[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

REVIEWING FEDERAL IT WORKFORCE CHALLENGES AND POSSIBLE SOLUTIONS

HEARING BEFORE THE SUBCOMMITTEE ON INFORMATION TECHNOLOGY OF THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED FIFTEENTH CONGRESS, FIRST SESSION

APRIL 4, 2017

Serial No. 115-6

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov http://www.house.gov/reform

U.S. GOVERNMENT PUBLISHING OFFICE, 25-717 PDF, WASHINGTON : 2017

For sale by the Superintendent of Documents, U.S. Government Publishing Office. Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800. Fax: (202) 512-2104. Mail: Stop IDCC, Washington, DC 20402-0001

Committee on Oversight and Government Reform

Jason Chaffetz, Utah, Chairman
John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Trey Gowdy, South Carolina
Blake Farenthold, Texas
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Stacey E. Plaskett, Virgin Islands
Val Butler Demings, Florida
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Peter Welch, Vermont
Matt Cartwright, Pennsylvania
Mark DeSaulnier, California
John Sarbanes, Maryland

Jonathan Skladany, Staff Director
Rebecca Edgar, Deputy Staff Director
William McKenna, General Counsel
Sean Brebbia, Counsel
Michael Flynn, Counsel
Kiley Bidelman, Clerk
David Rapallo, Minority Staff Director

Subcommittee on Information Technology

Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair
Darrell E. Issa, California
Justin Amash, Michigan
Blake Farenthold, Texas
Steve Russell, Oklahoma

Robin L. Kelly, Illinois, Ranking Minority Member
Jamie Raskin, Maryland
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois

CONTENTS

Hearing held on April 4, 2017

WITNESSES (oral and written statements)

Mr. Steven Cooper, Former Chief Information Officer, U.S. Department of Commerce
Ms. Elizabeth Hyman, Executive Vice President, Public Advocacy, CompTIA
Ms. Lisa Depew, Head of Industry and Academic Outreach, McAfee
Mr. Dan Waddell, Managing Director, (ISC)2
Mr. Nick Marinos, Director, Information Technology, U.S. Government Accountability Office
Ms. Debora Plunkett, Strategic Advisory Board Member, International Consortium of Minority Cybersecurity Professionals

APPENDIX

Statement for the Record of Steven Weber, Faculty Director, UC Berkeley Center for Long-Term Cybersecurity; Jesse Goldhammer, Associate Dean, UC Berkeley School of Information; and Betsy Cooper, Executive Director, UC Berkeley Center for Long-Term Cybersecurity, submitted by Mr. Hurd

REVIEWING FEDERAL IT WORKFORCE CHALLENGES AND POSSIBLE SOLUTIONS

Tuesday, April 4, 2017

House of Representatives, Subcommittee on Information Technology, Committee on Oversight and Government Reform, Washington, D.C.

The subcommittee met, pursuant to call, at 2:30 p.m., in Room 2154, Rayburn House Office Building, Hon. Will Hurd [chairman of the subcommittee] presiding.

Present: Representatives Hurd, Kelly, Raskin, Connolly, and Krishnamoorthi.

Mr. Hurd. The Subcommittee on Information Technology will come to order. And without objection, the chair is authorized to declare a recess at any time. But I don't think we're going to have to today, which is rare for once, right?

And I want to say good afternoon to everyone. Thanks for being here. We are at a very pivotal time in our Nation's history. As technology becomes more and more a part of our lives, our society and institutions must keep pace. But the technology itself is only half the equation, as all of you know. Technology still requires people--people to monitor, upgrade, inspect, and safeguard the technology. That is why we are here today: to discuss the human element and the policies we as a Congress need to advance the Federal IT workforce and make sure it is comprised of qualified IT and cybersecurity professionals.

Right now, Federal agencies are facing a shortage of IT and cybersecurity professionals in a highly competitive marketplace.
During one of our last hearings on this subject, one witness testified that 209,000 cybersecurity jobs went unfilled in 2015. That's a pretty large number. That's why I've been advancing the idea of a Cyber National Guard, which was first brought up to us at a field hearing in Chicago. So thank you, Robin Kelly. And this is really a way to talk about how do we recruit and hire qualified individuals to the Federal IT workforce and then retain their skills in the future on a rotational basis. It's real simple. Most of these hearings I usually know the answer to the questions that I'm going to ask. This is one where I do not. And the idea is this: What are the gaps in the CIOs' offices from GS-13 below. We have to figure out what that gap is, right, and we are working to do that so that we can figure out what are those jobs that we are trying to target. Do we do it by giving high school kids scholarships to go to college? Do we do it by forgiving debt for people that have the jobs who need to go into those positions that we need? If it is giving scholarships, where do we find the money? So that's the first piece. Once we identify the need, the first step is, how do we get young people into their first step being the Federal Government and the dot-gov space? The second piece is, how do we, once they come and work for the government and they go out in the private sector, how do we get them back in on a rotational basis? What are the jobs that would be achieved through that rotational basis? The jobs are going to be different than the ones that we're trying to target by creating some kind of scholarship program. The concept is actually quite simple. And then once we figure out how we get these people back in on a rotational basis, how often will they do that? You know, the National Guard is the proverbial 1 weekend a month, 2 weeks a year, but does that have enough--that's going to impact business processes at that company. Is it 10 days a quarter? 
Is it 15 days every 6 months? And what are those jobs that those people can be coming back into and working on? These are the steps in the process, I see it three phases, once we identify what jobs we're going to target, and hopefully we have some time to explore these ideas here today.

And with that, it is my honor and my privilege to introduce not only the ranking member of this committee, but my good friend, Robin Kelly, from the great State of Illinois.

Ms. Kelly. Thank you, Mr. Chairman, and welcome to the witnesses.

Mr. Chairman, thank you for calling today's hearing concerning the challenges to hiring IT professionals in the Federal Government. In 2016, GAO said that the persistent cyber threat presented a risk to our national security. We should understand that the inability to attract and retain qualified cyber professionals throughout the government threatens our ability to address cyber threats. So the workforce issue this hearing is concerned with has the potential to impact the safety of each and every American and the stability of our country.

America's leading companies are facing a similar situation. (ISC)2 projects a shortage of 1.8 million cyber professionals across both the public and private sector by 2022. We obviously face similar challenges in hiring.

Both the public and private sectors face sophisticated cyber threats. Last month, the Justice Department charged two Russian intelligence officers with orchestrating a hack that stole data from 500 million Yahoo users, of which I was one. I shouldn't have to remind anyone that in January of this year our intelligence agencies also found that the Russian Government orchestrated a sustained campaign against our elections using various weapons, including cyber attacks on political parties.

While we view the public and private sector as separate, cyber criminals and nefarious state actors do not care about those distinctions.
For instance, the data stolen from the Yahoo attack was used to spy on both bank executives and White House employees. Addressing the threat requires that government and the private sector both succeed in finding qualified individuals.

For one thing, we desperately need to expand the pool of talent that we are both joining from and keep the professionals that are so critical to protecting the security of our Nation. Talented women and minorities are not just being hired. Currently, women hold 28 percent of science and engineering jobs. Hispanics and African Americans hold 6 percent and 5 percent of those jobs, respectively. We need to improve these numbers as we grow the number of available IT professionals.

Another problem was created by the President himself. The President's hiring freeze is obviously a barrier to recruiting and hiring the IT professionals the government needs. Nextgov points out that the hiring freeze sends a message that IT professionals are not valued in the Federal Government. These highly desired candidates could instead choose to go to the private sector where they are heavily recruited.

Also, constant calls to cut the Federal workforce and strip them of protections will not help attract needed talent. Who would want to work for an employer that publicly criticizes them and constantly questions the need for them? Candidates with numerous options certainly would not.

I look forward to hearing the witnesses' ideas to address this issue and expand the pipeline of diverse, qualified, and valued candidates. It is important that the candidates we recruit to address the next generation of challenges are representative of our population at large. I'm glad you came to Chicago and got that idea. Thank you, Mr. Chairman.

Mr. Hurd. Thank you, Ranking Member Kelly. I'm going to hold the record open for 5 legislative days for any members who would like to submit a written statement.

