• 6 months ago
The House Homeland Security Committee holds a hearing on the shortfalls in the cyber security workforce.

Fuel your success with Forbes. Gain unlimited access to premium journalism, including breaking news, groundbreaking in-depth reported stories, daily digests and more. Plus, members get a front-row seat at members-only events with leading thinkers and doers, access to premium video that can help you get ahead, an ad-light experience, early access to select products including NFT drops and more:

https://account.forbes.com/membership/?utm_source=youtube&utm_medium=display&utm_campaign=growth_non-sub_paid_subscribe_ytdescript


Stay Connected
Forbes on Facebook: http://fb.com/forbes
Forbes Video on Twitter: http://www.twitter.com/forbes
Forbes Video on Instagram: http://instagram.com/forbes
More From Forbes: http://forbes.com
Transcript
00:00:00This hearing is to examine the challenges federal agencies face in recruiting, developing
00:00:09and retaining a skilled cyber workforce that is prepared to secure and defend the homeland
00:00:13against rapidly evolving cyber threats.
00:00:16Specifically, this hearing will identify strategies and solutions to bolster and expand a capable
00:00:20cyber workforce, including by examining the effectiveness of ongoing federal efforts.
00:00:25Fortunately, Chairman Green is unable to join us today due to a death in the family, so
00:00:28I will be presiding over this hearing in his place.
00:00:31I now recognize myself to read Chairman Green's opening statement on his behalf.
00:00:40Experts predict that by the end of 2024, a cyber attack will strike every 13 seconds.
00:00:44That's 6,822 attacks a day, or about 2 million by the end of the year.
00:00:50It's easy to believe those predictions by looking at where we are today.
00:00:53Whether it's Chinese-backed Volt Typhoon infiltrating our critical infrastructure, or major ransomware
00:00:58attacks such as the Change Healthcare Breach, today's complex and growing cyber threat
00:01:03landscape has brought America to an inflection point.
00:01:07To stay ahead of our adversaries, we must improve our cyber defenses.
00:01:11Throughout our history, America's best defense during any conflict has been its people.
00:01:16Our fortitude, work ethic and dedication make us resilient in the face of any threat.
00:01:21Therefore, increasing competition in cyberspace is not, and cannot, be different.
00:01:27The challenge is too big for the public and private sectors to address alone, and our
00:01:31cyber professionals must be equipped with the right tools and skills and offered the
00:01:35right incentives to succeed.
00:01:37It is alarming, then, that our nation is suffering from such a major cyber workforce gap.
00:01:44We currently need at least 500,000 cyber professionals if we hope to protect and defend our way of
00:01:48life.
00:01:49Now that's just not any 500,000 people.
00:01:52We need 500,000 skilled, talented cyber workers dedicated to contending with the threats of
00:01:58today while preparing for the threats of tomorrow.
00:02:02During World War I, walls were papered with the iconic poster of Uncle Sam pointing his
00:02:07finger at every passerby declaring, I want you.
00:02:10It was a call to action that was born out of a time of national crisis, and it was a
00:02:15call that Americans answered.
00:02:18We find ourselves in a similar moment today.
00:02:20Our nation needs a capable cyber workforce to defend the digital infrastructure we depend
00:02:24on daily.
00:02:25We need Americans in critical areas like cloud computing, artificial intelligence, machine
00:02:29learning, and zero trust.
00:02:32We need students with fresh skills and bright ideas.
00:02:35We need tenured professionals with deep-seated expertise.
00:02:38We need mid-career individuals who are inspired to enter the cyber field and have the zeal
00:02:43to learn new skills.
00:02:45And we need Americans to fill entry-level positions that shouldn't require a four-year
00:02:49degree.
00:02:50America's need for cyber talent is the greatest within the federal government.
00:02:54Agencies are facing some of the toughest threats in recent history, each with mounting sophistication
00:02:58and frequency.
00:03:00While agencies work to protect themselves from threats such as malicious insiders, supply
00:03:04chain exploitation, and commercial spyware, they are also protecting, mitigating, and
00:03:09defending against these threats for state and local organizations, small businesses,
00:03:15and civilians.
00:03:17This is a large mandate for such small ranks.
00:03:20So why are we having trouble bringing a talented cyber workforce into public service?
00:03:24Defending our networks requires us to examine this question closely.
00:03:28There are a few key issues at play that I hope our witnesses will discuss further today.
00:03:33While cybersecurity positions are coveted and pay above average levels in many cases,
00:03:38federal cybersecurity pay is just not high enough to compete with similar private sector
00:03:41positions and attract the right talent.
00:03:44Additionally, federal agencies experience an acute skills gap because agencies have
00:03:50historically valued four-year degrees over practical experience.
00:03:55This has unnecessarily narrowed the pool of prospective hires to those who may not have
00:03:59on-the-paper knowledge, but not the requisite competencies.
00:04:04Federal hiring practices compound the issue, often resulting in a bureaucratic, burdensome
00:04:08process that misaligns what agencies say they need with what they actually need.
00:04:14Finally, while career pathways into federal cyber jobs are improving, this simply isn't
00:04:19happening fast enough.
00:04:21The pathways are few and notoriously slow.
00:04:24While much more is needed to be done, both sides of the aisle have recognized that a
00:04:28robust and prepared cyber workforce is at the core of protecting our cyber security
00:04:33interests.
00:04:34In 2017, President Trump issued an Executive Order on Strengthening the Cybersecurity of
00:04:39Federal Networks and Critical Infrastructure, which addressed the growth and sustainment
00:04:43of a skilled cyber workforce.
00:04:45In July 2023, the White House released the National Cyber Workforce Education Strategy,
00:04:50which outlines a roadmap to expand the national cyber workforce, including bolstering access
00:04:54to cyber education and training.
00:04:57Federal agencies have also taken this challenge upon themselves.
00:05:00For example, NSA's National Centers for Academic Excellence in Cybersecurity collaborates
00:05:05with academia to encourage cyber competency development among students and actively engage
00:05:09in solutions to cyber workforce challenges.
00:05:13This program has become the gold standard in cybersecurity education, which is why I
00:05:17think it is important we codify it into law.
00:05:20While my NDAA amendment was not included this year, to do just that, I am now exploring
00:05:24other pathways.
00:05:26As an Army veteran, I believe an ROTC-like program would be an effective and rewarding
00:05:32way to build a prepared cyber workforce across the federal government.
00:05:36Although we have programs that fall into this category today, such as CyberCorps' Scholarship
00:05:40for Service program, we must maximize and scale these efforts, improve retention, and
00:05:45potentially establish other ROTC-like programs quickly to fill a specific skills gap and
00:05:50critical positions.
00:05:53As Chairman of the Committee on Homeland Security, I know that protecting the cyber
00:05:56border is just as important as our efforts to secure our physical border.
00:06:01This is why accelerating the United States' efforts to address the cyber workforce gap
00:06:04has been my top priority this year, so much so that I will soon be introducing legislation
00:06:08to grow our cyber workforce and sustain a steady pipeline each year.
00:06:11I want to thank our witnesses for being here to help us understand the challenges you have
00:06:16experienced, initiatives you have undertaken, and opportunities you see to strengthen our
00:06:20cyber workforce.
00:06:22Your agencies have played a leading role in promoting cyber workforce efforts, so I
00:06:27have no doubt that your unique perspectives will help us chart the path to cultivate a
00:06:30cyber workforce that is prepared to protect and defend our nation from increasingly complex
00:06:35threats in cyberspace.
00:06:42I now recognize Ranking Member Ms. Ramirez from Illinois for her opening statement.
00:06:53Thank you, Chairman Gavarino.
00:06:56Good morning.
00:06:57Before I begin, I want to extend my condolences to Chairman Green and his family as they mourn
00:07:03the passing of his mother-in-law.
00:07:08In closing, I would like to thank the Chairman for holding this hearing on addressing our
00:07:13nation's cyber workforce shortage.
00:07:16As we see increased cyber threats from adversary nation-states and criminal gangs, we continue
00:07:24to invest in developing our cybersecurity talent pool, and it will be essential in defending
00:07:29the federal government and its critical infrastructure.
00:07:32This committee has prioritized addressing the cyber workforce challenges for years,
00:07:38and it's passed important legislation to ensure that DHS and CISA continue to support cyber
00:07:43workforce development.
00:07:45Last Congress, for example, the committee secured the enactment of Representative Swalwell's
00:07:50industrial control systems cybersecurity training legislation.
00:07:54Earlier this Congress, the committee passed Representative Jackson-Lee's legislation
00:07:59authorizing CISA's effort to provide cybersecurity training to DHS employees.
00:08:05I really hope that we can work together to secure passage of Representative Jackson-Lee's
00:08:09important bill by the full House this Congress.
00:08:14And while these legislative efforts have been helpful, we also know that there's still a
00:08:18lot of work to be done.
00:08:20Fortunately, the Biden administration has released a comprehensive cyber workforce and
00:08:24education strategy that sets a roadmap for how the executive branch and Congress can
00:08:29better support workforce development efforts.
00:08:33Considering the wide range of federal agencies, state and local governments, and private entities
00:08:39involved in cyber workforce training and education, this is the kind of leadership from the White
00:08:45House that is critical to ensuring that we have a coordinated, we have a whole-of-government
00:08:50and whole-of-nation effort.
00:08:52I'm glad to see the administration's new report on the workforce strategy implementation,
00:08:57and I do look forward to hearing more today about how the implementation is going and
00:09:02how Congress can support this very critical effort.
00:09:06In particular, I support the administration's commitment to skill-based hiring and efforts
00:09:12like DHS's cyber internship program.
00:09:15I look forward to working with DHS and many of my colleagues here to authorize a cyber
00:09:21internship program available to individuals from high school through grad school so that
00:09:25we ensure that the department continues to develop its next generation of cyber talent.
00:09:31And I appreciate that the federal government has some unique challenges in recruiting and
00:09:35retaining top cyber talent.
00:09:39When the federal government must compete with the private sector that we know offers higher
00:09:43pay and more flexible hiring, we know the federal government risks losing skilled cyber
00:09:50security practitioners.
00:09:51And so I look forward to hearing from the Department of Defense and Homeland Security
00:09:54today on how we can address this challenge.
00:09:57I also hope to hear what authorities Congress can provide to ensure the federal department
00:10:02agencies responsible for leading our cyber defense have the talent necessary to keep
00:10:07our nation secure.
00:10:09And as we consider efforts to address our cyber workforce gap going forward, there are
00:10:14some key points that I want to make sure that we're keeping in mind.
00:10:17First, one key advantage we have over our adversaries, let me say, is our diverse population.
00:10:28To fill cyber workforce positions, we have to focus on outreach to women, to people of
00:10:33color, to rural populations, and others who are not adequately represented currently in
00:10:38the cyber workforce.
00:10:40And we can't simply address cyber workforce shortage without including everyone and doing
00:10:44so with an intentional effort on the part of the government and the private sector.
00:10:49That is why Ranking Member Thompson authored legislation to establish a DHS Intelligence
00:10:55and Cybersecurity Diversity Fellowship Program, and I'm glad to see the diverse young people
00:11:00who have already participated in the program.
00:11:03We must continue to build and expand on similar efforts to bring more people from all walks
00:11:07of life into the federal government's cyber workforce.
00:11:10Additionally, we have seen rapid technological advances in recent years with the growth of
00:11:16artificial intelligence, showing how the skills necessary for cybersecurity are constantly,
00:11:22constantly evolving.
00:11:24We must ensure that our cybersecurity training efforts reflect the latest skills and that
00:11:28our cybersecurity workforce continues to receive adequate training throughout their careers.
00:11:33AI will not solve our cyber workforce shortage, but it will change how cyber defenders do
00:11:40their jobs, so education and training programs have to reflect that reality.
00:11:46Keeping these considerations in mind, I hope that our committee can work together in a
00:11:50bipartisan way to expand and to strengthen our cyber talent pool.
00:11:56Our witness expertise will help inform our efforts, and I look forward to your testimony.
00:12:02Before I close, however, I do want to extend the committee's well wishes to Congresswoman
00:12:08Jackson Lee as she battles pancreatic cancer.
