New Executive Order Targets America’s Cybersecurity Workforce
Privacy in Focus®
On May 2, 2019, the President issued an Executive Order on America’s Cybersecurity Workforce, which follows several recent Executive branch and legislative actions intended to strengthen cybersecurity in both the public and private sectors. The Executive Order includes several directives aimed at incrementally advancing cybersecurity skills and expertise, and reflects the continued momentum of cybersecurity efforts in industry and government.
Workforce Strengthening
The Executive Order begins by reciting the often discussed challenges in the cybersecurity industry. Broadly speaking, while a robust and skilled workforce is essential to economic and national security, there is a severe shortage of skilled cybersecurity professionals. The federal government plays a unique and critical role in fostering the advancement of cybersecurity talent, and this Executive Order seeks to address the inadequate supply of qualified personnel. Notably, the Executive Order acknowledges that, as a matter of policy, it is critical to facilitate “seamless movement” of cybersecurity professionals between the public and private sectors.
To address these challenges, the Executive Order mandates that agencies implement several directives. First, the federal cybersecurity workforce will benefit from a rotational assignment program, which will enable knowledge transfer and skill advancement of cybersecurity personnel. The program will include detailing nominated employees from and between the U.S. Department of Homeland Security (DHS) and other federal agencies. Program participants must meet requirements established in the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE Framework), and will also receive peer mentoring.
Requirements and Awards
The NICE Framework will also play an increasingly prominent role in other contexts directly applicable to contractors and industry. For example, the NICE Framework lexicon and taxonomy will be incorporated into knowledge and skill requirements for informational technology and cybersecurity services contracts, and agencies will report on whether contractor personnel have the necessary knowledge and skills to perform the contractual tasks in accordance with the NICE Framework. Similarly, agencies must encourage voluntary integration of the NICE Framework into existing education and workforce developments efforts undertaken by state, local, non-governmental, and private entities.
The federal government will implement other measures designed to develop skills and expertise of the cybersecurity workforce. Federal agencies will utilize cybersecurity aptitude assessments in order to identify and reskill current employees to perform cybersecurity work. Agencies will also re-examine existing awards and decorations for federal and military personnel and establish new awards as necessary to recognize outstanding performance. Finally, an annual cybersecurity competition will be developed for federal civilian employees with the goal of identifying, challenging, and rewarding the best cybersecurity talent. The Executive Order calls for the first competition to be held before the end of 2019.
Awareness and Assessment
The Executive Order also includes provisions directed at more broadly strengthening the nation’s cybersecurity workforce. These high-level directives range from raising awareness of the workforce shortage, transforming the learning environment and educational curriculum, and establishing metrics for evaluating the effectiveness of workforce investments. Federal agencies are also tasked with reporting requirements with respect to the cybersecurity workforce supporting critical infrastructure and defense systems, including identifying skill gaps and recommending curricula for closing such gaps through training and other education.
This Executive Order follows the Administration’s September 2018 National Cyber Strategy and Executive Order 13800, as well as the National Defense Authorization Act for Fiscal Year 2019 (NDAA), each of which featured multiple provisions highlighting the increasing role for industry and federal contractors in cybersecurity. Industry should expect to see continued Executive Branch action and legislation surrounding these issues.
© 2019 Wiley Rein LLP