[Senate Report 115-385]
[From the U.S. Government Publishing Office]

Calendar No. 671

115th Congress, 2nd Session
SENATE
Report 115-385

FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM ACT OF 2018

REPORT

of the

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE

to accompany

S. 3437

TO ESTABLISH A FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM FOR THE FEDERAL CYBER WORKFORCE

November 26, 2018.--Ordered to be printed

U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2018

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona
CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio
THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky
HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma
GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming
MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota
KAMALA D. HARRIS, California
STEVE DAINES, Montana
DOUG JONES, Alabama

Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Courtney J. Allen, Deputy Chief Counsel for Governmental Affairs
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Julie G. Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk

Mr. Johnson, from the Committee on Homeland Security and Governmental Affairs, submitted the following

REPORT

[To accompany S. 3437]

[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S.
3437) to establish a Federal rotational cyber workforce program for the Federal cyber workforce, having considered the same, reports favorably thereon with an amendment (in the nature of a substitute), and recommends that the bill, as amended, do pass.

CONTENTS

I. Purpose and Summary
II. Background and the Need for Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

I. PURPOSE AND SUMMARY

The purpose of S. 3437 is to create a rotational cyber workforce program in which Federal employees in cyber workforce positions can be detailed to another agency to perform cyber functions. This program will enable Federal cyber workforce employees to enhance their cyber skills with experience from executing the cyber missions of other agencies.

II. BACKGROUND AND THE NEED FOR LEGISLATION

Federal cyber workforce management challenges have been on the High-Risk List of the Government Accountability Office (GAO) since 2003.\1\ In that report, GAO stated that ``agencies must have the technical expertise they need to select, implement, and maintain controls that protect their information systems. Similarly, the federal government must maximize the value of its technical staff by sharing expertise and information.
[T]he availability of adequate technical and audit expertise is a continuing concern to agencies.''\2\ In 2011, GAO reported that many Federal agencies still experienced difficulty hiring employees for more technical cyber positions or for positions that require other more specialized skills.\3\ In its 2017 High-Risk List, GAO reported that ``the federal government needs to expand its cyber workforce planning and training efforts. Federal agencies need to enhance efforts for recruiting and retaining a qualified cybersecurity workforce and improve cybersecurity workforce planning activities.''\4\

---------------------------------------------------------------------------
\1\ Gov't Accountability Off., GAO-03-121, High-Risk Series: Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures 14-15 (Jan. 2003).
\2\ Id.
\3\ Gov't Accountability Off., GAO-12-8, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination 20-22 (Nov. 2011).
\4\ Gov't Accountability Off., GAO-17-317, High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others 342 (Feb. 2017).
---------------------------------------------------------------------------

The Federal Cybersecurity Workforce Assessment Act of 2015 initiated cyber workforce planning efforts by requiring agencies to identify cyber positions in the Federal workforce.\5\ The Office of Personnel Management (OPM), the agency tasked with managing human resources of the Federal Government, issued guidance for Federal agencies to identify their current cyber workforce positions.\6\ OPM's guidance included a deadline of April 2019 for Federal agencies to ``report their greatest skill shortages; analyze the root cause of the shortages; and provide action plans, targets and measures for mitigating the critical skill shortages.''\7\ OPM stated it would use these agency reports to ``identify common needs to address from the Governmentwide perspective.''\8\

---------------------------------------------------------------------------
\5\ Federal Cybersecurity Workforce Assessment Act of 2015, Pub. L. No. 114-113, Sec. 303, 129 Stat. 2242, 2975, 2975-77 (2015).
\6\ Memorandum from Mark D. Reinhold, Associate Director, Employee Services, Off. of Personnel Mgmt., to Human Resource Directors, U.S. Gov't (Apr. 2, 2018).
\7\ Id.
\8\ Id.
---------------------------------------------------------------------------

On June 23, 2018, the Office of Management and Budget (OMB) issued a government reorganization plan for the purposes of improving efficiencies in government operations and realigning the structure of the Federal Government to effectuate those improvements.\9\ Included in the reorganization plan is a proposal to address the cyber workforce shortage in the Federal Government.\10\ OMB noted:

---------------------------------------------------------------------------
\9\ Off. of Mgmt. and Budget, Exec.
Office of the President, Delivering Government Solutions in the 21st Century: Reform Plan and Reorganization Recommendations 108 (June 21, 2018), available at https://www.performance.gov/GovReform/Reform-and-Reorg-Plan-Final.pdf.
\10\ Id.

