[Federal Register Volume 84, Number 90 (Thursday, May 9, 2019)]
[Presidential Documents]
[Pages 20523-20527]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-09750]
[[Page 20521]]
Vol. 84
Thursday,
No. 90
May 9, 2019
Part III
The President
-----------------------------------------------------------------------
Executive Order 13870--America's Cybersecurity Workforce
Proclamation 9876--National Hurricane Preparedness Week, 2019
Proclamation 9877--National Small Business Week, 2019
Proclamation 9878--Public Service Recognition Week, 2019
Proclamation 9879--Missing and Murdered American Indians and Alaska
Natives Awareness Day, 2019
�
�
� Presidential Documents
�
�
��Federal Register / Vol. 84 , No. 90 / Thursday, May 9, 2019 /
Presidential Documents��
�___________________________________________________________________
�Title 3--
�The President
[[Page 20523]]
Executive Order 13870 of May 2, 2019
America's Cybersecurity Workforce
By the authority vested in me as President by the
Constitution and the laws of the United States of
America, and to better ensure continued American
economic prosperity and national security, it is hereby
ordered as follows:
Section 1. Policy. (a) America's cybersecurity
workforce is a strategic asset that protects the
American people, the homeland, and the American way of
life. The National Cyber Strategy, the President's 2018
Management Agenda, and Executive Order 13800 of May 11,
2017 (Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure), each emphasize
that a superior cybersecurity workforce will promote
American prosperity and preserve peace. America's
cybersecurity workforce is a diverse group of
practitioners who govern, design, defend, analyze,
administer, operate, and maintain the data, systems,
and networks on which our economy and way of life
depend. Whether they are employed in the public or
private sectors, they are guardians of our national and
economic security.
(b) The United States Government must enhance the
workforce mobility of America's cybersecurity
practitioners to improve America's national
cybersecurity. During their careers, America's
cybersecurity practitioners will serve in various roles
for multiple and diverse entities. United States
Government policy must facilitate the seamless movement
of cybersecurity practitioners between the public and
private sectors, maximizing the contributions made by
their diverse skills, experiences, and talents to our
Nation.
(c) The United States Government must support the
development of cybersecurity skills and encourage ever-
greater excellence so that America can maintain its
competitive edge in cybersecurity. The United States
Government must also recognize and reward the country's
highest-performing cybersecurity practitioners and
teams.
(d) The United States Government must create the
organizational and technological tools required to
maximize the cybersecurity talents and capabilities of
American workers--especially when those talents and
capabilities can advance our national and economic
security. The Nation is experiencing a shortage of
cybersecurity talent and capability, and innovative
approaches are required to improve access to training
that maximizes individuals' cybersecurity knowledge,
skills, and abilities. Training opportunities, such as
work-based learning, apprenticeships, and blended
learning approaches, must be enhanced for both new
workforce entrants and those who are advanced in their
careers.
(e) In accordance with Executive Order 13800, the
President will continue to hold heads of executive
departments and agencies (agencies) accountable for
managing cybersecurity risk to their enterprises, which
includes ensuring the effectiveness of their
cybersecurity workforces.
Sec. 2. Strengthening the Federal Cybersecurity
Workforce. (a) To grow the cybersecurity capability of
the United States Government, increase integration of
the Federal cybersecurity workforce, and strengthen the
skills of Federal information technology and
cybersecurity practitioners, the Secretary of Homeland
Security, in consultation with the Director of the
Office of Management and Budget (OMB) and the Director
of the Office of Personnel Management (OPM), shall
establish a cybersecurity rotational assignment
program, which will serve as a mechanism for knowledge
transfer and a development
[[Page 20524]]
program for cybersecurity practitioners. Within 90 days
of the date of this order, the Secretary of Homeland
Security, in consultation with the Directors of OMB and
OPM, shall provide a report to the President that
describes the proposed program, identifies its resource
implications, and recommends actions required for its
implementation. The report shall evaluate how to
achieve the following objectives, to the extent
permitted by applicable law, as part of the program:
(i) The non-reimbursable detail of information technology and cybersecurity
employees, who are nominated by their employing agencies, to serve at the
Department of Homeland Security (DHS);
(ii) The non-reimbursable detail of experienced cybersecurity DHS employees
to other agencies to assist in improving those agencies' cybersecurity risk
management;
(iii) The use of the National Initiative for Cybersecurity Education
Cybersecurity Workforce Framework (NICE Framework) as the basis for
cybersecurity skill requirements for program participants;
(iv) The provision of training curricula and expansion of learning
experiences to develop participants' skill levels; and
(v) Peer mentoring to enhance workforce integration.