Now we are going to recognize our panel of expert witnesses.
I'm pleased to welcome Steven Cooper, the former CIO for the U.S. Department of Commerce, not a stranger to this committee. Ms. Elizabeth Hyman, executive vice president of public advocacy for CompTIA. Thanks for being here, Elizabeth. Ms. Lisa Depew, head of industry and academic outreach for Intel. You guys, I was just down in your facility in Austin. Dan Waddell, managing director for (ISC)2. Nick Marinos, director of information technology at the U.S. Government Accountability Office. Thanks for being here, Nick. Finally, Ms. Debora Plunkett, a Strategic Advisory Board member for the International Consortium of Minority Cybersecurity Professionals.

Welcome to you all. And pursuant to committee rules, all witnesses will be sworn in before you testify. So please rise and raise your right hand. Do you solemnly swear or affirm that the testimony you are about to give will be the truth, the whole truth, and nothing but the truth, so help you God?

Thank you, and please be seated. Let the record reflect that the witnesses answered in the affirmative.

To allow ample time for discussion, I would appreciate if you would limit your opening remarks to 5 minutes, and your entire written statements have been made part of the record. So I appreciate that.

We are going to start off with Mr. Cooper for your opening remarks for 5 minutes.

WITNESS STATEMENTS

STATEMENT OF STEVEN COOPER

Mr. Cooper. Chairman Hurd, Ranking Member Kelly, members of the subcommittee, thank you for inviting me to appear before you today. I am honored to join this panel to offer a few ideas regarding the Federal IT workforce. Having been trained by the best government lawyers, I would like to state at the outset that the opinions and ideas I will share are my own and not offered on behalf of any government agency or industry organization.

Mr. Hurd. So noted.

Mr. Cooper. Thank you.
I have had the privilege of serving as a public CIO in three different departments over the last 15 years before retiring in January as the CIO of the Department of Commerce. I am honored to have served as an appointee in both Republican and Democratic administrations--and as a career govie--all at the senior executive level. I share this background because I strongly believe that improving the skills, capability, effectiveness, and esprit de corps of the Federal IT workforce is a bipartisan issue. I have directly addressed many of the challenges we will likely discuss today and have experienced success in overcoming many, but not all, of these challenges and can share my experience and learning with the subcommittee.

I can't cover all that I'd like to in my opening remarks, so I want to highlight three persistent challenges which may not be as visible or well known to members of the subcommittee, industry, and the GAO.

First, position descriptions. A position description, or PD, is required before any recruiting action can occur. Human resources reviews and approves all PDs before a position can even be posted. Very few IT personnel, including myself, are trained and skilled at writing robust PDs. The current library of IT PDs within an agency or available from OPM does not adequately reflect the skills needed by today's workforce, much less what is coming at us in the next few years. Too many are obsolete. Even more concerning to me, PDs don't even exist for emergent roles related to digital forensics, data science, artificial intelligence, the internet of things, drone technology, autonomous vehicles. I think you get my point. In my experience, not having an up-to-date HR-approved PD causes delays of up to 6 months in the recruiting process.
One idea to fix this: with collaboration from OMB, the Federal CIO Council, and the Federal Chief Human Capital Officers Council, task OPM as the lead agency to develop a PD library of preapproved current and emerging IT roles available for use by any Federal agency. I'd even toss in State and local government.

Second, promotions. When an individual's first hired into the Federal workforce, the position they fill carries a grade level for pay and promotion purposes. In many agencies the person cannot be promoted to a higher grade without competing for that position because there is no approved way to do what I think of from the private sector and referred to in government sometimes as an in-line promotion without competition, particularly for supervisory positions. Competition is good, and the best do rise to the top. And here is the unintended consequence of this process. I had some of my most qualified cyber employees leave my offices, either for industry or for another department, because we did not have open positions for which they could compete to be promoted at a time they were ready; or they were not selected and then chose to leave for another agency who could offer a promotion.

My idea to fix this? Again, task OPM as the lead agency to create and standardize career ladders by role to allow in-line promotions for qualified employees when they are ready for promotion. You can kind of get a lot of information about this from the private sector.

Third, filling cybersecurity positions. When I left Commerce in January, there were 10 cyber vacancies in my office. With a continuing resolution and the hiring freeze in place, those positions remain empty as I speak. How do we address this shortage? Chairman Hurd has spoken previously about the concept of the Cyber National Guard.
I fully support the concept of having trained, skilled cyber personnel at the ready who can be put into service with very short notice, much like the FEMA disaster corps, another model. Another service model could reflect a formal agreement or contract like the military reserves. This Cyber Reserve Corps could drill each month alongside their government counterparts and could be activated for longer periods of time to assist agencies in response to a breach or to assist in deployment of new security patches. Those are just two examples. I've also spoken previously about a loan employee program, similar in concept to the IPA program with academia, which could provide skilled IT managers and technical professionals for up to 2 years.

In closing, I know I have not addressed all the challenges facing the Federal IT workforce in my opening statement. However, I am confident that with the leadership of the committee members and the GAO, solutions to existing problems can be found in a collaborative partnership between government and industry. I look forward to your questions.

[Prepared statement of Mr. Cooper follows:]

Mr. Hurd. Thank you, Mr. Cooper. I look forward to asking you questions.

Ms. Hyman, you're now recognized for 5 minutes.

STATEMENT OF ELIZABETH HYMAN

Ms. Hyman. Terrific. Thank you. Good afternoon and thank you, Mr. Chairman, Ranking Member Kelly, for inviting us here today. I'm here on behalf of CompTIA, which is a nonprofit tech trade association. We represent approximately 2,000 member companies, 3,000 academic and training partners, and 100,000 registered users for our organization.

Government and the private sector have a shared challenge: to have in place the right skilled workforce to utilize technology, enhance productivity, and mitigate and manage security threats. And this is what I'd like to discuss briefly today.
In many ways the creation of CompTIA certifications--and I should add that we are the leading global provider of vendor-neutral IT workforce certifications, and we in many ways have created a de facto framework, along with our brethren certification bodies. CompTIA provides a route from entry to advanced-level skills called the cybersecurity career pathway recommendation, and it takes a beginner in IT and it equips them with 5 to 10 years of the equivalent knowledge, skills, and abilities needed by all cybersecurity professionals. We have sought to share the lessons that we've learned in developing and deploying these certifications with the government as it has sought to create frameworks and standards to train and validate government employee IT skills, and particularly in cybersecurity.

A few successful public-private partnerships for your consideration today. The Department of Defense has worked closely with the training and certification community as they developed its 8570 and successor 8140 initiatives. These require that DOD personnel and contractors with information assurance responsibilities in their job roles have to have industry-recognized certifications. Also of note and a part of the fiscal year 2016 omnibus appropriations bill is the Federal Cybersecurity Workforce Assessment Act, and it directs the Federal Government to take stock of the certifications held by the existing cyber workforce to determine what skills may be missing currently in that workforce. NIST has also collaborated with CompTIA and our partner Burning Glass to develop a real-time heat map for supply and demand of cybersecurity workers in the United States. This is called CyberSeek; it is available at CyberSeek.org. CompTIA is also supportive of the DHS National Initiative for Cybersecurity Careers and Studies, the NICCS portal, and the National Initiative for Cybersecurity Education. And in my comments I discuss those--the written testimony--at greater length.
I'd also like to share that CompTIA as a certifying body regularly conducts research gauging the value and impact of certifications. Our research confirms that testing after training helps to set a baseline of expertise among staff, provide career path guidance, improve the performance of a team, retain talented staff, and helps to evaluate staff with promotions or career development. There's no question that technology sector jobs are growing. Nevertheless we struggle to fill job openings every year with roughly a million job postings in the IT sector. This is not to say that every job posting must or will be filled, but with nearly 800,000 tech workers expected to retire through 2024, this only adds to what we call the skills gap. Therefore, we will all need to focus on innovative ways to attract more people to tech careers, and particularly in the area of cybersecurity, and there's a few areas that I'd like to highlight. We ourselves have put forward a proposal to be included in the fiscal year 2018 NDAA for a ``Service to Cyber Warriors'' program that would provide a stipend for veterans and members of the Armed Forces to cover the expenses of IT training, materials, certifications, and other employment-seeking services. We also supported the introduction of the State Cyber Resiliency Act, which on the workforce front encourages States to develop cyber resiliency plans to fulfill the essential functions of mitigating talent gaps in the State government cybersecurity workforce. The DOD Cyber Scholarship Program Act and the Cyber Scholarships Opportunity Act were recently introduced in Congress. The overarching goal of these legislative proposals is to build a robust cybersecurity workforce. These proposals, in our view, could only be strengthened by recognizing training and industry-recognized certifications as yet another pathway in addition to 2- and 4-year college opportunities. 
Finally, CompTIA also supports apprenticeships and vocational models for building out our Nation's IT workforce and cybersecurity workforce. We are now working with a number of House and Senate offices on a legislative proposal, not yet introduced, which is called the Championing Apprenticeships for New Careers and Employees in Tech Act, with the goal of scaling up the number of apprenticeships in our country.

