On 25 January 2019, the longest U.S. government shutdown in history came to an end. It’s unclear exactly what impact this closure had on the government’s digital security. A SecurityScorecard report found that the shutdown coincided with a rise of expired SSL certificates protecting .gov domains, thereby producing a slight dip in overall network security ratings. But that same publication also found increases in endpoint security and patching cadence, possibly because many workstations were shut down and because essential employees had time to implement overdue software patches.
The long-term digital security damage caused by shutdown is even more uncertain. As reported by Fedeal Computer Week, House Homeland Security Committee chairman Bennie Thompson (D-Miss.) said it’s likely that the Department of Homeland Security (DHS) and Congress “will be dealing with the consequences of [the shutdown] for months — or even years — to come.” These effects could include difficulties of hiring personnel for federal digital security positions.
Margot Conrad, director of federal workforce programs at the Partnership for Public Service, is well aware of those potential challenges. As she told Nextgov:
If you’re a highly qualified person in the tech field or the cyber field, you’ve got a lot of employers out there that are looking to scoop you up. I do think agencies are really going to be hurting now in terms of recruiting the next generation of talent that [they] desperately need.
These hiring difficulties are a problem for two reasons. First, federal agencies will potentially have a harder time to attract talent, which will translate into a poorer digital security posture overall. Second, their efforts to fulfill the Federal Cybersecurity Workforce Assessment Act (FCWAA) could prove to be more challenging, as they’ll now need to account for even greater numbers of vacant positions in their reporting.
The Federal Cybersecurity Workforce Assessment Act
Enacted by Congress on 18 December 2015 as part of the Consolidated Appropriations Act of 2016 (Public Law 114-113), the Federal Cybersecurity Workforce Assessment Act requires federal agencies to identify all personnel positions involving work responsibilities that are associated with IT and/or digital security. Those agencies must then use NIST Special Publication 800-181, or the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, to assign an employment code to each of these positions.
Once they’ve coded all their positions, they must submit a report to the Office of Personnel Management (OPM) that identifies the percentage of employees in coded positions who have industry certifications, the level of preparedness among other employees to pass certification exams and the implementation of security measures designed to close training and certification gaps. The FCWAA requires that agencies submit a report to the OPM annually through 2022. It’s then up to OPM to interpret these reports and thereby address critical needs in the federal government’s digital security workforce.
Uneven Progress in Fulfilling the FCWAA
Unfortunately, some federal agencies are struggling to fulfill their end of the Act.
In a report published in June 2018, the U.S. Government Accountability Office explains that 21 of 24 agencies covered by the Chief Financial Officers (CFO) Act had submitted baseline assessments. Those three agencies—the Department of Homeland Security, the U.S. Department of Housing and Urban Development and the Small Business Administration—cited a lack of tools and resources for not submitting their assessments. Even then, five reports did not contain all the information they needed, while another six reports registered at most a 42 percent response rate on questions concerning certifications for digital security positions.
These struggles could hamper agencies’ efforts to meet their subsequent obligations under the Act. Of particular relevance is the April 2019 deadline for agencies to submit a report to OPM. This report must indicate every job role within an agency that pertains to digital security, and it must substantiate the “designation of critical need.”
How to Move Forward
It’s currently unclear if some or all of the agencies that hadn’t submitted (complete) reports at the time of GAO’s initial publication have caught up with their FCWAA responsibilities. No doubt the shutdown didn’t help those who might still be at it. Agencies lost as many as 35 days to the closure, time which they could have used to finish their coding and/or write the report.
Given the proximity of the FCWAA’s April 2019 deadline, it’s useful to remind federal agencies of some of the instructions set forth by the OPM for assigning employment codes. These include the following recommendations:
- Make it a team effort: A single individual or team shouldn’t be responsible for assigning codes. Federal agencies should assemble their CIO staff, managers, and HR and classification staff work together in this effort. This collaboration will make the work move more quickly and the final code assignments more accurate.
- Pay careful attention to the codes themselves: Federal agencies should not forget to assign Cybersecurity Data Standard Code “000” to positions that are not involved in information technology, digital security or other computer-related functions. At that point, their teams can assign codes with values ranging from “101” to “999” to jobs that are engaged in these areas. They should use these new three-digit employment codes and not the original two-digit codes.
- Prioritize codes with multi-faceted positions: Some positions involve multiple functions when it comes to digital security. In those cases, classification teams can assign up to three codes for each substantial job function. They should provide these codes in an order that lists their most critical duties first.
Additional coding guidance for federal agencies is available in this OPM memo