DHS and NPPD officials assured House lawmakers last week that they’re pushing forward on efforts to strengthen the cybersecurity workforce in the face of GAO criticism over their processes and a talent pool that’s often being drained by the private sector.
“A scattershot approach to fulfilling workforce needs without comprehensive data to back up those needs is not an effective use of federal resources,” said Chairman John Ratcliffe (R-Texas) at the outset of the House Homeland Security joint hearing of the Cybersecurity and Oversight subcommittees. “In fact, there may even be the potential of delaying assistance to critical infrastructure sectors and state and local governments if DHS does not have an adequate amount of cyber workers with the correct skills.”
Gregory Wilshusen, director of information security issues at the Government Accountability Office, told lawmakers that as of December 2016, DHS identified 10,725 cyber positions; as of August 2017, 23 months after the September 2015 due date, “the department had not completed the coding assignment process.”
“In August 2017, the Office of Personnel Management reported to Congress that DHS had coded 95 percent of the department’s identified cybersecurity positions,” he said. “Yet, we determined that only 79 percent of the positions were coded. The 95 percent estimate was overstated because DHS excluded uncoded vacant positions.”
DHS “did not identify or report to Congress its critical cybersecurity critical needs using the work categories and specialty areas defined in the national cybersecurity framework” and also “has not annually reported its critical needs to OPM as required” or “developed plans with clearly defined timeframes for reporting,” the GAO official added.
Wilshusen said DHS agreed that GAO’s recommendations, including ensuring accountability and consistency in identifying and coding vacant positions, would be implemented by this June.
“Until it does, DHS may lack assurance that it has the data necessary to effectively manage the recruitment and retention of a cybersecurity workforce that is responsible for protecting departmental and federal networks as well as the nation’s critical infrastructure from cyber threats,” he said.
Angela Bailey, chief human capital officer in the Department of Homeland Security’s management directorate, declared that “our enemies will not rest and neither will we,” and assured the committee that “supporting the human capital needs of the department’s cybersecurity workforce is a top priority for senior leadership including me.”
“I recognize the difficulty of securing the right cybersecurity talent today and tomorrow. But we must proceed with urgency and ingenuity,” she said. “I am committed to thoroughly understanding our workforce requirements and implementing the best possible human capital solutions to recruit, retain, and manage the cybersecurity talent our mission demands.”
Bailey said she’s working with the National Protection and Programs Directorate, the DHS chief information officer, and component CIOs on three priorities: “One, analyze and plan for our complex set of cybersecurity talent needs. Two, recruit and retain the highly qualified employees with capabilities vital to mission success. And three, innovate by implementing a new 21st century personnel system to revolutionize cybersecurity talent management.”
Rita Moss, director of human capital at the National Protection and Programs Directorate, told lawmakers that NPPD “has been working closely with the department in developing systems and programs to effectively recruit and retain cybersecurity talent.”
“Over the last year, we have invested a lot of energy and effort in developing our metrics such as stats on internal movement, location of lag times in hiring, grade distribution, etc., and analyzing our processes. We are now utilizing that data to determine what gaps exist and develop new strategies to address them,” she said. “NPPD has also been very adept and creative in leveraging the various authorities granted to us as well as existing OPM regulations and workplace flexibilities to attract and retain our talent. We are actively exercising various hiring authorities such as direct hire, internships, and noncompetitive hiring, incentive programs such as student loan repayment and retention incentives and recruitment strategies such as social media and onsite interviewing to attract and retain our cyber workforce.”
Rep. Tom Garrett (R-Va.) said to Bailey, “You said our enemies will not rest and neither will we. But as I look at this list of GAO findings, there were at least 395 nights that we went to bed and rested before we accomplished items on this list.”
“Has anyone who is previously responsible for a legally mandated task subsequently been promoted after having failed to accomplish that task in a timely manner?” Garrett asked. “I am dead serious. Because in the world from which I come as a prosecutor, as an elected official and as a soldier, you get an assignment with a drop dead date and you do the assignment. You guys are great. I apologize that my enmity is attacking you. But we serve the American people. And these threats are not anything to worry about until they happen.”
“They have got a lot of competing priorities sitting on their plate. And this is by far one of their most important. But they have to do that in context of everything else that they are trying to do at the same time,” Bailey replied after telling Garrett no one had been fired for missing a congressional deadline. “So the very same workforce that is trying to do the coding and, which, by the way, we have as of today over 6,000 positions coded into three digit. I realize that that is not the substantial progress that you are looking for.”
Under questioning about openings, Moss said the NPPD has had 1,087 cyber positions over the past two years and filled about 500 of them, but also lost some cyber specialists to attrition. “It is not that we are not hiring individuals,” she said. “We are also trying to overcome the deficit.”
“When NPPD first stood up, the urgency was to hire people that are competent and skilled. There is a limited number of people that are competent and skilled in cyber talent,” Moss added. “So now, we are trying to grow people from within by hiring people at lower grade level.”
Wilshusen said DHS must “recognize that is going to be challenging in terms of hiring those types of individuals because they are in demand, not only across federal agencies, but also in the private sector.”
“So it is going to really be imperative to make sure that we know exactly what type of individual with the skill sets that we need in order to accomplish our mission,” he said. “And that is one of the steps that DHS still needs to do.”
Bailey said the department understands that all cyber positions should be coded under the three-digit code by the end of next month.
“Our cyber workforce, as people move in and out, as positions move in and out, as our enemy comes up with new and advanced ways of doing things, we are always going to be redefining what it is to be cybersecurity,” she said.