[Senate Report 118-117]
[From the U.S. Government Publishing Office]
Calendar No. 255
_______________________________________________________________________
118th Congress } { Report
SENATE
1st Session } { 118-117
_______________________________________________________________________
FEDERAL CYBERSECURITY WORKFORCE EXPANSION ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2256
TO AUTHORIZE THE DIRECTOR OF THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY TO ESTABLISH AN
APPRENTICESHIP PROGRAM AND TO ESTABLISH A PILOT
PROGRAM ON CYBERSECURITY TRAINING FOR VETERANS AND
MEMBERS OF THE ARMED FORCES TRANSITIONING TO CIVILIAN LIFE, AND FOR
OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
November 30, 2023.--Ordered to be printed
__________
U.S. GOVERNMENT PUBLISHING OFFICE
49-010 WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada MITT ROMNEY, Utah
JON OSSOFF, Georgia RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut JOSH HAWLEY, Missouri
LAPHONZA R. BUTLER, California ROGER MARSHALL, Kansas
David M. Weinberg, Staff Director
Lena C. Chang, Director of Governmental Affairs
Devin M. Parsons, Professional Staff Member
William E. Henderson III, Minority Staff Director
Christina N. Salazar, Minority Chief Counsel
Andrew J. Hopkins, Minority Counsel
Laura W. Kilbride, Chief Clerk
Calendar No. 255
118th Congress } { Report
SENATE
1st Session } { 118-117
======================================================================
FEDERAL CYBERSECURITY WORKFORCE EXPANSION ACT
_______
November 30, 2023.--Ordered to be printed
_______
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 2256]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 2256) to authorize
the Director of the Cybersecurity and Infrastructure Security
Agency to establish an apprenticeship program and to establish
a pilot program on cybersecurity training for veterans and
members of the Armed Forces transitioning to civilian life, and
for other purposes, having considered the same, reports
favorably thereon with amendments and recommends that the bill,
as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................5
IV. Section-by-Section Analysis of the Bill, as Reported.............5
V. Evaluation of Regulatory Impact..................................8
VI. Congressional Budget Office Cost Estimate........................8
VII. Changes in Existing Law Made by the Bill, as Reported...........11
Purpose and Summary
S. 2256, the Federal Cybersecurity Workforce Expansion Act,
would establish two new pilot programs related to the
cybersecurity workforce. It would create a five-year
cybersecurity apprenticeship pilot program within the
Department of Homeland Security (DHS). Up to 25 apprentices
could participate in this program each year and enter into
service agreements with the federal government upon completion
of the program. The bill also directs DHS, in coordination with
the Department of Veterans Affairs, to establish a five-year
pilot program to provide cybersecurity training at no cost to
veterans and military spouses. Under the bill, DHS would submit
annual reports to Congress on each of these pilot programs, and
the Government Accountability Office (GAO) would conduct an
assessment of each program within four years after it is
established. Finally, the bill would extend from 2022 to 2027
the requirement that federal agencies submit an annual report
to the Office of Personnel Management (OPM) identifying cyber-
related work roles in the agency's workforce.\1\
---------------------------------------------------------------------------
\1\On November 3, 2021, the Committee approved S. 2274, the Federal
Cybersecurity Workforce Expansion Act. That bill, as reported, is
substantially similar to S. 2256. Accordingly, this committee report
is, in many respects, similar to the committee report for S. 2274. See
S. Rept. 117-131.
---------------------------------------------------------------------------
II. Background and Need for the Legislation
There is a national shortage of qualified cybersecurity
personnel. According to CyberSeek, a project supported by the
National Initiative for Cybersecurity Education (NICE) at the
National Institute of Standards and Technology (NIST), there
are over 660,000 cybersecurity job openings in the United
States, including over 8,000 at the federal level, as of August
2023.\2\ A September 2022 State of the Federal Cyber Workforce
report by the Federal Cyber Workforce Management and
Coordinating Working Groups noted that ``[s]ystemic changes to
the development of our cyber workforce are vital for our nation
to sufficiently govern and maintain our critical
infrastructures and data security.'' The report also found that
``increasing cyber attacks and a heightened talent shortage
serves as a wake-up call that the federal government must
reenergize and promote how it is a premier place of employment
for cyber professionals.''\3\
---------------------------------------------------------------------------
\2\Cyberseek, Interactive Map (www.cyberseek.org/heatmap.html)
(accessed Aug. 9, 2023).
