H. Rept. 113-294 - 113th Congress (2013-2014)


House Report 113-294 - HOMELAND SECURITY CYBERSECURITY BOOTS-ON-THE-GROUND ACT

[House Report 113-294]
[From the U.S. Government Publishing Office]


113th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 1st Session                                                    113-294

======================================================================



 
        HOMELAND SECURITY CYBERSECURITY BOOTS-ON-THE-GROUND ACT

                                _______
                                

 December 12, 2013.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 3107]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3107) to require the Secretary of Homeland 
Security to establish cybersecurity occupation classifications, 
assess the cybersecurity workforce, develop a strategy to 
address identified gaps in the cybersecurity workforce, and for 
other purposes, having considered the same, report favorably 
thereon with an amendment and recommend that the bill as 
amended do pass.
    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Homeland Security Cybersecurity Boots-
on-the-Ground Act''.

SEC. 2. CYBERSECURITY OCCUPATION CLASSIFICATIONS, WORKFORCE ASSESSMENT, 
                    AND STRATEGY.

  (a) Cybersecurity Occupation Classifications.--
          (1) In general.--Not later than 90 days after the date of the 
        enactment of this Act, the Secretary of Homeland Security shall 
        develop and issue comprehensive occupation classifications for 
        individuals performing activities in furtherance of the 
        cybersecurity mission of the Department of Homeland Security.
          (2) Applicability.--The Secretary of Homeland Security shall 
        ensure that the comprehensive occupation classifications issued 
        under paragraph (1) are used throughout the Department of 
        Homeland Security and are made available to other Federal 
        agencies.
  (b) Cybersecurity Workforce Assessment.--
          (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Secretary of Homeland Security, 
        acting through the Chief Human Capital Officer and Chief 
        Information Officer of the Department of Homeland Security, 
        shall assess the readiness and capacity of the Department to 
        meet its cybersecurity mission.
          (2) Contents.--The assessment required under paragraph (1) 
        shall, at a minimum, include the following:
                  (A) Information where cybersecurity positions are 
                located within the Department of Homeland Security, 
                specified in accordance with the cybersecurity 
                occupation classifications issued under subsection (a).
                  (B) Information on which cybersecurity positions 
                are--
                          (i) performed by--
                                  (I) permanent full time departmental 
                                employees, together with demographic 
                                information about such employees' race, 
                                ethnicity, gender, disability status, 
                                and veterans status;
                                  (II) individuals employed by 
                                independent contractors; and
                                  (III) individuals employed by other 
                                Federal agencies, including the 
                                National Security Agency; and
                          (ii) vacant.
                  (C) The number of individuals hired by the Department 
                pursuant to the authority granted to the Secretary of 
                Homeland Security in 2009 to permit the Secretary to 
                fill 1,000 cybersecurity positions across the 
                Department over a three year period, and information on 
                what challenges, if any, were encountered with respect 
                to the implementation of such authority.
                  (D) Information on vacancies within the Department's 
                cybersecurity supervisory workforce, from first line 
                supervisory positions through senior departmental 
                cybersecurity positions.
                  (E) Information on the percentage of individuals 
                within each cybersecurity occupation classification who 
                received essential training to perform their jobs, and 
                in cases in which such training is not received, 
                information on what challenges, if any, were 
                encountered with respect to the provision of such 
                training.
                  (F) Information on recruiting costs incurred with 
                respect to efforts to fill cybersecurity positions 
                across the Department in a manner that allows for 
                tracking of overall recruiting and identifying areas 
                for better coordination and leveraging of resources 
                within the Department.
  (c) Workforce Strategy.--
          (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Secretary of Homeland Security 
        shall develop a comprehensive workforce strategy that enhances 
        the readiness, capacity, training, and recruitment and 
        retention of the cybersecurity workforce of the Department of 
        Homeland Security.
          (2) Contents.--The comprehensive workforce strategy developed 
        under paragraph (1) shall include--
                  (A) a multiphased recruitment plan, including 
                relating to experienced professionals, members of 
                disadvantaged or underserved communities, the 
                unemployed, and veterans;
                  (B) a 5-year implementation plan; and
                  (C) a 10-year projection of Federal workforce needs.
  (d) Information Security Training.--Not later than 270 days after the 
date of the enactment of this Act, the Secretary of Homeland Security 
shall establish and maintain a process to verify on an ongoing basis 
that individuals employed by independent contractors who serve in 
cybersecurity positions at the Department of Homeland Security receive 
initial and recurrent information security training comprised of 
general security awareness training necessary to perform their job 
functions, and role-based security training that is commensurate with 
assigned responsibilities. The Secretary shall maintain documentation 
to ensure that training provided to an individual under this subsection 
meets or exceeds requirements for such individual's job function.
  (e) Updates.--Together with the submission to Congress of annual 
budget requests, the Secretary of Homeland Security shall provide 
updates regarding the cybersecurity workforce assessment required under 
subsection (b), information on the progress of carrying out the 
comprehensive workforce strategy developed under subsection (c), and 
information on the status of the implementation of the information 
security training required under subsection (d).
  (f) GAO Study.--The Secretary of Homeland Security shall provide the 
Comptroller General of the United States with information on the 
cybersecurity workforce assessment required under subsection (a) and 
progress on carrying out the comprehensive workforce strategy developed 
under subsection (c). The Comptroller General shall submit to the 
Secretary, the Committee on Homeland Security of the House of 
Representatives, and the Committee on Homeland Security and 
Governmental Affairs of the Senate a study on such assessment and 
strategy.

