[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
EXAMINING DHS'S EFFORTS TO STRENGTHEN ITS CYBERSECURITY WORKFORCE
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY AND
INFRASTRUCTURE PROTECTION
AND THE
SUBCOMMITTEE ON
OVERSIGHT AND
MANAGEMENT EFFICIENCY
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
MARCH 7, 2018
__________
Serial No. 115-52
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
30-788 PDF WASHINGTON : 2018
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Sheila Jackson Lee, Texas
Mike Rogers, Alabama James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania William R. Keating, Massachusetts
John Katko, New York Donald M. Payne, Jr., New Jersey
Will Hurd, Texas Filemon Vela, Texas
Martha McSally, Arizona Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York J. Luis Correa, California
Mike Gallagher, Wisconsin Val Butler Demings, Florida
Clay Higgins, Louisiana Nanette Diaz Barragan, California
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
Brendan P. Shields, Staff Director
Steven S. Giaier, Chief Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
John Ratcliffe, Texas, Chairman
John Katko, New York Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania Val Butler Demings, Florida
Don Bacon, Nebraska Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Kristen M. Duncan, Subcommittee Staff Director
------
SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY
Scott Perry, Pennsylvania, Chairman
J. Luis Correa, California
John Ratcliffe, Texas Kathleen M. Rice, New York
Clay Higgins, Louisiana Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia Bennie G. Thompson, Mississippi
Ron Estes, Kansas (ex officio)
Michael T. McCaul, Texas (ex
officio)
Diana Bergwin, Subcommittee Staff Director
Erica D. Woods, Interim Subcommittee Minority Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on Cybersecurity
and Infrastructure Protection:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable Scott Perry, a Representative in Congress From the
State of Pennsylvania, and Chairman, Subcommittee on Oversight
and Management Efficiency:
Oral Statement................................................. 4
Prepared Statement............................................. 6
The Honorable J. Luis Correa, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Oversight and Management Efficiency:
Oral Statement................................................. 3
Prepared Statement............................................. 4
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, and Chairman, Committee on Homeland
Security:
Oral Statement................................................. 7
Prepared Statement............................................. 8
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 8
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 9
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity and Infrastructure Protection:
Prepared Statement............................................. 12
Witnesses
Mr. Gregory Wilshusen, Director of Information Security Issues,
Government Accountability Office:
Oral Statement................................................. 14
Prepared Statement............................................. 15
Ms. Angela Bailey, Chief Human Capital Officer, Management
Directorate, U.S. Department of Homeland Security:
Oral Statement................................................. 22
Joint Prepared Statement....................................... 23
Ms. Rita Moss, Director, Office of Human Capital, National
Protection and Programs Directorate, U.S. Department of
Homeland Security:
Oral Statement................................................. 28
Joint Prepared Statement....................................... 23
Appendix
Questions From Chairman John Ratcliffe for Gregory C. Wilshusen.. 47
Questions From Honorable Ron Estes for Gregory C. Wilshusen...... 48
Questions From Chairman John Ratcliffe for the Department of
Homeland Security.............................................. 48
Questions From Honorable Ron Estes for the Department of Homeland
Security....................................................... 51
EXAMINING DHS'S EFFORTS TO STRENGTHEN ITS CYBERSECURITY WORKFORCE
----------
Wednesday, March 7, 2018
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection, and
Subcommittee on Oversight and
Management Efficiency,
Washington, DC.
The subcommittees met, pursuant to notice, at 2:05 p.m., in
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe
[Chairman of the Cybersecurity and Infrastructure Protection
subcommittee] presiding.
Present: Representatives Ratcliffe, Perry, Katko, Higgins,
Donovan, Garrett, Estes, Fitzpatrick, Correa, Jackson Lee,
Langevin, Barragan, and Demings.
Also present: Representative McCaul.
Mr. Ratcliffe. Good afternoon. The Committee on Homeland
Security, Subcommittees on Cybersecurity and Infrastructure
Protection and Oversight Management Efficiency will come to
order.
The subcommittees are meeting today to examine how the
Department of Homeland Security is working to address its
cybersecurity work force needs. I now recognize myself for an
opening statement.
I would like to begin by thanking our panel for taking the
time to be here to testify today. Your thoughts and opinions
certainly are important as we oversee the implementation of
work force authorities at the Department of Homeland Security.
We have seen cyber attacks affect almost every facet of our
daily lives, with sometimes devastating impact. They remind us
how vulnerable governments and economies are to the very real
threat that our cyber adversaries pose.
As the lead civilian agency for our Federal cybersecurity
posture, the Department of Homeland Security is a key piece of
this equation, especially the National Protection Programs
Directorate. A knowledgeable and skilled cybersecurity work
force at DHS is on the front lines of securing our Federal
networks and protecting our critical infrastructure.
It is against this backdrop that DHS must compete with the
private sector to recruit and to retain the best talent
possible, in order to carry out its cybersecurity mission and
protect our critical infrastructure. In 2014 Congress passed
several pieces of legislation in order to augment the
cybersecurity work force at DHS, including the Homeland
Security, Cybersecurity Workforce Assessment Act and the Border
Patrol Agent Pay Reform Act.
Among other effects, these laws expanded DHS's hiring
authorities and allowed the Department to better recruit and
hire qualified cyber professionals. Unfortunately, these new
authorities have not yet been fully implemented.
Last month, the Government Accountability Office released a
report entitled, ``Urgent need for DHS to take actions to
identify its position and critical skill requirements.'' The
findings are pretty troubling. While DHS has taken actions to
idetify, categorize, and assign employment codes to its
cybersecurity positions, its efforts have been neither timely,
nor complete.
Identifying DHS work force capability gaps and recruiting
to fill them, is a problem that this committee has long
examined. However, GAO found that DHS has not identified its
Department-wide security or cybersecurity critical needs.
Ensuring that DHS collects complete and accurate data on all
filled and vacant cybersecurity positions for identification
and coding efforts is a task that DHS must not ignore, nor fail
to complete. A scatter-shot approach to fulfilling work force
needs without comprehensive data to back up those needs is not
an effective use of Federal resources.
In fact, there may even be the potential of delaying
assistance to critical infrastructure sectors and State and
local governments if DHS does not have an adequate amount of
cyber workers with the correct skills. At the same time, I am
pleased to hear that DHS acknowledged and agreed with all of
the recommendations presented by GAO in this report.
DHS will create a periodic review process for cyber roles
by the end of next month, and, most importantly, DHS promised
to develop Department-wide guidance for identifying areas and
positions of critical need by this summer.
While DHS must work to overcome slow hiring processes and
work force pipeline issues in order to build the essential work
force required to meet its cyber mission, at the end of the day
DHS cannot bring people into the hiring pipeline if it does not
have accurate accounting of what its current and future needs
really are.
NPPD is our Government's premier civilian cybersecurity
agency, a distinction that I hope will soon be bolstered by its
elevation to the Cybersecurity and Infrastructure Security
Agency, with pending legislation over in the Senate.
So let us look at some of the challenges we will be
discussing today as collective opportunities to lead together.
We must get this right, and I believe that we will.
[The statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
March 7, 2018
I would like begin by thanking our panel for taking the time today
to testify. Your thoughts and opinions are very important as we oversee
the implementation of workforce authorities at the Department of
Homeland Security.
We have seen cyber attacks affect almost every facet of our daily
lives with devastating impacts, and they remind us of how vulnerable
governments and economies are to the very real threat that our cyber
adversaries pose. As the lead civilian agency for our Federal
cybersecurity posture, the Department of Homeland Security is a key
piece of this equation, especially the National Protection and Programs
Directorate. A knowledgeable and skilled cybersecurity workforce at DHS
is on the front lines of securing our Federal networks and protecting
critical infrastructure.
Against this backdrop, DHS must compete with the private sector to
recruit and retain the best talent possible in order to carry out its
cybersecurity mission and protect our critical infrastructure. In 2014,
Congress passed several pieces of legislation in order to augment the
cybersecurity workforce at DHS, including the Homeland Security
Cybersecurity Workforce Assessment Act and the Border Patrol Agent Pay
Reform Act. Among other effects, these laws expanded DHS's hiring
authorities and allowed the Department to better recruit and hire
qualified cyber professionals. Unfortunately, these new authorities
have not yet been fully implemented.
Last month, the Government Accountability Office released a report
entitled ``Urgent Need for DHS to Take Actions to Identify Its Position
and Critical Skill Requirements''--and the findings are troubling.
While DHS has taken actions to identify, categorize, and assign
employment codes to its cybersecurity positions, its efforts have been
neither timely nor complete. Identifying DHS workforce capability gaps
and recruiting to fill them is a problem this committee has long
examined; however, GAO found that DHS has not identified its
Department-wide cybersecurity critical needs. Ensuring that DHS
collects complete and accurate data on all filled and vacant
cybersecurity positions for identification and coding efforts is a task
that DHS must not ignore or fail to complete. A scattershot approach to
fulfilling workforce needs without comprehensive data to back those
needs up is not an effective use of Federal resources. In fact, there
may even be the potential of delaying assistance to critical
infrastructure sectors and State and local governments if DHS does not
have an adequate amount of cyber workers with the correct skills.
At the same time, I am pleased to hear that DHS acknowledged and
agreed with all of the recommendations presented by GAO in this report.
DHS will create a periodic review process for cyber roles by the end of
next month, and, most significantly, DHS promised to develop
Department-wide guidance for identifying areas and positions of
critical need by this summer. While DHS must work to overcome slow
hiring processes and workforce pipeline issues in order to build the
essential workforce required to meet its cyber mission, at the end of
the day, DHS cannot bring people into the hiring pipeline if it does
not have accurate accounting of what its current and future needs are.
NPPD is our Government's premier civilian cybersecurity agency--a
distinction that I hope will soon be bolstered by its elevation to the
Cybersecurity and Infrastructure Security Agency with pending
legislation in the Senate. So let us look at some of the challenges we
will be discussing today as collective opportunities to lead together.
We must get this right, and I believe that we will.
Mr. Ratcliffe. The Chair now recognizes the gentleman from
California, Mr. Correa, for any statement that he may have.
Mr. Correa. Thank you, Mr. Chairman. Want to thank you and
Chairman Perry for holding this most important hearing today.
Of course, I want to thank also our witnesses for being here
today. All of you know, watching TV, watching news very
frequently. You hear stories about China, Russia, and others
targeting our cyber system, including our election system and,
of course, our critical infrastructures.
Our National security, our economy, in many ways our daily
lives, depend on a stable, safe, and resilient cyber system.
The Department of Homeland Security plays a critical role in
protecting the Nation's cyber space, which includes not only
our own DHS computers but also those belonging to other
civilian agencies in our critical infrastructure and, of
course, including our collection system.
To fulfill this role, DHS must have cybersecurity work
force that is knowledgeable, well-trained, and dedicated to our
mission. Sadly and unfortunately, according to the GAO, DHS has
not taken the proper and necessary steps to staff the
Department with cyber professionals. Specifically, DHS has not
identified or reported to Congress on its own Department-wide
cybersecurity critical work force needs. Additionally,
according to the GAO, DHS has overstated the number of filled
positions.
Without appropriate tracking DHS is not in the position to
effectively examine its cybersecurity work force, identify its
critical skills gaps or improve its work force planning. DHS
has been given a number of tools to help bolster its work
force, including special hiring authority, allowing DHS to
expedite the hiring process and providing monetary incentives
and also a flexible approach to recruiting and retention of
cyber experts.
I look forward to speaking with the witnesses today about
the specifics of the GAO findings and I want to see how we can
move forward and make sure we safeguard America's
cybersecurity. Mr. Chair, I yield.
[The statement of Ranking Member Correa follows:]
Statement of Ranking Member J. Luis Correa
March 7, 2018
Almost daily, we learn of nefarious attempts by Russia, China, and
others to impact our cyber systems, including election systems and
critical infrastructure.
Our National security, our economy, and in many ways our daily
lives depend on a stable, safe, and resilient cyber space.
The Department of Homeland Security plays a critical role in
protecting the Nation's cyber space, which includes not only DHS's own
computer systems and information, but also those belonging to other
Federal civilian agencies and our critical infrastructure, including
election systems.
To fulfill this role, DHS must have a cybersecurity workforce that
is well-trained, resilient, and dedicated to the mission.
However, according to the Government Accountability Office, DHS has
not taken the steps necessary to staff the Department with cyber
professionals properly.
Specifically, DHS has not identified or reported to Congress on its
Department-wide cybersecurity critical workforce needs.
Additionally, according to GAO, DHS overstated the number of filled
and vacant cybersecurity positions assigned with the proper
identification codes for the specific role.
Without appropriate tracking, DHS will not be positioned to
effectively examine its cybersecurity workforce, identify its critical
skill gaps, or improve its workforce planning.
President Trump has claimed to be in support of strengthening
Federal networks and critical infrastructure, which undoubtedly will
require a more robust workforce.
DHS has been given a range of tools to help bolster the cyber
workforce, including special hiring authority for cybersecurity
positions that allows DHS to expedite the hiring process, provide
monetary incentives, and adopt a nimble approach to recruitment and
retention.
I look forward to speaking with witnesses today about the specifics
of the GAO findings and ways we can move the Department in a positive
direction.
Mr. Ratcliffe. Thank the gentleman. The Chair now
recognizes the Chairman of the subcommittee on Oversight and
Management Efficiency, the gentleman from Pennsylvania, Mr.
Perry, for his opening statement.
Mr. Perry. Good afternoon. I would like to thank Chairman
Ratcliffe for holding this hearing today and including the
Oversight and Management Efficiency subcommittee in this very
important and timely discussion of the Department of Homeland
Security's efforts to strengthen its cybersecurity work force.
I also thank the Ranking Member of the subcommittee, Mr.
Correa, as well as the witnesses that are willing to be here
today.
In today's world our Nation and its critical infrastructure
face an increasingly diverse and sophisticated array of
cybersecurity threats from both State and non-State actors.
Adversaries across the globe have invested heavily in building
out cyber capabilities and have demonstrated an increasing
capacity to successfully execute cyber attacks against the
United States and our allies.
As the lead civilian agency for securing the Nation's
public and private critical infrastructure, which is dependent
on IT systems and electronic data, the Department of Homeland
Security and its work force play a critical role in protecting
the Nation's cyber space.
Given this role, data continuing to show cyber personnel
shortages at DHS must remain a top concern for both DHS and
this committee. Demand for cyber-related positions continues to
outpace the number of individuals qualified to fill them and
agencies like DHS must find a way to compete with the private
sector in attracting highly-skilled cyber workers.
To address these challenges the committee has passed
several pieces of legislation in recent years that were signed
into law, providing DHS with additional hiring authorities to
better recruit and retain a qualified cyber work force. The
Homeland Security Cybersecurity Workforce Assessment Act,
enacted into law as part of the Border Patrol Agency Pay Reform
Act of 2014, Public Law No. 113-277, required DHS to survey its
work force and identify, categorize, and code all vacant and
non-vacant cybersecurity positions.
The Act aimed to help DHS assess its current cyber work
force in order to identify skills gaps and critical needs and
improve strategic work force planning to more effectively
recruit, hire, train, and retain cyber personnel.
Unfortunately, according to a recent U.S. Government
Accountability Office Report, DHS has failed to implement the
actions required by this Act in a timely, accurate, or complete
manner.
GAO audited 6 components and found that the Department has
not met any, any of the deadlines established by the Act. Two-
and-a-half years after the statutory deadline to identify the
code positions, 3 of the 6 components studied still have not
identified all of their cyber positions and, as of August 2017,
the Department has only assigned employment codes to 79 percent
of its identified cyber positions. Further, while DHS has
identified cyber work force capacity and capability gaps, it
has not submitted to Congress and the U.S. Office of Personnel
Management required reports on critical needs aligned with the
National Initiative for Cybersecurity Education's National
Cybersecurity Workforce Framework.
Congress has acted to provide DHS with the tools to help
meet the work force needs demanded by the current cyber threat
environment. The Department's failure to utilize these tools is
unacceptable.
Bureaucratic delays in hiring the personnel needed to
secure our Nation's cyber space are detrimental to our National
security. Sadly, the failure to properly implement cyber-
related hiring authorities is emblematic of the systemic hiring
issues continuing to plague the Department.
A management report released by DHS's Office of the
Inspector General last fall aptly summarized that the
Department and its components continue to encounter significant
hiring difficulties related to long hire times and a lack of
human resource staff, automated system, and processes to
determine needed staff.
Just last week, the Oversight and Management Efficiency
Subcommittee heard testimony on the ineffectiveness and delays
associated with the Department's fitness determination process,
an integral part of the contract work force's on-boarding
process.
These problems are especially alarming, given the
significant responsibilities facing DHS as it prepares to meet
cyber work force needs and undertake the border security-
related hiring surge mandated by the President.
I want to thank our panel for testifying this afternoon and
I look forward to hearing an update on the Department's
implementation of Public Law 113-277's requirements, as well as
how DHS's Management Directorate is working with components to
improve hiring processes.
I thank you and yield back the balance.
[The statement of Chairman Perry follows:]
Statement of Chairman Scott Perry
March 7, 2018
Good afternoon. I would like to thank Chairman Ratcliffe for
holding this hearing today and including the Oversight and Management
Efficiency Subcommittee in this very important and timely discussion on
the Department of Homeland Security's efforts to strengthen its
cybersecurity workforce.
In today's world, our Nation and its critical infrastructure face
an increasingly diverse and sophisticated array of cybersecurity
threats from both state and non-state actors. Adversaries across the
globe have invested heavily in building out cyber capabilities and have
demonstrated an increasing capacity to successfully execute cyber
attacks against the United States and our allies.
As the lead civilian agency for securing the Nation's public and
private critical infrastructure, which is dependent on IT systems and
electronic data, the Department of Homeland Security (DHS) and its
workforce play a critical role in protecting the Nation's cyber space.
Given this role, data continuing to show cyber personnel shortages at
DHS must remain a top concern for both DHS and this committee. Demand
for cyber-related positions continues to outpace the number of
individuals qualified to fill them and agencies like DHS must compete
with the private sector in attracting highly-skilled cyber workers.
To address these challenges, this committee has passed several
pieces of legislation in recent years that were signed into law
providing DHS with additional hiring authorities to better recruit and
retain a qualified cyber workforce. The Homeland Security Cybersecurity
Workforce Assessment Act, enacted into law as part of the Border Patrol
Agent Pay Reform Act of 2014 (Public Law 113-277), required DHS to
survey its workforce and identify, categorize, and code all vacant and
non-vacant cybersecurity positions. The act aimed to help DHS assess
its current cyber workforce in order to identify skills gaps and
critical needs, and improve strategic workforce planning to more
effectively recruit, hire, train, and retain cyber personnel.
Unfortunately, according to a recent U.S. Government and
Accountability Office (GAO) report, DHS has failed to implement the
actions required by this act in a timely, accurate, or complete manner.
GAO audited six components and found that the Department has not met
any of the deadlines established by the act. Two-and-a-half years after
the statutory deadline to identify and code positions, three of the six
components studied still have not identified all of their cyber
positions and, as of August 2017, the Department has only assigned
employment codes to 79 percent of its identified cyber positions.
Further, while DHS has identified cyber workforce capacity and
capability gaps, it has not submitted to Congress and the U.S. Office
of Personnel Management (OPM) required reports on critical needs
aligned with the National Initiative for Cybersecurity Education's
National Cybersecurity Workforce Framework.
Congress has acted to provide DHS with the tools to help meet the
workforce needs demanded by the current cyber threat environment. The
Department's failure to utilize these tools is unacceptable.
Bureaucratic delays in hiring the personnel needed to secure our
Nation's cyber space are detrimental to our National security.
