U.S. DoD Puts CPD At Heart of Its New Cyber Workforce Strategy

Mar 02, 2023

By Joe Fay 

Workers told to make more use of cyber ranges, conferences and webinars as the skills gap just gets bigger.

The US Department of Defense (DoD) is overhauling the recruitment and training of its cyberspace workforce, providing a template for other public and private sector organizations battling both a growing cyber threat and a widening skills gap.

The DoD’s Cyber Workforce Strategy stands as a potential model for how other public and private sector organizations should be reshaping their cybersecurity teams and nurturing talent. 

When the US-based Bipartisan Policy Center detailed the “Top Risks in Cybersecurity 2023”, it highlighted the impact of geopolitical uncertainty, an accelerating cyber arms race, an erratic regulatory environment and economic headwinds that are likely to leave employers with the dilemma of reducing cyber investment in systems which are already creaking.

However, it also singled out the threat of “talent scarcity”, with the US alone estimated to have approximately 700,000 unfilled security jobs by its own measurement, a number that will grow as demand for trained professionals increases. It also said there was a need for increased automation to fuel modernization efforts, and the government should step in “if the private sector is under-resourced and under-staffed.” 

The Biden administration has put the cyber workforce issue at the center of its broad cyber security agenda, alongside SBOMs, a move to memory safe languages, and a focus on cyber resiliency.

According to a February 2023 slide presentation for the DoD, the “mission” of the Cyber Workforce Strategy is to “Provide the tools, resources, policies and programs that enable the Department’s cyber workforce stakeholders to identify, recruit, develop and retain a more agile and effective cyber workforce.” 

The ultimate DoD vision is to “develop a cyber workforce that is the most capable and dominant force in the world.” The strategy encompasses identifying future workforce needs, and overhauling policies and culture to optimize recruitment, development, and retention of staff. 

How it proposes to do this is outlined in the latest DoD Manual (DoDM) 8140.03 Cyberspace Workforce Qualification & Management Program. The DoD said this replaces a program “that focused solely on qualifying a section of the cybersecurity workforce centered on information assurance and computer network defense professionals using a narrow set of requirements”. 

The latest manual presents a structure that “differs significantly from previous workforce structures. It covers the full spectrum of cyberspace work and is based on work roles for greater specificity in identifying and qualifying the cyber space workforce.” 

Under Cyberspace Workforce Compliance Responsibilities, it states that “Cyberspace is a warfighting domain that requires a knowledgeable and capable cyberspace workforce to meet rapidly evolving missions.” 

The mandate includes a strong focus on continuous education and training – workers will be expected to undertake at least 20 hours of continuous professional development (CPD) or education a year to maintain or enhance their competence. CPD can range from taking industry certifications and professional training, attending meetings and seminars, participating in webcasts, and letting loose on “cyber ranges or other related cyber exercises”. 

It lays out educational requirements and foundational qualifications, but also sets out situations where on-the-job experience may be accepted as an alternative to foundational qualifications. 

White House officials have previously raised the importance of ensuring the cyber workforce is opened to entrants from non-traditional backgrounds. That can mean considering entrants from community or technical colleges, or even those who are, effectively, self-taught. This is likely to add up to a far more diverse intake than one dominated by Computer Science graduates from elite universities. 

But is this enough to fill a skills gap that appears bigger than expected? 

According to the February presentation on the changes, the aim is to develop “an agile and responsive process that can incorporate the ever-changing requirements to align to [an] evolving technical threat landscape.” Hence Cloud and DevSecOps have been added to 39 roles. Overall, the framework consists of 71 roles, including AI, data and software engineering. 

The presentation also showed that applying DoD Cyber Workforce Framework (DCWF) work roles dramatically changes things when it comes to identifying gaps in the workforce. 

When the workforce is classified by the Occupational Series roles used to classify US government jobs, there is a vacancy rate of 24%. 

Once coded work roles are applied, it becomes clear that there is a vacancy rate of 60% for Cyber Defense Forensic Analysts, 66% for Privacy Compliance Manager and 78% for Target Network Analysts. 

That would be daunting for any HR team to manage. Continuous training and providing more routes into the DoD’s cyber workforce might indeed help fill some of this gap.

But as the Bipartisan Policy Center noted in its report, “Wages for skilled practitioners continue to rise due to this demand, coupled with the scarcity in supply, effectively pricing out many government entities and SMBs. Organizations face trade-offs in cybersecurity risk and leaving these roles unfilled.” 

The US government has competitive challenges when recruiting cybersecurity staff. It’s limited in terms of wage rates and can’t dangle share options to encourage entrants to stay with the organization long term. 

It may be that the DoD has put in place a cyber worker production line that will ultimately benefit the private sector as much as the US government. But that might not be a bad thing.