00:12:12As a longstanding member of the Cybersecurity and Infrastructure Protection Subcommittee,
00:12:18Congresswoman Jackson Lee has been a leading advocate for strengthening our nation's cyber
00:12:23workforce, and I look forward to her continued advocacy on this important issue.
00:12:27Chairman, I yield back.
00:12:30Thank you, Ms. Ramirez, and I share your thoughts and our prayers with Ms. Jackson Lee.
00:12:35She is a great member of the subcommittee that I chair, always has great questions and
00:12:40very thoughtful ones, and sometimes ones I wish I came up with myself, so we all wish
00:12:45her a speedy recovery.
00:12:50Other members of the committee are reminded that opening statements may be submitted for
00:12:52the record.
00:12:53I'm pleased to have our distinguished witnesses before us today.
00:12:56I ask that our witnesses please rise and raise their right hands.
00:13:02Do you solemnly swear that the testimony you will give before the Committee on Homeland
00:13:06Security of the United States House of Representatives will be the truth, the whole truth, and nothing
00:13:10but the truth, so help you God?
00:13:12Let the record reflect that the witnesses have answered in the affirmative.
00:13:16Thank you.
00:13:17Please be seated.
00:13:18I would now like to formally introduce our witnesses.
00:13:20Mr. Eric Heisen serves as the Chief Information Officer for the Department of Homeland Security.
00:13:26CIO, Mr. Heisen is responsible for strategically aligning the Department's information technology,
00:13:32personnel resources, and assets, including security, infrastructure, and delivery to
00:13:36support core DHS missions and activities.
00:13:39In September 2023, Ms. Heisen was named as the Department of Homeland Security's first
00:13:43Chief Artificial Intelligence Officer.
00:13:46He previously was a Senior Fellow at the National Conference on Citizenship, where he led projects
00:13:50to use technology, data, and design to address pressing public policy challenges.
00:13:57He also worked in state government, helping to launch the California Office of Digital
00:14:00Innovation and Philanthropy, and in philanthropy, supporting nonprofits working to advance immigration
00:14:05and criminal justice reform.
00:14:07Mr. Heisen graduated with honors in Computer Science from Harvard University and has published
00:14:11research in crowdsourcing and workflow design.
00:14:15Ms. Leslie Beavers is a career member of the Senior Executive Service and the DoD's Principal
00:14:20Deputy CIO.
00:14:22In this capacity, she assists the CIO in advising the Secretary of Defense on information management,
00:14:27information technology, and information assurance, as well as non-intelligent space systems,
00:14:32critical satellite communications, navigation, and timing programs, spectrum, and telecommunications
00:14:37matters.
00:14:38Ms. Beavers also leads engagements with the Defense Agencies and Field Activity CIOs and
00:14:43drives strategic resource planning across the IT and cybersecurity domains.
00:14:47Prior to joining the CIO, Ms. Beavers served as the Director of Intelligence, Surveillance,
00:14:52and Reconnaissance Enterprise Capabilities.
00:14:54In this capacity, she led OUSD's Defense Intelligence Digital Transformation Campaign
00:15:01Plan, known as Project Herald.
00:15:03Additionally, Ms. Beavers has over 15 years' experience in the private sector, working
00:15:08in the film, TV, healthcare, and oil and gas industries.
00:15:12She holds a bachelor's degree in political science from the U.S. Air Force Academy and
00:15:17an MBA in finance with honors from South University.
00:15:20Mr. Rodney Peterson is the Director of the National Initiative for Cybersecurity Education,
00:15:25Advancing Cybersecurity Education and Workforce Development at the National Institute of Standards
00:15:29and Technology in the United States.
00:15:32He previously serves as the Managing Director of the EDU Cause Washington Office and is
00:15:38a Senior Government Relations Officer.
00:15:40He founded and directed the EDU Cause cybersecurity program and was the lead for the Higher Education
00:15:46Information Security Council.
00:15:48He also worked at the University of Maryland as the Director of IT Policy and Planning
00:15:52in the Office of the Vice President and Chief Information Officer.
00:15:55He also held the role of Campus Compliance Officer in the Office of the President.
00:16:01He received his law degree from Wake Forest University and bachelor's degrees in political
00:16:04science and business administration from Alma College.
00:16:07He was awarded a certificate as an Advanced Graduate Specialist in Education Policy, Planning,
00:16:11and Administration from the University of Maryland.
00:16:15Mr. Siyun Mo serves as the Assistant National Cyber Director of Cyber Workforce Training
00:16:19and Education at the Office of National Cyber Director.
00:16:22In his role, Mr. Mo leads and coordinates the implementation of the White House's National
00:16:27Cyber Workforce and Education Strategy.
00:16:29He believes in taking a holistic view, doctrine, people, and technology to make advancements
00:16:34in cyber workforce and digital safety awareness.
00:16:37Mo is an expert in the intersection of cybersecurity, technology, and national security with 18
00:16:43years of experience spanning tech, development, policymaking, and political campaigning.
00:16:48Thank the witnesses for being here today.
00:16:50I now recognize Mr. Heisen for five minutes to summarize his opening statement.
00:16:55Chairman Garbarino, Congresswoman Ramirez, and distinguished members of the committee,
00:16:59thank you for the opportunity to testify today.
00:17:02Every day, over 8,000 cybersecurity professionals across the Department of Homeland Security
00:17:07put their skills to use defending our nation.
00:17:10NSA threat hunters search proactively through networks to identify and stop suspicious activities.
00:17:17Secret service agents investigate complex, cyber-enabled financial crimes.
00:17:22Teams from Homeland Security investigations catch perpetrators of child sexual exploitation
00:17:27through cutting-edge digital forensics techniques.
00:17:31And our IT specialists across the Department work to secure our own networks, systems,
00:17:36and data and stay ahead of our adversaries.
00:17:39Our cybersecurity professionals are deeply talented and dedicated to serving their country,
00:17:44but they are too few.
00:17:46The Department has nearly 2,000 vacancies for cybersecurity positions and struggles,
00:17:51like every government agency, to recruit and retain talent in an incredibly competitive
00:17:56field.
00:17:58I have dedicated much of my career to this challenge.
00:18:01After working as a software engineer in Silicon Valley, I left the private sector to co-found
00:18:06the United States Digital Service, which has now recruited hundreds of technologists
00:18:11for government tours of duty.
00:18:13There, I saw how recruiting and retaining tech talent in government requires a comprehensive
00:18:19approach, actively recruiting out to communities, particularly those underrepresented in our
00:18:24field, to build awareness of public service pathways, leveraging flexible compensation
00:18:29and hiring authorities, streamlining our hiring and onboarding processes, and building a culture
00:18:36that fosters innovation and collaboration.
00:18:39Today, I will highlight how we are working to do each of those things in support of our
00:18:43own workforce.
00:18:45In November of 2021, DHS launched the Cybersecurity Talent Management System, or CTMS, a transformational
00:18:52effort that offers hiring processes, compensation systems, and career progression that are far
00:18:59closer to what I was used to seeing in Silicon Valley than to traditional federal HR.
00:19:05Since its launch, we have received nearly 25,000 applications, issued over 345 offers,
00:19:12and currently have 189 employees at all levels working in my office, CISA, and FEMA.
00:19:19While CTMS is delivering significant results, its rollout was not without challenges.
00:19:24It took us too long from receiving the authority to launch the program and begin hiring under
00:19:29it, and our initial rate of hires has been slower than expected.
00:19:33We are learning from these efforts and continuously improving CTMS to position the department
00:19:38for long-term success.
00:19:40In addition, we have established a variety of internship and fellowship programs to create
00:19:45pathways for students and early career professionals, including the Secretary's Honors Program,
00:19:52Cybersecurity Internship Program, and Intelligence and Cybersecurity Diversity Fellowship.
00:19:57These programs have welcomed hundreds of participants to date and are building the future of our
00:20:02cyber workforce.
00:20:04We are also building innovative programs to attract talent in critical cybersecurity enabling
00:20:09fields, such as AI and emerging technologies.
00:20:13For example, this February, we launched the DHS AI Corps, an effort to hire 50 experts
00:20:18to support the use of AI across the department.
00:20:21We've seen incredible interest so far and are well on our way towards this hiring goal,
00:20:26with new AI Corps members coming from top technology companies and from across government
00:20:31and civil society.
00:20:33Finally, training and development of our existing workforce is also vital.
00:20:38We are building a DHS IT Academy to create standard technical orientations for all new
00:20:44employees, develop a rigorous training and rotation program for entry-level hires, and
00:20:49offer upskilling opportunities for employees to learn new and emerging skills.
00:20:55These programs are just some of the tools we are using across DHS to strengthen our
00:20:59cybersecurity workforce.
00:21:01There is no single initiative or policy to address all workforce challenges, and every
00:21:06organization that relies on this talent across the public and private sectors is similarly
00:21:11looking at a combination of efforts.
00:21:13I look forward to our continued partnership with Congress to enable us to attract and
00:21:17retain talent in this incredibly competitive market.
00:21:20Thank you for the opportunity to testify today.
00:21:22I look forward to your questions.
00:21:23Thank you, Mr. Hyson.
00:21:24I now recognize Ms. Beavers for five minutes to summarize her opening statement.
00:21:31Good morning, Chairman Garbarino and Congresswoman Ramirez and distinguished members of the subcommittee.
00:21:41Thank you for the opportunity to address you today on an issue of critical importance to
00:21:45our national security, the Department of Defense's efforts to cultivate and strengthen our cyber
00:21:50workforce.
00:21:52As the Principal Deputy Chief Information Officer, I lead a team dedicated to providing
00:21:56strategic direction, oversight, and technical expertise to secure and modernize the Department's
00:22:03information technology, enhancing warfighting, command, control, and communications, and
00:22:09cultivate a digital workforce.
00:22:12Each of these missions is critical to our warfighters and would be impossible without
00:22:16the right people.
00:22:18The Department of Defense must adapt to emerging threats and develop a skilled workforce to
00:22:22tackle national security challenges in the global landscape.
00:22:26Cyber threats, cloud computing, and software modernization are crucial for safeguarding
00:22:31national interests and supporting warfighters.
00:22:34A skilled workforce is needed to innovate, develop, and implement cyber capabilities
00:22:40for sustained superiority.
00:22:42Last year, the Department of Defense released the DoD Cyber Workforce Strategy, developed
00:22:47in coordination with various components, the Joint Chiefs of Staff, U.S. Cyber Command,
00:22:53and the military services.
00:22:55This strategy aligns with the 2022 National Defense Strategies Imperative to cultivate
00:23:00the workforce we need.
00:23:02The strategy identifies a pressing need for a cultural shift in managing the Department's
00:23:08most valuable asset, our people, and laid the groundwork for a nationwide transformation
00:23:13in cyber education through collaboration among academia, employers, and government leaders.
00:23:21It also creates an opportunity for innovation in the Department's approach to recruiting,
00:23:25training, educating, and certifying our workforce.
00:23:29The strategy aims to achieve success through regular workforce capability assessments,
00:23:35talent management programs, cultural shift, and partnerships to enhance operational effectiveness
00:23:42and career growth.
00:23:43A keystone effort within the Cyber Workforce Strategy is the Cyber Defense Workforce Framework,
00:23:49which is a catalog of cyberspace skills and roles needed across the Department.
00:23:54This framework helps us identify and focus on critical, hard-to-fill specialties, recognizing
00:24:00that it will evolve as it adapts with technology.
00:24:03We are also excited about our newly established Cyber Academic Engagement Office, which will
00:24:09be the consolidated focal point for cyber-related activities carried out between the Department,
00:24:17academic stakeholders, and in the future with federal partners such as the Department
00:24:21of Education, NIST, FBI, and DHS's Cybersecurity and Infrastructure Security Agency to collaborate
00:24:29on cyber education programs for the benefit of the whole of government.
00:24:33We also have educational initiatives like the DoD Cyber Service Academy, which offers
00:24:38scholarships and grants to bolster the nation's cyber workforce and grants scholarships to
00:24:43non-DoD students enrolled in National Centers of Academic Excellence in Cybersecurity, as
00:24:49well as to DoD civilians and service members pursuing master's and doctoral degrees.