SEC. 3. CYBERSECURITY FELLOWSHIP PROGRAM.

  Not later than 120 days after the date of the enactment of this Act, 
the Secretary of Homeland Security shall submit to the Committee on 
Homeland Security of the House of Representatives and the Committee on 
Homeland Security and Governmental Affairs of the Senate a report on 
the feasibility of establishing a Cybersecurity Fellowship Program to 
offer a tuition payment plan for undergraduate and doctoral candidates 
who agree to work for the Department of Homeland Security for an 
agreed-upon period of time.

SEC. 4. DEFINITION.

  In this Act, the term ``cybersecurity mission'' means activities that 
encompass the full range of threat reduction, vulnerability reduction, 
deterrence, incident response, resiliency, and recovery activities to 
foster the security and stability of cyberspace.

                                CONTENTS

      Purpose and Summary
      Background and Need for Legislation
      Hearings
      Committee Consideration
      Committee Votes
      Committee Oversight Findings
      New Budget Authority, Entitlement Authority, and Tax Expenditures
      Congressional Budget Office Estimate
      Statement of General Performance Goals and Objectives
      Duplicative Federal Programs
      Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
      Benefits
      Federal Mandates Statement
      Preemption Clarification
      Disclosure of Directed Rule Makings
      Advisory Committee Statement
      Applicability to Legislative Branch
      Section-by-Section Analysis of the Legislation

                          Purpose and Summary

    The purpose of H.R. 3107 is to require the Secretary of 
Homeland Security to establish cybersecurity occupation 
classifications, assess the cybersecurity workforce, develop a 
strategy to address identified gaps in the cybersecurity 
workforce, and for other purposes.

