DHS to Resume Federal Hiring in September to Address Cyber Security Gap
Since taking office, President Joe Biden’s administration has faced an alarming number of cybersecurity breaches, from the supply chain attack through SolarWinds to the cyber espionage campaign exploiting vulnerabilities in Microsoft Exchange Server email software.
A cybersecurity executive order issued in May demands improved IT hygiene in government and requires contractors to report breaches, but an executive order cannot immediately address a labor shortage or speed up notoriously slow federal hiring practices.
Now, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency are poised to push forward a series of policy changes to reduce the time it takes to hire cybersecurity professionals, redefine how the government assesses skills in cybersecurity and facilitate competitive rates of pay.
DHS will need to publish rules for public comment to launch the project, known as the Cybersecurity Talent Management System (CTMS).
This is expected to happen in September, said Travis Hoadley, a senior DHS official responsible for overseeing it, in an interview with FCW. In the regulatory agenda recently released by the Biden administration, CTMS is listed as being in the final rule stage, with “final action” scheduled for September 2021.
But why is the federal government only now bringing online a system built on authorities granted to the administration while Biden was still vice president?
“We need to deploy a fairly large human capital system, completely removing the existing general calendar that we have been using” for decades, Brandon Wales, the acting chief of CISA, told lawmakers. “It took a large-scale rulemaking effort that is now ending. It took longer than anyone wanted, but it looks like we’re about to bring the program online and that we are ready to use it.”
DHS’s FY2022 budget justification documents indicate that the agency has set a goal of hiring 150 cybersecurity professionals in FY2021 and another 150 in FY2022. (The budget documents also show traces of the system’s long delay: one chart noted CTMS was expected to recruit 109 people in fiscal year 2020. The actual number of hires made that year: zero.)
The agency is currently determining which skills and hires it will prioritize once the system, which DHS considers “in the category of a civil service reform pilot,” comes online, Hoadley said. DHS expects the first hires to be onboarded by the end of this calendar year.
All of this is happening in an extremely tight labor market.
CyberSeek is a database supported by the Department of Commerce and the National Institute of Standards and Technology. According to the latest data from the project, there were around 36,000 public sector cybersecurity job openings between April 2020 and March 2021. For comparison, CyberSeek also estimated that around 60,000 workers held cybersecurity positions in the public sector during the same period.
Laying the Groundwork: Classification, Hiring and Compensation Changes
The CTMS stems from the Border Patrol Agent Pay Reform Act of 2014, which gave the DHS secretary the power to establish a new personnel management system specifically for cybersecurity. The broad outlines of the CTMS in its current state took shape in 2019, but its implementation was eventually delayed.
One of the main provisions allows the DHS secretary to hire cybersecurity professionals as part of the excepted service, as opposed to the competitive service – the majority of rank-and-file feds, governed by special civil service rules for hiring, firing and pay – or the Senior Executive Service – senior administrators with their own regulatory structure.
This is expected to help DHS recruit officials more quickly and facilitate movement within DHS itself, between agencies, and in and out of the private sector.
While many public service hiring practices largely depend on the government’s ability to clearly define and anticipate all aspects of a person’s job, in cybersecurity this is simply not a possibility.
The new system will focus on the skills employees need to perform well. This will be accompanied by a shift from self-assessment of expertise, a common practice in federal hiring, to candidates demonstrating their skills, for example in a work simulation setting. CTMS designers are benchmarking their work against private sector hiring practices for IT positions, Hoadley said.
DHS is also working to resolve chronic compensation issues.
Salary scales like the General Schedule aren’t necessarily market-sensitive for cybersecurity talent, Hoadley said. DHS officials say its upcoming alternative pay plan will better align pay rates with the value of cybersecurity skills in the marketplace and the experience a person brings to the job and won’t be as tied to education.
“Congress was more interested in the department’s ability to truly recruit and retain the kind of talent it takes to execute our cybersecurity mission in the 21st century, recognizing that cybersecurity threats continue to change and evolve, as technology continues to change and evolve, and we need to be able to keep pace with other cybersecurity employers as we compete for a limited talent pool,” Hoadley said of the 2014 legislation.
CTMS will operate under “applicable labor laws” which render “many cybersecurity employees … ineligible to join a bargaining unit,” Hoadley said.
The American Federation of Government Employees, the largest union representing government employees, declined to comment for this article.
As DHS and CISA meet their hiring goals this year, bringing CTMS online will mean a long overdue update, officials said.
“You can’t really take that foundation from WWII and think about ‘how to nimbly hire and manage cybersecurity professionals in the 21st century?’” Hoadley said. “It takes on a different basis, so that’s what we thought about, and that’s what we hope to achieve with CTMS.”
Natalie Alms is a writer at FCW and covers the federal workforce. She recently graduated from Wake Forest University and wrote for the Salisbury (NC) Post. Connect with Natalie on Twitter at @AlmsNatalie.
Justin Katz covers cybersecurity for FCW. Previously, he covered the Navy and the Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition, and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington DC areas. Connect with him on Twitter at @JustinSKatz.