00:24:55In 2024, the Cyber Security Academy awarded recruitment scholarships to 174 non-government
00:25:02students supporting their studies in cyberspace-related competencies.
00:25:07To that end, the Department of Defense actively participates in the Office of the National
00:25:12Cyber Director's Federal Cyber Workforce Group.
00:25:15We align our cyber workforce strategies in partnership with the Department of Homeland
00:25:19Security and the Department of Commerce to ensure a whole-of-government approach.
00:25:24DoD understands that interagency collaboration not only establishes standards for cyber across
00:25:31the federal government, it also facilitates the development of professional competencies
00:25:37that define future cyber work in the government and the private sector alike.
00:25:42We're reevaluating cyber education and certification, acknowledging that traditional college degrees
00:25:47are not always necessary.
00:25:49DoD is exploring faster routes to cyber security qualifications.
00:25:54With the Department of Labor, we're creating the Federal Cyber Security Apprenticeship
00:26:00Program to set standards for critical roles.
00:26:04By partnering with the Undersecretary for Acquisition and Sustainment, DoD CIO is promoting
00:26:09registered apprenticeship programs to diversify our workforce and remove educational barriers.
00:26:16This approach aims to bring in skilled workers through non-traditional paths.
00:26:21The Department of Defense is committed to strengthening our cyber security posture through
00:26:25the development and management of a highly skilled cyber workforce.
00:26:29A cultural shift in managing the Department's most valuable asset, our people, is underway.
00:26:35Thank you for the opportunity to testify this morning.
00:26:37I look forward to your questions.
00:26:38Thank you, Ms. Beavers.
00:26:39I now recognize Mr. Peterson for five minutes to summarize his opening statement.
00:26:44Thank you, Chairman Garbarino and Congresswoman Ramirez and members of the committee.
00:26:49I am Rodney Peterson.
00:26:50I am the Director of the NICE Program Office at NIST and I'm pleased to testify before
00:26:55you today.
00:26:56I want to briefly share three stories.
00:26:59Devani Nelson started her journey into the cyber security field after experiencing a
00:27:03series of personal and career setbacks as a single mom.
00:27:07She eventually chose to pivot careers from biology to cyber security and an organization
00:27:13provided her essential financial support along the way to enable her to complete her education
00:27:19and eventually acquire a good job as a junior cyber security engineer in a healthcare company.
00:27:25Jimmy Mahenovit left high school before completing his diploma and for the next 10 years worked
00:27:31hard physically demanding shifts as a commercial truck driver.
00:27:35As a result of the impact of the pandemic on the trucking industry, which coincided
00:27:39with the death of his father who had worked in IT, Jimmy completed a cyber security certificate
00:27:45program on weekends while continuing to work.
00:27:49After acquiring that credential, Jimmy received a good job as an information security associate
00:27:54with a financial services company.
00:27:57Shane Wallace, who grew up in a military family, enlisted in the Army as a combat medic.
00:28:03He concurrently pursued a degree in healthcare administration.
00:28:07He held various leadership roles, oversaw complex logistics operations, and spearheaded
00:28:12crucial medical initiatives.
00:28:14His passion for technology led him to complete a training program in cloud computing for
00:28:19transitioning veterans that led him into a good job as a junior engineer.
00:28:25These are just three stories of individuals who have pursued a career in cyber security
00:28:29through alternative pathways and their journey provide the answer to the question for this
00:28:34hearing, how to find workers to address America's cyber security workforce gap.
00:28:41NICE is best known for the NICE framework that provides a common taxonomy for describing
00:28:45cyber security work.
00:28:47It's used by employers, education and training providers, and learners, including students,
00:28:52job seekers, and employees.
00:28:54The NICE framework components of work roles and competency areas are key to navigating
00:28:59the CyberSeek website, a tool that helps career seekers discover cyber security careers.
00:29:06NICE also uses its convening power to support a community coordinating council that includes
00:29:10communities of interest on topics such as cyber security apprenticeships, competitions,
00:29:16diversity and inclusion, K-12 cyber security education, and more.
00:29:20The council also includes working groups that help achieve NICE's strategic plan goals
00:29:25and objectives.
00:29:26The first goal is to promote the discovery of cyber security careers and multiple pathways.
00:29:32We hold a cyber security career week campaign each fall to help career seekers discover
00:29:36the variety of types of careers in cyber security and the multiple learning pathways.
00:29:42The second goal is to transform learning to build and sustain a skilled and diverse workforce.
00:29:48We prioritize hands-on learning experiences and performance-based assessments that measure
00:29:53capabilities to perform NICE framework tasks.
00:29:57The third goal is to modernize the talent management process to address cyber security
00:30:01skills gaps.
00:30:02We support the capability of organizations and sectors to more effectively recruit, hire,
00:30:08develop, and retain the talent needed to manage cyber security-related risk.
00:30:13The fourth goal seeks to expand use of the NICE framework.
00:30:17We promote the benefits of standardizing education and workforce programs, including alignment
00:30:22to the NIST cyber security framework, the NIST privacy framework, and other cyber security
00:30:27guidance.
00:30:28The final goal in the NICE strategic plan seeks to drive research on effective practices
00:30:33for cyber security workforce development.
00:30:36We use those research results to inform programs, curriculum design, learning opportunities,
00:30:42ensure equity, and much more.
00:30:45NICE hosts several key events throughout the year, and these events bring together stakeholders
00:30:49to showcase best practices, highlight emerging trends, and inspire action.
00:30:54We also produce and share several resources, including a cyber security apprenticeship
00:30:59finder and a listing of free and low-cost online cyber security learning content.
00:31:05In conclusion, the recent 15th annual NICE conference served to celebrate the growth
00:31:10and progress towards fulfilling our mission to create an integrated ecosystem of cyber
00:31:15security education, training, and workforce development.
00:31:18However, we must continuously strive to prepare, grow, and sustain the cyber security workforce
00:31:24that the public and private sectors need to safeguard our national security and promote
00:31:29America's economic prosperity.
00:31:32So thank you for the opportunity to testify today on NIST's cyber security education and
00:31:36workforce activities, and look forward to answering any questions.
00:31:40Thank you, Mr. Peterson.
00:31:43I now recognize Mr. Mo for five minutes to summarize his opening statement.
00:31:47Good morning, Chairman Garbarino, Congresswoman Ramirez, and distinguished members of the
00:31:52committee.
00:31:53Thank you for the opportunity to testify before you today with some of ONCD's closest federal
00:31:57partners about the critical demand for cyber workforce.
00:32:01While this challenge to meet this demand is daunting, this is also an opportunity.
00:32:07Filling these jobs is necessary to advance our national security and our economic prosperity.
00:32:13Whether one serves in the public or the private sector, a career in cyber can put you on the
00:32:18front lines protecting and defending our digital way of life.
00:32:22There's an abundance of talented individuals in every corner of our country who can help
00:32:27us meet this demand.
00:32:29It's up to us to remove barriers and broaden pathways for them to get into these good-paying,
00:32:35meaningful jobs in cyber.
00:32:37There are a number of challenges we must overcome to build the cyber workforce this nation needs.
00:32:42First, many Americans haven't considered a job in cyber at all.
00:32:46They may assume the job are narrow, highly technical, and done by a hacker in a hoodie
00:32:51in a dark room.
00:32:53Oftentimes, they haven't seen anyone like them, or they know who has taken a path into
00:32:58a cyber career.
00:33:00And even for those who are interested, there are barriers to entry, even if they have the
00:33:03skills to do the job.
00:33:05Second, while we have good education and workforce development systems, they are struggling to
00:33:10keep up with the increasing demand for cyber talent.
00:33:13We need more educators, training programs, and equipment for hands-on learning of critical
00:33:18cyber skills.
00:33:19And third and finally, we know that many of the best solutions are unique to each community
00:33:24and its partners.
00:33:25And right now, there are not enough locally-driven efforts to connect individuals to training,
00:33:31to jobs, and services.
00:33:33We call this the locally-driven ecosystem model.
00:33:36The administration is driving a whole-of-nation approach to connect Americans to these good-paying,
00:33:42meaningful jobs in cyber.
00:33:44First, the foundation of this effort is the National Cyber Workforce and Education Strategy
00:33:49that ONC developed in collaboration with 34 federal agencies and hundreds of key external
00:33:55stakeholders.
00:33:56Second, the federal government cannot solve this issue alone, and stakeholder collaboration
00:34:02is critical to success.
00:34:04Over 100 organizations have made voluntary commitments to grow and hire cyber talent.
00:34:10Third, our approach recognizes that the jobs we need to fill are not just in IT, but across
00:34:16industry and within companies, both large and small.
00:34:20That's why we're making cyber an integral part of other workforce and education priorities
00:34:26to unlock resources and new partnerships to grow the nation's cyber workforce in utility
00:34:32companies, agriculture, energy, healthcare, education, manufacturing, and more.
00:34:40As a result, we can report on our initial actions to date.
00:34:45To open up cyber careers to all Americans and remove unnecessary barriers, we are focusing
00:34:50on skills.
00:34:51The administration is leading by example by modernizing the federal hiring process and
00:34:56fully embracing skills-based approaches for IT positions.
00:35:00Furthermore, the pivot extends to federal IT and cyber contractors across the country.
00:35:06To strengthen education and workforce development systems, we are identifying federal investments
00:35:11to expand opportunities through quality hands-on training and learning programs such as cyber
00:35:17clinics and earn and learn registered apprenticeship programs.
00:35:20The National Security Agency provided grants to launch cyber clinics in Louisiana, Minnesota,
00:35:26Nevada, and Virginia, and the Department of Labor is now serving more than 13,000 cyber
00:35:32apprentices across the country.
00:35:34As a result of the work initiated under the 120-day Cyber Security Register Apprenticeship
00:35:40Sprint with partners and continued through the Registered Apprenticeship Executive Order.
00:35:46To increase the use of locally driven ecosystem models, we have convened stakeholders across
00:35:50the country to establish or expand the ecosystems and to share best practices.
00:35:55Most importantly, we know that the best solutions come not solely from Washington, D.C., but
00:36:00from the innovative partnerships and ideas we find in communities across the country,
00:36:05just like in each of your districts.
00:36:08We made a lot of progress and there's a lot more work to be done.
00:36:12The demand for cyber talent will continue to grow as the world becomes increasingly
00:36:16digitized.
00:36:17We are committed to be working with Congress to connect Americans to good-paying, meaningful
00:36:22jobs in cyber that advance our national security and economic prosperity.
00:36:28Thank you for the opportunity to testify today and I look forward to your questions.
00:36:32Thank you, Mr. Moe.
00:36:34I'll just say the committee's not going to hold it against you for stealing some of our
00:36:36cyber talent.
00:36:40They did call votes, like they said they would, so we're going to now take a short recess
00:36:45and we'll reconvene ten minutes after votes, which will probably be in about a half hour
00:36:50or so.
00:36:51We are in recess.
01:21:10The committee will come to order.
01:21:37Thank you all for the witnesses for waiting.
01:21:40Members will now be recognized by order of seniority for their five minutes of questioning.
01:21:43I remind everyone to please keep their questioning five minutes.
01:21:46An additional round of questioning may be called after all members have been recognized.
01:21:49I now recognize myself for five minutes of questions.
01:21:58While we often discuss the workforce gap, we overlook those who are currently in our
01:22:02workforce.
01:22:03They may not possess the right skills to keep up with cyber threat landscape, even though
01:22:08they fill critical roles.
01:22:09Mr. Peterson, what does it mean to be a qualified cyber professional today?
01:22:15So we would turn to qualifications based on our NICE framework that identifies work to
01:22:20be performed and knowledge or skills that a worker would need.
01:22:24And as we've said through our testimony, that can be acquired through a variety of different
01:22:27ways, through education, through training, through on-the-job experience, work-based
01:22:31learning experiences.
01:22:34So for us, qualifications start with something like the NICE framework as a standard.
01:22:39And then I think secondly, to your point, it doesn't always have to come externally.
01:22:44It could be existing workers who can be re-skilled or up-skilled into cybersecurity.
01:22:49Ms. Moa, how do we professionalize the cyber workforce while we move away from four-year
01:22:55degrees?