                  Background and Need for Legislation

    The Department of Homeland Security (DHS) is responsible 
for the prevention of, and defense against, threats to United 
States cybersecurity. Such threats come in many forms and 
include threats to individuals, corporations, and the 
Government. The events of September 11, 2001, demonstrate that 
terrorist attacks on the homeland can occur in unconventional 
ways and result in unanticipated consequences to national 
security posture and economic vitality. The U.S. is fortunate 
enough to have an extensive cybersecurity workforce, and this 
workforce is the first line of defense that keeps Americans 
safe, secure, and free from many cyber attacks. However, gaps 
in this workforce still expose vulnerabilities in our Nation's 
ability to reduce cyber threats, deter and respond to 
incidents, and recover from cyberattacks. The Committee notes 
that the Government Accountability Office reported that more 
than one in five jobs at a key cybersecurity component within 
the Department are vacant.
    The Committee also notes that the cadre of professionals 
with cyber mission-critical skills is limited and Federal 
agencies have to compete among themselves and private sector 
employers for staffing. Recognizing this challenge, the 
Homeland Security Advisory Committee (HSAC) `Task Force on 
CyberSkills' issued a series of recommendations that include 
the adoption and maintenance of an authoritative list of 
mission-critical cybersecurity tasks and the adoption of a sustainable 
model for assessing the competency and progress of the existing 
and future DHS mission-critical cybersecurity workforce.
    It is therefore necessary that DHS develop a comprehensive 
workforce assessment and strategy to address gaps in the 
Nation's cybersecurity workforce.
    The Committee believes that this strategy will enhance the 
readiness, capacity, training, and recruitment and retention of 
DHS's cybersecurity workforce. Legislation is required for DHS 
to develop such a workforce assessment and strategy, identify 
gaps in the cybersecurity workforce, provide information 
security training, and establish and encourage necessary 
coordination and collaboration across the Department. H.R. 
3107, the Homeland Security Cybersecurity Boots-on-the-Ground 
Act, is bipartisan legislation developed from valuable input 
from stakeholders across government and industry.
    This bill provides four major provisions that will help 
identify gaps in the cybersecurity workforce. First, the bill 
directs DHS to develop and issue comprehensive occupation 
classifications for persons performing activities in 
furtherance of the Department's cybersecurity missions. Second, 
the bill requires the Secretary, acting through the Chief Human 
Capital Officer and Chief Information Officer of the 
Department, to assess the readiness and capacity of the 
Department to meet its cybersecurity mission. As a part of the 
assessment, the Department has to identify where positions are 
located, whether these positions are vacant, held by full-time 
employees, or contractors. Additionally, it requires the 
Department to report on the extent to which it has exercised 
special hiring authority to fill cyber positions. Third, the 
bill requires the Secretary to develop a comprehensive 
workforce strategy that enhances the readiness, capacity, 
training, and recruitment and retention of the Department's 
cybersecurity workforce. Finally, the bill requires the 
Secretary to establish and maintain a process to verify that 
individuals employed by independent contractors who serve in 
cybersecurity positions at the Department receive initial and 
recurrent information security training.

                                Hearings

    No hearings were held on H.R. 3107. However, the Committee 
held oversight hearings on programs and threats that are 
directly relevant to H.R. 3107. Those hearings are listed 
below.

112th Congress.
    The Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies held a hearing on April 
15, 2011, entitled ``The DHS Cybersecurity Mission: Promoting 
Innovation and Securing Critical Infrastructure.'' The 
Subcommittee received testimony from Mr. Sean McGurk, Director, 
National Cybersecurity and Communications Integration Center, 
Department of Homeland Security; Mr. Gerry Cauley, President and 
CEO, North American Electric Reliability Corporation; Ms. Jane 
Carlin, Chair, Financial Services Sector Coordinating Council; 
and Mr. Edward Amoroso, Senior Vice President and Chief Security 
Officer, AT&T.
    On April 24, 2012, the Subcommittee on Cybersecurity, 
Infrastructure Protection, and Security Technologies held a 
hearing entitled ``America is Under Cyber Attack: Why Urgent 
Action is Needed.'' The Subcommittee received testimony from 
Mr. Shawn Henry, Former Executive Assistant Director, Criminal, 
Cyber, Response, and Services Branch, Federal Bureau of 
Investigation, Department of Justice; Mr. James Lewis, Director 
and Senior Fellow, Technology and Public Policy Program, Center 
for Strategic and International Studies; Mr. Gregory C. 
Wilshusen, Director, Information Security Issues, Government 
Accountability Office; Mr. Stuart McClure, Chief Technology 
Officer, McAfee; and Dr. Stephen E. Flynn, Founding Co-
Director, George J. Kostas Research Institute for Homeland 
Security, Northeastern University.