In summary, we are grateful that you've raised this topic today. We strongly believe that the Federal Government can be a leader in building the tech workforce. It can do so by continuing to support the great work that has already been done by DOD, NIST, and other agencies, by insisting that educational pathways include not only 2- and 4-year college educational programs, but also industry-recognized certifications and experiential learning, and by developing and resourcing innovative programs that will encourage more people to enter into a tech and cybersecurity career through the government. And I thank you for the opportunity to share this with you and look forward to your questions.

[Prepared statement of Ms. Hyman follows:]

Mr. Hurd. Thank you. And, Ms. Depew, I think I incorrectly identified--it's a new thing, right? That is McAfee rather than Intel. But I would like to thank you and your colleagues at Intel for planting the seed in Chicago on this important topic. And now you're recognized for 5 minutes in your opening remarks.

STATEMENT OF LISA DEPEW

Ms. Depew. Good afternoon, Chairman Hurd, Ranking Member Kelly, and distinguished members of the subcommittee. Thank you for the opportunity to testify today. I am Lisa Depew, head of industry and academic outreach for McAfee. I've spent nearly 20 years in the technology industry in a wide range of engineering positions, focusing the last few years on cybersecurity.
I am pleased to address the committee on Federal IT workforce challenges, an important issue McAfee understands well. My testimony will briefly describe the problem, offer some specific solutions, and recommend cultural changes to mitigate our cybersecurity skills shortage.

In 2016, Intel Security and the Center for Strategic and International Studies undertook a study titled ``Hacking the Skills Shortage,'' based on a global survey of IT professionals. Eighty-two percent of those surveyed reported a lack of cybersecurity skills within their organization, 71 percent agreed that the talent shortfall makes organizations more vulnerable to attackers, and 25 percent say that the lack of sufficient cybersecurity staff has actually contributed to data loss or theft and reputational damage. The cybersecurity workforce shortage is projected to reach 1.8 million by 2022, according to the most recent Global Information Security Workforce Study.

We see a significant lack of diversity in the workforce as well. Bureau of Labor Statistics numbers indicate in North America women constitute only 14 percent of the information security workforce and African Americans comprise only 3 percent of information security analysts in the U.S.

The cybersecurity skills shortage is particularly acute in the Federal Government. Tony Scott, the Federal Government's former CIO, indicated an estimated 10,000 openings in the Federal Government for cyber professionals that couldn't be filled because the talent supply simply wasn't available.

McAfee would like to make the following recommendations for closing the skills gap. First, expand the current CyberCorps program. The CyberCorps Scholarship for Service program is designed to increase and strengthen the cadre of Federal information assurance specialists that protect government systems and networks by supporting collegiate students with funding, internships, and work opportunities. Policymakers should expand funding for this initiative.
For context, $40 million pays for roughly 1,500 students to complete the scholarship program. We recommend extending funding to the $180 million range. Supporting 6,400-plus scholarships would make a significant dent in the estimated 10,000-worker Federal cyber skills deficit. Additionally, government should consider creating a complementary community college program. A strong security operation requires multiple levels of skills, not all of which require 4-year or graduate degrees. Having a flexible scholarship program at a community college, including practical skills training and ability to earn a transferable 2-year cybersecurity certificate, could benefit a wide variety of applicants, while providing the profession with additional necessary skills. Private companies could partner with local community colleges to establish cybersecurity-focused curricula and offer private sector practitioners as guest lecturers. The Federal Government could fund all or part of the tuition remission for students, with students again working the number of years in Federal service equal to time spent in the program. Community colleges tend to attract a variety of students, including recent high school graduates, but also returning veterans and other adults who have pursued alternate careers. The community college option could also further ethnic and racial diversity. A community college program should not substitute, but rather complement the existing CyberCorps program. In addition to workforce development programs, we must make systemic cultural changes to close the cyber skills gap. First, we must increase cyber safety awareness. Practicing cyber safety must become as routine to America's youth as washing hands and putting on their seat belts. Additionally, we need to make cybersecurity accessible and appealing to a broader range of potential professionals. 
Graduation rates of female engineers are highest in biomedical and environmental engineering, fields where students can draw a direct correlation to helping humanity. If we better articulate the value of cybersecurity in protecting people's personal and professional lives, we have a target-rich environment of highly skilled girls and women who could be joining the ranks to fill that 1.8 million-person deficit.

In conclusion, there is much we can do to close the cybersecurity skills gap. It will take a true public-private partnership, expansion of funding and programs, and a fundamental shift in cyber safety awareness and the perception of cybersecurity as a profession. Thank you, and I will be happy to answer any of your questions.

[Prepared statement of Ms. Depew follows:]

Mr. Hurd. Thank you. Mr. Waddell, you are recognized for 5 minutes.

STATEMENT OF DAN WADDELL

Mr. Waddell. Thank you, sir. Chairman Hurd, Ranking Member Kelly, and distinguished members of the subcommittee, let me begin by thanking you for inviting me to speak on this very important issue. On behalf of the (ISC)2, we will look forward to working with you in the coming years to help ensure our country is safe, secure, and resilient against cyber attacks and other risks.

As a matter of introduction, (ISC)2 stands for the International Information System Security Certification Consortium. We are the largest nonprofit membership body of certified cyber, information, software, and infrastructure security professionals, with over 123,000 members worldwide, of which many are currently employed at or contracted by our Federal Government. We are known for our certified information systems security professional, or CISSP. When employees earn their CISSP or any of our other certifications, it shows they have the knowledge and skills in order to perform in this field.
Ideally, through our continuing professional educational requirements, they will be qualified throughout their lifetimes. Through our certifications, our training and education offerings, and our research, internet safety, and scholarship programs, we encourage cybersecurity students and professionals to help achieve our vision: to inspire a safe and secure cyber world. However, accomplishing this vision is made more difficult when there is a lack of qualified cybersecurity professionals. You've heard the numbers and our study referenced here today, the Global Information Security Workforce Study. The 2017 version of this biannual study took place from June 2016 through September 2016 via a web-based survey and over 19,000 cybersecurity professionals from over 170 nations responded. And you can find more information on this at iamcybersafe.org. We've heard the numbers, 1.8 million by the year 2022, as far as a talent gap is concerned. So what can we do collectively to solve this crisis? Recently, the (ISC)2 executive management team gathered recommendations that we believe will be critical to the success of the cybersecurity workforce. Specifically, during a gathering in December 2016, members of (ISC)2's U.S. Government Advisory Council hosted former Federal Chief Information Security Officer Greg Touhill and a group of Federal agency CISOs and executives to discuss what was necessary to ensure the continuation of progress for the new administration. As a result of that discussion, we offered several recommendations. I will briefly summarize three of them now. The entire list can be found in my written testimony. One, harden the workforce. Everyone must learn cybersecurity. We have to break the commodity focus of simply buying technology and stopping there, without focusing on training all users. People need patching too. From the intern to the CEO, the mindset needs to be cybersecurity is everyone's job. 
To achieve this, we need to encourage cybersecurity cross-training to promote cyber literacy across all departments within Federal agencies.

Two, incentivize hiring and retention. In today's world a sense of mission doesn't always override good pay. Incentives work. For example, following the cybersecurity hiring authorities passed by Congress in 2014, DHS NPPD provided pay incentives at 20 to 25 percent above an employee's annual pay to motivate and retain cybersecurity hires. The practice of incentive pay needs to be replicated throughout the Federal Government in order to attract experts from the private sector. This perk also plays a key role in retaining cybersecurity talent. According to the Pew Research Center, millennials recently surpassed Gen X as the largest generation in the U.S. workforce. And our study found that paying for professional memberships and training are key drivers in job satisfaction with this demographic.

