[Senate Report 117-131]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 446
117th Congress      }                                   {       Report
                                 SENATE
 2d Session         }                                   {      117-131
_______________________________________________________________________

                                     



             FEDERAL CYBERSECURITY WORKFORCE EXPANSION ACT

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2274

           TO AUTHORIZE THE DIRECTOR OF THE CYBERSECURITY AND
             INFRASTRUCTURE SECURITY AGENCY TO ESTABLISH AN
            APPRENTICESHIP PROGRAM AND TO ESTABLISH A PILOT
           PROGRAM ON CYBERSECURITY TRAINING FOR VETERANS AND
  MEMBERS OF THE ARMED FORCES TRANSITIONING TO CIVILIAN LIFE, AND FOR 
                             OTHER PURPOSES







[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]








                 July 18, 2022.--Ordered to be printed   
                 
                             _________
                              
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
29-010                   WASHINGTON : 2022
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
            Lena C. Chang, Director of Governmental Affairs
              Devin M. Parsons, Professional Staff Member
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
       Cara G. Mumford, Minority Director of Governmental Affairs
                  Andrew J. Hopkins, Minority Counsel
                     Laura W. Kilbride, Chief Clerk


















                                                      Calendar No. 446
117th Congress      }                                   {       Report
                                 SENATE
 2d Session         }                                   {      117-131

======================================================================



 
             FEDERAL CYBERSECURITY WORKFORCE EXPANSION ACT

                                _______
                                

                 July 18, 2022.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2274]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2274) to authorize 
the Director of the Cybersecurity and Infrastructure Security 
Agency to establish an apprenticeship program and to establish 
a pilot program on cybersecurity training for veterans and 
members of the Armed Forces transitioning to civilian life, and 
for other purposes, having considered the same, reports 
favorably thereon with an amendment (in the nature of a 
substitute) and recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                     Page
  I. Purpose and Summary..............................................  1
 II. Background and Need for the Legislation..........................  2
III. Legislative History..............................................  4
 IV. Section-by-Section Analysis of the Bill, as Reported.............  4
  V. Evaluation of Regulatory Impact..................................  7
 VI. Congressional Budget Office Cost Estimate........................  8
VII. Changes in Existing Law Made by the Bill, as Reported...........  10

                         I. Purpose and Summary

    S. 2274, the Federal Cybersecurity Workforce Expansion Act, 
augments cybersecurity workforce development pathways by adding 
two new pilot programs. The bill establishes a five-year 
cybersecurity registered apprenticeship pilot program within 
the Department of Homeland Security (DHS). The bill also 
directs the Secretary of Homeland Security, in coordination 
with the Secretary of Veterans Affairs, to establish a pilot 
program to provide cybersecurity training at no cost to 
veterans and military spouses.

              II. Background and Need for the Legislation

    There is a national shortage of qualified cybersecurity 
personnel. According to CyberSeek, a project supported by the 
National Initiative for Cybersecurity Education (NICE) at the 
National Institute of Standards and Technology (NIST), there 
are nearly 600,000 cybersecurity job openings in the United 
States, including nearly 40,000 in the public sector.\1\
---------------------------------------------------------------------------
    \1\Cyberseek, Interactive Map (www.cyberseek.org/heatmap.html) 
(accessed Dec. 14, 2021).
---------------------------------------------------------------------------
    The consistent shortage of cybersecurity personnel 
represents a high risk to national security. Federal cyber 
workforce management challenges have been on the High-Risk List 
of the Government Accountability Office (GAO) since 2003.\2\ In 
a 2003 High-Risk Series report, GAO stated:
---------------------------------------------------------------------------
    \2\Government Accountability Office, High-Risk Series: Protecting 
Information Systems Supporting the Federal Government and the Nation's 
Critical Infrastructures (GAO-03-121) (Jan. 2003) (www.gao.gov/assets/
gao-03-121.pdf).

