Leslie Weinstein interviews Wistar “Star” Hardison, Defense Cyber Workforce Governance Program Manager/Workforce Innovation Directorate about the critical topic of workforce development across the DIB and particularly the cybersecurity workforce. How is DoD looking to address current employment gaps and what do we need to do to ensure the proper cyber understanding across the workforce?

Leslie Weinstein (00:18):

Thank you for joining me and sharing your expertise. Can you tell us your name, your title, where you work, and maybe introduce a little bit about what we’re here to talk about today?

Star Hardison

Great, thank you, Leslie. So I’m Star Hardison. I’m with the Department of Defense Chief Information Office. I’ll say DOD CIO from now on because it’s a lot to say. I specifically work in the Workforce Innovation Directorate, and within that directorate I am the governance and policy chief. So, I get to do the interesting work of writing the workforce policy, the cyber workforce policy, and then other areas, interactions with Congress, GAO, the DOD Inspector General, just to name a few. So it’s a very interesting niche that I’m in. But it’s very impactful while it’s niche, the cyber workforce specifically has been a struggle, not just for DOD, but for every federal agency and I think for commercial companies too.

Leslie Weinstein (01:26):

I know that DOD published the DOD Cyber Workforce Strategy earlier this year. Can you tell us a little bit about that and what the goals of that strategy are and how it maybe influences some of the work you are doing into the policy area?

Star Hardison

Right. So it was time to reinvigorate that document, and so the cyber workforce strategy we published in February/March timeframe of this year, we’re very proud of this document. And it lays out our goals are under four pillars in order to be able to identify, recruit, retain, and develop the best cyber workforce that we can in order to meet the mission of the department. The point of the strategy – it lasts from this year all the way through 2027 – is just to lay out some clear goals and give us some guardrails and some guidelines of what actions we want to get after and achieve to help best develop that workforce, support that workforce, and ensure that we’re recruiting great talent and keeping great talent.

(02:36):

It also has a wonderful implementation plan that goes with it, a complementary piece that was just released in August. And so as you know from your time in uniform, you’ll see strategic plans released and they become these wonderful documents and sometimes they don’t actually get implemented, they don’t get executed. So we added this implementation plan to go with it in order to, no kidding, outline what are all the actions that we want to take? Assign some clear offices of primary and coordinating responsibility to get after this. We have broad support from across the department. We have the other principal assistants that are on board with this, the undersecretary of defense for personnel and readiness. We have the military services that have said, yes, we’re all in and we’re ready to do what we can in order to support our cyber workforce. So I think the last number I set, I saw the last number that I saw with respect to vacancies across the department is approaching approximately 30,000 in the cyber workforce.

(04:02):

So when you see a number like that, you say, we’ve got to do something. And so having this strategy, having this implementation plan and then having this broad support across the department means that we can hopefully chip away at what that vacancy looks like and get us back to a number that’s smaller, that’s much smaller. It should be smaller, so that we’re able to do the mission that we’ve been charged to do.

Leslie Weinstein

Wow. 30,000. And that seems on par with everyone else in the world struggling to find that cyber talent. So before talking about 8140 and the current initiatives, let’s talk briefly about 8570 and what that was supposed to get after and how DOD has now moved to 8140. We can walk through that transition because I’ve not heard in circles, people talking about the impact of 8140.

(05:06):

I think maybe it’s been talked about for so long, maybe a decade at this point. People either forgot that it was happening or now that it’s out, don’t think there’s a change. So can you talk about what 8570 was and then maybe introduce 8140 and we can talk about how 8140 is different from 8570?

Star Hardison

Sure, sure, sure. So 8570 is an oldie but goodie, I want to say it was released in approximately 2005. I think I was still in the Navy then. I think I was just a very junior lieutenant commander back then. And I remember it because I was in the Navy’s CIO office at the time and had the opportunity to implement it from that perspective. So 8570, its title was the Information Assurance Workforce Improvement Program, and it was a manual and it gave the department direction on how to ensure our information assurance workforce was qualified to do the work that they were assigned to do.

(06:15):

So it was two broad categories. We had managers and technicians and at various levels within those categories, levels one, two, and three, level one being entry level and level three being quite experienced. And so we laid that out and required that there be certifications with those different designations. So if you were information assurance technician level one, then you would need to have a certain certification, a civilian certification in order to be qualified to do the work that you were assigned to. And so those were certifications like A+ and Security+ and Network+ and CCNA and so forth. And not to give any favoritism to any one vendor, but those certifications were required in order to be in those positions. And doing that work is a requirement for military, it was for civilian and for contractors. And so within a certain period of time of encumbering a position, if you didn’t hold that certification, you were required to get it, but it very narrowly focused on the information assurance workforce.

