[Congressional Record Volume 169, Number 161 (Monday, October 2, 2023)]
[House]
[Pages H4944-H4946]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

MODERNIZING THE ACQUISITION OF CYBERSECURITY EXPERTS ACT OF 2023

Mr. COMER. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 4502) to amend title 5, United States Code, to allow Federal agencies to establish educational requirements for certain cybersecurity positions in the competitive service, and for other purposes, as amended.

The Clerk read the title of the bill.

The text of the bill is as follows:

H.R. 4502

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Modernizing the Acquisition of Cybersecurity Experts Act of 2023''.

SEC. 2. EDUCATIONAL REQUIREMENTS FOR COMPETITIVE SERVICE CYBERSECURITY POSITIONS.

Section 3308 of title 5, United States Code, is amended--
(1) by striking ``The Office of Personnel Management'' and inserting ``(a) In General.--Consistent with subsection (b), the Office of Personnel Management''; and
(2) by adding at the end the following:
``(b) Education Requirements for Cybersecurity Positions.--
``(1) In general.--With respect to any covered position--
``(A) an agency may prescribe a minimum educational requirement for employment in such a position only if a minimum education qualification is required by law to perform the duties of the position in the State or locality where the duties of the position are to be performed; and
``(B) an agency may consider education in determining a candidate's satisfaction of any other minimum qualification only if the candidate's education directly reflects the competencies necessary to satisfy that qualification and perform the duties of the position.
``(2) Publication.--Not later than one year after the date of the enactment of the Modernizing the Acquisition of Cybersecurity Experts Act of 2023 and annually thereafter, the Office of Personnel Management shall publish on the Office's website--
``(A) any changes made to minimum qualifications standards concerning education for covered positions; and
``(B) aggregate data indicating the level of educational attainment, sorted by position classification, of all accessions to covered positions.
``(3) Covered position defined.--In this subsection, the term `covered position' means--
``(A) any position in the competitive service classified under the GS-2210 information technology management series, or any successor series; and
``(B) any other position in the competitive service designated as ``cybersecurity'' under the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST Special Publication 800-181), or successor framework.''.

The SPEAKER pro tempore. Pursuant to the rule, the gentleman from Kentucky (Mr. Comer) and the gentleman from Maryland (Mr. Raskin) each will control 20 minutes.

The Chair recognizes the gentleman from Kentucky.

General Leave

Mr. COMER. Mr. Speaker, I ask unanimous consent that all Members have 5 legislative days in which to revise and extend their remarks and include extraneous material on this measure.

The SPEAKER pro tempore. Is there objection to the request of the gentleman from Kentucky?

There was no objection.

Mr. COMER. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, I rise in support of H.R. 4502, the Modernizing the Acquisition of Cybersecurity Experts Act.

The Federal Government relies on cybersecurity professionals to protect personally identifiable information, defend against cyber threats, and build secure government technology.

To ensure this work is done effectively, the Federal Government desperately needs to hire more cybersecurity experts.

The United States, however, faces a labor shortage of cybersecurity professionals, amounting to nearly 700,000 job vacancies.

Many cybersecurity experts have the right technical skills and experience, but Federal hiring managers are not allowed to consider them because they lack a formal college degree.

This bureaucracy creates unnecessary barriers to employing some of the best and brightest cybersecurity professionals.

Mr. Speaker, I urge my colleagues to support this simple and necessary bill, and I reserve the balance of my time.

Mr. RASKIN. Mr. Speaker, I yield myself such time as I may consume.

As ranking member of the House Committee on Oversight and Accountability, I rise in strong support of H.R. 4502, the Modernizing the Acquisition of Cybersecurity Experts Act.

I thank my distinguished colleagues, Representative Nancy Mace from South Carolina, who is the chair of the Cybersecurity, Information Technology, and Government Innovation Subcommittee, and Representative Katie Porter, who is the ranking member of the Health Care and Financial Services Subcommittee, for their excellent bipartisan work on this bill, something that, yes, does still exist in the U.S. House of Representatives.

This year, more than 750,000 cybersecurity jobs in the United States will be left unfilled. Each one is a missed opportunity for a talented person and also a missed opportunity for our country. These are well-paid positions with great job security. They are essential to the protection of our government, the prosperity of our businesses, and the security of our communities.

{time} 1630

One big barrier to entry for many of these jobs is the requirement that applicants have a college degree, even if that degree has no bearing on the technical expertise required to satisfactorily meet the demands of the job or to successfully perform the work.

Remember that Mark Zuckerberg dropped out of college before he created Facebook.

According to a 2017 study by Harvard Business School, more than 60 percent of employers turned down qualified applicants in the IT field because they didn't have a college degree. Many such applicants were turned down even when they sought to fill jobs vacated by individuals who also didn't have college degrees.