          Agencies must have the technical expertise they need 
        to select, implement, and maintain controls that 
        protect their information systems. Similarly, the 
        federal government must maximize the value of its 
        technical staff by sharing expertise and information. 
        The availability of adequate technical and audit 
        expertise is a continuing concern to agencies.\3\
---------------------------------------------------------------------------
    \3\Id.

    In a March 2021 High-Risk Series report, GAO noted that 
``federal agencies continue to face challenges in addressing 
needs related to their cyber workforce'' and that the Office of 
Management and Budget and DHS need to take dedicated action to 
address the cybersecurity workforce shortage.\4\
---------------------------------------------------------------------------
    \4\Government Accountability Office, High-Risk Series: Federal 
Government Needs to Urgently Pursue Critical Actions to Address Major 
Cybersecurity Challenges (GAO-21-288) (Mar. 2021) (www.gao.gov/assets/
gao-21-288.pdf).
---------------------------------------------------------------------------
    The problem of cybersecurity workforce shortages has taken 
on new urgency as the United States faces escalating threats 
from hostile cyber actors. On May 12, 2021, multiple high-
profile cybersecurity incidents including the SolarWinds 
security breach, Microsoft Exchange Server hack, and Colonial 
Pipeline ransomware attack prompted President Biden to issue an 
Executive Order aimed at improving the nation's cybersecurity 
preparedness systems.\5\ As part of the Biden Administration's 
cyber preparedness efforts, DHS Secretary Mayorkas launched a 
60-Day Cybersecurity Workforce Sprint in early May 2021.\6\ On 
July 1, 2021, the Secretary announced that 12% of over 2,000 
vacancies had been filled as a result of the hiring sprint, 
noting that although progress has been made, ``we still have 
more work to do.''\7\
---------------------------------------------------------------------------
    \5\Exec. Order No. 14028, 86 Fed. Reg. 26633 (May 12, 2021).
    \6\Department of Homeland Security, Secretary Mayorkas Urges Small 
Businesses to Protect Themselves Against Ransomware (May 5, 2021) 
(www.dhs.gov/news/2021/05/05/secretary-mayorkas-urges-small-businesses-
protect-themselves-against-ransomware).
    \7\Department of Homeland Security, Secretary Mayorkas Announces 
Most Successful Cybersecurity Hiring Initiative in DHS History (July 1, 
2021) (www.dhs.gov/news/2021/07/01/secretary-mayorkas-announces-most-
successful-cybersecurity-hiring-initiative-dhs).
---------------------------------------------------------------------------
    The Senate Committee on Homeland Security and Governmental 
Affairs has held multiple hearings in the 117th Congress to 
address the government's preparedness, response, and recovery 
efforts with regard to cybersecurity.\8\ During one such 
hearing on September 23, 2021, entitled National Cybersecurity 
Strategy: Protection of Federal and Critical Infrastructure 
Systems, Senator Margaret Hassan asked Jen Easterly, Director 
of the Cybersecurity and Infrastructure Security Agency (CISA), 
about how an apprenticeship program would help address 
workforce challenges at CISA.\9\ Director Easterly said:
---------------------------------------------------------------------------
    \8\See Senate Committee on Homeland Security and Governmental 
Affairs, Hearing on Prevention, Response and Recovery: Improving 
Federal Cybersecurity Post-SolarWinds, 117th Cong. (May 11, 2021); 
Senate Committee on Homeland Security and Governmental Affairs, Hearing 
on Threats to Critical Infrastructure: Examining the Colonial Pipeline 
Cyber Attack, 117th Cong. (June 8, 2021); and Senate Committee on 
Homeland Security and Governmental Affairs, Hearing on National 
Cybersecurity Strategy: Protection of Federal and Critical 
Infrastructure Systems, 117th Cong. (Sep. 23, 2021).
    \9\ Senate Committee on Homeland Security and Governmental Affairs, 
Transcript, Hearing on National Cybersecurity Strategy: Protection of 
Federal and Critical Infrastructure Systems, 117th Cong. (Sep. 23, 
2021) (https://plus.cq.com/doc/congressionaltranscripts-
6351036?4&searchId=9Svfjbqf).
---------------------------------------------------------------------------
          We've already started talking about how we could 
        implement apprenticeships at CISA . . . . I think we 
        need to be as creative as possible in all our 
        approaches to deal with the deficit that we have across 
        the country and then across the federal cyber 
        workforce.\10\
---------------------------------------------------------------------------
    \10\Id.
---------------------------------------------------------------------------
    Fellow witness Chris Inglis, National Cyber Director in the 
Executive Office of the President, agreed with Director 
Easterly's remarks and added that:

          [A]pprenticeships are essential, not simply because 
        they provide experience for its own sake, but they 
        bridge the gap between aspiration that is often 
        supported by training and education and the real 
        experience that employers need or want when you show up 
        at that door.\11\
---------------------------------------------------------------------------
    \11\Id.

    The Federal Cybersecurity Workforce Expansion Act will help 
strengthen the cybersecurity talent pipeline within the federal 
government by establishing a registered apprenticeship pilot 
program at DHS in which participants receive on-the-job 
cybersecurity training. Upon successful completion of the 
program, participants may be appointed to cybersecurity-
specific excepted service positions within a federal agency. 
Appointed participants then enter into a service agreement in 
which they commit to working in the federal government for a 
period of service equal to the length of the apprenticeship.
    The Federal Cybersecurity Workforce Expansion Act also 
directs the Secretary of Homeland Security, in partnership with 
the Secretary of Veterans Affairs, to establish a pilot program 
to provide cybersecurity training at no cost to veterans and 
military spouses. The pilot program will incorporate 
coursework, virtual learning opportunities, and federal work-
based learning opportunities and will lead to a recognized 
postsecondary credential.
    This bill incorporates recommendations from a report 
published by the Cyberspace Solarium Commission in March 2020. 
The report recommends that the federal government ``develop 
work-based learning programs and apprenticeships to supplement 
classroom learning'' as a step to improve cyber-oriented 
education.\12\ Another recommendation calls for designing 
``cybersecurity-specific upskilling and transition assistance 
programs for veterans and transitioning military service 
members to move into federal civilian cybersecurity jobs.''\13\ 
The Federal Cybersecurity Workforce Expansion Act will help 
bring these expert recommendations to fruition and improve our 
national security by augmenting cybersecurity workforce 
development pathways.
---------------------------------------------------------------------------
    \12\Cyberspace Solarium Commission, A Warning From Tomorrow (Mar. 
2020) (drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view).
    \13\Id. at 44.
---------------------------------------------------------------------------

                        III. Legislative History

    Senator Margaret Hassan (D-NH) introduced S. 2274, the 
Federal Cybersecurity Workforce Expansion Act, on June 24, 
2021, with Senator John Cornyn (R-TX). The bill was referred to 
the Committee on Homeland Security and Governmental Affairs.
    The Committee considered S. 2274 at a business meeting on 
November 3, 2021. During the business meeting, Senator Hassan 
offered a modification to her substitute amendment that was 
adopted by unanimous consent. The substitute amendment made a 
number of changes to the underlying bill, including a change to 
establish the veterans' cybersecurity training pilot program at 
the Department of Homeland Security rather than the Department 
of Veterans Affairs and setting a cap on the number apprentices 
in the cybersecurity apprenticeship pilot program. The 
modification to the substitute amendment cut the language 
authorizing ``such sums as necessary'' to carry out the 
cybersecurity apprenticeship pilot program. As modified, 
Senator Hassan's substitute amendment was adopted by unanimous 
consent.
    Senator Lankford offered an amendment to change the 
standard by which agencies can use direct hire authority, which 
was not adopted by voice vote.
    The bill, as amended by the Hassan modified substitute 
amendment, was ordered reported favorably by voice vote en 
bloc, with Senators Peters, Hassan, Sinema, Rosen, Padilla, 
Ossoff, Portman, Johnson, Lankford, Romney, Scott, and Hawley 
present.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section establishes the short title of the bill as the 
``Federal Cybersecurity Workforce Expansion Act.''

