The U.S. federal government is now keeping pace with rapidly increasing cyber threats, thanks to better organization and resourcing, but still faces serious cybersecurity workforce deficits.
The U.S. government has been grappling with significant gaps in both the size and skill level of federal cybersecurity staffing for nearly two decades. Although cyber workforce shortages remain an issue, the government has made strides by adding new authorities for hiring, increasing compensation for cyber workers, and training and developing personnel to catch up with the speed of security threats.
ICF experts have outlined the following trends as the most notable changes—and outstanding concerns—in the federal government’s efforts to build a skilled cyber workforce.
New cybersecurity concerns
As technology and automation increase at every level (individual, home, devices, networks), the opportunity for bad actors to attack and disrupt our systems increases likewise. The past few years have brought new vulnerabilities, including our growing reliance on smart devices.
The internet of things, for example, allows individuals to control everything from refrigerators to front doors using technology that connects to apps on their phones. While such platforms provide incredible convenience, they also introduce opportunities for hackers to take control.
Similarly, computer-assisted and autonomous vehicles create pathways for cyber attacks. Imagine the havoc malicious forces could wreak by seizing power over self-driving cars.
The cybersecurity community has serious concerns about organized attacks from nation states and election security as well. Recent events show that foreign actors intend to keep interfering with U.S. systems, infrastructure, and politics through hacking and other means.
Increased automation drives greater convenience, data management, and delivery. However, the risks posed by wide-scale connectivity exacerbate the impact of outages and disruption, particularly with vital infrastructure like electrical grids and water purification processes.
Government agencies and organizations recognize these vulnerabilities but must move swiftly to stay abreast of potential threats. Quick action will continue to pose a challenge for cyber units.
Background on cybersecurity legislation
Back in 2006, the Comprehensive National Cybersecurity Initiative described cybersecurity as an issue of national importance, requiring the cooperative efforts of the U.S. government, the military, the intelligence community, members of the defense industrial base, critical infrastructure owners and operators, and companies involved in critical manufacturing.
Although the initiative represented an expression of presidential policy, it buttressed prior initiatives, including the Federal Information Security Management Act, passed by Congress in 2002.
The act mandates: “each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency...”
The act was updated and strengthened in 2014, calling for annual reports to Congress which detail progress made by federal departments and agencies against the implementation, including the imposition of required cybersecurity controls.
Concerns expressed in Congress and other cybersecurity forums led in 2014 to the introduction of S.1691. This bill included provisions of the Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act of 2014. The act provided DHS with additional flexibility to build a cybersecurity workforce, an effort needed government-wide. Notwithstanding these legislative efforts, concerns regarding the federal cybersecurity workforce persisted.
An April 2015 report by the Partnership for Public Service noted:
“In 2013, the National Initiative for Cybersecurity Education created the cybersecurity workforce framework to define and classify cyber workers. The Office of Personnel Management is working to have agencies identify employees whose tasks align with the framework’s seven job categories and 32 specialty areas, but OPM has not announced plans to conduct a government-wide assessment of the cybersecurity workforce.”
The report also pointed to persistent pay gaps for cybersecurity expertise between the federal government and the private sector, adding:
“There is a nationwide shortage of highly qualified cybersecurity experts, and the federal government in particular has fallen behind in the race for this talent—individuals who are essential to protecting our nation’s critical public and private information technology infrastructure.”
Executive branch actions
The Office of Management and Budget (OMB) took action to address these concerns, releasing a 2015 memo that stated:
“Agencies will participate in OPM’s existing special cyber workforce project, which provides cybersecurity job codes by specialty, so that agency leadership can identify the universe of their cyber talent, understand federal-wide challenges for retaining talent, and address gaps accordingly. Agency chief information officers, working collaboratively with chief human capital officers, should use this assessment to identify their top five cyber talent gaps, which will be due to the Office of Personnel Management (OPM) and OMB by December 31, 2015.”
While this effort was laudable, further steps were needed to ensure current skills to safeguard the information for which the federal government is responsible.
In January 2017, OPM issued guidance for coding IT positions using the NICE framework, and directed agencies to comply by April 2018. During the same month, OPM launched a cyber careers portal, which offers a wide range of information and tools for future and current federal cyber workers. It also gives guidance to managers on options for hiring and compensation.
OPM then released Interpretive Guidance for Cybersecurity Positions in November 2018 to provide updated information on describing and classifying cybersecurity positions. This document is particularly helpful for human resources specialists who previously had little instruction on how to organize, describe, and assign job classifications to highly technical cybersecurity work.