(07:34):

And so now you fast forward to 8140 manual, which is broadly focused on the entire cyber workforce. And that’s evolved over time. That’s 18 years between the release of these two different documents. And so the focus there is still on some sort of a qualification, but on a broader set of the workforce. So it’s the cyber IT, cyber effects, cyber intelligence, AI and cloud and software engineering. I think I got all of those. And with that, there’s a requirement still to have some sort of a credentialing, and I’ll say that word or qualification is probably the better word, but the qualification isn’t so much hinged on you have to have this one certification and you have to go to this one vendor. We’ve given the department broad flexibility now. So if you have been trained in it and can show that you can do the work, then you can be qualified. If you have education, you’ve gone to a college, you can be qualified.

(08:52):

If you have the certification, that’s still valid too. You could be qualified. And if you have just the straight out experience, say you’re the person that gets behind the computer and YouTube videos their way through everything and knows how to do the work and can show they can do the work, then you’re qualified, too. So the main difference is 8570 was very much focused on the information assurance workforce, 8140 more broadly on the entire cyber workforce, while giving more flexibility on how you can get that level of qualification to do the work.

Leslie Weinstein

And that is a great segue into the DCWF, the framework that outlines all of the work roles that you are talking about, these IT professionals or the effects or the intelligence. So can you talk us through what the DCWF is and how it relates to 8140?

Star Hardison (09:59):

Sure. So in order to be qualified in all of these different positions somewhere, somehow it has to be written down. And we wrote those qualifications, those knowledge, skills, abilities and tasks in the defense cyber workforce framework. And so there’s a coding schema, and I believe there’s about just over 70 cyber workforce codes now that you could be qualified to, every person can have up to three cyber workforce codes assigned to them. And again, you have to be knowledgeable and capable to do the work in those work role codes. So again, they’re categorized into those different areas that I mentioned before, cyber IT, cybersecurity, cyber effects, intel, data, AI and software engineering. And so I have one of them in front of me. So as an example, let’s say you’re an ISSM, an information systems security manager. The work role code with that is number 722.

(11:09):

And so if you go to our defense cyber workforce framework, you can look up what the knowledge, skills, and abilities are for that, and then how you can be qualified in that area with respect to education training and work experience.

Leslie Weinstein:

How can from a contractor perspective, because contractors have to be qualified on the first day of the contract, and since this is new, there’s no precedent for what’s acceptable. How do contractors specifically demonstrate their qualification against this matrix of qualification requirements?

Star Hardison:

There’s a few things. First, I’ll back up with respect to 8140, there’s a grace period. We knew that we couldn’t release 8140 on day one and say, okay, everybody be qualified. So with respect to the cybersecurity side of the house, there’s a two year phase in transition time. So about early 2025 is when folks will first need to be qualified in that area.

(12:14):

And then for the rest of the elements of the DCWF, there’s a three year phase in period. So we realized folks are just going to need time to A, digest it and B, figure out the best way for their organizations to get at that. So back to your question, with respect to contractors. So there’s a few things we need to still do to help our industry partners be ready. One of the things is there’s an acquisition regulation that we’re in the process of modifying. So right now it reads all things 8570. And so right now I can’t hold industry accountable to 8140 standard tip because the acquisition regulation doesn’t outline that just yet. So we’re working on that right now to ensure that all that 8140 language is included in the acquisition regulations. And then once that’s in place, then we’ll be able to have our industry partners be accountable to that.

(13:19):

So we’re going to rely on each company to be able to say, if we need an ISSM and they’re a contractor, we’re going to rely on them to see what the knowledge, skills, and abilities and tasks are and look at the credentials and the resume and the ability of that person to be able to say, Hey, yes, this person’s qualified, or no, they’re not. There’s also another piece, and that’s most of the time our contract partners are actually physically working hip to hip with us, which means there’s an opportunity just like for our military and civilian folks to get on the job training the joint qualifications that are usually required when you get into a new position and then to also exhibit that they have the ability to do the work. So there’s that piece that’s also going to work hand in hand with that to ensure we have that fully qualified workforce, whether they be military, civilian or contractor.

