[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

    REVIEWING FEDERAL IT WORKFORCE CHALLENGES AND POSSIBLE SOLUTIONS

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 4, 2017

                               __________

                            Serial No. 115-6

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

25-717 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001

              Committee on Oversight and Government Reform

                     Jason Chaffetz, Utah, Chairman
John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, 
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of 
Justin Amash, Michigan                   Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Trey Gowdy, South Carolina           Jim Cooper, Tennessee
Blake Farenthold, Texas              Gerald E. Connolly, Virginia
Virginia Foxx, North Carolina        Robin L. Kelly, Illinois
Thomas Massie, Kentucky              Brenda L. Lawrence, Michigan
Mark Meadows, North Carolina         Bonnie Watson Coleman, New Jersey
Ron DeSantis, Florida                Stacey E. Plaskett, Virgin Islands
Dennis A. Ross, Florida              Val Butler Demings, Florida
Mark Walker, North Carolina          Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                       Jamie Raskin, Maryland
Jody B. Hice, Georgia                Peter Welch, Vermont
Steve Russell, Oklahoma              Matt Cartwright, Pennsylvania
Glenn Grothman, Wisconsin            Mark DeSaulnier, California
Will Hurd, Texas                     John Sarbanes, Maryland
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

                   Jonathan Skladany, Staff Director
                  Rebecca Edgar, Deputy Staff Director
                    William McKenna, General Counsel
                         Sean Brebbia, Counsel
                         Michael Flynn, Counsel
                         Kiley Bidelman, Clerk
                 David Rapallo, Minority Staff Director

                                 ------                                

                 Subcommittee on Information Technology

                       Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair  Robin L. Kelly, Illinois, Ranking 
Darrell E. Issa, California              Minority Member
Justin Amash, Michigan               Jamie Raskin, Maryland
Blake Farenthold, Texas              Stephen F. Lynch, Massachusetts
Steve Russell, Oklahoma              Gerald E. Connolly, Virginia
                                     Raja Krishnamoorthi, Illinois

                            C O N T E N T S

                              ----------                              
Hearing held on April 4, 2017

                               WITNESSES

Mr. Steven Cooper, Former Chief Information Officer, U.S. 
  Department of Commerce
    Oral Statement
    Written Statement
Ms. Elizabeth Hyman, Executive Vice President, Public Advocacy, 
  CompTIA
    Oral Statement
    Written Statement
Ms. Lisa Depew, Head of Industry and Academic Outreach, McAfee
    Oral Statement
    Written Statement
Mr. Dan Waddell, Managing Director, (ISC)2
    Oral Statement
    Written Statement
Mr. Nick Marinos, Director, Information Technology, U.S. 
  Government Accountability Office
    Oral Statement
    Written Statement
Ms. Debora Plunkett, Strategic Advisory Board Member, 
  International Consortium of Minority Cybersecurity 
  Professionals
    Oral Statement
    Written Statement

                                APPENDIX

Statement for the Record of Steven Weber, Faculty Director, UC 
  Berkeley Center for Long-Term Cybersecurity, Jesse Goldhammer, 
  Associate Dean, UC Berkeley School of Information and Betsy 
  Cooper, Executive Director, UC Berkeley Center for Long-Term 
  Cybersecurity, submitted by Mr. Hurd

 
    REVIEWING FEDERAL IT WORKFORCE CHALLENGES AND POSSIBLE SOLUTIONS

                              ----------                              


                         Tuesday, April 4, 2017

                  House of Representatives,
            Subcommittee on Information Technology,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 2:30 p.m., in 
Room 2154, Rayburn House Office Building, Hon. Will Hurd 
[chairman of the subcommittee] presiding.
    Present: Representatives Hurd, Kelly, Raskin, Connolly, and 
Krishnamoorthi.
    Mr. Hurd. The Subcommittee on Information Technology will 
come to order. And without objection, the chair is authorized 
to declare a recess at any time. But I don't think we're going 
to have to today, which is rare for once, right? And I want to 
say good afternoon to everyone. Thanks for being here.
    We are at a very pivotal time in our Nation's history. As 
technology becomes more and more a part of our lives, our 
society and institutions must keep pace. But the technology 
itself is only half the equation, as all of you know. 
Technology still requires people--people to monitor, upgrade, 
inspect, and safeguard the technology.
    That is why we are here today: to discuss the human element 
and the policies we as a Congress need to advance the Federal 
IT workforce and make sure it is comprised of qualified IT and 
cybersecurity professionals.
    Right now, Federal agencies are facing a shortage of IT and 
cybersecurity professionals in a highly competitive 
marketplace. During one of our last hearings on this subject, 
one witness testified that 209,000 cybersecurity jobs went 
unfilled in 2015. That's a pretty large number.
    That's why I've been advancing the idea of a Cyber National 
Guard, which was first brought up to us at a field hearing in 
Chicago. So thank you, Robin Kelly. And this is really a way to 
talk about how do we recruit and hire qualified individuals to 
the Federal IT workforce and then retain their skills in the 
future on a rotational basis.
    It's real simple. Most of these hearings I usually know the 
answer to the questions that I'm going to ask. This is one 
where I do not.
    And the idea is this: What are the gaps in the CIOs' 
offices from GS-13 below. We have to figure out what that gap 
is, right, and we are working to do that so that we can figure 
out what are those jobs that we are trying to target. Do we do 
it by giving high school kids scholarships to go to college? Do 
we do it by forgiving debt for people that have the jobs who 
need to go into those positions that we need? If it is giving 
scholarships, where do we find the money?
    So that's the first piece. Once we identify the need, the 
first step is, how do we get young people into their first step 
being the Federal Government and the dot-gov space?
    The second piece is, how do we, once they come and work for 
the government and they go out in the private sector, how do we 
get them back in on a rotational basis? What are the jobs that 
would be achieved through that rotational basis? The jobs are 
going to be different than the ones that we're trying to target 
by creating some kind of scholarship program.
    The concept is actually quite simple. And then once we 
figure out how we get these people back in on a rotational 
basis, how often will they do that? You know, the National 
Guard is the proverbial 1 weekend a month, 2 weeks a year, but 
does that have enough--that's going to impact business 
processes at that company. Is it 10 days a quarter? Is it 15 
days every 6 months? And what are those jobs that those people 
can be coming back into and working on?
    These are the steps in the process, I see it three phases, 
once we identify what jobs we're going to target, and hopefully 
we have some time to explore these ideas here today.
    And with that, it is my honor and my privilege to introduce 
not only the ranking member of this committee, but my good 
friend, Robin Kelly, from the great State of Illinois.
    Ms. Kelly. Thank you, Mr. Chairman, and welcome to the 
witnesses. Mr. Chairman, thank you for calling today's hearing 
concerning the challenges to hiring IT professionals in the 
Federal Government.
    In 2016, GAO said that the persistent cyber threat 
presented a risk to our national security. We should understand 
that the inability to attract and retain qualified cyber 
professionals throughout the government threatens our ability 
to address cyber threats. So the workforce issue this hearing 
is concerned with has the potential to impact the safety of 
each and every American and the stability of our country.
    America's leading companies are facing a similar situation. 
(ISC)2 projects a shortage of 1.8 million cyber professionals 
across both the public and private sector by 2022. We obviously 
face similar challenges in hiring.
    Both the public and private sectors face sophisticated 
cyber threats. Last month, the Justice Department charged two 
Russian intelligence officers with orchestrating a hack that 
stole data from 500 million Yahoo users, of which I was one. I 
shouldn't have to remind anyone that in January of this year 
our intelligence agencies also found that the Russian 
Government orchestrated a sustained campaign against our 
elections using various weapons, including cyber attacks on 
political parties.
    While we view the public and private sector as separate, 
cyber criminals and nefarious state actors do not care about 
those distinctions. For instance, the data stolen from the 
Yahoo attack was used to spy on both bank executives and White 
House employees.
    Addressing the threat requires that government and the 
private sector both succeed in finding qualified individuals. 
For one thing, we desperately need to expand the pool of 
talent that we are both joining from and keep the professionals 
that are so critical to protecting the security of our Nation.
    Talented women and minorities are not just being hired. 
Currently, women hold 28 percent of science and engineering 
jobs. Hispanics and African Americans hold 6 percent and 5 
percent of those jobs, respectively. We need to improve these 
numbers as we grow the number of available IT professionals.
    Another problem was created by the President himself. The 
President's hiring freeze is obviously a barrier to recruiting 
and hiring the IT professionals the government needs. Nextgov 
points out that the hiring freeze sends a message that IT 
professionals are not valued in the Federal Government. These 
highly desired candidates could instead choose to go to the 
private sector where they are heavily recruited.
    Also, constant calls to cut the Federal workforce and strip 
them of protections will not help attract needed talent. Who 
would want to work for an employer that publicly criticizes 
them and constantly questions the need for them? Candidates 
with numerous options certainly would not.
    I look forward to hearing the witnesses' ideas to address 
this issue and expand the pipeline of diverse, qualified, and 
valued candidates. It is important that the candidates we 
recruit to address the next generation of challenges are 
representative of our population at large.
    I'm glad you came to Chicago and got that idea. Thank you, 
Mr. Chairman.
    Mr. Hurd. Thank you, Ranking Member Kelly.
    I'm going to hold the record open for 5 legislative days 
for any members who would like to submit a written statement.
    Now we are going to recognize our panel of expert 
witnesses.
    I'm pleased to welcome Steven Cooper, the former CIO for 
the U.S. Department of Commerce, not a stranger to this 
committee.
    Ms. Elizabeth Hyman, executive vice president of public 
advocacy for CompTIA.
    Thanks for being here, Elizabeth.
    Ms. Lisa Depew, head of industry and academic outreach for 
Intel.
    You guys, I was just down in your facility in Austin.
    Dan Waddell, managing director for (ISC)2.
    Nick Marinos, director of information technology at the 
U.S. Government Accountability Office.
    Thanks for being here, Nick.
    Finally, Ms. Debora Plunkett, a Strategic Advisory Board 
member for the International Consortium of Minority 
Cybersecurity Professionals.
    Welcome to you all. And pursuant to committee rules, all 
witnesses will be sworn in before you testify. So please rise 
and raise your right hand.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth, so help you God?
    Thank you, and please be seated.
    Let the record reflect that the witnesses answered in the 
affirmative.
    To allow ample time for discussion, I would appreciate if 
you would limit your opening remarks to 5 minutes, and your 
entire written statements have been made part of the record. So 
I appreciate that.
    We are going to start off with Mr. Cooper for your opening 
remarks for 5 minutes.