\3\Cyber Workforce Management and Coordinating Working Group, State
of the Federal Cyber Workforce: A Call for Collective Action (Sept.
2022) (digital.va.gov/wp-content/uploads/2022/10/State-of-the-Federal-
Cyber-Workforce-Report_2022.pdf).
---------------------------------------------------------------------------
The consistent shortage of cybersecurity personnel
represents a high risk to national security. Federal cyber
workforce management challenges have been on the GAO High-Risk
List since 2003.\4\ In that report, GAO stated:
---------------------------------------------------------------------------
\4\Government Accountability Office, High-Risk Series: Protecting
Information Systems Supporting the Federal Government and the Nation's
Critical Infrastructures (GAO-03-121) (Jan. 2003) (www.gao.gov/assets/
gao-03-121.pdf).
---------------------------------------------------------------------------
[A]gencies must have the technical expertise they
need to select, implement, and maintain controls that
protect their information systems. Similarly, the
federal government must maximize the value of its
technical staff by sharing expertise and information. .
. . [T]he availability of adequate technical and audit
expertise is a continuing concern to agencies.\5\
---------------------------------------------------------------------------
\5\Id.
---------------------------------------------------------------------------
Since 2003, the need for a developed and expansive cyber
workforce has continued to intensify. As GAO Director of
Information Security Issues, Gregory C. Wilshusen, stated in
March 2018 testimony before the House Committee on Homeland
Security Subcommittees on Cybersecurity and Infrastructure
Protection and Oversight and Management Efficiency during a
hearing examining the cybersecurity workforce:
The Office of Management and Budget has noted that
the federal government and private industry face a
persistent shortage of cybersecurity and IT talent to
implement and oversee information security protections.
This shortage may leave federal IT systems vulnerable
to malicious attacks. Experienced and qualified
cybersecurity professionals are essential in performing
DHS's work to mitigate vulnerabilities in its own and
other agencies' computer systems and to defend against
cyber threats.\6\
---------------------------------------------------------------------------
\6\Government Accountability Office, Cybersecurity Workforce: DHS
Needs to Take Urgent Action to Identify Its Position and Critical
Skills Requirements (GAO-18-430T) (Mar. 2018) (www.gao.gov/assets/gao-
18-430t.pdf).
---------------------------------------------------------------------------
In the April 2023 High-Risk Series report, GAO recommended
that federal agencies ``take additional actions to address the
federal cybersecurity workforce shortage'' and that the Office
of Management and Budget develop a governmentwide workforce
plan to address the issues facing the cyber workforce.\7\
---------------------------------------------------------------------------
\7\Government Accountability Office, High-Risk Series: Efforts Made
to Achieve Progress Need to Be Maintained and Expanded to Fully Address
All Areas (GAO-23-106203) (Apr. 2023) (www.gao.gov/assets/gao-23-
106203.pdf).
---------------------------------------------------------------------------
The problem of cybersecurity workforce shortages has taken
on increased urgency as the United States faces escalating
threats from hostile cyber actors. In 2021, multiple high-
profile cybersecurity incidents, including SolarWinds,
Microsoft Exchange, and Colonial Pipeline, prompted President
Biden to issue an Executive Order aimed at improving the
nation's cybersecurity preparedness systems.\8\ Furthermore,
critical infrastructure, such as healthcare systems, face an
ever-growing threat from cyber incidents that affect operations
and patient care, illustrated by recent attacks in early 2023
on Tallahassee Memorial HealthCare in Florida and the
University of Michigan Health System.\9\ These cyber attacks
further underscore the urgent need to advance skills of the
nation's cybersecurity workforce.
---------------------------------------------------------------------------
\8\Executive Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021).
\9\Senate Committee on Homeland Security and Governmental Affairs,
Opening Statement of Chairman Gary Peters, Hearing on In Need of a
Checkup: Examining the Cybersecurity Risks to the Healthcare Sector,
118th Cong. (Mar. 16, 2023) (S. Hrg. 118-XX).
