DHS poised to remake federal hiring in September to confront cybersecurity gap

Since taking office, President Joe Biden's administration has faced an alarming number of cybersecurity breaches, from the supply chain attack waged via SolarWinds to the cyber espionage attack exploiting flaws in Microsoft Exchange Server email software.

A cybersecurity executive order issued in May mandates improved computer hygiene inside government and puts contractors on the hook for reporting breaches, but a presidential edict can't immediately counter a workforce shortage or speed up notoriously slow federal hiring practices.

Now, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency are poised to advance a series of policy changes to cut the time it takes to hire cybersecurity professionals, redefine how the government evaluates cybersecurity skill sets and facilitate competitive pay rates.

DHS will have to publish the rules for public comment to go live with the project, known as the Cybersecurity Talent Management System (CTMS).

That's scheduled to occur in September, Travis Hoadley, a senior DHS official charged with overseeing it, said in an interview with FCW. In the Biden administration's newly released regulatory agenda, CTMS is listed as being in the final rule stage with a "final action" scheduled for September 2021.

But why is the federal government just now bringing online a system with authorities granted to the administration when Biden was still vice president?

"We have to roll out a fairly significant human capital system, completely doing away with the existing general schedule that we have used" for decades, Brandon Wales, the acting CISA chief, told lawmakers in May. "That required a large-scale rulemaking effort that is finishing up now. It's taken longer than anything anyone wanted, but it appears that we are on the cusp of getting the program live and we're ready to use it.

DHS's fiscal year 2022 budget justification documents indicate the agency has set itself the goal of hiring 150 cybersecurity professionals in fiscal year 2021 and an additional 150 in fiscal year 2022. (The budget documents also show remnants of the system's long delay: a chart noted CTMS was supposed to bring in 109 personnel during fiscal year 2020. The actual number of hires achieved that year: zero.)

The agency is currently determining what skills and hires it'll prioritize once the system, which DHS views "in the category of a civil service reform pilot," is live, Hoadley said. DHS plans for the first hires to onboard by the end of this calendar year.

All of this is happening in an extremely tight labor market.

CyberSeek is a database backed by the Department of Commerce and the National Institute of Standards and Technology. According to the project's latest data, there were approximately 36,000 public-sector cybersecurity job openings between April 2020 and March 2021. By comparison, CyberSeek also estimated about 60,000 workers were employed in public-sector cybersecurity positions during that same time period.

Laying the foundation: Changes in classification, hiring and compensation

CTMS stems from the 2014 Border Pay Reform Act, which granted the DHS secretary authority to establish a new personnel system specifically for cybersecurity. The broader outlines for CTMS in its current state took form in 2019 but ultimately saw delay after delay in their implementation.

One of the chief provisions allows the DHS secretary to hire cybersecurity professionals under the excepted service, as opposed to the competitive service -- the majority of rank-and-file feds, governed by particular civil service rules for hiring, firing and pay -- or the senior executive service -- high-level administrators with their own regulatory structure.

The expectation is that this should help DHS bring officials on more quickly and allow for easier movement within DHS itself, among agencies and in and out of the private sector.

Although many hiring practices in the civil service largely depend on the government's ability to clearly define and anticipate all aspects of a person's job, in cybersecurity, that simply is not a possibility.

The new system will emphasize the skills employees need to perform well. That will be accompanied by a shift away from self-rating of expertise, a common practice in federal hiring, to having job candidates show their skills, for instance in a work simulation setting. The designers of CTMS are benchmarking their work off of private-sector hiring practices for cyber positions, Hoadley said.

DHS is also gunning to fix chronic compensation issues.

Pay scales like the General Schedule aren't necessarily market-sensitive for cybersecurity talent, Hoadley said. DHS officials say that its forthcoming alternative compensation scheme will better align pay rates with the value of cybersecurity skills in the marketplace and the experience a person brings to the job and not be as tethered to education.

"Congress was most interested in the department's ability to really recruit and retain the type of talent that it takes to execute our cybersecurity mission in the 21st century, acknowledging that cybersecurity threats continue to change and evolve, technology continues to change and evolve, and we need to be able to keep pace with other cybersecurity employers as we compete for a limited pool of talent," Hoadley said of the 2014 legislation.

CTMS will be operating under "applicable labor laws" that make "many cybersecurity employees … ineligible to join a bargaining unit," Hoadley said.

The American Federation of Government Employees, the largest union representing government employees, declined to comment for this article.

Regardless of whether DHS and CISA meet their hiring goals this year, bringing CTMS online will mean an update that has been long overdue, officials say.

"You can't really take that World War II foundation and think about 'how do you hire and manage with agility cybersecurity professionals in the 21st century?'" Hoadley said. "It takes a different foundation, so that's what we've been thinking about, and that's what we're hoping to put in place with CTMS."