[E]ach Federal department and agency was responsible for addressing its own cybersecurity workforce gaps independently, which has led to disaggregated and redundant Federal programs. As a result, the Government lacks a comprehensive, risk-derived understanding of which cybersecurity skillsets the Federal enterprise needs to develop and which positions are most critical to fill. Moreover, the manner in which departments and agencies recruit, hire, retain, and compensate cybersecurity personnel varies by agency. This uneven approach has created internal competition for talent, which in turn creates disparities and discontinuities that degrade agencies' ability to defend networks from malicious actors and respond to cyber incidents. A unified approach to attracting and retaining cybersecurity talent within the Federal Government would better support the Government's cybersecurity enterprise.\11\

---------------------------------------------------------------------------
\11\ Id.

The reorganization plan calls for the establishment of a unified cybersecurity Federal workforce across the Government.\12\ In order to unify the cybersecurity workforce, Federal agencies are categorizing and cataloguing their cybersecurity workforces ``to better understand our current set of knowledge, skills, abilities, and identify any gaps.''\13\ This inventory of cybersecurity workforce positions will provide ``Government-wide insight into where [the] most pressing needs are, and, for the first time, enable the development of an enterprise-wide approach to the recruitment, placement, and training of cybersecurity talent.''\14\

---------------------------------------------------------------------------
\12\ Id.
\13\ Id.
\14\ Id. at 109.
---------------------------------------------------------------------------

This bill would complement the Federal cyber workforce initiatives begun under the Federal Cybersecurity Workforce Assessment Act of 2015 and the OMB reorganization plan by creating a Federal rotational cyber workforce program in which cyber personnel can detail to other agencies to help fill skills gaps for agencies' cyber-related functions.

S. 3437 requires Federal agencies to determine which cyber positions should be eligible for the rotation and report those positions to OPM. OPM will then distribute a list of positions available for participation in the program to each agency. It also requires OPM, the Chief Human Capital Officers Council, and DHS to develop an operation plan for the Federal rotational cyber workforce program that establishes the procedures and requirements for the program, including the employee application and selection process and agency management of cyber employees participating in the program.

The bill limits a cyber employee's participation in the Federal rotational cyber workforce program to a period of 180 days, with the option for a 60-day extension. Once a cyber employee completes participation in the program, the employee is required to return to the Federal agency from which he or she was detailed to serve for a period of time that is equal in length to the period of the detail. The Federal rotational cyber workforce program sunsets five years after the date of enactment of this bill. This bill also requires GAO to issue a report on the program and any effect the program has on improving Federal employees' cyber-related skills or on intra-agency and interagency coordination of cyber functions and personnel management.

III. LEGISLATIVE HISTORY

S. 3437 was introduced on September 12, 2018, by Senators Gary Peters (D-MI) and John Hoeven (R-ND). The bill was referred to the Committee on Homeland Security and Governmental Affairs on September 12, 2018.
The Committee considered S. 3437 at a business meeting on September 26, 2018. During the business meeting, Senator Peters offered a substitute amendment that removed the program's exemptions from the Federal Service Labor-Management Relations Statute. The substitute amendment was modified to clarify that participation in the program is not subject to collective bargaining. The amendment, as modified, was adopted by voice vote en bloc with Senators Johnson, Portman, Lankford, Enzi, Hoeven, McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones present. The legislation, as amended, was passed by voice vote en bloc with Senators Johnson, Portman, Lankford, Enzi, Hoeven, McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones present.

IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

This section establishes the short title of the bill as the ``Federal Rotational Cyber Workforce Program Act of 2018.''

