

02:50 PM

Feds Strengthen Cybersecurity Workforce Plans

As pressure mounts on government to keep its systems secure, efforts to improve federal cybersecurity, particularly hiring practices for cybersecurity pros, are pushing forward.

Federal agencies are making some progress on developing and executing strategies for building a stronger cybersecurity workforce, but much remains to be done, government officials and industry representatives said at a conference this week.

Coordinated efforts to spark improvements in the federal cybersecurity workforce, formerly part of the Comprehensive National Cybersecurity Initiative (CNCI), have been folded into the National Initiative for Cybersecurity Education (NICE), a broader national agenda announced in April that includes K-12 education and awareness campaigns as well as federal workforce efforts.

"We want to become a resource to not only get the federal government up to the best level it can be, but to be a leader for the rest of the country," NIST's NICE program lead, Dr. Ernest McDuffie, said in an interview.

In terms of government, NICE includes two tracks of work focused explicitly on improving the federal cybersecurity workforce -- one on workforce structure, and the other on training and professional development. Some of the work under these buckets had already begun when NICE began, but it's beginning to accelerate.

For example, the Office of Personnel Management embarked on a path to sharpen and redefine cybersecurity job policies last November, and that effort is picking up steam. Earlier this year, working groups began re-defining competency models -- key roles and responsibilities -- for cybersecurity pros in government. Soon, OPM will survey agencies to get feedback on draft competency models, and plans to release the final competency models in December.

However, the competency models are only the first step. OPM and auditors have long found cybersecurity pros working in a number of federal job series -- groups of formally defined jobs -- and there's still some consideration of whether the cybersecurity workforce needs its own series to help better define what cybersecurity pros do. OPM is also considering whether hiring authorities and practices need to change, Maureen Higgins, OPM's assistant director for agency support and technology assistance, said in an interview.

Work on workforce structure seems to be moving along, but training and professional development suffer from numerous challenges, such as a muddle of certifications, required skills and training that can sometimes make it difficult for hiring managers to determine who's qualified or just what additional training their employees need.

Some things under consideration in terms of workforce development include the use of a practical, hands-on exam to determine qualifications. "There's some divisiveness here, so we're trying to get to what makes sense here," John Mills, special assistant to the CNCI from the office of the assistant secretary of defense for networks and information integration, said in a presentation.