Sadly, the failure to properly implement cyber-related hiring
authorities is emblematic of the systemic hiring issues continuing to
plague the Department. A management report released by DHS's Office of
the Inspector General last fall aptly summarized that the Department
and its components continue to encounter significant hiring
difficulties related to long hire times and a lack of human resources
staff, automated systems, and processes to determine needed staff. Just
last week, the Oversight and Management Efficiency Subcommittee heard
testimony on the ineffectiveness and delays associated with the
Department's fitness determination process, an integral part of the
contract workforce's on-boarding process.
These problems are especially alarming, given the significant
responsibilities facing DHS as it prepares to meet cyber workforce
needs and undertake the border security-related hiring surge mandated
by the President.
I want to thank our panel for testifying this afternoon and I look
forward to hearing an update on the Department's implementation of
Public Law 113-277's requirements, as well as how DHS's Management
Directorate is working with components to improve hiring processes.
Thank you and I yield back the balance of my time.
Mr. Ratcliffe. Thank the gentleman.
The Chair now welcomes and recognizes the Chairman of the
full committee, gentleman from Texas, Mr. McCaul.
Mr. McCaul. Thank you, Chairman Ratcliffe and Ranking
Member Correa for your leadership on this very vital issue.
Every day nation-state actors, such as Russia, China, Iran, and
other cyber criminals are increasingly hacking into U.S.
companies and Government networks to conduct espionage or steal
intellectual property.
With tens of millions of Americans relying on computer
networks and IT for both personal and professional reasons, the
risks apply to almost everyone. Recognizing these threats, I
made strengthening the cybersecurity mission at the Department
of Homeland Security one of my top priorities as Chairman of
the Committee on Homeland Security.
It is an issue that has united both parties. I am proud to
say that we have accomplished a great deal. Just this morning,
the full committee passed a bill that would strengthen the
ability of our cyber response teams to react to attacks on
America's critical infrastructure.
This past December, the House approved my landmark bill to
create a stand-alone operational organization to elevate the
cybersecurity mission of DHS. In recent years, we passed both
bills that clarified the cybersecurity roles and authorities
between the Department of Homeland Security and OMB, and the
FBI and NSA and strengthened the cyber threat information-
sharing system with liability protection as well.
In 2014, we passed an important bill to expedite hiring
authority at the Department to bolster its cybersecurity work
force. At the time, I believe it was made clear that this
authority would help combat cyber threats.
I must say though, unfortunately, the Department has never
used this hiring authority. This hearing today will focus on
some of the reasons for this delay. With the number of threats
that continue to gather by the day, I do find this a bit
disturbing. One of our responsibilities as Members of this
committee is oversight and to make sure that the Department is
fully implementing the work force authorities that we provided
here in the Congress.
To combat cybersecurity threats, we need DHS to hire the
best possible work force because there is just too much at
stake. I am hopeful, always in a positive productive way
though, that we can learn why this delay has happened.
I look forward to working with the Department as always and
other Members of our committee to make sure that these
authorities that have been granted the Department are being
used.
When it comes to Homeland Security, I think the American
people need to have the best possible work force in place.
While I do find this delay troubling, I also want to commend
all three of you for the work that you do day in and day out at
the NCCIC.
I hope I am hearing positive things that the Senate will
actually pass our Cybersecurity and Infrastructure Protection
Agency Bill which will elevate and prioritize the mission of
cybersecurity within the Department.
With that, Mr. Chairman, I yield back.
[The prepared statement of Chairman McCaul follows:]
Statement of Chairman Michael T. McCaul
March 7, 2018
Every day nation-state actors, such as Russia, China, and Iran, and
other cyber criminals are increasingly hacking into U.S. companies and
Government networks to conduct espionage or steal intellectual
property.
With tens of millions of Americans relying on computer networks and
IT for both personal and professional reasons, the risks apply to
almost everyone.
Recognizing these threats, I made strengthening the cybersecurity
mission at DHS one of my top priorities as Chairman of the Committee on
Homeland Security. It's an issue that has united both parties and I am
proud to say we have accomplished a great deal.
Just this morning, the full committee passed a bill that would
strengthen the ability of our cyber response teams to react to attacks
on America's critical infrastructure.
This past December, the House approved my landmark bill to create a
stand-alone, operational organization to elevate the cybersecurity
mission of DHS.
In recent years, we passed bills that clarified the cybersecurity
roles and authorities between DHS and OMB, and strengthened cyber-
threat information sharing.
And in 2014, we passed important legislation to expedite hiring
authority at DHS to bolster its cybersecurity workforce. At the time,
it was made clear that this authority would help combat cyber threats.
Unfortunately, the Department has never used this hiring authority.
The hearing today will focus on some of the reasons for this delay.
With the number of threats that continue to gather by the day, I find
this pretty alarming.
One of our responsibilities as Members of this Committee is to make
sure DHS is fully implementing the workforce authorities provided by
Congress.
To combat cybersecurity threats, we need DHS to hire the best
possible workforce. There is too much at stake.
I am hopeful that we can learn why this delay has happened and I
look forward to working with DHS and the other Members of our committee
to make sure we are using the authorities that have been granted.
When it comes to Homeland Security, the American people need to
have the best possible workforce in place.
Mr. Ratcliffe. Thank the Chairman.
Other Members of the committee are reminded that opening
statements may be submitted for the record. We are pleased to
have a very distinguished panel of witnesses before us today on
this important topic.
[The statements of Ranking Members Thompson and Richmond
and Honorable Jackson Lee follow:]
Statement of Ranking Member Bennie G. Thompson
March 7, 2018
Recruiting and retaining a qualified cybersecurity workforce at the
Department of Homeland Security is a National security imperative.
Every day, we learn more about the efforts of our adversaries--from
Russia and Iran to North Korea and China--to use their cyber tools to
attack our economy, our critical infrastructure, and the pillars of our
democracy, including our election systems.
In the wake of this evolving threat landscape, public and private-
sector critical infrastructure owners and operators to look to the
Department of Homeland Security's National Protection and Programs
Directorate (NPPD) to share information on cyber threats, to provide
cybersecurity assessments, and to deploy incident response teams
following an incident, among other things.
Yet, when Assistant Secretary for Cybersecurity and Communications
Jeanette Manfra testified before this panel last October, she told me
that 24 percent of the fully-funded cybersecurity workforce billets at
NPPD were unfilled.
In 2014, Congress gave DHS hiring authorities on par with the
Department of Defense to address cybersecurity staffing challenges.
Although DHS clamored for these authorities for several years prior to
2014, the Department does not plan to fully implement them until April
2019--5 years after Congress authorized expedited hiring.
We cannot afford to waste that kind of time.
Last month, FBI Director Wray, CIA Director Pompeo, NSA Director
Rogers, and Director of National Intelligence Coats, DIA Director
Ashley, and NGA Director Cardillo all testified before the Senate
Intelligence Committee and unanimously agreed that Russia would
continue its election meddling efforts into the 2018 midterm elections.
Last week, NSA Director Rogers again confirmed that the Russian
government is actively targeting U.S. election systems.
Secretary of State Tillerson also agrees that the Russians are
targeting mid-term elections, yet has not spent any of the funds
Congress appropriated to the agency to address the on-going threat to
the integrity of our elections.
Congress granted the State Department $120 million to counter
Russian election meddling, including $60 million to coordinate anti-
propaganda efforts with agencies like the Department of Homeland
Security.
That said, NPPD has an important role to play in this space and
has, in many ways, stepped up.
I am pleased that it has prioritized services for election
administrators, and that all of the 14 requested risk and vulnerability
assessments will be concluded by next month.
But I understand that NPPD had to shift resources to complete the
assessments, and I am concerned that it will need more resources--and
more trained cybersecurity professionals--to meet the on-going
obligations of the critical infrastructure subsector designation. As
threats to the homeland continue to evolve, NPPD and its partners
throughout DHS, will need a strong, qualified cybersecurity workforce.
Congress has given DHS the authorities and structures it needs to
develop that workforce, and it is on DHS to implement them. Ultimately,
as much as the increased demand for a qualified cybersecurity workforce
poses a challenge, it also creates opportunities.
When DHS finally completes the process for coding its cybersecurity
workforce, it will be able to target recruiting at more diverse talent
pools--from community colleges to veterans' groups. I will be
interested in learning what efforts DHS is undertaking to recruit
untapped talent, as well as cultivate and retain its workforce.
______
Statement of Honorable Sheila Jackson Lee
March 7, 2018
Chairman John Ratcliffe and Ranking Member Richmond, and Chairman
Scott Perry and Ranking Member J. Luis Correa, thank you for this
opportunity for the subcommittees to learn more about ``Examining DHS's
Efforts to Strengthen Its Cybersecurity Workforce.''
This hearing will provide Members with an opportunity to hear from
officials at the Department of Homeland Security (DHS) and the
Government Accountability Office (GAO) about the status of DHS's
efforts to identify, recruit, and retain a skilled cybersecurity
workforce.
I look forward to the testimony of today's witnesses:
Gregory Wilshusen, Director, Information Security,
Government Accountability Office;
Angela Bailey, Chief Human Capitol Officer, Management
Directorate, Department of Homeland Security; and
Rita Moss, Director, Office of Human Capital, National
Protection and Programs Directorate, Department of Homeland
Security.
The cybersecurity field's expanding shortage of professionals with
over a quarter-million positions remaining unfilled in the United
States alone and a predicted shortfall of 1.5 million cybersecurity
professionals by 2019.
The solution must be to grow a greater pool of cybersecurity
professionals that are prepared to fill positions within the Federal
Government.
The challenge before the Homeland Security Committee is finding the
right policy that will accomplish the goal of attracting and retaining
cybersecurity professionals within the Federal Government.
I have focused on this problem and have mapped out a comprehensive
approach to meeting the underlying problem: Increasing the pool of
people who would receive essential education in science, technology,
engineering, and mathematics from kindergarten through advanced degree
programs.
In 2017, I was pleased to have been awarded the Executive Women's
Forum's Women in Cybersecurity Leadership Award for my work in
promoting advances in our cybersecurity policy.
congresswoman jackson lee's legislative efforts to close the
cybersecurity workforce gap
I introduced in the 114th and again in the 115th a compressive
Cyber Security Education and the Workforce Enhancement Act, which seeks
to prepare more women and minority students and early stage to mid-
career professionals within the Federal Government for cybersecurity
jobs. [See accompanying section-by-section]
In this Congress my bill is H.R. 1981, and it amends the Homeland
Security Act to establish within the Department of Homeland Security's
Office of Cybersecurity Education and Awareness Branch the goals of:
Recruiting information assurance, cybersecurity, and
computer security professionals;
Providing grants, training programs, and other support for
kindergarten through grade 12, secondary, and post-secondary
computer security education programs;
Supporting guest lecturer programs in which professional
computer security experts lecture computer science students at
institutions of higher education;
Identifying youth training programs for students to work in
part-time or summer positions at Federal agencies; and
Developing programs to support underrepresented minorities
in computer security fields with programs at minority-serving
institutions, including Historically Black Colleges and
Universities, Hispanic-serving institutions, Native American
colleges, Asian-American institutions, and rural colleges and
universities.
The goal of H.R. 1981 is to address under-representation of women
and minorities in cybersecurity fields of employment.
cybersecurity statistics
In 2016, the Bureau of Labor Statistics reported that African-
Americans comprised only 3 percent of the information security analysts
in the United States, yet comprise nearly 13 percent of the National
population.
Just 2 years ago a security analyst, a position which required a 4-
year degree, was paid on average $88,890 per year.
The top computing security salaries range from $175,000 to $230,00
per year.
The most senior position was chief information security officers
(CISOs), which typically earns $400,000 or more per year.
In 2017 the United States employed nearly 780,000 people in
cybersecurity positions, with approximately 350,000 current
cybersecurity employment vacancies.
In 2017, nearly 65 percent of large U.S. companies have a Chief
Information Security Officer, up from 50 percent in 2016.
Women hold only 11 percent of cybersecurity positions globally,
while filling 25 percent of tech jobs, and comprising 50 percent of the
population.
There is a similar situation with African Americans which comprise
only 7 percent of the cybersecurity workforce, and Hispanics, who
account for 5 percent of cybersecurity positions although they make up
13 percent of the Nation's population.
Finally, two out of three high school students indicate that no one
has ever spoken to them about a career in cybersecurity.
These facts mean that we should not have any shortages for
computing security jobs, but that these vacancies exist because of
barriers to entry like education.
solution for expanding the federal cybersecurity workforce
The solution is expanding the diversity of those who are
cybersecurity professionals by tapping human capital already within the
Federal Government in new hires or mid-career changes, when we identify
that someone has the aptitude and desire to become a computing security
professional.
african american pioneers in computer science
Katherine G. Johnson, of Hidden Figures fame, graduated from
college at age 18. In 1952, she began working at NASA in its
aeronautics area as a ``computer,'' where she performed the
calculations that assured that when astronauts were sent into orbit
they could be safely returned to earth.
Roy Clay Sr. is known as the Godfather of Silicon Valley. Mr. Clay
was at the cutting edge of computing and technology through his
leadership of HP's first foray into the computer market with its 2116A
computer.
He was inducted into Silicon Valley Engineering Council's Hall of
Fame in 2003.
Mark Dean co-created the IBM personal computer and was instrumental
in the development of the company's PC 5150, which was sold to the
public in 1981.
Mr. Dean also contributed to the development of the color PC
monitor, the first gigahertz chip, and the industry standard
Architecture (ISA) system bus.
The personal computers' impact on our world is unmistakable.
In the early days of the computing technology age, computers were
only available to governments and large institutional organizations
because of their size and complexity.
The age of personal computing has paved the way for mobile
computing and handheld computing devices like smart phones.
women and the history of computing
Augusta Ada King-Noel, Countess of Lovelace was an English
mathematician and writer, chiefly known for her work on Charles
Babbage's proposed mechanical general-purpose computer.
She was the first to recognize that the machine had applications
beyond pure calculation, and created the first computer program to give
Babbage's machine instructions to carry out a task.
As a result, she is often regarded as the first to recognize the
full potential of a ``computing machine,'' and the first computer
programmer.
Grace Hopper was an American computer scientist and United States
Navy rear admiral, who became the first programmer of the Harvard Mark
I computer and she invented the first compiler for a computer
programming language.
The Executive Women's Forum (EWF) recognizes the contributions
women have made and seeks to expand opportunities for women.
The Executive Women's Forum was founded in 2002, with a mission of
inspiring leaders, transforming organizations, and building businesses
through education, leadership development, and the creation of trusted
relationships.
Today, the EWF has over a thousand members Nation-wide--from
emerging leaders to senior executives, all of whom benefit from the
organization's programs and events.
EWF members support each other in achieving their goals and
advancing their careers by celebrating each other's accomplishments and
acknowledging the ideas and contributions of the women around us.
Most notably, each year EWF presents Women of Influence Awards to
individuals who have made outstanding contributions in the corporate,
Government/academic, and vendor sectors.
The EWF's, ``2017 Global Information Security Workforce Study:
Women in Cybersecurity'' report delivers troubling statistics on areas
we are missing the mark in maximizing the participation of women in the
cybersecurity workforce.
Fifty-one percent of women report various forms of discrimination
in the cybersecurity workforce.
Women who feel valued in the workplace have also benefited from
leadership development programs in greater numbers than women who feel
undervalued.
In 2016 women in cybersecurity earned less than men at every level.
We know that cybersecurity expertise is a critical component of
National security; however, Federal agencies have traditionally
struggled to recruit, retain, and manage a robust cybersecurity
workforce.
The International Consortium of Minority Cybersecurity
Professionals (IC-MCP) launched in 2014 with a mission to bridge this
``great cyber divide'' in the cybersecurity profession. ICMCP offers
programs and services to these groups to assist them in gaining skills
and visibility to promote their careers, including:
Mentoring opportunities for entry and mid-career
cybersecurity professionals
Networking opportunities
Skills workshops.
In 2015, I was pleased to host the International Consortium of
Minority Cybersecurity Professionals for its first meeting held on
Capitol Hill.
The vision of ICMCP is to build a pipeline of cybersecurity
professionals at all levels, and support them throughout their careers.
ICMCP efforts have the potential to broaden the pool of available
experienced cybersecurity professionals.
This Congress I introduced H.R. 1981, the Cyber Security Education
and Federal Workforce Enhancement Act, which creates programs to
support underrepresented minorities in computer security fields.
I understand that the supply of educated and certified
cybersecurity professionals is too few when compared with the thousands
of positons that are in need of them.
As a result, talented candidates can demand higher salaries, more
flexible hours, and other benefits that are incompatible with the
Federal hiring process.
Priorities within the workforce have also changed.
For instance, millennials change employers more frequently than
their predecessors and place a high value on flexible work schedules
and professional development opportunities.
I strongly believe that we have untapped talent within the Federal
workforce, and we have potential pools of talented young people who are
in underrepresented communities around the Nation that we must reach
during their formative education to prepare them for potential
cybersecurity careers.
We are not supporting DHS with a policy that would allow the agency
to pursue talent regardless of where it might be found.
So long as DHS attempts to compete for cybersecurity talent in the
same market where the private sector businesses are competing, the
results will not change.
We must be creative and engage in broader thinking that does not
limit our view of who can be a cybersecurity professional.
potential for dhs to succeed in recruitment and retention of
cybersecurity professionals
The 2017 Global Information Security Workforce Study: Women in
Cybersecurity issued by the Executive Women's Forum, stresses what we
already know; some segments of the workforce are underrepresented--in
the cybersecurity field. Women professionals make up only 11 percent of
the cybersecurity workforce despite the escalating growth in the field.
The participation of women in cybersecurity is at 11 percent
although women reported higher levels of education.
These underrepresented groups offer an opportunity to increase the
cybersecurity workforce in the near and long term.
This is important because both Gen Y and Gen Z have significant
numbers of minorities who could significantly close the cybersecurity
gap.
I look forward to working with the Chair and Ranking Members on how
H.R. 1981 might offer a path toward increasing diversity in the Federal
cybersecurity workforce.
Thank you.
______
Statement of Ranking Member Cedric L. Richmond
March 7, 2018
Since this is our third hearing on cyber workforce, I assume that
most of us understand the gravity of failing to fill cybersecurity
vacancies throughout the Federal Government and, in particular, at DHS.
So, let me start by saying the same thing I have said at the last three
hearings----
First, if we're serious about ``right-sizing'' the Federal
Government's cyber workforce we need to look beyond 4-year
universities. There is untapped talent in unconventional places, and we
will find it if we look for it.
Second, we need strong and consistent leadership from the White
House. The President must come out and say that the cybersecurity
posture of the Federal Government has a direct impact on our economy,
our National security priorities, our critical infrastructure, and even
the integrity of our elections.
And finally, we have to improve morale at DHS so it can recruit and
retain that cybersecurity talent it needs to carry out its mission.
With respect to DHS's cyber workforce, Congress has been
responsive. We heard DHS when it told us that it was having trouble
competing with the private sector for top cyber candidates, and in 2014
we gave DHS the authority for faster, more flexible hiring.
But we also realized that DHS can't manage what it doesn't
measure--so, we directed it to perform a three-step process to assess
its own cybersecurity needs:
Step 1--identify its cybersecurity positions;
Step 2--bring those positions into alignment with formal OPM data
standards, so it can track where cyber positions are located within the
Department and start to address skills gaps;
And Step 3--identify any areas where there are serious gaps in
workforce capabilities, or areas of ``critical need.''
This assessment is supposed to inform a comprehensive cybersecurity
workforce strategy that includes a multi-phased recruitment plan--
targeting a range of potential candidates from experienced
professionals, the unemployed, and disadvantaged communities--to build
a more robust cyber workforce at DHS. This workforce strategy would, in
turn, inform the broader Department-wide Cybersecurity Strategy
required under legislation I authored in 2015.