                       WITNESS STATEMENTS

                   STATEMENT OF STEVEN COOPER

    Mr. Cooper. Chairman Hurd, Ranking Member Kelly, members of 
the subcommittee, thank you for inviting me to appear before 
you today. I am honored to join this panel to offer a few ideas 
regarding the Federal IT workforce.
    Having been trained by the best government lawyers, I would 
like to state at the outset that the opinions and ideas I will 
share are my own and not offered on behalf of any government 
agency or industry organization.
    Mr. Hurd. So noted.
    Mr. Cooper. Thank you.
    I have had the privilege of serving as a public CIO in 
three different departments over the last 15 years before 
retiring in January as the CIO of the Department of Commerce. I 
am honored to have served as an appointee in both Republican 
and Democratic administrations--and as a career govie--all at 
the senior executive level. I share this background because I 
strongly believe improving the skills, capability, 
effectiveness, and esprit de corps of the Federal IT workforce 
is a bipartisan issue.
    I have directly addressed many of the challenges we will 
likely discuss today and have experienced success in overcoming 
many, but not all, of these challenges and can share my 
experience and learning with the subcommittee.
    I can't cover all that I'd like to in my opening remarks, 
so I want to highlight three persistent challenges which may 
not be as visible or well known to members of the subcommittee, 
industry, and the GAO.
    First, position descriptions. A position description, or 
PD, is required before any recruiting action can occur. Human 
resources reviews and approves all PDs before a position can 
even be posted.
    Very few IT personnel, including myself, are trained and 
skilled at writing robust PDs. The current library of IT PDs 
within an agency or available from OPM do not adequately 
reflect the skills needed by today's workforce, much less what 
is coming at us in the next few years. Too many are obsolete.
    Even more concerning to me, PDs don't even exist for 
emergent roles related to digital forensics, data science, 
artificial intelligence, the internet of things, drone 
technology, autonomous vehicles. I think you get my point.
    In my experience, not having an up-to-date HR-approved PD 
causes delays of up to 6 months in the recruiting process. One 
idea to fix this: with collaboration from OMB, the Federal CIO 
Council, and the Federal Chief Human Capital Officers Council, 
task OPM as the lead agency to develop a PD library of 
preapproved current and emerging IT roles available for use by 
any Federal agency. I'd even toss in State and local 
government.
    Second, promotions. When an individual's first hired into 
the Federal workforce, the position they fill carries a grade 
level for pay and promotion purposes. In many agencies the 
person cannot be promoted to a higher grade without competing 
for that position because there is no approved way to do what I 
think of from the private sector and referred to in government 
sometimes as an in-line promotion without competition, 
particularly for supervisory positions. Competition is good, 
and the best do rise to the top.
    And here is the unintended consequence of this process. I 
had some of my most qualified cyber employees leave my offices, 
either for industry or for another department, because we did 
not have open positions for which they could compete to be 
promoted at a time they were ready; or they were not 
selected and then chose to leave for another agency who could 
offer a promotion.
    My idea to fix this? Again, task OPM as the lead agency to 
create and standardize career ladders by role to allow in-line 
promotions for qualified employees when they are ready for 
promotion. You can kind of get a lot of information about this 
from the private sector.
    Third, filling cybersecurity positions. When I left 
Commerce in January, there were 10 cyber vacancies in my 
office. With a continuing resolution and the hiring freeze in 
place, those positions remain empty as I speak.
    How do we address this shortage? Chairman Hurd has spoken 
previously about the concept of the Cyber National Guard. I 
fully support the concept of having trained, skilled cyber 
personnel at the ready who can be put into service with very 
short notice, much like the FEMA disaster corps, another model.
    Another service model could reflect a formal agreement or 
contract like the military reserves. This Cyber Reserve Corps 
could drill each month alongside their government counterparts 
and could be activated for longer periods of time to assist 
agencies in response to a breach or to assist in deployment of 
new security patches. Those are just two examples.
    I've also spoken previously about a loan employee program, 
similar in concept to the IPA program with academia, which 
could provide skilled IT managers and technical professionals 
for up to 2 years.
    In closing, I know I have not addressed all the challenges 
facing the Federal IT workforce in my opening statement. 
However, I am confident that with the leadership of the 
committee members and the GAO, solutions to existing problems 
can be found in a collaborative partnership between government 
and industry.
    I look forward to your questions.
    [Prepared statement of Mr. Cooper follows:]
    
    Mr. Hurd. Thank you, Mr. Cooper. I look forward to asking 
you questions.
    Ms. Hyman, you're now recognized for 5 minutes.

                  STATEMENT OF ELIZABETH HYMAN

    Ms. Hyman. Terrific. Thank you.
    Good afternoon and thank you, Mr. Chairman, Ranking Member 
Kelly, for inviting us here today. I'm here on behalf of 
CompTIA, which is a nonprofit tech trade association. We 
represent approximately 2,000 member companies, 3,000 academic 
and training partners, and 100,000 registered users for our 
organization.
    Government and the private sector have a shared challenge: 
to have in place the right skilled workforce to utilize 
technology, enhance productivity, and mitigate and manage 
security threats. And this is what I'd like to discuss briefly 
today.
    In many ways the creation of CompTIA certifications--and I 
should add that we are the leading global provider of vendor-
neutral IT workforce certifications, and we in many ways have 
created a de facto framework, along with our brethren 
certification bodies. CompTIA provides a route from entry to 
advanced-level skills called the cybersecurity career pathway 
recommendation, and it takes a beginner in IT and it equips 
them with 5 to 10 years of the equivalent knowledge, skills, 
and abilities needed by all cybersecurity professionals.
    We have sought to share the lessons that we've learned in 
developing and deploying these certifications with the 
government as it has sought to create frameworks and standards 
to train and validate government employee IT skills, and 
particularly in cybersecurity.
    A few successful public-private partnerships for your 
consideration today. The Department of Defense has worked 
closely with the training and certification community as they 
developed its 8570 and successor 8140 initiatives. These 
require that DOD personnel and contractors with information 
assurance responsibilities in their job roles have to have 
industry-recognized certifications.
    Also of note and a part of the fiscal year 2016 omnibus 
appropriations bill is the Federal Cybersecurity Workforce 
Assessment Act, and it directs the Federal Government to take 
stock of the certifications held by the existing cyber 
workforce to determine what skills may be missing currently in 
that workforce.
    NIST has also collaborated with CompTIA and our partner 
Burning Glass to develop a real-time heat map for supply and 
demand of cybersecurity workers in the United States. This is 
called CyberSeek, it is available at CyberSeek.org.
    CompTIA is also supportive of the DHS National Initiative 
for Cybersecurity Careers and Studies, the NICCS portal, and 
the National Initiative for Cybersecurity Education. And in my 
comments I discuss those--the written testimony--at greater 
length.
    I'd also like to share that CompTIA as a certifying body 
regularly conducts research gauging the value and impact of 
certifications. Our research confirms that testing after 
training helps to set a baseline of expertise among staff, 
provide career path guidance, improve the performance of a 
team, retain talented staff, and helps to evaluate staff with 
promotions or career development.
    There's no question that technology sector jobs are 
growing. Nevertheless we struggle to fill job openings every 
year with roughly a million job postings in the IT sector. This 
is not to say that every job posting must or will be filled, 
but with nearly 800,000 tech workers expected to retire through 
2024, this only adds to what we call the skills gap. Therefore, 
we will all need to focus on innovative ways to attract more 
people to tech careers, and particularly in the area of 
cybersecurity, and there's a few areas that I'd like to 
highlight.
    We ourselves have put forward a proposal to be included in 
the fiscal year 2018 NDAA for a ``Service to Cyber Warriors'' 
program that would provide a stipend for veterans and members 
of the Armed Forces to cover the expenses of IT training, 
materials, certifications, and other employment-seeking 
services.
    We also supported the introduction of the State Cyber 
Resiliency Act, which on the workforce front encourages States 
to develop cyber resiliency plans to fulfill the essential 
functions of mitigating talent gaps in the State government 
cybersecurity workforce.
    The DOD Cyber Scholarship Program Act and the Cyber 
Scholarships Opportunity Act were recently introduced in 
Congress. The overarching goal of these legislative proposals 
is to build a robust cybersecurity workforce. These proposals, 
in our view, could only be strengthened by recognizing training 
and industry-recognized certifications as yet another pathway 
in addition to 2- and 4-year college opportunities.
    Finally, CompTIA also supports apprenticeships and 
vocational models for building out our Nation's IT workforce 
and cybersecurity workforce. We are now working with a number 
of House and Senate offices on a legislative proposal, not yet 
introduced, which is called the Championing Apprenticeships for 
New Careers and Employees in Tech Act, with the goal of scaling 
up the number of apprenticeships in our country.
    In summary, we are grateful that you've raised this topic 
today. We strongly believe that the Federal Government can be a 
leader in building the tech workforce. It can do so by 
continuing to support the great work that has already been done 
by DOD, NIST, and other agencies, by insisting that educational 
pathways include not only 2- and 4-year college educational 
programs, but also industry-recognized certifications and 
experiential learning, and by developing and resourcing 
innovative programs that will encourage more people to enter 
into a tech and cybersecurity career through the government.
    And I thank you for the opportunity to share this with you 
and look forward to your questions.
    [Prepared statement of Ms. Hyman follows:]
    