113th Congress.
    On March 13, 2013, the Committee held a hearing entitled 
``DHS Cybersecurity: Roles and Responsibilities to Protect the 
Nation's Critical Infrastructure.'' The Committee received 
testimony from Hon. Jane Holl Lute, Deputy Secretary, U.S. 
Department of Homeland Security; Mr. Anish B. Bhimani, 
Chairman, Financial Services Information Sharing and Analysis 
Center; Mr. Gary W. Hayes, Chief Information Officer, 
Centerpoint Energy; and Ms. Michelle Richardson, Legislative 
Counsel, American Civil Liberties Union.
    On May 16, 2013, the Subcommittee on Cybersecurity, 
Infrastructure Protection, and Security Technologies held a 
hearing entitled ``Facilitating Cyber Threat Information 
Sharing and Partnering with the Private Sector to Protect 
Critical Infrastructure: An Assessment of DHS Capabilities.'' 
The Subcommittee received testimony from Ms. Roberta Stempfley, 
Acting Assistant Secretary, Office of Cybersecurity and 
Communications, U.S. Department of Homeland Security; Mr. Larry 
Zelvin, Director, National Cybersecurity and Communications 
Integration Center, U.S. Department of Homeland Security; and 
Mr. Charles K. Edwards, Acting Inspector General, U.S. 
Department of Homeland Security.
    On October 30, 2013, the Subcommittee on Emergency 
Preparedness, Response, and Communications and the Subcommittee 
on Cybersecurity, Infrastructure Protection, and Security 
Technologies held a joint hearing entitled ``Cyber Incident 
Response: Bridging the Gap Between Cybersecurity and Emergency 
Management.'' The Subcommittee received testimony from Ms. 
Roberta Stempfley, Acting Assistant Secretary, Office of 
Cybersecurity and Communications, National Protection and 
Programs Directorate, U.S. Department of Homeland Security; Mr. 
Charley English, Director, Georgia Emergency Management Agency, 
testifying on behalf of the National Emergency Management 
Association; Mr. Craig Orgeron, Chief Information Officer and 
Executive Director, Department of Information Technology 
Services, State of Mississippi, testifying on behalf of the 
National Association of State Chief Information Officers; Mr. 
Mike Sena, Deputy Director, Northern California Regional 
Intelligence Center, testifying on behalf of the National 
Fusion Center Association; and Mr. Paul Molitor, Assistant Vice 
President, National Electrical Manufacturers Association.

                        Committee Consideration

    The Committee on Homeland Security met on October 29, 2013, 
to consider H.R. 3107, and ordered the measure to be reported 
to the House with a favorable recommendation by voice vote. The 
Committee took the following actions:
    The Committee agreed to H.R. 3107, as amended, by voice 
vote.
The following amendments were offered:

 An Amendment in the Nature of a Substitute to H.R. 3107 
offered by Ms. Clarke (#1); was AGREED TO, as amended, by voice 
vote.
    A unanimous consent request by Mr. McCaul to consider the 
Amendment in the Nature of a Substitute as base text for 
purposes of amendment was not objected to.

 An amendment to the Amendment in the Nature of a Substitute to 
H.R. 3107 offered by Ms. Jackson Lee (#1A); was WITHDRAWN by 
unanimous consent.
     Add at the end of paragraph (2) of section 2(b) the following: (G) 
Information on how many senior, mid- and entry level cybersecurity 
positions are filled by career Federal employees and how many are 
filled by contractors.; was WITHDRAWN by unanimous consent.

 An amendment to the Amendment in the Nature of a Substitute to 
H.R. 3107 offered by Ms. Jackson Lee (#1B); was AGREED TO by 
voice vote.
     Add at the end of section 2 a new subsection entitled ``(g) 
Cybersecurity Fellowship Program.''

 An amendment to the Amendment in the Nature of a Substitute to 
H.R. 3107 offered by Mr. Keating (#1C); was AGREED TO by voice 
vote.
     In paragraph (2) of section 2(a), strike ``may be'' and insert 
``are''.

