[Senate Report 118-304]
[From the U.S. Government Publishing Office]
Calendar No. 710
118th Congress } { Report
SENATE
2d Session } { 118-304
======================================================================
DHS CYBERSECURITY ON-THE-JOB
TRAINING PROGRAM ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
H.R. 3208
TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO
ESTABLISH A DHS CYBERSECURITY ON-THE-JOB
TRAINING PROGRAM, AND FOR OTHER PURPOSES
December 17 (legislative day, December 16), 2024.--Ordered to be
printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
59-010 WASHINGTON : 2025
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware
MAGGIE HASSAN, New Hampshire
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada
JON OSSOFF, Georgia
RICHARD BLUMENTHAL, Connecticut
ADAM SCHIFF, California
RAND PAUL, Kentucky
RON JOHNSON, Wisconsin
JAMES LANKFORD, Oklahoma
MITT ROMNEY, Utah
RICK SCOTT, Florida
JOSH HAWLEY, Missouri
ROGER MARSHALL, Kansas
David M. Weinberg, Staff Director
Alan S. Kahn, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Emily A. Ferguson, Professional Staff Member
Devin M. Parsons, Senior Professional Staff Member
William E. Henderson III, Minority Staff Director
Christina N. Salazar, Minority Chief Counsel
Andrew J. Hopkins, Minority Counsel
Kendal B. Tigner, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Mr. Peters, from the Committee on Homeland Security and
Governmental Affairs, submitted the following
R E P O R T
[To accompany H.R. 3208]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (H.R. 3208) to amend
the Homeland Security Act of 2002 to establish a DHS
Cybersecurity On-the-Job Training Program, and for other
purposes, having considered the same, reports favorably thereon
with an amendment, in the nature of a substitute, and
recommends that the bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis of the Bill, as Reported
V. Evaluation of Regulatory Impact
VI. Changes in Existing Law Made by the Bill, as Reported
I. Purpose and Summary
H.R. 3208, the DHS Cybersecurity On-the-Job Training
Program Act, codifies the Cybersecurity and Infrastructure Security
Agency (CISA)'s role in providing cybersecurity training to
Department of Homeland Security (DHS) employees who are not
currently in cybersecurity positions. The bill formally
authorizes CISA to provide training related to cybersecurity to
DHS employees, in consultation with the Under Secretary for
Management, including directing CISA to develop curriculum for
the Program and to offer training in line with such curriculum.
The bill also requires CISA to provide an annual report to
Congress for seven years, including information on the number
of employees participating, annual cybersecurity vacancies, the
positions into which Program participants were hired after
training, and a description of metrics used to measure the
success of the Program.
II. Background and Need for the Legislation
Safeguarding federal institutions against cybersecurity
vulnerabilities is both a cost-saving measure and a national security
matter.\1\ Federal agencies are victims of all types of
cyberattacks, from phishing emails, to ransomware, to data
breaches. In Fiscal Year 2023, the total number of cyber
incidents within federal agencies increased from 29,319 to
32,211.\2\ Keeping federal government information secure from
adversaries and cybercriminals is paramount. A key pillar of
this effort, as stipulated in the National Cyber Workforce and
Education Strategy, is to attract skilled cyber personnel and
develop cyber skills of current personnel.\3\ According to
CISA, ``more than 90% of successful cyberattacks start with a
phishing email,'' and Verizon's 2024 report found that 68% of
breaches involved a non-malicious human element, like a person
falling victim to a social engineering attack or making an
error.\4\ Addressing the risks of human error through
cybersecurity training is important for keeping employees up-
to-date on emerging threats, providing information on how to
protect themselves and their organization, and fostering an
environment of cybersecurity awareness, leading to a more
secure and efficient government.\5\
---------------------------------------------------------------------------
\1\White House, National Cybersecurity Strategy (March 2, 2023)
(www.whitehouse.gov/oncd/national-cybersecurity-strategy/); Exec. Order
No. 14028 86 FR 26633 (May 12, 2021).
\2\Office of Management and Budget, Federal Information Security
Modernization Act of 2014 Annual Report Fiscal Year 2023 (June 2024)
(www.whitehouse.gov/wp-content/uploads/2024/06/FY23-FISMA-Report.pdf).
\3\White House, National Cyber Workforce and Education Strategy
(July 31, 2023) (www.whitehouse.gov/wp-content/uploads/2023/07/NCWES-
2023.07.31.pdf).
\4\Cybersecurity and Infrastructure Security Agency, Shields Up:
Guidance for Families (website) (Accessed on: November 25, 2024)
(www.cisa.gov/shields-guidance-families); Verizon, Data Breach
Investigations Report (www.verizon.com/business/resources/reports/dbir/).