---------------------------------------------------------------------------
The Committee on Homeland Security and Governmental Affairs
has held multiple hearings in the wake of cybersecurity attacks
to address the government's preparedness, response, and
recovery efforts.\10\ During a hearing on September 23, 2021,
entitled National Cybersecurity Strategy: Protection of Federal
and Critical Infrastructure Systems, Senator Margaret Wood
Hassan (D-NH) asked Jen Easterly, Director of the Cyber and
Infrastructure Security Agency (CISA), if an apprenticeship
program would help address workforce challenges at CISA.
Director Easterly said, ``We've already started talking about
how we could implement apprenticeships at CISA. . . . I think
we need to be as creative as possible in all our approaches to
deal with the deficit that we have across the country and then
across the federal cyber workforce.'' Fellow witness Chris
Inglis, National Cyber Director in the Executive Office of the
President, agreed with Director Easterly's remarks and added
that ``apprenticeships are essential, not simply because they
provide experience for its own sake, but they bridge the gap
between aspiration that is often supported by training and
education and the real experience that employers need or want
when you show up at that door.''\11\
---------------------------------------------------------------------------
\10\See Senate Committee on Homeland Security and Governmental
Affairs, Hearing on Prevention, Response and Recovery: Improving
Federal Cybersecurity Post-SolarWinds, 117th Cong. (May 11, 2021) (S.
Hrg. 117-XX); Senate Committee on Homeland Security and Governmental
Affairs, Hearing on Threats to Critical Infrastructure: Examining the
Colonial Pipeline Cyber Attack, 117th Cong. (June 8, 2021) (S. Hrg.
117-429); Senate Committee on Homeland Security and Governmental
Affairs, Hearing on National Cybersecurity Strategy: Protection of
Federal and Critical Infrastructure Systems, 117th Cong. (Sep. 23,
2021) (S. Hrg. 117-266); and Senate Committee on Homeland Security and
Governmental Affairs, Hearing on In Need of a Checkup: Examining the
Cybersecurity Risks to the Healthcare Sector, 118th Cong. (Mar. 16,
2023) (S. Hrg. 118-XX).
\11\Senate Committee on Homeland Security and Governmental Affairs,
Transcript, Hearing on National Cybersecurity Strategy: Protection of
Federal and Critical Infrastructure Systems, 117th Cong. (Sep. 23,
2021) (S. Hrg. 117-266) (https://plus.cq.com/doc/
congressionaltranscripts-6351036?4&searchId=9Svfjbqf).
---------------------------------------------------------------------------
In March 2023, the Biden Administration continued efforts
to expand the cyber workforce through the release of a National
Cybersecurity Strategy. The strategy recognized ``the need for
cybersecurity expertise across all sectors of the economy'' and
seeks to ``strengthen and diversify the Federal cyber
workforce, addressing the unique challenges the public sector
faces in recruiting, retaining, and developing the talent and
capacity needed to protect Federal data and IT
infrastructure.''\12\
---------------------------------------------------------------------------
\12\The White House, National Cybersecurity Strategy (Mar. 2023)
(www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-
Strategy-2023.pdf).
---------------------------------------------------------------------------
In July 2023, the White House published an additional
strategy document focused on strengthening cyber education and
training opportunities. The National Cyber Workforce and
Education Strategy highlights the importance of skills-based
approaches like apprenticeship programs:
Integrated education and training models that include
work-based learning, paid internships, externships,
pre-apprenticeships, or registered apprenticeships have
proven to be effective. Through these and other work-
based learning opportunities, cyber workers can earn a
wage as they gain hands-on experience and develop their
skills.
The Federal Cybersecurity Workforce Expansion Act aims to
strengthen the cybersecurity talent pipeline within the federal
government by establishing a registered apprenticeship pilot
program at DHS in which participants receive on-the-job
cybersecurity training. Upon successful completion of the
program, participants may be appointed to cybersecurity-
specific positions within a federal agency. The appointed
program graduates would enter into a service agreement, in
which they commit to working in the federal government for a
period of service equal to the length of the apprenticeship.