Three, civil service reform. The civil service system is broken and does not meet the government's needs. In our best effort to attract and retain top cyber talent, we are handicapped by the government's antiquated GS classification and pay system that makes it difficult to promote high achievers and reposition nonachievers. We've talked about the Cyber National Guard concept, which would allow the Federal Government to repay student loans of both STEM and STEAM graduates who agree to work for a number of years in a Federal agency before returning to the private sector. This will serve as a natural extension to the existing Scholarship for Service program and will help to broaden the broader workforce development initiative.

Through these recommendations and the programs that we offer, (ISC)2 hopes to establish an open avenue of communication with you, your staff, and others in Congress as we all work toward strengthening cybersecurity throughout the Federal Government, both now and in the future.
We see this time of transition as an opportunity for our members to be a stabilizing force during an intrinsically uncertain process. (ISC)2 would like to offer its ongoing support to you and the other organizations represented here today by providing resources, research, and community. Thank you, and I look forward to your questions.

[Prepared statement of Mr. Waddell follows:]

Mr. Hurd. Thank you, sir. Mr. Marinos, you're now recognized for 5 minutes.

STATEMENT OF NICK MARINOS

Mr. Marinos. Thank you, sir. Chairman Hurd, Ranking Member Kelly, and members of the subcommittee, thank you for inviting GAO to testify on challenges facing the Federal IT and cybersecurity workforce. For context, it's important to note that the Federal Government and the Nation's critical infrastructures continue to face an ever-increasing and evolving array of cyber threats. As the committee's aware, the GAO has designated this as a high-risk area for the government for 20 years now. It's clear that having a qualified, well-trained cybersecurity workforce is critical to mitigating these threats, and we also know that there is a persistent shortage in cyber talent affecting both the public and private sectors.

Today, I'd like to highlight three key challenges to building the government's cyber workforce. The first is workforce planning, the second is recruiting and retaining talent, and the third is navigating the government's hiring process.

As for workforce planning, the Federal Government hasn't always taken a strategic approach. We and others have reported over the last several years about difficulties agencies have had in assessing the gaps between what skills their workforce has today and where they need to be to address current and future threats.

Second, the Federal Government has had a hard time recruiting and retaining talent.
In recent surveys we conducted of Federal chief information officers and chief information security officers this was consistently identified as a top challenge. In discussions with these officials we heard concerns over limitations that agencies had in offering competitive salaries and also difficulties in losing top government staff to higher-paying jobs outside government.

Third, we all recognize that the Federal hiring process can be lengthy and complex and doesn't always match candidates with open positions. We recently reported that agencies may not be leveraging the right hiring authorities when working to expedite the hiring process. Collectively, the three challenges I just described are also reasons why GAO has kept strategic human capital management as another governmentwide high-risk area since 2001.

Now I'd like to mention a few of the ongoing efforts within the Federal Government aimed at tackling these issues. As for the executive branch, in July of last year the Office of Management and Budget and the Office of Personnel Management jointly issued the Federal cybersecurity workforce strategy. This set goals and milestones for agencies to identify cybersecurity workforce needs, expand the workforce through education and training, recruit and hire highly skilled talent, and retain and develop the existing workforce. If implemented in full, the strategy could help executive branch agencies determine what critical skills they need and how to fill those gaps more quickly.

In addition, Congress has demonstrated its commitment to addressing cyber workforce challenges by holding agencies accountable through recent legislation. These laws require Federal agencies to, for example, identify cybersecurity positions of critical need and mitigate shortages. Legislation also tasks GAO with monitoring agencies' progress in meeting these workforce planning requirements.
And in fact, we've recently initiated that review in response to this requirement and expect to report back to Congress later this year. There are also governmentwide efforts underway working to increase the supply of qualified cyber professionals. As several of the panelists have noted, the CyberCorps scholarship program provides tuition assistance to students who are studying cybersecurity at the now over 70 participating universities in exchange for commitment to Federal service.

In conclusion, recruiting, developing, and retaining a qualified and competent cybersecurity workforce remains a critical challenge to the Federal Government. If effectively implemented, recent efforts by the executive branch and by Congress could help in addressing these issues. We look forward to reporting back in the near future on whether progress has been made. This completes my prepared remarks, and I look forward to your questions.

[Prepared statement of Mr. Marinos follows:]

Mr. Hurd. Thank you, sir. Ms. Plunkett, you are now recognized for 5 minutes.

STATEMENT OF DEBORA PLUNKETT

Ms. Plunkett. Chairman Hurd, Ranking Member Kelly, and distinguished members of the subcommittee, it is my pleasure to appear before you today as a member of the Strategic Advisory Board of the International Consortium of Minority Cybersecurity Professionals, a grassroots, not-for-profit organization established in 2014 which has contributed to efforts to address the great cybersecurity diversity divide. Ultimately, with scarce talent and high demand, it is even more critical to focus efforts on increasing capacity. The cybersecurity workforce shortfall should be of much consternation given that cyber crime and information theft, to include cyber espionage, are among the most serious economic national security challenges that our country faces.
In fact, as we speak, there are discussions in this Congress regarding the potential role that Russia may have played in our recent Presidential elections. There is an urgent need for more capacity to address this, as well as other current-day cyber threats.

It has been reported that the underparticipation by large segments of our population represents a loss of opportunity for individuals, a loss of talent in the workforce, and a loss of creativity in shaping the future of cybersecurity. Not only is it a basic equity issue, but it threatens our global economic viability. According to Frost & Sullivan's 2017 Global Information Security Workforce Study, there is a projected shortfall of 1.5 million people during the next 5 years. Today, however, women represent only 11 percent of the total cybersecurity workforce and the percentage representation of African Americans and Hispanics in cybersecurity has been reported at approximately 12 percent combined. This data takes on added meaning when we consider the projected growth of the U.S. minority population over the next few decades.

The cybersecurity workforce shortfall and the growing diversity gap in the United States also reflect the broader challenge that the U.S. faces in STEM programs in our schools. Until we can get more students matriculating with STEM-related degrees these shortfalls will persist. We must be laser-focused on quality and retention in middle and high school STEM programs as these formative years determine the future talent pipeline for the cybersecurity workforce. Strategies and programs are needed to provide significantly more opportunities, to include an infusion of resources to support everything from curriculum and faculty development to tuition support. We also need to develop programs that not only provide financial incentives, but that also provide the flexibility to move into and out of government and industry more seamlessly without the threat of a loss of forward career progression.
ICMCP has developed five key objectives to address the cybersecurity diversity divide that include increasing the number of scholarship, internship, and employment opportunities for minority STEM students and facilitating increased attraction, retention, and professional development and advancement. Since 2016, ICMCP has awarded almost $200,000 for scholarships, certifications, and development, and placed dozens of aspirants into internships, cybersecurity positions, and/or with mentors. Finally, we are very excited to have launched a Security Operations Center at an academic institution aimed at ensuring students graduate with hands-on skills to augment their classroom learning.

There are also several government-led initiatives, and I will just highlight one because others have already been mentioned. The CyberCorps Scholarship for Service program is a phenomenal program. There is legislation pending to increase funding and I would urge you to support it.

In conclusion, the efforts to date to address the cybersecurity workforce shortfalls are commendable, but clearly insufficient. More must be done and with the sense of urgency commensurate with our understanding of the capabilities and intentions of nation-states, as well as other bad actors. Sadly, however, with over 200,000 unfilled jobs in cyber and with the dismal representation of women and minorities in the cybersecurity field, there is much more that can and must be done. Several studies have proven that diverse teams win, and specifically diversity has been shown to positively impact bottom line revenues. The greatest tragedy could be our failure to recognize the potential for all Americans to contribute to this workforce deficit. The time is now to act decisively and courageously, to resource efforts, establish new initiatives, and closely track progress towards narrowing this gap. Thank you for the opportunity to participate, and I look forward to your questions.

[Prepared statement of Ms. Plunkett follows:]

Mr. Hurd. Thank you, Ms. Plunkett. And before I recognize Robin Kelly for her opening questions, I ask unanimous consent that a statement from UC Berkeley on the cybersecurity workforce talent be entered into the record. Without objection, so ordered.

Mr. Hurd. I would now like to recognize Ranking Member Kelly for 5 minutes.

Ms. Kelly. Thank you. And thanks to the witnesses. Events of the past few years have made clear how vitally necessary it is to protect our public and private institutions from cyber threats. Attacks against critical infrastructure, such as electric grids and nuclear facilities around the world, prove that highly skilled and determined enemies are attacking real targets all the time, and we need talented people to defend against these attacks. It is alarming that as our critical need to seriously build and develop a world-leading cyber workforce grows, we face a shortage of the very people that we need to accomplish this work.