    Mr. Hurd. Thank you.
    And, Ms. Depew, I think I incorrectly identified--it's a 
new thing, right? That is McAfee rather than Intel. But I would 
like to thank you and your colleagues at Intel for planting the 
seed in Chicago on this important topic. And now you're 
recognized for 5 minutes in your opening remarks.

                    STATEMENT OF LISA DEPEW

    Ms. Depew. Good afternoon, Chairman Hurd, Ranking Member 
Kelly, and distinguished members of the subcommittee. Thank you 
for the opportunity to testify today.
    I am Lisa Depew, head of industry and academic outreach for 
McAfee. I've spent nearly 20 years in the technology industry 
in a wide range of engineering positions, focusing the last few 
years on cybersecurity.
    I am pleased to address the committee on Federal IT 
workforce challenges, an important issue McAfee understands 
well. My testimony will briefly describe the problem, offer 
some specific solutions, and recommend cultural changes to 
mitigate our cybersecurity skills shortage.
    In 2016, Intel Security and the Center for Strategic and 
International Studies undertook a study titled ``Hacking the 
Skills Shortage,'' based on a global survey of IT professionals. 
Eighty-two percent of those surveyed reported a lack of 
cybersecurity skills within their organization, 71 percent 
agreed that the talent shortfall makes organizations more 
vulnerable to attackers, and 25 percent say that the lack of 
sufficient cybersecurity staff has actually contributed to data 
loss or theft and reputational damage.
    The cybersecurity workforce shortage is projected to reach 
1.8 million by 2022, according to the most recent Global 
Information Security Workforce Study. We see a significant lack 
of diversity in the workforce as well. Bureau of Labor 
Statistics numbers indicate in North America women constitute 
only 14 percent of the information security workforce and 
African Americans comprise only 3 percent of information 
security analysts in the U.S.
    The cybersecurity skills shortage is particularly acute in 
the Federal Government. Tony Scott, the Federal Government's 
former CIO, indicated an estimated 10,000 openings in the 
Federal Government for cyber professionals that couldn't be 
filled because the talent supply simply wasn't available.
    McAfee would like to make the following recommendations for 
closing the skills gap.
    First, expand the current CyberCorps program. The 
CyberCorps Scholarship for Service program is designed to 
increase and strengthen the cadre of Federal information 
assurance specialists that protect government systems and 
networks by supporting collegiate students with funding, 
internships, and work opportunities.
    Policymakers should expand funding for this initiative. For 
context, $40 million pays for roughly 1,500 students to 
complete the scholarship program. We recommend extending 
funding to the $180 million range. Supporting 6,400-plus 
scholarships would make a significant dent in the estimated 
10,000-worker Federal cyber skills deficit.
    Additionally, government should consider creating a 
complementary community college program. A strong security 
operation requires multiple levels of skills, not all of which 
require 4-year or graduate degrees. Having a flexible 
scholarship program at a community college, including practical 
skills training and ability to earn a transferable 2-year 
cybersecurity certificate, could benefit a wide variety of 
applicants, while providing the profession with additional 
necessary skills.
    Private companies could partner with local community 
colleges to establish cybersecurity-focused curricula and offer 
private sector practitioners as guest lecturers. The Federal 
Government could fund all or part of the tuition remission for 
students, with students again working the number of years in 
Federal service equal to time spent in the program.
    Community colleges tend to attract a variety of students, 
including recent high school graduates, but also returning 
veterans and other adults who have pursued alternate careers. 
The community college option could also further ethnic and 
racial diversity. A community college program should not 
substitute, but rather complement the existing CyberCorps 
program.
    In addition to workforce development programs, we must make 
systemic cultural changes to close the cyber skills gap. First, 
we must increase cyber safety awareness. Practicing cyber 
safety must become as routine to America's youth as washing 
hands and putting on their seat belts.
    Additionally, we need to make cybersecurity accessible and 
appealing to a broader range of potential professionals. 
Graduation rates of female engineers are highest in biomedical 
and environmental engineering, fields where students can draw a 
direct correlation to helping humanity. If we better articulate 
the value of cybersecurity in protecting people's personal and 
professional lives, we have a target-rich environment of highly 
skilled girls and women who could be joining the ranks to fill 
that 1.8 million-person deficit.
    In conclusion, there is much we can do to close the 
cybersecurity skills gap. It will take a true public-private 
partnership, expansion of funding and programs, and a 
fundamental shift in cyber safety awareness and the perception 
of cybersecurity as a profession.
    Thank you, and I will be happy to answer any of your 
questions.
    [Prepared statement of Ms. Depew follows:]
    Mr. Hurd. Thank you.
    Mr. Waddell, you are recognized for 5 minutes.

                    STATEMENT OF DAN WADDELL

    Mr. Waddell. Thank you, sir.
    Chairman Hurd, Ranking Member Kelly, and distinguished 
members of the subcommittee, let me begin by thanking you for 
inviting me to speak on this very important issue. On behalf of 
the (ISC)2, we will look forward to working with you in the 
coming years to help ensure our country is safe, secure, and 
resilient against cyber attacks and other risks.
    As a matter of introduction, (ISC)2 stands for the 
International Information System Security Certification 
Consortium. We are the largest nonprofit membership body of 
certified cyber, information, software, and infrastructure 
security professionals, with over 123,000 members worldwide, of 
which many are currently employed at or contracted by our 
Federal Government.
    We are known for our certified information systems security 
professional, or CISSP. When employees earn their CISSP or any 
of our other certifications, it shows they have the knowledge 
and skills in order to perform in this field. Ideally, through 
our continuing professional educational requirements, they will 
be qualified throughout their lifetimes. Through our 
certifications, our training and education offerings, and our 
research, internet safety, and scholarship programs, we 
encourage cybersecurity students and professionals to help 
achieve our vision: to inspire a safe and secure cyber world.
    However, accomplishing this vision is made more difficult 
when there is a lack of qualified cybersecurity professionals. 
You've heard the numbers and our study referenced here today, 
the Global Information Security Workforce Study. The 2017 
version of this biannual study took place from June 2016 
through September 2016 via a web-based survey and over 19,000 
cybersecurity professionals from over 170 nations responded. 
And you can find more information on this at iamcybersafe.org.
    We've heard the numbers, 1.8 million by the year 2022, as 
far as a talent gap is concerned. So what can we do 
collectively to solve this crisis?
    Recently, the (ISC)2 executive management team gathered 
recommendations that we believe will be critical to the success 
of the cybersecurity workforce. Specifically, during a 
gathering in December 2016, members of (ISC)2's U.S. Government 
Advisory Council hosted former Federal Chief Information 
Security Officer Greg Touhill and a group of Federal agency 
CISOs and executives to discuss what was necessary to ensure 
the continuation of progress for the new administration.
    As a result of that discussion, we offered several 
recommendations. I will briefly summarize three of them now. 
The entire list can be found in my written testimony.
    One, harden the workforce. Everyone must learn 
cybersecurity. We have to break the commodity focus of simply 
buying technology and stopping there, without focusing on 
training all users. People need patching too. From the intern 
to the CEO, the mindset needs to be cybersecurity is everyone's 
job. To achieve this, we need to encourage cybersecurity cross-
training to promote cyber literacy across all departments 
within Federal agencies.
    Two, incentivize hiring and retention. In today's world a 
sense of mission doesn't always override good pay. Incentives 
work. For example, following the cybersecurity hiring 
authorities passed by Congress in 2014, DHS NPPD provided pay 
incentives at 20 to 25 percent above an employee's annual pay 
to motivate and retain cybersecurity hires. The practice of 
incentive pay needs to be replicated throughout the Federal 
Government in order to attract experts from the private sector.
    This perk also plays a key role in retaining cybersecurity 
talent. According to the Pew Research Center, millennials 
recently surpassed Gen X as the largest generation in the U.S. 
workforce. And our study found that paying for professional 
memberships and training are key drivers in job satisfaction 
with this demographic.
    Three, civil service reform. The civil service system is 
broken and does not meet the government's needs. In our best 
effort to attract and retain top cyber talent, we are 
handicapped by the government's antiquated GS classification 
and pay system that makes it difficult to promote high 
achievers and reposition nonachievers.
    We've talked about the Cyber National Guard concept, which 
would allow the Federal Government to repay student loans of 
both STEM and STEAM graduates who agree to work for a number of 
years in a Federal agency before returning to the private 
sector. This will serve as a natural extension to the existing 
Scholarship for Service program and will help to broaden the 
broader workforce development initiative.
    Through these recommendations and the programs that we 
offer, (ISC)2 hopes to establish an open avenue of communication 
with you, your staff, and others in Congress as we all work 
toward strengthening cybersecurity throughout the Federal 
Government, both now and in the future. We see this time of 
transition as an opportunity for our members to be a 
stabilizing force during an intrinsically uncertain process. 
(ISC)2 would like to offer its ongoing support to you and the 
other organizations represented here today by providing 
resources, research, and community.
    Thank you, and I look forward to your questions.
    [Prepared statement of Mr. Waddell follows:]
    Mr. Hurd. Thank you, sir.
    Mr. Marinos, you're now recognized for 5 minutes.