Under the bill, DHS and the Department of Veterans Affairs also
would establish a pilot program to provide cybersecurity
training at no cost to veterans and military spouses. This
pilot program would incorporate coursework, virtual learning,
and work-based learning opportunities and lead to a recognized
postsecondary credential.
This bill incorporates recommendations from a report
published by the Cyberspace Solarium Commission in March 2020.
The report recommended that the federal government ``develop
work-based learning programs and apprenticeships to supplement
classroom learning'' as a step to improve cyber-oriented
education.\13\ Another recommendation called for designing
``cybersecurity-specific upskilling and transition assistance
programs for veterans and transitioning military service
members to move into federal civilian cybersecurity jobs.''\14\
The Federal Cybersecurity Workforce Expansion Act reflects
these recommendations and would augment cybersecurity workforce
development pathways.
---------------------------------------------------------------------------
\13\Cyberspace Solarium Commission, A Warning From Tomorrow (Mar.
2020) (drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view).
\14\Id. at 44.
---------------------------------------------------------------------------
III. Legislative History
Senator Hassan (D-NH) introduced S. 2256, the Federal
Cybersecurity Workforce Expansion Act, on July 12, 2023, with
Senator John Cornyn (R-TX) as an original cosponsor. The bill
was referred to the Committee on Homeland Security and
Governmental Affairs.
The Committee considered S. 2256 at a business meeting on
July 26, 2023. During the business meeting, S. 2256 was ordered
reported favorably by roll call vote of 7 yeas to 1 nay, with
Senators Peters, Hassan, Sinema, Rosen, Ossoff, Lankford, and
Scott voting in the affirmative and Senator Paul voting in the
negative. Senators Carper, Padilla, Blumenthal, Johnson,
Romney, Hawley, and Marshall voted yea by proxy, for the record
only.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section establishes the short title of the bill as the
``Federal Cybersecurity Workforce Expansion Act.''
Section 2. Findings
This section includes findings indicating the need for
additional federal cybersecurity professionals.
Section 3. Definitions
This section defines the terms ``Department,''
``institution of higher education,'' and ``Secretary'' for the
purposes of this bill.
Section 4. Cybersecurity apprenticeship pilot program
Subsection (a) defines the terms ``area career and
technical education school,'' ``community college,''
``competitive service,'' ``cyber workforce position,'' ``early
college high school; educational service agency; local
educational agency; secondary school; state educational
agency,'' ``education and training provider,'' ``eligible
entity,'' ``excepted service,'' ``local workforce development
board,'' ``minority-serving institution,'' ``nonprofit
organization,'' ``provider of adult education,'' ``qualified
intermediary,'' ``related instruction,'' ``sponsor,''
``state,'' ``state apprenticeship agency,'' ``state workforce
development board,'' and additional terms from the Workforce
Innovation and Opportunity Act for the purposes of this
section.
Subsection (b) directs the Secretary of Homeland Security
to establish an apprenticeship pilot program within three years
of the bill's enactment. DHS would employ up to 25 apprentices
in cyber workforce positions during each year of the program.
The pilot program would offer learning opportunities based on
the NICE Workforce Framework for Cybersecurity, or a successor
framework, and prepare the participants for cyber workforce
positions within federal agencies. DHS or an eligible entity
receiving a contract, cooperative agreement, or grant would
sponsor the registered apprenticeship program and veterans
would be able to use their educational assistance toward the
program.
Subsection (c) directs the Secretary of Homeland Security
to consult with the Secretary of Labor, the Director of NIST,
the Secretary of Defense, the Director of the National Science
Foundation, and the Director of OPM when developing the
apprenticeship pilot program.
Subsection (d) outlines options available to DHS for
entering into a contract or cooperative agreement with or a
making a grant to an eligible entity for assistance sponsoring
the apprenticeship program. The entity chosen to sponsor the
program must have demonstrated experience in implementing
apprenticeship programs, have knowledge of cybersecurity
workforce development, be able to provide participants with one
or more recognized postsecondary credentials, use instruction
that is specifically aligned with the needs of federal
agencies, and have demonstrated success in connecting
apprenticeship participants with careers relevant to the pilot
program.
Subsection (e) requires any entity seeking a contract,
cooperative agreement, or grant under subsection (d) to submit
an application to DHS with such information as the Secretary
may require.