\5\Management Concepts, Why Basic Cybersecurity Training is
Essential to Federal Workforce Development (blog)
(managementconcepts.com/resource/why-basic-cybersecurity-training-is-
essential-to-federal-workforce-development/); Forbes, How Providing
Staff Awareness Training Improves a Company's Security Posture (January
27, 2023) (www.forbes.com/councils/forbestechcouncil/2023/01/27/how-
providing-staff-awareness-training-improves-a-companys-security-
posture/).
---------------------------------------------------------------------------
For a majority of organizations, hiring additional security
staff is challenging given the lack of qualified individuals
and the competition to hire those who have adequate
cybersecurity training and skills. A 2024 survey from Fortinet
found that ``70% of respondents agree that the cybersecurity
skills shortage creates additional risks for their
organizations'' and 61% of respondents were discussing or
implementing security awareness and training programs for all
employees.\6\ This challenge is even more stark in the public
sector, where private-sector pay for similar job roles may be 20 to
50% greater.\7\ Based on these
concerns, training the workforce that is already employed and
dedicated to the organization, as this bill does, provides
needed cyber support to agencies utilizing existing personnel.
This bill allows existing personnel to either stay in their
current positions with an increased knowledge of how to handle
cybersecurity threats or an opportunity to move to dedicated
cybersecurity positions within DHS.
---------------------------------------------------------------------------
\6\Fortinet, 2024 Cybersecurity Skills Gap Report (https://
www.fortinet.com/content/dam/fortinet/assets/reports/2024-
cybersecurity-skills-gap-report.pdf).
\7\StateTech, How Thoughtful Cybersecurity Training Yields Benefits
for Government Workers (February 2, 2022) (statetechmagazine.com/
article/2022/02/how-thoughtful-cybersecurity-training-yields-benefits-
government-workers); RAND, Comparison of Public and Private Sector
Cybersecurity and IT Workforces (February 7, 2023) (www.rand.org/pubs/
research_reports/RRA660-7.html).
---------------------------------------------------------------------------
As of June 2024, there were an estimated 2,000 cyber job
openings just within DHS.\8\ DHS must do more to bolster its
own cyber workforce and that of the federal civilian executive
branch. The DHS Cybersecurity On-the-Job Training Program will
help alleviate the burden on DHS's current cyber workforce and
other federal agency personnel through cross-training current
employees. The training curriculum developed by CISA and the
Under Secretary for Management at DHS must be consistent with
the National Institute of Standards and Technology National
Initiative for Cybersecurity Education Framework (NIST NICE),
incorporate existing programs, and offer cybersecurity training
to Department employees and other federal employees. This
legislation also requires the Under Secretary for Management to
annually report to the Secretary of Homeland Security on the
status of cybersecurity position vacancies, efforts to identify
and recruit individuals, encourage participation in the
cybersecurity training program, and conduct outreach to place
graduates of the program in cybersecurity positions.
---------------------------------------------------------------------------
\8\DHS Cyber Hiring Program Got Off on the Wrong Foot, CIO Says,
But Progress is Showing, NextGov (June 26, 2024) (www.nextgov.com/
cybersecurity/2024/06/dhs-cyber-hiring-program-got-wrong-foot-cio-says-
progress-showing/397679/).
---------------------------------------------------------------------------
III. Legislative History
Representatives Sheila Jackson Lee (D-TX), Donald Payne (D-
NJ), Bennie Thompson (D-MS), Steve Cohen (D-TN), Yvette Clarke
(D-NY), and Katherine Clark (D-MA) introduced H.R. 3208, the
DHS Cybersecurity On-the-Job Training Program Act, on May 11,
2023. The bill was referred to the House Committee on Homeland
Security and ordered to be reported favorably by voice vote on
May 17, 2023. The House passed the bill on September 24, 2024.
The bill was received in the Senate and referred to the
Committee on Homeland Security and Governmental Affairs.
The Committee considered H.R. 3208 at a business meeting on
November 20, 2024. At the business meeting, Chairman Peters
offered a substitute amendment to the bill, which clarified that the
curriculum for the cybersecurity training program must include
existing initiatives or successor programs and established that
cybersecurity personnel are to be appropriately compliant with the
NIST NICE framework. The Peters substitute amendment also
clarified that the curriculum would not be required to be
provided to employees but only made available to employees for
voluntary participation, and that data on skill inventories may be
included as part of the annual report.
Additionally, the substitute amendment clarified that the
seven-year period for reporting would begin on the date of
enactment. The Committee adopted the Peters substitute
amendment by unanimous consent with Senators Peters, Hassan,
Rosen, Ossoff, Blumenthal, Butler, Lankford, Hawley, and
Marshall present.