On top of these advances, the White House issued an executive order related to cybersecurity in May 2017, containing a series of actions to improve cyber workforce development. In March 2018, the President’s Management Agenda was issued, describing a set of goals to advance IT modernization. Both of these documents continue to focus attention on improving IT management and related cyber workforce requirements.
Structures for cyber organizations across government
Previously, cyber roles and organization across agencies had many inconsistencies, largely due to a lack of methods for tracking and measuring staff size and skills. The federal government has since established new roles and units to create faster and more meaningful advances in cybersecurity.
Through required coding using the National Initiative for Cybersecurity Education (NICE) framework, agencies are now coding all IT positions with the applicable skills to ensure that roles reflect information security responsibilities. The U.S. Office of Management and Budget and the U.S. Chief Information Officers Council have also directed agencies to enhance organizational responsibilities, budget, and workforce resources to anticipate, respond to, and evade cyber attacks and incidents.
By concentrating power in—and then elevating—these organizations, agencies have increased focus and unitary direction. These enhancements have expanded the scope of cyber efforts and the government’s ability to defend and protect the country from threats.
New developments include the establishment of the Cybersecurity and Infrastructure Security Agency as a major component of the U.S. Department of Homeland Security (DHS), Cybercom within the Department of Defense (DoD), and the federal chief information security officer at the U.S. Office of Management and Budget (OMB).
The restructuring of cybersecurity forces within the government continues to unfold, but progress against missions, such as critical infrastructure protection, implies evolution in a positive direction.
Progress and roadblocks in cybersecurity workforce development
The government has met a number of recent milestones for building a cybersecurity workforce.
In April 2018, the National Initiative for Cybersecurity Education framework was successfully applied to OPM’s general schedule information technology job series to align government IT workers with cybersecurity disciplines. Initially viewed as overly complex, the NICE cybersecurity workforce framework is now being updated and rolled out for all information technology positions, which allows resources to flow more smoothly across the IT organization. Previously, there was a lot of variation among organizations in terms of mission, needs, methodologies, system risks, and cyber workforce requirements. Today, new organizations and cyber policies are reducing inconsistencies to streamline efficacy.
However, room for improvement remains in a few key areas.
Methods for documenting and measuring needed cyber skills are still inconsistent or missing in many cases. These tasks are usually handled on an agency-by-agency basis. However, as agencies become more experienced applying the NICE framework, this gap is expected to be addressed. Moreover, a group of agencies is currently working together to prepare cyber career paths using NICE, providing better standardization in the near future.
One additional issue remains: our team here at ICF has found that cyber and IT workers are often averse to assessing their IT skill levels. We think this occurs due to fear of poor performance reviews or potential job security concerns. As workers experience opportunities to improve their skills as a result of the assessments, these concerns will likely decrease.
Efforts to reduce the proliferation of cybersecurity-related credentials and informed insight—which certifications are best in specific circumstances—have also moved slowly.
This is a challenging problem with multiple drivers, including financial incentives for organizations that develop and offer differing certifications. The ideal solution would be a recognized, single certification organization reflecting cyber work as a profession and serving as the gold standard for cyber certifications.
The final cybersecurity workforce shortage deals with temporary staffing. In the case of a massive breach, the government may need a surge of workers or access to specific expertise if the event involves atypical circumstances. Although DHS has been actively engaged in developing a full strategy to address these situations, both in the public and private sectors, it is still in progress. As with all emergency situations, rapidly bringing resources to bear is essential to resolve and ameliorate cyber breaches.
Emerging technologies and obsolete skills
The government is engaged in a wide-scale information modernization effort, as framed in the management agenda. This major IT shift from older forms of technology to emerging technologies may also increase the gap among existing staff.
Technologies such as artificial intelligence, blockchain, cloud computing, and robotic process automation are constantly evolving, requiring increased cyber vigilance and oversight. Combined with the internet of things, autonomous vehicles, and foreign attacks on elections and infrastructure, the existing workforce is challenged with staying on top of all the cybersecurity skills needed to manage new, and sometimes unanticipated or discontinuous, threats.
As of June 2018, OPM’s Fedscope database showed that 52 percent of IT workers are aged 50 years or older, while 3 percent of IT workers are 20 to 29 years of age. This large IT workforce segment has in-depth experience with federal systems. However, as IT modernization gains speed across agencies, skills that were previously required are becoming obsolete, particularly regarding cyber vulnerabilities.