01:22:56I think that's why I want to focus on skill-based approaches.
01:23:00When you think about skills, once we sort of like figure out how to map out the skills
01:23:05that we need, then match it with, you know, assessment on how someone has the skills,
01:23:13that's how we can do it.
01:23:14The reality here is that you don't need a cyber in your job title to actually be doing
01:23:22cyber work these days, right?
01:23:23So that's sort of like the key point here.
01:23:25So as we're trying to kind of map out the professionalism, to professionalize the whole
01:23:29cyber workforce, we have to think about broadly the whole workforce in itself.
01:23:34So I have spoken to countless CISOs from Fortune 100, Fortune 500 companies.
01:23:39They are all moving to skills-based hiring, away from degree-based hiring.
01:23:45So for the federal government, what are some of those effective pathways for skills-based
01:23:52training and hiring that you've seen or explored?
01:23:54Yeah, I appreciate that question.
01:23:57When we travel around the country, we see things like registered apprenticeship.
01:24:00It's one of the models.
01:24:02Work-based training is another model that we really like.
01:24:06You know, again, when you take a skills-based approach, we need a fundamental shift in thinking
01:24:11about not on an individual basis, but more of a creating a team with complementary skills.
01:24:20So some of the successful companies, they're trying to build teams with people with advanced
01:24:26cyber skills and people with early entry career skills.
01:24:30Then you kind of like map out and have a team that can do the job and deliver on the mission.
01:24:35So do you work with, you know, you said you were traveling across the country, you know,
01:24:39working with certain apprenticeships.
01:24:41Has there been any work with community colleges or technical schools through talent?
01:24:46Absolutely.
01:24:47The very first visit that the National Cyber Director did was to the Community College
01:24:50of Baltimore County to essentially elevate cyber to make sure that people with two-year
01:24:56college degrees understand that there's a pathway into cyber career.
01:25:01And then we also went to Fayetteville Technical Community College because they kind of have
01:25:06a pathway for veterans and their spouses to get into cyber as well.
01:25:14The key here, though, is it's more than just one institution.
01:25:18This only works if the two-year college are working with the four-year colleges and universities
01:25:24and they are also working with the K-12 school districts locally and the private sector employer
01:25:29involved in telling the schools what they need so that all of them come together to
01:25:34figure out how to build that pipeline.
01:25:36And that's the approach we're pushing here.
01:25:39I appreciate that.
01:25:43I can ask you all questions for a while, but I only have a minute left.
01:25:46I do want to focus on harmonization.
01:25:49At a HSGAC hearing on regulatory harmonization earlier this month, your colleagues stressed
01:25:52how harmonization requires leadership from ONCD and Congress.
01:25:56Blog posts from Director Coker this month also called for Congress to work with the
01:26:00administration to help craft cyber regulatory standards.
01:26:05None of this acknowledges Congress has already done this by passing CERCIA.
01:26:10I'm concerned that the White House is not pushing back enough against duplicative regulation
01:26:14at odds with congressional intent, particularly as the SEC since introduced its cyber incident
01:26:20disclosure rule, which only adds to compliance, leads to public disclosure of sensitive information,
01:26:25drives talents away.
01:26:26I have heard people say that their cyber teams have plenty of burnout and CISOs are leaving
01:26:31because they are now possibly facing personal liability.
01:26:35Why is ONC urging Congress to act on cyber harmonization when we already have done so?
01:26:40Thank you for that question, Congressman.
01:26:42Harmonization is definitely a big part of what ONCD is working on right now, but my
01:26:47remit in the office is implementing the National Cyber Workforce and Education Strategy.
01:26:51I'm happy to work with you and our legislative team to find you the right person to get the
01:26:57answer that you deserve.
01:26:58I will take that on the record and get back to you.
01:27:02I appreciate that.
01:27:03Just repetitiveness.
01:27:04Back to the administration.
01:27:06No more cyber rules, harmonization, please.
01:27:09I now recognize the Ranking Member for five minutes of questioning.
01:27:13Thank you very much, Mr. Chairman.
01:27:17At the outset, let me, in the Chairman's absence, express my condolences to his family.
01:27:26Let me welcome our witnesses to the hearing today.
01:27:32We have Rhode Island, Michigan, Louisiana, and myself, if my accent doesn't give me away,
01:27:38I'm from Mississippi.
01:27:42As a top Democrat on the committee, one of the things that we've been interested in is
01:27:50not only diversifying the workforce, but also saying, if you leave the Beltway, you can
01:27:59find a lot of talented people.
01:28:03We have 100-plus historically black colleges in America, some of the finest kids that I
01:28:11know, but you've got to recruit at their schools, just like you do inside the Beltway, so to
01:28:20speak.
01:28:21So, I'd like each one of you to kind of give me a snapshot of what your agencies are doing
01:28:29to build relationships, especially with smaller historically black colleges across the country,
01:28:37and how the Office of National Cyber Director promotes outreach to smaller HBCUs.
01:28:43We'll start with Mr. Henson.
01:28:47Thank you, Ranking Member.
01:28:48I completely agree with you on the need to expand our outreach far outside the Beltway.
01:28:54We have launched programs and built recruiting partnerships with organizations all across
01:29:00the country, including many HBCUs and minority-serving institutions.
01:29:05That has helped populate the ranks of the Intelligence and Cybersecurity Diversity Fellowship
01:29:10Program, our Cybersecurity Internship Program, and our entry-level cohorts in the Cyber Talent
01:29:16Management System with a wide range of individuals.
01:29:20I'll also add that we can't just focus on bringing talent from around the country into
01:29:26D.C.
01:29:27We have to meet talent where they are.
01:29:29Not everyone wants to work in the National Capital Region.
01:29:33We have stood up offices in other areas, including one in Mississippi, where we have our Legacy
01:29:39Data Center, but as we have moved to the cloud, we have focused on expanding our cybersecurity
01:29:45hiring out of that center in Stennis, Mississippi.
01:29:48We have another one in Arizona as well and are looking to build on that effort.
01:29:53Thank you.
01:29:54Ms. Beavis.
01:29:55Thank you, Ranking Member.
01:29:58The Department of Defense has over 450 schools as part of our National Cybersecurity Academic
01:30:05Excellence Program.
01:30:07They are primarily state schools, and we have expanded that into including the two-year
01:30:14non-degree programs, the two-year degree programs, I should say, as well as a number
01:30:20of scholarships that we have been promoting to bring in non-traditional workforce.
01:30:27We also have a pilot underway that is promising.
01:30:32It's a little early to report too much detail, but we started with about 50,000 non-traditional
01:30:40cyber potential employees, got that curated down to about 6,000 that were qualified and
01:30:47interested, and the most exciting part is this was from populations that had not been
01:30:52part of the DOD pipeline before.
01:30:56There is work to be done, but we have been very aggressive in expanding our recruiting
01:31:02over the years and building out that academic cooperation to include the recent stand-up
01:31:08of our Cyber Academic Engagement Office that I just signed last month for the NDAA from
01:31:1424.
01:31:15So, we will be having more information on this in the future, and I can take for the
01:31:23record to bring back specific numbers if that is what you're looking for.
01:31:27Mr. Peterson.
01:31:29Yeah, thank you for that question.
01:31:33So at NIST, we have a summer undergraduate research fellowship program called SURF, and
01:31:38I'm pleased to report that one of those SURF students is with me today from Hampton University
01:31:42and HBCU.
01:31:44It's one of many ways that we actively recruit and try to involve students from minority-serving
01:31:49institutions.
01:31:51We also have a program called Professional Research Experience Program, or PREP, and
01:31:56that is a grant program with several different institutions, including MSIs, and I, again,
01:32:02currently have a couple students working with us from Morgan State University that
01:32:05are PhD students.
01:32:07And then finally, because of our commitment to diversity and inclusion and the very question
01:32:11that you asked, this fall in October, as part of Cybersecurity Awareness Month, our Cybersecurity
01:32:16Career Week, we'll be doing an event targeted particularly at HBCUs to make sure those students
01:32:21are career-ready and faculty and advisors are available to support them.
01:32:26Thank you.
01:32:27Mr. Lowe.
01:32:28So, just real quick, for us, we're trying to remove barriers and broaden pathways, which
01:32:33means we have to meet people where they're at.
01:32:35So we've been to Norfolk University, which is an HBCU in Virginia, and then we invited
01:32:40about 10 to 12 HBCUs to learn about how to become and get designation for this NCAE program.
01:32:49And on top of that, we are also leaning heavily with our ecosystem stakeholder partners.
01:32:54Those are the ones who engage with the 450 NCAE schools, the 104 SF Scholarship for Service
01:33:01schools, who would actually get the students be interested in cyber.
01:33:06And some of those commitments are about giving hands-on experience and learning to the students
01:33:11in those minority-serving institutions.
01:33:16Last week, National Cyber Day was just in Tulsa, and a few weeks before, we were in
01:33:20Tucson at Pima Community College.
01:33:23Thank you very much.
01:33:24Ms. Chia, I ask unanimous consent to submit into record a statement from the International
01:33:29Federation of Professional and Technical Engineers on AI and Workforce.
01:33:35That objection.
01:33:36I yield back.
01:33:37The gentleman yields back.
01:33:38I now recognize the gentleman from Alabama, Mr. Strong, for five minutes of questioning.
01:33:44Thank you, Mr. Chairman.
01:33:45Ms. Beavers, as you know, employers and defense industrial base prefer applicants with experience
01:33:51and a security clearance.
01:33:53The Cyber Force Incubator Program at the University of Alabama in Huntsville recruits
01:33:58hundreds of students per year, nominates the students for security clearances, and places
01:34:05the students into internships on Redstone Arsenal and within the defense industrial
01:34:10base.
01:34:11Ms. Beavers, how does your office leverage university-based workforce development programs
01:34:17like this one at UAH?
01:34:24So we partner very closely with organizations to bring in students into our scholarship
01:34:34programs as well as internships, and through our Cyber Academic Engagement Office, we will
01:34:43be expanding that partnership to make better use of the opportunities out there with education
01:34:52to bring our supply side even all the way back into the K through 12 and grow the cyber
01:34:59talent starting earlier.
01:35:01So it has been a work in progress for a number of years for the Department of Defense to
01:35:08partner with various academic institutions.
01:35:11It is primarily through our academic engagement program, excuse me, our scholarships, and
01:35:18our National Centers for Academic Excellence.
01:35:22So we're looking forward to really building out our academic engagement because we think
01:35:27of the defense industrial base is a great feeder for capabilities into the Department
01:35:37of Defense.
01:35:38We need a similar type of very robust feeder to bring talent into the Department of Defense
01:35:45from the cyber security perspective as well.
01:35:48I'd agree with you 100%.
01:35:49We actually have a statewide cyber high school in Huntsville, Alabama that's been very successful.
01:35:56Then if you go back just to the local schools there, having science and starting at the
01:36:03high schools and doing internships have proven very beneficial to our industrial base.
01:36:08Mr. Peterson, I understand that the National Institute of Standards and Technology's National
01:36:14Cyber Security Center of Excellence has a requirement to develop guidance related to
01:36:19the cyber security and privacy of genomic data.
01:36:23Universities and other technical organizations, including my district, are meaningfully contributing
01:36:28to the NIST's program.
01:36:31Would the increasing demand for cyber security workforce across the nation, would this effort
01:36:43be expanded to include the involvement of more students?
01:36:49Thank you for that question.
01:36:50I should add that I'm also the interim chief of the Applied Cyber Security Division, which
01:36:54includes that NCCOE facility.
01:36:57I know the director of the NCCOE as well, Sherry Pascoe, is relatively new.
01:37:03Because of our partnership and relationship, we've certainly talked about more academic
01:37:06engagement with the center, both faculty and students as well.
01:37:10We have a pretty robust set of summer interns there this summer and plans to work throughout
01:37:14the year.
01:37:15MITRE is the FFRDC for the center.
01:37:18They likewise have a number of students who would be happy to explore that with you as
01:37:22well and have personally spent a lot of time in Huntsville recognizing the excellent work
01:37:26that's happening in that community.
01:37:28Thank you.
01:37:29My family recently moved there eight generations ago and has never left.