Subsection (f) allows DHS to prioritize an eligible entity
in the context of subsection (d) if the entity: (1) is a member
of an industry or sector partnership that sponsors or
participates in an apprenticeship program; (2) provides related
instruction for a registered apprenticeship program; (3) works
to transition members of the military and veterans to
apprenticeship programs in a relevant sector; (4) plans to
carry out the apprenticeship program with an entity that
receives state funding or is operated by a state agency; (5)
has successfully increased the representation of women,
minorities, and individuals from other underrepresented
communities in cybersecurity; or (6) focuses on recruiting
women, minorities, and individuals from other underrepresented
communities.
Subsection (g) directs DHS to provide technical assistance
to eligible entities selected under subsection (d) to leverage
any existing and relevant federal job training and education
programs.
Subsection (h) requires pilot program participants to enter
into a service agreement in which they agree to serve in a
cyber workforce position within a federal agency, if offered
such a position after completion of the apprenticeship program,
for a length of time equal to the length of the apprenticeship
program. If an individual does not satisfy the requirements of
the service agreement, they would need to repay the cost of the
education and training provided, reduced by an amount factoring
in the period of service they completed. The Secretary may
waive the service or repayment requirements in certain
circumstances, such as if compliance would involve hardship to
the individual.
Subsection (i) specifies that participants in the
apprenticeship program may be appointed to cybersecurity
positions in the excepted service.
Subsection (j) specifies that individuals who successfully
complete the apprenticeship program may be appointed to
cybersecurity positions in the excepted service.
Subsection (k) provides that federal service following the
apprenticeship program would be subject to the completion of a
trial period in accordance with any applicable law or
regulation.
Subsection (l) requires DHS to submit an annual report
starting two years after the beginning of the apprenticeship
pilot program that includes: (1) any activity carried out by
DHS under this section; (2) any eligible entity selected under
subsection (d) and activities carried out by that entity; (3)
best practices used; and (4) an assessment of the results
achieved by the apprenticeship program, including the rate of
continued employment within a federal agency, the demographics
of participants in the apprenticeship, the rate of completion
by program participants, and the return on investment of the
pilot program. This subsection also directs GAO to conduct a
study on the apprenticeship pilot program within four years
after the program is established.
Subsection (m) sunsets the apprenticeship pilot program
after five years.
Section 5. Pilot program on cybersecurity training for veterans and
military spouses
Subsection (a) defines the terms ``eligible individual,''
``recognized postsecondary credential,'' ``veteran,'' and
``work-based learning'' for the purposes of this section.
Subsection (b) directs the DHS Secretary, in consultation
with the Secretary of Veterans Affairs, to establish a pilot
program within three years of the bill's enactment to provide
cybersecurity training to veterans and military spouses.
Subsection (c) requires the pilot program to incorporate:
(1) coursework and training that qualifies toward postsecondary
credit; (2) virtual learning opportunities; (3) hands-on
learning and performance-based assessments; (4) federal work-
based learning opportunities; and (5) the provision of
recognized postsecondary credentials to participants who
complete the pilot program.
Subsection (d) requires the pilot program to align with the
NICE Workforce Framework for Cybersecurity or a successor
framework.
Subsection (e) directs the DHS Secretary to coordinate with
the Secretary of Veterans Affairs, Secretary of Defense,
Secretary of Labor, Director of NIST, and Director of OPM to
leverage existing training, platforms, and frameworks within
the federal government for cybersecurity education and
training, to prevent duplication of efforts. DHS must
coordinate with the Department of Veterans Affairs to ensure
that eligible individuals can use existing educational
assistance to the greatest extent possible. DHS must coordinate
with the Departments of Veterans Affairs, Defense, and Labor,
as well as OPM and any other appropriate agencies, to identify
and create interagency opportunities that allow program
participants to acquire competencies and capabilities necessary
to qualify for federal employment.
Subsection (f) authorizes the DHS Secretary, in
coordination with the Secretary of Veterans Affairs, to expand
existing training, platforms, and frameworks or develop and
procure resources as necessary to carry out the program. DHS
may provide additional funding, staff, or other resources to:
(1) recruit and retain women, minorities, and individuals from
other underrepresented communities; (2) provide administrative
support; (3) ensure ongoing engagement and success of eligible
individuals participating in the program; (4) connect
participants who complete the program with job opportunities in
the federal government; and (5) allocate dedicated positions
for term employment to enable federal work-based learning
opportunities.