And I guess to all of you first, whoever wants to answer, why don't you think, especially from the young folks, that we have more interest, when you think about all the games and this, that, and the other, why do you think from younger people that this is not one of their, I guess, aspirations, to get into this market? And we're talking about cyber, but as I speak to my manufacturers even about advanced manufacturing, they need technology. They are suffering also. So it's tech in general.

Ms. Hyman. I'm happy to reply in brief. So CompTIA has a philanthropic arm, it is called Creating IT Futures, and they recently did some research with the group IDEO, out of Chicago actually, looking at this exact issue, because we are very focused on trying to get younger people into the tech pipeline.
A lot of it has to do with exposure to mentors, believe it or not, that have good jobs that are interesting to them and that they can share that sense of excitement with young people. I know that sounds sort of simplistic, but in fact research bears it out. Recently, we launched something called the NextUp program through our philanthropic arm. The idea is to try and match young people grades 6 through 10 with mentors throughout the tech community so that they're disabused of the idea that a tech career is some guy in a hoodie in a basement, but it is actually a very multifaceted, colorful career opportunity. And we are doing this by partnering with other groups. So we just gave, I believe, $150,000 to Tech-Girls, for a program in Chicago, in fact, to try and bring together those mentorship opportunities. So that's one piece of the puzzle, but in fact, in our view, a very important one.

Ms. Kelly. Thank you.

Mr. Cooper. Let me add a perspective, kind of from inside government, although everybody knows I'm retired and not officially inside government. But I want to combine a lot of what Ms. Plunkett said along with what Ms. Hyman just said. I think a significant part of the problem that directly addresses how come more younger folks don't come into this field, particularly in government, because we in government don't do a good job of making it attractive. Let me use an example from when I was in the private sector with Eli Lilly. We had a very, very formal program that placed recruiting teams on a regular basis with the Historically Black Universities and Colleges. It was extremely successful. There were three or four team members who remained in place, a lot of them were alumni of these organizations, joint with other Lilly managers and senior people, that visited campuses on an ongoing basis to identify early rising talent, the best students coming out.
Lilly then did a number of things, but they had an 80 percent hire rate of those students identified through that program and about a 60 percent career retention rate of those people. It included scholarships and things like that. So I think a whole lot of it--there is nothing like that that I'm aware of in government. I didn't do it, shame on me, when I was in government. But we've got to make folks more aware of the opportunities, particularly in cyber, in the Federal enterprise.

Ms. Kelly. Yes.

Mr. Waddell. I just wanted to piggyback on Elizabeth's comments from CompTIA. I absolutely agree with what she said. At (ISC)2 we are actually trying to get them a little bit earlier. We have actually partnered with Garfield, believe it or not, to address the 1 through 6 grade level. And it is really just going into schools and having a dialogue with these kids, because a lot of times they have this impression of the hacker in the hoodie and the cyber job that is really all about just being behind the keyboard. But cybersecurity has so many different roles to play, and we found that through this program just by simply inducing videos and comic books about just basic internet safety it starts the dialogue. I've been in schools in Prince William and Fairfax County and I've talked to these kids. And they come up and they say, ``Wow, what do you do for a living? I want to do that. How do I get involved?'' So just by using that character Garfield, believe it or not, it really starts that conversation.

Ms. Kelly. I'm so glad to hear the comments that all of you had, because I think it is so important to start young and to go into the schools. Because in my district, which is urban, suburban, and rural, so the thing that I have to deal with that everyone talks about Chicago.
But there is a--I'm glad you do--but there is the south suburbs, I have a rural part of my district, and they tend to lose out because they are kind of competing with the big city, and they don't have the transportation and those kind of things. But I do think, like you said, people don't even think about doing these things and we have to put it on their minds. And then some of my school districts, they don't even--I just helped get one area of my district the internet so they could go on the world wide web. So, I mean, they don't even have that, your phone or your GPS doesn't work. Now it does, but it didn't work. So we really do need to have that personal relationship and whatever your companies can do would be fantastic. I'm over time.

Mr. Hurd. Mr. Raskin from Maryland is recognized.

Mr. Raskin. Thank you very much, Mr. Chairman. And thanks to all the witnesses for your excellent testimony. I'm someone who is quite perturbed and disturbed about the Russian cyber hacking and sabotage of the 2016 election. And the best that I can tell is that Vladimir Putin figured that he was no military match for the United States, but he could launch something like a Manhattan Project for cyber attacks and then figure out a way to unleash mayhem in the U.S., Brexit, France, Italy, all over the world. And so it seems to me you guys are on the front lines of the real defense of America against the big threats today. But I wonder if you think that the allocation of our resources corresponds to the reality of the threats against us. President Trump has suggested slashing $56 billion from the domestic budget from NIH and from Peace Corps and from HUD and Community Development Block Grants, which I think is independently a misallocation of our priorities.
But put that $56 billion directly into the Pentagon and I'm wondering if you think if the money is spent the way we have traditionally spent it that addresses the threats that are really facing the country or if we have to think of the defense budget as something that puts cybersecurity right at the heart of it now. So I don't know if anybody wanted to volunteer to take that one. Mr. Cooper.

Mr. Cooper. I'll take a shot at it. I can kind of talk--I can color outside the lines a little bit as opposed to joining you in previous hearings. First of all, I think that the approach we're taking to hiring cyber talent is well intended but it gets in the way of actually filling an awful lot of these vacancies across the Federal enterprise and retaining that talent. Specifically, here is what I'm talking about. And please don't hear this as criticism, it is not intended this way, it is feedback. Appropriations bills require CIOs to spend those taxpayer dollars that have been approved within, in my example most recently, the Department of Commerce. What if I could pool some of that money with fellow CIOs most in need in the Cabinet departments and with the Department of Defense to do a couple things? First of all, why not use pooled hiring? Why do I have to end up competing with other CIOs? DHS is more sexy, DOD attracts a heck of a lot more people than the Department of Commerce, speaking very candidly. It is not a negative, it is just reality. But if we could team up and if we could kind of have a recruiting team, you guys figure out where it might be placed, possibly GSA, possibly OPM, possibly DHS, or possibly DHS, DOD combined, but let them do all the hiring for these folks. Go after the skill sets we need, and that's where these folks can give you a lot of detail about the different scope and breadth and depth of hiring what talent is required. But I couldn't find forensic analysts. I just couldn't compete. There was no way in hell.

Mr. Raskin. But let me come back to something----

Mr. Cooper. And then take those people and deploy them to the highest risk.

Mr. Raskin. Gotcha. As the departments request their help on particular things or creating interagency initiatives for cybersecurity. So let me come back to something that you actually started with, which was the hiring freeze. To what extent does this blanket categorical hiring freeze in fact undermine the ability to hire and to get in the people we need in the cybersecurity field, maybe on an emergency basis?

Mr. Cooper. Well, my answer is simple. Right now, it's having a pretty significant adverse impact.

Mr. Raskin. Others want to weigh in? Mr. Waddell.

Mr. Waddell. I would say that the impact is not only on the agencies themselves because of the open positions, but the impact on the cyber workforce that's already there. So now you're asking the cyber workforce that's doing their 9 to 5 job to now pick up other duties and skills just to help cover it. So I think we also need to think about the current folks that are there. This shortage is really draining the resources of those people. I like to use the sports analogy. I think we have too many coaches and not enough players, and in order to play defense, we need more players. So we need that pathway to help get these folks in without the threat of sequestration and hiring freezes and the like.

Mr. Raskin. And as you sweat the people who are there harder, it drives them out and then you can't fill their positions.

Mr. Waddell. Right, exactly.

Mr. Raskin. So you're in a destructive downward cycle there. Mr. Chairman, thank you very much. And I appreciate your testimony.

Mr. Hurd. Mr. Krishnamoorthi, you're recognized for 5 minutes.

Mr. Krishnamoorthi. Thank you, Mr. Chairman. First of all, thank you all for coming today. I really appreciate Congressman Raskin's line of questions. I'd like to build a little bit on what I've heard so far.
You know, Chairman Hurd has put forth some really good ideas about increasing collaboration between the public and private sectors. Ms. Depew, you have called for an expansion of the CyberCorps program and I wanted to ask you a couple of questions about that. One is that my understanding is that--is the CyberCorps program limited to folks with a 4-year degree?