                   STATEMENT OF NICK MARINOS

    Mr. Marinos. Thank you, sir.
    Chairman Hurd, Ranking Member Kelly, and members of the 
subcommittee, thank you for inviting GAO to testify on 
challenges facing the Federal IT and cybersecurity workforce.
    For context, it's important to note that the Federal 
Government and the Nation's critical infrastructures continue 
to face an ever-increasing and evolving array of cyber threats. 
As the committee's aware, the GAO has designated this as a 
high-risk area for the government for 20 years now.
    It's clear that having a qualified, well-trained 
cybersecurity workforce is critical to mitigating these 
threats, and we also know that there is a persistent shortage 
in cyber talent affecting both the public and private sectors.
    Today, I'd like to highlight three key challenges to 
building the government's cyber workforce. The first is 
workforce planning, the second is recruiting and retaining 
talent, and the third is navigating the government's hiring 
process.
    As for workforce planning, the Federal Government hasn't 
always taken a strategic approach. We and others have reported 
over the last several years about difficulties agencies have 
had in assessing the gaps between what skills their workforce 
has today and where they need to be to address current and 
future threats.
    Second, the Federal Government has had a hard time 
recruiting and retaining talent. In recent surveys we conducted 
of Federal chief information officers and chief information 
security officers this was consistently identified as a top 
challenge. In discussions with these officials we heard 
concerns over limitations that agencies had in offering 
competitive salaries and also difficulties in losing top 
government staff to higher-paying jobs outside government.
    Third, we all recognize that the Federal hiring process can 
be lengthy and complex and doesn't always match candidates with 
open positions. We recently reported that agencies may not be 
leveraging the right hiring authorities when working to 
expedite the hiring process.
    Collectively, the three challenges I just described are 
also reasons why GAO has kept strategic human capital 
management as another governmentwide high-risk area since 2001.
    Now I'd like to mention a few of the ongoing efforts within 
the Federal Government aimed at tackling these issues.
    As for the executive branch, in July of last year the 
Office of Management and Budget and the Office of Personnel 
Management jointly issued the Federal cybersecurity workforce 
strategy. This set goals and milestones for agencies to 
identify cybersecurity workforce needs, expand the workforce 
through education and training, recruit and hire highly skilled 
talent, and retain and develop the existing workforce. If 
implemented in full, the strategy could help executive branch 
agencies determine what critical skills they need and how to 
fill those gaps more quickly.
    In addition, Congress has demonstrated its commitment to 
addressing cyber workforce challenges by holding agencies 
accountable through recent legislation. These laws require 
Federal agencies to, for example, identify cybersecurity 
positions of critical need and mitigate shortages. Legislation 
also tasks GAO with monitoring agencies' progress in meeting 
these workforce planning requirements. And in fact, we've 
recently initiated that review in response to this requirement 
and expect to report back to Congress later this year.
    There are also governmentwide efforts underway working to 
increase the supply of qualified cyber professionals. As 
several of the panelists have noted, the CyberCorps scholarship 
program provides tuition assistance to students who are 
studying cybersecurity at the now over 70 participating 
universities in exchange for commitment to Federal service.
    In conclusion, recruiting, developing, and retaining a 
qualified and competent cybersecurity workforce remains a 
critical challenge to the Federal Government. If effectively 
implemented, recent efforts by the executive branch and by 
Congress could help in addressing these issues. We look forward 
to reporting back in the near future on whether progress has 
been made.
    This completes my prepared remarks, and I look forward to 
your questions.
    [Prepared statement of Mr. Marinos follows:]
    Mr. Hurd. Thank you, sir.
    Ms. Plunkett, you are now recognized for 5 minutes.

