[Senate Report 113-207]
[From the U.S. Government Publishing Office]
Calendar No. 463
113th Congress } { Report
SENATE
2d Session } { 113-207
_______________________________________________________________________
DHS CYBERSECURITY WORKFORCE
RECRUITMENT AND RETENTION ACT OF 2014
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2354
TO IMPROVE CYBERSECURITY RECRUITMENT AND RETENTION
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
July 14, 2014.--Ordered to be printed
______
U.S. GOVERNMENT PRINTING OFFICE
39-010 WASHINGTON : 2014
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
THOMAS R. CARPER, Delaware Chairman
CARL LEVIN, Michigan TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Gabrielle A. Batkin, Staff Director
John P. Kilvington, Deputy Staff Director
Mary Beth Schultz, Chief Counsel
Stephen R. Vina, Chief Counsel for Homeland Security
Matthew R. Grote, Senior Professional Staff Member
Keith B. Ashdown, Minority Staff Director
Christopher J. Barkley, Minority Deputy Staff Director
Andrew C. Dockham, Minority Chief Counsel
Daniel P. Lips, Minority Director of Homeland Security
Laura W. Kilbride, Chief Clerk
Calendar No. 463
113th Congress } { Report
SENATE
2d Session } { 113-207
======================================================================
DHS CYBERSECURITY WORKFORCE RECRUITMENT AND RETENTION ACT OF 2014
_______
July 14, 2014.--Ordered to be printed
_______
Mr. Carper, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 2354]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 2354) to improve
cybersecurity recruitment and retention, having considered the
same, reports favorably thereon with an amendment and
recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................1
III. Legislative History..............................................3
IV. Section-by-Section Analysis......................................3
V. Evaluation of Regulatory Impact..................................4
VI. Congressional Budget Office Cost Estimate........................5
VII. Changes in Existing Law Made by the Bill, as Reported............6
I. Purpose and Summary
S. 2354, the DHS Cybersecurity Workforce Recruitment and
Retention Act, seeks to strengthen the Department of Homeland
Security's (DHS's) cybersecurity workforce. It would enable DHS
to better compete for cybersecurity talent by giving the
Secretary of Homeland Security greater discretion than
currently possessed when hiring and setting the pay and
benefits of DHS cybersecurity employees.
II. Background and Need for Legislation
Hiring and retaining top cybersecurity talent presents
great challenges to the Federal Government. There simply aren't
enough specially trained experts to fill all of the vacant
positions in government--a problem that is compounded by the
fact that the private sector is also seeking critically needed
cybersecurity professionals and can often pay more than the
government for that talent.\1\
---------------------------------------------------------------------------
\1\See report from the Government Accountability Office,
``Cybersecurity Human Capital: Initiatives Need Better Planning and
Coordination'' at pages 21-22. (November 29, 2011) http://www.http://
gao.gov/products/GAO-12-8 (last viewed June 16, 2014).
---------------------------------------------------------------------------
These personnel challenges occur against the backdrop of an
ever increasing and urgent need for cybersecurity experts.
Every day, sophisticated criminals and nation states are
probing the networks of our government agencies, universities,
major retailers, and critical infrastructure, looking for weak
spots in our defenses. They seek to exploit these weaknesses to
cause disruptions, steal our personal information and trade
secrets, or even worse, cause us physical harm. To combat these
threats, the Department of Homeland Security has an important
cybersecurity mission, including protecting federal networks,
working to improve the security and resiliency of critical
infrastructure, whether in public or private hands, and
investigating and prosecuting cyber criminals.
The Department of Defense is authorized to use a variety of
flexible hiring tools to bring on intelligence personnel,
including cyber experts, more quickly, as well as provide more
competitive compensation, benefits, and incentives.\2\ This
makes federal service in the area of cybersecurity more
attractive. Specifically, the Secretary of Defense may create
new positions for cyber personnel, and may hire employees to
fill those jobs without using the traditional competitive
hiring procedures. In addition, the Secretary has significant
latitude in setting the pay and benefits for these new
positions, adding on regional and other adjustments to pay, and
offering further specific financial incentives. Essentially,
these authorities allow the Defense Department and its
component agency, the National Security Agency, to hire faster,
pay more, and offer retention bonuses. These authorities have
enabled the Department of Defense and the National Security
Agency to build and maintain a strong cybersecurity workforce.