This degree inflation excludes people from opportunity. In 2022, less than 40 percent of the population over the age of 24 had a bachelor's degree.

As technological and cultural advancements continue to transform the nature of the workplace, businesses and public-sector entities alike have begun to realize that college degrees are not always effective proxies for job qualifications and skills. Often, highly capable candidates became that way precisely because they pursued their own path in life, a nontraditional route into the workforce.

To remain competitive and to attract top talent, hiring authorities could no longer allow degree inflation to automatically disqualify more than half of our workforce.

H.R. 4502 applies the same logic to the Federal cybersecurity workforce which performs the critical work of defending our Federal networks and our Federal data from attack.

Recognizing the government must be competitive to attract high-demand cybersecurity talent to public service, the bill eliminates the requirement that a BA degree is a prerequisite to Federal hiring for cybersecurity.

Eliminating unnecessary degree requirements isn't just good for business, it is good for workers and especially minority workers who are too often excluded from opportunity. In 2022, less than 30 percent of the Black population had a bachelor's degree. For the Hispanic population, that number is even lower at 21 percent.

Addressing degree inflation and advancing legislation like this takes steps toward creating the more inclusive and fair society that the public wants.

This bill contributes to a record of strong bipartisan cooperation to strengthen Federal cybersecurity and its workforce.

Democrats led passage of the CHIPS and Science Act last year with increased funding for Federal cyber workforce programs, and the Office of the National Cyber Director recently published the Biden-Harris administration's National Cyber Workforce and Education Strategy. This strategy includes a provision encouraging employers to take a more skills-based approach to hiring for these cyber positions.

While Republicans in the House continue the crusade to shut down the government--let's hope they have thought better of it now--I do hope that Americans see that it is still possible for Congress to come together on commonsense legislation like this to advance meaningful opportunity in a well-functioning government.

Mr. Speaker, I urge everyone to support this bill, and I reserve the balance of my time.

Mr. COMER. Mr. Speaker, I yield 5 minutes to the gentlewoman from South Carolina (Ms. Mace), the chair of the Oversight Committee Subcommittee on Cybersecurity, Information Technology, and Government Innovation.

Ms. MACE. Mr. Speaker, I rise today to support our bill, H.R. 4502, the Modernizing the Acquisition of Cybersecurity Experts Act.

I say ``our bill,'' because my colleague Katie Porter from California and I joined forces. I don't have a problem with anyone working and reaching across the aisle.

No one wants to shut down the Federal Government. We are not on a crusade to do that. I just want Congress to follow the law.

There was a law created in 1974, the Budget Impact and Impoundment Control Act, that requires Congress to have a budget in 12 separate spending bills. Both sides do it. Both sides are a failure to the American people because we don't follow the law. We can't expect our fellow Americans to follow the law when we ourselves are unwilling to do the work.

Chuck Schumer has 70 percent of Federal Government spending in his in-box right now.
No one wants to do that. I don't oppose us working across the aisle for government spending or any of that. There is no crusade to shut down the Federal Government. I just want Congress to do its job and follow the law.

On to the rest of it. This bill solves a simple problem. You can't deem one applicant more qualified for a Federal cybersecurity job solely because he or she has a degree in underwater basket weaving.

I remember the first time I learned to code my first programming language. I was actually in college, but college didn't teach me to code. I taught myself to code. There are a lot of kids and students and adults out there that are teaching themselves to code and finding great jobs.

When I was a coder, my first job, I got paid $35,000 a year. Because of the demands of these jobs today, it is a much better era for programmers and engineers.

I have a family member today who never set foot in college. He recently turned 22. He owns his own home, and he makes significantly more money than we do as Members of Congress.

Despite the shortage of over 700,000 cybersecurity professionals in the public and private sector, people who don't attend or finish college are often barred from consideration for jobs in the field when they shouldn't be.

There are many, many brilliant programmers and computer whizzes out there. There are some that drop out of Harvard after a year or two, like Bill Gates. There are many others who have gone on to have outstanding careers in IT, technology, cybersecurity, et cetera, and they don't have a college degree.

While the cyber workforce is crucial to our national security, it is graying rapidly. According to a report issued last year, there are five times as many cybersecurity workers over the age of 55 as there are under 30. Only 1 in 16 Federal cybersecurity workers is actually under the age of 30.

This bill would prohibit mandatory degree requirements for Federal cybersecurity jobs unless they are legally required to perform the duties of the position, which is rarely the case. Currently, even entry-level positions in the Federal Government require a 4-year degree.