But DHS has yet to complete its cybersecurity needs assessment and
the deadlines for both these strategies has long passed--yet neither
strategy has been delivered to Congress. In fact, this is the third
Congressional hearing where I have asked about the status of the
Department-wide Cybersecurity Strategy that was due in March 2017.
I expect that today, I will hear the same excuses I have heard
every other time I have asked about the DHS Cybersecurity Strategy: DHS
plans to release the strategy soon, but the new leadership--and there
is, once again, new leadership--needs a chance to review it. As much as
I understand the need to let the new administration set its own policy,
we cannot ignore the fact that these delays are undermining DHS's
ability to carry out its mission.
Moreover, I am troubled by the length of time we are being asked to
wait for the reports we need to do our job as authorizers. Despite
these on-going challenges, I look forward to a productive discussion
about how we can work together to make sure DHS has the tools,
resources, and authorities to maintain a qualified cybersecurity
workforce--and do so in a manner that is timely and responsive to
Congress.
Mr. Ratcliffe. Mr. Greg Wilshusen is the director of
information security issues for the Government Accountability
Office. He leads cybersecurity and privacy-related audits of
the Federal Government and critical infrastructure. Thank you
for taking the time, for being here from what I am sure is very
busy caseload.
Ms. Angela Bailey is the chief human capital officer in the
Management Directorate at DHS. Ms. Bailey came to DHS from the
Office of Personnel Management. I look forward to hearing how
OPM and DHS can work more in unison on cyber work force issues.
Finally, Ms. Rita Moss is the director of the office of
human capital at the National Protection and Programs
Directorate at DHS. She attended the United States Naval
Academy. We thank her for her service there and thank you for
being here before our committees today.
I would now ask all three of our witnesses to stand and
raise your right hand so I can swear you in to testify.
[Witnesses sworn.]
Mr. Ratcliffe. Let the record reflect that the witnesses
have answered in the affirmative. You all may be seated. The
witnesses' full written statements will appear in the record.
The Chair now recognizes, Mr. Wilshusen for 5 minutes for
an opening statement.
STATEMENT OF GREGORY WILSHUSEN, DIRECTOR OF INFORMATION
SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairman Ratcliffe, Chairman Perry, Chairman
McCaul, and Ranking Member Correa. Thank you for the
opportunity to appear at today's hearing to discuss the
Department of Homeland Security's efforts to strengthen its
cybersecurity work force.
My testimony is based on a report we issued last month on
DHS's actions to identify and report on cybersecurity positions
and specialty areas of critical need, as called for by the
Homeland Security Cybersecurity Workforce Assessment Act of
2014.
Before I proceed, if I may, I would like to recognize
members of the audit team who were instrumental in developing
my statement and conducting the work underpinning it. Tamika
Lutin and David Hong who are with me today, led this work while
Chris Carrey, Ben Atwater, Alexander Andreg, Wayne Emillion,
and Louis Rodriguez made significant contributions.
DHS has made important progress in identifying,
categorizing, and assigning the employment codes to its
cybersecurity positions. For example, as of December 2016, it
reported identifying about 10,725 positions.
However, the Department's actions have neither been timely
nor complete. Procedures established by DHS to perform these
activities were issued 13 months past the due dates specified
into 2014 Act and did not include steps for identifying
position vacancies as the act required.
The act also required DHS to assign employment codes
created by OPM to all of its cybersecurity positions. This
action was to be completed by September 2015. However, as of
August 2017, 23 months after the due date, the Department had
not completed the coding assignment process.
In August 2017, the Office of Personnel Management reported
to Congress that DHS had coded 95 percent of the Department's
identified cybersecurity positions. Yet, we determined that
only 79 percent of the positions were coded. The 95 percent
estimate was overstated because DHS excluded uncoded vacant
positions.
DHS has taken steps to identify its work force capability
gaps and reported these to Congress in March 2017. However, it
did not identify or report to Congress its critical
cybersecurity critical needs using the work categories and
specialty areas defined in the National cybersecurity
framework. In addition, the Department has not annually
reported its critical needs to OPM as required and has not
developed plans with clearly-defined time frames for reporting.
To assist the Department, we made six recommendations in
our February report. For example, we recommended that DHS
develop procedures on how to identify and code vacant
cybersecurity positions and develop guidance for identifying
specialty areas of critical need.
To help clarify responsibility and provide accountability,
we recommended that the Department identify for each component
the individual who is responsible for leading the component's
efforts and in performing the work force assessment activities.
We also recommended that each component's procedures for
identifying and coding cyber positions be reviewed to ensure
consistency with Departmental guidelines. DHS concurred with
our recommendations and estimated that it would implement them
all by June, 2018.
Implementing our recommendations should better position the
Department in meeting the requirements of the Homeland Security
Cybersecurity Workforce Assessment Act and help DHS to better
understand its needs for recruiting, hiring, developing, and
retaining the cybersecurity work force with the skills
necessary to accomplish the Department's varied and essential
cybersecurity mission.
Until it does, DHS may lack assurance that it has the data
necessary to effectively manage the recruitment and retention
of a cybersecurity work force that is responsible for
protecting departmental and Federal networks as well as the
Nation's critical infrastructure from cyber threats.
This concludes my opening statement. I would be happy to
answer your questions.
[The prepared statement of Mr. Wilshusen follows:]
Prepared Statement of Gregory C. Wilshusen
March 7, 2018
Chairmen Ratcliffe and Perry, Ranking Members Richmond and Correa,
and Members of the subcommittees: Thank you for the opportunity to
appear at today's hearing to discuss the Department of Homeland
Security's (DHS) efforts to strengthen its cybersecurity workforce. In
its important role of securing the Nation's cyber space, DHS is
responsible for protecting the confidentiality, integrity, and
availability of its own computer systems and information, and for
leading the coordination with partners in the public and private
sectors to protect the computer networks of Federal civilian agencies
and the Nation's critical infrastructure from threats. As such, having
an effective cybersecurity workforce is essential to accomplishing the
Department's mission.
Toward ensuring that it has an effective workforce, the Homeland
Security Cybersecurity Workforce Assessment Act of 2014 (hereafter
referred to as ``the act'') \1\ required DHS to identify all
cybersecurity workforce positions within the Department, determine the
cybersecurity work category and specialty area of such positions, and
assign the corresponding employment code to each cybersecurity
position.\2\ The act also required DHS to identify and report on its
cybersecurity workforce areas of critical need.
---------------------------------------------------------------------------
\1\ The Homeland Security Cybersecurity Workforce Assessment Act of
2014 was enacted as part of the Border Patrol Agent Pay Reform Act of
2014, Pub. L. No. 113-277 Sec. 4,128 Stat. 2995, 3008-3010 (Dec. 18,
2014), 6 U.S.C. Sec. 146.
\2\ The employment codes are standard codes for Federal job
classifications that were developed by the Office of Personnel
Management (OPM), in alignment with the National Initiative for
Cybersecurity Education's National Cybersecurity Workforce Framework.
See Office of Personnel Management, The Guide to Data Standards
(Washington, DC: November 15, 2014).
---------------------------------------------------------------------------
In addition to the aforementioned requirements for DHS, the act
included a provision for GAO to analyze and monitor the Department's
efforts to address its requirements. My testimony today provides an
overview of our recently-issued (February 2018) report, Cybersecurity
Workforce: Urgent Need for DHS to Take Actions to Identify Its Position
and Critical Skill Requirements, based on our review of the its
efforts.\3\
---------------------------------------------------------------------------
\3\ GAO, Cybersecurity Workforce: Urgent Need for DHS to Take
Actions to Identify Its Position and Critical Skill Requirements, GAO-
18-175 (Washington, DC: Feb. 6, 2018).
---------------------------------------------------------------------------
In preparing this statement, we relied on our work supporting the
February report. This work included comparing the Department's actions
to identify, categorize, and assign employment codes to its
cybersecurity positions and to identify its cybersecurity workforce
areas of critical need with the required activities specified in the
act. We analyzed that information, including data on the coding of
cybersecurity workforce positions, and also administered a data
collection instrument to six components of DHS.\4\ Further, we
interviewed relevant officials from the DHS Office of Chief Human
Capital Officer (OCHCO) and from the selected DHS components. We also
interviewed relevant officials at the Office of Personnel Management
(OPM).
---------------------------------------------------------------------------
\4\ The six components we reviewed are: Departmental Management and
Operations, National Protection and Programs Directorate, Science and
Technology Directorate, U.S. Customs and Border Protection, U.S.
Citizenship and Immigration Services, and U.S. Secret Service.
---------------------------------------------------------------------------
The work on which this statement is based was conducted in
accordance with generally accepted Government auditing standards, which
require audits to be planned and performed to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides such a reasonable basis for our findings and
conclusions based on our audit objectives.
background
DHS leads the Federal Government's efforts to secure our Nation's
public and private critical infrastructure information systems against
cyber threats. As part of these efforts, cybersecurity professionals
can help to prevent or mitigate the vulnerabilities that could allow
malicious individuals and groups access to Federal information
technology (IT) systems. The ability to secure Federal systems depends
on the knowledge, skills, and abilities of the Federal and contractor
workforce that designs, develops, implements, secures, maintains, and
uses these systems.
The Office of Management and Budget has noted that the Federal
Government and private industry face a persistent shortage of
cybersecurity and IT talent to implement and oversee information
security protections.\5\ This shortage may leave Federal IT systems
vulnerable to malicious attacks. Experienced and qualified
cybersecurity professionals are essential in performing DHS's work to
mitigate vulnerabilities in its own and other agencies' computer
systems and to defend against cyber threats.
---------------------------------------------------------------------------
\5\ Office of Management and Budget, Federal Cybersecurity
Workforce Strategy, Memorandum M-16-15 (Washington, DC: July 12, 2016).
---------------------------------------------------------------------------
Since 1997, we have identified the protection of Federal
information systems as a Government-wide high-risk area. In addition,
in 2001, we introduced strategic Government-wide human capital
management as another area of high risk.\6\ We have also identified a
number of challenges Federal agencies are facing to ensure that they
have a sufficient cybersecurity workforce with the skills necessary to
protect their information and networks from cyber threats.\7\ These
challenges pertain to identifying and closing skill gaps as part of a
comprehensive workforce planning process, recruiting and retaining
qualified staff, and navigating the Federal hiring process.
---------------------------------------------------------------------------
\6\ GAO, High-Risk Series: Progress on Many High-Risk Areas, While
Substantial Efforts Needed on Others, GAO-17-317 (Washington, DC: Feb.
15, 2017).
\7\ GAO, Cybersecurity: Federal Efforts Are Under Way That May
Address Workforce Challenges, GAO-17-533T (Washington, DC: Apr. 4,
2017).
---------------------------------------------------------------------------
Federal Initiative and Guidance Are Intended to Improve Cybersecurity
Workforces
In recent years, the Federal Government has taken various steps
aimed at improving the cybersecurity workforce. These include
establishing a National initiative to promote cybersecurity training
and skills and developing guidance to address cybersecurity workforce
challenges.
Founded in 2010, the National Initiative for Cybersecurity
Education (NICE) is a partnership among Government, academia, and the
private sector, and is coordinated by the National Institute of
Standards and Technology (NIST). The NICE mission promotes
cybersecurity education, training, and workforce development in
coordination with its partners. The initiative's goal is to increase
the number of skilled cybersecurity professionals in order to boost
National IT security.
In 2013, NICE published the National Cybersecurity Workforce
Framework to provide a consistent way to define and describe
cybersecurity work at any public or private organization, including
Federal agencies.\8\ In 2014, OPM developed guidance for assigning 2-
digit employment codes for each cybersecurity work category and
specialty area identified in the 2013 NICE framework.\9\ Federal
agencies can use the codes to identify cybersecurity positions in
personnel and payroll systems, such the system of the National Finance
Center.\10\
---------------------------------------------------------------------------
\8\ National Institute of Standards and Technology, NICE
Cybersecurity Workforce Framework (Version 1.0) (Gaithersburg, MD:
April 2013).
\9\ Office of Personnel and Management, The Guide to Data Standards
(Washington, DC: November 15, 2014).
\10\ The National Finance Center personnel and payroll systems are
used by DHS and other agencies for processing personnel and payroll
information. In addition, they are DHS's system of record for
employment codes assigned to cybersecurity employees.
---------------------------------------------------------------------------
To further enhance efforts to strengthen the cybersecurity
workforce, NICE subsequently revised the framework in 2017 to include
33 cybersecurity-related specialty areas organized into 7 categories--
securely provision, operate and maintain, protect and defend,
investigate, collect and operate, analyze, and oversee and govern. The
revision defined work roles in specialty areas and cybersecurity tasks
for each work role,\11\ as well as the knowledge, skills, and abilities
that a person should have in order to perform each work role.\12\ Also,
in 2017, OPM issued guidance creating a unique 3-digit employment code
for each cybersecurity work role.\13\ In October 2017, NIST issued
guidance that reflected the finalized 2017 NICE framework and included
a crosswalk of OPM's 2-digit employment codes to the 3-digit codes.\14\
---------------------------------------------------------------------------
\11\ National Institute of Standards and Technology, NICE
Cybersecurity Workforce Framework, Special Publication 800-181
(Gaithersburg, MD: August 2017).
\12\ According to the National Institute of Standards and
Technology, work roles are the most detailed groupings of IT,
cybersecurity, or cyber-related work. Examples of work roles include an
authorizing official, a software developer, or a system administrator.
\13\ Office of Personnel Management, Guidance for Assigning New
Cybersecurity Codes to Positions with Information Technology,
Cybersecurity, and Cyber-Related Functions (Washington, DC: Jan. 4,
2017).
\14\ National Institute of Standards and Technology, OPM Federal
Cybersecurity Coding Structure (Gaithersburg, MD: Oct. 18, 2017).
---------------------------------------------------------------------------
DHS's Cybersecurity Workforce Performs a Wide Range of Critical
Missions
DHS is the third-largest department in the Federal Government,
employing approximately 240,000 people, and operating with an annual
budget of about $60 billion, of which about $6.4 billion was reportedly
spent on IT in fiscal year 2017. In leading the Federal Government's
efforts to secure our Nation's public and private critical
infrastructure information systems, the Department, among other things,
collects and shares information related to cyber threats and
cybersecurity risks and incidents with other Federal partners to enable
real-time actions to address these risks and incidents.
The Department is made up of 15 operational and support components
that perform its critical mission functions. Table 1 describes the 6
components that we included in our review.
------------------------------------------------------------------------
DHS Component Description
------------------------------------------------------------------------
U.S. Customs and Border CBP is to safeguard America's borders,
Protection (CBP) thereby protecting the public from
dangerous people and materials while
enhancing the Nation's global economic
competitiveness by enabling legitimate
trade and travel. CBP's cybersecurity
workforce primarily protects the
component's internal systems, networks,
and data.
Departmental Management and DMO is to provide support to the
Operations (DMO) Secretary and Deputy Secretary in the
overall leadership, direction, and
management of DHS and all of its
components. DMO is responsible for DHS's
budgets and appropriations, expenditure
of funds, information technology
systems, facilities and equipment, and
the identification and tracking of
performance measurements. DMO's
cybersecurity workforce is to develop
and implement DHS's cybersecurity-
related workforce policies and programs
and protect DHS's systems, networks, and
data. As part of DMO, the Office of
Chief Human Capital Officer (OCHCO) is
responsible for personnel policy
development and implementation. The
Office of the Chief Information Officer,
among other things, is to develop and
implement information security programs.
National Protection and NPPD is expected to protect and enhance
Programs Directorate (NPPD) the resilience of the Nation's physical
and cyber infrastructure, working with
partners at all levels of government and
the private and nonprofit sectors, to
share information and build greater
trust to make physical and cyber
infrastructure more secure. NPPD is the
lead component for fulfilling the
Department's National, non-law
enforcement cybersecurity missions, as
well as providing crisis management,
incident response, and defense against
cyber attacks for Federal Government
networks.
U.S. Secret Service (USSS) USSS is to protect designated protectees,
investigate threats against protectees,
as well as investigate financial and
computer-based crimes; it is also
expected to help secure the Nation's
banking and finance critical
infrastructure. USSS's cybersecurity
workforce primarily conducts criminal
investigations and protects its systems,
networks, and data.
Science and Technology S&T is to conduct basic and applied
Directorate (S&T) research, development, demonstration,
testing, and evaluation activities
relevant to DHS. S&T's cybersecurity
workforce is expected to conduct
cybersecurity research and development
for the Homeland Security Enterprise,
and protect its systems, networks, and
data.
U.S. Citizenship and USCIS is responsible for overseeing
Immigration Services (USCIS) lawful immigration to the United States.
Its mission is to provide accurate and
useful information to USCIS customers,
grant immigration and citizenship
benefits, promote an awareness and
understanding of citizenship, and ensure
the integrity of National immigration
system. USCIS's cybersecurity workforce
primarily protects its systems,
networks, and data.
------------------------------------------------------------------------
Source.--GAO analysis of DHS information./GAO-18-430T
DHS Is Required to Assess Its Cybersecurity Workforce
The Homeland Security Cybersecurity Workforce Assessment Act of
2014 required DHS to perform workforce assessment-related activities to
identify and assign employment codes to its cybersecurity positions.
Specifically, the act called for DHS to:
1. Establish procedures for identifying and categorizing
cybersecurity positions and assigning codes to positions
(within 90 days of law's enactment).
2. Identify all filled and vacant positions with cybersecurity
functions and determine the work category and specialty area of
each.
3. Assign OPM 2-digit employment codes to all filled and vacant
cybersecurity positions based on the position's primary
cybersecurity work category and specialty areas, as set forth
in OPM's Guide to Data Standards.\15\
---------------------------------------------------------------------------
\15\ At the time the Homeland Security Cybersecurity Workforce
Assessment Act of 2014 was enacted, DHS was to use OPM's 2014 data
standards guide (Office of Personnel Management, The Guide to Data
Standards (Washington, DC: November 2014). The purpose of the guide is
to help agencies identify and code their cybersecurity positions.
Employment codes can be used in human capital systems to measure areas
of critical need.
---------------------------------------------------------------------------
In addition, after completing the aforementioned activities, the
act called for the Department to take steps to identify and report its
cybersecurity workforce areas of critical need. Specifically, DHS was
to:
4. Identify the cybersecurity work categories and specialty areas
of critical need in the Department's cybersecurity workforce
and report to Congress.
5. Submit to OPM an annual report through 2021 that describes work
categories and specialty areas of critical need and
substantiates the critical need designations.
The act required DHS to complete the majority of these activities
by specific due dates between March 2015 and September 2016.
Within DHS, OCHCO is responsible for carrying out these provisions,
including the coordination of the Department's overall efforts to
identify, categorize, code, and report its cybersecurity workforce
assessment progress to OPM and Congress.
dhs has not fully identified cybersecurity positions or assigned
employment codes in a complete and reliable manner
The act required DHS to establish procedures to identify and assign
the appropriate employment code, in accordance with OPM's Guide to Data
Standards, to all filled and vacant positions with cybersecurity
functions by March 2015.\16\ In addition, DHS's April 2016
Cybersecurity Workforce Coding guidance states that components should
ensure procedures are in place to monitor and to update the employment
codes as positions change over time.\17\
---------------------------------------------------------------------------
\16\ Office of Personnel Management, The Guide to Data Standards
(Washington, DC: November 15, 2014). OPM guidance created unique 2-
digit employment codes for categories and specialty areas identified in
the NICE framework.
\17\ U.S. Department of Homeland Security, Office of the Chief
Human Capital Officer, Cybersecurity Workforce Coding (Washington, DC:
April 22, 2016).