---------------------------------------------------------------------------
\2\Codified at 10 U.S.C. Sec. Sec. 1601-1603.
---------------------------------------------------------------------------
Recognizing the challenges of hiring and retaining a top-
tier cyber workforce, then-Secretary of Homeland Security
Napolitano in 2009 asked the Homeland Security Advisory
Council, comprised of leaders from state and local government,
first responder communities, the private sector, and academia,
to study the issue. The group observed in its 2012 report,
Cyberskills Task Force Report, that ``the numbers of
professionals with these mission-critical skills are so limited
that government contractors and federal agencies compete with
one another and the private sector to hire them.''\3\
---------------------------------------------------------------------------
\3\See report from the Homeland Security Advisory Council,
``CyberSkills Task Force Report,'' page 2 (November 2012) http://
www.dhs.gov/sites/default/files/publications/HSAC%20Cyber
Skills%20Report%20-%20Final.pdf (last viewed June 16, 2014).
---------------------------------------------------------------------------
The Council made a number of recommendations to DHS
regarding management and policies for cybersecurity personnel,
which the Department is well underway to implementing. The
Council also made a recommendation to Congress: ``Congress
should grant the Department [of Homeland Security] human
capital flexibilities in making salary, hiring, promotion and
separation decisions identical to those used by the National
Security Agency for hiring and managing its cybersecurity
workforce and other technical experts.''\4\
---------------------------------------------------------------------------
\4\Id. at page 14.
---------------------------------------------------------------------------
This bill seeks to do just that: it gives the Secretary of
Homeland Security similar recruitment and retention authorities
for cybersecurity professionals as currently possessed by the
Secretary of Defense. With these tools, DHS will be able to
hire at speed and salaries comparable to the Department of
Defense. These authorities are needed by DHS to address the
ever-growing cyber threat to our national and economic
security. The bill would also require the Secretary to report
annually on the progress of the program and to ensure adequate
transparency and oversight of the recruitment and retention
program.
III. Legislative History
Chairman Carper introduced S. 2354 on May 20, 2014. The
bill was referred to the Committee on Homeland Security and
Governmental Affairs. The Committee considered S. 2354 at a
business meeting on May 21, 2014.
Senator Portman offered one amendment, requiring DHS to
categorize its cybersecurity workforce and identify its
critical cybersecurity needs and surpluses, and requiring the
Government Accountability Office to report on DHS' progress
toward implementing these measures. The amendment was adopted,
as modified for technical edits, by voice vote on May 21, 2014.
The Committee ordered the bill, as amended, reported
favorably by voice vote on May 21, 2014. Senators present for
both the vote on the amendment and the vote on the bill were
Senators Carper, Pryor, Landrieu, McCaskill, Tester, Begich,
Coburn, Johnson, Portman, and Enzi. Senator Landrieu asked to
be recorded as voting present on the bill.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section provides the bill's short title, the ``DHS
Cybersecurity Workforce Recruitment and Retention Act of
2014.''
Section 2. Cybersecurity recruitment and retention
This section adds a new section to the Homeland Security
Act regarding cybersecurity recruitment and retention.
Subsection (a) of the new section of the Homeland Security
Act would provide several definitions including for the
following terms: ``appropriate committees of Congress'';
``collective bargaining agreement'', ``excepted service'',
``preference eligible'', ``qualified position'', and ``senior
executive service''.
Subsection (b) of the new section of the Homeland Security
Act would grant the Secretary of Homeland Security the
authority to establish positions in the excepted service as the
Secretary determines necessary to carry out the
responsibilities of the Department relating to cybersecurity,
to appoint individuals to these positions, and fix rates of pay
of individuals appointed to these positions. The subsection
provides that the Secretary shall fix the rates for pay for
positions established under this section in relation to the
rates of pay provided for comparable positions in the
Department of Defense. Under the subsection the Secretary could
also grant additional compensation, incentives, and allowances
consistent with comparable positions authorized by Title 5,
United States Code.\5\ The subsection provides that within 120
days of enactment of this section, the Secretary shall submit a
report to appropriate committees of Congress outlining a plan
for the use of the authorities provided under this section.
---------------------------------------------------------------------------
\5\See, generally, 5 U.S.C. part III.