                  STATEMENT OF DEBORA PLUNKETT

    Ms. Plunkett. Chairman Hurd, Ranking Member Kelly, and 
distinguished members of the subcommittee, it is my pleasure to 
appear before you today as a member of the Strategic Advisory 
Board of the International Consortium of Minority Cybersecurity 
Professionals, a grassroots, not-for-profit organization 
established in 2014 which has contributed to efforts to address 
the great cybersecurity diversity divide. Ultimately, with 
scarce talent and high demand, it is even more critical to 
focus efforts on increasing capacity.
    The cybersecurity workforce shortfall should be of much 
consternation given that cyber crime and information theft, to 
include cyber espionage, are among the most serious economic 
national security challenges that our country faces. In fact, 
as we speak, there are discussions in this Congress regarding 
the potential role that Russia may have played in our recent 
Presidential elections. There is an urgent need for more 
capacity to address this, as well as other current day cyber 
threats.
    It has been reported that the underparticipation by large 
segments of our population represents a loss of opportunity for 
individuals, a loss of talent in the workforce, and a loss of 
creativity in shaping the future of cybersecurity. Not only is 
it a basic equity issue, but it threatens our global economic 
viability.
    According to Frost & Sullivan's 2017 Global Information 
Security Workforce Study, there is a projected shortfall of 1.5 
million people during the next 5 years. Today, however, women 
represent only 11 percent of the total cybersecurity workforce 
and the percentage representation of African Americans and 
Hispanics in cybersecurity has been reported at approximately 
12 percent combined. This data takes on added meaning when we 
consider the projected growth of the U.S. minority population 
over the next few decades.
    The cybersecurity workforce shortfall and the growing 
diversity gap in the United States also reflect the broader 
challenge that the U.S. faces in STEM programs in our schools. 
Until we can get more students matriculating with STEM-related 
degrees these shortfalls will persist. We must be laser focused 
on quality and retention in middle and high school STEM 
programs as these formative years determine the future talent 
pipeline for the cybersecurity workforce. Strategies and 
programs are needed to provide significantly more 
opportunities, to include an infusion of resources to support 
everything from curriculum and faculty development to tuition 
support.
    We also need to develop programs that not only provide 
financial incentives, but that also provide the flexibility to 
move into and out of government and industry more seamlessly 
without the threat of a loss of forward career progression.
    ICMCP has developed five key objectives to address the 
cybersecurity diversity divide that include increasing the 
number of scholarship, internship, and employment opportunities 
for minority STEM students and facilitating increased 
attraction, retention, and professional development and 
advancement.
    Since 2016, ICMCP has awarded almost $200,000 for 
scholarships, certifications, and development, and placed 
dozens of aspirants into internships, cybersecurity positions, 
and/or with mentors.
    Finally, we are very excited to have launched a Security 
Operations Center at an academic institution aimed at ensuring 
students graduate with hands-on skills to augment their 
classroom learning.
    There are also several government-led initiatives, and I 
will just highlight one because others have already been 
mentioned. The CyberCorps Scholarship for Service program is a 
phenomenal program. There is legislation pending to increase 
funding and I would urge you to support it.
    In conclusion, the efforts to date to address the 
cybersecurity workforce shortfalls are commendable, but clearly 
insufficient. More must be done and with the sense of urgency 
commensurate with our understanding of the capabilities and 
intentions of nation-states, as well as other bad actors.
    Sadly, however, with over 200,000 unfilled jobs in cyber 
and with the dismal representation of women and minorities in 
the cybersecurity field, there is much more that can and must 
be done. Several studies have proven that diverse teams win, 
and specifically diversity has been shown to positively impact 
bottom line revenues.
    The greatest tragedy could be our failure to recognize the 
potential for all Americans to contribute to this workforce 
deficit. The time is now to act decisively and courageously, to 
resource efforts, establish new initiatives, and closely track 
progress towards narrowing this gap.
    Thank you for the opportunity to participate, and I look 
forward to your questions.
    [Prepared statement of Ms. Plunkett follows:]
    Mr. Hurd. Thank you, Ms. Plunkett.
    And before I recognize Robin Kelly for her opening 
questions, I ask unanimous consent that a statement from UC 
Berkeley on the cybersecurity workforce talent be entered into 
the record. Without objection, so ordered.
    Mr. Hurd. I would now like to recognize Ranking Member 
Kelly for 5 minutes.
    Ms. Kelly. Thank you. And thanks to the witnesses.
    Events of the past few years have made clear how vitally 
necessary it is to protect our public and private institutions 
from cyber threats. Attacks against critical infrastructure, 
such as electric grids and nuclear facilities around the world, 
prove that highly skilled and determined enemies are attacking 
real targets all the time, and we need talented people to 
defend against these attacks. It is alarming that as our 
critical need to seriously build and develop a world-leading 
cyber workforce grows, we face a shortage of the very people 
that we need to accomplish this work.
    And I guess to all of you first, whoever wants to answer, 
why don't you think, especially from the young folks, that we 
have more interest, when you think about all the games and 
this, that, and the other, why do you think from younger people 
that this is not one of their, I guess, aspirations, to get 
into this market? And we're talking about cyber, but as I speak 
to my manufacturers even about advanced manufacturing, they 
need technology. They are suffering also. So it's tech in 
general.
    Ms. Hyman. I'm happy to reply in brief.
    So CompTIA has a philanthropic arm, it is called Creating 
IT Futures, and they recently did some research with the group 
IDEO, out of Chicago actually, looking at this exact issue, 
because we are very focused on trying to get younger people 
into the tech pipeline.
    A lot of it has to do with exposure to mentors, believe it or 
not, that have good jobs that are interesting to them and that 
they can share that sense of excitement with young people. I 
know that sounds sort of simplistic, but in fact research bears 
it out.
    Recently, we launched something called the NextUp program 
through our philanthropic arm. The idea is to try and match 
young people grades 6 through 10 with mentors throughout the 
tech community so that they're disabused of the idea that a 
tech career is some guy in a hoodie in a basement, but it is 
actually a very multifaceted, colorful career opportunity. And 
we are doing this by partnering with other groups. So we just 
gave, I believe, $150,000 to Tech-Girls, for a program in 
Chicago, in fact, to try and bring together those mentorship 
opportunities.
    So that's one piece of the puzzle, but in fact, in our 
view, a very important one.
    Ms. Kelly. Thank you.
    Mr. Cooper. Let me add a perspective, kind of from inside 
government, although everybody knows I'm retired and not 
officially inside government. But I want to combine a lot of 
what Ms. Plunkett said along with what Ms. Hyman just said.
    I think a significant part of the problem that directly 
addresses how come more younger folks don't come into this 
field, particularly in government, because we in government 
don't do a good job of making it attractive.
    Let me use an example from when I was in the private sector 
with Eli Lilly. We had a very, very formal program that placed 
recruiting teams on a regular basis with the Historically Black 
Universities and Colleges. It was extremely successful. There 
were three or four team members who remained in place, a lot of 
them were alumni of these organizations, joint with other Lilly 
managers and senior people, that visited campuses on an ongoing 
basis to identify early rising talent, the best students coming 
out.
    Lilly then did a number of things, but they had an 80 
percent hire rate of those students identified through that 
program and about a 60 percent career retention rate of those 
people. It included scholarships and things like that.
    So I think a whole lot of it--there is nothing like that 
that I'm aware of in government. I didn't do it, shame on me, 
when I was in government. But we've got to make folks more 
aware of the opportunities, particularly in cyber, in the 
Federal enterprise.
    Ms. Kelly. Yes.
    Mr. Waddell. I just wanted to piggyback on Elizabeth's 
comments from CompTIA. I absolutely agree with what she said.
    At (ISC)2 we are actually trying to get them a little bit 
earlier. We have actually partnered with Garfield, believe it 
or not, to address the 1 through 6 grade level. And it is 
really just going into schools and having a dialogue with these 
kids, because a lot of times they have this impression of the 
hacker in the hoodie and the cyber job that is really all about 
just being behind the keyboard.
    But cybersecurity has so many different roles to play, and 
we found that through this program just by simply inducing 
videos and comic books about just basic internet safety it 
starts the dialogue.
    I've been in schools in Prince William and Fairfax County 
and I've talked to these kids. And they come up and they say, 
``Wow, what do you do for a living? I want to do that. How do I 
get involved?''
    So just by using that character Garfield, believe it or 
not, it really starts that conversation.
    Ms. Kelly. I'm so glad to hear the comments that all of you 
had, because I think it is so important to start young and to 
go into the schools. Because in my district, which is urban, 
suburban, and rural, so the thing that I have to deal with that 
everyone talks about Chicago. But there is a--I'm glad you do--
but there is the south suburbs, I have a rural part of my 
district, and they tend to lose out because they are kind of 
competing with the big city, and they don't have the 
transportation and those kind of things.
    But I do think, like you said, people don't even think 
about doing these things and we have to put it on their minds. 
And then some of my school districts, they don't even--I just 
helped get one area of my district the internet so they could 
go on the world wide web. So, I mean, they don't even have 
that, your phone or your GPS doesn't work. Now it does, but it 
didn't work.
    So we really do need to have that personal relationship and 
whatever your companies can do would be fantastic.
    I'm over time.
    Mr. Hurd. Mr. Raskin from Maryland is recognized.
    Mr. Raskin. Thank you very much, Mr. Chairman.
    And thanks to all the witnesses for your excellent 
testimony.
    I'm someone who is quite perturbed and disturbed about the 
Russian cyber hacking and sabotage of the 2016 election. And 
the best that I can tell is that Vladimir Putin figured that he 
was no military match for the United States, but he could 
launch something like a Manhattan Project for cyber attacks and 
then figure out a way to unleash mayhem in the U.S., Brexit, 
France, Italy, all over the world. And so it seems to me you 
guys are on the front lines of the real defense of America 
against the big threats today.
    But I wonder if you think that the allocation of our 
resources corresponds to the reality of the threats against us. 
President Trump has suggested slashing $56 billion from the 
domestic budget from NIH and from Peace Corps and from HUD and 
