§146. Cybersecurity workforce assessment and strategy

(a) Workforce assessment

(1) In general

Not later than 180 days after December 18, 2014, and annually thereafter for 3 years, the Secretary shall assess the cybersecurity workforce of the Department.

(2) Contents

The assessment required under paragraph (1) shall include, at a minimum-

(A) an assessment of the readiness and capacity of the workforce of the Department to meet its cybersecurity mission;

(B) information on where cybersecurity workforce positions are located within the Department;

(C) information on which cybersecurity workforce positions are-

(i) performed by-

(I) permanent full-time equivalent employees of the Department, including, to the greatest extent practicable, demographic information about such employees;

(II) independent contractors; and

(III) individuals employed by other Federal agencies, including the National Security Agency; or

(ii) vacant; and

(D) information on-

(i) the percentage of individuals within each Cybersecurity Category and Specialty Area who received essential training to perform their jobs; and

(ii) in cases in which such essential training was not received, what challenges, if any, were encountered with respect to the provision of such essential training.

(b) Workforce strategy

(1) In general

The Secretary shall-

(A) not later than 1 year after December 18, 2014, develop a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of the Department; and

(B) maintain and, as necessary, update the comprehensive workforce strategy developed under subparagraph (A).

(2) Contents

The comprehensive workforce strategy developed under paragraph (1) shall include a description of-

(A) a multi-phased recruitment plan, including with respect to experienced professionals, members of disadvantaged or underserved communities, the unemployed, and veterans;

(B) a 5-year implementation plan;

(C) a 10-year projection of the cybersecurity workforce needs of the Department;

(D) any obstacle impeding the hiring and development of a cybersecurity workforce in the Department; and

(E) any gap in the existing cybersecurity workforce of the Department and a plan to fill any such gap.

(c) Updates

The Secretary submit ¹ to the appropriate congressional committees annual updates on-

(1) the cybersecurity workforce assessment required under subsection (a); and

(2) the progress of the Secretary in carrying out the comprehensive workforce strategy required to be developed under subsection (b).

( Pub. L. 113–246, §3, Dec. 18, 2014, 128 Stat. 2880 .)

Editorial Notes

Codification

Section was enacted as part of the Cybersecurity Workforce Assessment Act, and not as part of the Homeland Security Act of 2002 which comprises this chapter.

Statutory Notes and Related Subsidiaries

Homeland Security Cybersecurity Workforce Assessment

Pub. L. 113–277, §4, Dec. 18, 2014, 128 Stat. 3008 , provided that:

"(a) Short Title.-This section may be cited as the 'Homeland Security Cybersecurity Workforce Assessment Act'.

"(b) Definitions.-In this section:

"(1) Appropriate congressional committees.-The term 'appropriate congressional committees' means-

"(A) the Committee on Homeland Security and Governmental Affairs of the Senate;

"(B) the Committee on Homeland Security of the House of Representatives; and

"(C) the Committee on House Administration of the House of Representatives.

"(2) Cybersecurity work category; data element code; specialty area.-The terms 'Cybersecurity Work Category', 'Data Element Code', and 'Specialty Area' have the meanings given such terms in the Office of Personnel Management's Guide to Data Standards.

"(3) Department.-The term 'Department' means the Department of Homeland Security.

"(4) Director.-The term 'Director' means the Director of the Office of Personnel Management.

"(5) Secretary.-The term 'Secretary' means the Secretary of Homeland Security.

"(c) National Cybersecurity Workforce Measurement Initiative.-

"(1) In general.-The Secretary shall-

"(A) identify all cybersecurity workforce positions within the Department;

"(B) determine the primary Cybersecurity Work Category and Specialty Area of such positions; and

"(C) assign the corresponding Data Element Code, as set forth in the Office of Personnel Management's Guide to Data Standards which is aligned with the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework report, in accordance with paragraph (2).

"(2) Employment codes.-

"(A) Procedures.-Not later than 90 days after the date of the enactment of this Act [Dec. 18, 2014], the Secretary shall establish procedures-

"(i) to identify open positions that include cybersecurity functions (as defined in the OPM Guide to Data Standards); and

"(ii) to assign the appropriate employment code to each such position, using agreed standards and definitions.

"(B) Code assignments.-Not later than 9 months after the date of the enactment of this Act, the Secretary shall assign the appropriate employment code to-

"(i) each employee within the Department who carries out cybersecurity functions; and

"(ii) each open position within the Department that have been identified as having cybersecurity functions.

"(3) Progress report.-Not later than 1 year after the date of the enactment of this Act, the Director shall submit a progress report on the implementation of this subsection to the appropriate congressional committees.

"(d) Identification of Cybersecurity Specialty Areas of Critical Need.-

"(1) In general.-Beginning not later than 1 year after the date on which the employment codes are assigned to employees pursuant to subsection (c)(2)(B), and annually through 2021, the Secretary, in consultation with the Director, shall-

"(A) identify Cybersecurity Work Categories and Specialty Areas of critical need in the Department's cybersecurity workforce; and

"(B) submit a report to the Director that-

"(i) describes the Cybersecurity Work Categories and Specialty Areas identified under subparagraph (A); and

"(ii) substantiates the critical need designations.

"(2) Guidance.-The Director shall provide the Secretary with timely guidance for identifying Cybersecurity Work Categories and Specialty Areas of critical need, including-

"(A) current Cybersecurity Work Categories and Specialty Areas with acute skill shortages; and

"(B) Cybersecurity Work Categories and Specialty Areas with emerging skill shortages.

"(3) Cybersecurity critical needs report.-Not later than 18 months after the date of the enactment of this Act, the Secretary, in consultation with the Director, shall-

"(A) identify Specialty Areas of critical need for cybersecurity workforce across the Department; and

"(B) submit a progress report on the implementation of this subsection to the appropriate congressional committees.

"(e) Government Accountability Office Status Reports.-The Comptroller General of the United States shall-

"(1) analyze and monitor the implementation of subsections (c) and (d); and

"(2) not later than 3 years after the date of the enactment of this Act, submit a report to the appropriate congressional committees that describes the status of such implementation."

Definitions

Pub. L. 113–246, §2, Dec. 18, 2014, 128 Stat. 2880 , provided that: "In this Act [enacting this section and provisions set out as a note under section 101 of this title]-

"(1) the term 'Cybersecurity Category' means a position's or incumbent's primary work function involving cybersecurity, which is further defined by Specialty Area;

"(2) the term 'Department' means the Department of Homeland Security;

"(3) the term 'Secretary' means the Secretary of Homeland Security; and

"(4) the term 'Specialty Area' means any of the common types of cybersecurity work as recognized by the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework report."

¹ So in original.