01:37:32As you know, Huntsville is the tip of the spear and we want to be sure that we get the
01:37:37right folks working in the environment.
01:37:39Cyber security is a critical situation.
01:37:42We also have the cyber piece of the FBI currently under construction in Huntsville, where we'll
01:37:48be adding another 2,500 jobs that will do nothing but make Huntsville even stronger.
01:37:53Mr. Chairman, I yield back.
01:37:56I now recognize a gentleman from Louisiana, a member of the subcommittee on cyber, Mr.
01:38:02Carter.
01:38:03Thank you, Mr. Chairman.
01:38:04We face significant shortages in trained personnel.
01:38:18Given this, it's clear that none of our protective systems, whether standards, technologies or
01:38:22regulations can be effective without well-trained workforce.
01:38:28Isn't it imperative to address this critical gap and can you tell us measures that you're
01:38:32taking particularly with HBCUs across the country, junior colleges and community colleges
01:38:40that have a plethora of individuals that may or may not be aware of the opportunities in
01:38:47cyberspace?
01:38:48Mr. Hazen?
01:38:51Thank you, Congressman.
01:38:52We are actively focused both on training and developing our existing workforce, as well
01:38:59as building and strengthening partnerships with academic institutions, including HBCUs.
01:39:05We also know that it starts earlier than entering college, that we are, through CISA, building
01:39:12partnerships to support K-12 curricula for cyber education across the country and have
01:39:19trained thousands of educators this year to date there as well.
01:39:24As we are partnering with academic institutions, we've been focused on expanding our entry-level
01:39:32pathways, knowing that it is more important to bring in talent that is committed to growing
01:39:39and learning and then building out robust training programs through the IT Academy that
01:39:44we are establishing at DHS to rotate entry-level talent throughout the department, give them
01:39:50those experiences and new skills to help them become productive members of our workforce.
01:39:56Thank you.
01:39:57If everyone could just hit it real quickly.
01:39:58We've got a little bit of time, but I'd like to just hear, if you have something to add
01:40:01there, that's fine, if you don't.
01:40:04I'll go.
01:40:06So ONCD is working on increasing the number of HBCU to get the designation for National
01:40:13Cyber Center of Academic Excellence in Cybersecurity.
01:40:16So we're doing that in partnership with the White House initiative on HBCUs.
01:40:20So what we're doing is we're trying to share some of the information with the HBCU administrators
01:40:27so that they know how to kind of get the designation.
01:40:30Do we actively have recruiting job fairs on college campuses across the country to encourage
01:40:36young people?
01:40:37A hundred years ago, when I was in undergraduate school, I remember there was always some type
01:40:41of job fair going on, whether it was the FBI or whatever, different agencies would
01:40:48come in and meet with juniors and seniors to encourage them to potentially.
01:40:54We absolutely do, and I will absolutely defer to my colleagues here on some of the examples
01:40:59of what we are doing.
01:41:00But the key here is that most people, when they see the word cyber, they just don't see
01:41:04themselves doing those jobs, right?
01:41:07But it's weird because our children, I know my kids, can put a computer together and take
01:41:12it apart and do all kinds of programming, but somehow that still has a little bit of
01:41:22fear associated with it.
01:41:23But we know that kids are super bright, particularly when it comes to technology.
01:41:28Which is why it's even more important to, you know, a hearing like today elevates the
01:41:32cyber career and jobs, right?
01:41:34So I think it's up to all of us to be able to go to each and every single individual,
01:41:39even talk to some of the parents about this type of opportunities for them.
01:41:44Ms. Beavers, how are candidates for state and local offices utilizing AI tools to enhance
01:41:52their campaigns, despite concerns from experts and lawmakers about potential generative A1
01:41:58acts on elections, and equally as important, is how are we combating against the nefarious
01:42:05actors who are using AI to portray something that isn't real in the way of someone's likeness
01:42:13or voice?
01:42:14Congressman, I'd like to defer to my distinguished colleague.
01:42:18I'm happy to take that.
01:42:21So Congressman, I agree with your concerns on generative AI in elections.
01:42:26It's an area that CISA is working on actively with state and local election administrators.
01:42:32We need to better train our election administrators on how to reach out to their electorates.
01:42:39We provide no-cost training to thousands of state and local election administrators across
01:42:45the country.
01:42:46Overall, generative AI today I look at as a problem of scale.
01:42:52Video and voice impersonation was possible before generative AI.
01:42:56It is just easier and faster with the tools that are available.
01:43:00One of the areas that I think is particularly promising is looking at content authenticity
01:43:04and making sure that as government officials, as candidates, we can label the information
01:43:10we are putting out as authentic to make sure that it's more difficult to impersonate.
01:43:15Thank you.
01:43:16My time has expired.
01:43:17Thank you, sir.
01:43:18The gentleman yields back.
01:43:19I now recognize the gentleman from Texas, Mr. Pfluger, for five minutes.
01:43:23Thank you, Mr. Chairman.
01:43:24Thank you, Mr. Chairman.
01:43:25I appreciate the witnesses for being here and talking about this issue.
01:43:29I represent Angela State University.
01:43:32It's a cyber center of excellence.
01:43:34They've taken steps in partnership with NSA and other government agencies to start developing
01:43:40the workforce in a way.
01:43:42Here's why this is important to me.
01:43:44When we think about the areas that provide that type of workforce, I think one of the
01:43:52big areas that is really missing is rural America.
01:43:58That's why I'm passionate about what President Ronnie Hawkins is doing, a former retired
01:44:05three-star general from the Air Force, led DOD in its effort to transform the cyber side
01:44:13of our warfighting domain.
01:44:14I'd like to hear, really, from each of you, how can a school like Angela State, a rural-serving
01:44:21institution with 12,000 to 14,000 students throughout the entirety of its programs,
01:44:26how can they be successful, and what's the advice or what's the vector that they need
01:44:33to go, and other institutions like them, to provide this workforce for our country?
01:44:38I'll just start and go down the line.
01:44:41Absolutely.
01:44:42Thank you, Congressman.
01:44:43I strongly agree on the importance of building relationships with rural communities and pathways
01:44:49into public service.
01:44:51For me, participating in the NSA Centers for Academic Excellence in Cybersecurity is a
01:44:56great start.
01:44:57We're a proud partner with the NSA on that program.
01:44:59I would also say, for any training institution right now, recognizing the pace of new developments
01:45:06in this field and ensuring that we are training our workforce, not on any one specific technology
01:45:13that may be out of date very quickly, but on how to stay current, how to leverage increased
01:45:21automated and AI-based systems, and how to really stay on top of new and emerging threats
01:45:27is the most important thing these organizations can be doing.
01:45:29Thank you.
01:45:30Ms. Beavers?
01:45:31I think leveraging the great work that's being done on the cyber workforce, frameworks that
01:45:39have been built that actually identify the qualifications and the skills, and then also
01:45:47exploring opportunities for outreach and fun events that the DOD sponsors, like hackathons
01:45:56and things like that, to really increase the student body's excitement about getting involved.
01:46:04I think encouraging internships would be my recommendation.
01:46:13Which I know that they have focused on that.
01:46:14By the way, they're a minority-serving institution, mostly Hispanic population that comes from
01:46:21our area in West Texas, and they really are proud of that work because they're sending
01:46:26good young men and women into the workforce.
01:46:28Mr. Peters?
01:46:30I'm a product of rural America, so I have a soft spot for what it means.
01:46:34I would just add to the discussion about community colleges.
01:46:37Most community colleges are in rural areas or serving rural populations as well.
01:46:42In addition to the focus of this hearing on the demand, the 500,000 cybersecurity workers,
01:46:47there are a lot of other demographics that are working against us, like declining birth
01:46:51rates and the aging of Americans and the like.
01:46:55We've run a series of webinars this year really focusing on underserved and underrepresented
01:47:00populations, starting with rural America, because there's lots of universities.
01:47:05We had the chancellor of the University of North Dakota system speaking about what they're
01:47:10doing across their vast state that is very rural, and a lot of tribal organizations as
01:47:16well.
01:47:17But specifically to the point, I think there's also a statistic about people tend to stay
01:47:22where they go to college or where they grow up.
01:47:25The pandemic has opened up opportunities for remote work and telework and more flexible
01:47:30opportunities where they may be able to stay in their rural community, but work for a company
01:47:35or a government organization across the country.
01:47:38I think part of the challenge and opportunity is to open up also more of those remote opportunities
01:47:43that maybe previously didn't exist.
01:47:44It's a great point and something that we're also working on, which is extending broadband
01:47:50and access to these communities.
01:47:53There are several committees doing that.
01:47:55We'll leave you the last word.
01:47:56Well, I actually met Charlotte from Angelo State.
01:47:59She invited me to join the Mayor's Cup in San Angelo.
01:48:03I would say I was one of the people who sent her a congratulatory email when the program
01:48:07got a CA designation.
01:48:09The key thing here is that we need to start elevating people's work.
01:48:13A lot of people are doing good work.
01:48:14I think the role of ONCD and the White House is to elevate some of this work so that we
01:48:19can plug them into the ecosystem that they need, right?
01:48:22It's not about just one institution.
01:48:24I don't want folks at Angelo State to think that they are the only one that has to do
01:48:27it all on their own.
01:48:28We can plug them into the ecosystem, get private sector employers involved, get the state and
01:48:33local government involved, so we can all do this together.
01:48:36That's a great point.
01:48:37I hope that if you have not made contact with President Hawkins and Angelo State that you
01:48:40will because they are doing an amazing job.
01:48:43They're not the only ones, but they also have an Air Force base there, Goodfellow Air Force
01:48:49base that does intelligence, and a lot of that intelligence has to do with the issues
01:48:53that you were talking about.
01:48:54I know my time has expired.
01:48:55Thank you, Mr. Chairman.
01:48:56The gentleman yields back.
01:48:57I now recognize the gentleman from Michigan, Mr. Tanidar, for five minutes of questions.
01:49:01Thank you, Chairman and Ranking Member, for this important hearing, and thank you for
01:49:04your witnesses.
01:49:07Mr. Heisen, you mentioned about 2,000 or so cyber security positions being open.
01:49:17How many independent contractors does the department currently hire?
01:49:22Congressman, I don't have an exact number, but it would be certainly our IT contractors
01:49:28number in the many thousands.
01:49:31On an average, what is their compensation?
01:49:36We compensate our contractors for services, not individuals.
01:49:42Some cases, though, individual IT and cyber security personnel can make more working on
01:49:48a contract.
01:49:49In some cases, they are making more in government.
01:49:53Any attempt made to recruit these independent contractors on a long-term employment basis
01:49:59in public service?
01:50:01It's a great point and something we're actively focused on.
01:50:04We're leveraging the cyber talent management system to look at areas where we need more
01:50:09federal technology expertise in our workforce.
01:50:13We've done that with our network operations and security center, where we have been rebalancing
01:50:18what was predominantly a very contract-heavy workforce and are now adding in additional
01:50:24levels through these new hiring authorities of federal personnel.
01:50:27It's something we're looking to expand.
01:50:30Now I understand the United States has a shortage of cyber security experts.
01:50:37Is that the case with other countries especially?
01:50:40What do we know about China?
01:50:42Are they hurting for cyber security experts like the United States is?
01:50:47I can't speak to that in particular.
01:50:48I will say in my conversations with our allies and my peers in those countries that they
01:50:55have similar challenges, but we also through DHS are looking at and committed to expanding
01:51:01pathways to high-skilled immigration so that we can continue to attract the best and the
01:51:05brightest around the world to our country.
01:51:08Yeah, I want to pick up on that high-skilled immigration a little bit because it looks
01:51:14like a lot of good programs have been initiated by and certainly we must provide these trainings
01:51:26to candidates in the United States domestically to train and develop these skills, encourage
01:51:39Americans to enter into these jobs, but while we do that, is there any interest in other
01:51:49special visa programs, immigration programs to encourage expertise that is available across
01:51:58the world?
01:51:59Absolutely, Congressman, and I'll give one particular example with artificial intelligence.
01:52:05In his executive order, President Biden directed the department to take a number of steps to
01:52:10streamline our high-skilled immigration pathways to attract the best in AI and related fields.