Subsection (g) requires the DHS Secretary to submit an
annual report starting two years after the beginning of the
pilot program that includes a description of: (1) any activity
carried by DHS under this section; (2) existing training,
platforms, and frameworks used; and (3) the results achieved by
the apprenticeship program, including the admittance rate into
the pilot program, the demographics of program participants,
the rate of completion by program participants, transfer rates
to other academic or vocational programs, the rate of continued
employment within a federal agency, and the median annual
salary of participants employed after completing the program.
This subsection also directs GAO to conduct a study on the
pilot program within four years after the program is
established.
Subsection (h) sunsets the pilot program established by
this section after five years.
Section 6. Federal cybersecurity workforce assessment extension
This section extends from 2022 to 2027 the requirement that
each federal agency submit an annual report to OPM identifying
cyber-related work roles of critical need in the agency's
workforce.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The bill would:
Establish a cybersecurity apprenticeship
program
Create a cybersecurity training program for
veterans and spouses of military personnel
Extend reporting requirements for federal
positions related to information technology and
cybersecurity
Estimated budgetary effects would mainly stem from:
Hiring and training cybersecurity
apprentices
Developing cybersecurity training courses
for veterans and military spouses
Spending veterans' education benefits on
cybersecurity training
Bill summary: S. 2256 would require the Department of
Homeland Security (DHS) to establish a cybersecurity
apprenticeship program to recruit and hire people to perform
information technology and cybersecurity roles for the
department. DHS also would provide apprentices with training
courses and career development materials.
In addition, S. 2256 would require DHS to establish a
program to provide cybersecurity training without charge to
veterans who are eligible for education benefits administered
by the Department of Veterans Affairs (VA).
Estimated Federal cost: The estimated budgetary effects of
S. 2256 are shown in Table 1. The costs of the legislation fall
within budget function 050 (national defense).
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 2256
----------------------------------------------------------------------------------------------------------------
By fiscal year, millions of dollars--
----------------------------------------------------------------
2023 2024 2025 2026 2027 2028 2023-2028
----------------------------------------------------------------------------------------------------------------
Cybersecurity Apprentices
Estimated Authorization...................... 0 0 2 5 5 5 17
Estimated Outlays............................ 0 0 2 5 5 5 17
Curriculum and Training
Estimated Authorization...................... 0 0 8 0 0 0 8
Estimated Outlays............................ 0 0 5 3 0 0 8
Program Management Staff
Estimated Authorization...................... 0 * 1 1 1 2 5
Estimated Outlays............................ 0 * 1 1 1 2 5
Total Changes
Estimated Authorization...................... 0 * 11 6 6 7 30
Estimated Outlays............................ 0 * 8 9 6 7 30
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.
In addition to the budgetary effects shown above, CBO estimates that enacting S. 2256 would have insignificant
effects on direct spending and the deficit over the 2023-2033 period.
Basis of estimate: For this estimate, CBO assumes that S.
2256 will be enacted early in fiscal year 2024 and that the
required pilot programs would begin to operate in 2025. CBO
also expects that cybersecurity apprentices would serve for a
two-year term. Under S. 2256, the authority to operate the
pilot programs would terminate five years after their
establishment. Outlays are estimated using historical spending
patterns for existing or similar programs.
Spending subject to appropriation: CBO estimates that
implementing the bill would cost $30 million over the 2023-2028
period. Such spending would be subject to the availability of
appropriated funds.
Cybersecurity Apprentices. S. 2256 would require DHS to
recruit and hire apprentices to fill a range of information
technology and cybersecurity roles across the department. On
the basis of information from the Department of Labor about the
average duration and salaries of similar government
apprenticeship programs, CBO expects that each apprentice would
serve for two years at an average annual cost of about $92,000
for salaries and benefits. CBO anticipates that each cohort of
apprentices would include 25 people, the maximum annual number
of new hires permitted under S. 2256, and that DHS would hire
the first cohort in 2025. Because each cohort would serve for
two years, CBO expects that DHS would employ 50 cyber
apprentices each year once the second cohort is hired. On that
basis and accounting for the effects of anticipated inflation,
CBO estimates that compensation for apprentices hired under S.
