Bill Would Let DHS Pay Cyber Workers as Much as the Pentagon Pays

Cyber security analysts work in the "watch and warning center" at DHS' cyber defense lab. // Mark J. Terrill/AP File Photo

A Senate committee on Wednesday advanced legislation that would empower the Homeland Security Department to pay DHS cyber recruits as much as Pentagon computer security professionals. There is a shortage of skilled computer security employees at many civilian agencies with heavy cyber responsibilities.

The bill could help DHS compete with the private sector and the U.S. military for scarce talent, say backers in the Homeland Security and Governmental Affairs Committee, which passed the measure by a voice vote. 

But some cybersecurity specialists advising Congress say the bill could be abused to boost information technology hiring that doesn't fill information security staff shortages. 

It has happened before. 

In 2010, then-Homeland Security Department Secretary Janet Napolitano said her department had been granted direct hire authority to add 1,000 new cyber professionals over three years so it could compete with the Defense Department. However, DHS IT managers hijacked that license to hire people without cyber skills for regular IT roles, said Alan Paller, director of research for the SANS Institute.

The Senate bill "included no controls that would stop a repeat of the misuse of hiring authorities," Paller told Nextgov on Wednesday.

An eligible position, according to the legislative text, would be one that "performs, manages, or supervises functions that execute the responsibilities of the department relating to cybersecurity."

Under current law, Defense can make direct appointments for cyber positions, set rates of basic pay, and provide additional compensation, benefits, incentives, and allowances. Committee members say those authorities give Defense and its National Security Agency an unfair recruiting and retention advantage.

The Senate proposal would provide DHS matching authorities so the department can hire at the same clip and salaries as NSA and other military components, proponents say. 

An amendment agreed to on Wednesday would mandate that Homeland Security follow guidelines by the National Institute of Standards and Technology, called the National Cybersecurity Workforce Framework. The NIST materials include a common vocabulary for cybersecurity work, a uniform classification system for job functions, and specific employment codes.

Paller said the change would not add teeth to the bill. "There is nothing in the framework that enables talent to be assessed," he said.

The bill, however, includes many reporting and transparency requirements, committee members have pointed out.

Within a year of enactment, and every year after for four years, DHS would be required to hand Congress a "detailed report" that discusses the processes for vetting cyber candidates, giving preference to veterans, and measuring results, among other things. 

The department would have to quantify progress under the proposal. It requires an accounting of the number of cyber employees hired for each occupation and pay grade, people placed in particular offices, and employees who leave the department.

Four months after enactment of the bill, DHS would have to give lawmakers an execution plan.

In addition, Homeland Security would have to coordinate with the Office of Personnel Management on regulations to carry out the legislation. 

The Justice Department also is trying to bolster its cyber squads. The department has been granted the ability to fast-track cyber job offers through a "direct hire authority," Justice Chief Information Security Officer Melinda Rogers told Nextgov last week.
