Cyberspace Solarium Commission releases outline for National Cyber Director to strengthen federal cyber workforce

The U.S. Cyberspace Solarium Commission released a blueprint for the National Cyber Director (NCD) to strengthen the federal cyber workforce and recommends actions for Congress to support efforts to grow the workforce. The FY 2021 NDAA established the NCD position and associated office in order to ‘serve as the principal advisor to the President on cybersecurity and policy and strategy,’ to include the personnel and management programs of federal departments and agencies. Congress intended for the NCD to have a leadership role in addressing the cyber workforce challenge.

The outline provides a path forward for the NCD to grow and strengthen the federal cyber workforce and coordinate federal support for national cyber workforce development. The NCD will need legislative support in many cases, so the second section of the memorandum recommends actions Congress can take to support federal efforts to grow the cyber workforce. These actions include extending the Federal Cybersecurity Workforce Data Collection Act, establishing a Federal Cyber Workforce Development Institute, and authorizing a Federal Excepted Cyber Service.

While these recommendations focus on the federal government in the first instance, the federal and national cyber workforces ultimately draw from the same community of professionals, so effective approaches must address both. Accordingly, the third section of this memorandum outlines actions private-sector leaders can take to support the NCD’s priorities and national cyber workforce development. 

For more than a decade, report after report has documented the growing number of unfilled cyber positions, both in the U.S. government and nationwide, offering strategies and recommendations to address the shortfall. Unfortunately, these strategies and recommendations have too often gone ignored. The congressionally mandated Cyberspace Solarium Commission revealed in September 2020 that systemic barriers were stymieing existing workforce development efforts. 

“A lack of centralized leadership, insufficient coordination across the federal government, a nonexistent federal strategy to guide priorities and resources, and ineffective organizational structures all combined to limit the potential of the very programs designed to strengthen and diversify the federal and national cyber workforces,” the Cyberspace Solarium Commission said in its report. 

The outline also said that ensuring cyber jobs are filled with highly competent individuals will not guarantee success in protecting national cybersecurity, but not filling those positions will certainly fail. “The country’s cyber professionals are dedicated and skilled, but there are not enough of them. In the United States, there are almost 600,000 open cybersecurity jobs across the private sector and federal, state, and local governments — a remarkable gap considering that the field currently employs just over a million professionals,” it added. 

A comparable shortfall exists in the government’s online workforce, with nearly 39,000 openings compared to a total employed public-sector cybersecurity workforce of just over 75,000, the Cyberspace Solarium Commission said. “This gap continues to grow despite a decade of studies that identify the same recurrent problems, and despite years of valuable initiatives by dedicated champions for cyber workforce development from the National Institute for Standards and Technology (NIST), the Department of Homeland Security (DHS), the Department of Defense (DoD), the National Science Foundation (NSF), and beyond.” 

Meanwhile, lawmakers and their congressional committees have attempted to prioritize this issue for years, passing laws such as the Cybersecurity Enhancement Act of 2014 and the Federal Cybersecurity Workforce Assessment Act of 2015 (FCWAA). In addition, bills currently under consideration, such as the America COMPETES Act of 2022 and the Federal Cybersecurity Workforce Expansion Act, also contain provisions designed to boost the workforce. Similarly, congressional appropriators continue to demonstrate their ongoing support for development.

Some of the recommendations to help the NCD address the challenges of workforce development for the federal government and coordinate the federal role in nationwide workforce development include establishing a process for ongoing cyber workforce data collection and evaluation, setting up relevant leadership, and coordination structures, and review and align cyber workforce budgets. It also suggested creating a cyber workforce development strategy for the federal government and revamping cyber hiring authorities and pay flexibilities government-wide.

While the Cyberspace Solarium Commission report focuses predominantly on recommendations for the NCD, the executive branch cannot operate without authorization and appropriation from Congress. To support federal cyber workforce development, Congress should amend the Federal Cybersecurity Workforce Assessment Act of 2015 and increase support for the CyberCorps: Scholarship for Service Program. It must also provide incentives to develop entry-level employees into mid-career talent and strive for clarity in roles and responsibilities for cyber workforce development. 

It also called upon Congress to exercise oversight of federal cyber workforce development in each department and agency, establish cyber excepted service authorities government-wide, and expand appropriations for existing efforts in workforce development. 

The Cyberspace Solarium Commission report said that progress on cyber workforce development could not advance in a government silo. The public-sector workforce is a subset of the larger national workforce, so the NCD must be a part of the community of federal departments and agencies working with private-sector partners to address national cyber workforce challenges. Moreover, the NCD’s strategic intent includes working with the private sector to inform and drive initiatives that depend on all parties’ expertise, authorities, and resources. 

The effort makes this a fundamentally two-sided exercise, and so this memo offers the recommendations below for private-sector partners, the report said. The private sector can play an important role by increasing its investment in the cyber workforce and developing shared resources.

Last August, the Cyberspace Solarium Commission released its 2021 implementation report that found that of 82 original recommendations made by the Commission in March last year, about 35 percent have been implemented or are nearing implementation, and an additional approximately 44 percent are on track to implementation. In addition, several recommendations from the Commission’s subsequent white papers are also moving towards implementation.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.