Section 2. Definitions

This section defines the terms ``agency,'' ``Council,'' ``cyber workforce position,'' ``Director,'' ``employee,'' ``employing agency,'' ``rotational cyber workforce position,'' and ``rotational cyber workforce program.''

Section 3. Rotational cyber workforce positions

This section determines how agencies will select positions that are eligible for participation in the Federal rotational cyber workforce program.

Under subsection (a), the head of an agency determines whether a cyber workforce position is eligible for participation in the program and submits to the OPM Director a notice of such determination.

Subsection (b) requires the OPM Director, with assistance from the Chief Human Capital Officers Council and the Department of Homeland Security, to develop a list of rotational cyber workforce positions in the program and information about each position.

Subsection (c) requires the OPM Director to distribute the list developed under subsection (b) on an annual basis to each agency.

Section 4. Rotational cyber workforce program

This section prescribes the development and operation of the Federal rotational cyber workforce program.

Subsection (a) requires the OPM Director to consult with the Chief Human Capital Officers Council and the Chief Information Officer for the Department of Homeland Security and develop and issue an operation plan for the Federal rotational cyber workforce program.

Subsection (b) lists requirements for the operation plan developed in subsection (a). The operation plan must identify agencies and establish procedures for participation in the program, such as requirements for training, education, and career development for participation and any other prerequisites or other requirements to participate. The operation plan for the program must also include performance measures and other accountability measures in order to evaluate the program. The plan must ensure voluntary participation in the program and agency approval of any participating employee. The operation plan must also establish the logistics of detailing employees between agencies or at other agencies on a non-reimbursable basis, of managing employees detailed in the program, and of returning program participants to their positions in their employing agencies after participating in the program.

Subsection (c) establishes the process by which employees are selected to participate in the program. An employee in a cyber workforce position must seek approval from their agency to apply for a rotational cyber workforce position included in the list of eligible program positions developed under subsection 3(b). When selecting participants for a rotational cyber workforce position, the agency in which that position is located must adhere to the merit system principles. The duration of a detail to a rotational cyber workforce position under this program is for a period of 180 days to up to 1 year, with an option to extend this period for up to an additional 60 days.
Under this subsection, an employee participating in the program must enter into a written service agreement with the employing agency to complete a period of employment after participating in the program.

Section 5. Reporting by GAO

This section requires GAO to assess and report on the operation of the Federal rotational cyber workforce program and any effect the program has on improving employees' cyber-related skills or on intra-agency and interagency coordination of cyber functions and personnel management.

Section 6. Sunset

Under this section, the Federal rotational cyber workforce program terminates five years after the date of enactment of this bill.

V. EVALUATION OF REGULATORY IMPACT

Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments.

VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

U.S. Congress,
Congressional Budget Office,
Washington, DC, October 26, 2018.

Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 3437, the Federal Rotational Cyber Workforce Program Act of 2018.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Matthew Pickford.

Sincerely,
Keith Hall,
Director.

Enclosure.

S. 3437--Federal Rotational Cyber Workforce Program Act of 2018

S.
3437 would direct the Office of Personnel Management to create policies and procedures to allow federal cybersecurity professionals to temporarily move from one agency to another for up to one year. The authority would expire in five years.

CBO estimates that implementing S. 3437 would cost less than $500,000 annually over the 2019-2023 period for new regulations, additional staff training, and administrative expenses. Any spending would be subject to the availability of appropriated funds.

Enacting S. 3437 could affect direct spending by some agencies (such as the Tennessee Valley Authority) because they are authorized to use receipts from the sale of goods, fees, and other collections to cover their operating costs; therefore, pay-as-you-go procedures apply. Because most of those agencies can make adjustments to the amounts collected, CBO estimates that any net changes in direct spending by those agencies would not be significant. Enacting the bill would not affect revenues.

CBO estimates that enacting S. 3437 would not significantly increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.

S. 3437 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.

The CBO staff contact for this estimate is Matthew Pickford. The estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

Because S. 3437 would not repeal or amend any provision of current law, it would make no changes in existing law within the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI of the Standing Rules of the Senate.