Agencies will need tools to evaluate the skills and experience of mature IT workers to identify areas for reskilling in new and emerging technologies. Workforce shaping methods, such as voluntary separation incentive payments, might also enable restructuring of the IT workforce to create opportunities to recruit needed skills. Innovative concepts, such as reverse mentoring with more junior IT workers paired to support more experienced workers, are another potential solution.
Comprehensive cyber workforce training and development is incredibly important for the next phase of U.S. cybersecurity staffing. From “soft skills” that improve team dynamics and cyber leadership to “splinter” skills that allow us to address unique and previously unidentified threats, the entire workforce must understand their roles in federal cyber defense to defend against ever-increasing threats successfully.
Proven methodology to meet the cybersecurity workforce challenge
The cybersecurity landscape is dynamic—it’s continually changing. Agencies require cyber workers capable of meeting the cybersecurity challenge associated with changing architecture, applications, and networks (e.g., enterprise, cloud, hybrid, mobility, and digital interactive). Federal agencies can benefit from a thorough cyber workforce analysis that includes documenting and measuring the types, number, and competencies of cyber workers needed to protect systems and support their agency’s mission.
This cyber workforce analysis model, created by ICF, has three key elements: composition, quantity, and competency. Each component can be defined by answering a series of questions:
- Composition: What types of cybersecurity workers does your agency need? How should the cybersecurity organization be structured? Do cultural indicators (e.g., teamwork and leadership) reflect an environment built on trust? How can an agency evaluate when federal workers and contractors are most suitable for cyber protection needs?
- Quantity: How many cybersecurity workers does your agency need, and what is the appropriate balance between federal or contract workers? What is the best model for engaging a core of skilled professionals while building the capacity to employ additional resources to meet new challenges?
- Competency: What skills do your agency’s cybersecurity workers need to have? How can skills be evaluated and competency gaps closed?
Perhaps the most meaningful aspect of the model is the workforce gap analysis—the area of divergence that points an agency to its most significant vulnerabilities or mission risks. When applied to an agency’s cyber workforce, the model makes clear which gaps are most likely to compromise mission success: insufficient understanding of the type of cyber workers needed, inadequate cyber skills, or scarce numbers of cyber workers.
Workforce analysis results in reports that describe the cyber workforce in detail and inform agency leadership about mission risks based on valid workforce information. The analysis offers an initial roadmap for corrective action to address identified weaknesses. Equally important, this step is the first in a repeatable process to document and measure the scope and progress of the agency’s cyber workforce over time.
The changing nature of cyber jobs requires increasingly flexible human resource systems and support. As various gaps and accompanying risks are identified, including lack of proficiency, an insufficient number of cyber workers, and severe levels of turnover in cyber positions, agency leadership must rapidly develop and implement workforce solutions to address these gaps.
Here at ICF, we’ve successfully used the following strategies to address workforce gaps:
- Improvements to workforce composition, e.g., development of new organizational structures and position descriptions that reflect changing work requirements.
- Improvements to staffing and recruitment, e.g., through more targeted job announcements aligned to newly developed IT and cyber positions; and offerings of bonuses, student loan repayments, and other incentives from the federal government.
- Improvements to retention, e.g., through specialized incentives (retention bonuses or allowances), cross-training, and financial support for advanced education opportunities.
- Specialized training and development to address proficiency gaps and ameliorate skill deficiencies. This includes technical and team-building skills, leadership development, staff mentoring, and career paths. We also recommend the identification of specific cyber certifications needed by the agency.
- Options for specialized programs or authorities such as expanded use of direct hire authorities or designation of special salary rates—some now widely available, and others more tailored to specific cyber workforce shortages. These new authorities are being fully implemented within the Department of Defense and Department of Homeland Security, and are likely applicable in other agencies.
As technology increasingly transforms at incredible speed, the threats posed by cyber attacks and intrusions will grow even faster. Therefore, federal agencies must constantly examine their workforces to assess how to prevent or minimize these risks.
The challenges implicit in ensuring a strong cybersecurity workforce are not easy to resolve. To ensure mission success and reduce cybersecurity risks, federal agencies must analyze, document, measure, and track their cybersecurity workforce. Agencies will be able to meet their current and future cyber needs and reduce risk through a systematic, repeatable process that generates valid and reliable information about their cybersecurity workforce.