[Congressional Record Volume 169, Number 161 (Monday, October 2, 2023)]
[House]
[Pages H4944-H4946]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
MODERNIZING THE ACQUISITION OF CYBERSECURITY EXPERTS ACT OF 2023
Mr. COMER. Mr. Speaker, I move to suspend the rules and pass the bill
(H.R. 4502) to amend title 5, United States Code, to allow Federal
agencies to establish educational requirements for certain
cybersecurity positions in the competitive service, and for other
purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 4502
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Modernizing the Acquisition
of Cybersecurity Experts Act of 2023''.
SEC. 2. EDUCATIONAL REQUIREMENTS FOR COMPETITIVE SERVICE
CYBERSECURITY POSITIONS.
Section 3308 of title 5, United States Code, is amended--
(1) by striking ``The Office of Personnel Management'' and
inserting ``(a) In General.--Consistent with subsection (b),
the Office of Personnel Management''; and
(2) by adding at the end the following:
``(b) Education Requirements for Cybersecurity Positions.--
``(1) In general.--With respect to any covered position--
``(A) an agency may prescribe a minimum educational
requirement for employment in such a position only if a
minimum education qualification is required by law to perform
the duties of the position in the State or locality where the
duties of the position are to be performed; and
``(B) an agency may consider education in determining a
candidate's satisfaction of any other minimum qualification
only if the candidate's education directly reflects the
competencies necessary to satisfy that qualification and
perform the duties of the position.
``(2) Publication.--Not later than one year after the date
of the enactment of the Modernizing the Acquisition of
Cybersecurity Experts Act of 2023 and annually thereafter,
the Office of Personnel Management shall publish on the
Office's website--
``(A) any changes made to minimum qualifications standards
concerning education for covered positions; and
``(B) aggregate data indicating the level of educational
attainment, sorted by position classification, of all
accessions to covered positions.
``(3) Covered position defined.--In this subsection, the
term `covered position' means--
``(A) any position in the competitive service classified
under the GS-2210 information technology management series,
or any successor series; and
``(B) any other position in the competitive service
designated as ``cybersecurity'' under the National Initiative
for Cybersecurity Education (NICE) Cybersecurity Workforce
Framework (NIST Special Publication 800-181), or successor
framework.''.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Kentucky (Mr. Comer) and the gentleman from Maryland (Mr. Raskin) each
will control 20 minutes.
The Chair recognizes the gentleman from Kentucky.
General Leave
Mr. COMER. Mr. Speaker, I ask unanimous consent that all Members have
5 legislative days in which to revise and extend their remarks and
include extraneous material on this measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Kentucky?
There was no objection.
Mr. COMER. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in support of H.R. 4502, the Modernizing the
Acquisition of Cybersecurity Experts Act.
The Federal Government relies on cybersecurity professionals to
protect personally identifiable information, defend against cyber
threats, and build secure government technology.
To ensure this work is done effectively, the Federal Government
desperately needs to hire more cybersecurity experts. The United
States, however, faces a labor shortage of cybersecurity professionals,
amounting to nearly 700,000 job vacancies.
Many cybersecurity experts have the right technical skills and
experience,
[[Page H4945]]
but Federal hiring managers are not allowed to consider them because
they lack a formal college degree.
This bureaucracy creates unnecessary barriers to employing some of
the best and brightest cybersecurity professionals.
Mr. Speaker, I urge my colleagues to support this simple and
necessary bill, and I reserve the balance of my time.
Mr. RASKIN. Mr. Speaker, I yield myself such time as I may consume.
As ranking member of the House Committee on Oversight and
Accountability, I rise in strong support of H.R. 4502, the Modernizing
the Acquisition of Cybersecurity Experts Act.
I thank my distinguished colleagues, Representative Nancy Mace from
South Carolina, who is the chair of the Cybersecurity, Information
Technology, and Government Innovation Subcommittee, and Representative
Katie Porter, who is the ranking member of the Health Care and
Financial Services Subcommittee, for their excellent bipartisan work on
this bill, something that, yes, does still exist in the U.S. House of
Representatives.
This year, more than 750,000 cybersecurity jobs in the United States
will be left unfilled. Each one is a missed opportunity for a talented
person and also a missed opportunity for our country.
These are well-paid positions with great job security. They are
essential to the protection of our government, the prosperity of our
businesses, and the security of our communities.
{time} 1630
One big barrier to entry for many of these jobs is the requirement
that applicants have a college degree, even if that degree has no
bearing on the technical expertise required to satisfactorily meet the
demands of the job or to successfully perform the work. Remember that
Mark Zuckerberg dropped out of college before he created Facebook.
According to a 2017 study by Harvard Business School, more than 60
percent of employers turned down qualified applicants in the IT field
because they didn't have a college degree. Many such applicants were
turned down even when they sought to fill jobs vacated by individuals
who also didn't have college degrees.
