Solarium successor wants the White House to lead on cyber workforce strategy

National Cyber Director Chris Inglis speaks at the  Council of Foreign Relations on April 20, 2022.

National Cyber Director Chris Inglis speaks at the Council of Foreign Relations on April 20, 2022. Drew Angerer/Getty Images

One recommendation: establish cyber excepted service authorities, like the Department of Homeland Security's newly launched cyber hiring initiative, government-wide.

An expert panel is calling on the White House-based Office of the National Cyber Director to steer a governmentwide cybersecurity workforce strategy to address long-standing workforce shortages.

The report, issued Thursday, comes from an offshoot of the congressionally chartered Cyberspace Solarium Commission called CSC 2.0, housed at the nonprofit Foundation for the Defense of Democracies. 

It's a "blueprint to help address the problem," CSC 2.0 co-chair, Rep.Mike Gallagher (R-Wis.), told FCW.

The panel wants National Cyber Director Chris Inglis to use his position to review agencies' cyber budgets, revamp hiring mechanisms across the government and potentially even work with Congress to establish expected service authorities for cyber personnel across the government.

"I think we should be concerned about the jobs that have cyber [or] IT in them that go unfilled," said Inglis, himself a member of the original Solarium Commission, during a Thursday panel discussion held by the Foundation for the Defense of Democracies. 

His role, he continued, is making sure that authorities and resources are aligned across the government.

"We have to make sure we first have a strategy that defines what's missing," Inglis said. "We then have to make use of all the parts that are already there and connect them to that strategy."

There are nearly 600,000 cyber job openings nationwide, and for the government alone, there are almost 39,000 job openings, according to the National Institute of Standards and Technology-based CyberSeek.

Currently, the government's strategy is ad hoc. Federal hiring practices are onerous, and degree and level of experience requirements for jobs often block out entry-level hires. The government's existing cyber workforce is also less diverse than the rest of the federal workforce.

As with another cyber workforce report issued this year by a different expert panel at the National Academy of Public Administration (NAPA), the latest recommendations call on Inglis to coordinate existing, disparate efforts with new leadership and coordination structures.

One key focus is chronic problems with actually hiring cyber workers into government using antiquated and bulky processes.

"We all know how many jobs we'd like to fill, but there aren't any vehicles, or many vehicles, that essentially would take that aspiration and meaningfully assist people" to be hired into government jobs, said Inglis, continuing to point to qualification requirements and saying that the government needs to be more flexible and invest in early career hires. "People who show up today at the front door of a government organization with a bachelor of science in computer science, but no experience in hand, typically are turned away," he said.

The report's authors recommend various fixes, such as working with the Office of Personnel Management to modernize cybersecurity job codes or expand existing direct hire authorities. 

The preference is a third option, though, something report co-author and CSC 2.0 director, Mark Montgomery, called the "Rosetta Stone."

That recommendation is that Inglis push Congress to authorize governmentwide excepted service authorities for cyber personnel, a category distinct from the competitive service -- the majority of rank-and-file feds, governed by particular civil service rules for hiring, firing and pay -- or the administrators of the senior executive service.

The report references the Department of Homeland Security's Cybersecurity Talent Management System, an excepted service system for cyber professionals that launched last fall, but has struggled to scale, only onboarding in a few new hires thus far. 

The Department of Defense has similar hiring authorities. 

"In essence, this option would take the authorities that underpin CTMS and CES and expand them to the whole of the federal government," the report states. "This option would maximize the federal government's flexibility in hiring and managing cyber talent, by creating systems built for the cyber workforce."

Such a move would likely face opposition, Montgomery said Thursday.

"This will be tough. There will be people who fight this both in Congress and in federal government organizations. And it's going to cost money, but … no one ever thought fixing federal cybersecurity workforce was going to be a cheap endeavor," he said. "We really do have to come up with a new hiring mechanism."

The recent NAPA report also referenced CTMS, saying that it should be evaluated and, if successful, scaled to other agencies.

The CSC 2.0 also pushes Inglis to use his office's congressional mandate to assess the effectiveness of cyber policies and annual budget proposals from agencies, and the double-hatting of one top official, Chris DeRusha, as the deputy cyber director and federal chief information security officer out of the Office of Management and Budget, to "review and align" agencies' cybersecurity workforce budgets alongside OMB.

Finally, one of the top challenges is data about the government's cyber workforce, which is inconsistent and siloed within agencies, said Montgomery. 

The NAPA study recommended a cybersecurity data bureau, while this latest report calls for Inglis to focus accountability for existing data mandates and for Congress to extend and amend the law governing data collection on the government's cyber workers, the Federal Cybersecurity Workforce Assessment Act of 2015.