---------------------------------------------------------------------------
Further, the Standards for Internal Control in the Federal
Government recommends that management assign responsibility and
delegate authority to key roles and that each component develop
individual procedures to implement objectives. The standards also
recommend that management periodically review such procedures to see
that they are developed, relevant, and effective.\18\
---------------------------------------------------------------------------
\18\ GAO, Standards for Internal Control in the Federal Government,
GAO-14-704G (Washington, DC: Sep 10, 2014).
---------------------------------------------------------------------------
DHS OCHCO developed Departmental procedures in May 2014 and
recommended implementation steps for coding positions with
cybersecurity functions for the Department's components. However, OCHCO
did not update its procedures to include information on identifying
positions and assigning codes until April 2016--13 months after the due
date specified by the act.
In addition, the procedures were not complete because they did not
include information related to identifying and coding vacant positions,
as the act required. Moreover, the Departmental procedures did not
identify the individual within each DHS component who was responsible
for leading and overseeing the identification and coding of the
component's cybersecurity positions.
Further, although components were able to supplement the
Departmental procedures by developing their own component-specific
procedures for identifying and coding their cybersecurity positions,
OCHCO did not review those procedures for consistency with Departmental
guidance. The Department could not provide documentation that OCHCO had
verified or reviewed component-developed procedures. In addition, OCHCO
officials acknowledged that they had not reviewed the components'
procedures and had not developed a process for conducting such reviews.
OCHCO officials stated that several factors had limited their
ability to develop the procedures and to review component-developed
procedures in a timely and complete manner. These factors were: (1) A
delayed Departmental decision until April 2016 as to whether certain
positions should be considered cybersecurity positions; (2) a belief
that each component had the best understanding of their human capital
systems, so procedure development was best left up to each component;
(3) a condition where each of the six selected DHS components recorded
and tracked vacant positions differently; and (4) cybersecurity
specialty areas for vacant positions were not known until a position
description was developed or verified and a hiring action was imminent.
Without assurance that procedures are timely, complete, and reviewed,
DHS cannot be certain that its components have the procedures to
identify and code all positions with cybersecurity functions, as
required by the act.
Accordingly, our February 2018 report included recommendations that
DHS: (1) Develop procedures on how to identify and code vacant
cybersecurity positions, (2) identify the individual in each component
who is responsible for leading that component's efforts in identifying
and coding cybersecurity positions, and (3) establish and implement a
process to periodically review each component's procedures for
identifying component cybersecurity positions and maintaining accurate
coding.\19\ DHS concurred with the recommendations and stated that it
would implement them by April 30, 2018.
---------------------------------------------------------------------------
\19\ GAO-18-175.
---------------------------------------------------------------------------
DHS Has Not Yet Completed Required Identification Activities
The act required DHS to identify all of its cybersecurity
positions, including vacant positions, by September 2015. Further, the
act called for the Department to use OPM's Guide to Data Standards to
categorize the identified positions and determine the work category or
specialty area of each position.\20\
---------------------------------------------------------------------------
\20\ Office of Personnel Management, The Guide to Data Standards
(Washington, DC: November 15, 2014). OPM guidance outlined categories
and specialty areas in alignment with the NICE framework.
---------------------------------------------------------------------------
As of December 2016, the Department reported that it had identified
10,725 cybersecurity positions, including 6,734 Federal civilian
positions, 584 military positions, and 3,407 contractor positions.\21\
Nevertheless, as of November 2017, the Department had not completed
identifying all of its cybersecurity positions and it had not
determined the work categories or specialty areas of the positions. In
explaining why the Department had not identified all its positions,
OCHCO officials stated that components varied in reporting their
identified vacant positions because the Department did not have a
system to track vacancies.
---------------------------------------------------------------------------
\21\ Department of Homeland Security, Comprehensive Cybersecurity
Workforce Update: 2016 Report (Washington, DC: March 16, 2017).
---------------------------------------------------------------------------
Of the 7 work categories and 33 specialty areas in the NICE
framework, DHS reported that its 3 most common work categories were
``protect and defend'', ``securely provision,'' and ``oversight and
development;'' and its 2 most common specialty areas were ``security
program management'' and ``vulnerability assessment and management.''
However, DHS could not provide data to show the actual numbers of
positions in each of these categories and specialty areas.
According to OCHCO officials, the Department was still in the
process of identifying positions for the 2-digit codes and would
continue this effort until the 3-digit codes were available in the
National Finance Center personnel and payroll system in December 2017.
At that time, OCHCO officials stated that the Department intends to
start developing procedures for identifying and coding positions using
the 3-digit codes.
DHS Has Not Completely and Accurately Assigned Employment Codes
The act also required DHS to assign 2-digit employment codes to all
of its identified cybersecurity positions. This action was to be
completed by September 2015.\22\
---------------------------------------------------------------------------
\22\ Identification and code assignment is inclusive of both filled
and vacant positions with cybersecurity functions.
---------------------------------------------------------------------------
However, as of August 2017--23 months after the due date--the
Department had not completed the coding assignment process. Although,
in August 2017, OPM provided a progress report to Congress containing
DHS data which stated that 95 percent of DHS-identified cybersecurity
positions had been coded,\23\ our analysis determined that the
Department had assigned cybersecurity position codes to approximately
79 percent of its identified Federal civilian cybersecurity
positions.\24\ The primary reason for this discrepancy was that DHS did
not include the coding of vacant positions, as required by the act.
Further, OCHCO officials stated they did not verify the accuracy of the
components' cybersecurity workforce data. Without coding cybersecurity
positions in a complete and accurate manner, DHS will not be able to
effectively examine its cybersecurity workforce; identify skill gaps;
and improve workforce planning.
---------------------------------------------------------------------------
\23\ Office of Personnel Management, Progress Report on the
National Cybersecurity Workforce Measurement Initiative (Washington,
DC: August 3, 2017). This report was 20 months late. OPM officials
stated that they did not meet the December 2015 deadline because DHS
had not provided sufficient data at that point.
\24\ Per DHS's August 2017 coding progress dashboard, 5,298 of
6,734 identified positions had been coded. Vacant position coding
progress was not provided.
---------------------------------------------------------------------------
Thus, in our recently-issued report, we recommended that OCHCO
collect complete and accurate data on all filled and vacant
cybersecurity positions when it conducts its cybersecurity
identification and coding efforts. DHS concurred with the
recommendation and stated that, by June 29, 2018, it intends to issue
memorandums to its components that provide instructions for the
components to periodically review compliance and cybersecurity
workforce data concerns to ensure data accuracy.
dhs has not identified or reported its cybersecurity workforce areas of
critical need
According to the act, DHS was to identify its cybersecurity work
categories and specialty areas of critical need in alignment with the
NICE framework and to report this information to the appropriate
Congressional committees by June 2016. In addition, a DHS directive
required the DHS chief human capital officer to provide guidance to the
Department's components on human resources procedures, including
identifying workforce needs.\25\
---------------------------------------------------------------------------
\25\ Department of Homeland Security, Human Capital Line of
Business Integration and Management, Directive No. 258-01 (Feb. 6,
2014).
---------------------------------------------------------------------------
As of February 2018, the Department had not fulfilled its
requirements to identify and report its critical needs. Although DHS
identified workforce skills gaps in a report that it submitted to
Congressional committees in March 2017, the Department did not align
the skills gaps to the NICE framework's defined work categories and
specialty areas of critical need.
In September 2017, OCHCO developed a draft document that attempted
to crosswalk identified Department-wide cybersecurity skills gaps to
one or more specialty areas in the NICE framework. However, the
document did not adequately help components identify their critical
needs by aligning their gaps with the NICE framework because it did not
provide clear guidance to help components determine a critical need in
cases in which a skills gap is mapped to multiple work categories.
According to OCHCO officials, DHS had not identified Department-
wide cybersecurity critical needs that aligned with the framework
partly because OPM did not provide DHS with guidance for identifying
cybersecurity critical needs. In addition, OCHCO officials stated that
the components did not generally view critical skills gaps in terms of
the categories or specialty areas as defined in the NICE framework, but
instead, described their skills gaps using position titles that are
familiar to them. In the absence of relevant guidance to help
components identify their critical needs, DHS and the components are
hindered from effectively identifying and prioritizing workforce
efforts to recruit, hire, train, develop, and retain cybersecurity
personnel.
DHS also did not report cybersecurity critical needs to OPM in
September 2016 or September 2017, as required. Instead, the Department
first reported its cybersecurity coding progress and skills gaps in a
March 2017 report that it sent to OPM and Congress to address several
of the act's requirements.\26\ However, the report did not describe or
substantiate critical need designations because DHS has not yet
identified them.
---------------------------------------------------------------------------
\26\ Department of Homeland Security, Comprehensive Cybersecurity
Workforce Update: 2016 Report (Washington, DC: March 16, 2017).
---------------------------------------------------------------------------
Additionally, DHS had not developed plans or time frames to
complete priority actions--developing a DHS cybersecurity workforce
strategy and completing its initial cybersecurity workforce research--
that OCHCO officials said must be completed before it can report its
cybersecurity critical needs to OPM. According to OCHCO officials, the
report that the Department submitted to Congress in March 2017 had
contained plans and schedules. However, we found that the March 2017
report did not capture and sequence all of the activities that DHS
officials said must be completed in order to report critical needs.
Until DHS develops plans and schedules with time frames for reporting
its cybersecurity critical needs, DHS may not have insight into its
needs for ensuring that it has the workforce necessary to carry out its
critical role of helping to secure the Nation's cyber space.
In our report, we recommended that DHS: (1) Develop guidance to
assist DHS components in identifying their cybersecurity work
categories and specialty areas of critical need that align to the NICE
framework and (2) develop plans with time frames to identify priority
actions to report on specialty areas of critical need.\27\ DHS
concurred with the recommendations and stated that it plans to
implement them by June 2018.
---------------------------------------------------------------------------
\27\ GAO-18-175.
---------------------------------------------------------------------------
In summary, DHS needs to act now to completely and accurately
identify, categorize, and assign codes to all of its cybersecurity
positions, and to identify and report on its cybersecurity workforce
areas of critical need. Implementing the six recommendations we made in
our February 2018 report should better position the Department to meet
the requirements of the 2014 act. Further, doing so will help DHS
understand its needs for recruiting, hiring, developing, and retaining
a cybersecurity workforce with the skills necessary to accomplish the
Department's varied and essential cybersecurity mission.\28\ Until DHS
implements our recommendations, it will not be able to ensure that it
has the necessary cybersecurity personnel to help protect the
Department's and the Nation's Federal networks and critical
infrastructure from cyber threats.
---------------------------------------------------------------------------
\28\ GAO-18-175.
---------------------------------------------------------------------------
Chairmen Ratcliffe and Perry, Ranking Members Richmond and Correa,
and Members of the subcommittees, this concludes my statement. I would
be pleased to respond to your questions.
Mr. Ratcliffe. Thank you, Mr. Wilshusen.
The Chair now recognizes Ms. Bailey for 5 minutes.
STATEMENT OF ANGELA BAILEY, CHIEF HUMAN CAPITAL OFFICER,
MANAGEMENT DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Bailey. Good afternoon Chairman Ratcliffe, Chairman
Perry, Ranking Member Richmond, and Ranking Member Correa, and
distinguished Members of the subcommittees. Thank you for the
opportunity to appear before you today to address cybersecurity
work force issues at the Department of Homeland Security.
As Secretary Nielsen described during her November 2017
confirmation hearing, cyber attacks against our Federal
networks and the control systems that run our critical
infrastructure are continually increasing, with attacks growing
ever more complex and each more sophisticated than the last.
Cyber criminals and nation-states are continually looking for
ways to exploit our hyper-connectivity in reliance on IT
systems.
Our enemies will not rest and neither will we. The
Department cannot strengthen the Nation's cybersecurity and
successfully confront the threats Secretary Nielsen described
without the creativity, intellect, and dedication of world
class cybersecurity experts.
For that reason, supporting the human capital needs of the
Department's cybersecurity work force is a top priority for
senior leadership including me. I recognize the difficulty of
securing the right cybersecurity talent today and tomorrow. But
we must proceed with urgency and ingenuity. I am committed to
thoroughly understanding our work force requirements and
implementing the best possible human capital solutions to
recruit, retain, and manage the cybersecurity talent our
mission demands.
My team and I are working closely with human capital and
cybersecurity leadership across the Department, including the
National Protection and Programs Directorate, the DHS chief
information officer, and our component CIOs on three
priorities.
No. 1, analyze and plan for our complex set of
cybersecurity talent needs. No. 2, recruit and retain the
highly-qualified employees with capabilities vital to mission
success. No. 3, innovate by implementing a new 21st-Century
personnel system to revolutionize cybersecurity talent
management.
I am working with the deputy undersecretary for management,
the assistant secretary for cybersecurity and communications,
the CIO, and the Cybersecurity Workforce Coordinating Council
to finalize the personnel system. The Secretary in coordination
with the director of OPM is also working to prescribe
regulations for the administration of the new system.
While we engage in the regulatory process, we are dedicated
to a host of technical human capital analysis, policy
development, and change management activities to ensure we
launch a system that will be legally defensible, better reflect
the needs of high-caliber cybersecurity talent, and enhance the
Department's ability to execute its mission.
The implementation effort has momentum. I am committed to
making our new cybersecurity personnel system operational. I
would like to increase our collaboration with Congress,
including these subcommittees, to keep you informed to the
progress.
Thank you, again, for our continued support of the
Department's cybersecurity responsibilities and the employees
charged with executing them. I look forward to your questions.
[The joint prepared statement of Ms. Bailey and Ms. Moss
follows:]
Joint Prepared Statement of Angela Bailey and Rita Moss
March 7, 2018
introduction
Chairman Ratcliffe, Chairman Perry, Ranking Member Richmond,
Ranking Member Correa, and distinguished Members of the subcommittees,
thank you for the opportunity to appear before you today to address
cybersecurity workforce issues at the Department of Homeland Security
(DHS).
We are the Department's chief human capital officer and director of
human resources for the National Protection and Programs Directorate
(NPPD). Together, we have over 50 years of experience in Federal human
resources.
We both support the Department's human capital program, which
includes human resources policies and programs; strategic workforce
planning and analysis; recruitment and hiring; pay and leave;
performance management; employee development; executive resources;
employee and labor relations; workforce health and safety; diversity
and inclusion; and human resources information technology. We also
oversee the human resources operational offices delivering all of the
aforementioned services to Headquarters and NPPD employees.
As Secretary Nielsen stated during her November 2017 confirmation
hearing, `` . . . one of the most significant [aspects of the
Department's mission] for our Nation's future is cybersecurity . . .
The scope and pace of cyber attacks against our Federal networks and
the control systems that run our critical infrastructure are
continually increasing, with attacks growing ever more complex and each
more sophisticated than the last. Cyber criminals and nation-states are
continually looking for ways to exploit our hyper connectivity and
reliance on IT systems.''
The Department cannot strengthen the Nation's cybersecurity and
successfully confront the threats Secretary Nielsen described without
the creativity, intellect, and dedication of world-class cybersecurity
experts. For that reason, supporting the human capital needs of the
Department's cybersecurity workforce is a top priority for senior
leadership, including the Secretary.
The Department faces intense competition for cybersecurity talent,
and studies continue to make headlines by quantifying current shortages
of specific cybersecurity skills and projecting future talent gaps. We
recognize the difficulty of securing the right cybersecurity talent
today and tomorrow, but we must proceed with urgency and ingenuity. We
are committed to thoroughly understanding our workforce requirements
and implementing the best possible human capital solutions to recruit,
retain, and manage the cybersecurity talent our mission demands. Our
teams work closely with human capital and cybersecurity technical
leadership across the Department, including within NPPD, and with the
chief information officer (CIO), and our component CIOs on three
priorities:
1. Analyze and Plan for our complex set of cybersecurity talent
needs;
2. Recruit and Retain highly-qualified employees with capabilities
vital to mission success; and
3. Innovate by implementing a new 21st Century personnel system to
revolutionize cybersecurity talent management.
analyze and plan
To effectively manage a workforce, one must begin with a
comprehensive analysis of mission and talent requirements. We would
like to thank Congress for your attention to cybersecurity workforce
planning through the passage of several laws since 2014, and we would
like to thank the Government Accountability Office (GAO) for their
recent review of the Department's implementation of one of those laws,
the Homeland Security Cybersecurity Workforce Assessment Act of 2014.
Emphasizing the importance of these issues helps us focus all of DHS on
a path forward.
Over the last decade, DHS has taken a variety of steps to better
understand and document our cybersecurity workforce, but as GAO
outlined in their February 6, 2018 report (Cybersecurity Workforce:
Urgent Need for DHS to Take Actions to Identify Its Position and
Critical Skill Requirements), there is more work to be done--and done
quickly.
As described in the Department's response letter, we concur with
GAO's six recommendations, and we have taken a series of actions to
address each of them. Each component designated a lead cybersecurity
workforce official, developed updated position coding guidance, and
stepped up communications with component stakeholders critical to
ensuring positions are accurately identified, coded, and tracked.
Additionally, we continue to engage component senior leaders through
the Cyber Workforce Coordinating Council, comprised of senior
membership from both the component CIO and human resources communities,
and the Cybersecurity Technical Review Board, a working-level, cross-
component group to reinforce accountability and awareness. We also
reach out quarterly to advise components of their coding progress,
validate coding data, and address problems in an effort to improve our
progress and the accuracy of our data in this area.
Notably, the Department's cybersecurity workforce planning efforts
and GAO's report focus heavily on the National Initiative for
Cybersecurity Education (NICE) Workforce Framework (NICE Framework).
NICE, led by the National Institute of Standards and Technology (NIST)
of the U.S. Department of Commerce, is a partnership between
Government, academia, and the private sector working to energize and
promote cybersecurity education, training, and workforce development.
The NICE Framework is a reference structure that describes the
interdisciplinary nature of cybersecurity, and it uses a common,
consistent lexicon to categorize and describe cybersecurity work,
including information key knowledge, skills, and abilities. In 2013,
the Office of Personnel Management (OPM) and NICE began collaborating
to ensure agencies could code their Federal positions according to the
NICE Framework in the human resources information technology (HRIT)
systems of shared service providers.
Currently, the Department is focused on transitioning from 2-digit
position codes based on the original version of the Framework to the
new 3-digit, role-based position codes aligned to the latest version of
the Framework. In doing so, DHS is revising personnel records with our
shared service provider (the National Finance Center) that made system
updates to accommodate 3-digit codes at the end of 2017.
We acknowledge GAO's focus on the importance of coding vacant
positions associated with cybersecurity work, and we have charted a
path to do so. Fortunately, the Department has broader efforts under
way to ensure accurate documentation of all DHS position requirements,
including vacant positions. While DHS does not have an enterprise-wide,
automated solution to support such work, we continue to set and refine
data standards with components, patch together multiple datasets, and
lay the groundwork for a future solution as part of our Strategic
Improvement Opportunities (SIOs) process for the DHS HRIT program. We
believe that linking cybersecurity position identification, coding, and
tracking with our ambitious position management project will help to
accelerate both initiatives.
In the coming months, we have a series of actions planned with
components to ensure they enter, validate, and then analyze their data
to determine critical gaps. On-going workforce planning efforts have
demonstrated that the DHS cybersecurity workforce is complex and
varied. We have identified a total population of over 7,400 Federal
civilian positions, as well as over 2,800 United States Coast Guard
military positions and 4,800 contractor positions. The Federal civilian
population includes 18 components and organizations and covers over 40
Federal occupational series, and all 33 specialty areas of the NICE
Cybersecurity Workforce Framework. When we apply the NICE Framework,
the most populous category and specialty area codes at DHS--each
associated with more than 250 positions/employees--are Investigation,
Information Assurance/Compliance, Digital Forensics, Securely
Provision, and Operate and Maintain.