---------------------------------------------------------------------------
Subsection (c) of the new section of the Homeland Security
Act would require the Secretary to submit an annual report in
each of the next four years: (1) regarding the process used for
selecting individuals for positions established under the
section; (2) describing how the Secretary plans to fulfill the
critical need of the Department to recruit and retain employees
in qualified positions; (3) providing various metrics on the
employees hired in these positions; and (4) describing training
provided to supervisors of employees hired in these positions.
Subsection (d) of the new section of the Homeland Security
Act would establish a three-year probationary period for all
employees hired under this section.
Subsection (e) of the new section of the Homeland Security
Act would grant to an individual serving in a position on the
date of enactment of this section that is chosen to be
converted to a position in the excepted service under this
section the right to refuse such conversion.
Section 3. Homeland security cybersecurity workforce assessment
Subsection (a) provides a title for this section, the
``Homeland Security Cybersecurity Workforce Assessment Act.''
Subsection (b) provides definitions including for the
following terms: ``appropriate Congressional committees'',
``cybersecurity workforce category'', ``data element code'',
``specialty area'', ``Department'', ``Director'', and
``Secretary''.
Subsection (c) requires the Secretary to identify and
categorize all cybersecurity positions (both open and filled)
across the Department, and report to Congress not one year
later.
Subsection (d) requires the Secretary to identify areas of
critical need for cybersecurity personnel based on the work
under subsection (c). The subsection requires the Director of
the Office of Personnel Management to provide the Secretary
with timely guidance for identifying cybersecurity positions
with current and upcoming shortages. The subsection requires
the Secretary, in consultation with the Director, to identify
specialty areas of critical need for cybersecurity workforce
across the Department and submit a progress report.
Subsection (e) requires the Comptroller General of the
United States to monitor the implementation of this section and
report to Congress not more than three years after enactment of
the legislation.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
July 3, 2014.
Hon. Tom Carper,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2354, the DHS
Cybersecurity Workforce Recruitment and Retention Act of 2014.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Jason
Wheelock.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
S. 2354--DHS Cybersecurity Workforce Recruitment and Retention Act of
2014
Summary: S. 2354 would provide the Department of Homeland
Security (DHS) with enhanced authorities to hire and compensate
DHS employees who perform roles that are necessary for the
department to complete its cybersecurity mission. The bill also
would require DHS to identify critical cybersecurity positions
within the department that are vacant, and to report annually
over the next five years on its efforts to fill those
positions. Assuming appropriation of the necessary amounts, CBO
estimates that implementing the bill would cost $104 million
over the 2015-2019 period.
Pay-as-you-go procedures do not apply to this legislation
because it would not affect direct spending or revenues.
S. 2354 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act (UMRA)
and would not affect the budgets of state, local, or tribal
governments.
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 2354 is shown in the following table.
The costs of this legislation fall within budget function 050
(national defense).
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars--
-----------------------------------------------------
2015-
2015 2016 2017 2018 2019 2019
----------------------------------------------------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level............................. 0 24 25 26 30 106
Estimated Outlays......................................... 0 23 25 26 30 104
----------------------------------------------------------------------------------------------------------------
Note: Numbers may not sum to totals because of rounding.
Basis of estimate: For this estimate, CBO assumes that the
bill will be enacted near the beginning of fiscal year 2015 and
that spending will follow historical patterns for similar
activities.
DHS Cybersecurity Personnel Authorities
Section 2 would provide DHS with enhanced authority to hire
and compensate DHS employees who perform cybersecurity
functions for the department. Under such authority DHS could
convert eligible positions into the excepted service and would
have expanded flexibility to determine pay and bonuses for
employees in those positions. (Excepted service authorities
allow for expedited hiring of individuals into federal service
by allowing agencies to fill positions without following the
procedures, rules, and classifications required for hiring
employees into the competitive service.)
The Transportation Security Administration (TSA) has hiring
and pay authorities similar to those that would be provided by
S. 2354. CBO analyzed data provided by the Office of Personnel
Management for TSA employees in the field of information
technology management and found that, after accounting for
years of service and education, employees in that category
earned about 15 percent more at TSA than elsewhere at DHS. On
that basis, CBO anticipates that pay for positions established
in the excepted service under this proposal would increase by
about 15 percent above current levels.
According to DHS, approximately 1,500 employees, mostly in
the general schedule grades GS-13, GS-14, and GS-15, would move
into a new pay plan for cybersecurity specialists under this
provision. However, CBO estimates that 100 of those individuals
are in TSA, and would not see a pay increase. For the remaining
1,400 employees, based on the difference in pay and the number
and grades of the affected employees, CBO estimates that
implementing this provision would cost $104 million over the
2016-2019 period, assuming appropriation of the necessary
amounts.
