[Senate Report 115-385]
[From the U.S. Government Publishing Office]
Calendar No. 671
115th Congress } { Report
SENATE
2nd Session } { 115-385
_______________________________________________________________________
FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM ACT OF 2018
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 3437
TO ESTABLISH A FEDERAL ROTATIONAL CYBER WORKFORCE
PROGRAM FOR THE FEDERAL CYBER WORKFORCE
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
November 26, 2018.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota KAMALA D. HARRIS, California
STEVE DAINES, Montana DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Courtney J. Allen, Deputy Chief Counsel for Governmental Affairs
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Julie G. Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Calendar No. 671
115th Congress } { Report
SENATE
2nd Session } { 115-385
======================================================================
FEDERAL ROTATIONAL CYBER WORKFORCE PROGRAM ACT OF 2018
_______
November 26, 2018.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3437]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3437) to establish
a Federal rotational cyber workforce program for the Federal
cyber workforce, having considered the same, reports favorably
thereon with an amendment (in the nature of a substitute), and
recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and the Need for Legislation..........................2
III. Legislative History..............................................4
IV. Section-by-Section Analysis......................................4
V. Evaluation of Regulatory Impact..................................5
VI. Congressional Budget Office Cost Estimate........................6
VII. Changes in Existing Law Made by the Bill, as Reported............6
I. PURPOSE AND SUMMARY
The purpose of S. 3437 is to create a rotational cyber
workforce program in which Federal employees in cyber workforce
positions can be detailed to another agency to perform cyber
functions. This program will enable Federal cyber workforce
employees to enhance their cyber skills with experience from
executing the cyber missions of other agencies.
II. BACKGROUND AND THE NEED FOR LEGISLATION
Federal cyber workforce management challenges have been on
the High-Risk List of the Government Accountability Office
(GAO) since 2003.\1\ In that report, GAO stated that ``agencies
must have the technical expertise they need to select,
implement, and maintain controls that protect their information
systems. Similarly, the federal government must maximize the
value of its technical staff by sharing expertise and
information. [T]he availability of adequate technical and audit
expertise is a continuing concern to agencies.''\2\ In 2011,
GAO reported that many Federal agencies still experienced
difficulty hiring employees for more technical cyber positions
or for positions that require other more specialized skills.\3\
In its 2017 High-Risk List, GAO reported that ``the federal
government needs to expand its cyber workforce planning and
training efforts. Federal agencies need to enhance efforts for
recruiting and retaining a qualified cybersecurity workforce
and improve cybersecurity workforce planning activities.''\4\
---------------------------------------------------------------------------
\1\ Gov't Accountability Off., GAO-03-121, High-Risk Series:
Protecting Information Systems Supporting the Federal Government and
the Nation's Critical Infrastructures 14-15 (Jan. 2003).
\2\ Id.
\3\ Gov't Accountability Off., GAO-12-8, Cybersecurity Human
Capital: Initiatives Need Better Planning and Coordination 20-22 (Nov.
2011).
\4\ Gov't Accountability Off., GAO-17-317, High-Risk Series:
Progress on Many High-Risk Areas, While Substantial Efforts Needed on
Others 342 (Feb. 2017).
---------------------------------------------------------------------------
The Federal Cybersecurity Workforce Assessment Act of 2015
initiated cyber workforce planning efforts by requiring
agencies to identify cyber positions in the Federal
workforce.\5\ The Office of Personnel Management (OPM), the
agency tasked with managing human resources of the Federal
Government, issued guidance for Federal agencies to identify
their current cyber workforce positions.\6\ OPM's guidance
included a deadline of April 2019 for Federal agencies to
``report their greatest skill shortages; analyze the root cause
of the shortages; and provide action plans, targets and
measures for mitigating the critical skill shortages.''\7\ OPM
stated it would use these agency reports to ``identify common
needs to address from the Governmentwide perspective.''\8\
---------------------------------------------------------------------------
\5\ Federal Cybersecurity Workforce Assessment Act of 2015, Pub. L.
No. 114-113, Sec. 303, 129 Stat. 2242, 2975, 2975-77 (2015).
\6\Memorandum from Mark D. Reinhold, Associate Director, Employee
Services, Off. of Personnel Mgmt., to Human Resource Directors, U.S.
Gov't (Apr. 2, 2018).
\7\ Id.
\8\ Id.