Community Development Block Grants, which I think is 
independently a misallocation of our priorities.
    But put that $56 billion directly into the Pentagon and I'm 
wondering if you think if the money is spent the way we have 
traditionally spent it that addresses the threats that are 
really facing the country or if we have to think of the defense 
budget as something that puts cybersecurity right at the heart 
of it now.
    So I don't know if anybody wanted to volunteer to take that 
one.
    Mr. Cooper.
    Mr. Cooper. I'll take a shot at it. I can kind of talk--I 
can color outside the lines a little bit as opposed to joining 
you in previous hearings.
    First of all, I think that the approach we're taking to 
hiring cyber talent is well intended but it gets in the way of 
actually filling an awful lot of these vacancies across the 
Federal enterprise and retaining that talent. Specifically, 
here is what I'm talking about. And please don't hear this as 
criticism, it is not intended this way, it is feedback.
    Appropriations bills require CIOs to spend those taxpayer 
dollars that have been approved within, in my example most 
recently, the Department of Commerce. What if I could pool some 
of that money with fellow CIOs most in need in the Cabinet 
departments and with the Department of Defense to do a couple 
things?
    First of all, why not use pooled hiring? Why do I have to 
end up competing with other CIOs? DHS is more sexy, DOD 
attracts a heck of a lot more people than the Department of 
Commerce, speaking very candidly. It is not a negative, it is 
just reality. But if we could team up and if we could kind of 
have a recruiting team, you guys figure out where it might be 
placed, possibly GSA, possibly OPM, possibly DHS, or possibly 
DHS, DOD combined, but let them do all the hiring for these 
folks.
    Go after the skill sets we need, and that's where these 
folks can give you a lot of detail about the different scope 
and breadth and depth of hiring what talent is required. But I 
couldn't find forensic analysts. I just couldn't compete. There 
was no way in hell.
    Mr. Raskin. But let me come back to something----
    Mr. Cooper. And then take those people and deploy them to 
the highest risk.
    Mr. Raskin. Gotcha. As the departments request their help 
on particular things or creating interagency initiatives for 
cybersecurity.
    So let me come back to something that you actually started 
with, which was the hiring freeze. To what extent does this 
blanket categorical hiring freeze in fact undermine the ability 
to hire and to get in the people we need in the cybersecurity 
field, maybe on an emergency basis?
    Mr. Cooper. Well, my answer is simple. Right now, it's 
having a pretty significant adverse impact.
    Mr. Raskin. Others want to weigh in?
    Mr. Waddell.
    Mr. Waddell. I would say that the impact is not only on the 
agencies themselves because of the open positions, but the 
impact on the cyber workforce that's already there. So now 
you're asking the cyber workforce that's doing their 9 to 5 job 
to now pick up other duties and skills just to help cover it. 
So I think we also need to think about the current folks that 
are there. This shortage is really draining the resources of 
those people.
    I like to use the sports analogy. I think we have too many 
coaches and not enough players, and in order to play defense, 
we need more players. So we need that pathway to help get these 
folks in without the threat of sequestration and hiring freezes 
and the like.
    Mr. Raskin. And as you sweat the people who are there 
harder, it drives them out and then you can't fill their 
positions.
    Mr. Waddell. Right, exactly.
    Mr. Raskin. So you're in a destructive downward cycle 
there.
    Mr. Chairman, thank you very much.
    And I appreciate your testimony.
    Mr. Hurd. Mr. Krishnamoorthi, you're recognized for 5 
minutes.
    Mr. Krishnamoorthi. Thank you, Mr. Chairman.
    First of all, thank you all for coming today. I really 
appreciate Congressman Raskin's line of questions. I'd like to 
build a little bit on what I've heard so far.
    You know, Chairman Hurd has put forth some really good 
ideas about increasing collaboration between the public and 
private sectors. Ms. Depew, you have called for an expansion of 
the CyberCorps program and I wanted to ask you a couple of 
questions about that. One is that my understanding is that--is 
the CyberCorps program limited to folks with a 4-year degree?
    Ms. Depew. I believe at this time it is focused on juniors 
and seniors in a 4-year cybersecurity-focused degree.
    Mr. Krishnamoorthi. Okay. What do you think about 
potentially opening it up to folks in community colleges who 
might specialize in a cybersecurity degree? I'm just concerned 
that perhaps we're limiting our supply of people for these open 
positions by basically excluding people who might specialize in 
a 2-year degree, but possess the requisite skills to do the 
job. I mean, what are your comments on that?
    Ms. Depew. Oh, absolutely. We highly recommend that it be 
expanded to include community colleges. There are a breadth of 
skills necessary to effectively run a Security Operations 
Center and some of those skills can absolutely be obtained via 
certifications, 2-year degrees. It's not just about 4-year or 
advanced degrees to develop those skills and that talent.
    Mr. Krishnamoorthi. I see a lot of heads nodding in 
agreement, including Mr. Waddell from--what an interesting 
name, I think ISC, in parens, squared.
    Mr. Waddell. (ISC)2, yes.
    Mr. Krishnamoorthi. Okay. That seems like a very 
mathematical name there. So please, what are your thoughts?
    Mr. Waddell. I couldn't agree more. I think that--and I 
think limiting it to just the STEM folks, I think, leaves a lot 
of the liberal arts and the communication pieces of the 
cybersecurity job. Look no further than the OPM breach, where I 
think there was just a communication gap between the folks that 
were on the keyboards, and the folks kind of at the top. But 
the folks at the top didn't understand what was the risk of not 
patching these systems. What was the risk of these 
vulnerabilities? And that message just did not get filtered up 
for whatever reason. So, absolutely, couldn't agree more.
    We could--not all positions require a college degree. It's 
a great thing to have, but you can certainly tap into high 
school, a 2-year college and have training and certifications 
to help augment and validate those skills.
    Mr. Krishnamoorthi. Go ahead, Ms. Hyman.
    Ms. Hyman. Yes. I just want to reiterate everything that's 
been said. We share (ISC)2's position as being a certifying 
body. And we've been working for a long time with the 
government to try and suggest that this is a very good 
government way of spending money is to make sure that if you're 
going to have training, you need to have some way to validate 
what that training was about. And so even if you don't have a 
2- or 4-year college degree, there are certifications that an 
individual can take to get them into the beginning of the 
cybersecurity career. And on top of it, I would point out 
there's something called the Government Employees Training Act, 
GETA, which obviously says that it's okay for money to be spent 
for training, but it doesn't explicitly say that it should be 
used for testing. And so when we go to talk to various 
agencies, we learn that, well, they are not specifically 
authorized to use that funding for the purpose of testing. 
Therefore, we're not validating the skills that we've spent 
government money on to make sure an individual understands what 
their cybersecurity responsibilities are.
    So I would commend all of you to address GETA and try to 
make that a more explicit piece within that particular piece of 
law.
    Mr. Krishnamoorthi. That's a great point.
    I think, Chairman Hurd, perhaps we should take a look at 
that.
    I just believe very strongly in vocational, technical 
education, community college education being kind of 
potentially the pathway forward in filling a lot of these open 
technical positions in our country. And so, I think we're--this 
year we're going to be reauthorizing the Carl D. Perkins Career 
and Technical Education Act in the Education and the Workforce 
Committee. I think this is something, perhaps, we should look 
at there as well.
    Ms. Depew, what is the current investment into the 
CyberCorps program?
    Ms. Depew. I believe it was $45 million 2 years ago, $50 
million last year, and it's proposed at $70 million this year.
    Mr. Krishnamoorthi. I mean, what's your thought? Is that 
sufficient to address the shortages that we're seeing in the 
workforce?
    Ms. Depew. So $40 million funds about 1,500 scholarships. 
If there's a 10,000-person deficit, that puts a small dent, but 
not a significant enough one. So I do think we do need to 
investigate at a heavier level. And that could be a combination 
of both a traditional program or expanding to community 
colleges.
    Mr. Krishnamoorthi. Great.
    Final question, what level of funding do you think is 
required?
    Ms. Depew. I think on the order of $180 million would be 
necessary to put a sufficient dent in the problem.
    Mr. Krishnamoorthi. Okay. Thank you very much.
    Thank you, Chairman.
    Mr. Hurd. I want to recognize myself for my line of 
questionings.
    First question goes to you, Mr. Marinos and Mr. Cooper. Why 
is it hard for a CIO to tell me how many positions they don't 
have--that they haven't been able to hire for?
    Mr. Marinos. So, I think, like I mentioned in my statement, 
I see three issues, but I'll probably focus less on the 
recruiting and retention, which others have mentioned. So the 
first one is on strategic planning. It has been a high-risk 
area since 2001 for a reason. Part of the difficulty with 
cybersecurity in particular is that, obviously, with the threat 
constantly changing, so are the needs themselves as well. So----
    Mr. Hurd. I get that. But why can't they tell me what they 
need today? Right? Let's start with today----
    Mr. Marinos. Sure.
    Mr. Hurd. --and the difficulty. I would think that I should 
be able to go to any agency head and call them on the phone, 
and they should be able to produce how many positions that they 
have billets for that are unfilled. Is that a--is that a--is 
that a yeoman's work to pull that number out of there?
    Mr. Marinos. So, I think they are working off of an old 
system. I throw it out there. We've got three job series that 
are set up to classify IT and cybersecurity. In that old 
system, it doesn't really provide you much granularity. So 
let's say you want to know how many people do I need in my SOC? 
How many people do I need on incident response? Well, if you're 
looking to hire up, or you're looking to express to the 
committee, to Congress, exactly what you need, you don't have a 
lot to work off of.
    More recently, NIST has put out an updated framework, which 
is supposed to give agencies that ability. I would point out, 
though, that it's a long-term goal, even with the law that was 
mentioned earlier, Federal Cybersecurity Workforce Assessment 
Act, tasked agencies with getting there by 2019. So I think 
it's a real concern that I would share with you, Chairman, that 
I think, ultimately, asking the question up front as to what 
are agencies doing now to shore themselves up is of major 
concern.
    Mr. Hurd. Good copy.
    Mr. Cooper.
    Mr. Cooper. I'm going to give you a little bit more direct 
answer.
    I think it varies a little bit by agency, and quite 
frankly, it varies by CIO. I believe you know, I could give you 
the answer to your question. I still can, even though I'm not 
there. And I think you will find----
    Mr. Hurd. What was the number when you were there?
    Mr. Cooper. The total--in my particular office, when I 
walked in the door, I learn a little bit of research, there 
were 16 cyber-specific vacancies. Okay? Three years later, 
there are 10; but there were another 10 that were not funded. 
So 20 is the need. 10 is officially what the number is that I 
shared with you this morning.