01:52:18U.S. Citizenship and Immigration Services has completed or is on track for all six of
01:52:24the taskings they were given in that executive order.
01:52:27That includes simplifying and streamlining our processes as well as publishing standard
01:52:33information to make it easier for AI talent around the world to understand pathways into
01:52:38the United States.
01:52:41Currently, our immigration system is so broken.
01:52:48Many skilled workforce, and I have spoken with many CEOs of technology companies and
01:52:55their frustration is that it takes forever through the country quotas and the long lines
01:53:03that getting these skilled workforce to get the right visa, whether it is a H-1B visa
01:53:11or a green card, this process is taking years, if not decades, and that's hampering our ability
01:53:19to hire talent.
01:53:22What can be done to streamline some of this broken immigration system?
01:53:28I completely agree and fundamentally we at the department look forward to continuing
01:53:34to work with Congress where ultimately we need to see many of these reforms.
01:53:39We are doing everything we can to streamline processing within the bounds of current law.
01:53:44With H-1Bs, for example, this year for this H-1B cycle, we launched new technologies and
01:53:51a new online process that makes it easier and faster for companies and individuals to
01:53:57apply for those visas and for us to process them.
01:54:00We are doing everything we can within the confines of the law.
01:54:04Thank you so much.
01:54:05I yield back.
01:54:06The gentleman yields back.
01:54:07I now recognize the gentleman from Mississippi, Mr. Zell, for five minutes of questioning.
01:54:11Thank you, Mr. Chairman.
01:54:12Thank you for holding this very important meeting and thank you all for being here today.
01:54:17My district is home to several community colleges and higher education institutions that are
01:54:22leading the charge in bringing students into the cyber workforce.
01:54:27Mississippi Gulf Coast Community College hosts the Mississippi Cyber Initiative, which is
01:54:31a group of public and private organizations that support over 15 law enforcement agencies
01:54:37and Keesler Air Force Base cyber-related activities.
01:54:41I think we can learn a lot from these similar programs as I know there's been some discussion
01:54:45about that today.
01:54:47Mr. Peterson, despite these programs and similar programs that you mentioned in your testimony,
01:54:53we're still facing a severe shortage of cyber workers.
01:54:57With the current programs in place, do you have any estimate how long it's going to take
01:55:01to fill 500,000?
01:55:02I know that's a big question growing and any idea how long it's going to take for us to
01:55:08fill that gap?
01:55:12So unfortunately, I don't have the crystal ball to tell you how long and I think sometimes
01:55:16the answer is not how long or how many, but what are enterprises doing to managing their
01:55:21risk and that's something certainly NIST is very committed to, to giving cybersecurity
01:55:26and privacy risk management frameworks that allow organizations to take the combination
01:55:31of technology processes and people to minimize the risk.
01:55:35I think the numbers in and of themselves don't really indicate the activity that's happening
01:55:39at the organizations or how new and emerging technologies may help to fill that gap.
01:55:45So the estimate is really not in time, but really in focus on what's going to minimize
01:55:50the risk of an enterprise.
01:55:52Thank you.
01:55:53I'd kind of like to focus a little more on our national security implications.
01:55:57Even though cybersecurity jobs are well paid and offer high levels of job security, I think
01:56:02the lack of public awareness plays a role in our current workforce shortage.
01:56:08Mr. Peterson, what can Congress and institutions like this one in my district do to enhance
01:56:13public awareness and encourage students to see cybersecurity as a vital role in defending
01:56:19our country?
01:56:20Well, Congressman, I'm pleased to say I actually visited Gulfport Community College last year
01:56:27and they were hosting an event along with the Department of Commerce and the Department
01:56:31of Education on raising the bar.
01:56:33And what was impressive to me is how they brought together the stakeholders, not only
01:56:37locally, but across the state and across the region to really focus on the opportunities
01:56:43that exist, not only at community colleges, but in local communities to help individuals
01:56:48who are, quite frankly, below the poverty level have a career and opportunity in cybersecurity.
01:56:54Some of the stories I shared at the beginning are just one of the many ways that individuals
01:56:59can come into a cybersecurity career, thanks to the efforts of community colleges like
01:57:03the one in your district.
01:57:05We've really worked hard to try to get that off the ground and keep people interested.
01:57:10So, Ms. Beavers, with the current gap, I imagine that the Department of Defense DOD
01:57:16has to hire independent contractors.
01:57:20Do you have any idea how many independent contractors DOD has hired to alleviate the
01:57:26gap and how much do they get paid?
01:57:29Congressman, we have in the neighborhood of about 60,000 contractors within our cyber
01:57:34workforce within the Department of Defense.
01:57:38Like my distinguished colleague mentioned, it's under a contract, so I would have to
01:57:43get back to you for average income.
01:57:47Sure.
01:57:48I understand that, but I know we could save some money if we could get regular folks hired
01:57:54working full-time doing that, and let's all try to do our part.
01:57:58I want to do everything I can to support you.
01:58:02Being my background in law enforcement is working in partnership with the community
01:58:08colleges and the military is just very important to us.
01:58:10With that, Mr. Chairman, I yield back.
01:58:12Thank you.
01:58:13The gentleman yields back.
01:58:14I now recognize the gentleman from Rhode Island, Mr. Magaziner, for five minutes of questioning.
01:58:20Thank you, Chairman, and thank you to our witnesses.
01:58:22A robust cybersecurity workforce is vitally important to our national security, our homeland
01:58:28security and our economic security as well because, of course, in the private sector
01:58:34billions and billions of dollars are stolen a year from average Americans because of cyber
01:58:40breaches to private companies as well as to government agencies.
01:58:45Cyber is also an opportunity to provide good-paying jobs for young people in a very promising
01:58:51and growing field.
01:58:53Cybersecurity jobs pay well.
01:58:55They're available.
01:58:56There are job openings all across the country, and we have to train the workforce to meet
01:59:00that need.
01:59:01Before I go any further, I just want to recognize my predecessor, former Congressman Jim Langevin,
01:59:07for his work on this committee, a longtime champion of cybersecurity and continues to
01:59:14do that cybersecurity work now in the private sector, including in his leadership at the
01:59:19Rhode Island College Institute for Cybersecurity and Emerging Technologies, which is a really
01:59:25exciting hub that we are building in Rhode Island under Jim's leadership to do our part
01:59:29to meet these emerging workforce needs.
01:59:33So for young people who are interested in cybersecurity, we have to promote pathways
01:59:36into careers.
01:59:37We have to provide educational opportunities at the K-12 level, at colleges and universities,
01:59:43and also alternative credentialing programs as well, and we need to grow the pipeline
01:59:48of cyber workers for the federal government and the private sector as well.
01:59:54Let me start with Mr. Mo.
01:59:57Can you speak specifically to the K-12 arena and what we as a Congress can be doing and
02:00:04should be doing to better support school districts, particularly in under-resourced communities
02:00:09who may be interested in creating pathways and curricula to get young people introduced
02:00:15to cybersecurity at an early age?
02:00:17I appreciate that question.
02:00:20Thank you so much.
02:00:22One of the things that we push for in the strategy is to make sure that we are teaching
02:00:27cyber concepts earlier in one's education.
02:00:32In middle school, when they're exploring career and whatnot, we want them to be able to know
02:00:36that cyber is a pathway.
02:00:38So there are a couple of programs I will just bring it up.
02:00:41It's CTE CyberNet.
02:00:42It's one way that we are teaching educators so that they can teach students about the
02:00:47cyber skills.
02:00:48We also have gen cyber camps that NSA and others have run.
02:00:53And then the other thing is because we, you know, K-12 education policy generally run
02:00:59out of state governments, we have been partnering with private sector and various organizations
02:01:06to make sure that we're pushing some of the cyber education.
02:01:09There are commitments to gamified cyber, for example, to make sure that kids play some
02:01:13gamified games.
02:01:14There are also commitments to teach more cyber skills to girls and kids in K-12.
02:01:23So those are how we are going about it in terms of making sure that we're bringing some
02:01:28of this cyber stuff along in the K-12 arena.
02:01:31Terrific.
02:01:33And Mr. Peterson, as has been discussed already, good jobs in cybersecurity don't necessarily
02:01:39require a four-year degree, but they do require training.
02:01:42Can you speak specifically about the role of community colleges and what we could be
02:01:46doing to better support cybersecurity programs at those institutions?
02:01:51Yeah, so earlier a question was asked about what are we doing to support community colleges,
02:01:56and I'm really pleased and proud that the National Science Foundation has regularly
02:02:00invested in a national center.
02:02:02Currently it's the National Cybersecurity Training and Education Program run out of
02:02:06Whatcom Community College.
02:02:08They're a national resource to community colleges.
02:02:10They convene them.
02:02:11They prepare them.
02:02:12They actually mentor them to become national centers of academic excellence as well.
02:02:17So we need to raise and elevate the importance of community colleges, not only because of
02:02:22their accessibility, but quite frankly, they're very skills-focused.
02:02:26They're hands-on.
02:02:27They're performance-based, and a lot of students can leave those programs either with a degree
02:02:31or a certificate or some type of credential and go directly into the workforce.
02:02:35Many of them go on to a four-year school, but the two-year colleges play an absolutely
02:02:40essential role in helping address the workforce shortage we're talking about today.
02:02:45Thank you.
02:02:46And finally, you know, where the Homeland Security Committee and the Department of Homeland
02:02:49Security has the need to attract cybersecurity talent as well.
02:02:54I just flag, I love, you know, the bipartisanship that's been exhibited in this hearing.
02:02:58I think we are all concerned about the need to attract and retain cyber talent.
02:03:03I will flag that in the Homeland Security Appropriations Bill that we are going to be
02:03:07considering on the floor later today.
02:03:10My colleagues across the aisle are proposing a $2 million cut to Mr. Hyson's office relative
02:03:16to last year, and $6 million below the administration's recommended amount.
02:03:21So I just suggest that perhaps we revisit that.
02:03:23This is a time to be doubling down on these recruitment efforts, and Mr. Hyson, if you
02:03:28can just talk about what you need in order to be able to recruit cyber talent to DHS.
02:03:34Thank you, Congressman.
02:03:36And the president's budget for fiscal year 25 does include those investments in my office
02:03:40and across DHS.
02:03:41There is some specific funding we've requested there in artificial intelligence to help us
02:03:46build out our core capabilities to train our workforce to be ready for AI and to leverage
02:03:54and bring AI expertise into the department for cybersecurity and other purposes.
02:03:59So perhaps we can all work together to try to plus up that funding as we go through the
02:04:03appropriations process.
02:04:04And I'll yield back.
02:04:05Thank you, gentlemen.
02:04:06Yields back.
02:04:07I now recognize the gentleman from Louisiana, Mr. Higgins, for five minutes of questions.
02:04:10Thank you, Mr. Chairman.
02:04:12Mr. Peterson, according to your background, sir, you are our education specialist here.
02:04:24You're clearly facing a challenge in filling the roles that our nation needs in cybersecurity
02:04:36and the cyber tech performance realm.
02:04:44The workforce challenges across every industry are quite significant, including health care
02:04:53and manufacturing.
02:04:54I mean, we can't get enough welders.
02:04:57So it should be no surprise in a nation that is noted for its work ethic, if we can't get
02:05:04enough welders, we're probably going to have problems getting enough cyber workers.
02:05:10Are you familiar with what the term is being called, the disconnected youth or the disconnected
02:05:16generation?
02:05:19For the benefit of Americans tuning in, we're talking about an alarmingly large percentage
02:05:26of what's referred to as Gen Z that is neither working nor in school.
02:05:32Traditionally, historically, that was the deal.
02:05:37As you became a young adult American, you went to work or you went to school.
02:05:42Some cases did both.
02:05:46So if this is the generation that that's the demographic that we would seek to fill cyber
02:05:56positions from, and if that generation of Americans is not interested in working or
02:06:03going to school, how are we going to pull them into training?
02:06:07Do you have some insight into that?
02:06:09And then I have a follow up question for you, sir.
02:06:13Thank you for the question.
02:06:14And I am very familiar with that demographic, also known as opportunity youth.
02:06:19They're 18 to 25-year-olds who, as you said, either didn't complete their education or
02:06:24are currently unemployed.