---------------------------------------------------------------------------
On June 23, 2018, the Office of Management and Budget (OMB)
issued a government reorganization plan for the purposes of
improving efficiencies in government operations and realigning
the structure of the Federal Government to effectuate those
improvements.\9\ Included in the reorganization plan is a
proposal to address the cyber workforce shortage in the Federal
Government.\10\ OMB noted:
---------------------------------------------------------------------------
\9\ Off. of Mgmt. and Budget, Exec. Office of the President,
Delivering Government Solutions in the 21st Century: Reform Plan and
Reorganization Recommendations 108 (June 21, 2018), available at
https://www.performance.gov/GovReform/Reform-and-Reorg-Plan-Final.pdf.
\10\ Id.
[E]ach Federal department and agency was responsible
for addressing its own cybersecurity workforce gaps
independently, which has led to disaggregated and
redundant Federal programs. As a result, the Government
lacks a comprehensive, risk-derived understanding of
which cybersecurity skillsets the Federal enterprise
needs to develop and which positions are most critical
to fill.
Moreover, the manner in which departments and
agencies recruit, hire, retain, and compensate
cybersecurity personnel varies by agency. This uneven
approach has created internal competition for talent,
which in turn creates disparities and discontinuities
that degrade agencies' ability to defend networks from
malicious actors and respond to cyber incidents. A
unified approach to attracting and retaining
cybersecurity talent within the Federal Government
would better support the Government's cybersecurity
enterprise.\11\
---------------------------------------------------------------------------
\11\ Id.
The reorganization plan calls for the establishment of a
unified cybersecurity Federal workforce across the
Government.\12\ In order to unify the cybersecurity workforce,
Federal agencies are categorizing and cataloguing their
cybersecurity workforces ``to better understand our current set
of knowledge, skills, abilities, and identify any gaps.''\13\
This inventory of cybersecurity workforce positions will
provide ``Government-wide insight into where [the] most
pressing needs are, and, for the first time, enable the
development of an enterprise-wide approach to the recruitment,
placement, and training of cybersecurity talent.''\14\
---------------------------------------------------------------------------
\12\ Id.
\13\ Id.
\14\ Id at 109.
---------------------------------------------------------------------------
This bill would complement the Federal cyber workforce
initiatives begun under the Federal Cybersecurity Workforce
Assessment Act of 2015 and the OMB reorganization plan by
creating a Federal rotational cyber workforce program in which
cyber personnel can detail to other agencies to help fill
skills gaps for agencies' cyber-related functions. S. 3437
requires Federal agencies to determine which cyber positions
should be eligible for the rotation and report those positions
to OPM. OPM will then distribute a list of positions available
for participation in the program to each agency. It also
requires OPM, the Chief Human Capital Officers Council, and DHS
to develop an operation plan for the Federal rotational cyber
workforce program that establishes the procedures and
requirements for the program, including the employee
application and selection process and agency management of
cyber employees participating in the program.
The bill limits a cyber employee's participation in the
Federal rotational cyber workforce program to a period of 180
days, with the option for a 60-day extension. Once a cyber
employee completes participation in the program, the employee
is required to return to the Federal agency from which he or
she was detailed to serve for a period of time that is equal in
length to the period of the detail.
The Federal rotational cyber workforce program sunsets five
years after the date of enactment of this bill. This bill also
requires GAO to issue a report on the program and any effect
the program has on improving Federal employees' cyber-related
skills or on intra-agency and interagency coordination of cyber
functions and personnel management.
III. LEGISLATIVE HISTORY
S. 3437 was introduced on September 12, 2018, by Senators
Gary Peters (D-MI) and John Hoeven (R-ND). The bill was
referred to the Committee on Homeland Security and Governmental
Affairs on September 12, 2018.
The Committee considered S. 3437 at a business meeting on
September 26, 2018. During the business meeting, Senator Peters
offered a substitute amendment that removed the program's
exemptions from the Federal Service Labor-Management Relations
Statute. The substitute amendment was modified to clarify that
participation in the program is not subject to collective
bargaining. The amendment, as modified, was adopted by voice
vote en bloc with Senators Johnson, Portman, Lankford, Enzi,
Hoeven, McCaskill, Carper, Heitkamp, Peters, Hassan, Harris,
and Jones present.
The legislation, as amended, was passed by voice vote en
bloc with Senators Johnson, Portman, Lankford, Enzi, Hoeven,
McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones
present.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section established the short title of the bill as the
``Federal Rotational Cyber Workforce Program Act of 2018.''