This degree inflation excludes people from opportunity. In 2022, less
than 40 percent of the population over the age of 24 had a bachelor's
degree.
As technological and cultural advancements continue to transform the
nature of the workplace, businesses and public-sector entities alike
have begun to realize that college degrees are not always effective
proxies for job qualifications and skills. Often, highly capable
candidates became that way precisely because they pursued their own
path in life, a nontraditional route into the workforce. To remain
competitive and to attract top talent, hiring authorities could no
longer allow degree inflation to automatically disqualify more than
half of our workforce.
H.R. 4502 applies the same logic to the Federal cybersecurity
workforce which performs the critical work of defending our Federal
networks and our Federal data from attack. Recognizing the government
must be competitive to attract high-demand cybersecurity talent to
public service, the bill eliminates the requirement that a BA degree is
a prerequisite to Federal hiring for cybersecurity.
Eliminating unnecessary degree requirements isn't just good for
business, it is good for workers and especially minority workers who
are too often excluded from opportunity. In 2022, less than 30 percent
of the Black population had a bachelor's degree. For the Hispanic
population, that number is even lower at 21 percent. Addressing degree
inflation and advancing legislation like this takes steps toward
creating the more inclusive and fair society that the public wants.
This bill contributes to a record of strong bipartisan cooperation to
strengthen Federal cybersecurity and its workforce. Democrats led
passage of the CHIPS and Science Act last year with increased funding
for Federal cyber workforce programs, and the Office of the National
Cyber Director recently published the Biden-Harris administration's
National Cyber Workforce and Education Strategy. This strategy includes
a provision encouraging employers to take a more skills-based approach
to hiring for these cyber positions.
While Republicans in the House continue the crusade to shut down the
government--let's hope they have thought better of it now--I do hope
that Americans see that it is still possible for Congress to come
together on commonsense legislation like this to advance meaningful
opportunity in a well-functioning government.
Mr. Speaker, I urge everyone to support this bill, and I reserve the
balance of my time.
Mr. COMER. Mr. Speaker, I yield 5 minutes to the gentlewoman from
South Carolina (Ms. Mace), the chair of the Oversight Committee
Subcommittee on Cybersecurity Information Technology, and Government
Innovation.
Ms. MACE. Mr. Speaker, I rise today to support our bill, H.R. 4502,
the Modernizing the Acquisition of Cybersecurity Experts Act. I say
``our bill,'' because my colleague Katie Porter from California and I
joined forces.
I don't have a problem with anyone working and reaching across the
aisle. No one wants to shut down the Federal Government. We are not on
a crusade to do that. I just want Congress to follow the law.
There was a law created in 1974, the Budget Impact and Impoundment
Control Act, that requires Congress to have a budget in 12 separate
spending bills. Both sides do it. Both sides are a failure to the
American people because we don't follow the law. We can't expect our
fellow Americans to follow the law when we ourselves are unwilling to
do the work.
Chuck Schumer has 70 percent of Federal Government spending in his
in-box right now. No one wants to do that. I don't oppose us working
across the aisle for government spending or any of that. There is no
crusade to shut down the Federal Government. I just want Congress to do
its job and follow the law.
On to the rest of it. This bill solves a simple problem. You can't
deem one applicant more qualified for a Federal cybersecurity job
solely because he or she has a degree in underwater basket weaving.
I remember the first time I learned to code my first programming
language. I was actually in college, but college didn't teach me to
code. I taught myself to code. There are a lot of kids and students and
adults out there that are teaching themselves to code and finding great
jobs. When I was a coder, my first job, I got paid $35,000 a year.
Because of the demands of these jobs today, it is a much better era for
programmers and engineers.
I have a family member today who never set foot in college. He
recently turned 22. He owns his own home, and he makes significantly
more money than we do as Members of Congress.
Despite the shortage of over 700,000 cybersecurity professionals in
the public and private sector, people who don't attend or finish
college are often barred from consideration for jobs in the field when
they shouldn't be. There are many, many brilliant programmers and
computer whizzes out there. There are some that drop out of Harvard
after a year or two, like Bill Gates. There are many others who have
gone on to have outstanding careers in IT, technology, cybersecurity,
et cetera, and they don't have a college degree.
While the cyber workforce is crucial to our national security, it is
graying rapidly. According to a report issued last year, there are five
times as many cybersecurity workers over the age of 55 as there are
under 30. Only 1 in 16 Federal cybersecurity workers is actually under
the age of 30.
This bill would prohibit mandatory degree requirements for Federal
cybersecurity jobs unless they are legally required to perform the
duties of the position, which is rarely the case.