02:06:25I think that is one of many populations that we consider underserved or underrepresented
02:06:31that we need to target and lift up.
02:06:33This is not a problem that's solved just by getting rid of four-year degrees.
02:06:38We need people with two-year degrees, four-year degrees, but we also need to address the needs
02:06:42of that population you described who need mentoring, they need opportunities.
02:06:47Registered apprenticeships, as we've already talked about, may be a great foot in the door
02:06:51for them to get some workplace experience and have a job opportunity.
02:06:55But that is a very much critical population, not only for cybersecurity, but for other
02:07:00skilled trades that we need across the country to make sure we're helping support those individuals.
02:07:06So with your background in education and your position with the National Initiative
02:07:12for Cybersecurity Education, what would you recommend to Congress, sir, and to this committee?
02:07:22How could the legislative branch use Article I authorities to work with our sovereign states
02:07:29and our educational institutions at every level, certificate and collegiate level, educational
02:07:39opportunities for this generation of Americans that we're going to have to rely upon to get
02:07:47engaged in the cyber workforce?
02:07:49What would you recommend?
02:07:50Yeah, so I would start with think locally.
02:07:54And you authorized NIST to give these grants called Regional Alliances and Multi-Stakeholder
02:07:59Partnerships to stimulate cybersecurity education and workforce development in your communities.
02:08:05We gave out 18 grants this past year.
02:08:08We're about to announce 15 more community grants.
02:08:11Say that again, please, sir.
02:08:12You gave out what?
02:08:1318 grants this past fiscal year, and we're about to announce 15 more based on an appropriation
02:08:19from the Congress.
02:08:20But this really brings local communities together, local schools, local community colleges,
02:08:26universities, training organizations, nonprofits, economic development organizations, even individuals
02:08:32like yourself, to make sure you're addressing the needs of local employers in your locality
02:08:37or region.
02:08:38So a lot of what we're talking about is at the national level, which is great resources,
02:08:42but where the rubber really meets the road is in your districts and your communities.
02:08:46And that grant program, much like the ecosystem work that's described in the National Cyber
02:08:51Workforce and Education Strategy, is about strengthening local ecosystems.
02:08:58Thank you, sir, for your very insightful answer.
02:09:00I concur, Mr. Chairman.
02:09:02We have to work at the sovereign state and local level within the states to address the
02:09:07cyber workforce challenge.
02:09:09Thank you, sir.
02:09:10The gentleman yields back.
02:09:11I now recognize the gentleman from Maryland, Mr. Ivey, for five minutes of questions.
02:09:17Thank you, Mr. Chairman.
02:09:18Let me pick up where you just left off, Mr. Peterson.
02:09:21My district is Prince George's County, sort of the inner part.
02:09:24I'm between D.C. and Steny Hoyer, and it goes all the way up to, I call it the research
02:09:29triangle area, where we have the University of Maryland, we've got NASA at one corner,
02:09:33we've got the Agriculture Research Center, we've got NOAA there, and just a few miles
02:09:37up from that triangle area, there's NSA, Fort Meade, and FDA.
02:09:42Naval Academy also is huge on cyber.
02:09:45So, you know, the regional grants piece that you just mentioned, I was wondering if that's
02:09:50something that is available in my immediate area, and if so, tell me about it.
02:09:57Yeah, so as I said, we recently funded 18.
02:10:00We're in the process of merit reviewing applications for 15 additional awards, and this is money
02:10:05appropriated by Congress that may be available for additional grants in the future.
02:10:10That is absolutely one opportunity that could be available to your constituents.
02:10:14All right, and this would be an application piece that's going to be coming in the near
02:10:19future?
02:10:20Yeah, a notice of funding opportunity that would be publicly announced.
02:10:23What's the timeline, roughly, for when the next 15 are going to be coming available?
02:10:27Well, the current 15, the deadline occurred in May, so we're currently reviewing and we'll
02:10:33award those later this summer or early fall.
02:10:36Whether there's future awards is dependent on appropriations.
02:10:39All right, Mr. Mo, I wanted to follow up with you.
02:10:42I think Mr. Magaziner asked you about teaching, what cyber skills are being taught, and you
02:10:48mentioned that you want to make sure that they're available, and I'm looking at sort
02:10:52of the, I was going to say K through 12, but it's probably more realistically middle school
02:10:57and high school.
02:10:58What specific cyber skills are we talking about that public schools should be making
02:11:03available, say, at the high school level?
02:11:06What we are pushing, thank you so much for the question, what we are pushing in the strategy
02:11:09is the idea of the foundational cyber skills.
02:11:13So it's not a skill on a particular technology, it's about a skill in which you know how to
02:11:19use technology, you can port your skills from one technology to another.
02:11:24It's about things like pattern recognition, understanding abstraction, as well as problem
02:11:31solving.
02:11:32So the reason why we're pushing for those foundational skills in K through 12 and middle
02:11:35school is because once you have those skills, you can use those skills to learn other technical
02:11:42skills, right?
02:11:43So I've seen school districts that actually go the route of certifications, I've seen
02:11:48school districts that go the route of hands-on learning on some of those curriculum that
02:11:53we have online, but for us to be able to future-proof our workforce and make sure that we build
02:12:00a dynamic workforce that can use any sort of technology in the future, we need to push
02:12:06foundational cyber skills.
02:12:07All right, so those would be coming through, just to really try and narrow this down, math
02:12:12and science classes that are offered?
02:12:15Well, career, yeah, math, science, there are career technical education curriculum sometimes
02:12:19depending on the pathways of the schools locally.
02:12:22So those are where those skills are generally taught.
02:12:25Okay, and are there particular programs that are available, maybe not in my district, but
02:12:31it's anywhere in the country, where they actually are, they were put together with this in mind
02:12:36to prepare students to be able to go into this line of work and develop these specific
02:12:42skills?
02:12:43Right now, a lot of those are done through, like, you know, CTE CyberNet has a way to
02:12:47kind of teach some of those cyber skills and they, by the time they get to the student,
02:12:52it's about problem-solving with technology.
02:12:54And the CTE, is that available at the high school level or is that the?
02:12:59Middle school and high school level.
02:13:00Middle school, okay.
02:13:01Then I did have a question about the contractors piece, because I think somebody said there
02:13:06are 60,000 contractors, is that what you, Ms. Beavers?
02:13:09Yes, Congressman.
02:13:10Okay.
02:13:11So, I'm looking at a document here that was put out by the State of Maryland that says
02:13:17that cybersecurity and information security jobs do not yet have a defined standard industrial
02:13:24classification number, and I wanted to know if that is the case for the federal government
02:13:30or not.
02:13:31So, the Department of Defense has been on this journey for nearly 15 years now to actually
02:13:36categorize and classify.
02:13:38I got 40 seconds.
02:13:40So, I will have to take that for the record.
02:13:44I think that's our best estimate.
02:13:47Let me tell you why I'm asking.
02:13:49In part, because I want to make sure that from a contracting standpoint, we want diversity
02:13:55about students and the like who get a chance to obtain these skills.
02:14:00I also want to make sure there's diversity with the opportunity to get the contracts.
02:14:04And so, if you have the codes in place, that's one of the ways that the government monitors
02:14:08and can track how the contracts are being made available and whether they're being done
02:14:15in a diverse way or not.
02:14:17So, if you can get back to me, if you could give me a written response on that, and if
02:14:21you could give me a general sense, too, of, and you're with DOD, what DOD, she nodded
02:14:27for the record.
02:14:28Yes, Congressman.
02:14:29Flashback to trial.
02:14:32If you can give me a sense, too, of what the Department of Defense is doing to make sure
02:14:37that it's doing, making outreach efforts to make sure that there are diverse opportunities
02:14:42for contractors and that there's a diverse field of contractors that are providing the
02:14:47work for the federal government.
02:14:49And thank you for your indulgence, Mr. Chairman, and I yield back.
02:14:52Gentleman yields back.
02:14:53I now recognize the gentleman from New York, Mr. D'Esposito, for five minutes of questioning.
02:14:57Well, thank you, Mr. Chairman, and thank you all for being here this, I guess now this
02:15:00afternoon.
02:15:03I guess right now, almost 85% of federal cyber positions are telework eligible.
02:15:10While I don't always agree with everyone working from home, obviously it's a reality that we
02:15:15are all dealing with.
02:15:20Obviously it's something that CISA has leveraged, so Mr. Heisen, how does DHS ensure that there
02:15:26are strong cybersecurity practices upheld for the remote workforce?
02:15:33Thank you, Congressman.
02:15:34It's been something that has been a new and evolving challenge since the beginning of
02:15:38the COVID-19 pandemic.
02:15:40We have updated our annual required cybersecurity trainings for all employees to make sure that
02:15:46they are incorporating safe cybersecurity practices for telework and remote work.
02:15:53Among other things, that includes things like thinking about and being aware of smart devices
02:15:58that are in your workspace that may be recording, as well as looking at the security of your
02:16:03home network.
02:16:04We will continue to do that.
02:16:05Now I'm going to take it a little bit closer to home.
02:16:08Unfortunately, on Long Island, where both Mr. Garbarino and myself, Mr. Laloda and Mr.
02:16:14Suozzi represent, we have witnessed successful cyber attacks that have greatly disrupted
02:16:19not only local government, but obviously the quality of life for the people that we serve.
02:16:25It's clear that both the public and the private sector are having issues with filling all
02:16:30of the cybersecurity roles that are currently open.
02:16:33This is really for any of you.
02:16:35How do these workforce issues extend to and impact, like I mentioned, local municipalities
02:16:41and leave them open to an attack such as the one I referred to?
02:16:46I can say I think we see those challenges every day through our work, largely through
02:16:51CISA with state and local governments.
02:16:55It's one of the reasons why when we developed our new state and local cybersecurity grant
02:17:00program, which launched two years ago, we made developing state and local cybersecurity
02:17:05workforce a key element that we are looking for municipalities and state governments to
02:17:11apply for funding for.
02:17:14I was also excited to see the newly released Commerce, Justice, Science, and Related Agencies
02:17:20Appropriations Bill.
02:17:22There was funding that I requested for an updated IT system for the Nassau County Police
02:17:27Department to help them prevent from future cybersecurity attacks.
02:17:32Bolstering our systems is obviously one thing that, again, those local municipalities can
02:17:38do to guard against cyber attacks.
02:17:41What are some of the, and this is again for any of you, what are some of the short-term
02:17:44solutions for these localities that us as Congress can work towards to help our cyber
02:17:51workforce?
02:17:52Thank you so much for that question.
02:17:56I think registered apprenticeship is one way to do it because it allows people with
02:18:01the potential to do the work to also learn on the job.
02:18:05One of the things that we want to make sure is that we have those quality pathways, and
02:18:09then we can then match folks who are interested to do the work where we need it to be.
02:18:17The other option is cyber clinics.
02:18:20We have funded four cyber clinics so far from the federal government.
02:18:26Cyber clinics as a clinic model allows students who are in college today to also practice
02:18:33those skills and have those hands-on experience while helping the public, in this case private
02:18:40and local government as well.
02:18:45The cyber clinics that you referenced, how do you do the outreach, or is that funding
02:18:52that's provided to an organization, or how is the outreach to get individuals onto those
02:18:59clinics?
02:19:00Right now it's done on a cyber clinic by cyber clinic basis, and then that's where we kind
02:19:06of come in.
02:19:07We're trying to kind of make sure that everyone is coordinated and make sure that as part
02:19:12of the cyber clinic they reach out to DR students to get more students, as well as
02:19:17each cyber clinic sort of have their own mission, and for us it's to kind of influence the mission,
02:19:24make sure that they serve a particular constituency that we need them to be.
02:19:29And how has the attendance, so to speak, been to the first four clinics that you've supported?
02:19:35We just started that funding, so I can take that back for the record and perhaps provide
02:19:40your office with that information.
02:19:41That'd be great.
02:19:42With that, my time's expired.
02:19:43Mr. Chairman, I yield back.
02:19:44The gentleman yields back.
02:19:45We are going to now, I'm going to start a second round because I can't, I have questions.
02:19:52I want to follow up, my colleague from New York just asked you about this, you talked
02:19:58about the state local grant program.