Sec. 2. Findings

    This section includes findings indicating the need for 
additional federal cybersecurity professionals.

Sec. 3. Definitions

    This section defines ``Department,'' ``institution of 
higher education,'' and ``Secretary'' in the context of this 
bill.

Sec. 4. Cybersecurity apprenticeship pilot program

    Subsection (a) defines ``area career and technical 
education school,'' ``community college,'' ``competitive 
service,'' ``cyber workforce position,'' ``early college high 
school; educational service agency; local educational agency; 
secondary school; state educational agency,'' ``education and 
training provider,'' ``eligible entity,'' ``excepted service,'' 
``local workforce development board,'' ``minority-serving 
institution,'' ``nonprofit organization,'' ``qualified 
intermediary,'' ``partnerships,'' ``provider of adult 
education,'' ``related instruction,'' ``sponsor,'' ``state,'' 
``state apprenticeship agency,'' ``state workforce development 
board,'' and ``WIOA terms'' in the context of this section.
    Subsection (b) directs the Secretary of Homeland Security 
to establish an apprenticeship pilot program within three years 
of this bill's enactment. There can be up to 25 apprentices who 
will be employed in cyber workforce positions within DHS while 
participating in the program. The learning opportunities in the 
program will be based on the NICE Workforce Framework for 
Cybersecurity, or a successor framework, and prepare the 
participant for a cyber workforce position within a federal 
agency. The program must be a registered apprenticeship and 
approved by the Department of Veterans Affairs as an 
apprenticeship where veterans can use their educational 
assistance.
    Subsection (c) directs the Secretary of Homeland Security 
to consult with the Secretary of Labor, the Director of NIST, 
the Secretary of Defense, the Director of the National Science 
Foundation, and the Director of the Office of Personnel 
Management (OPM) when developing the apprenticeship pilot 
program.
    Subsection (d) outlines options available to the DHS 
Secretary for getting help implementing the apprenticeship 
program including contracts, cooperative agreements, or grants. 
The entity chosen to provide the program must have demonstrated 
experience in implementing apprenticeship programs, have 
knowledge of cybersecurity workforce development, have an 
ability to provide participants with one or more recognized 
postsecondary credentials, use instruction that is specifically 
aligned with the needs of federal agencies, and have 
demonstrated success in connecting apprenticeship participants 
with careers relevant to the program.
    Subsection (e) describes how eligible entities seeking a 
contract, cooperative agreement, or grant under subsection (d) 
must submit an application to the DHS Secretary with such 
information as the Secretary may require.
    Subsection (f) states that the Secretary may prioritize an 
eligible entity in the context of subsection (d) that: (1) is a 
member of an industry or sector partnership that sponsors or 
participates in an apprenticeship program; (2) provides related 
instruction for a registered apprenticeship program; (3) works 
to transition members of the Armed Forces and veterans to 
apprenticeship programs in a relevant sector; (4) plans to 
carry out the apprenticeship program with an entity that 
receives state funding or is operated by a state agency; (5) 
has successfully increased the representation of women, 
minorities, and individuals from other underrepresented 
communities in cybersecurity; or (6) has focused on recruiting 
women, minorities, and individuals from other underrepresented 
communities.
    Subsection (g) directs the DHS Secretary to provide 
technical assistance to eligible entities selected under 
subsection (d) to leverage any existing and relevant federal 
job training and education programs.
    Subsection (h) requires individuals who successfully 
complete the apprenticeship program to enter into an agreement 
in which they accept an offer for a cyber workforce position 
within a federal agency and serve in that position for a length 
of time equal to the length of the apprenticeship program. If 
an individual does not satisfy the requirements of the service 
agreement, they will be required to repay the cost of the 
education and training provided, reduced by an amount factoring 
in the extent to which any service obligations were met. The 
Secretary is authorized to provide a waiver of service or 
repayment requirements as appropriate.
    Subsection (i) specifies that participants in the 
apprenticeship program may be appointed to cybersecurity 
positions in the excepted service.
    Subsection (j) specifies that individuals who successfully 
complete the apprenticeship program may be appointed to 
cybersecurity position in the excepted service.
    Subsection (k) specifies that federal service following the 
apprenticeship program will be subject to the completion of a 
trial period in accordance with any applicable law or 
regulation.
    Subsection (l) requires the Secretary to submit an annual 
report starting two years after the beginning of the 
apprenticeship program that includes a description of: (1) any 
activity carried out by DHS under this section; (2) any 
eligible entity selected and activity carried out under 
subsection (d); (3) best practices used; (4) an assessment of 
the results achieved by the apprenticeship program, including 
the rate of continued employment within a federal agency, the 
demographics of the apprenticeship participants, the rate of 
completion by program participants, and the return on 
investment of the pilot program. This subsection also directs 
the GAO to conduct a study on the apprenticeship pilot program 
within four years after the program is established.
    Subsection (m) sunsets the apprenticeship pilot program in 
five years.