 An amendment to the Amendment in the Nature of a Substitute to 
H.R. 3107 offered by Mr. Swalwell (#1D); was AGREED TO by voice 
vote.
     In subparagraph (A) of section 2(c)(1), insert before the 
semicolon at the end the following: ``, including relating to mid-
career employees, members of economically disadvantaged or underserved 
communities, the unemployed, and veterans''.

    The Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies met on September 18, 
2013, to consider H.R. 3107, and reported the measure to the 
Full Committee with a favorable recommendation, amended, by 
voice vote. The Subcommittee took the following actions:
    The following amendments were offered:
 An en bloc amendment offered by Mr. Meehan (#1); was AGREED TO 
by voice vote.
     Consisting of the following amendments:
     In subparagraph (A) of section 2(c), strike ``and'' at the end.
     In section 2(c), redesignate subparagraph (B) as subparagraph (C).
     In section 2(c), insert after subparagraph (A) the following:
         (B) a five-year implementation plans; and

     In section 2, add at the end a new subsection entitled ``(f) GAO 
Study.''

                            Committee Votes

    Clause 3(b) of Rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R. 3107.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of Rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
3107, the Homeland Security Cybersecurity Boots-on-the-Ground 
Act, would result in no new or increased budget authority, 
entitlement authority, or tax expenditures or revenues.

                  Congressional Budget Office Estimate

    Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the 
House of Representatives, a cost estimate provided by the 
Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974 was not made available to the 
Committee in time for the filing of this report. The Chairman 
of the Committee shall cause such estimate to be printed in the 
Congressional Record upon its receipt by the Committee.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the 
House of Representatives, H.R. 3107 contains the following 
general performance goals, and objectives, including outcome 
related goals and objectives authorized.
    The performance goals and objectives of H.R. 3107 are based 
on the development of a workforce assessment and strategy to 
improve and identify gaps in the DHS cybersecurity workforce. 
The goal of the workforce assessment required under H.R. 3107 
is to help assess the readiness and capacity of the Department 
to meet its cybersecurity mission. The performance objective of 
the assessment is to provide information on vacancies within 
the Department's cybersecurity workforce, the percentage of 
cybersecurity individuals who received essential training to 
perform their jobs, and recruiting costs incurred with respect 
to efforts to fill cybersecurity positions across the 
Department. The goal of the workforce strategy required under 
H.R. 3107 is to enhance the readiness, capacity, training, and 
recruitment and retention of the cybersecurity workforce of the 
Department. The performance objective of this strategy is to 
develop a multi-phased recruitment plan, an implementation 
plan, and projection of Federal workforce needs as well as to 
provide information security training for independent 
contractors who serve in cybersecurity positions at the 
Department. The Congressional reports from DHS and GAO required 
by this Act will allow Congress to hold the Department 
accountable for the success or failure of its workforce 
assessment and strategy implementation.

                      Duplicative Federal Programs

    The Committee finds that H.R. 3107 does not contain any 
provision that establishes or reauthorizes a program known to 
be duplicative of another Federal program.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    In compliance with Rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule 
XXI.

                       Federal Mandates Statement

    An estimate of Federal mandates prepared by the Director of 
the Congressional Budget Office pursuant to section 423 of the 
Unfunded Mandates Reform Act was not made available to the 
Committee in time for the filing of this report. The Chairman 
of the Committee shall cause such estimate to be printed in the 
Congressional Record upon its receipt by the Committee.

                        Preemption Clarification

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that H.R. 3107 does 
not preempt any State, local, or Tribal law.

                  Disclosure of Directed Rule Makings

    The Committee estimates that H.R. 3107 would require no 
directed rule makings.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1.   Short Title.
    This section provides that the bill may be cited as the 
``Homeland Security Cybersecurity Boots-on-the-Ground Act.''

Sec. 2.   Cybersecurity Occupation Classifications, Workforce 
Assessment, and Strategy.