Federal cybersecurity professionals help secure the information of millions of Americans from cybercriminals and hackers sponsored by enemy nation-states. Some of these young people literally have the skills to hack these critical systems, but they can't get their foot in the door for employment at the same agency. We are missing out on a tremendous amount of talent.

Over the past few years, we have seen leaders from both parties at all levels of government rolling back degree requirements resulting in greater economic opportunity for every American, no matter their ZIP Code.

Many large companies have done away with unnecessary degree requirements. If the government was run like a business, I think we would be much better off.

This bipartisan bill codifies--I hope no one's head explodes today--a Trump-era executive order maintained by the Biden administration. I can think of nothing more bipartisan than this.

Lastly, I thank my colleague Katie Porter from California for her work on this valuable piece of legislation.

Mr. RASKIN. Mr. Speaker, I yield 4 minutes to the gentlewoman from California (Ms. Porter).

Ms. PORTER. Mr. Speaker, I thank Chairman Comer and Ranking Member Raskin for recognizing me.

I rise today in support of legislation that I partnered on with Congresswoman Mace to modernize hiring guidance for Federal cybersecurity security jobs. She and I both agree that government employees should be the best in the business. Taxpayers deserve nothing less from the people we employ.

How do we get the best of the best into our Federal jobs? Just like in any market, it all comes down to one thing: fostering competition.

For too long, overly restrictive Federal hiring guidance has stifled competition and prevented Federal agencies from being able to hire the best applicants for cybersecurity jobs if they don't meet all of the stringent educational requirements.

If who gets hired for our Federal jobs always comes down to just one credential, our government is going to miss out on some great employees. No part of the Federal Government should disqualify an individual from winning the competition for a Federal job based on whether they have one type of educational credential.

We are only going to figure out who is best to fill a role if we let all qualified candidates show us all their qualifications. The truth is, there is not one type of educational experience that is always going to make a cybersecurity professional the best of the best.

I am a former college professor, and I know that a lot of people will learn skills in their college degree programs that prepare them to be a Federal cybersecurity professional. At the same time, I also know that college isn't affordable and accessible for everyone, and the reality is that many people gain the skills necessary to succeed at Federal cybersecurity jobs through other life experiences.

The door must be open to both types of qualified candidates, and the Federal Government should then be able to pick who is most prepared to do the job based on a holistic view of the candidates.

The Modernizing the Acquisition of Cybersecurity Experts, MACE, Act stops the Federal Government from ruling out people without a specific educational credential. Instead, it lets all qualified applicants compete and gives the Federal Government more choices. This is something we should be able to agree on regardless of party.

This bill mirrors an executive order that was issued under President Trump and President Biden has chosen to keep it on the books today. It has worked under administrations of both parties, and now we need to make it permanent in our law.

Mr. Speaker, I urge my Democratic and Republican colleagues to support this bill. We can only have the best Federal cybersecurity professionals when we have had the chance to consider all of the qualified candidates, and the MACE Act will give us this chance.

Mr. RASKIN. Mr. Speaker, I yield myself such time as I may consume.

I thank the distinguished gentlewoman from California for her introduction of this legislation with Congresswoman Mace and for her leadership here.

The gentlewoman is absolutely right that there are people who may have gotten a college degree and a Ph.D. in some other field but are completely unprepared and unqualified to have a cybersecurity professional's job in the Federal Government, and there are those who never went to college at all who would be excellently prepared based on what their professional and life experience has been.

I thank them for moving in this direction, and I hope we can look at some other parts of Federal hiring to make sure we are making equivalent adjustments, so we are getting, as the gentlewoman says, the best candidates.

I am wondering--and I would yield to the gentleman for a second, if he knows the answer to this. Is it just a happy coincidence that the acronym for this legislation is the MACE Act? Was that pure coincidence? I don't know.

In any event, I congratulate Ms. Mace and Ms. Porter on this excellent legislation, and I yield back the balance of my time.

Mr. COMER. Mr. Speaker, the Modernizing the Acquisition of Cybersecurity Experts Act will ensure that the Federal Government can hire any qualified cybersecurity professional as long as they have the right knowledge and skills even if they do not have a fancy degree.

I encourage my House colleagues to support this commonsense government transparency bill, the MACE Act, sponsored by Chairwoman Nancy Mace, that will make America smarter and more secure.

Mr. Speaker, I yield back the balance of my time.

The SPEAKER pro tempore.
The question is on the motion offered by the gentleman from Kentucky (Mr. Comer) that the House suspend the rules and pass the bill, H.R. 4502, as amended.

The question was taken.

The SPEAKER pro tempore. In the opinion of the Chair, two-thirds being in the affirmative, the ayes have it.

Mr. COMER. Mr. Speaker, on that I demand the yeas and nays.

The yeas and nays were ordered.

The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further proceedings on this motion will be postponed.