(a) Workforce assessment
(1) In general
Not later than 180 days after December 18, 2014, and annually thereafter for 3 years, the Secretary shall assess the cybersecurity workforce of the Department.
(2) Contents
The assessment required under paragraph (1) shall include, at a minimum—
(A) an assessment of the readiness and capacity of the workforce of the Department to meet its cybersecurity mission;
(B) information on where cybersecurity workforce positions are located within the Department;
(C) information on which cybersecurity workforce positions are—
(i) performed by—
(I) permanent full-time equivalent employees of the Department, including, to the greatest extent practicable, demographic information about such employees;
(II) independent contractors; and
(III) individuals employed by other Federal agencies, including the National Security Agency; or
(ii) vacant; and
(D) information on—
(i) the percentage of individuals within each Cybersecurity Category and Specialty Area who received essential training to perform their jobs; and
(ii) in cases in which such essential training was not received, what challenges, if any, were encountered with respect to the provision of such essential training.
(b) Workforce strategy
(1) In general
The Secretary shall—
(A) not later than 1 year after December 18, 2014, develop a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of the Department; and
(B) maintain and, as necessary, update the comprehensive workforce strategy developed under subparagraph (A).
(2) Contents
The comprehensive workforce strategy developed under paragraph (1) shall include a description of—
(A) a multi-phased recruitment plan, including with respect to experienced professionals, members of disadvantaged or underserved communities, the unemployed, and veterans;
(B) a 5-year implementation plan;
(C) a 10-year projection of the cybersecurity workforce needs of the Department;
(D) any obstacle impeding the hiring and development of a cybersecurity workforce in the Department; and
(E) any gap in the existing cybersecurity workforce of the Department and a plan to fill any such gap.
(c) Updates
The Secretary submit [1] to the appropriate congressional committees annual updates on—
(1) the cybersecurity workforce assessment required under subsection (a); and
(2) the progress of the Secretary in carrying out the comprehensive workforce strategy required to be developed under subsection (b).
Editorial Notes
Codification
Section was enacted as part of the Cybersecurity Workforce Assessment Act, and not as part of the Homeland Security Act of 2002 which comprises this chapter.
Statutory Notes and Related Subsidiaries
Homeland Security Cybersecurity Workforce Assessment
Pub. L. 113–277, §4, Dec. 18, 2014, 128 Stat. 3008, provided that:
"(a)
"(b)
"(1)
"(A) the Committee on Homeland Security and Governmental Affairs of the Senate;
"(B) the Committee on Homeland Security of the House of Representatives; and
"(C) the Committee on House Administration of the House of Representatives.
"(2)
"(3)
"(4)
"(5)
"(c)
"(1)
"(A) identify all cybersecurity workforce positions within the Department;
"(B) determine the primary Cybersecurity Work Category and Specialty Area of such positions; and
"(C) assign the corresponding Data Element Code, as set forth in the Office of Personnel Management's Guide to Data Standards which is aligned with the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework report, in accordance with paragraph (2).
"(2)
"(A)
"(i) to identify open positions that include cybersecurity functions (as defined in the OPM Guide to Data Standards); and
"(ii) to assign the appropriate employment code to each such position, using agreed standards and definitions.
"(B)
"(i) each employee within the Department who carries out cybersecurity functions; and
"(ii) each open position within the Department that have been identified as having cybersecurity functions.
"(3)
"(d)
"(1)
"(A) identify Cybersecurity Work Categories and Specialty Areas of critical need in the Department's cybersecurity workforce; and
"(B) submit a report to the Director that—
"(i) describes the Cybersecurity Work Categories and Specialty Areas identified under subparagraph (A); and
"(ii) substantiates the critical need designations.
"(2)
"(A) current Cybersecurity Work Categories and Specialty Areas with acute skill shortages; and
"(B) Cybersecurity Work Categories and Specialty Areas with emerging skill shortages.
"(3)
"(A) identify Specialty Areas of critical need for cybersecurity workforce across the Department; and
"(B) submit a progress report on the implementation of this subsection to the appropriate congressional committees.
"(e)
"(1) analyze and monitor the implementation of subsections (c) and (d); and
"(2) not later than 3 years after the date of the enactment of this Act, submit a report to the appropriate congressional committees that describes the status of such implementation."
Definitions
Pub. L. 113–246, §2, Dec. 18, 2014, 128 Stat. 2880, provided that: "In this Act [enacting this section and provisions set out as a note under section 101 of this title]—
"(1) the term 'Cybersecurity Category' means a position's or incumbent's primary work function involving cybersecurity, which is further defined by Specialty Area;
"(2) the term 'Department' means the Department of Homeland Security;
"(3) the term 'Secretary' means the Secretary of Homeland Security; and
"(4) the term 'Specialty Area' means any of the common types of cybersecurity work as recognized by the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework report."
[1] So in original.