02:20:01Has that money, the first round of that money, gone out yet to the states?
02:20:06Chairman, my understanding is that it is the $185 million that we allocated in fiscal
02:20:1522 that that has started to go out, but it's a program that my office doesn't directly
02:20:19administer, so I would have to follow up for more details.
02:20:21Let's follow up, because I know, I believe the money has gone out to the states, but
02:20:24I don't know how much of the actual grants have gone to state, to the localities, the
02:20:31counties, the towns who really face the problem, they can't afford to have a CISO.
02:20:36My county, Suffolk County in Long Island, got hit with a major cyber attack.
02:20:40If you can follow up and let us know where that money is, how far it is in going out
02:20:47to the actual people it's supposed to go to, that would be great, I'd really appreciate
02:20:50it.
02:20:51Thank you.
02:20:52I also want to emphasize, I want to focus on your testimony highlights the strides DHS
02:20:55has made in hiring through the Cybersecurity Talent Management System, or CTMS, and the
02:21:01department announced yesterday that the first 10 hires for its first 10 hires for AI Corps.
02:21:08In this committee's February hearing with Secretary Mayorkas, I sounded the alarm over
02:21:11CISO's lack of operational technology or OT staff.
02:21:15GAO report in March found that CISO has only four employees and five contractors on hand
02:21:20to respond to attacks on OT infrastructure.
02:21:23I believe you have made some hires since then specifically for OT, but can you tell me what
02:21:29DHS is doing specifically to attract OT technical staff?
02:21:33Absolutely.
02:21:34It's an area that CISO has been very significantly prioritizing.
02:21:38We developed, I believe, specific positions under CTMS to specifically reach out to talent
02:21:46with expertise in OT security and industrial control systems and related fields.
02:21:51I know we've had several rounds of solicitations and I do believe we brought some staff on
02:21:56board.
02:21:58Now you have CTMS, which was meant to streamline the hiring of cyber workers through exemptions
02:22:04from many of the other federal hiring go through.
02:22:09Can you tell me under the CTMS how many employees have been hired under CTMS and how many are
02:22:15still going through the traditional process?
02:22:20I have a number here that says by 2023 CISA had only hired 80 people through CTMS while
02:22:26still making a majority of its 516 hires through the traditional process.
02:22:31What is DHS doing to make sure that CTMS is being utilized more so we can get people on
02:22:39board?
02:22:40Yes, and that number is for CISA's own hiring.
02:22:42We're at 189 across my office, CISA and FEMA today.
02:22:46CTMS is not going to be the answer for every position.
02:22:50Traditional Title V hiring will still play an important role.
02:22:53That's why we're looking to streamline through leveraging direct hire authority from OPM
02:22:57and other sources of traditional hiring, but we are pushing to aggressively expand CTMS.
02:23:03We are working to bring it on board with additional components.
02:23:07We are also looking across the offices that are already using it to expand utilization
02:23:13for some of their existing hires.
02:23:15Okay.
02:23:16This is for anybody who really wants to answer.
02:23:21We've talked about moving away to 40-year degrees, even some away from two-year degrees,
02:23:27focusing on skills-based, maybe some certifications.
02:23:29Is there a role for the federal government to come up with, for coming up with an approved
02:23:36list of certification courses or programs or curriculum so not just the federal government,
02:23:44but states can use it, companies can use it as a basis for, all right, these are the type
02:23:49of certifications, these are the type of skills that we want to see.
02:23:51Is that something that the federal government should be coming up, that we should be coming
02:23:55up with?
02:23:56Or is that really not the role for the federal government?
02:24:01And anybody, just jump in.
02:24:02Isabel, you want to go?
02:24:03Go ahead.
02:24:04Yeah.
02:24:05I appreciate that question.
02:24:06What I would say is that technology is changing so fast.
02:24:07By the time, you know, if you go through some form of process, the skills that we'll be looking
02:24:13for as well as the type and the curriculum would have changed, right?
02:24:18So that's why when we think about skills-based, it's not about, sometimes it's not even about
02:24:22the specific skills, right?
02:24:23It is about the specific skills, which is what the framework is providing us.
02:24:27But the approach itself gives us a new way of thinking about this.
02:24:30And that is, we just want to make sure that folks have the basic skills to learn new additions.
02:24:34I know we don't want to be the be-all and end-all because passing legislation or doing
02:24:38regulations takes forever and just moves very quickly.
02:24:41But, you know, a lot of people don't know where to start.
02:24:44Not everybody has a CISO.
02:24:45I mean, is it worthwhile for us to come up with a base minimum standard?
02:24:49Maybe not legislatively, but, you know, offer, have CISA come up with a minimum standard
02:24:54or minimum, these are the things you should be looking for, these are certifications you
02:24:57should be having.
02:24:58Mr. Eisen, you can jump in.
02:24:59Chairman, I believe that aligning to the NICE framework is the right way to do that.
02:25:04As Mike said, I think these specific certifications are changing so rapidly, but I do think saying
02:25:11that we need certifications or other demonstrations that candidates meet baseline skills with
02:25:17some flexibility to apply that in different ways would be most valuable.
02:25:22I appreciate it.
02:25:23My second five minutes is up.
02:25:24I now recognize the Ranking Member, Mr. Thompson, for five minutes of questions.
02:25:28Well, thank you very much, Mr. Chairman.
02:25:30And kind of in line with the Chairman's questions, historically the federal government's long,
02:25:40cumbersome hiring process has undermined its ability to recruit cyber talent.
02:25:46Clearance processes and suitability assessments, in particular, created unacceptable delays
02:25:52between offers and onboarding, and sometimes by the time you make the offer, that person
02:26:01is no longer available.
02:26:03So what are your agencies doing to expedite onboarding of cyber talent?
02:26:09And I guess as a second piece to it is, how is ONCD supporting these efforts?
02:26:16So Mr. Mower, I'll kind of see if you can backfill the answers.
02:26:23I'm intimately familiar with those challenges, Ranking Member.
02:26:27It starts with administration-wide initiatives like the Trusted Workforce 2.0 effort that
02:26:32is streamlining suitability and security clearance processes government-wide.
02:26:38We're seeing great results through the early stages of implementation.
02:26:42But we're also actively looking to streamline which positions actually need a clearance.
02:26:48If you're not going into a SCIF looking at classified material, we shouldn't be holding
02:26:53up your hiring on that.
02:26:55So we have been looking to reduce requirements, expand the use of interim clearances at both
02:27:00the secret and top secret level, which can be issued faster as well.
02:27:06Another key element of CTMS is that it keeps candidates in a ready talent pool so that
02:27:12when we have vacancies arise, we can reach out to candidates that have gone through the
02:27:17first stages of their assessment process already and then just start from there, which can
02:27:23significantly reduce time to hire.
02:27:26So technically, it's not one-size-fits-all.
02:27:28Absolutely.
02:27:29Okay.
02:27:30Ms. Beavers?
02:27:31The Department of Defense has a similar program, the Cyber Accepted Service, which has some
02:27:37direct hire authorities, which enables us to bring folks in quicker.
02:27:41We've also revised our hiring policies to eliminate the time and grade requirements
02:27:49and the previous grade requirements.
02:27:51So it's skills-based.
02:27:52But there is additional work that could be done to help us expedite that with greater
02:28:04flexibility in salaries and things like that.
02:28:06So we are still continuing to work on reducing the time to hire, particularly within this
02:28:12valuable workforce.
02:28:17So we have made a little bit of progress in terms of the security clearance times, right?
02:28:22So the average numbers for top secret went from 411 to 155 days, and for secret went
02:28:28from 173 to 53 days.
02:28:31PEC has set a very aggressive target that they are executing on for top secret to be
02:28:3545 days and secret to be 25 days.
02:28:38But if you take a step back in terms of the whole hiring process, there is a clearance,
02:28:45but there's also how we can move faster to get an interagency.
02:28:49One of the things that ONCD is coordinating with our partner at Office of Personnel Management
02:28:53and OMB is the idea of a pool hiring process so that we have one certificate that multiple
02:28:59agencies can jump on.
02:29:01So we have found that that has reduced the time for folks to be onboarded.
02:29:07In terms of the other stuff, such as tech to gov hiring event that we do, we have at
02:29:14least two of those events already with about 1,700 people being interested in jobs, and
02:29:20we have offered 150 tentative job offers.
02:29:23So we're doing, you know, like a lot of things in federal hiring, there's a lot of like there's
02:29:28no one single solution, there's no silver bullet.
02:29:31We're keeping, we are fixing a lot of the smaller processes along the way.
02:29:36Another effort that ONCD is driving is to make sure that we have job descriptions that
02:29:42are more focused on skills that are sort of like usable by, you know, multiple different
02:29:47agencies and obviously this is done in conjunction with the working groups that we have in which
02:29:51all the partners here are part of, so that that is something that will, you know, slim
02:29:56down on the hiring process from job posting to candidates onboarding.
02:30:03You know, one of the challenges that I find as a member, and very rarely do I not come
02:30:12in contact with somebody who's looking for a job, but they say I go to these fairs, they
02:30:19give me the brochures, but there's nothing between the job fair and the brochures that
02:30:26hold me.
02:30:28I think somewhere if we can give people hope that this jobs fair is not just a check the
02:30:39box kind of deal, we might get some good people, but the confidence that it's not more than
02:30:49a check the box event for that staffer to meet whatever their numbers are.
02:30:56Help me out.
02:30:57How do, are we changing that perception?
02:31:00Remember, I think it's a shift from strictly thinking about hiring to thinking about talent
02:31:07and recruiting.
02:31:08There's a key difference in applying for a government job versus a private sector job
02:31:12where if you apply for a government job, you get automated emails from USA Jobs when you
02:31:17hit different stages.
02:31:19In many private sector roles, particularly in cybersecurity, you have a recruiter who
02:31:23is actively talking to you and working with you through that process, which can still
02:31:28in some cases be longer.
02:31:30That's why there's been some efforts from OMB to build out federal talent teams that
02:31:35go beyond just HR specialists in hiring and build those relationships with candidates
02:31:40throughout the hiring process.
02:31:41I do think that's something we need to expand.
02:31:44I would like to highlight that the Department of Defense is also pursuing that type of a
02:31:50hiring pipeline development.
02:31:54We are maturing the cyber accepted service to be more aligned with the civilian hiring
02:31:58practices, hence the pilot that I mentioned earlier.
02:32:03I just think that we have to meet people where they're at.
02:32:10A lot of times, some of the success stories that we've heard is because the professors
02:32:15told the students that, yep, the process takes longer, but once you get the job and get the
02:32:20clearance as you're an intern, that's how we'll kind of pull some of the people in.
02:32:23A lot of times, it's about educating our stakeholders and partners on the ground that this is real.
02:32:30Then there's some accountability that some relationship and partnerships are being formed,
02:32:35and that's what ONC is trying to do when we kind of go around the country to talk to those
02:32:38folks.
02:32:39We're trying to establish those real relationships that will make sure that they will tell their
02:32:44students that these are real opportunities and with some more explanation that they know
02:32:50what to expect.
02:32:51Thank you.
02:32:52The gentleman yields back.
02:32:53In closing, I just want to say thank you to all the witnesses for coming today.
02:33:03Sorry about votes screwing up, and I wish we had some more participation.
02:33:06I do know that this committee takes this issue very seriously.
02:33:11I know the chairman takes this issue very seriously, as I said when I read his opening
02:33:15statement.
02:33:16He will be submitting legislation soon to help address the shortfall, specifically in
02:33:23the federal agencies.
02:33:26We definitely take this issue very seriously, and I think you all should be ready to expect
02:33:31some questions for the record to be submitted.
02:33:33I know I have some that I could have gone another four or five times, and I'm sure my
02:33:37colleagues could have as well.
02:33:40I do really want to thank you all for being today and for your patience during votes.
02:33:44The members of this committee, like I said, may have some additional questions for witnesses,
02:33:48and we would ask witnesses to respond to these in writing.
02:33:52Pursuant to Committee Rule 7D, the hearing record will be held open for seven days.
02:33:57That objection?
02:33:58This committee stands adjourned.

Recommended