2256 would total $17 million over the 2023-2028 period.
Curriculum and Training. S. 2256 would require DHS to
develop cybersecurity training courses for the apprenticeship
and veteran training programs authorized under the bill. CBO
expects that DHS would contract with private-sector
cybersecurity firms to design the curricula for those courses
and create online platforms to access the training. Based on
the costs of similar programs at DHS, CBO estimates that cyber
training services and materials would cost about $8 million
over the 2023-2028 period.
Program Management Staff. Using information about similar
training programs, CBO anticipates that DHS would need five
full-time employees to create and manage the new programs. CBO
estimates that their compensation would total $5 million over
the 2023-2028 period.
Cybersecurity Workforce Assessment Extension. S. 2256 would
extend, from 2022 to 2027, the reporting requirements
established under the Federal Cybersecurity Workforce
Assessment Act. Satisfying those requirements would increase
spending subject to appropriation by less than $500,000 over
the 2023-2028 period, CBO estimates. That extension also would
affect some agencies that finance operations from sources other
than discretionary appropriations; those effects are discussed
below under the heading ``Direct Spending.''
Direct spending: Several provisions in S. 2256 would have
insignificant effects on direct spending over the 2023-2033
period, in CBO's estimation.
Cybersecurity Training for Veterans and Military Spouses.
CBO expects that some veterans and their spouses who are
eligible for education benefits administered by VA would
increase their use of those benefits as a result of the
cybersecurity training program. At the same time, some veterans
who otherwise would have used their benefits to enroll in a
postsecondary education program would instead use them for
cybersecurity training (which would typically cost less). The
costs of VA education benefits are paid from mandatory
appropriations. CBO estimates that the changes in the use of
benefits would have insignificant net effects on direct
spending over the 2023-2033 period.
Cybersecurity Workforce Assessment Extension. As described
above under the heading ``Spending Subject to Appropriation,''
S. 2256 would extend the reporting requirements established
under the Federal Cybersecurity Workforce Assessment Act.
Enacting that extension could affect direct spending by some
agencies that use fees, receipts from the sale of goods, and
other collections to cover operating costs. CBO estimates that
any net changes in direct spending by those agencies would be
negligible because most of them can adjust amounts collected to
accommodate changes in operating costs.
Pay-As-You-Go considerations: The Statutory Pay-As-You-Go
Act of 2010 establishes budget-reporting and enforcement
procedures for legislation affecting direct spending or
revenues. CBO estimates that enacting the bill would have
insignificant effects on direct spending and the deficit over
the 2023-2033 period.
Increase in long-term net direct spending and deficits:
None.
Mandates: None.
Estimate prepared by: Federal Costs: Aldo Prosperi
(Department of Homeland Security), Paul B.A. Holland
(Department of Veterans Affairs), Mandates: Brandon Lever.
Estimate reviewed by: David Newman, Chief, Defense,
International Affairs, and Veterans' Affairs Cost Estimates
Unit; Kathleen FitzGerald, Chief, Public and Private Mandates
Unit; Christina Hawley Anthony, Deputy Director of Budget
Analysis.
Estimate approved by: Phillip L. Swagel, Director,
Congressional Budget Office.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT ACT OF 2015
* * * * * * *
SEC. 304. IDENTIFICATION OF CYBER RELATED WORK ROLES OF CRITICAL NEED.
(a) In General.--Beginning not later than 1 year after the
date on which the employment codes are assigned to employees
pursuant to section 303(b)(2), and annually thereafter through
[2022]2027, the head of each Federal agency, in consultation
with the Director, the Director of the National Institute of
Standards and Technology, and the Secretary of Homeland
Security, shall--
(1) identify information technology, cybersecurity,
or other cyber-related work roles of critical need in
the agency's workforce; and
(2) submit a report to the Director that--
(A) describes the information technology,
cybersecurity, or other cyber-related roles
identified under paragraph (1); and
(B) substantiates the critical need
designations.
* * * * * * *