(14:21):

Leslie Weinstein:

How do you anticipate this DCWF and aligning to work roles? How will that help you recruit and retain the cyber professionals or the cyber talent that you’re working for these 30,000 vacancies? How is DOD planning to use this 8140 and the DCWF to help with recruiting the right people for those jobs?

Star Hardison:

The great thing about outlining the knowledge, skills and abilities and tasks in one place is it helps us to really describe the position descriptions well as well as do the right job opportunity announcement. In the past, those JOAs, job opportunity announcements, may have been a little vague. We need a 2210 information technology specialist. Well, that could be a lot of things. But to be able to say, I need an information technology specialist that can do knowledge management or can do systems administration or can do whatever that work role looks like, we’re able to get into that level of granularity.

(15:33):

Not only does it help us to really say we understand the work that we are doing, but we’re able to describe it to a potential candidate and so that they can actually look at their own resumes, their own curriculum vitae and say, yeah, I’m actually qualified to do this work. I’m interested in this kind of work.

Leslie Weinstein:

Yeah, I think that’s totally helpful. I am actually using the NCWF, the NICE framework to help with postings at my job to make sure that I’m getting the right people with the right qualifications. So I think that is what would be immensely helpful, making sure that you get the right people and that they’re applying for the job, that they think they’re applying for bait and switch sometimes, or you think you’re getting into one thing and it’s something else.

Star Hardison (16:21):

Let me wiggle into that quick because you brought up something, the NICE framework. So we foundationally are built off of the NICE framework in the Department of Defense, but we’ve taken it a little further because while a NICE framework is meant for the entirety of the federal workforce and for them to be able to describe their cyber workforce, there’s some areas where we’re truly unique that we do certain work roles, certain work elements that just aren’t performed in the rest of the federal government. But the other thing that’s nice about NICE and nice about the DCWF is that if I’m an ISSM within Department of Defense and say I decide to go someplace else within the federal government, I should be pretty qualified to do that work wherever I go within the federal government because we’re all working from that same lexicon, the same standards.

(17:19):

And so we should be pretty interchangeable and plug and play throughout the workforce. Now, while ideally I want to retain every person that comes in the door, so if you’re a great talent, we want to keep you. But at the same time, if there’s an opportunity for somebody to grow and develop in another part of the federal government, they should be able to do that easily and be able to take their work role coding with them and say, I’m already a 722, I can do this work. I did it.

Leslie Weinstein:

Here is very much like what you’re doing here. Very solid point. I totally missed because I’ve been so DOD-centric that I forget that the civilian agencies sometimes have different lingo entirely. So being able to create a lexicon across the entire federal government is incredibly helpful. Do you have an anticipated timeline on the acquisition regulation update? Just to give people something to track for a timeline, because you said that maybe early 2025 for contractors to expect this, but if we could track a regulation that would be not more helpful, but something that we can hang our hat on and say, oh, we’re tracking this, we see that it’s moving along.

Star Hardison:

Yeah, that’s a good question. So that’s a piece that doesn’t move fast, but we are working closely with our partners in the acquisition and sustainment side of the Department of Defense to get that language into regulation.

(18:51):

I don’t think I have a firm date yet. I want to say within the next year because not only do we have to work within DOD, but we also have to work outside of DOD in order to get this into the acquisition regulation. It is not a fast moving train unfortunately. Contractors should not expect to see this language until the DFARS is updated with this requirement. We are working right now on a bit of a crosswalk to say during industry partners 8570 used to say this and parts of 8140 are somewhat similar. And so the pieces that say 8570 are this within 8140. So continue to do these things that look like 8570. And then once we can broaden that to include all of the changes, then we will get that into regulation, but that at least will be the interim fix until we can get the whole thing into regulation.

Leslie Weinstein (20:04):

And what do you think will be the biggest struggle for industry specifically to implement the changes in 8140?

Star Hardison:

I want to say that our industry partners always want to come to the table qualified to do the work. They bid on the work, they take the time to look for and hire employees in order to do that work. And so I don’t see it so much as a struggle for them to find that talent and to bring that to bear. There may be some pieces that are a little more challenging. So it’s not just the information assurance workforce, it’s everybody. But at the same time having a computer science graduate that’s able to be a knowledge manager, that’s not a big leap. And having that education, the certification, the certificates, the apprenticeships even to be able to do that work, I think we’ve made it easier. I’m hoping we’ve made it easier because we did want to provide that level of flexibility not only for our industry partners, but for the entirety of the department.