Sec. 5. Pilot program on cybersecurity training for veterans and 
        military spouses

    Subsection (a) defines the terms ``eligible individual,'' 
``recognized postsecondary credential,'' ``veteran,'' and 
``work-based learning.''
    Subsection (b) directs the DHS Secretary, in consultation 
with the Secretary of Veterans Affairs, to establish a pilot 
program to provide cybersecurity training to veterans and 
military spouses within three years of the enactment of this 
bill.
    Subsection (c) requires the pilot program to incorporate: 
(1) coursework and training that qualifies toward postsecondary 
credit; (2) virtual learning opportunities; (3) hands-on 
learning and performance-based assessments; (4) federal work-
based learning opportunities; and (5) the provision of 
recognized postsecondary credentials to participants who 
complete the program.
    Subsection (d) requires the pilot program to align with the 
NICE Workforce Framework for Cybersecurity or a successor 
framework.
    Subsection (e) directs the DHS Secretary to coordinate with 
the Secretary of Veterans Affairs, Secretary of Defense, 
Secretary of Labor, Director of NIST, and Director of OPM to 
leverage and prevent duplication of existing training, 
platforms, and frameworks within the federal government for 
cybersecurity education and training. The DHS Secretary is 
directed to coordinate with the Secretary of Veterans Affairs 
to ensure that eligible individuals can use existing 
educational assistance to the greatest extent possible. The DHS 
Secretary is directed to coordinate with the Secretary of 
Veterans Affairs, Secretary of Defense, Secretary of Labor, 
Director of OPM, and any other appropriate agencies to identify 
and create interagency opportunities to allow program 
participants to demonstrate competencies necessary to qualify 
for federal employment.
    Subsection (f) authorizes the Secretary to expand existing 
training, platforms, and frameworks or develop and procure 
resources as necessary to carry out the program. The Secretary 
may provide additional funding, staff, or other resources to: 
(1) recruit and retain women, minorities, and individuals from 
other underrepresented communities; (2) provide administrative 
support; (3) ensure ongoing engagement and success of eligible 
individuals participating in the program; (4) connect 
participants who complete the program with job opportunities in 
the federal government; and (5) allocate dedicated positions 
for term employment to enable federal work-based learning 
opportunities.
    Subsection (g) requires the Secretary to submit an annual 
report starting two years after the beginning of the pilot 
program that includes a description of: (1) any activity 
carried by DHS under this section; (2) existing training, 
platforms, and frameworks used; (3) the results achieved by the 
apprenticeship program, including the admittance rate into the 
program, the demographics of program participants, the rate of 
completion by program participants, transfer rates to other 
academic or vocational programs, the rate of continued 
employment within a federal agency, and the median annual 
salary of participants employed after completing the program. 
This subsection also directs the GAO to conduct a study on the 
pilot program within four years after the program is 
established.
    Subsection (h) sunsets the pilot program in five years.