Section 2. Definitions
This section defines the terms ``agency,'' ``Council,''
``cyber workforce position,'' ``Director,'' ``employee,''
``employing agency,'' ``rotational cyber workforce position,''
and ``rotational cyber workforce program.''
Section 3. Rotational cyber workforce positions
This section determines how agencies will select positions
that are eligible for participation in the Federal rotational
cyber workforce program.
Under subsection (a), the head of an agency determines
whether a cyber workforce position is eligible for
participation in the program and submits to the OPM Director a
notice of such determination.
Subsection (b) requires the OPM Director, with assistance
from the Chief Human Capital Officers Council and the
Department of Homeland Security, to develop a list of
rotational cyber workforce positions in the program and
information about each position.
Subsection (c) requires the OPM Director to distribute the
list developed under subsection (b) on an annual basis to each
agency.
Section 4. Rotational cyber workforce program
This section prescribes the development and operation of
the Federal rotational cyber workforce program.
Subsection (a) requires the OPM Director to consult with
the Chief Human Capital Officers Council and the Chief
Information Officer for the Department of Homeland Security and
develop and issue an operation plan for the Federal rotational
cyber workforce program.
Subsection (b) lists requirements for the operation plan
developed in subsection (a). The operation plan must identify
agencies and establish procedures for participation in the
program, such as requirements for training, education, and
career development for participation and any other
prerequisites or other requirements to participate. The
operation plan for the program must also include performance
measures and other accountability measures in order to evaluate
the program. The plan must ensure voluntary participation in
the program and agency approval of any participating employee.
The operation plan must also establish the logistics of
detailing employees between agencies or at other agencies on a
non-reimbursable basis, of managing employees detailed in the
program, and of returning program participants to their
positions in their employing agencies after participating in
the program.
Subsection (c) establishes the process by which employees
are selected to participate in the program. An employee in a
cyber workforce position must seek approval from their agency
to apply for a rotational cyber workforce position included in
the list of eligible program positions developed under
subsection 3(b). When selecting participants for a rotational
cyber workforce position, the agency in which that position is
located must adhere to the merit system principles. The
duration of a detail to a rotational cyber workforce position
under this program is for a period of 180 days to up to 1 year,
with an option to extend this period for up to an additional 60
days. Under this subsection, an employee participating in the
program must enter into a written service agreement with the
employing agency to complete a period of employment after
participating in the program.
Section 5. Reporting by GAO
This section requires GAO to assess and report on the
operation of the Federal rotational cyber workforce program and
any effect the program has on improving employees' cyber-
related skills or on intra-agency and interagency coordination
of cyber functions and personnel management.
Section 6. Sunset
Under this section, the Federal rotational cyber workforce
program terminates five years after the date of enactment of
this bill.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 26, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 3437, the Federal
Rotational Cyber Workforce Program Act of 2018.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Matthew
Pickford.
Sincerely,
Keith Hall,
Director.
Enclosure.
S. 3437--Federal Rotational Cyber Workforce Program Act of 2018
S. 3437 would direct the Office of Personnel Management to
create policies and procedures to allow federal cybersecurity
professionals to temporarily move from one agency to another
for up to one year. The authority would expire in five years.
CBO estimates that implementing S. 3437 would cost less than
$500,000 annually over the 2019-2023 period for new
regulations, additional staff training, and administrative
expenses. Any spending would be subject to the availability of
appropriated funds.
Enacting S. 3437 could affect direct spending by some
agencies (such as the Tennessee Valley Authority) because they
are authorized to use receipts from the sale of goods, fees,
and other collections to cover their operating costs;
therefore, pay-as-you-go procedures apply. Because most of
those agencies can make adjustments to the amounts collected,
CBO estimates that any net changes in direct spending by those
agencies would not be significant. Enacting the bill would not
affect revenues.
CBO estimates that enacting S. 3437 would not significantly
increase net direct spending or on-budget deficits in any of
the four consecutive 10-year periods beginning in 2029.
S. 3437 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is Matthew
Pickford. The estimate was reviewed by H. Samuel Papenfuss,
Deputy Assistant Director for Budget Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
Because S. 3437 would not repeal or amend any provision of
current law, it would make no changes in existing law within
the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI
of the Standing Rules of the Senate.
[all]