Leslie Weinstein (21:16):

Correct me if I’m wrong or I feel like DOD was the only federal agency that had this really hard and fast certificate requirement with 8570. I don’t think I saw it at any other agency where you had to have a SEC plus or a CISSP. Other agencies had more flexible qualifications. So is this DOD moving more in line with the other federal agencies?

Star Hardison:

I think it’s us just being responsive to what reality was actually showing us is that if you had –  so I’m a Navy veteran, so if you had a sailor that went to an A school or a C school where they learned a lot of this information in their training in order to be an information technology specialist, to have them go back and take a course that may have been somewhat expensive and then sit for a certification exam seemed redundant and seemed like a waste of their time, I already know this information and let me show you, I can do it.

(22:23):

So it’s allowing for some flexibility rather than the more rigid direction that we had before.

Leslie Weinstein:

Yeah, I think that is a really interesting aspect. I didn’t, I guess, realize until talking to you about this. So I appreciate gaining that understanding that it’s more flexibility instead of adding, because in my mind, when I looked at this potential qualification matrix now for every work role, I was like, oh my goodness, they’re going to have to do seven different things instead of one, but understand it allows more flexibility and qualification. I think that makes a lot of sense. So I think that will definitely help with the 30,000 vacancies that DOD is facing and having to compete for the same talent that large tech companies and other federal agencies compete for there. What other efforts are you working on as the policy person for the cyber workforce? Are there other things that are in the pipeline that you can talk about that are also going to help alleviate this vacancy huge amount of vacancies or other efforts that you’re looking at to help with the cyber workforce?

Star Hardison (23:20):

Right. So 8140 is going to be ever present for us. So definitely the one thing that I do with some regularity is just the continuous look on how we can update and improve that instruction. A piece of DOD CIO that, I don’t want to say broke apart, but we saw that there was a need for a more concentrated effort was with the standup of the chief data and artificial intelligence officer. There’s a lot of pieces that are missing now that they’ve stood up. And so just ensuring that they’re included in all of the policies and that as we’re further defining what is the artificial intelligence workforce, what is the data workforce, what are the work roles that look that are associated with that? Just being a good partner with them and then ensuring that the pieces involved with them are included in our policy.

Leslie Weinstein:

Is there anything else that you want to talk about about any of these topics that we haven’t, like an angle thing or something that we haven’t really addressed or that you think is interesting that people or industry would be interested in?

Star Hardison:

The Department of Defense is very much interested in having the best and brightest in our cyber workforce. And so we look at it from various angles, from kindergarten all the way through the doctorate level. So we’re interested in partnering with academia. We’re interested in partnering with the local kindergarten class. We want to make sure that everybody has broad exposure to the fact that the Department of Defense has a cyber workforce, that that workforce exists in uniform, but it also exists as a civilian, which I find many of my civilian counterparts don’t realize that there’s a civilian piece to the Department of Defense workforce.

(25:43):

And so we’re interested in exposing as many people as we can to what we do and how exciting our missions are, how important our missions are. And we would love to have as many people who are interested in this kind of work come and be with us, whether they come with us for a short period of time as a reservist, whether they come as an industry partner through an exchange program, or whether they come to us through some sort of a pipeline like our cyber scholarship program where they earn a degree through us and then they get employed by us. So we have a large swath and wide variety of programs available to identify, recruit, retain, and develop that workforce.

(26:36):

The department is keenly interested in having that strong defense cyber workforce. And so really thankful for the opportunity to be here today. And thank you for your interest in all that we’re doing.

Leslie Weinstein:

Thank you for sharing all of this. I have some maybe gotcha questions. Do you have a website or a place people can go to find out more specifically about the cyber scholarship? I recall learning about it when I worked in DOD CIO, but I don’t think I’ve ever met anybody who has done it. Where can people go who might be interested in something like that?

Star Hardison:

Right, so if you go out to our cyber.mil website – public.cyber.mil – that’s our website. There’s a link to our cyber scholarship program. It explains what the program is, it explains when the application period opens, and I think we even have a few testimonials out there from students who have applied for and then subsequently been hired, applied for the scholarship, and then have subsequently been hired by the department.

Leslie Weinstein:

Thank you for your time. This has been really helpful and congratulations on becoming a civilian because we were contractors together. That’s great that you’ve become a real boy, as Pinocchio would say.

Lindy Kyzer is the director of content at ClearanceJobs.com. Have a conference, tip, or story idea to share? Email lindy.kyzer@clearancejobs.com.