Sec. 6. Federal cybersecurity workforce assessment extension

    This section extends from 2022 to 2025 the requirement that 
each federal agency submit an annual report to OPM identifying 
cyber-related work roles of critical need in the agency's 
workforce.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, February 3, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 2274, the Federal 
Cybersecurity Workforce Expansion Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

    The bill would:
           Establish a cybersecurity apprenticeship 
        program
           Create a cybersecurity training program for 
        veterans and spouses of military personnel
           Extend reporting requirements for federal 
        positions related to information technology and 
        cybersecurity
    Estimated budgetary effects would mainly stem from:
           Hiring and training cybersecurity 
        apprentices
           Developing cybersecurity training courses 
        for veterans and military spouses
           Spending veterans' education benefits on 
        cybersecurity training
    Bill summary: S. 2274 would require the Department of 
Homeland Security (DHS) to establish a cybersecurity 
apprenticeship program to recruit and hire people to perform 
information technology and cybersecurity roles for the 
department. DHS also would provide apprentices with training 
courses and career development materials.
    S. 2274 would require DHS to establish a program to provide 
cybersecurity training without charge to veterans who are 
eligible for education benefits administered by the Department 
of Veterans Affairs (VA).
    Estimated Federal cost: The estimated budgetary effects of 
S. 2274 are shown in Table 1. The costs of the legislation fall 
within budget function 050 (national defense).

                                TABLE 1.--ESTIMATED BUDGETARY EFFECTS OF S. 2274
----------------------------------------------------------------------------------------------------------------
                                                                   By fiscal year, millions of dollars--
                                                         -------------------------------------------------------
                                                            2022     2023     2024     2025     2026   2022-2026
----------------------------------------------------------------------------------------------------------------
Cybersecurity Apprentices
    Estimated Authorization.............................        0        2        5        5        5         17
    Estimated Outlays...................................        0        2        5        5        5         17
Curriculum and Training
    Estimated Authorization.............................        0        4        0        0        0          4
    Estimated Outlays...................................        0        2        2        0        0          4
Program Management Staff
    Estimated Authorization.............................        *        1        1        1        1          4
    Estimated Outlays...................................        *        1        1        1        1          4
    Total Changes.......................................
        Estimated Authorization.........................        *        7        6        6        6         25
        Estimated Outlays...............................        *        5        8        6        6         25
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.
In addition to the budgetary effects shown above, CBO estimates that enacting S. 2274 would have insignificant
  effects on direct spending and the deficit over the 2022-2031 period.

