House leader presses CISA to help oversee talent acquisition ‘ROTC program’

A top lawmaker on the House Homeland Security Committee plans to file a bill that would give the Cybersecurity and Infrastructure Security Agency a key role in overseeing the nation’s cybersecurity talent pipeline.

Two sources familiar with Speaker Mark Green’s (R-Tenn.) plans said his upcoming cyber employment bill aims to create something like a Reserve Officers’ Training Corps (ROTC) for cyber employment personnel.

A committee aide who was not authorized to speak publicly about the upcoming bill said the bill would create a “skills-based, ROTC-like cyber talent pipeline.” The bill also “leverages CISA as the nation’s federal cybersecurity agency to train, retain, and attract cybersecurity professionals and promote the collective defense of our federal civilian networks,” the aide added.

“We are looking at filling the cybersecurity staffing gap across all federal civilian agencies, and CISA will play a role in that process,” the adviser said.

Another source familiar with Green’s bill said the bill would encourage skills-based cybersecurity education in postsecondary and vocational schools. The source said the planned program is aimed at helping fill vacant cybersecurity positions at federal, state and local government agencies.

CISA’s exact role is still unclear as Green’s team continues to draft the rules. However, CISA falls under the jurisdiction of the Homeland Security Committee, unlike other federal workforce and education agencies like the Office of Personnel Management or the National Science Foundation.

The Green bill program would likely complement the NSF Cybercorps Scholarship-for-Service program, which funds scholarships for students at four-year colleges and universities who agree to work for a federal agency after graduation.

Green has said the workforce bill is his top priority this year. In July, Green and CISA Director Jen Easterly spoke about the cybersecurity workforce shortage during a visit to Vanderbilt University.

“America’s cybersecurity workforce gap poses a significant national security risk—a vulnerability that criminals and our adversaries can exploit,” Green said, according to a Vanderbilt news release. “The public and private sectors must join forces to strengthen our cyber talent pipeline to develop, attract, and retain the skilled professionals needed to protect the critical infrastructure Americans rely on every day.

CyberSeek, a research project funded by the National Institute of Standards and Technology, estimates there are nearly 470,000 open cybersecurity positions nationwide.

Skill-Based Hiring

The workforce gap has been a big topic in cybersecurity policy conversations in recent years. The White House released a national cyberforce and education strategy last year aimed at getting more people into the cyberforce.

“If we don’t address this issue, I’m afraid we won’t be able to meet the policy and procedural challenges that we face without a skilled workforce,” Mark Montgomery, executive director of the Cyberspace Solarium Commission 2.0, said in an interview.

The upcoming bill, which emphasizes “skills-based” training in colleges and vocational schools, is in line with federal and private sector initiatives to focus on skills in hiring, rather than just four-year college degrees and experience.

The White House Office of the National Cybersecurity Director and OPM are leading an effort to change all government IT positions to merit-based hiring by next summer.

“There’s a certain amount of settling that happens with a four-year degree,” Tara Wisniewski, vice president of advocacy, global markets and member engagement at ISC2, said in an interview.

“People are starting to question the return on investment,” Wisniewski added. “People really need to be able to move much faster in cyberspace, and it’s really about continuous learning, as opposed to a degree-level learning scenario. Those kinds of innovative strategies are really starting to emerge.”

CISA Employee Role

While CISA is involved in cybersecurity training and education programs, a potential role overseeing a nationwide workforce would be a significant expansion of the cyber agency’s operations.

Montgomery, however, said CISA already has an obligation to coordinate intergovernmental activities.

“I think they understand the security environment and the technology environment, so they can be well-positioned to identify the types of schools and programs that might best serve future government service,” he said.

Wisniewski said CISA will also be well-positioned to leverage its regional presence to forge partnerships with state and local education systems, as well as local industry.

“If we focus on clusters, is that a way to make the connections that people seem to have trouble making?” she asked.

Developing the cybersecurity workforce has been a largely bipartisan issue in Congress.

Lawmakers earlier this year reintroduced the bipartisan, bicameral Federal Cybersecurity Expansion Act. The bill would create a registered cybersecurity apprenticeship program at CISA, as well as a pilot program at the Department of Veterans Affairs to provide cybersecurity training to veterans.

Earlier this week, the Senate Homeland Security and Governmental Affairs Committee introduced a bill that would require the development of a plan to establish a federal cybersecurity workforce development institute.

But any legislation related to cyberworkforce, including Green’s upcoming bill, faces a tight legislative window this fall amid the presidential election. But Congress has agreed in the past to include cybersecurity legislation in defense authorization bills that must be passed, as well as in budget appropriations.

“If the chairman of a major committee is very interested in an issue, he has a chance,” Montgomery said of Green’s bill.