(b) Consistent with applicable law and to the
maximum extent practicable, the Administrator of
General Services, in consultation with the Director of
OMB and the Secretary of Commerce, shall:
(i) Incorporate the NICE Framework lexicon and taxonomy into workforce
knowledge and skill requirements used in contracts for information
technology and cybersecurity services;
(ii) Ensure that contracts for information technology and cybersecurity
services include reporting requirements that will enable agencies to
evaluate whether personnel have the necessary knowledge and skills to
perform the tasks specified in the contract, consistent with the NICE
Framework; and
(iii) Provide a report to the President, within 1 year of the date of this
order, that describes how the NICE Framework has been incorporated into
contracts for information technology and cybersecurity services, evaluates
the effectiveness of this approach in improving services provided to the
United States Government, and makes recommendations to increase the
effective use of the NICE Framework by United States Government
contractors.
(c) Within 180 days of the date of this order, the
Director of OPM, in consultation with the Secretary of
Commerce, the Secretary of Homeland Security, and the
heads of other agencies as appropriate, shall identify
a list of cybersecurity aptitude assessments for
agencies to use in identifying current employees with
the potential to acquire cybersecurity skills for
placement in reskilling programs to perform
cybersecurity work. Agencies shall incorporate one or
more of these assessments into their personnel
development programs, as appropriate and consistent
with applicable law.
(d) Agencies shall ensure that existing awards and
decorations for the uniformed services and civilian
personnel recognize performance and achievements in the
areas of cybersecurity and cyber-operations, including
by ensuring the availability of awards and decorations
equivalent to citations issued pursuant to Executive
Order 10694 of January 10, 1957 (Authorizing the
Secretaries of the Army, Navy, and Air Force To Issue
Citations in the Name of the President of the United
States to Military and Naval Units for Outstanding
Performance in Action), as amended. Where necessary and
appropriate, agencies shall establish new awards and
decorations to recognize performance and achievements
in the areas of cybersecurity and cyber-operations. The
Assistant to the President for National Security
Affairs may recommend to agencies that any cyber
unified coordination group or similar ad hoc
interagency group that has addressed a significant
cybersecurity
[[Page 20525]]
or cyber-operations-related national security crisis,
incident, or effort be recognized for appropriate
awards and decorations.
(e) The Secretary of Homeland Security, in
consultation with the Secretary of Defense, the
Director of the Office of Science and Technology
Policy, the Director of OMB, and the heads of other
appropriate agencies, shall develop a plan for an
annual cybersecurity competition (President's Cup
Cybersecurity Competition) for Federal civilian and
military employees. The goal of the competition shall
be to identify, challenge, and reward the United States
Government's best cybersecurity practitioners and teams
across offensive and defensive cybersecurity
disciplines. The plan shall be submitted to the
President within 90 days of the date of this order. The
first competition shall be held no later than December
31, 2019, and annually thereafter. The plan for the
competition shall address the following:
(i) The challenges and benefits of inviting advisers, participants, or
observers from non-Federal entities to observe or take part in the
competition and recommendations for including them in future competitions,
as appropriate;
(ii) How the Department of Energy, through the National Laboratories, in
consultation with the Administrator of the United States Digital Service,
can provide expert technical advice and assistance to support the
competition, as appropriate;
(iii) The parameters for the competition, including the development of
multiple individual and team events that test cybersecurity skills related
to the NICE Framework and other relevant skills, as appropriate. These
parameters should include competition categories involving individual and
team events, software reverse engineering and exploitation, network
operations, forensics, big data analysis, cyber analysis, cyber defense,
cyber exploitation, secure programming, obfuscated coding, cyber-physical
systems, and other disciplines;
(iv) How to encourage agencies to select their best cybersecurity
practitioners as individual and team participants. Such practitioners
should include Federal employees and uniformed services personnel from
Federal civilian agencies, as well as Department of Defense active duty
military personnel, civilians, and those serving in a drilling reserve
capacity in the Armed Forces Reserves or National Guard;
(v) The extent to which agencies, as well as uniformed services, may
develop a President's Cup awards program that is consistent with applicable
law and regulations governing awards and that allows for the provision of
cash awards of not less than $25,000. Any such program shall require the
agency to establish an awards program before allowing its employees to
participate in the President's Cup Cybersecurity Competition. In addition,
any such program may not preclude agencies from recognizing winning and
non-winning participants through other means, including honorary awards,
informal recognition awards, rating-based cash awards, time-off awards,
Quality Step Increases, or other agency-based compensation flexibilities as
appropriate and consistent with applicable law; and
(vi) How the uniformed services, as appropriate and consistent with
applicable law, may designate service members who win these competitions as
having skills at a time when there is a critical shortage of such skills
within the uniformed services. The plan should also address how the
uniformed services may provide winning service members with a combination
of bonuses, advancements, and meritorious recognition to be determined by
the Secretaries of the agencies concerned.
