[House Report 118-161]
[From the U.S. Government Publishing Office]


118th Congress }                                          { REPORT 
                        HOUSE OF REPRESENTATIVES
 1st Session   }                                          { 118-161

======================================================================
 
                 DHS CYBERSECURITY ON-THE-JOB TRAINING 
                              PROGRAM ACT

                                _______
                                

 July 27, 2023.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

   Mr. Green of Tennessee, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3208]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3208) to amend the Homeland Security Act of 2002 
to establish a DHS Cybersecurity On-the-Job Training Program, 
and for other purposes, having considered the same, reports 
favorably thereon without amendment and recommends that the 
bill do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and 
  Tax Expenditures
Federal Mandates Statement
Duplicative Federal Programs
Statement of General Performance Goals and Objectives
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation

                          Purpose and Summary

    As the interconnectivity of Americans' daily lives 
continues to grow, the threat of malicious cyber activity has 
also grown. We need the right people, with the right skills, in 
the right jobs to confront this threat. Despite this 
increasingly complex threat landscape, some estimates say that 
the U.S. currently has more than 660,000 cyber job openings 
across the public and private sectors.\1\
---------------------------------------------------------------------------
    \1\https://www.cyberseek.org/heatmap.html.
---------------------------------------------------------------------------
    The Department of Homeland Security (DHS) has begun to 
increase its focus on closing its own cybersecurity workforce 
gap. Seven years after Congress gave DHS the authority, the 
Department launched the Cyber Talent Management System (CTMS) 
in November 2021. The main goals of the CTMS initiative are 
``to cut the time it takes to hire cybersecurity professionals, 
redefine how the government evaluates cybersecurity skill sets, 
and facilitate competitive pay rates.''\2\ The full framework 
attempts to aid the agency in defining, attracting, and 
retaining new talent, but public reporting indicates that 
hiring through CTMS has been slow.
---------------------------------------------------------------------------
    \2\https://www.dhs.gov/news/2021/11/15/dhs-launches-innovative-hiring-program-recruit-and-retain-world-class-cyber-talent.
---------------------------------------------------------------------------
    Concurrently, the Cybersecurity and Infrastructure Security 
Agency (CISA) was charged in the President's Management Agenda 
with building a modern cyber workforce through skills training. 
CISA has since established the Federal Cyber Defense Skilling 
Academy (FCDSA), which trains current DHS employees to be 
entry-level cyber defense analysts.\3\ As CTMS ramps up to hire new 
talent at DHS HQ, Congress must empower CISA to reskill 
existing DHS employees to support the Department's vital 
cybersecurity mission.
---------------------------------------------------------------------------
    \3\https://www.nist.gov/system/files/documents/2022/05/03/2022%20FEDERAL%20CYBERSECURITY%20WORK.
---------------------------------------------------------------------------
    H.R. 3208 solidifies CISA's role in providing cybersecurity 
training to DHS employees who are not currently in 
cybersecurity positions. The bill formally authorizes CISA's 
training activities in this space, in consultation with the 
Under Secretary for Management, while also giving them the 
flexibility needed to expand and adapt the program to address 
the growing cyber workforce gap.

                  Background and Need for Legislation

    Given the number of cyber job openings across the United 
States, including over 45,000 of those openings within the 
public sector, DHS must do more to bolster its own cyber 
workforce and that of the federal civilian executive branch. 
Congress has authorized the CTMS program and appropriated 
millions of dollars for the Department to begin to reduce this 
gap. As CTMS matures, this bill will provide a near-term 
solution that further supports Congress' intent to expand the 
Department's cyber talent pipeline.

                                Hearings

    The Committee held the following hearing in the 118th 
Congress that informed H.R. 3208:
    On April 27, 2023, the Subcommittee on Cybersecurity and 
Infrastructure Protection held a hearing entitled ``CISA 2025: 
The State of American Cybersecurity from CISA's Perspective.'' 
The Subcommittee received testimony from the Honorable Jen 
Easterly, Director, Cybersecurity and Infrastructure Security 
Agency.

                        Committee Consideration

    The Committee met on Wednesday, May 17, 2023, a quorum 
being present, to consider H.R. 3208 and ordered the measure to 
be favorably reported to the House by voice vote.

                            Committee Votes

    Clause 3(b) of rule XIII requires the Committee to list the 
recorded votes on the motion to report legislation and 
amendments thereto.
    No recorded votes were requested during consideration of 
H.R. 3208.

                      Committee Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII, the 
Committee advises that the findings and recommendations of the 
Committee, based on oversight activities under clause 2(b)(1) 
of rule X, are incorporated in the descriptive portions of this 
report.

Congressional Budget Office Estimate, New Budget Authority, Entitlement 
                    Authority, and Tax Expenditures

    With respect to the requirements of clause 3(c)(2) of rule 
XIII and section 308(a) of the Congressional Budget Act of 
1974, and with respect to the requirements of clause 3(c)(3) of 
rule XIII and section 402 of the Congressional Budget Act of 
1974, the Committee has requested, but not received, from the 
Director of the Congressional Budget Office a statement as to 
whether this bill contains any new budget authority, spending 
authority, credit authority, or an increase or decrease in 
revenues or tax expenditures. The Committee adopts as its own 
the cost estimate prepared by the Director of the Congressional 
Budget Office upon its release.

