A special to USLAW NETWORK and USLAW DigiKnow
By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey
According to a provision in the 2016 omnibus spending package Congress passed on Dec. 18, 2015, government agencies will have new guidelines for keeping track of their cybersecurity workforce. The Federal Cybersecurity Workforce Assessment Act of 2015 is one of several cybersecurity measures bundled in the new budget, which requires each agency to identify all positions that carry out some kind of cyber function. Additionally, agency leaders will assign each position an employment code under the creation of a new National Initiative for Cybersecurity Education.
The bill also includes a timeline to implement this project. First, the National Institute of Standards and Technology (NIST) and Office of Personnel Management (OPM) directors will develop the job-coding structure roughly by June of 2016. Throughout the next nine months, the OPM and NIST directors, along with the Homeland Security Department secretary, will set up the implementation procedures agencies will use to identify cyber, cyber-related and IT-related civilian positions. A plan for non-civilian positions is scheduled sometime within the next 18 months.
Once implementation plans are set, agencies will be required to report the following to Congress:
- The percentage of personnel with IT, cyber or cyber-related job functions who hold “industry-recognized certifications as identified under the National Initiative for Cybersecurity Education.”
- Whether other civilian and non-civilian cyber personnel, who do not hold industry credentials, are prepared to take certification exams.
- A strategy for filling any skills or certification gaps among their employees.
The creation of the National Initiative for Cybersecurity Education comes as more agencies have obtained special authorizations to hire cyber professionals. In November, OPM gave DHS the green light to fill 1,000 cyber positions. Filling critical talent gaps is also one of the main tenets of the Office of Management and Budget’s cybersecurity strategy and implementation plan.
Multiple data breaches at OPM this year are also driving more congressionally mandated reports. The President will also report on the impact OPM data breaches had on all facets of the intelligence community domestically and abroad. Furthermore, this report will describe which agencies are using best cybersecurity practices, what agencies have done to fix cyber vulnerabilities post-breach, and what best practices OPM failed to deploy. That report is due to both congressional intelligence committees within the next four months. In the meantime, the Director of National Intelligence is expected to report to Congress on possible options for responding to future cyberattacks.