Currently, even entry-level positions in the Federal Government
require a 4-year degree. Federal cybersecurity professionals help
secure the information of millions of Americans from cybercriminals and
hackers sponsored by enemy nation-states. Some of these young people
literally have the skills to hack these critical systems, but they
can't get their foot in the door for employment at the same agency. We
are missing out on a tremendous amount of talent.
Over the past few years, we have seen leaders from both parties at
all levels
[[Page H4946]]
of government rolling back degree requirements resulting in greater
economic opportunity for every American, no matter their ZIP Code.
Many large companies have done away with unnecessary degree
requirements. If the government was run like a business, I think we
would be much better off.
This bipartisan bill codifies--I hope no one's head explodes today--a
Trump-era executive order maintained by the Biden administration. I can
think of nothing more bipartisan than this.
Lastly, I thank my colleague Katie Porter from California for her
work on this valuable piece of legislation.
Mr. RASKIN. Mr. Speaker, I yield 4 minutes to the gentlewoman from
California (Ms. Porter).
Ms. PORTER. Mr. Speaker, I thank Chairman Comer and Ranking Member
Raskin for recognizing me.
I rise today in support of legislation that I partnered on with
Congresswoman Mace to modernize hiring guidance for Federal
cybersecurity security jobs. She and I both agree that government
employees should be the best in the business. Taxpayers deserve nothing
less from the people we employ.
How do we get the best of the best into our Federal jobs? Just like
in any market, it all comes down to one thing: fostering competition.
For too long, overly restrictive Federal hiring guidance has stifled
competition and prevented Federal agencies from being able to hire the
best applicants for cybersecurity jobs if they don't meet all of the
stringent educational requirements.
If who gets hired for our Federal jobs always comes down to just one
credential, our government is going to miss out on some great
employees.
No part of the Federal Government should disqualify an individual
from winning the competition for a Federal job based on whether they
have one type of educational credential. We are only going to figure
out who is best to fill a role if we let all qualified candidates show
us all their qualifications.
The truth is, there is not one type of educational experience that is
always going to make a cybersecurity professional the best of the best.
I am a former college professor, and I know that a lot of people will
learn skills in their college degree programs that prepare them to be a
Federal cybersecurity professional. At the same time, I also know that
college isn't affordable and accessible for everyone, and the reality
is that many people gain the skills necessary to succeed at Federal
cybersecurity jobs through other life experiences.
The door must be open to both types of qualified candidates, and the
Federal Government should then be able to pick who is most prepared to
do the job based on a holistic view of the candidates.
The Modernizing the Acquisition of Cybersecurity Experts, MACE, Act
stops the Federal Government from ruling out people without a specific
educational credential. Instead, it lets all qualified applicants
compete and gives the Federal Government more choices. This is
something we should be able to agree on regardless of party.
This bill mirrors an executive order that was issued under President
Trump and President Biden has chosen to keep it on the books today. It
has worked under administrations of both parties, and now we need to
make it permanent in our law.
Mr. Speaker, I urge my Democratic and Republican colleagues to
support this bill. We can only have the best Federal cybersecurity
professionals when we have had the chance to consider all of the
qualified candidates, and the MACE Act will give us this chance.
Mr. RASKIN. Mr. Speaker, I yield myself such time as I may consume.
I thank the distinguished gentlewoman from California for her
introduction of this legislation with Congresswoman Mace and for her
leadership here.
The gentlewoman is absolutely right that there are people who may
have gotten a college degree and a Ph.D. in some other field but are
completely unprepared and unqualified to have a cybersecurity
professional's job in the Federal Government, and there are those who
never went to college at all who would be excellently prepared based on
what their professional and life experience has been.
I thank them for moving in this direction, and I hope we can look at
some other parts of Federal hiring to make sure we are making
equivalent adjustments, so we are getting, as the gentlewoman says, the
best candidates.
I am wondering--and I would yield to the gentleman for a second, if
he knows the answer to this.
Is it just a happy coincidence that the acronym for this legislation
is the MACE Act? Was that pure coincidence? I don't know.
In any event, I congratulate Ms. Mace and Ms. Porter on this
excellent legislation, and I yield back the balance of my time.
Mr. COMER. Mr. Speaker, the Modernizing the Acquisition of
Cybersecurity Experts Act will ensure that the Federal Government can
hire any qualified cybersecurity professional as long as they have the
right knowledge and skills even if they do not have a fancy degree. I
encourage my House colleagues to support this commonsense government
transparency bill, the MACE Act, sponsored by Chairwoman Nancy Mace,
that will make America smarter and more secure.
Mr. Speaker, I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from Kentucky (Mr. Comer) that the House suspend the rules
and pass the bill, H.R. 4502, as amended.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. COMER. Mr. Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further
proceedings on this motion will be postponed.
____________________