CISA head Jen Easterly and National Cyber Director Chris Inglis at their Senate confirmation hearing, June 10, 2021

CISA head Jen Easterly and National Cyber Director Chris Inglis at their Senate confirmation hearing, June 10, 2021 Kevin Dietsch/Getty Images

A New NAPA Report Backs a Shift in Leadership for Cyber Workforce Development

A new study from the National Academy of Public Administration recommends that the newly established Office of the National Cyber Director develop and implement a coordinated, multi-sector strategy for the cybersecurity workforce, which faces chronic workforce shortages.

There are more than a half-million open jobs in the U.S. requiring some cybersecurity expertise, and the government should do more to coordinate resources and training to expand the pipeline for those positions, according to a new, congressionally-mandated report from the National Academy of Public Administration.

The report, which was required under the terms of the 2021 appropriations bill, was designed to look at cybersecurity workforce programs at the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, but ended up recommending that the Office of the National Cyber Director (ONCD), a new post based at the National Security Council in the White House, take charge of coordinating a multi-sector effort.  

The NAPA report indicates ONCD's central location and mandate make it a better fit to coordinate cybersecurity workforce programs as compared to CISA's Cybersecurity Defense Education and Training (CDET) program.

"Unclear mission focus has been a feature of CDET since its creation," the report states. "Changing priorities led to disruptions and reorganizations and caused key staff at senior and nonsenior levels to leave the organization, limiting CISA’s effectiveness. As a result, other agencies report challenges identifying the right CDET point of contact for questions about organizational priorities and workforce development programs."

Overall, a lack of coordination creates the risk of overlap and duplication as well as hindering the  "federal government's ability to tap the capabilities and resources in the private sector, academia, and other levels of government."

As far as current efforts by CISA to develop the cyber workforce, the panel says that the agency is meeting Congress' goals of scalability, diversity and excellence. But it will need more authorities from Congress to better partner with educational and training institutions, as well as more staff at CISA for this work. 

A CISA spokesperson told FCW that "addressing the cyber workforce shortage both within the federal government and nationwide remains a top priority for CISA. We value NAPA’s research and recommendations. We look forward to building on our current initiatives and collaborating with partners to help develop a cyber workforce of the future that’s reflective of the great diversity of our nation."

The Office of the National Cyber Director, currently led by Chris Inglis, will need resources and authority to assume these responsibilities. The report doesn't get into the weeds about what, if any, legislative changes are needed to support this new role, but states that "Congress should ensure the ONCD has the budget and performance assessment authority to lead and coordinate the programs that will develop the needed workforce, including authorities to drive agency implementation of these programs."

The scope of the problem is daunting. According to the CyberSeek database, there are nearly 600,000 cybersecurity and cybersecurity-adjacent job openings in the United States. But according to the NAPA report, "there is no governmentwide strategy for developing a national cybersecurity workforce to set priorities and focus attention and resources," despite disparate efforts among various individual agencies and programs. 

To be successful, Inglis and his team would have to address outdated and clunky hiring processes within government; an industry-wide reliance on four-year degrees and requirements for certain "excessive" levels of experience that can make it difficult for workers to enter the field. 

In the federal government, for example, efforts to reskill federal employees into cyber roles ran into problems when the program graduates couldn't be easily hired because of requirements that they have one year of experience. 

Cybersecurity hiring managers will need new ways to test the capabilities of job applicants if the field wants to move away from the strict requirements for entry, the report says. The report suggests experiential learning in education curricula or apprenticeships and on-the-job training.

The report also comments on efforts at DHS to address such challenges by building its own cyber-specific human resources system with more flexibility for hiring and pay. 

NAPA says that the program, called the Cybersecurity Talent Management System, should be quickly evaluated with an eye to expanding enhanced pay and hiring flexibility both within DHS and at other agencies. 

The report also includes recommendations on encouraging more people to enter the cyber field in the first place, with a focus on outreach to communities currently underrepresented.