The Office of Personnel Management knows the federal government has a shortage of cybersecurity talent, but to diagnose where those gaps exist, the agency has been on a tangled odyssey to define exactly what a cybersecurity job is.
The latest chapter in the quest to classify what makes a cyber professional is OPM’s new interpretive guidance for cybersecurity, which the agency described to federal human resources managers in an Oct. 15 memo.
“Over the years, OPM has proactively collaborated with agency partners and other stakeholders to gain a better understanding of the cybersecurity workforce governmentwide. A critical part of identifying the cybersecurity workforce was defining cybersecurity for consistency throughout the federal government,” said Mark Reinhold, OPM associate director of employee services.
The guidance aims to pin down what, up until recently, has been an uphill battle: the established skills, job roles and classifications needed to monitor and maintain the federal government’s cyber workforce.
Because the requisite skill sets of cybersecurity professionals can span multiple defined job categories and are continually taking shape as technology evolves, OPM cited 14 years of federal policies that have tried to define cybersecurity occupations in order to know how to recruit for them.
The interpretive guidance aims to streamline those efforts by creating a basic IT cybersecurity position title within the General Schedule’s IT Job Family Standard, GS-2200. The guidance also allows agencies to apply cybersecurity as a “parenthetical title,” providing flexibility in recruiting for other job titles that may include cyber components the majority of the time.
The guidance identifies cybersecurity competencies that span four defined occupation series — IT management, electronics engineering, computer engineering and telecommunications — allowing agencies to recruit talent from each series and determine how those competencies should be applied to individual cyber positions.
The guidance also adheres to baseline job roles specified in the National Initiative for Cybersecurity Education’s (NICE) National Cybersecurity Workforce Framework to establish a commonality across the cyber workforce.
By both leveraging the GS-2200 classification and allowing agencies to determine the mix of competencies they can apply to each position, OPM’s guidance allows agency HR leaders to interpret what level of expertise, certification and compensation is warranted for each job. If the job intersects with multiple occupation series, the guidance provides steps for agencies to assess where the job fits on the GS and Senior Executive Series of senior leadership levels.
Agencies will still have to leverage OPM’s Federal Cybersecurity Coding Structure to identify the skills needed for vacant cyber and IT positions. The coding structure was first established as part of the Federal Cybersecurity Workforce Assessment Act of 2015 to help assess technology skills gaps within federal agencies.
Efforts to finalize agency reporting on that coding structure have been ongoing, with OPM officials directing Chief Human Capital Officer Act agencies to provide it with full reports of their cyber and IT skills gaps by April 30, 2019.
Strengthening the cybersecurity workforce is a key initiative within the President’s Management Agenda and a focus of the White House’s IT modernization efforts.