Past data calls have identified a great deal of information about
component recruitment and retention challenges and staffing gaps. For
the population of 7,400 civilian positions, we are averaging a vacancy
rate of 10 percent and an attrition rate of 5 percent, but in some
components, both rates are regularly above 20 percent. In addition,
components have cited all portions of the NICE Cybersecurity Workforce
Framework to describe their current and projected shortages of
positions/employees.
DHS must now dig deeper to isolate and monitor priority skills and
mission roles, including those where shortages exist or are
anticipated. The Framework is a helpful tool for describing critical
roles and shortages, but we cannot stop there. Some DHS cybersecurity
work is highly specialized, requiring industry, sector, or mission-
specific skills and knowledge not captured by the Framework's general
structures and definitions. In cases where DHS work is unique or
specificity is critical to describing the talent needed to meet the
Department's mission objectives, DHS will document such detail, and, as
appropriate, report it to Congress along with the data elements
outlined in statute.
recruit and retain
Our understanding of both our current and future workforce needs
informs our recruitment and retention strategy. The Department must
ensure we are attracting, hiring, and keeping the best cybersecurity
talent, and given the competitive cybersecurity labor market, DHS must
leverage all available tools to ensure we keep attrition and vacancy
rates at acceptable levels. OCHCO has a team dedicated to attracting
talent to the Department by improving our employment brand and
developing and implementing Department-wide recruitment strategies, to
include the use of available hiring flexibilities such as the DHS
Schedule A cybersecurity hiring authority and the Government-wide IT
(information security) direct hire authority.
OCHCO works closely with recruiters and human capital leadership
from across components, and holds regular meetings of our Corporate
Recruiting Council. This Council oversees the creation and monitoring
of targeted recruitment plans for specific DHS mission-critical
occupations, including cybersecurity. As part of a long-term effort to
improve cybersecurity recruiting, our staffs manage cybersecurity
pipeline development and outreach activities focused on 2- and 4-year
academic institutions, including the National Centers of Academic
Excellence in Cyber Defense and Cyber Operations, National and local
community organizations, and professional associations. In fiscal year
2017 and fiscal year 2018 to date, we have engaged with over 1,300
students from 122 academic institutions, including 40 National Centers
of Academic Excellence.
In addition, OCHCO operates the Secretary's Honors Program Cyber
Student Volunteer Initiative, which offers students temporary
assignments in DHS cybersecurity-focused field offices. Approximately
6,500 students from over 400 academic institutions have applied to the
program since its inception in 2013, and 258 have completed assignments
alongside our cybersecurity professionals. While this is a great
starter program, we are enhancing and expanding component-specific and
Government-wide programs, such as the Intelligence & Analysis
Internship Program and the CyberCorps�: Scholarship for Service
program. Now, thanks to Congressional support, all are paid internships
that lead to full-time Federal/DHS cyber-specific jobs.
Creating interest in DHS cybersecurity work and attracting top
applicants is only part of the recruitment equation. Reducing the
burden and length of the hiring process for candidates is equally
critical. DHS is focusing on hiring process improvement for all
occupations, including those related to cybersecurity and information
technology. Our teams have worked to gather all available hiring
process data to assist components in identifying barriers,
reengineering steps, setting better operational targets, and
identifying opportunities for additional automation. We are also
focusing on forging smart partnerships across DHS components, lines of
business, and Federal agencies to ensure that DHS human resources
personnel are aware of leading practices and can collaborate to achieve
economies of scale.
One of the key hiring improvement strategies we have deployed is
joint recruiting and special hiring events. The Department has held
successful joint cybersecurity, veterans, intern, and recent graduate
events that brought together multiple components to a single location
enabling on-site interviews and on-the-spot tentative job offers in the
same day. As a direct result of these events, the Department was able
to hire nearly 700 new employees with a reduced time-to-hire. With the
cybersecurity event alone, we were able to bring on board approximately
300 employees, cutting the time-to-hire by up to 6 weeks in most cases.
The Department has also ramped up participation in similar hiring
events with Federal partners, including the CyberCorps�: Scholarship
for Service Job Fair and Federal CIO Council's Federal Tech/Cyber
Hiring and Recruitment Event. Based on previous success, the Department
will hold another DHS cybersecurity hiring event later this year in
Washington, DC.
Innovative interventions to speed hiring and reduce vacancies are
just the first part of a larger Departmental strategy to do
cybersecurity human capital better and smarter. Human capital
flexibilities are most useful when human resources practitioners
understand them and deploy them appropriately to target the
Department's most critical job candidates and personnel. We remain
committed to ensuring that the DHS human resources community receives
additional cybersecurity-focused training and guidance.
Since 2016, OCHCO has released over 15 simplified guidance
documents to help human capital and cybersecurity personnel across the
Department understand existing human capital tools, such as direct hire
authority and recruitment incentives; dispel myths; and identify how
these human capital tools can best support cybersecurity talent.
Furthermore, we are working closely with OPM and other DHS component
human resources directors to ensure human resources specialists across
DHS stay on the forefront of any new developments and understand the
full set of recruitment and retention tools at their disposal. For
example, we are building a DHS H.R. Academy with both formal and
informal training as well as rotational and internship opportunities.
The Department rolled out the first Academy course in data analytics in
the fall of 2017, and we anticipate delivering career path guides by
the summer of 2018.
In addition to increased training on all available retention
flexibilities, we are working with human capital leadership across
components on specific retention interventions. In 2017, OCHCO built
upon successful NPPD practices and released a Department-wide retention
incentive plan for cybersecurity employees, which should help
components retain highly skilled talent by financially recognizing the
significant training and certification accomplishments of employees. We
are also exploring ways to increase the use of student loan repayment
and tuition assistance, and with OPM and the rest of the Federal human
resources community, we are considering possible compensation
flexibilities.
Despite current and past efforts, we find that attrition rates for
cybersecurity professionals in some DHS organizations remain much
higher than the rates for other occupations. Our analysis indicates
that work in the field of cybersecurity is increasingly project-based,
and we recognize that the prospect of a decades-long Federal civil
service career may not appeal to cybersecurity professionals. We are
passionate about continuing to explore these retention challenges with
experts in both human capital and cybersecurity across components.
innovate
While we are committed to developing some immediate fixes with DHS
human capital and cybersecurity leadership, our primary cybersecurity
human capital focus is accelerating the implementation of a new
cybersecurity-focused personnel system, which will change the methods,
policies, and process used to recruit, hire, retain, and develop
cybersecurity employees. We believe this will revolutionize how DHS
hires, manages, and retains our best cybersecurity talent.
The Department appreciates that Congress passed the Border Patrol
Agent Pay Reform Act of 2014. Section 3 amended the Homeland Security
Act of 2002 to grant the Secretary the authority to create a
cybersecurity focused personnel system exempt from many of the
restrictions governing the conventional civil service. This authority
allows for a variety of human capital management changes, including
alternative methods for defining jobs, conducting hiring, and
compensating employees.
Department leadership is aware of the time that has elapsed since
the law's passage. We also recognize that implementing such an
authority represents new territory and is a significant personnel
transformation for the Department. Successful design, implementation,
and maintenance of a new Federal personnel system is extremely complex,
and requires highly specialized Federal human capital expertise. The
design and subsequent implementation and execution of such a system all
present unique challenges that require technical knowledge related to
pay setting and administration, labor market analysis, psychometric
research, regulation drafting, change management, etc. Despite these
challenges, we are making progress in implementing such a system.
After Congress granted the Secretary this additional authority, the
Department began an initial research and analysis process that included
benchmarking with other Federal agencies, fact-finding with the
Department of Defense and OPM, and the development of a slate of
possible human capital changes. Since both of us arrived at DHS in
2016, we have redoubled the effort to source specialized talent for the
project, and OCHCO established a dedicated human capital policy team,
which includes a well-experienced, senior advisory cadre. We have
strengthened the Department's collaboration with OPM, and established
regular working meetings between OCHCO, OPM, and the DHS Office of the
General Counsel. In addition, the deputy under secretary for management
reinitiated the Cyber Workforce Coordinating Council, which as
previously mentioned, includes membership from both the component CIO
and human resources communities.
Our teams have completed research on all the major alternative
personnel systems since the 1970's, and by combining leading practices
and many new ideas, have designed a flexible, 21st Century personnel
system tailored to the evolving, project-based field of cybersecurity.
Our conclusion is that the current civil service system cannot
adequately address the cybersecurity talent challenges the Department
faces, and making simple modifications or cosmetic changes to the
current Title 5, will not suffice.
The General Schedule (GS) was created by the Classification Act of
1949, during the Truman administration, but in reality, many of its
foundational principles date back to the Classification Act of 1923.
The Federal workforce is no longer primarily composed of narrowly-
defined, clerical jobs, and we are not using long tables of clerks or a
secretarial pool to combat cybersecurity threats. If we are to attract,
hire, compensate, and retain top cybersecurity talent, we need to
recognize a variety of truths, including:
Jobs are becoming increasingly non-standard and complex;
Employee expectations no longer map to the 30-year Federal
career; and
A highly competitive labor market exists for cybersecurity
talent--of which the Federal Government is only one employer.
To modernize the civil service for cybersecurity work, we need to
revisit some of the foundational theories and structures that underlie
how we have managed Federal human capital for decades, and we need to
update them for the 21st Century. Some key shifts include:
Streamlined, Proactive Hiring
20th Century: Recruitment is focused on posting a
position-specific announcement, praying the right
candidates apply, allowing candidates to self-rate their
skills, and comparing applicants to rigid--often outdated--
occupation-based standards
21st Century: Strategically recruit from a variety of
sources on an on-going basis, and use up-to-date,
cybersecurity-focused standards and validated tools to
screen, assess, and select talent
Market-Sensitive Pay
20th Century: GS pay rules are based on tenure, and apply
regardless of the field of work
21st Century: Increase the focus on an individual's
knowledge, skills, and capabilities and use a pay structure
and compensation procedures that are designed with the
cybersecurity labor market in mind
Flexible, Dynamic Career Paths
20th Century: Temporary assignments and details are
exceptions to the norm, and static career paths limit
advancement to a single occupational series or vertical,
tenure-based career ladder
21st Century: Accommodate dynamic careers with streamlined
movement between the Government and private sector, across
components, and through a variety of permanent/non-
permanent assignments
Development-Focused Performance Management
20th Century: The annual performance assessment is the
main opportunity for award and pay progression, and the
process has become complex and burdened with paperwork
21st Century: Simplify annual performance ratings, and
focus more on continuous, development-focused feedback
about employee contributions and skills increases to inform
adjustments to pay, assignments, etc.
We are working with the deputy under secretary for management, the
assistant secretary for cybersecurity and communications, the CIO, and
the Cyber Workforce Coordinating Council to finalize the personnel
system. The new system will ultimately serve front-line cybersecurity
professionals, so it is critical that all interested parties at the
Department provide input and have a stake in our shared solution. The
Secretary, in coordination with the acting director of OPM, is also
working to prescribe regulations for the administration of the new
system. While we engage in the regulatory process, we are dedicated to
a host of technical human capital analysis, policy development, and
change management activities to ensure that we launch a system that
will be legally defensible, better reflect the needs of high-caliber
cybersecurity talent, and enhance the Department's ability to execute
its mission.
The implementation effort has momentum, but we are seeking to
increase our pace. The cybersecurity threats facing our Nation will not
pause while we evolve the Department's approach to cybersecurity human
capital. We are committed to making our new cybersecurity service
personnel system operational and we would like to increase our
collaboration with Congress, including these subcommittees, to keep you
informed of the progress we make and the obstacles we encounter.
Thank you again for your interest in our Nation's cybersecurity and
your continued support of the Department's cybersecurity
responsibilities and the employees charged with executing them.
Mr. Ratcliffe. Thank you, Ms. Bailey.
The Chair now recognizes Ms. Moss for 5 minutes.
STATEMENT OF RITA MOSS, DIRECTOR, OFFICE OF HUMAN CAPITAL,
NATIONAL PROTECTION AND PROGRAMS DIRECTORIATE, U.S. DEPARTMENT
OF HOMELAND SECURITY
Ms. Moss. Chairman Ratcliffe, Chairman Perry, Ranking
Member Correa, and distinguished Members of the subcommittee,
thank you for the opportunity to appear before you today.
The Department of Homeland Security serves a critical role
in safeguarding and securing cyber space, a core homeland
mission. DHS's National Protection and Programs Directorate,
NPPD leads the Nation's efforts to ensure the security and
resilience of our cyber and physical infrastructure.
I am the human resources director for NPPD, with almost 25
years of leadership experience in Federal human capital. I came
to DHS just over a year ago. In this role I am responsible for
planning, developing, directing, and evaluating NPPD's human
capital strategy and operations.
As a component of DHS, we are very much aligned with the
Department's approach and guidance in effectively recruiting
and retaining cybersecurity talent, which is in high demand in
Government as well as in the private sector and is a key
imperative of the NPPD mission.
NPPD has been working closely with the Department in
developing systems and programs to effectively recruit and
retain cybersecurity talent. We are thoroughly engaged at every
level in the design and development of the new personnel system
for cyber positions.
NPPD is represented at the SES level by our deputy
assistant secretary for cybersecurity and communications who
co-leads the Cybersecurity Workforce Coordinating Council. I
support the council as NPPD's human capital expert.
NPPD cybersecurity managers and employees at the working
level are also engaged in numerous working groups and focus
groups to inform the design and impact of the new system. We
believe that our needs are well-represented and our input is
valued.
In my role as H.R. director for NPPD, I have made data
analytics a priority. As an organization, we cannot figure out
where we are going, what barriers exist or develop effective
solutions without first understanding what is working and what
is not working in our efforts to recruit and retain cyber
talent.
Over the last year, we have invested a lot of energy and
effort in developing our metrics such as stats on internal
movement, location of lag times in hiring, grade distribution,
et cetera, and analyzing our processes. We are now utilizing
that data to determine what gaps exist and develop new
strategies to address them.
NPPD has also been very adept and creative in leveraging
the various authorities granted to us as well as existing OPM
regulations and workplace flexibilities to attract and retain
our talent. We are actively exercising various hiring
authorities such as direct hire, internships, and
noncompetitive hiring, incentive programs such as student loan
repayment, and retention incentives and recruitment strategies
such as social media and on-site interviewing to attract and
retain our cyber work force. We will continue to do so and
provide those insights into the development of the new
personnel system.
I want to conclude my testimony by thanking the committee
for passing the Cybersecurity and Infrastructure Security
Agency Act of 2017. Earlier today, your colleagues in the
Senate took the next step to move this bill forward. If
enacted, this legislation will mature and streamline NPPD.
Importantly, it will rename our organization to clearly reflect
our essential mission.
Establishing our brand under a renamed agency is essential
to our work force, our recruitment efforts and effective
stakeholder engagement. We must ensure that NPPD is
appropriately organized to address cybersecurity threats both
now and in the future.
We appreciate this committee's leadership. Thank you for
your interest in growing and developing the Nation's
cybersecurity work force. I look forward to your questions as
well.
Mr. Ratcliffe. Thank you, Ms. Moss.
We will turn now to questions from the Members. The Chair
now recognizes the gentleman from Virginia, Mr. Garrett for 5
minutes.
Mr. Garrett. Thank you, Mr. Chairman.
I am incredibly frustrated and I have a finite amount of
time and Mr. Wilshusen, I presume I am close to pronouncing
that correctly. You are going to miss the brunt of this because
you are from GAO.
You attended the Naval Academy. You understand the concept
that a leader is responsible for all unit he accomplishes or
fails to accomplish, right? They taught that in the Army
leadership. I am sure the Navy is no different.
Ms. Bailey, you said our enemies will not rest and neither
will we. But as I look at this list of GAO findings, there were
at least 395 nights that we went to bed and rested before we
accomplished items on this list.
So you have people on this committee--Ms. Demings, who has
a carrier in law enforcement, so too Mr. Higgins. Chairman
McCaul, he was a Federal prosecutor. Mr. Perry, he was in the
military. We have an FBI agent. I was in the military and was a
prosecutor and I can darn guarantee you that there were a lot
of nights that we had stuff that we were mandated to do that we
didn't go to bed. That we literally didn't rest because we were
mandated to do it.
So while I look at Public Law 13277, and I look at these
bullets, established procedures to identify and categorize and
cybersecurity positions within 90 days March 2015, 13 months
behind. Identify all positions with cyber functions and
determine specialty areas within 9 months, still incomplete.
Assign 2-digit codes to all cybersecurity positions based on
priority work category within 9 months, incomplete.
Identify cybersecurity--and this is from September 2015,
identify cybersecurity work rules to the critical needs of
Congress, June, 2016, not yet identified. There is one more.
Report critical needs to OPM annually, assigned September 2016.
Not yet addressed.
Now, I got a series of questions for each of you and again
you escaped this. Again, thank you for your service, right? I
know what you do isn't easy, but if our enemies aren't resting
and they are not. I just was fortunate enough to meet with the
foreign ministers from the Baltic States, right--Estonia,
Latvia, Lithuania--who understand something about cyber
attacks.
I have spoken with people from the Ukraine who understand
something about cyber attacks. I understand that there are a
lot of people who really concerned with things like EMP. The
reality is as you all know; a cascading cyber threat could kill
50 percent of the population in this country in 12 months.
I am not making this stuff up. So these are the laws passed
by Congress under the Constitution of the United States and
here are my questions. I am going to give them to you in a
litany and then give each of you time.
What is your level of accountability? What is your fear if
you miss a date that's established by law? What is the worst
thing you think can happen? When was the last time someone was
fired for not accomplishing a task mandated by law?
I am dead serious. I want to know who and what did they
fail to do? Has anyone who is previously responsible for a
legally-mandated task subsequently been promoted after having
failed to accomplish that task in a timely manner?
I am dead serious. Because in the world from which I come
as a prosecutor, as an elected official, and as a soldier, you
get an assignment with a drop-dead date and you do the
assignment. You guys are great. I apologize that my enmity is
attacking you. But we serve the American people. These threats
are not anything to worry about until they happen. So has
anyone who is responsible for one of these tasks that haven't
been accomplished subsequently been promoted, who failed to
accomplish the task and what were they promoted to? Why?
So, again, what is your level of accountability? What is
your greatest fear that could happen possibly if you don't do
something Congress directs you by law to do? Have we promoted
anyone who failed to accomplish these tasks?
What do we intend to do to be more responsive in the
future? I hate to think that it is like being the parent to a
17-year-old who goes, ``Yes, sir, I will do it.'' Then never
does it and giggles behind your back.
Because Congress is supposed to matter and I think in our
hearts we want the same thing. So I got--I am sorry about 45
seconds for each of you.
Thank you for you indulgence. I am not--and again, it is
not a personal attack. But I mean you get it. You all know this
is wrong, 13, 16, 18 months out.
Ms. Bailey. I was scrambling to write down your questions,
sir. So I don't fully----
Mr. Garrett. OK. Well, here is my biggest one. Has anyone
failed to accomplish a legally-mandated task by virtue of
Public Law 13277 been subsequently promoted?
Ms. Bailey. No, sir.
Mr. Garrett. Has anyone ever been fired for failure to make
a time line mandated by law by Congress?
Ms. Bailey. No.
Mr. Garrett. So what is the greatest fear of an individual
who is tasked with these particular responsibilities should
they fail to accomplish that task? What is their fear? I won't
get promoted. In the Army it was I want a good evaluation, so
that I can get promoted ahead of my peers.
What is the fear of someone who goes home one night
thinking, well, I am not going to finish this today knowing
that it is past the deadline?
Ms. Bailey. I think if I could answer it this way. I don't
know that it is fear. I think it is actually just
disappointment that they don't have the ability to perhaps get
everything done in a given day that they try to get it done.
So they have got a lot of competing priorities sitting on
their plate. This is by far one of their most important. But
they have to do that in context of everything else that they
are trying to do at the same time.
