The Office of Personnel Management is giving agencies more options for classifying their cybersecurity workforces and vacant positions.
OPM issued guidance Oct. 15 that would help agencies identify and classify cybersecurity positions within their organizations while also authorizing the use of a new “IT Cybersecurity Specialist” job title for positions within the IT 2210 Management Series that do cybersecurity work.
The 2210 series requires that employees have IT knowledge and competencies, while also mandating that the position itself must exist for the primary purpose of IT work and fulfils the IT mission of the agency.
Employees that predominantly use technology for their jobs but do not develop, deliver or support agency IT systems are not considered part of the 2210 series.
The guidance details compensation, incentives and special needs policies for hiring cyber talent.
Other federal positions that are not part of the 2201 series but still do primarily cybersecurity work may still use “cybersecurity” as a parenthetical title so long as the employee’s cyber work is not a collateral duty.
“The cybersecurity workforce is occupationally cross-cutting, multi-faceted, and encompasses a variety of contexts, roles, and occupations. It requires a cadre of different backgrounds and experience to perform the cybersecurity work required by agencies,” the guidance said.
“Cybersecurity work performed by IT Specialists in the 2210 Series must be determined by proper application of the 2200 IT Management [job family standard]. When cybersecurity work is included in other established occupations and covered by more than one occupational series, a classification determination can be made by reviewing the duties and responsibilities assigned to the position.”
Acting Director of the Office of Personnel Management Margaret Weichert explained that the changes were some of the first in a 'portfolio' of recommendations.
OPM has placed particular emphasis on supporting and defining cyber positions and recruiting cyber talent in the federal government, as it falls under the mission objectives of the President’s Management Agenda and the May 2017 cybersecurity executive order.
“Over the years, OPM has proactively collaborated with agency partners and other stakeholders to gain a better understanding of the cybersecurity workforce governmentwide. A critical part of identifying the cybersecurity workforce was defining cybersecurity for consistency throughout the federal government,” OPM Associate Director of Employee Services Mark Reinhold wrote in a memo to human resource directors.
Agencies have also been assigned the responsibility of using the National Initiative for Cybersecurity Education’s coding structure to identify cyber positions as part of the Federal Cybersecurity Workforce Assessment Act.
In determining the grading criteria for a cybersecurity position, OPM guidance states that agencies should either use a specific occupational series that adequately covers the work being done by the cyber employee, or, if such a series does not exist, to select a series that covers a similar standard of work and the qualifications, responsibility and difficulty of the cyber position.
“OPM requires agencies to apply new or updated standards to covered positions within 12 months of the date of issuance. Agencies are encouraged to utilize the new titling guidance as soon as possible in an effort to identify, recruit, select and develop a cadre of high-performing employees performing cybersecurity work,” Reinhold wrote.