Homeland Security Cybersecurity Workforce Assessment
S. 2354 also would require DHS to identify critical
cybersecurity positions within the department that are
currently unfilled, and to report annually over the next five
years on its efforts to fill such positions. In conducting the
analysis and preparing those reports, CBO expects that DHS
would be able to draw on its current efforts and utilize
several previous reports--such as the National Cybersecurity
Workforce Framework, the Information Technology Workforce
Assessment for Cybersecurity, and DHS's Coordinated Recruiting
and Outreach Strategy; therefore, we estimate that implementing
the new requirements would not have a significant cost.
Pay-As-You-Go Considerations: None.
Intergovernmental and private-sector impact: S. 2354
contains no intergovernmental or private-sector mandates as
defined in UMRA.
Estimate prepared by: Federal costs: Jason Wheelock; Impact
on state, local, and tribal governments: Melissa Merrell;
Impact on the private sector: Elizabeth Bass.
Estimate approved by: Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
S. 2354 as reported are shown as follows (existing law proposed
to be omitted is enclosed in brackets, new matter is printed in
italic, and existing law in which no change is proposed is
shown in roman):
HOMELAND SECURITY ACT OF 2002
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) * * *
(b) Table of Contents.--The table of contents for this Act
is as follows:
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle C--Information Security
Sec. 221. Procedures for information sharing.
* * * * * * *
Sec. 226. Cybersecurity recruitment and retention
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle C--Information Security
* * * * * * *
SEC. 226. CYBERSECURITY RECRUITMENT AND RETENTION.
(a) Definitions.--In this section:
(1) Appropriate committees of congress.--The term
``appropriate committees of Congress'' means the
Committee on Homeland Security and Governmental Affairs
and the Committee on Appropriations of the Senate and
the Committee on Homeland Security and the Committee on
Appropriations of the House of Representatives.
(2) Collective bargaining agreement.--The term
``collective bargaining agreement'' has the meaning
given that term in section 7103(a)(8) of title 5,
United States Code.
(3) Excepted service.--The term ``excepted service''
has the meaning given that term in section 2103 of
title 5, United States Code.
(4) Preference eligible.--The term ``preference
eligible'' has the meaning given that term in section
2108 of title 5, United States Code.
(5) Qualified position.--The term ``qualified
position'' means a position, designated by the
Secretary for the purpose of this section, in which the
incumbent performs, manages, or supervises functions
that execute the responsibilities of the Department
relating to cybersecurity.
(6) Senior executive service.--The term ``Senior
Executive Service'' has the meaning given that term in
section 2101a of title 5, United States Code.
(b) General Authority.--
(1) Establish positions, appoint personnel, and fix
rates of pay.--
(A) General authority.--The Secretary may--
(i) establish, as positions in the
excepted service, such qualified
positions in the Department as the
Secretary determines necessary to carry
out the responsibilities of the
Department relating to cybersecurity,
including positions formerly identified
as--
(I) senior level positions
designated under section 5376
of title 5, United States Code;
and
(II) positions in the Senior
Executive Service;
(ii) appoint an individual to a
qualified position (after taking into
consideration the availability of
preference eligibles for appointment to
the position); and
(iii) subject to the requirements of
paragraphs (2) and (3), fix the
compensation of an individual for
service in a qualified position.
(B) Construction with other laws.--The
authority of the Secretary under this
subsection applies without regard to the
provisions of any other law relating to the
appointment, number, classification, or
compensation of employees.
(2) Basic pay.--
(A) Authority to fix rates of basic pay.--In
accordance with this section, the Secretary
shall fix the rates of basic pay for any
qualified position established under paragraph
(1) in relation to the rates of pay provided
for employees in comparable positions in the
Department of Defense and subject to the same
limitations on maximum rates of pay established
for such employees by law or regulation.
(B) Prevailing rate systems.--The Secretary
may, consistent with section 5341 of title 5,
United States Code, adopt such provisions of
that title as provide for prevailing rate
systems of basic pay and may apply those
provisions to qualified positions for employees
in or under which the Department may employ
individuals described by section 5342(a)(2)(A)
of that title.