Ms. Depew. I believe at this time it is focused on juniors and seniors in a 4-year cybersecurity-focused degree.

Mr. Krishnamoorthi. Okay. What do you think about potentially opening it up to folks in community colleges who might specialize in a cybersecurity degree? I'm just concerned that perhaps we're limiting our supply of people for these open positions by basically excluding people who might specialize in a 2-year degree, but possess the requisite skills to do the job. I mean, what are your comments on that?

Ms. Depew. Oh, absolutely. We highly recommend that it be expanded to include community colleges. There are a breadth of skills necessary to effectively run a Security Operations Center and some of those skills can absolutely be obtained via certifications, 2-year degrees. It's not just about 4-year or advanced degrees to develop those skills and that talent.

Mr. Krishnamoorthi. I see a lot of heads nodding in agreement, including Mr. Waddell from--what an interesting name, I think ISC, in parens, squared.

Mr. Waddell. (ISC)2, yes.

Mr. Krishnamoorthi. Okay. That seems like a very mathematical name there. So please, what are your thoughts?

Mr. Waddell. I couldn't agree more. I think that--and I think limiting it to just the STEM folks, I think, leaves a lot of the liberal arts and the communication pieces of the cybersecurity job. Look no further than the OPM breach, where I think there was just a communication gap between the folks that were on the keyboards, and the folks kind of at the top. But the folks at the top didn't understand what was the risk of not patching these systems.
What was the risk of these vulnerabilities? And that message just did not get filtered up for whatever reason. So, absolutely, couldn't agree more. We could--not all positions require a college degree. It's a great thing to have, but you can certainly tap into high school, a 2-year college and have training and certifications to help augment and validate those skills.

Mr. Krishnamoorthi. Go ahead, Ms. Hyman.

Ms. Hyman. Yes. I just want to reiterate everything that's been said. We share (ISC)2's position as being a certifying body. And we've been working for a long time with the government to try and suggest that this is a very good government way of spending money is to make sure that if you're going to have training, you need to have some way to validate what that training was about. And so even if you don't have a 2- or 4-year college degree, there are certifications that an individual can take to get them into the beginning of the cybersecurity career. And on top of it, I would point out there's something called the Government Employees Training Act, GETA, which obviously says that it's okay for money to be spent for training, but it doesn't explicitly say that it should be used for testing. And so when we go to talk to various agencies, we learn that, well, they are not specifically authorized to use that funding for the purpose of testing. Therefore, we're not validating the skills that we've spent government money on to make sure an individual understands what their cybersecurity responsibilities are. So I would commend all of you to address GETA and try to make that a more explicit piece within that particular piece of law.

Mr. Krishnamoorthi. That's a great point. I think, Chairman Hurd, perhaps we should take a look at that. I just believe very strongly in vocational, technical education, community college education being kind of potentially the pathway forward in filling a lot of these open technical positions in our country.
And so, I think we're--this year we're going to be reauthorizing the Carl D. Perkins Career and Technical Education Act in the Education and the Workforce Committee. I think this is something, perhaps, we should look at there as well. Ms. Depew, what is the current investment into the CyberCorps program?

Ms. Depew. I believe it was $45 million 2 years ago, $50 million last year, and it's proposed at $70 million this year.

Mr. Krishnamoorthi. I mean, what's your thought? Is that sufficient to address the shortages that we're seeing in the workforce?

Ms. Depew. So $40 million funds about 1,500 scholarships. If there's a 10,000-person deficit, that puts a small dent, but not a significant enough one. So I do think we do need to investigate at a heavier level. And that could be a combination of both a traditional program or expanding to community colleges.

Mr. Krishnamoorthi. Great. Final question, what level of funding do you think is required?

Ms. Depew. I think on the order of $180 million would be necessary to put a sufficient dent in the problem.

Mr. Krishnamoorthi. Okay. Thank you very much. Thank you, Chairman.

Mr. Hurd. I want to recognize myself for my line of questioning. First question goes to you, Mr. Marinos and Mr. Cooper. Why is it hard for a CIO to tell me how many positions they don't have--that they haven't been able to hire for?

Mr. Marinos. So, I think, like I mentioned in my statement, I see three issues, but I'll probably focus less on the recruiting and retention, which others have mentioned. So the first one is on strategic planning. It has been a high-risk area since 2001 for a reason. Part of the difficulty with cybersecurity in particular is that, obviously, with the threat constantly changing, so are the needs themselves as well. So----

Mr. Hurd. I get that. But why can't they tell me what they need today? Right? Let's start with today----

Mr. Marinos. Sure.

Mr. Hurd. --and the difficulty.
I would think that I should be able to go to any agency head and call them on the phone, and they should be able to produce how many positions that they have billets for that are unfilled. Is that a--is that a--is that a yeoman's work to pull that number out of there?

Mr. Marinos. So, I think they are working off of an old system. I throw it out there. We've got three job series that are set up to classify IT and cybersecurity. In that old system, it doesn't really provide you much granularity. So let's say you want to know how many people do I need in my SOC? How many people do I need on incident response? Well, if you're looking to hire up, or you're looking to express to the committee, to Congress, exactly what you need, you don't have a lot to work off of. More recently, NIST has put out an updated framework, which is supposed to give agencies that ability. I would point out, though, that it's a long-term goal, even with the law that was mentioned earlier, Federal Cybersecurity Workforce Assessment Act, tasked agencies with getting there by 2019. So I think it's a real concern that I would share with you, Chairman, that I think, ultimately, asking the question up front as to what are agencies doing now to shore themselves up is of major concern.

Mr. Hurd. Good copy. Mr. Cooper.

Mr. Cooper. I'm going to give you a little bit more direct answer. I think it varies a little bit by agency, and quite frankly, it varies by CIO. I believe you know, I could give you the answer to your question. I still can, even though I'm not there. And I think you will find----

Mr. Hurd. What was the number when you were there?

Mr. Cooper. The total--in my particular office, when I walked in the door, I learn a little bit of research, there were 16 cyber-specific vacancies. Okay? Three years later, there are 10; but there were another 10 that were not funded. So 20 is the need. 10 is officially what the number is that I shared with you this morning.

Mr. Hurd. Got you.

Mr. Cooper. Additionally, across the entire Department, so all 12 bureaus, that number increased, particularly--remember, we're coming up on the 2020 decennial Census, so it's a big driver. But that number increased to about 97 across the entire Department.

Mr. Hurd. And, Ms. Depew, you said a number has been used multiple times. 10,000 is what we think the estimation is in the Federal Government of IT professionals. Is that correct?

Ms. Depew. Yes, that's the number we referenced, yes.

Mr. Hurd. Mr. Marinos, would you agree with that estimate?

Mr. Marinos. No. Though I would point out that there have been varying estimates out there. I would say that last year, there was a goal, I think, around about 7,000, and as of January, when OMB provided its report to Congress on FISMA compliance, it did report that it met that goal.

Mr. Hurd. So if we're looking to fill a gap, start saying, Hey, we need to get near 10K, 10,000 people, that's good enough for--because if we try to produce something that only produces 10, you know, graduates that can go into jobs, that's not going to make a dent. So we need--the magnitude that we're talking about is--is around 10,000.