So the very same work force that is trying to do the coding
and which by the way we have as of today over 6,000 positions
are coded into 3-digit. I realize that that is not the
substantial progress that you are looking for, but----
Mr. Garrett. I don't want progress. Pardon, I don't try to
be mean to you and I know I am over. I want completion by the
assigned date or you coming to us going here is why we are not
going to finish in time.
Ms. Bailey. Understand, Sir.
Mr. Garrett. Again, I am not trying to beat you guys up.
Ms. Bailey. We have a time----
Mr. Garrett. I know it is not easy.
OK, again, I thank the Chair for his indulgence. But please
take this sense of urgency. This is a bipartisan thing where we
are protecting the same people. We need to be better about
holding you to account and you need to be better about looking
at this timing going, ``Darn, this is hard. We are going to get
it done.''
Because that is what we do in law enforcement, that is what
we do in the military, that is what our teachers do when they
are first year teachers, lesson planning. It is what we owe all
the citizens we serve.
Thank you. Apologize for going over.
Mr. Ratcliffe. The gentleman yields back.
The Chair recognizes the gentleman from California, Mr.
Correa.
Mr. Correa. Thank you, Mr. Chairman.
Just a question to DHS, my colleague stated the issues and
I, we have given you flexibility. We have given you incentives
to hire folks, to get people on-line, to fill these vacancies.
Ms. Bailey, you pointed out there is a lot of--it sounds
like you don't have the resources, individuals that are
supposed to execute just aren't getting around to executing. I
am not going to put words in your mouth, but my question to you
is what other resources do you need to fill these vacancies?
Of course, the other question if you can, there are some
errors I would imagine, errors in coding of some of these
positions. Do we know how many vacancies we actually have?
Ms. Moss. Ms. Bailey, please.
Ms. Moss. In terms of hiring, I looked at our numbers right
before while preparing for this. Over the last 2 years, we have
approximately 1,077--I am sorry, 1,087 cyber positions.
We actually hired over 500 during that time frame. So we
were actually hiring a lot of people throughout the course of
the last few years. We also are suffering attrition along with
the rest of the cyber work force in Government and out of
Government. So although hiring is occurring, attrition is also
occurring. So it is not that we are not hiring individuals. We
are also trying to overcome the deficit----
Mr. Correa. That is a plausible explanation.
Ms. Moss. Yes.
Mr. Correa. So my question is: How do we get you over? How
do we help you get there to make sure that we are fully staffed
in this critical area of Government?
Ms. Moss. I am not certain that any new legislation is
needed. We are implementing, as Ms. Bailey said, new cyber
talent management system I think will give us more
flexibilities. We are also hiring people that are younger
interns that we are growing and developing within the
organization.
So, I think that will help shape our work force. When NPPD
first stood up, the urgency was to hire people that are
competent and skilled. There is a limited number of people that
are competent and skilled in cyber talent. So now, we are
trying to grow people from within by hiring people at lower
grade level----
Mr. Correa. Ms. Moss and Ms. Bailey, I am not going to put
any words in your mouth, but it sounds to me that you are going
through a growth process here.
Ms. Moss. Yes.
Mr. Correa. It is still going to take time to get there?
Ms. Moss. We are growing, yes.
Mr. Correa. It is a critical area and we are still going to
have some problems getting there. What about the issue of
miscoding on some of these positions? Do we actually know how
many positions are vacant? Or is that something that is still a
floating number out there?
Ms. Moss. We actually know how many positions are vacant.
We are in the process now of updating our coding to the 3-digit
code. So, we are training our managers in how to use the new
NICE framework to code their positions so that is under way
currently as we speak.
Mr. Correa. The same question to the GAO, sir. In your
opinion, what can we do to speed up hiring of some of these
folks to see these most important positions that we need to
have filled right away?
Mr. Wilshusen. Well, I think one of the first things is to
identify what your critical needs are to make sure that you are
hiring the right people with the----
Mr. Correa. Prioritizing?
Mr. Wilshusen. Skills that you need. Prioritizing----
Mr. Correa. Can we do that? Or is that----
Mr. Wilshusen. Well, that is one of the things that have
yet to be done----
Mr. Correa. Has failed to be done.
Mr. Wilshusen [continuing]. To identify the specialty areas
of critical need. So, I think that is going to be key, it's
being able to know what type of staff, what type of skillsets
do you need and then go out and try to hire them. Recognize
that is going to be challenging in terms of hiring those types
of individuals because they are in demand, not only across
Federal agencies, but also in the private sector.
So it is going to really be imperative to make sure that we
know exactly what type of individual with the skillsets that we
need in order to accomplish our mission. That is one of the
steps that DHS still needs to do.
Mr. Correa. I would like to look at both of these agencies,
come up with a list of recommendations to what is it that we
need to do to help you get there to finish your job. Again,
this is not a finger pointing, but rather trying to figure out
what the bottlenecks are and trying to move past them.
Mr. Chair, I yield the remainder of my time.
Mr. Ratcliffe. Thank the gentleman.
The Chair now recognizes the gentleman from Pennsylvania,
Mr. Perry.
Mr. Perry. Thanks, Mr. Chairman.
Ms. Bailey, I am looking at some information from the GAO
study here that says that as a requirement of the act of 2014,
you are supposed to--your agency is supposed to assign the 2-
digit employment codes and that as far as I can tell for this,
it is still on-going.
Now, I understand there is subsequent legislation that
requires a 3-digit code. So in light of that, are you still
trying to assign the 2-digit codes or have you abandoned that
and now are moving to the 3-digit code? Or is there a reason to
have both? Or is that----
Ms. Bailey. Yes, sir. So the 3-digit code builds off the 2-
digit code and what it does is it just makes it a further
refinement, I think is the best way to describe this.
Mr. Perry. OK.
Ms. Bailey. So the 2-digit code work has continued, always
will continue. What we are doing is refining that by adding in
the 3-digit code.
Mr. Perry. So when you say--I just want to understand this,
so when you say always will continue, does that mean it will
never be done or----
Ms. Bailey. Correct. Our cyber work force as people move in
and out, as positions move in and out, as our enemy comes up
with new and advanced ways of doing things, we are always going
to be redefining what it is to be cybersecurity.
Mr. Perry. OK. I agree with you and I get that. I figured
that would be your answer. But at some point you have a base of
information and then you are modifying from that to keep up
with the current times, right? I mean----
Ms. Bailey. Correct.
Mr. Perry. So to me, at some point, everything is going to
be assigned to 2- or 3-digit code, everything. Then you are
going to have to change it to keep up.
Ms. Bailey. Right.
Mr. Perry. So my question is when is that going to happen,
because the due date was September 2015 for the 2-digit code.
It is March 2018 right now, so----
Ms. Bailey. Right. We have assigned--we actually, I just
want to clarify something. Although, we have not been provided
I think what you would say formal guidance in everything, we
have been at this since 2011. So we meet in almost a monthly
basis in working with the components to put together the kinds
of guidance that they actually need, which is why Ms. Moss is
able to continue on. They are not sitting around waiting on
formal guidance.
So by April, the end of April, 2018, which is to be next
month, this Department will have all of its cyber positions
coded under the 3-digit code. We have a commitment to do that.
We have talked to both the DAS and the under secretary within
management along with component leadership. Everybody
understands that this is something that we have got to finalize
by April 2018.
Mr. Perry. So we are talking about at the end of April,
because we are talking a month away.
Ms. Bailey. Yes.
Mr. Perry. Less than a month away.
Ms. Bailey. Correct.
Mr. Perry. So you are saying at the end of April this is
not going to be an issue.
Ms. Bailey. At the end of April.
Mr. Perry. At least this component of it.
Ms. Bailey. Correct.
Mr. Perry. Which is, well, I think it is way too long. I
empathize with Mr. Garrett's position because I feel the same
way. It just takes too long. We had a hearing last week
regarding the hiring practices, including for cybersecurity
positions and as it relates to the fitness determination as a
part of the on-boarding process.
What I came away with is that the Department--this is my
impression, for whatever reason has some aversion to the risk
of hiring somebody. If there is anything at all that is
flagged, they just drag their feet.
The contractor can't find out what the problem is. Nobody
knows what the fitness standard is. There is nothing published.
It is amorphous, it changes from position to position. It costs
the American taxpayer a huge amount of money. It puts everybody
further and further behind. The cybersecurity issue is an
issue, believe it or not, I imagine other Members do, I go home
to my district and people ask me about it. They are concerned
about it and then they want to know what they can do and what
is being done. Quite honestly, I don't have a lot of good
answers for them.
So, what I also got out of that hearing is that there is
nothing required legislatively for the Department to change its
procedures and practices. I see absolutely no reason why the
contracting officer needs to be involved in that part of the
process, right?
The contracting officer makes sure that the contract is fit
and the contractor is performing the work as appropriate. He
doesn't need to be involved, he or she doesn't need to be
involved in the hiring process, yet, a would-be contractor has
to go to them to find out what the issue is. Why they can't
hire somebody.
They go to somebody else and then they come back and they
say, ``Well, we can't tell you. And we don't know when it is
going to get better and we can't tell you why.'' Why can't you?
Why can't you--you are the CHCO, right? That's the chief human
capital officer.
Ms. Bailey. Yes.
Mr. Perry. You are the CHCO.
Ms. Bailey. Right.
Mr. Perry. Why can't you just change that and streamline
that? That we put you in charge because you are smart, you are
capable, and you can make decisions. Why is that not happening?
Ms. Bailey. Well, if it is contractors, it doesn't actually
fall under my----
Mr. Perry. But the process, the process of hiring.
Ms. Bailey. Right. So the process of hiring, yes, does fall
under me, but I partner with our chief security officer with
regard to that.
Mr. Perry. OK. Who is in charge, you or the security
officer?
Ms. Bailey. With regard to the security process, it would
be Rich McComb, our chief security officer. But we have
partnered, I will tell you in the 2 years since I have been at
DHS, we have issued reciprocity guidance that has gone out to
everyone.
We are now at the 70 to 80 percent of our cases in which we
can do reciprocity. We actually do it. We have issued guidance
to say that if somebody is not going to be able to pass their
security clearance and you know that, then revoke the offer and
move on to the next----
Mr. Perry. But this is before the clearance, right? This is
before the--this is fitness. These are the fitness standards. I
forget the other one, one is for contractors and one for
employees.
Ms. Bailey. Right.
Mr. Perry. With all due respect, the hearing I had last
week tells me that whatever process you implemented 2 years ago
is not sufficiently working. With all due respect.
Ms. Bailey. OK.
Mr. Perry. So I would invite you to revisit that. I am
happy to have a discussion with you.
Mr. Chairman, I yield.
Mr. Ratcliffe. Chair now recognizes the gentlelady from
Florida, Ms. Demings, for 5 minutes.
Mrs. Demings. Thank you so much, Mr. Chairman.
Thank you to our witnesses for being here. It is a tough
job. But I do share the sense of urgency with my colleagues. It
is an important job. I was in another place this morning
talking about we have enemies in this country who spend every
waking minute trying to figure out how they can defeat our
systems, and so this is an important work.
Ms. Bailey, you indicated that you are not sitting around
waiting for guidance, but I would think that some guidance
would be helpful in terms of recruiting and training and
retaining, preparing our current work force. So could you
please describe for the committee any guidance that has been
developed and dispersed at the Department to assist in
identifying cyber work force needs?
Ms. Bailey. Yes. I mean, what I should have said is the
components weren't sitting around waiting for formal guidance.
But with regard to the guidance, we have actually, in working
with the Human Capital Leadership Council, we have put out
several, at least 15 different pieces of guidance quite frankly
on what are all the hiring authorities that you can use today,
what are some of the best recruiting methods that we can
actually use, how do we go ahead and retain these folks given
the authorities that we currently have in place today, what are
the things that we know that we need to actually implement with
regard to our new personnel system and where we want to go.
So we actually have been holding design sessions with the
subject-matter experts along with the hiring, or the H.R.
specialists to actually make sure that we are identifying what
the specific needs are, because we do know what our critical
needs are. We have over 33 different specialty areas that have
been identified for cybersecurity, which ranges within 40
different occupations.
We are using a 21st-Century NICE framework of coding and
then we have to take that after we code these positions. We
have to turn around and try to recruit, hire, and pay people on
a first part of the 20th-Century system, because the two aren't
actually matched together. So while we have all this good
coding that is going on every hearing, and it is absolutely
critical and it is important, we have to live in the system in
which we have to operate until today.
So when I go out and we try recruit somebody, we have a
question that we ask ourselves all the time. How are you going
to get top talent when in some cases if they have a bachelor's
degree they are only equivalent to a GS-5, which means that I
can only pay them about $3 more than the minimum wage in most
States.
So we are absolutely going to have a recruiting problem
when we have those kinds of pay scales associated with the GS
schedule, which is why we have put a tremendous amount of
effort into designing this new personnel system that we plan to
roll out in the very near future. We have to go through the
regulatory process, make sure that everything is aligned. We
have briefed OMB on it. We have briefed the CIO council at the
White House on it. We brief OPM on it next week. So we are
making significant----
Mrs. Demings. So you are encouraged by the new process that
you hope to roll out very soon.
Ms. Bailey. I am extremely encouraged, because what we have
done, as we have said, we live in a 21st-Century world. We can
no longer just put Band-Aids on a 20th-Century system and call
it a day, because it is not working. So if we are going to do
all this work over here in coding in the 21st-Century codes,
which make absolutely perfect sense, makes no sense to me
whatsoever that we have to turn around and try to recruit,
hire, and retain and pay people in a system that was designed
in the 1940's. So those are some of the things that we are
actually working on together to make sure that we can get
implemented.
Mrs. Demings. Ms. Moss, anything you would like to add to
that statement?
Ms. Moss. I would say in terms of actual operations, that
is certainly true. We have a hard time. We do leverage OPM
flexibilities in terms of recruitment incentives, retention
incentives, but that is a paper process. There are a lot of
hoops to jump through so that elongates our hiring process. So
we have found workarounds, but we are looking for a long-term
solution, which we are going to get with the new system that is
being developed.
Mrs. Demings. OK.
Thank you, Mr. Chairman. I yield back.
Mr. Ratcliffe. I thank the gentlelady.
Chair now recognizes the gentleman from New York, Mr.
Donovan, for 5 minutes.
Mr. Donovan. Thank you, Mr. Chairman.
You answered most of my questions just now, because the
Chairman held a roundtable with some other people from industry
a while back. We had folks from Microsoft, Intel, Facebook,
Google, a couple of other companies. Just to put things in
perspective, you are talking to a guy whose VCR still flashes
12, so I do not understand any of this stuff.
But they told us the difficulty they are having recruiting.
They have 500,000 jobs right now that they cannot fill and I
think in 10 years it will be a million. They are looking to
start trying to get interest in young people into the jobs that
are going to be needed to be filled by industry. I can't even
imagine how difficult it is for you to recruit at the pay
scales.
In some places and many of my colleagues here have served
in the military and military seems to have difficulty, but some
incentives to retain talent in especially special areas that
are needed. Is there a category for like essential services in
our Government that we could get out of the GS classification
ratings and say this is a need that we have to fill? And maybe
we don't follow those protocols.
As you said, Ms. Bailey, that was set up in 1940. Is there
a mechanism in place now for that?
Ms. Bailey. Well, actually Congress gave us--thank you--
gave us that authority to actually write our own rules. So what
we are doing right now is we are completely not just
reinvigorating, we are redesigning and stepping away from the
traditional classification and qualification system, because it
does not work for what we are trying to hire today.
I would tell you, with respect to the military, in fact,
NPPD has over a 50 percent of NPPD's staff in this area are
veterans, so that is remarkable. It is a highly sought-after
source for us to recruit from, is from the veteran population.
But thank you to the Congress we do have the authority now
to go ahead and actually do what you are suggesting, because we
are never going to be able to make the significant progress we
want to make by putting another step on the GS, right, or by
raising something by just one degree. That is never going to
work. You have to re-think.
First of all, the talent we are trying to hire does not
want a 30-year career with the Federal Government. They just
don't. That is OK. So we have to figure out ways to have
legislation, which it wouldn't necessarily take for in the
competitive side. But with our new authority that we have been
given, we are actually baking into that disability for folks to
go in and out of Government without having to be restrained by
time in grade and all the ridiculous rules that folks are under
these days, that really actually is a detraction for them to
actually want to come back into the Government.
We want them to work for us for 3 to 5 years. We want them
to leave and go to the companies that you just mentioned. But
then we want to stay in touch with them and we want to bring
them back, so that we can have this infusion of both private
sector and Federal sector, and that is what our new personnel
system will actually allow us to do.
Mr. Donovan. The other thought I had was possibly if
industry, again, is having their own difficulties in
recruiting. But I do not know if you would call it on a loan
basis or something, but the real talented people whose are
getting paid these very reasonable salaries in the private
sector would be able to come in and work for their Government
as a--I do not want to say a loaner from J.P. Morgan, but a
program where we could take some talent from industry and for
some, whether it is a love of country or whatever incentive we
could give companies to loan us some of their talented people
to help us in some of the things that you are dealing with
might be another idea.
Mr. Chairman, after Ms. Bailey I will yield the remainder
of my time.
Yes, Ms. Bailey, would you comment on that?
Ms. Bailey. I was just going to say that, yes, like the
Loaned Executive Program is something that we use. We also
bring folks into what is called IPA, which is basically
academic talent and stuff. So there are different hiring
authorities that we can use to have an infusion of that talent
come in and we do make use of those, so thank you.
Mr. Donovan. Wonderful. Thank you very much.
I yield the remainder of my time, Mr. Chairman.
Mr. Ratcliffe. I thank the gentleman.
Chair now recognize the gentlelady from Texas, Ms. Sheila
Jackson Lee, for 5 minutes.
Ms. Jackson Lee. I thank the Chairman very much and I
appreciate very much this particular hearing.
I want to thank the full committee, the subcommittee Chair,
and subcommittee Ranking Member and full committee Chair and
full committee Ranking Member on working with me on my zero-day
legislation, which I think is the underpinning of what we are
talking about in terms of having that staff, that experienced
staff to deal with the ultimate events that may happen both in
the public sector and the private sector, and having them be
qualified and having a continuing channeling of staff.
I would like to--staff personnel that are dealing with the
issue of cybersecurity, which some years ago, Mr. Chairman, as
you well know, cybersecurity was under Transportation Security
and Infrastructure. We began looking at where cyber impacts us,
which is everywhere from water systems, sewer systems, the
electric grid and beyond. So I believe that it is important to
take note of a number of statistics that I hope to get a
hearing on particular legislation that I have.
Just like to cite the Bureau of Labor Statistics in 2016
reported that African-Americans comprise only 3 percent of the
information security analysts in the United States yet comprise
13 percent of the population. The numbers at one time, top
computing security salaries, $175,000, $230,000. I think we had
positions in the Government at $88,000. In 2017, the United
States employed nearly 780,000 people in cybersecurity
positions with approximately 350,000 vacancies. In 2017, nearly
65 percent of large U.S. companies had a chief information
security officer, which is good. It is up from 50 percent.
Women hold only 11 percent of cybersecurity positions globally
filling 25 percent of tech jobs and comprising 50 percent of
the population. There is a similar situation with African-
Americans, Hispanics, who account for 5 percent of
cybersecurity positions, African-Americans 7 percent.
Those numbers are simply to look or give us the parameters
of the space that we should be in in our recruiting and
collaboration on the question of providing a pathway for
individuals. So, Mr. Chairman, I am interested in having a
hearing on H.R. 1981, the Cyber Security Education Workforce
Enhancement Act, which I have introduced. But I do want to ask
both Ms. Bailey and Ms. Moss, and I want to thank Mr. Wilshusen
for his product of DHS's needs to take urgent action to
identify its position in critical skills requirements.
