Agencies will soon be able to provide greater specificity on the critical cybersecurity roles performed by members of their IT workforces, as this month they began to implement a new coding structure to identify those positions.

Nearly two years after the passage of the Federal Cybersecurity Workforce Assessment Act, which requires federal agencies to assign the National Initiative for Cybersecurity Education’s coding structure to its cybersecurity and information technology positions, agencies have begun the process of reviewing and coding relevant positions, with the ultimate goal of determining the critical need agencies have for cybersecurity expertise.

“The next steps, as mandated by the act, are for agencies to complete the coding of their workforce by April 2018,” the Office of Personnel Management’s associate director for employee services, Mark Reinhold, wrote in a recent memo to human resources directors. “After the completion of the position coding, agencies are required to identify information technology, cybersecurity and other cyber-related work roles of critical need among their civilian workforce. Once the work roles of critical need are identified, agencies must submit a report to OPM indicating the roles and substantiating the designation of critical need. This will be due in April 2019 and annually thereafter.”

According to an October National Institute of Standards and Technology document on the NICE coding structure, the government began using cybersecurity personnel codes in 2013, which were two-digits and mapped to the seven “Categories” and 33 “Specialty Areas” described in the first version of the NICE framework.

(October 2017 NIST Document on NICE Framework)
(October 2017 NIST Document on NICE Framework)

However, using this original process, agencies could only assign one code to each role, even if one position performed duties in multiple specialty areas.

The new code formatting is three digits long and maps to the 52 “Work Role” areas of the NICE coding structure. In addition to the greater specificity, this new formatting allows agencies to assign up to three codes to a position.

Once all cyber-related positions are coded, agencies should be better equipped to determine what positions are critically needed to fill gaps in their workforce and to develop plans to address those needs.

In May 2017, Rep. Will Hurd, R-Texas, said that one of the major problems with filling the cybersecurity skills gap in the federal workforce is the lack of standardization in job listings. More precise coding of current cyber positions to a single framework could begin the process of clarifying skills requirements on agency job listings.