Next question: So--and, Mr. Cooper, I'm going to start with you. Ms. Hyman, I love your perspective. And, Mr. Waddell, and if anybody else has perspectives, just please raise your hand, and I'll ask you that--this idea of rotational IT workforce, and you alluded to it in your opening remarks, what kinds of jobs could they be working on, and how would you--how--what are the hurdles that we're going to have in making sure CIO has the authority to task this rotational workforce? Right? Because when I think of rotational, it's you have three people for 10 days working on a project, or you can have one person for 10 days, and you are able to plan in advance, and maybe you get three people to do that. So a project that takes 30 man-days can be filled by three people. What are some of those kinds of projects?
And as a former CIO, would you have wanted to use--would you want to have that kind of capability? Mr. Cooper. All right. Let me first clarify. I may have accidentally confused members of the subcommittee or even maybe colleagues on the panel. I apologize if I did that. Let me clarify. When I use the term ``rotational,'' here's what I'm actually talking about. I'm talking about a longer period of time, 6 months to up to 2 years. That's what I mean when I say ``rotational.'' Contrast that, or compare it with the cyber National Guard or the concept of shorter periods of time, both are valuable. Which--which would you prefer me to address? Mr. Hurd. The shorter period. Mr. Cooper. All right. Okay. The shorter period. The types of positions that would be very, very valuable for skilled people--and there are a whole lot of these folks who are in the contractor workforce that support most of the CIO offices across the Federal agencies, take something as simple as deploying testing and deploying vendor security patches. That's--that's something that skilled people and people who are trained through some of these programs at a 2-year level, by the way--I fully agree. This could be done by community college graduates. It would be a tremendous opportunity to build a workforce to do that. That's something that people can step in and add real value for however much time they are able to do that. So, literally, that could be 3 days, 2 weeks. If I've got somebody skilled, I will take them. And I will take as many of those people as I can get, as long as I have some way to know that they're skilled, and that's where I fully support all of the colleagues sitting to your right around rigorous certification. That's terribly, terribly important. Because, otherwise, I don't know these people, and I don't know whether their skills are right. You give me as many of those people short term, I will take them all. Ms. Hyman. Yes. Great question. 
And I agree in terms of the short-term purposes. I think maybe in--I'm going to defer to some of the true experts on the panel, but also looking at some of the cybersecurity--excuse me--logs on a continual basis, so long as you have an opportunity--if you are there for 2 or 3 days, and you're looking at some of the patterns there, there's some sort of system to capture that. I don't know if that's possible short term. But I was thinking about that. Because that is an introductory industry analyst type position. The other thing, frankly, is using some of these people to train your remaining noncybersecurity workforce. The amount of human error that contributes to cybersecurity breaches, it's usually about 50 percent or higher. And so you could, on a very short-term purpose, use some of these individuals to deliver, you know, quick training for the regular workforce along those lines. Mr. Hurd. So, as Mr. Waddell says, harden the workforce. Ms. Depew, do you have any comments? Ms. Depew. Two thoughts that come on top of head--on top of mind are specific coding projects. We always have a multitude of ideas that we would like to flesh out. So if somebody had advanced coding skills, there are contained projects we could do on a short-term basis that I think would be really valuable. Another thing I would love to do is put folks with government experience in front of some of our products and tell us what we need to improve and why they don't work as effectively as we need to in your infrastructure. So that would be very advantageous to us as well. Mr. Waddell. Two things jump out at me for the short-time assignments. One is like a site assessment. When I was a contractor with the DOD, I was on a 2-week rotation with the Army where we went to MEPCOM, the Military Entrance Processing Command, and tested all the sites. That was a 2-week rotation. We went in. We red-teamed. 
We threw everything we could against that site, interviewed the people, did a bunch of pen tests, and then cranked out a report and left. I think that's probably a really good one for that short-term assignment. The second one was also a breach response forensics, say, for example, you know, some agency organization got hacked, and they needed to do forensics on a hard drive, maybe come in and just do a real quick recovery of that and then rotate to the next breach. Mr. Hurd. Ms. Plunkett. Ms. Plunkett. So I'd agree with everything that has been said. Areas like research and development, developing mitigations, product testing, and some level of forensics, I think would be ripe. The other areas that would be more difficult would be real-time response, because you want to have some a priori understanding of the network. It's not impossible, particularly if you have someone that's rotating in on a regular basis to the same place. But if it really is a ready reserve where they would go anywhere, it would be difficult to send someone in just to address a threat when they don't know the infrastructure and they are not up on the current vulnerabilities. Mr. Hurd. So, Mr. Marinos, what are the difficulties going to be if let's--you know, we have these different kinds of work requirements that a short-term rotational workforce could address. Help me think in advance of, you know, the problems that we're going to see in trying to introduce that into the Federal Government? Is that a fair question, these incidents? Mr. Marinos. Absolutely. I think the quickest answer is coordination. So--I hate to tell you. You know, and you all are champions of empowering the CIOs who are doing work for you and enforcing FITARA, we're looking at that area very carefully. When you think about that, you are thinking a lot about CIO and CFO working hand in hand to procurement, working with the CIO. Here, you've got a whole different story. 
You've got the chief human capital office working with the CIO and the chief information security officer at individual agencies having to work together. So, you know, I just kind of throw that out as a potential pain point in terms of the coordination. If you're thinking about where this fits within the Federal Government too, thinking about what DHS' mandate is, the National Cybersecurity and Communications Integration Center is increasing in its--you know, its level of assistance to other agencies. That might be a location to consider in terms of whether they are going to need assistance to be able to help other agencies out. But I would go back to what Mr. Cooper has expressed at previous hearings as well, which is that if the CIO is not actively engaged, then the help may not be going to the right places. Mr. Hurd. Let's do a quick lightning round. Okay? We'll just go down the panel. Where should this cyber National Guard sit? And ``I don't know'' is a valid question. Mr. Cooper. Mr. Cooper. Okay. So the truth is---- Mr. Hurd. Lightning round. Mr. Cooper. The truth is I don't know, but I would argue DHS plus OPM plus DOD. Ms. Hyman. I don't know, but I would add that there should be information back from the Federal cybersecurity workforce assessment process so that you could figure out where gaps are and what agencies really need to be invested. Ms. Depew. I don't have an answer for the National Guard, but for the expansion of the scholarship program, we do think that the NSF is an appropriate place, because it's nonregulatory and it has great respect with the private sector. Mr. Hurd. Got you. Mr. Waddell. I would say a mix of DHS and DOD. Mr. Marinos. I'll add in--I think it's really important for the Office of Management and Budget. We had the Federal CIO in the previous administration. I think it's important for there to be a proactive involvement from that office. Mr. Hurd. Okay. Ms. Plunkett. Ms. Plunkett. 
I'd say in a place where there's a real-time current cybersecurity mission, it can't be just a place to deploy, because that won't--they won't have the right understanding of the types of skills that are needed for a specific situation. It's got to be in a place where there's an active cybersecurity mission going on. Mr. Hurd. Next question, lightning round. I'm going to start with you, Ms. Plunkett. I'm going to go down this way. Expand the cyber--so CyberCorps--CyberCorps is only 4-year institutions. Is that correct, Ms. Depew? Ms. Depew. That is my understanding. Mr. Hurd. Okay. So is it focused on getting scholarships to high school kids that go to college forgive debts? And I would say not college--when I say ``college,'' I mean 2- or 4-year institutions. So is it to forgive debt or is it people that have already gone to school, or do we focus on trying to give scholarships to high school kids who go to school, or something else? Ms. Plunkett. I think it's all of the above. And in addition, we need to invest in those high school students while they're in high school. We need to look at investigating in areas like---- Mr. Hurd. What gives us the quickest result? Ms. Plunkett. To address the immediate need, it's likely more for scholarship for service, to get folks who are at the end of their degree program through more quick--through debt forgiven, get them into the workplace. Mr. Hurd. Good copy. Mr. Marinos. So as the one current government guy here, I can say from GAO's perspective, we've recruited, and we still have CyberCorps folks there after decades. So I think there's an importance at the undergraduate and graduate level, but I think it couldn't hurt if there was an extension of that. Mr. Waddell. The quickest, I would consider cohort programs that retrain folks that are already in another vertical and retrain them quickly through a 16-week program and get them in entry level. That's the quickest. Ms. Depew. 