    Mr. Hurd. Got you.
    Mr. Cooper. Additionally, across the entire Department, so 
all 12 bureaus, that number increased, particularly--remember, 
we're coming up on the 2020 decennial Census, so it's a big 
driver. But that number increased to about 97 across the entire 
Department.
    Mr. Hurd. And, Ms. Depew, you said a number has been used 
multiple times. 10,000 is what we think the estimation is in 
the Federal Government of IT professionals. Is that correct?
    Ms. Depew. Yes, that's the number we referenced, yes.
    Mr. Hurd. Mr. Marinos, would you agree with that estimate?
    Mr. Marinos. No. Though I would point out that there have 
been varying estimates out there. I would say that last year, 
there was a goal, I think, around about 7,000, and as of 
January, when OMB provided its report to Congress on FISMA 
compliance, it did report that it met that goal.
    Mr. Hurd. So if we're looking to fill a gap, start saying, 
Hey, we need to get near 10K, 10,000 people, that's good enough 
for--because if we try to produce something that only produces 
10, you know, graduates that can go into jobs, that's not going 
to make a dent. So we need--the magnitude that we're talking 
about is--is around 10,000.
    Next question: So--and, Mr. Cooper, I'm going to start with 
you. Ms. Hyman, I love your perspective. And, Mr. Waddell, and 
if anybody else has perspectives, just please raise your hand, 
and I'll ask you that--this idea of rotational IT workforce, 
and you alluded to it in your opening remarks, what kinds of 
jobs could they be working on, and how would you--how--what are 
the hurdles that we're going to have in making sure CIO has the 
authority to task this rotational workforce? Right?
    Because when I think of rotational, it's you have three 
people for 10 days working on a project, or you can have one 
person for 10 days, and you are able to plan in advance, and 
maybe you get three people to do that. So a project that takes 
30 man-days can be filled by three people.
    What are some of those kinds of projects? And as a former 
CIO, would you have wanted to use--would you want to have that 
kind of capability?
    Mr. Cooper. All right. Let me first clarify. I may have 
accidentally confused members of the subcommittee or even maybe 
colleagues on the panel. I apologize if I did that. Let me 
clarify.
    When I use the term ``rotational,'' here's what I'm 
actually talking about. I'm talking about a longer period of 
time, 6 months to up to 2 years. That's what I mean when I say 
``rotational.''
    Contrast that, or compare it with the cyber National Guard 
or the concept of shorter periods of time, both are valuable. 
Which--which would you prefer me to address?
    Mr. Hurd. The shorter period.
    Mr. Cooper. All right. Okay. The shorter period. The types 
of positions that would be very, very valuable for skilled 
people--and there are a whole lot of these folks who are in the 
contractor workforce that support most of the CIO offices 
across the Federal agencies, take something as simple as 
deploying testing and deploying vendor security patches. 
That's--that's something that skilled people and people who are 
trained through some of these programs at a 2-year level, by 
the way--I fully agree. This could be done by community college 
graduates. It would be a tremendous opportunity to build a 
workforce to do that. That's something that people can step in 
and add real value for however much time they are able to do 
that.
    So, literally, that could be 3 days, 2 weeks. If I've got 
somebody skilled, I will take them. And I will take as many of 
those people as I can get, as long as I have some way to know 
that they're skilled, and that's where I fully support all of 
the colleagues sitting to your right around rigorous 
certification. That's terribly, terribly important. Because, 
otherwise, I don't know these people, and I don't know whether 
their skills are right. You give me as many of those people 
short term, I will take them all.
    Ms. Hyman. Yes. Great question. And I agree in terms of the 
short-term purposes. I think maybe in--I'm going to defer to 
some of the true experts on the panel, but also looking at some 
of the cybersecurity--excuse me--logs on a continual basis, so 
long as you have an opportunity--if you are there for 2 or 3 
days, and you're looking at some of the patterns there, there's 
some sort of system to capture that. I don't know if that's 
possible short term. But I was thinking about that. Because 
that is introductory industry analyst type position.
    The other thing, frankly, is using some of these people to 
train your remaining noncybersecurity workforce. The amount of 
human error that contributes to cybersecurity breaches, it's 
usually about 50 percent or higher. And so you could, on a very 
short-term purpose, use some of these individuals to deliver, 
you know, quick training for the regular workforce along those 
lines.
    Mr. Hurd. So, as Mr. Waddell says, harden the workforce.
    Ms. Depew, do you have any comments?
    Ms. Depew. Two thoughts that come on top of head--on top of 
mind are specific coding projects. We always have a multitude 
of ideas that we would like to flesh out. So if somebody had 
advanced coding skills, there are contained projects we could 
do on a short-term basis that I think would be really valuable. 
Another thing I would love to do is put folks with government 
experience in front of some of our products and tell us what we 
need to improve and why they don't work as effectively as we 
need to in your infrastructure. So that would be very 
advantageous to us as well.
    Mr. Waddell. Two things jump out at me for the short-time 
assignments. One is like a site assessment. When I was a 
contractor with the DOD, I was on a 2-week rotation with the 
Army where we went to MetCom and the military entrance 
processes command and tested all the sites. That was a 2-week 
rotation. We went in. We red-teamed. We threw everything we 
could against that site, interviewed the people, did a bunch of 
pen tests, and then cranked out a report and left. I think 
that's probably a really good one for that short-term 
assignment.
    The second one was also a breach response forensics, say, 
for example, you know, some agency organization got hacked, and 
they needed to do forensics on a hard drive, maybe come in and 
just do a real quick recovery of that and then rotate to the 
next breach.
    Mr. Hurd. Ms. Plunkett.
    Ms. Plunkett. So I'd agree with everything that has been 
said. Areas like research and development, developing 
mitigations, product testing, and some level of forensics, I 
think would be ripe. The other areas that would be more 
difficult would be real-time response, because you want to have 
some a priori understanding of the network. It's not 
impossible, particularly if you have someone that's rotating in 
on a regular basis to the same place. But if it really is a 
ready reserve where they would go anywhere, it would be 
difficult to send someone in just to address a threat when they 
don't know the infrastructure and they are not up on the 
current vulnerabilities.
    Mr. Hurd. So, Mr. Marinos, what are the difficulties going 
to be if let's--you know, we have these different kinds of work 
requirements that a short-term rotational workforce could 
address. Help me think in advance of, you know, the problems 
that we're going to see in trying to introduce that into the 
Federal Government? Is that a fair question, these incidents?
    Mr. Marinos. Absolutely. I think the quickest answer is 
coordination. So--I hate to tell you. You know, and you all are 
champions of empowering the CIOs who are doing work for you and 
enforcing FITARA, we're looking at that area very carefully. 
When you think about that, you are thinking a lot about CIO and 
CFO working hand in hand to procurement, working with the CIO. 
Here, you've got a whole different story. You've got the chief 
human capital office working with the CIO and the chief 
information security officer at individual agencies having to 
work together. So, you know, I just kind of throw that out as a 
potential pain point in terms of the coordination.
    If you're thinking about where this fits within the Federal 
Government too, thinking about what DHS' mandate is, the 
National Cybersecurity Communications Integration Center is 
increasing in its--you know, its level of assistance to other 
agencies. That might be a location to consider in terms of 
whether they are going to need assistance to be able to help 
other agencies out.
    But I would go back to what Mr. Cooper has expressed at 
previous hearings as well, which is that if the CIO is not 
actively engaged, then the help may not be going to the right 
places.
    Mr. Hurd. Let's do a quick lightning round. Okay? We'll 
just go down the panel. Where should this cyber National Guard 
sit? And ``I don't know'' is a valid question.
    Mr. Cooper.
    Mr. Cooper. Okay. So the truth is----
    Mr. Hurd. Lightning round.
    Mr. Cooper. The truth is I don't know, but I would argue 
DHS plus OPM plus DOD.
    Ms. Hyman. I don't know, but I would add that there should 
be information back from the Federal cybersecurity workforce 
assessment process so that you could figure out where gaps are 
and what agencies really need to be invested.
    Ms. Depew. I don't have an answer for the National Guard, 
but for the expansion of the scholarship program, we do think 
that the NSF is an appropriate place, because it's 
nonregulatory and it has great respect with the private sector.
    Mr. Hurd. Got you.
    Mr. Waddell. I would say a mix of DHS and DOD.
    Mr. Marinos. I'll add in--I think it's really important for 
the Office of Management and Budget. We had the Federal CIO in 
the previous administration. I think it's important for there 
to be a proactive involvement from that office.
    Mr. Hurd. Okay. Ms. Plunkett.
    Ms. Plunkett. I'd say in a place where there's a real-time 
current cybersecurity mission, it can't be just a place to 
deploy, because that won't--they won't have the right 
understanding of the types of skills that are needed for a 
specific situation. It's got to be in a place where there's 
active cybersecurity mission going on.
    Mr. Hurd. Next question, lightning round. I'm going to 
start with you, Ms. Plunkett. I'm going to go down this way. 
Expand the cyber--so CyberCorps--CyberCorps is only 4-year 
institutions.
    Is that correct, Ms. Depew?
    Ms. Depew. That is my understanding.
    Mr. Hurd. Okay. So is it focused on getting scholarships to 
high school kids that go to college forgive debts? And I would 
say not college--when I say ``college,'' I mean 2- or 4-year 
institutions. So is it to forgive debt or is it people that 
have already gone to school, or do we focus on trying to give 
scholarships to high school kids who go to school, or something 
else?
    Ms. Plunkett. I think it's all of the above. And in 
addition, we need to invest in those high school students while 
they're in high school. We need to look at investigating in 
areas like----
    Mr. Hurd. What gives us the quickest result?
    Ms. Plunkett. To address the immediate need, it's likely 
more for scholarship for service, to get folks who are at the 
end of their degree program through more quick--through debt 
forgiven, get them into the workplace.
    Mr. Hurd. Good copy.
    Mr. Marinos. So as the one current government guy here, I 
can say from GAO's perspective, we've recruited, and we still 
have CyberCorps folks there after decades. So I think there's 
an importance at the undergraduate and graduate level, but I 
think it couldn't hurt if there was an extension of that.
    Mr. Waddell. The quickest I would consider cohort programs 
that retrain folks that are already in another vertical and 
retrain them quickly through a 16-week program and get them in 
entry level. That's the quickest.
    Ms. Depew. I agree the quickest is to leverage what exists 
now and potentially pump up more existing scholarship programs. 
But if you are going to systemically fix the problem, you have 