The bill, as amended by the Peters substitute amendment, was
ordered reported favorably by roll call vote of 9 yeas to 0
nays, with Senators Peters, Hassan, Rosen, Ossoff, Blumenthal,
Butler, Lankford, Hawley, and Marshall voting in the
affirmative. Senators Carper, Sinema, and Romney voted yea by
proxy, and Senators Paul, Johnson, and Scott voted nay by
proxy, for the record only.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1: Short title
Clarifies that this Act will be cited as the ``DHS
Cybersecurity On-the-Job Training Program Act''.
Section 2: DHS Cybersecurity on-the-job Training Program
Subsection (a) of the bill amends subtitle A of title XXII
of the Homeland Security Act of 2002 by adding Sec. 2220F, DHS
Cybersecurity on-the-job Training Program.
Subsection (a) of Sec. 2220F establishes a DHS
Cybersecurity On-the-Job Training Program within the Department
of Homeland Security (DHS) and led by the Director of the
Cybersecurity and Infrastructure Security Agency (CISA), in
consultation with the Under Secretary for Management, to
voluntarily train DHS employees who are not currently in a
cybersecurity position for work in matters relating to
cybersecurity at the Department.
Subsection (b) of Sec. 2220F requires the Director of CISA
to develop a curriculum for the Program incorporating any
existing curricula, as appropriate. The curriculum must be
consistent with the National Initiative for Cybersecurity
Education Framework or any successor framework, and with other
means of training and education as determined appropriate by
the Director. The Director shall also develop criteria for
participation and provide cybersecurity training to employees
of the Department and may, as appropriate, provide
cybersecurity training to other federal employees. The Director
of CISA must also provide an annual report to the Committee on
Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of the
Senate for seven years, including information relating to the
number of employees who participated in the Program in the
preceding year, an identification of the positions into which
employees trained through the Program were hired after such
training, a description of metrics used to measure the success
of the Program, copies of the reports submitted pursuant to
subsection (c)(1), and any additional information relating to the
duties specified.
Subsection (c) of Sec. 2220F requires that the
Under Secretary for Management submit an annual report on the
status of vacancies in cybersecurity positions throughout the
Department, support efforts by the Director of CISA to identify
and recruit individuals employed by the Department to
participate in the Program, implement policies, including
continuing service agreements, to encourage participation in
the Program by employees throughout the Department, and conduct
outreach to employees who complete the Program regarding
cybersecurity job opportunities within the Department.
Subsection (b) makes clerical changes to the table of
contents of the Homeland Security Act of 2002.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows: (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Homeland
Security Act of 2002''.
(b) Table of Contents.--The table of contents for this Act
is as follows:
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
Sec. 2200. Definitions.
Subtitle A--Cybersecurity and Infrastructure Security
* * * * * * *
Sec. 2202F. DHS Cybersecurity On-the-Job Training Program.
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
Subtitle A--Cybersecurity and Infrastructure Security
* * * * * * *
SEC. 2220F. DHS CYBERSECURITY ON-THE-JOB TRAINING PROGRAM.
(a) In General.--There is established within the Agency a
``DHS Cybersecurity On-the-Job Training Program'' (in this
section referred to as the Program) to voluntarily train
Department employees who are not currently in a cybersecurity
position for work in matters relating to cybersecurity at the
Department. The Program shall be led by the Director, in
consultation with the Under Secretary for Management.
(b) Duties of the Director.--In carrying out the Program
under subsection (a), the Director--
(1) shall develop a curriculum for the Program,
incorporating any existing curricula as appropriate,
and consistent with the National Initiative for
Cybersecurity Education Framework or any successor
framework, which may include distance learning
instruction, in-classroom instruction within a work
location, on-the-job instruction under the supervision
of experienced cybersecurity staff, or other means of
training and education as determined appropriate by the
director;
(2) shall develop criteria for participation in the
Program;
(3) in accordance with paragraph (1), shall provide
cybersecurity training to employees of the Department
and may, as appropriate, provide cybersecurity training
to other Federal employees; and
(4) shall annually for seven years submit to the
Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security
and Governmental Affairs of the Senate a report that
includes--
(A) information relating to the number of
employees who participated in the Program in
the preceding year;
(B) an identification of the positions into
which employees trained through the Program
were hired after such training;
(C) a description of metrics used to measure
the success of the Program;
(D) copies of the reports submitted pursuant
to (c)(1); and
(E) any additional information relating to
the duties specified in this subsection.
(c) Duties of the Under Secretary for Management.--In
carrying out the Program under subsection (a), the Under
Secretary for Management shall--
(1) submit to the Secretary an annual report on the
status of vacancies in cybersecurity positions
throughout the Department;
(2) support efforts by the Director to identify and
recruit individuals employed by the Department to
participate in the Program;
(3) implement policies, including continuing service
agreements, to encourage participation in the Program
by employees throughout the Department; and
(4) conduct outreach to employees who complete the
Program regarding cybersecurity job opportunities
within the Department.
* * * * * * *