The Federal Cybersecurity Workforce Assessment Act is contained in the Consolidated Appropriations Act of 2016 (Public Law 114-113) and was enacted on December 18, 2015.
TITLE III—FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
SEC. 301. SHORT TITLE.
This title may be cited as the ‘‘Federal Cybersecurity Workforce Assessment Act of 2015’’.
SEC. 302. DEFINITIONS.
In this title:
(1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term ‘‘appropriate congressional committees’’ means—
(A) the Committee on Armed Services of the Senate;
(B) the Committee on Homeland Security and Governmental Affairs of the Senate;
(C) the Select Committee on Intelligence of the Senate;
(D) the Committee on Commerce, Science, and Transportation of the Senate;
(E) the Committee on Armed Services of the House of Representatives;
(F) the Committee on Homeland Security of the House of Representatives;
(G) the Committee on Oversight and Government Reform of the House of Representatives; and
(H) the Permanent Select Committee on Intelligence of the House of Representatives.
(2) DIRECTOR.—The term ‘‘Director’’ means the Director of the Office of Personnel Management.
(3) NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION.—The term ‘‘National Initiative for Cybersecurity Education’’ means the initiative under the national cybersecurity awareness and education program, as authorized under section 401 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
(4) WORK ROLES.—The term ‘‘work roles’’ means a specialized set of tasks and functions requiring specific knowledge, skills, and abilities.
SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT INITIATIVE.
(a) IN GENERAL.—The head of each Federal agency shall—
(1) identify all positions within the agency that require the performance of cybersecurity or other cyber-related functions; and
(2) assign the corresponding employment code under the National Initiative for Cybersecurity Education in accordance with subsection (b).
(b) EMPLOYMENT CODES.—
(1) PROCEDURES.—
(A) CODING STRUCTURE.—Not later than 180 days after the date of the enactment of this Act, the Director, in coordination with the National Institute of Standards and Technology, shall develop a coding structure under the National Initiative for Cybersecurity Education.
(B) IDENTIFICATION OF CIVILIAN CYBER PERSONNEL.—Not later than 9 months after the date of enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Director of the National Institute of Standards and Technology, and the Director of National Intelligence, shall establish procedures to implement the National Initiative for Cybersecurity Education coding structure to identify all Federal civilian positions that require the performance of information technology, cybersecurity, or other cyber-related functions.
(C) IDENTIFICATION OF NONCIVILIAN CYBER PERSONNEL.—Not later than 18 months after the date of enactment of this Act, the Secretary of Defense shall establish procedures to implement the National Initiative for Cybersecurity Education’s coding structure to identify all Federal noncivilian positions that require the performance of information technology, cybersecurity, or other cyber-related functions.
(D) BASELINE ASSESSMENT OF EXISTING CYBERSECURITY WORKFORCE.—Not later than 3 months after the date on which the procedures are developed under subparagraphs (B) and (C), respectively, the head of each Federal agency shall submit to the appropriate congressional committees of jurisdiction a report that identifies—
(i) the percentage of personnel with information technology, cybersecurity, or other cyber-related job functions who currently hold the appropriate industry-recognized certifications as identified under the National Initiative for Cybersecurity Education;
(ii) the level of preparedness of other civilian and noncivilian cyber personnel without existing credentials to take certification exams; and
(iii) a strategy for mitigating any gaps identified in clause (i) or (ii) with the appropriate training and certification for existing personnel.
(E) PROCEDURES FOR ASSIGNING CODES.—Not later than 3 months after the date on which the procedures are developed under subparagraphs (B) and (C), respectively, the head of each Federal agency shall establish procedures—
(i) to identify all encumbered and vacant positions with information technology, cybersecurity, or other cyber-related functions (as defined in the National Initiative for Cybersecurity Education’s coding structure); and
(ii) to assign the appropriate employment code to each such position, using agreed standards and definitions.
(2) CODE ASSIGNMENTS.—Not later than 1 year after the date after the procedures are established under paragraph (1)(E), the head of each Federal agency shall complete assignment of the appropriate employment code to each position within the agency with information technology, cybersecurity, or other cyber-related functions.
(c) PROGRESS REPORT.—Not later than 180 days after the date of enactment of this Act, the Director shall submit a progress report on the implementation of this section to the appropriate congressional committees.
SEC. 304. IDENTIFICATION OF CYBER-RELATED WORK ROLES OF CRITICAL NEED.
(a) IN GENERAL.—Beginning not later than 1 year after the date on which the employment codes are assigned to employees pursuant to section 303(b)(2), and annually thereafter through 2022, the head of each Federal agency, in consultation with the Director, the Director of the National Institute of Standards and Technology, and the Secretary of Homeland Security, shall—
(1) identify information technology, cybersecurity, or other cyber-related work roles of critical need in the agency’s workforce; and
(2) submit a report to the Director that—
(A) describes the information technology, cybersecurity, or other cyber-related roles identified under paragraph (1); and
(B) substantiates the critical need designations.
(b) GUIDANCE.—The Director shall provide Federal agencies with timely guidance for identifying information technology, cybersecurity, or other cyber-related roles of critical need, including—
(1) current information technology, cybersecurity, and other cyber-related roles with acute skill shortages; and
(2) information technology, cybersecurity, or other cyber-related roles with emerging skill shortages.
(c) CYBERSECURITY NEEDS REPORT.—Not later than 2 years after the date of the enactment of this Act, the Director, in consultation with the Secretary of Homeland Security, shall—
(1) identify critical needs for information technology, cybersecurity, or other cyber-related workforce across all Federal agencies; and
(2) submit a progress report on the implementation of this section to the appropriate congressional committees.
SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS.
The Comptroller General of the United States shall—
(1) analyze and monitor the implementation of sections 303 and 304; and
(2) not later than 3 years after the date of the enactment of this Act, submit a report to the appropriate congressional committees that describes the status of such implementation.