The recruitment and retention of skilled personnel for the federal cybersecurity workforce has been an issue for many years. Congress and the Executive Branch have tried to address issues several times. This piecemeal approach may have confused the situation as much as helped it, according to the Congressional Research Service.
The Federation of American Scientists has made available a report from the CRS titled The Federal Cybersecurity Workforce: Background and Congressional Oversight Issues for the Departments of Defense and Homeland Security. The report was released Jan. 8.
The report details the various authorizations for hiring and for exceptions in pay and benefits that have been implemented in the last several years. The authors call attention to the lack of consistency and oversight, while highlighting the progress made thus far.
Three challenges to developing and maintaining the federal cybersecurity workforce are identified in the CRS report.
The first challenge is common to both the public and private sectors. The demand for skilled professionals surpasses the supply. The second challenge is skill gaps in the federal workforce; areas where training in the latest cyber topics is needed. The final challenge is that many federal agencies have failed to address cybersecurity workforce needs as part of their overall strategic workforce planning.
The report notes that DoD and DHS site several reasons for these challenges. They include the length and complexity of the hiring process, the GS pay system and the security clearance process.
Hiring and Pay Flexibilities
Congress has passed three laws that provide flexibility to the DoD and DHS in the hiring of federal cybersecurity employees. The CRS notes that the agencies have been equally “flexible” in defining which positions fall under the provisions of these statutes.
The Office of Personnel Management has made some temporary decisions that allow agencies to move beyond the usual boundaries when hiring and compensating cybersecurity employees. Additional hiring has been authorized and both the job description as well as the occupational series have been identified for these actions. Agencies can move these positions into the excepted service where they are not subject to competitive hiring requirements. The agencies can also set their own pay scales outside the GS schedule, including various methods of additional compensation that are not normally available to federal agencies.
The CRS points to several ongoing issues. All of the additional flexibility seems to be lacking Congressional reporting requirements and oversight. In addition, the agencies involved have no clear picture of how many cybersecurity employees they have or that they may need. Finally, the agencies have no clear policies on the use of flexibilities such as increased compensation and dropping competitive hiring requirements.