So I see that there is a beginning structure that you all
are working on. This legislation penetrates outside of the
immediate need and begins to build a farm team. So recruiting
information, assuring cybersecurity, and providing computer
security professionals, this particular office would be called
the Office of Cyber Security Education Awareness branch
providing grants training and other support for kindergarten
through grade 12, secondary and post-secondary computer
security education programs, guest lecturer programs,
identifying youth training programs, developing programs to
support the underrepresented and working with a number of
organizations that would have outreach to those organizations.
So, Ms. Bailey and Ms. Moss, I would hope that those kinds
of outreach, though you may have them, having them more
established and getting the farm team established, that will
ultimately fit into the scheme of young people coming in from a
diverse background, staying a couple of years and then going
out and coming back in, which I think is an excellent model.
Could you work with that added outreach that my legislation
speaks of?
Ms. Bailey. I will start and then Rita can elaborate on
this a little bit more. So the answer is yes. We actually have
been having these conversations with regard to where do you
start the outreach, where do you actually start the recruiting?
I am of the belief that really we need to start this actually
in elementary school and then we need to build it from there.
The public school systems are actually begging us to help
them establish what the curriculum is that we need for these
folks to be successful, because not everybody is going to be on
a 2- or 4-year college track. Some are going to come straight
out of high school. But when we have a system today that when
you come out of high school, the most that you can probably
make is around minimum wage, it is not going to help them
sustain or actually be able to support their families or
anything else.
If we are going to hire from all segments of society, which
is what our basic merit principle--not suggest--require as part
of the statute, then I think that, to your point, we need to
establish programs and such in which we can actually attract
from all segments of society.
Ms. Jackson Lee. Thank you.
Ms. Moss.
Ms. Bailey. So getting into the schools I think is
important.
Ms. Jackson Lee. Thank you.
Ms. Moss.
Ms. Moss. OK. Yes, cybersecurity education is part of our
mission at NPPD, so we are certainly passionate about that and
we are happy to see that you are passionate about it as well.
In the mean time, one of the things that we have started doing
is looking at the Scholarship For Service, pathway intern
programs to reach out to a more diverse population of students.
So we are using those tools right now to leverage diversity
across our cyber work force.
Ms. Jackson Lee. Thank you.
Mr. Chairman, I am prepared to yield back. I wanted to ask
unanimous consent to put H.R. 1981 in the record.
Mr. Ratcliffe. Without objection.*
---------------------------------------------------------------------------
* The information has been retained in comittee files and is also
available at https://www.congress.gov/115/bills/hr1981/BILLS-
115hr1981ih.pdf.
---------------------------------------------------------------------------
Ms. Jackson Lee. And would further encourage discussions
about hearings on the very points that the two witnesses have
made that expands the opportunity. I just mention coding is
something that can be taught out of high school and they can go
into a very, very productive employment that would have young
people supporting families and being very productive. So I look
forward to it.
I thank the witnesses very much for their testimony. I
yield back.
Mr. Ratcliffe. I thank the gentlelady.
The Chair now recognizes the gentleman from Louisiana, Mr.
Higgins, for 5 minutes.
Mr. Higgins. Thank you, Mr. Chairman.
I thank the Americans before us for testifying today.
Ms. Bailey, thank you for your service. In your written
statement, you identified three priorities, the second of which
was to recruit and retrain, and retain, highly-qualified
employees with capabilities vital to mission success. The
relationship with DHS and your effort to recruit and retain, is
there any mechanism to recruit out of our college campuses?
Ms. Bailey. Oh, absolutely. I mean, that is----
Mr. Higgins. Can you share that with us, please?
Ms. Bailey. So with regard to our college campuses, some of
the things that we make sure that we do is last year alone, we
actually spoke to over 1,300 students at 122 different
universities and colleges across the United States, and that
includes both 2-year and 4-year colleges. So to that extent----
Mr. Higgins. That is encouraging. That is the answer we
anticipated and hoped to hear. It states that DHS has reported
at least 12 of 15 components as having cybersecurity positions.
However, DHS could not provide data to show the actual numbers
of positions in each of these categories in specialty areas.
So how are we, and this means you, how are you connecting
the dots between the jobs that you are discussing with our
students at American universities and connecting the location
of the residents of these young Americans to the jobs that
would be associated in the specialty areas of cybersecurity if
you don't know what those specialty areas are? How are you
having a complete conversation with a young American that is,
say, a sophomore or junior in college and will consider
entering a career with DHS and serving the country in that way?
Might I add that money for a soldier, sailor, airman, or
Marine is not the motivating factor of serving, it is service
to country. I would suggest that service in protecting our
homeland should be reflective of that same patriotic spirit. I
believe these positions can be filled despite the lack of
funding as it is referred to today, and if we can appeal to the
patriotic spirit of young Americans in colleges. These are the
young men and women that are coming out of there which have
21st-Century cyber skills that none of us have.
If you haven't been able to identify the specialty
positions within the various components of DHS, then how are
you having a complete conversation with a young American man or
woman at a college university in Louisiana or Alabama or
Florida or California?
Ms. Bailey. Well, sir, we have identified. We have
identified that we have over 33 specialty areas. We have mapped
them to the NICE framework. What we have not done timely is
coded all those positions into our payroll system and make sure
that we have accounted for them, but we have done that work. We
know exactly what our specialty areas are. We know exactly
where the different--and we have had to map those against the
40 different occupational series, so we know exactly what it is
that we need.
We know where those positions are in every single
component. We know that the top series are things like IT
specialist info, computer forensics, coders, law enforcement.
We have a law enforcement element of this. We have intel
analysts that are part of this and we have management and
program analysts, just to name a few.
Mr. Higgins. That is also an encouraging answer. So you are
helping us here fill in some blanks. Let me just ask. If I am a
student in the IT field at University of Louisiana in
Lafayette, one of the top IT universities in the country, and
there is a component of DHS in my area where I live and I speak
to a recruiter for DHS, can you identify a job for me when I
graduate in 2019 or 2020 that I may want to pursue? Because
from our hearing last week, it takes a year to get hired. So if
I wanted to pursue that job, can you connect me with that job
if I am a student right now at a university in America?
Ms. Bailey. Absolutely. To what Ms. Moss was speaking
about, that is where we use things like the Pathways Program,
which is the internship program. So we can actually hire that
student out of the university as you suggested. We can hire
them today. We can get them trained where they can work for us
over the summers, they can work for us on their spring breaks,
their winter breaks. Then at the end of that, we can what is
called convert them today, convert them full-time into the
position of which we need into that future.
Mr. Higgins. All right. Well, these are encouraging
answers.
I have several other questions. Mr. Chairman, permission to
submit my answers in writing to the witnesses. I yield back.
Mr. Ratcliffe. I thank the gentleman.
Chair now recognizes the gentleman from Rhode Island, Mr.
Langevin, for 5 minutes.
Mr. Langevin. Thank you, Mr. Chairman.
I want to thank all of our witnesses for your testimony
here today on a very important topic.
Ms. Bailey and Ms. Moss, I know that we have touched on the
topic I want to address on work force, but your testimony
describes DHS's initiatives to accelerate recruiting and hiring
for cybersecurity professionals and to retain cyber staff
through financial incentives. Yet, DHS cannot hire its way out
of its work force shortages obviously, nor can it hope to
compete with the private sector on compensation. So what
investment is DHS making to train its work force and to develop
cybersecurity skills in-house?
Ms. Moss. At NPPD, one of the things that we utilize is the
NICE framework to identify certifications that are critical for
the success of the cyber mission. So we incentivize our
employees to get those certifications through retention
incentives. We currently have a number of employees. I would
say a majority of our cybersecurity work force that get
incentives to get certain certifications. So we are very much
encouraging certification and additional training for our cyber
work force.
Ms. Bailey. We then used that, their excellent work that
they did. We actually rolled this out Department-wide because
one of the things we want to make sure of is that within the
cybersecurity community within DHS that we did not have the
haves and the have-nots. So we took the excellent work that
NPPD did and we work with our cyber council with the component
leadership.
To Ms. Moss' point, we actually have identified all the
kinds of certifications whether it is specific ones to a cyber
or it is things like critical thinking, decision making,
teamwork, those kinds of things because they go hand-in-hand
with this. So we made sure that outlined everything that we
expect of our work force, and then we provide that through
their individual development plans and then through tuition
assistance and things like that to ensure that they get the
accreditation that we actually need for them to accomplish
their mission.
Mr. Langevin. OK. Thank you. What about investments is DHS
making into rotational job assignments to develop and retain
cybersecurity staff?
Ms. Bailey. I am sorry, sir. Vocational?
Mr. Langevin. Rotational.
Ms. Bailey. Oh, rotational?
Mr. Langevin. Yes.
Ms. Bailey. Do you know if you are--OK. So for rotational--
we were just conversing here just to see which. Rotational
assignments, actually, what we just started was a joint duty
program, which is an excellent way for us to do these
rotational assignments, to take people even sometimes outside
of their cybersecurity and introduce them maybe to law
enforcement or introduce them to intelligence or human
resources for that matter. Because what we are really trying to
do is create well-rounded professionals that can perform a
variety of functions within DHS.
So we also do have a robust rotational program as well, and
that includes rotations inside DHS and outside DHS. But we are
large enough and our components are diverse enough that we can
really provide folks with a very robust rotational experience
that gives them I think things that would be needed for their
career advancement.
Mr. Langevin. Have you considered expanding those
experiences to include positions in State government, for
example? I know that my State of Rhode Island and other States
around the country are hungry for DHS professionals to come in
and either them to learn from State experience and what are the
challenges they are facing and as well as learning from DHS
staff.
Ms. Bailey. I will take that back, sir. It is an excellent
idea. We just kind of got it going, but I tell you, folks are
extremely excited about this so I would be glad to take that
back.
Mr. Langevin. Thank you.
Go ahead.
Ms. Moss. I am sorry. I would also add. I am surprised Ms.
Bailey did not mention this because we have talked about it
several times. As part of the new cyber personnel system, part
of that will be project management--I am sorry--project-based
assignments, so that is going to be a huge part of the new
cyber personnel system as well as a concept for that program.
Mr. Langevin. Great. Thank you.
Ms. Bailey, I know that many of the Members here including
the Chairman are supporters of the Scholarship For Service
program run by NSF and OPM and the Department. I have certainly
been consistently impressed by the caliber of participants and
alumni in the program that I have met. I must say that the
annual D.C. job fair, in fact, it is one of my favorite events
to attend. How has SFS student helped alleviate the cyber work
force deficit facing the Department?
Ms. Bailey. I am going to let Rita speak to the specifics
because NPPD knocks it out of the park when it comes to SFS. It
is something that go back to whenever I worked even in the
Department of Defense for something that I have been a huge
supporter of. So you are absolutely right, this is high-caliber
folks that we have been able to get in. It is starting to, I
think, chip away especially at the entry level. We are using
this quite significantly.
Ms. Moss. We participated in the virtual job fairs and the
in-person job fairs and have been able to hire on the spot a
number of individuals into this program. We do not have the
long-term results of that yet, but it is very effective in
terms of getting them in and familiarizing them with our
mission and DHS.
Mr. Langevin. Very good. Thank you. I know that when I have
been to those job fairs as you just pointed out, they are
offering jobs on the spot we have had some 75 or 80 Government
departments and agencies there with actual job offers and hired
pretty quickly. So great opportunity for these young people and
we are getting return on investment by having them in the
Government for a period of time, and so part of their payback
for their Scholarship For Service program.
So I have other questions, Mr. Chairman, that I will submit
for the record. But thank you and I will yield back.
Mr. Ratcliffe. I thank the gentleman.
I now recognize myself for 5 minutes.
Mr. Wilshusen, I will start with you. Both the Government
and the private sector used a NICE framework to chart out work
roles so that cybersecurity workers as well as the people
responsible for hiring them can better develop their career
paths in cybersecurity.
Your report, the GAO report, points to misalignments
between what DHS has identified as a skill gap and the
specialty areas in the NICE framework. For instance, the DHS
work role entitled development operations is related to 12
different specialty areas in the NICE framework. So I guess my
question is, since the overarching goal is matching DHS work
roles with the NICE framework and not the other way around,
shouldn't DHS maybe consider changing the categorization of the
specialty areas to reflect that and to simplify the process?
Mr. Wilshusen. Well, the specialty areas are actually part
of the National cybersecurity framework that NICE program and
NIST have set up and that is one that is in use throughout the
entire Federal Government.
What DHS has done is identified I guess the competencies
and proficiency levels as part of its technical capability gaps
in its program. There is, you are correct, between those
competencies a, I guess, a one-to-many relationship. I think
DHS has come up with a mapping, if you will, from our
conversion table from their competencies to the work in
specialty areas of the NICE program.
The reason why I guess the specialty areas are important in
categorizing the positions according to that is the fact that
that is something that provides a common lexicon and something
that can be used throughout the Federal Government as well as
throughout the Department. So that was one of the reasons why
OPM and indeed the law requires agencies to use the specialty
areas identified in the NICE National cybersecurity framework
for identifying their cybersecurity positions.
Mr. Ratcliffe. OK. Thanks for that.
Ms. Bailey, you said something and I want to make sure that
the record is clear, because I thought it was maybe
inconsistent with what I read in this report. So on page No. 8
of the report it says as of November 2017 the Department had
not completed identifying all of its cybersecurity positions
and it had not determined the work categories or specialty
areas of the positions. That is from the report. Did I hear you
testify differently?
Ms. Bailey. We have gone through and we have identified the
33 different specialty areas and used this crosswalk and mapped
things to that. So I think in some ways there is a smidge of a
disagreement here perhaps with how it is being characterized.
So for us, our positions, they are all coded, but we have
identified the positions that we are aware of. We have
identified these positions. I can't even remember the date, but
we had almost 95 percent of the positions that were filled.
You correct me if I am wrong, but I think what part of the
issue here is that we hadn't actually identified our vacant
positions. We had identified our filled positions. So of our
filled positions, we had mapped those to the 33 different
specialty areas, the critical need areas and also then the 40
different occupations. So I just want to be careful in how I am
saying this, that of the positions that we coded and we took
care of, we have mapped all of them against that.
Mr. Ratcliffe. OK. I want to make sure the record is clear.
Ms. Bailey. Yes.
Mr. Ratcliffe. So there is that smidge of a difference
accurately characterized in your opinion, Mr. Wilshusen?
Mr. Wilshusen. I would say there is a couple of things, one
is Ms. Bailey is correct, it is part of the reason why there is
a difference between what was coded in terms of 95 percent
versus 79 percent had to do with the vacant positions that were
not being coded. But at the same time, we are still noting
throughout the time that the number of cybersecurity positions
were also supposed to be identified at a certain time by law.
What we are finding is that these numbers keep increasing.
For example, back in I think it was--let me just get the exact
date here. It was back in I would say it was December 2016 they
had identified about 10,725 cybersecurity positions. More
recently, we saw a draft report where DHS has identified over
14,000 cybersecurity positions. So any part of that could be
the vacancies that are now being recognized but also I think it
is the Department that is also expanding the identification of
these cybersecurity positions throughout the Department.
Mr. Ratcliffe. OK. Thank you.
Ms. Moss, I want to wrap up and ask you a question. You
have had a number of questions from other members about cyber
work force development and how that ties into educational
effort. So I wanted to get on the record, and if someone asked
you this specifically, I did not catch it. But I am interested
to hear how your office works with SECIR, the Stakeholder
Engagement and Cyber Infrastructure Resilience, office in its
education and outreach efforts and how or whether those enhance
the cybersecurity initiatives in your organization.
Ms. Moss. SECIR is heavily involved in the centers for
academic excellence, which is the driver for the Scholarship
For Service program. As I noted before, we are heavily engaged
in the Scholarship For Service and we do a lot of hirings
surrounding Scholarship For Service.
There is one other point. Also with the NICE framework,
they are involved in the development of the NICE framework,
identifying the certifications that are important for the cyber
mission. As I noted, we use those certifications to incentivize
our folks through incentive pay.
Mr. Ratcliffe. Terrific. OK.
Thank you all for being here today. We really appreciate
your testimony. I thank the Members for being here and for
their questions. As you have heard, Members of the committee do
have some additional questions for some of you, so we will ask
them to submit those and ask you to respond to those in
writing. Pursuant to the committee Rule VII(D), the hearing
record will remain open for a period of 10 days and----
Mr. Correa. Mr. Chair, before you--just a couple of
comments, if I may.
Mr. Ratcliffe. You bet.
Mr. Correa. I just wanted to reiterate my question which is
how can we help you get there, how can we help you do your job?
No. 2, hopefully we will have another committee hearing soon to
follow up on how we can help DHS fulfill their mission. Thank
you.
Mr. Ratcliffe. You bet. I think that is a sentiment that
has been expressed by a number of Members, but I appreciate the
gentleman's comments. With that, that will conclude our
hearing. Without objection, the subcommittee stands adjourned.
[Whereupon, at 3:25 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman John Ratcliffe for Gregory C. Wilshusen
Question 1. Across all GAO's recommendations for action, how would
you recommend DHS prioritize accomplishing these recommendations given
the overarching task of addressing critical workforce needs?
Answer. To address its critical cybersecurity workforce needs, DHS
should give top priority to accomplishing the six recommendations in
our February 2018 report on the Department's efforts to identify its
cybersecurity workforce positions and critical needs.\1\ Further, of
the six recommendations, I recommend that the Department first
implement our recommendations to:
---------------------------------------------------------------------------
\1\ GAO, Cybersecurity Workforce: Urgent Need for DHS to Take
Actions to Identify Its Position and Critical Skills Requirements, GAO-
18-175 (February 6, 2018).
---------------------------------------------------------------------------
Collect complete and accurate data from its components on
all filled and vacant cybersecurity positions when it conducts
its cybersecurity identification and coding efforts, and
Develop guidance to assist DHS components in identifying
their cybersecurity work categories and specialty areas of
critical need that align to the National Initiative for
Cybersecurity Education Framework.
Implementing these two recommendations is especially important
because they are essential to helping DHS identify the critical skills
and cybersecurity personnel that the Department will need. Earlier this
month, we sent a letter to Secretary Nielsen highlighting the two
recommendations as priorities for the Department to address.\2\ Beyond
these two recommendations, however, DHS should also implement the other
four recommendations that we made in in the report to bolster its
cybersecurity workforce assessment efforts.
---------------------------------------------------------------------------
\2\ Comptroller General of the United States Gene Dodaro, 2018
Homeland Security Priority Recommendations, letter to the Honorable
Kirstjen Nielsen, Secretary of Homeland Security (Washington, DC: April
3, 2018). This letter is not publicly available.
---------------------------------------------------------------------------
The six recommendations are aligned with the requirements presented
in the Homeland Security Workforce Assessment Act of 2014, which
required DHS to identify, categorize, and code its cybersecurity
positions.\3\ We found that the Department did not complete these
activities by their statutorily-defined due dates, and efforts to do so
are still on-going.
---------------------------------------------------------------------------
\3\ The Homeland Security Cybersecurity Workforce Assessment Act of
2014 was enacted as part of the Border Patrol Agent Pay Reform Act of
2014, Pub. L. No. 113-277, � 4,128 Stat. 2995, 3008-3010 (Dec. 18,
2014), 6 U.S.C. � 146.
---------------------------------------------------------------------------
Without sufficiently completing all of these activities, the
Department will not be positioned to effectively examine its
cybersecurity workforce, identify skill gaps, and improve workforce
planning to address its critical workforce needs. DHS concurred with
each of our recommendations and stated that it plans to complete
actions to address all six of the recommendations by June 29, 2018.
Question 2. GAO's report points to the commitment of DHS leadership
as essential to successfully address the issues and management
weaknesses identified in its audit. What more can DHS do, at the
Secretary level, as well as the CHCO level, to ensure that
implementation of cybersecurity authorities is a Department-wide
priority?