(3) Additional compensation, incentives, and
allowances.--
(A) Additional compensation based on title 5
authorities.--The Secretary may provide
employees in qualified positions compensation
(in addition to basic pay), including benefits,
incentives, and allowances, consistent with,
and not in excess of the level authorized for,
comparable positions authorized by title 5,
United States Code.
(B) Allowances in nonforeign areas.--An
employee in a qualified position whose rate of
basic pay is fixed under paragraph (2)(A) shall
be eligible for an allowance under section 5941
of title 5, United States Code, on the same
basis and to the same extent as if the employee
was an employee covered by such section 5941,
including eligibility conditions, allowance
rates, and all other terms and conditions in
law or regulation.
(4) Plan for execution of authorities.--Not later
than 120 days after the date of enactment of this
section, the Secretary shall submit a report to the
appropriate committees of Congress with a plan for the
use of the authorities provided under this subsection.
(5) Collective bargaining agreements.--Nothing in
paragraph (1) may be construed to impair the continued
effectiveness of a collective bargaining agreement with
respect to an office, component, subcomponent, or
equivalent of the Department that is a successor to an
office, component, subcomponent, or equivalent of the
Department covered by the agreement before the
succession.
(6) Required regulations.--The Secretary, in
coordination with the Director of the Office of
Personnel Management, shall prescribe regulations for
the administration of this section.
(c) Annual Report.--Not later than 1 year after the date of
enactment of this section, and every year thereafter for 4
years, the Secretary shall submit to the appropriate committees
of Congress a detailed report that--
(1) discusses the process used by the Secretary in
accepting applications, assessing candidates, ensuring
adherence to veterans' preference, and selecting
applicants for vacancies to be filled by an individual
for a qualified position;
(2) describes--
(A) how the Secretary plans to fulfill the
critical need of the Department to recruit and
retain employees in qualified positions;
(B) the measures that will be used to measure
progress; and
(C) any actions taken during the reporting
period to fulfill such critical need;
(3) discusses how the planning and actions taken
under paragraph (2) are integrated into the strategic
workforce planning of the Department;
(4) provides metrics on actions occurring during the
reporting period, including--
(A) the number of employees in qualified
positions hired by occupation and grade and
level or pay band;
(B) the placement of employees in qualified
positions by directorate and office within the
Department;
(C) the total number of veterans hired;
(D) the number of separations of employees in
qualified positions by occupation and grade and
level or pay band;
(E) the number of retirements of employees in
qualified positions by occupation and grade and
level or pay band; and
(F) the number and amounts of recruitment,
relocation, and retention incentives paid to
employees in qualified positions by occupation
and grade and level or pay band; and
(5) describes the training provided to supervisors of
employees in qualified positions at the Department on
the use of the new authorities.
(d) Three-Year Probationary Period.--The probationary
period for all employees hired under the authority established
in this section shall be 3 years.
(e) Incumbents of Existing Competitive Service Positions.--
(1) In general.--An individual serving in a position
on the date of enactment of this section that is
selected to be converted to a position in the excepted
service under this section shall have the right to
refuse such conversion.
(2) Subsequent conversion.--After the date on which
an individual who refuses a conversion under paragraph
(1) stops serving in the position selected to be
converted, the position may be converted to a position
in the excepted service.
* * * * * * *
TITLE 5, UNITED STATES CODE
* * * * * * *
PART III--EMPLOYEES
* * * * * * *
Subpart B--Employment and Retention
* * * * * * *
CHAPTER 31--AUTHORITY FOR EMPLOYMENT
* * * * * * *
Subchapter II--The Senior Executive Service
* * * * * * *
Sec. 3132. Definitions and exclusions
(a) For the Purpose of This Subchapter.--
(1) * * *
* * * * * * *
(2) ``Senior Executive Service position'' means any
position in an agency which is classified above GS-15
pursuant to section 5108 or in level IV or V of the
Executive Schedule, or an equivalent position, which is
not required to be filled by an appointment by the
President by and with the advice and consent of the
Senate, and in which an employee--
(A) * * *
* * * * * * *
but does not include--
(i) any position in the Foreign
Service of the United States; [or]
(ii) an administrative law judge
position under section 3105 of this
title; or
(iii) any position established as a
qualified position in the excepted
service by the Secretary of Homeland
Security under section 226 of the
Homeland Security Act of 2002;
* * * * * * *
[all]
