Perhaps their most important resources are the personnel who must distill legislative and regulatory requirements into actionable programs, and then manage and oversee those programs to improve the security postures of their agencies. These personnel are the "boots on the ground" in the federal information security battle space, and they constitute the CISO's best chance of winning the battle against those who wish to do harm to federal information, systems and networks.
The Federal Information Security Management Act, among its various inadequacies, failed to recognize the need to classify and professionalize this workforce. The Office of Personnel Management has apparently embraced FISMA's silence on the matter, and has inexplicably resisted creating a job series for the cybersecurity professional.
We have an assortment of career series - a music specialist is a 1051, broom and brush making is 3511, baking is 7402, and so forth - but none for cybersecurity.
For at least the past decade, OPM has been content to allow federal agencies to use the very general 2210 category for information technology specialists to hire and develop specialized cybersecurity professionals. However, cybersecurity is a field that is changing and growing more rapidly than any other field involving federal employees. For OPM not to create a job series for this specialized and dynamic field is at least an oversight and at most a declaration of bureaucratic indifference.
Over the past year, Congress has taken up its pen in an attempt to reform the FISMA legislation, and just a few weeks ago, the White House contributed its suggestions. The good news is that S.413, the draft Senate bill entitled Cybersecurity and Internet Freedom Act (see Senate Bill Eyes Cybersecurity Reform) charges OPM with developing a cybersecurity workforce strategy within 180 days and with establishing an occupation classification within one year of the bill being passed. But the lingering questions remain: Why is legislation necessary to compel OPM to take action on such an obvious area of need, and why did OPM refuse to take the initiative over the past decade?
The White House, in its May 12 cybersecurity legislative proposal (see White House Unveils Cybersecurity Legislative Agenda), avoided any mention of creating a job series, but noted:
"The recruitment and retention of highly-qualified cybersecurity professionals is extremely competitive, so we need to be sure that the government can recruit and retain these talented individuals. Our legislative proposal will give DHS more flexibility in hiring these individuals. It will also permit the government and private industry to temporarily exchange experts, so that both can learn from each other's expertise."
These are good points, but it is noteworthy that the White House's proposed hiring authorities and related provisions only apply to DHS, and not to the other agencies. The word is that OPM balked, and the White House therefore limited its proposed authorities and provisions to DHS, creating the hopefully unintended consequence of a disastrous talent drain from other agencies to DHS.
How this plays out for the CISO will be interesting to watch. The creation of an actual job series for the cybersecurity professional is an essential tool in the CISO's toolbox, allowing the CISO to recruit, hire, train, develop, promote, advance, retain and adequately compensate professionals with the necessary knowledge, skills and abilities to defend our federal critical information infrastructure. Every federal CISO will welcome this development, and if a talent drain to DHS's more incentivized environment can be prevented, then every federal agency will see an increase in the overall quality of its efforts to improve the security of its own enterprise.
Congress deserves a booming round of applause for its efforts to recognize, classify and professionalize the federal cybersecurity workforce. If a bill can be passed in the near term that enacts the workforce provisions contained in S.413, then the next decade will see far greater professionalization than the last decade with respect to the cybersecurity career field.
The White House deserves a small "golf clap" for at least empowering DHS, but missed an opportunity to extend the provisions across the executive branch. OPM gets a solid thumbs-down for having ignored this important requirement over the past decade, and for forcing Congress to legislate it into action. When the legislation passes, let's hope that OPM can overcome its inexplicable reluctance and produce the right outcome.