    Basis of estimate: For this estimate, CBO assumes that S. 
2274 will be enacted in the middle of fiscal year 2022 and that 
the required pilot programs would begin in fiscal year 2023. 
CBO also expects that cybersecurity apprentices would serve for 
a two-year term. Outlays are based on historical spending 
patterns for existing or similar programs.
    Spending subject to appropriation: CBO estimates that 
implementing the bill would cost $25 million over the 2022-2026 
period. Such spending would be subject to the availability of 
appropriated funds.
    Cybersecurity Apprentices. S. 2274 would require DHS to 
recruit and hire apprentices to fill a range of information 
technology and cybersecurity roles across the department. On 
the basis of information from the Department of Labor about the 
average duration and salaries of apprenticeships, CBO expects 
that each apprentice would serve for two years at an average 
annual cost of about $85,000 for salaries and benefits. CBO 
anticipates that DHS would hire the first cohort of apprentices 
in 2023 and that each cohort would include 25 people, the 
maximum annual number of new hires permitted under S. 2274. 
Because each cohort would serve for two years, CBO expects that 
DHS would employ 50 cyber apprentices each year once the second 
cohort is hired. On that basis and accounting for the effects 
of anticipated inflation, CBO estimates that salaries and 
benefits expenses of apprentices hired under S. 2274 would 
total $17 million over the 2023-2026 period.
    Curriculum and Training. S. 2274 would require DHS to 
develop cybersecurity training courses for the apprenticeship 
and veteran training programs authorized under the bill. CBO 
expects that DHS would contract with private-sector 
cybersecurity firms to design the curricula for these courses 
and create the online platforms to access the training. Based 
on the costs of similar programs at DHS, CBO estimates that 
cyber training services and materials would cost about $4 
million.
    Program Management Staff. Using information about similar 
training programs, CBO anticipates that DHS would need five 
full-time employees to create and manage these new programs. 
CBO estimates that staff salaries would average about $1 
million annually over the 2022-2026 period.
    Direct Spending: Several provisions in S. 2274 would have 
insignificant effects on direct spending over the 2022-2031 
period.
    Cybersecurity Training for Veterans and Military Spouses. 
CBO expects that some veterans who are eligible for education 
benefits administered by VA would increase their use of those 
benefits as a result of the cybersecurity training program. 
Conversely, some veterans who otherwise would have used their 
benefits to enroll in a postsecondary education program would 
instead use them for cybersecurity training (which would 
typically cost less). The costs of VA education benefits are 
paid from mandatory appropriations. CBO estimates that the 
changes in the use of benefits would have insignificant net 
effects on direct spending over the 2022-2031 period.
    Cyber Security Workforce Assessment Extension. S. 2274 
would extend, from 2022 to 2025, the reporting requirements 
established under the Federal Cybersecurity Workforce 
Assessment Act. Enacting that extension could affect direct 
spending by some agencies that use fees, receipts from the sale 
of goods, and other collections to cover operating costs. CBO 
estimates that any net changes in direct spending by those 
agencies would be negligible because most of them can adjust 
amounts collected to accommodate changes in operating costs.
    Pay-As-You-Go considerations: The Statutory Pay-As-You-Go 
Act of 2010 establishes budget-reporting and enforcement 
procedures for legislation affecting direct spending or 
revenues. CBO estimates that enacting S. 2274 would have 
insignificant effects on direct spending and the deficit.
    Increase in long-term deficits: None.
    Mandates: None.
    Estimate prepared by: Federal Costs: Aldo Prosperi 
(Department of Homeland Security); Paul B.A. Holland 
(Department of Veterans Affairs); Mandates: Brandon Lever.
    Estimate reviewed by: David Newman, Chief, Defense, 
International Affairs, and Veterans' Affairs Cost Estimates 
Unit, Leo Lex, Deputy Director of Budget Analysis; Theresa 
Gullo, Director of Budget Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 5--GOVERNMENT ORGANIZATION AND EMPLOYEES

           *       *       *       *       *       *       *


PART I--THE AGENCIES GENERALLY

           *       *       *       *       *       *       *


CHAPTER 3--POWERS

           *       *       *       *       *       *       *



SEC. 301. DEPARTMENTAL REGULATIONS

           *       *       *       *       *       *       *


STATUTORY NOTES

           *       *       *       *       *       *       *



FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

           *       *       *       *       *       *       *



SEC. 304. IDENTIFICATION OF CYBER RELATED WORK ROLES OF CRITICAL NEED

    (a) In General.--Beginning not later than 1 year after the 
date on which the employment codes are assigned to employees 
pursuant to section 303(b)(2), and annually thereafter through 
[2022] 2025, the head of each Federal agency, in consultation 
with the Director, the Director of the National Institute of 
Standards and Technology, and the Secretary of Homeland 
Security, shall--
          (1) identify information technology, cybersecurity, 
        or other cyber-related roles of critical need in the 
        agency's workforce; and
          (2) submit a report to the Director that--
                  (A) describes the information technology, 
                cybersecurity, or other cyber-related roles 
                identified under paragraph (1); and
                  (B) substantiates the critical need 
                designations.

           *       *       *       *       *       *       *


                                  [all]