(f) The Director of OMB shall, in consultation with
appropriate agencies, develop annually a list of
agencies and subdivisions related to cybersecurity that
have a primary function of intelligence,
counterintelligence, investigative, or national
security work, including descriptions of such
functions. The Director of OMB shall provide this list
to the President, through the
[[Page 20526]]
Deputy Assistant to the President for Homeland Security
and Counterterrorism (DAPHSCT), every year starting
September 1, 2019, for consideration of whether those
agencies or subdivisions should be exempted from
coverage under the Federal Labor-Management Relations
Program, consistent with the requirements of section
7103(b)(1) of title 5, United States Code.
Sec. 3. Strengthening the Nation's Cybersecurity
Workforce. (a) The Secretary of Commerce and the
Secretary of Homeland Security (Secretaries), in
coordination with the Secretary of Education and the
heads of other agencies as the Secretaries determine is
appropriate, shall execute, consistent with applicable
law and to the greatest extent practicable, the
recommendations from the report to the President on
Supporting the Growth and Sustainment of the Nation's
Cybersecurity Workforce (Workforce Report) developed
pursuant to Executive Order 13800. The Secretaries
shall develop a consultative process that includes
Federal, State, territorial, local, and tribal
governments, academia, private-sector stakeholders, and
other relevant partners to assess and make
recommendations to address national cybersecurity
workforce needs and to ensure greater mobility in the
American cybersecurity workforce. To fulfill the
Workforce Report's vision of preparing, growing, and
sustaining a national cybersecurity workforce that
safeguards and promotes America's national security and
economic prosperity, priority consideration will be
given to the following imperatives:
(i) To launch a national Call to Action to draw attention to and mobilize
public- and private-sector resources to address cybersecurity workforce
needs;
(ii) To transform, elevate, and sustain the cybersecurity learning
environment to grow a dynamic and diverse cybersecurity workforce;
(iii) To align education and training with employers' cybersecurity
workforce needs, improve coordination, and prepare individuals for lifelong
careers; and
(iv) To establish and use measures that demonstrate the effectiveness and
impact of cybersecurity workforce investments.
(b) To strengthen the ability of the Nation to
identify and mitigate cybersecurity vulnerabilities in
critical infrastructure and defense systems,
particularly cyber-physical systems for which safety
and reliability depend on secure control systems, the
Secretary of Defense, the Secretary of Transportation,
the Secretary of Energy, and the Secretary of Homeland
Security, in coordination with the Director of OPM and
the Secretary of Labor, shall provide a report to the
President, through the DAPHSCT, within 180 days of the
date of this order that:
(i) Identifies and evaluates skills gaps in Federal and non-Federal
cybersecurity personnel and training gaps for specific critical
infrastructure sectors, defense critical infrastructure, and the Department
of Defense's platform information technologies; and
(ii) Recommends curricula for closing the identified skills gaps for
Federal personnel and steps the United States Government can take to close
such gaps for non-Federal personnel by, for example, supporting the
development of similar curricula by education or training providers.
(c) Within 1 year of the date of this order, the
Secretary of Education, in consultation with the
DAPHSCT and the National Science Foundation, shall
develop and implement, consistent with applicable law,
an annual Presidential Cybersecurity Education Award to
be presented to one elementary and one secondary school
educator per year who best instill skills, knowledge,
and passion with respect to cybersecurity and
cybersecurity-related subjects. In developing and
implementing this award, the Secretary of Education
shall emphasize demonstrated superior educator
accomplishment--without respect to research,
scholarship, or technology development--as well as
academic achievement by the educator's students.
(d) The Secretary of Commerce, the Secretary of
Labor, the Secretary of Education, the Secretary of
Homeland Security, and the heads of other
[[Page 20527]]
appropriate agencies shall encourage the voluntary
integration of the NICE Framework into existing
education, training, and workforce development efforts
undertaken by State, territorial, local, tribal,
academic, non-profit, and private-sector entities,
consistent with applicable law. The Secretary of
Commerce shall provide annual updates to the President
regarding effective uses of the NICE Framework by non-
Federal entities and make recommendations for improving
the application of the NICE Framework in cybersecurity
education, training, and workforce development.
Sec. 4. General Provisions. (a) Nothing in this order
shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or
the head thereof; or
(ii) the functions of the Director of OMB relating to budgetary,
administrative, or legislative proposals.
(b) This order shall be implemented consistent with
applicable law and subject to the availability of
appropriations.
(c) This order is not intended to, and does not,
create any right or benefit, substantive or procedural,
enforceable at law or in equity by any party against
the United States, its departments, agencies, or
entities, its officers, employees, or agents, or any
other person.
(Presidential Sig.)
THE WHITE HOUSE,
May 2, 2019.
[FR Doc. 2019-09750
Filed 5-8-19; 11:15 am]
Billing code 3295-F9-P