Answer. DHS can take several actions to ensure that the
implementation of cybersecurity authorities is a Department-wide
priority. Specifically, the Secretary can: (1) Communicate the
importance of maximizing the use of its existing hiring authorities and
flexibilities for filling cybersecurity needs; and (2) hold senior
managers and leaders, such as the Chief Human Capital Officer (CHCO),
accountable for fulfilling their responsibilities. Identifying the
individual in each component who is responsible for leading that
component's efforts in identifying and coding cybersecurity positions
as we recommended in our February 2018 report is an important step for
establishing that accountability. By setting the tone at the top, the
Secretary will underscore the imperative of implementing the
Department's cybersecurity authorities.
In addition, consistent with the recommendations in our February
2018 report, the CHCO can: (1) Ensure that the components report
accurate and timely information to leadership so that leadership will
be informed of the extent to which the Department is making progress in
identifying its cybersecurity positions and critical skills
requirements; and (2) provide more guidance to components on the
importance of using the National Initiative for Cybersecurity Education
Cybersecurity Workforce Framework and how the work roles align to DHS's
cybersecurity positions. By taking urgent and diligent action now to
implement the recommendations in our February 2018 report, DHS should
be better positioned to fulfill the requirements of the Homeland
Security Workforce Assessment Act of 2014; accurately identify its
cybersecurity positions and critical needs; and implement its
cybersecurity authorities.
Question From Honorable Ron Estes for Gregory C. Wilshusen
Question. What do continuing hiring issues, like those identified
by GAO's report, say about the overall maturity of DHS as a cohesive
agency, 15 years after the Department's formation?
Answer. DHS's challenges in identifying its cybersecurity workforce
positions and critical skill requirements indicate that the Department
has not matured to the point where its human capital management
functions are fully integrated and cohesive across the Department. As
we reported in February 2018,\4\ DHS did not completely and reliably
identify and assign employment codes for cybersecurity positions
because its processes were manual, undocumented, and resource-
intensive. For example, the Department used manual data calls to
collect information and understand components' coding efforts. In
addition, the Department did not have documented processes to collect
and verify data from its component agencies. Officials in the
Department's Office of the Chief Human Capital Officer stated that the
number of cybersecurity workforce personnel frequently changed, they
could not review workforce data for reliability, as such a review was
resource-intensive.
---------------------------------------------------------------------------
\4\ GA0-18-175.
---------------------------------------------------------------------------
If implemented, the six recommendations that we made to DHS in our
February 2018 report should help address the concerns we noted with
regard to the Department's identification of its cybersecurity
workforce positions and critical skill requirements, and the associated
management weaknesses. DHS concurred with all of our recommendations
and stated that it was working to implement them.
Questions From Chairman John Ratcliffe for the Department of Homeland
Security
Question 1a. One of the key reforms signed into law in 2014 were
expedited hiring authorities for mission-critical cybersecurity
positions that allowed DHS the flexibility to better recruit qualified
cybersecurity personnel. However, those legislatively-mandated
authorities have yet to be used to on-board a single cybersecurity
worker nearly 4 years later.
When do you anticipate these expedited hiring authorities to be
used for the first time?
Answer. DHS leadership and components are pushing to launch the new
personnel system as quickly as possible, with a goal of hiring the
first cadre of employees in 2019. In the Border Patrol Agent Pay Reform
Act of 2014 (Pub. L. No. 113-277), which added a new section (codified
at 6 United States Code (U.S.C.) Sec. 147) to the Homeland Security Act
of 2002, Congress granted the Secretary new cybersecurity-focused human
capital authority. The Secretary's authority allows DHS to create a new
personnel system with alternative methods for defining jobs, conducting
hiring, and compensating employees.
We have taken the time to craft a solution that we believe will
allow the Department to compete in the competitive market for
cybersecurity talent, and will solve our cybersecurity recruitment and
retention challenges for the long term. The Department is grateful to
Congress for this opportunity, and we are excited about the new
personnel system. Due to the complex nature of implementing a new
personnel system in the Federal Government, the Department's
examination of comparable efforts by other Federal agencies has shown
that it generally takes several years to complete.
As the Office of the Chief Human Capital Officer finalizes the
design and prepares new policies and business processes, the Secretary
is working to prescribe required regulation, in coordination with the
Director of the Office of Personnel Management.
Question 1b. Why has it taken so long for the expedited hiring
process to be implemented?
Answer. From a historical perspective, our examination of
comparable efforts by other Federal agencies has shown that
implementing a new Federal personnel system is complex, and can often
take several years. There are a variety of factors that make
implementing a new personnel system, including new processes for
hiring, especially challenging.
First, the talent required to build a new personnel system is
specialized and rare. DHS had to recruit and contract to build a team
of expert industrial and organizational psychologists, Federal human
capital policy experts, certified compensation specialists, economists,
and employment and regulatory attorneys.
Second, DHS is working to update some foundational human resources
concepts dating back to the first half of the 20th Century. Our systems
for defining or classifying jobs, conducting hiring, and administering
pay are based on laws from the 1940's. The Federal workforce has
evolved from being predominantly clerical, and much of the
cybersecurity workforce DHS requires is highly technical, with valuable
senior-level expertise.
In replacing hundreds of pages of human capital regulation and
policy that took decades to develop, and creating a system that looks
to the future, DHS has to be methodical, avoiding the re-creation of
bureaucratic barriers that impede us today. In the conventional civil
service world (governed by title 5 U.S.C. and title 5 of the Code of
Federal Regulations), so much is automatic and mechanical. An agency
hires a person based on a brief assessment against rigid--often
outdated--standards. A fixed table sets their pay, and pay increases
are directly linked to time. As such, the payroll system has been
programmed to automatically execute many pay increases. The
conventional, tenure-based civil service assumes that someone gets
better at doing a job after the passage of time, and will be their best
at the job after 30 years. With cybersecurity and most work today,
years of experience matter, but they are not the sole determinant of
whether someone will be successful. To replace tenure as the main
measurement tool, it is necessary to more thoroughly analyze
candidates' skills prior to hiring them.
Third, DHS must take great care to ensure its new approaches to
hiring and pay setting are fair and consistent. There are Merit System
Principles to be upheld, and a variety of laws and regulations
governing employment in the United States that must be taken into
consideration. For example, the Uniform Guidelines on Employee
Selection Procedures guide compliance of hiring and selection processes
with requirements of Federal law prohibiting employment practices that
discriminate on grounds of race, color, religion, sex, and National
origin. Similarly, Title VII of the Civil Rights Act of 1964 prohibits
employment-related discrimination against any individual because of
race, color, religion, sex, or National origin. Also, the Equal Pay Act
requires that men and women in the same workplace be given equal pay
for equal work, which informs pay policies. In implementing new hiring
and pay processes, DHS must incorporate the requirements of such laws,
which often requires careful study, testing, and the generation of a
variety of official documentation.
Fourth, DHS is trying to learn from the prior human capital
experiments and failures. Many agencies that received similar authority
in the past yielded to the inertia of the conventional civil service
system, and made modest--sometimes cosmetic--changes to their
approaches to hiring, compensation, etc. They have often seen modest
results. There are also several examples of more innovative personnel
systems that, after great investment, were summarily canceled due to
litigation. DHS is focused on learning from these mistakes of the past
so as not to repeat them.
Question 2a. You testified that ``by the end of April 2018, this
Department will have all of its cyber positions coded under the three-
digit code.'' However, GAO noted that the number of identified cyber
positions continues to increase over the years as this identification
process moves along. I am concerned that positions cannot be coded if
they continue to change or increase.
How certain are you that all cyber positions across components have
been identified?
Answer. Cybersecurity workforce planning and analysis--of which
position coding is one element--is an on-going activity. For several
years, DHS has been tracking a core of several thousand positions with
cybersecurity responsibilities, but as definitions have changed and
Government-wide awareness of the criticality of cybersecurity has
increased, the population has fluctuated. In the transition to 3-digit
position codes, components are closely scrutinizing their workforces
and refining past analyses. Our new processes will yield accurate and
current counts, ensure newly-created positions are appropriately coded,
and monitor the accuracy of aggregate and component-level position data
over time.
Question 2b. Will these positions be coded with only 3-digit codes
or both 3-digit and 2-digit codes?
Answer. DHS will only use the 3-digit codes from which data about
2-digit codes can be extrapolated. DHS will code positions using 3-
digit, Work Role codes in accordance with Pub. L. No. 114-113, but will
continue to collect and report data about the Specialty Areas and
Categories (2-digit codes) associated with cybersecurity positions
required by Pub. L. No. 113-246 and Pub. L. No. 113-277 (see response
to 3b).
Question 3a. The GAO report states that ``According to OPM
officials within Employee Services, agencies are not expected to
continue coding to the 2-digit data standard and, instead, are to adopt
the 3-digit data standard and complete coding the 3-digit standard by
April 2018.'' However, in your testimony you said that DHS will
continue to work on 2-digit codes.
Is producing both 2-digit and 3-digit codes a duplication of effort
and efficient use of resources?
Answer. Starting in 2018, DHS will only be coding positions using 3
digits, but we will also be monitoring and reporting data by the 2-
digit coding structure, as required by statute (see response to 3b).
While the Department would welcome Congress' assistance in streamlining
and simplifying its current set of overlapping cybersecurity workforce
planning requirements, which result in largely duplicative work and
multiple oversight reviews, DHS does not expect this 2- versus 3-digit
code issue itself to be problematic. The National Initiative for
Cybersecurity Education (NICE) Workforce Framework has a nested
structure, with Work Roles (3-digit codes) representing the most
granular level. Coding at the Work Role-level should allow for easy
analysis of the necessarily aligned, higher-level Specialty Areas and
Categories of the NICE Framework.
Question 3b. Why is the 2-digit coding effort continuing?
Answer. DHS is in the unique position of managing a series of
cybersecurity workforce planning actions in alignment with three laws:
The Border Patrol Agent Pay Reform Act of 2014 (Pub. L. No. 113-277);
the Cybersecurity Workforce Assessment Act (Pub. L. No. 113-246); and
the Federal Cybersecurity Workforce Assessment Act of 2015 (Pub. L. No.
114-113).
While Pub. L. No. 114-113 requires 3-digit coding by the Work Roles
outlined in the latest version of the NICE Workforce Framework, Pub. L.
Nos. 113-277 and 113-246 both require on-going reporting organized
around the NICE Specialty Areas and Categories, which were the basis
for 2-digit codes.
DHS will code positions using 3-digit, role-based codes, but will
continue to collect and report data about the Specialty Areas and
Categories associated with cybersecurity positions. As mentioned
earlier, it would be more effective and practical if these requirements
were streamlined.
Question 4. GAO reported that DHS components record and track
vacant positions differently, and DHS responded that because of this
issue, OCHCO could therefore not issue Department-wide guidance on
vacant cyber positions. What are the specific changes that your office
is making to standardize guidance so that all components are working
from the same playbook?
Answer. DHS does not have a Department-wide information technology
solution to track vacant positions, but the Office of the Chief Human
Capital Officer (OCHCO) identified this issue as a Human Resources
Information Technology (HRIT) Strategic Improvement Opportunity (SIO).
In addressing this SIO, OCHCO established a process for components to
report standardized position data tables for all vacant and filled
Federal civilian positions.
DHS released revised cybersecurity position coding guidance on
March 19, 2018. The guidance includes instructions for components to
code both vacant and filled cybersecurity positions in the Department's
National Finance Center (NFC) personnel system, but it also requires
components to report filled and vacant cybersecurity positions via the
position data table process. New position coding guidance will ensure
OCHCO has consistent visibility into each component's coding of vacant
cybersecurity positions via NFC and the position data table process.
Question 5a. Describe your interactions with OCHCO in fulfilling
the requirements of Public Law No. 113-277. How has OCHCO helped NPPD
in recruiting and retaining the workforce necessary for NPPD to carry
out its essential cybersecurity mission?
Question 5b. In what ways do you feel that the interactions between
OCHCO and NPPD's Office of Human Capital could be improved?
Answer. OCHCO has shown commitment to NPPD in its effort to recruit
and retain the workforce necessary to carry out our essential
cybersecurity mission. Our teams work closely together, across human
capital and the cybersecurity technical leadership (across the
Department), this includes the chief human capital officer, the chief
information officer (CIO), and the component CIOs on three priorities:
1. Analyze and plan for our complex set of cybersecurity talent
needs;
2. Recruit and retain highly qualified employees with capabilities
vital to mission success; and
3. Innovate by implementing a new 21st Century personnel system to
revolutionize cybersecurity talent management.
Additionally, NPPD CS&C leadership along with the NPPD CHCO are
active members on the DHS Cyber Workforce Coordination Council. As a
collaborative team, we are committed to thoroughly understanding our
workforce requirements and implementing the best possible human capital
solutions to recruit, retain, and manage the cybersecurity talent our
mission demands.
Additionally, OCHCO supports NPPD's use of incentives (e.g.,
retention, recruitment, and student loan repayment) to attract and
retain talent.
We've also leveraged authorities that provide flexibilities in our
hiring, such as the DHS Schedule A cybersecurity hiring authority and
the Government-wide IT (information security) direct hire authority. We
maximize these authorities through open and continuous announcements or
at hiring events. OCHCO has led joint hiring events for the Department
which has assisted NPPD in filling critical cybersecurity roles across
the organization. NPPD works closely together with other DHS human
capital leaders and recruiters across components. NPPD participates in
the OCHCO-led Corporate Recruiting Council, which oversees the creation
and monitoring of targeted recruitment plans for specific DHS mission-
critical occupations, including cybersecurity. As part of a long-term
effort to improve cybersecurity recruiting, the OCHCO staff manages the
cybersecurity pipeline development and outreach activities focused on
2- and 4-year academic institutions, including the National Centers of
Academic Excellence in Cyber Defense and Cyber Operations, National and
local community organizations, and professional associations. NPPD has
leveraged these outreach events; in fiscal years 2016--fiscal year 2017
to date, we've had more than 58 CyberCorps Scholarship for Service
(SFS) students in our program and anticipate hiring more than 70
students for fiscal year 2018. We've also had great success in
leveraging the Pathways Intern Program, the PMF Program, and volunteer
intern programs.
NPPD's Office of Human Capital and OCHCO have a very collaborative
relationship and we are consistently engaged on major DHS initiatives.
Examples of interactions include our involvement in the development of
the competencies to support the DHS Cyber Talent Management System
(CTMS); NPPD subject-matter experts served on panels to develop
competencies for the cyber workforce alongside other cyber SMEs across
DHS. Also, CHCO leadership has conducted a 2-day listening tour at
NPPD, visiting every NPPD subcomponent to be briefed on each of their
missions and human capital challenges. OCHCO has also leveraged the
opportunity to meet with NPPD employees, affording them the opportunity
to have an open dialog.
Questions From Honorable Ron Estes for the Department of Homeland
Security
Question 1. What do continuing hiring issues, like those identified
by GAO's report, say about the overall maturity of DHS as a cohesive
agency, 15 years after the Department's formation?
Answer. The Department continues to mature and identify
opportunities for increased collaboration and coordination among
components. The Department's recruiting and hiring processes have
matured significantly since its inception. DHS improved its time-to-
hire in many of our mission-critical occupations. DHS is committed to
creating a good applicant experience throughout the process from first
point of contact to the final job offer and even through the employee
life cycle. Our recent joint hiring events in cyber, veterans,
students, and women in law enforcement are good examples of the
Department's cohesive approach to hiring, as are our HRIT project,
Human Capital Operational Plan (HCOP), Primary Mission Critical
Occupations (PMCO) charts, Recruitment Outreach and Marketing Matrix
(ROMM), and Strategic Outreach and Recruitment (SOAR) Plan.
Question 2. With data continuing to show shortages of specific
cyber skills and talent gaps in the Department's cybersecurity
workforce, what hiring improvement strategies, programs, and incentives
has OCHCO developed to help recruit and retain highly-skilled
professionals in the Federal workforce?
Answer. While OCHCO focuses on accelerating the implementation of a
new cybersecurity-focused personnel system, the office simultaneously
has looked at ways to improve cybersecurity recruitment and retention
within the current system.
OCHCO developed and released over 15 simplified guidance documents
to help human capital and cybersecurity personnel across the Department
understand existing human capital tools (such as direct hire authority
and recruitment incentives), dispel myths, and identify how these human
capital tools can best support cybersecurity talent. We are also
working closely with OPM and other DHS component human resources
directors to ensure human resources specialists across DHS stay on the
forefront of any new developments and understand the full set of
recruitment and retention tools at their disposal. This effort includes
the new DHS H.R. Academy, which is aimed at training human resources
professionals to improve the human capital support provided to all
critical missions, including cybersecurity.
To address the cyber skills and talent gap challenges, OCHCO
continues to focus its cyber recruitment and hiring efforts in several
targeted areas. The first is increasing the recruitment of GS 5-9
employees. Attracting young professionals requires a targeted
engagement and outreach program with post-secondary academic
institutions as well as K-12. In fiscal years 2017 and 2018, OCHCO
engaged with more than 1,300 students from 122 academic institutions,
which includes 40 Centers of Academic Excellence. Additionally, OCHCO
operates the Corporate Recruiting Council, which ensures cross-
component coordination of recruitment activities and strategy
development for mission-critical occupations, including cybersecurity.
OCHCO also leads an outreach program focused on academic institutions
and associations, including the National Centers of Academic Excellence
in Cyber Defense and Cyber Operations. To improve the pipeline for
talent, OCHCO is focused on providing greater internship offerings
across DHS, including opportunities associated with the CyberCorps�:
Scholarship for Service.
The Department plans to continue engagement with industry partners
in 2018 to meet our human capital needs. The proposed plans include:
Partnering with the Department of Defense to pilot their
cybersecurity skills training program at DHS; and
Engaging with industry stakeholders and science, technology,
engineering, and math organizations to develop a comprehensive
cyber pipeline curriculum for post-secondary and K-12 schools.
With regard to retention, OCHCO collaborated with the Office of the
Chief Information Officer and other components to develop the
Department's Cybersecurity Retention Incentive Plan, which helps
components financially recognize significant training and certification
accomplishments of cybersecurity employees. In addition, OCHCO assists
components in their understanding of retention tools, such as tuition
assistance, and is exploring strategies for encouraging their increased
use across the Department.
Question 3a. I want to ensure that DHS has the proper workforce to
carry out its cybersecurity mission. What is NPPD's biggest
cybersecurity skill gap or critical need?
Question 3b. Would you say that NPPD has the adequate resources,
manpower in particular, to function at the peak of its capability on a
day-to-day basis?
Answer. The National Protection and Programs Directorate (NPPD)
continues to evaluate the needs and requirements of its workforce,
particularly in the face of new and emerging threats. We have reviewed
every position in our workforce, aligning and coding all cybersecurity
positions alongside the National Initiative for Cybersecurity Education
(NICE) Cybersecurity Workforce Framework. Based on the NICE work roles,
NPPD's greatest cyber skill gap/need includes:
Cyber Defense Analyst;
Cyber Forensics Analyst;
Cyber Incident Responder; and
Cyber Operator.
NPPD, like other Federal and private-sector organizations, strives
to recruit and retain qualified cybersecurity personnel. To that end,
NPPD continues to face challenges in quickly hiring qualified employees
to join its cybersecurity workforce. Potential hires must go through a
lengthy clearance and internal suitability process, which delays on-
boarding qualified individuals. Coupled with attrition due to the pay
and fringe benefits for cybersecurity positions in the private sector,
the result is significant competition for high-performing and qualified
employees. NPPD continues to assess its resources, particularly in line
with the authorities it has been granted to execute across the various
cybersecurity mission areas.
[all]