                       Federal Mandates Statement

    An estimate of Federal mandates prepared by the Director of 
the Congressional Budget Office pursuant to section 423 of the 
Unfunded Mandates Reform Act was not made available to the 
Committee in time for the filing of this report. The Committee 
adopts as its own the estimate of Federal mandates prepared by 
the Director of the Congressional Budget Office upon its 
release.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 3208 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII, the objective of 
H.R. 3208 is to establish a DHS Cybersecurity On-the-Job 
Training Program.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    In compliance with rule XXI, this bill, as reported, 
contains no congressional earmarks, limited tax benefits, or 
limited tariff benefits as defined in clause 9(d), 9(e), or 
9(f) of rule XXI.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                Applicability to the Legislative Branch

    The Committee finds that H.R. 3208 does not relate to the 
terms and conditions of employment or access to public services 
or accommodations within the meaning of section 102(b)(3) of 
the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    This section states the Act may be cited as the ``DHS 
Cybersecurity On-the-Job Training Program Act.''

Section 2. DHS Cybersecurity On-the-Job Training Program

    This section amends the Homeland Security Act of 2002 to 
establish a DHS Cybersecurity On-the-Job Training Program 
within CISA to provide training to DHS employees not currently 
in a cybersecurity position for work in matters relating to 
cybersecurity at DHS.
    This section further directs CISA to develop a curriculum 
for the Program, incorporating any existing curricula as 
appropriate, which may include distance learning, in-classroom 
learning, on-the-job instruction, or other means of training 
and education. The section requires the curriculum to be 
consistent with the National Initiative for Cybersecurity 
Education (NICE) Framework. The Committee expects CISA to 
utilize the most updated NICE Framework and to measure success 
of the Program using metrics developed in line with the 
framework, adjusting curriculum and trainings, as appropriate, 
to maximize the effectiveness of the Program.
    This section also directs CISA to develop criteria for 
participation in the Program and to offer training in line with 
curriculum developed under this Act. CISA is required to 
provide an annual report to Congress for seven years, including 
information on the number of employees participating, the 
positions into which Program participants were hired after 
training, a description of metrics used to measure the success 
of the Program, and copies of the required report on annual 
cybersecurity vacancies.
    This section further directs the DHS Under Secretary for 
Management to support the Program by submitting to the DHS 
Secretary an annual report on cybersecurity vacancies at DHS, 
identifying and recruiting individuals for the Program, 
implementing policies (including continuing service agreements) 
to encourage Program participation, and conducting outreach to 
Program participants on job opportunities after completing the 
Program.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (new matter is 
printed in italics and existing law in which no change is 
proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Homeland 
Security Act of 2002''.
  (b) Table of Contents.--The table of contents for this Act is 
as follows:

Sec. 1. Short title; table of contents.
     * * * * * * *

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

     * * * * * * *

          Subtitle A--Cybersecurity and Infrastructure Security

     * * * * * * *
Sec. 2220F. DHS Cybersecurity On-the-Job Training Program.

           *       *       *       *       *       *       *


TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

           *       *       *       *       *       *       *


Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2220F. DHS CYBERSECURITY ON-THE-JOB TRAINING PROGRAM.

  (a) In General.--There is established within the Agency a 
``DHS Cybersecurity On-the-Job Training Program'' (in this 
section referred to as the ``Program'') to voluntarily train 
Department employees who are not currently in a cybersecurity 
position for work in matters relating to cybersecurity at the 
Department. The Program shall be led by the Director, in 
consultation with the Under Secretary for Management.
  (b) Duties of the Director.--In carrying out the Program 
under subsection (a), the Director--
          (1) shall develop a curriculum for the Program, 
        incorporating any existing curricula as appropriate, 
        and consistent with the National Initiative for 
        Cybersecurity Education Framework or any successor 
        framework, which may include distance learning 
        instruction, in-classroom instruction within a work 
        location, on-the-job instruction under the supervision 
        of experienced cybersecurity staff, or other means of 
        training and education as determined appropriate by the 
        Director;
          (2) shall develop criteria for participation in the 
        Program;
          (3) in accordance with paragraph (1), shall provide 
        cybersecurity training to employees of the Department 
        and may, as appropriate, provide cybersecurity training 
        to other Federal employees; and
          (4) shall annually for seven years submit to the 
        Committee on Homeland Security of the House of 
        Representatives and the Committee on Homeland Security 
        and Governmental Affairs of the Senate a report that 
        includes--
                  (A) information relating to the number of 
                employees who participated in the Program in 
                the preceding year;
                  (B) an identification of the positions into 
                which employees trained through the Program 
                were hired after such training;
                  (C) a description of metrics used to measure 
                the success of the Program;
                  (D) copies of the reports submitted pursuant 
                to (c)(1); and
                  (E) any additional information relating to 
                the duties specified in this subsection.
  (c) Duties of the Under Secretary for Management.--In 
carrying out the Program under subsection (a), the Under 
Secretary for Management shall--
          (1) submit to the Secretary an annual report on the 
        status of vacancies in cybersecurity positions 
        throughout the Department;
          (2) support efforts by the Director to identify and 
        recruit individuals employed by the Department to 
        participate in the Program;
          (3) implement policies, including continuing service 
        agreements, to encourage participation in the Program 
        by employees throughout the Department; and
          (4) conduct outreach to employees who complete the 
        Program regarding cybersecurity job opportunities 
        within the Department.

           *       *       *       *       *       *       *


                                  [all]