I agree the quickest is to leverage what exists now and potentially pump up more existing scholarship programs. But if you are going to systemically fix the problem, you have to start deeper in the pipeline and do something with middle school and high school students. Ms. Hyman. Same thing, but I would also say, upskilling is crucial. And to take that existing workforce pipeline and provide not only, again, certifications, but identify a career path for these individuals to continue within government service with opportunities for training, education, and progression. Mr. Cooper. Most immediate impact and easiest to implement right away, 2-year community college-based degrees plus a years-of-service Federal obligation. The other stuff I agree with, but the most impactful right now, people trained out of 2-year colleges hit the ground right now, but they require an obligation on years of service. Mr. Hurd. Ms. Kelly, you're now recognized. Ms. Kelly. I have to ask this question, since it's Women's Equal Pay Day. When you talk about recruitment and retention, what have you seen as far as a difference in pay between men and women? Because from something I read, I saw there was like a $15,000 to $16,000 difference. Mr. Cooper. I can address that directly. There was a disparity. I took a look at it. I tried to do something as best I could, but--but I didn't tackle it directly male, female. I did it on an equity-based basis around roles, and that was more palatable to my HR counterparts. Ms. Hyman. We don't have the data specifically on that question, but I will say, obviously, women are underrepresented in the tech fields. And I think we have to pay attention to getting more women in so that we can also drive up salaries. Ms. Kelly. Right. Because they are underrepresented, that might be one of the reasons why they are not going to get equal pay. Then the other question is, I know we're talking about how to get young people involved. 
But when people are laid off from a career they've had, some people--you know, we always say, we should put them back into training and skills and blah, blah, blah. And some people would say, oh, people that get laid off in their 40s or 50s, they don't want to go back in and learn something. Have you found that, or do you have many people that you work with, Mr. Waddell, Ms. Hyman, that are older, but younger than me? Ms. Hyman. Yes. Talking a little bit about our philanthropic arm, they also have developed something called the IT-Ready program, and it looks at folks that have been displaced, put out of work, as well as younger people in underrepresented populations. I don't have specific numbers for you, but what I can say is that these types of programs, it's not just a simple matter of retraining somebody. The--when we take somebody on for the IT-Ready program, we've assessed them, whether there's an aptitude for technology. There's a good 8 weeks to 10 weeks of training. There's support services that go with it. How do you interview for your job? And then we place them into an internship or apprenticeship, so that there's an opportunity then to turn that into a full-time job. We've had, I believe, over 85 percent success rate with this program, but the issue is scaling it up. We probably have about 800 people annually. You know, we have a lot of work to do. Mr. Waddell. Yes. I just wanted to give you some facts, some figures, from our 2017 report specifically about the wage gap. The wage gap of women at the director level and above has narrowed from salaries reported in 2015; however, women are still paid 3 percent less than men in equivalent roles. At the manager level, the gap has remained relatively the same, with women earning 4 percent less than men. The gap at the nonmanagerial level has widened to 6 percent from 4 percent in 2015. Ms. Plunkett. 
You know, what we found is that we actually have been successful at retraining folks who are either laid off, or are looking for a career change. And the answer has been a combination of, certainly, academic training, but then, exposure to operational cybersecurity capabilities as we might find in the ESOC or the SOC or as the ICMCP has been piloting, where they've had some hands-on experience in an academic experience. So that when they go into the workplace, they've touched the code; they've touched the machines; they have touched, in an operational kind of way, systems, so they can hit the ground running. Mr. Hurd. Mr. Raskin is now recognized. Mr. Raskin. Mr. Chairman, thank you. Just one final question. If Members of Congress, like members of this panel, wanted to do a job fair or a higher education fair, college fair, career opportunities fair, who is the best person to contact about creating a cybersecurity careers presence there? Do you guys do that? Mr. Waddell. Yes. We do. I think all of us on here do some sort of job fair. I'll just give you an interesting, very quick story. I offered a table at our career fair to DHS, US-CERT a couple of years ago, and the deputy director at the time, Brad Nix, said, I'd love to come, but by the time we get there, all the positions--all the folks would be gone, and we wouldn't have an opportunity to capture them, because it just takes them so long to get them into the system. Average is at about 6 months. So I don't know if the problem is the career fairs themselves. It's just--we need to streamline the onboarding and hiring process to get those folks in quickly--quicker. Mr. Raskin. Yes, Ms. Plunkett. Ms. Plunkett. Can I just add, the process by which we actually match aspirants or candidates with good jobs is an area that could use some help. And, certainly, ICMCP would be absolutely willing to participate in a job fair. We have lots of young people coming to us looking for those opportunities. Mr. Raskin. That's great. 
Well, I'll definitely take your information. And I don't know whether you are deterred by the hiring freeze in terms of doing this, but I suppose it makes sense in any event to go forward and do it. Mr. Hurd. Well, I'd like to notify my colleague, in places like DOD, the IT professionals are considered must-haves, and so the hiring freeze is not impacting them. Mr. Raskin. Okay. Mr. Hurd. And many of the other Federal agencies could have that same interpretation. Mr. Raskin. Thank you, Mr. Chairman. Mr. Hurd. Ms. Hyman, can your cybersecurity career path position descriptions, could they be used as the foundation for Mr. Cooper's idea of working with the Federal CIO Council and OPM on having pre-approved positions? Ms. Hyman. Yes. So what we've done with our certifications is that we've mapped them to the National Initiative for Cybersecurity Education, which looks at knowledge, skills, and abilities across different uses for cybersecurity. And the 8140 program, the successor to the DOD 8570 program, which is their information assurance requirements, they're actually going to be mapping many of their requirements to the 81--to the NICE initiatives. So what you're starting to see is, across different government agencies, sort of a similar lexicon about what cybersecurity knowledge, skills, and abilities are. And we're not the only certifying body that has mapped our certifications to NICE. Mr. Hurd. Good copy. Mr. Cooper, 18F and USDS, can their business model be used to address some of these--how would I best say it? Mr. Cooper. Some of the shortcomings? Mr. Hurd. --some of the shortcomings, yes. Mr. Cooper. Yes, I actually believe it could. I think they've done a lot of learning from their first approach, or first foray, through U.S. Digital Services, I think it has been a positive learning. 
I would support that, and I think that you could probably pull that group together with a Federal CIO when named, and the Federal CIO Council appropriate interaction with the HR community. But, yes, I do think that could work. Mr. Hurd. Ms. Depew, the Cyber--I don't know why I can't remember that--CyberCorps program, my understanding is that the funds go to the universities, and the universities are the ones that are selecting individuals to potentially receive that. Is that a correct understanding of the program? Ms. Depew. I would--yes. Mr. Hurd. So my question is--and is that restricting us by having just those participant--the schools that are participating in that, and the only other option would be, you have some entity in the Federal Government that administers these programs, which I'm always circumspect about whether we can pull off something like that in order to have kids apply and go to the school of their choice--their choosing. Am I--am I thinking about this problem the right way? Ms. Depew. I think that's fair. I would have to--I'm curious how they choose which schools, if the schools opt in or if they were targeted. I was looking through the list myself, looking for which schools were near some of our campuses, because it would be nice to be able to offer some local teachers. And I didn't see a multitude in the States and cities where our campuses were, which is another reason a community college-based program would open that aperture and have more availability to a broader---- Mr. Hurd. Got you. Mr. Cooper. Mr. Cooper. One quick thought, which honestly just occurred to me listening to our conversation, it might be interesting to talk to the military academies about adding kind of a cyber curriculum. They have the basics, but with a goal of actually training cyber officers who don't necessarily go through direct military. 
They are in the military, but they come back to, you know, not just DOD, civilian agencies as well, might be an interesting thing to explore. Mr. Hurd. 10 seconds, final question. Everybody gets 10 seconds, final statement: What should we be walking away here with, or something that we haven't--we haven't discussed or you haven't been able to bring up? Ms. Plunkett, I'm going to start with you. Ms. Plunkett. I'd say let's not--I recommend you not focus on what's working. Scholarship for service is working. Needs more resources. Focus on capacity at lower levels, middle school, high school. Focus on 2-year colleges. Focus on SOC experiences where folks can get operational experiences and then jump right into the workforce. Mr. Hurd. 10 seconds. Mr. Marinos. I think your continued focus of oversight is really important here. We can't afford to wait, and I'm concerned about the longer term focus of where our initiatives are going. Mr. Hurd. Thank you. Mr. Waddell. Scale up fine pockets of excellence of things that are working such as the cyber pay incentive program at DHS NPPD that has been shown to attract and retain talent. Ms. Depew. The threat landscape is always changing. It's not like certain degrees where they fix routine process, so you need to consider that when you're recruiting your diverse workforce and training them for how to think, not what the differing knowledge is. Ms. Hyman. It might also be useful to take a look at the current National Guard personnel that are actually certified in cybersecurity capabilities just to get a sense of what that rotational workforce might look like. Mr. Cooper. Set up a new program along the line of what we talked about for veterans and unemployed workers, jointly funded, public-private partnership, graduates of 2-year, 4-year program, whatever, rigorous certification. 
Companies that hire these people receive additional acquisition points in competitive procurements, based upon the number of people they are hiring out of this program and competitive solicitations. Mr. Hurd. I'd like to thank our witnesses for taking the time to appear before us today. I ask unanimous consent that members have 5 legislative days to submit questions for the record. Without objection, so ordered. And if there's no further business, without objection, this subcommittee stands adjourned. [Whereupon, at 3:55 p.m., the subcommittee was adjourned.] APPENDIX ---------- Material Submitted for the Hearing Record