of this bill. This bill also 
requires GAO to issue a report on the program and any effect 
the program has on improving Federal employees' cyber-related 
skills or on intra-agency and interagency coordination of cyber 
functions and personnel management.

                        III. LEGISLATIVE HISTORY

    S. 406 was introduced on February 7, 2019, by Senators Gary 
Peters (D-MI), John Hoeven (R-ND), Margaret Hassan (D-NH), and 
Ron Johnson (R-WI). The bill was referred to the Committee on 
Homeland Security and Governmental Affairs on February 7, 2019.
    The Committee considered S. 406 at a business meeting on 
February 13, 2019. The legislation was passed by voice vote en 
bloc with Senators Johnson, Portman, Paul, Lankford, Romney, 
Scott, Enzi, Hawley, Peters, Carper, Hassan, Harris, Sinema, 
and Rosen present.
    Consistent with Committee rules, the Committee reports the 
bill with a technical and conforming amendment.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section established the short title of the bill as the 
``Federal Rotational Cyber Workforce Program Act of 2019.''

Section 2. Definitions

    This section defines the terms ``agency,'' ``Council,'' 
``cyber workforce position,'' ``Director,'' ``employee,'' 
``employing agency,'' ``rotational cyber workforce position,'' 
and ``rotational cyber workforce program.''

Section 3. Rotational cyber workforce positions

    This section determines how agencies will select positions 
that are eligible for participation in the Federal rotational 
cyber workforce program.
    Under subsection (a), the head of an agency determines 
whether a cyber workforce position is eligible for 
participation in the program and submits to the OPM Director a 
notice of such determination.
    Subsection (b) requires the OPM Director, with assistance 
from the Chief Human Capital Officers Council and the 
Department of Homeland Security, to develop a list of 
rotational cyber workforce positions in the program and 
information about each position.
    Subsection (c) requires the OPM Director to distribute the 
list developed under subsection (b) on an annual basis to each 
agency.

Section 4. Rotational cyber workforce program

    This section prescribes the development and operation of 
the Federal rotational cyber workforce program.
    Subsection (a) requires the OPM Director to consult with 
the Chief Human Capital Officers Council and the Chief 
Information Officer for the Department of Homeland Security and 
develop and issue an operation plan for the Federal rotational 
cyber workforce program.
    Subsection (b) lists requirements for the operation plan 
developed in subsection (a). The operation plan must identify 
agencies and establish procedures for participation in the 
program, such as requirements for training, education, and 
career development for participation and any other 
prerequisites or other requirements to participate. The 
operation plan for the program must also include performance 
measures and other accountability measures in order to evaluate 
the program. The plan must ensure voluntary participation in 
the program and agency approval of any participating employee. 
The operation plan must also establish the logistics of 
detailing employees between agencies or at other agencies on a 
non-reimbursable basis, of managing employees detailed in the 
program, and of returning program participants to their 
positions in their employing agencies after participating in 
the program.
    Subsection (c) establishes the process by which employees 
are selected to participate in the program. An employee in a 
cyber workforce position must seek approval from their agency 
to apply for a rotational cyber workforce position included in 
the list of eligible program positions developed under 
subsection 3(b). When selecting participants for a rotational 
cyber workforce position, the agency in which that position is 
located must adhere to the merit system principles. The 
duration of a detail to a rotational cyber workforce position 
under this program is for a period of 180 days to up to 1 year, 
with an option to extend this period for up to an additional 60 
days. Under this subsection, an employee participating in the 
program must enter into a written service agreement with the 
employing agency to complete a period of employment after 
participating in the program.

Section 5. Reporting by GAO

    This section requires GAO to assess and report on the 
operation of the Federal rotational cyber workforce program and 
any effect the program has on improving employees' cyber-
related skills or on intra-agency and interagency coordination 
of cyber functions and personnel management.

Section 6. Sunset

    Under this section, the Federal rotational cyber workforce 
program terminates five years after the date of enactment of 
this bill.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                                 February 28, 2019.
Hon. Ron Johnson, Chairman, 
Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 406, the Federal 
Rotational Cyber Workforce Program Act of 2019.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is David Hughes.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

    S. 406 would direct the Office of Personnel Management to 
create policies and procedures to allow federal cybersecurity 
professionals to temporarily move from one agency to another 
for up to one year. That authority would expire five years 
following enactment.
    CBO estimates that implementing S. 406 would cost less than 
$500,000 annually over the 2019-2024 period for new 
regulations, staff training, and administrative expenses. Any 
spending would be subject to the availability of appropriated 
funds.
    Enacting S. 406 could affect direct spending by some 
agencies (such as the Tennessee Valley Authority) because they 
are authorized to use receipts from the sale of goods, fees, 
and other collections to cover their operating costs. Because 
most of those agencies can adjust the amounts collected, CBO 
estimates that any net changes in direct spending by those 
agencies would be negligible.
    The CBO staff contact for this estimate is David Hughes. 
The estimate was reviewed by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because S. 406 would not repeal or amend any provision of 
current law, it would make no changes in existing law within 
the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI 
of the Standing Rules of the Senate.