to start deeper in the pipeline and do something with middle 
school and high school students.
    Ms. Hyman. Same thing, but I would also say, upscaling is 
crucial. And to take that existing workforce pipeline and 
provide not only, again, certifications, but identify a career 
path for these individuals to continue within government 
service with opportunities for training, education, and 
progression.
    Mr. Cooper. Most immediate impact and easiest to implement 
right away, 2-year community college-based degrees plus a 
year's of service Federal obligation. The other stuff I agree 
with, but the most impactful right now, people trained out of 
2-year colleges hit the ground right now, but they require an 
obligation on years of service.
    Mr. Hurd. Ms. Kelly, you're now recognized.
    Ms. Kelly. I have to ask this question, since it's Women's 
Equal Pay Day. When you talk about recruitment and retention, 
what have you seen as far as a difference in pay between men 
and women? Because from something I read, I saw there was like 
a 15- to $16,000 difference.
    Mr. Cooper. I can address that directly. There was a 
disparity. I took a look at it. I tried to do something as best 
I could, but--but I didn't tackle it directly male, female. I 
did it on an equity-based basis around roles, and that was more 
palatable to my HR counterparts.
    Ms. Hyman. We don't have the data specifically on that 
question, but I will say, obviously, women are underrepresented 
in the tech fields. And I think we have to pay attention to 
getting more women in so that we can also drive up salaries.
    Ms. Kelly. Right. Because they are underrepresented, that 
might be one of the reasons why they are not going to get equal 
pay.
    Then the other question is, I know we're talking about how 
to get young people involved. But when people are laid off from 
a career they've had, some people--you know, we always say, we 
should put them back into training and skills and blah, blah, 
blah. And some people would say, oh, people that get laid off 
in their 40s or 50s, they don't want to go back in and learn 
something.
    Have you found that, or do you have many people that you 
work with, Mr. Waddell, Ms. Hyman, that are older, but younger 
than me?
    Ms. Hyman. Yes. Talking a little bit about our 
philanthropic arm, they also have developed something called 
the IT-Ready program, and it looks at folks that have been 
displaced, put out of work, as well as younger people in 
underrepresented populations.
    I don't have specific numbers for you, but what I can say 
is that these types of programs, it's not just a simple matter 
of retraining somebody.
    The--when we take somebody on for the IT-Ready program, 
we've assessed them, whether there's an aptitude for 
technology. There's a good 8 weeks to 10 weeks of training. 
There's support services that go with it. How do you interview 
for your job? And then we place them into an internship or 
apprenticeship, so that there's an opportunity then to turn 
that into a full-time job.
    We've had, I believe, over 85 percent success rate with 
this program, but the issue is scaling it up. We probably have 
about 800 people annually. You know, we have a lot of work to 
do.
    Mr. Waddell. Yes. I just wanted to give you some facts, 
some figures, from our 2017 report specifically about the wage 
gap.
    The wage gap of women at the director level and above has 
narrowed from salaries reported in 2015; however, women are 
still paid 3 percent less than men in equivalent roles. At the 
manager level, the gap has remained relatively the same, with 
women earning 4 percent less than men. The gap at the 
nonmanagerial level has widened to 6 percent from 4 percent in 
2015.
    Ms. Plunkett. You know, what we found is that we actually 
have been successful at retraining folks who are either laid 
off, or are looking for a career change. And the answer has 
been a combination of, certainly, academic training, but then, 
exposure to operational cybersecurity capabilities as we might 
find in the ESOC or the SOC or the ICMCP has been piloting, 
where they've had some hands-on experience in an academic 
experience. So that when they go into the workplace, they've 
touched the code; they've touched the machines; they have 
touched, in an operational kind of way, systems, so they can 
hit the ground running.
    Mr. Hurd. Mr. Raskin is now recognized.
    Mr. Raskin. Mr. Chairman, thank you. Just one final 
question.
    If Members of Congress, like members of this panel, wanted 
to do a job fair or a higher education fair, college fair, 
career opportunities fair, who is the best person to contact 
about creating a cybersecurity careers presence there? Do you 
guys do that?
    Mr. Waddell. Yes. We do. I think all of us on here do some 
sort of job fair. I'll just give you an interesting, very quick 
story. I offered a table at our career fair to DHS, US-CERT a 
couple of years ago, and the deputy director at the time, Brad 
Nix, said, I'd love to come, but by the time we get there, all 
the positions--all the folks would be gone, and we wouldn't 
have an opportunity to capture them, because it just takes them 
so long to get them into the system. Average is at about 6 
months. So I don't know if the problem is the career fair 
themselves. It's just--we need to streamline the onboarding and 
hiring process to get those folks in quickly--quicker.
    Mr. Raskin. Yes, Ms. Plunkett.
    Ms. Plunkett. Can I just add, the process by which we 
actually match aspirants or candidates with good jobs is an 
area that could use some help. And, certainly, ICMCP would be 
absolutely willing to participate in a job fair. We have lots 
of young people coming to us looking for those opportunities.
    Mr. Raskin. That's great. Well, I'll definitely take your 
information. And I don't know whether you are deterred by the 
hiring freeze in terms of doing this, but I suppose it makes 
sense in any event to go forward and do it.
    Mr. Hurd. Well, I'd like to notify my colleague, in places 
like DOD, the IT professionals are considered must-haves, and 
so the hiring freeze is not impacting them.
    Mr. Raskin. Okay.
    Mr. Hurd. And many of the other Federal agencies could have 
that same interpretation.
    Mr. Raskin. Thank you, Mr. Chairman.
    Mr. Hurd. Ms. Hyman, can your cybersecurity career path 
positions descriptions, could they be used as the foundation 
for Mr. Cooper's idea of working with the Federal CIO Council 
and OPM on having pre-approved positions?
    Ms. Hyman. Yes. So what we've done with our certifications 
is that we've mapped them to the National Initiative for 
Cybersecurity Education, which looks at knowledge, skills, and 
abilities across different uses for cybersecurity. And the 8140 
program, the successor to the DOD 8570 program, which is their 
information assurance requirements, they're actually going to 
be mapping many of their requirements to the 81--to the NICE 
initiatives. So what you're starting to see is, across 
different government agencies, sort of a similar lexicon about 
what cybersecurity knowledge, skills, and abilities are. And 
we're not the only certifying body that has mapped our 
certifications to NICE.
    Mr. Hurd. Good copy.
    Mr. Cooper, 18F and USDS, can their business model be used 
to address some of these--how would I best say it?
    Mr. Cooper. Some of the shortcomings?
    Mr. Hurd. --some of the shortcomings, yes.
    Mr. Cooper. Yes, I actually believe it could.
    I think they've done a lot of learning from their first 
approach, or first foray, through U.S. Digital Services, I 
think it has been a positive learning. I would support that, 
and I think that you could probably pull that group together 
with a Federal CIO when named, and the Federal CIO Council 
appropriate interaction with the HR community. But, yes, I do 
think that could work.
    Mr. Hurd. Ms. Depew, the Cyber--I don't know why I can't 
remember that--CyberCorps program, my understanding is that the 
funds go to the universities, and the universities are the ones 
that are selecting individuals to potentially receive that. 
Is that a correct understanding of the program?
    Ms. Depew. I would--yes.
    Mr. Hurd. So my question is--and is that restricting us by 
having just those participant--the schools that are 
participating in that, and the only other option would be, you 
have some entity in the Federal Government that administers 
these programs, which I'm always circumspect about whether we 
can pull off something like that in order to have kids apply 
and go to the school of their choice--their choosing. Am I--am 
I thinking about this problem the right way?
    Ms. Depew. I think that's fair. I would have to--I'm 
curious how they choose which schools if the schools opt in or 
if they were targeted. I was looking through the list myself, 
looking for which schools were near some of our campuses, 
because it would be nice to be able to offer some local 
teachers. And I didn't see a multitude in the States and cities 
where our campuses were, which is another reason a community 
college-based program would open that aperture and have more 
availability to a broader----
    Mr. Hurd. Got you.
    Mr. Cooper.
    Mr. Cooper. One quick thought, which honestly just occurred 
to me listening to our conversation, it might be interesting to 
talk to the military academies about adding kind of a cyber 
curriculum. They have the basics, but with a goal of actually 
training cyber officers who don't necessarily go through direct 
military. They are in the military, but they come back to, you 
know, not just DOD, civilian agencies as well, might be an 
interesting thing to explore.
    Mr. Hurd. 10 seconds, final question. Everybody gets 10 
seconds, final statement: What should we be walking away here 
or something that we haven't--we haven't discussed or you 
haven't been able to bring up?
    Ms. Plunkett, I'm going to start with you.
    Ms. Plunkett. I'd say let's not--I recommend you not focus 
on what's working. Scholarship for service is working. Needs 
more resources. Focus on capacity at lower levels, middle 
school, high school. Focus on 2-year colleges. Focus on SOC 
experiences where folks can get operational experiences and 
then jump right into the workforce.
    Mr. Hurd. 10 seconds.
    Mr. Marinos. I think your continued focus of oversight is 
really important here. We can't afford to wait, and I'm 
concerned about the longer term focus of where our initiatives 
are going.
    Mr. Hurd. Thank you.
    Mr. Waddell. Scale up fine pockets of excellence of things 
that are working such as the cyber pay incentive program at 
DHS, MPPD that has been shown to attract and retain talent.
    Ms. Depew. The threat landscape is always changing. It's 
not like certain degrees where they fix routine process, so you 
need to consider that when you're recruiting your diverse 
workforce and training them for how to think not what the 
differing knowledge is.
    Ms. Hyman. It might also be useful to take a look at the 
current National Guard personnel that are actually certified in 
cybersecurity capabilities just to get a sense of what that 
rotational workforce might look like.
    Mr. Cooper. Set up a new program along the line of what we 
talked about for veterans and unemployed workers, jointly 
funded, public-private partnership, graduates of 2-year, 4-year 
program, whatever, rigorous certification. Companies that hire 
these people receive additional acquisition points in 
competitive procurements, based upon the number of people they 
are hiring out of this program and competitive solicitations.
    Mr. Hurd. I'd like to thank our witnesses for taking the 
time to appear before us today.
    I ask unanimous consent that members have 5 legislative 
days to submit questions for the record.
    Without objection, so ordered.
    And if there's no further business, without objection, this 
subcommittee stands adjourned.
    [Whereupon, at 3:55 p.m., the subcommittee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               
               
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