  (a)  Cybersecurity Occupation Classifications.

    This subsection requires the Secretary to develop and issue 
comprehensive occupation classifications for persons performing 
activities in furtherance of the Department's cybersecurity 
missions. The Secretary shall ensure that the classifications 
are used throughout the Department and made available to other 
Federal agencies. These comprehensive classifications must be 
made no later than 90 days after the enactment of this Act.
    Based on extensive oversight, the Committee has found that 
there currently is no comprehensive occupation classification 
for the Department's cybersecurity workforce. The Committee 
believes that the Department needs to provide necessary 
occupation classifications to better assess and develop a 
workforce strategy. The Committee intends that workforce 
occupation classifications are at the discretion of the 
Secretary so long as these classifications are consistent 
throughout the Department and made available to other Federal 
agencies. The Committee strongly encourages DHS to develop 
workforce categorizations that are consistent with those used 
by the public sector and other Federal agencies. The Committee 
furthermore strongly encourages DHS to implement workforce 
categorizations that are aligned to market-based salaried 
positions in order to attract and retain quality cybersecurity 
professionals.

  (b)  Cybersecurity Workforce Assessment.

    This subsection requires the Secretary, acting through the 
Chief Human Capital Officer and Chief Information Officer of 
the Department, to assess the readiness and capacity of the 
Department to meet its cybersecurity mission. This assessment 
must be conducted no later than 180 days after the enactment of 
this Act. The assessment shall, at a minimum, include the 
following: Information where cybersecurity positions are 
located within the Department; information on which 
cybersecurity positions are performed by permanent full time 
departmental employees, individuals employed by independent 
contractors, and individuals employed by other Federal 
agencies; the number of individuals hired by the Department 
pursuant to the authority granted to the Secretary in 2009 to 
permit the Secretary to fill 1,000 cybersecurity positions over 
a three year period; information on vacancies within the 
Department's cybersecurity supervisory workforce; information 
on the percentage of individuals within each cybersecurity 
occupation classification who received essential training to 
perform their jobs; and information on recruiting costs 
incurred with respect to efforts to fill cybersecurity positions 
across the Department.
    The contents of the assessment prescribed are the minimum 
contents required. However, the Committee strongly encourages 
DHS to include other aspects necessary for effective assessment 
of the cybersecurity workforce. The Committee expects that each 
of the prescribed elements of the assessment be developed and 
published in sufficient detail in order to enable DHS to create 
and implement a workforce strategy described in subsection (c) 
and identify any gaps in the cybersecurity workforce.

  (c)  Workforce Strategy.

    In this subsection, the contents of the workforce strategy 
are prescribed. This subsection requires the Secretary, not 
later than 180 days after the enactment of this Act, to develop 
a comprehensive workforce strategy that enhances the readiness, 
capacity, training, and recruitment and retention of the 
Department's cybersecurity workforce. This workforce strategy 
shall include a multiphased recruitment plan, a 5-year 
implementation plan, and a 10-year projection of Federal 
workforce needs. By including a specific timeframe, the 
Committee encourages DHS to address near-term, midterm, and 
long-term aspects of the plan. The workforce strategy is to be 
developed in a manner that is not constrained by fiscal 
resources to address both short-term and long-term strategies. 
The Committee furthermore expects DHS to write the strategy in 
an organized hierarchal manner structured around specified 
objectives, goals, and measures. The Committee also recognizes 
that strategies can change due to unforeseen circumstances, and 
encourages DHS to actively update and republish the strategy 
regularly as needed.

  (d)  Information Security Training.

    This subsection sets forth the requirements for information 
security training of the cybersecurity workforce. It requires 
the Secretary to establish and maintain a process to verify 
that individuals employed by independent contractors who serve 
in cybersecurity positions at the Department receive initial 
and recurrent information security training. The Committee 
believes that it is essential for the cybersecurity workforce 
to be properly trained in all areas necessary to protect 
cybersecurity. Such training is to include both general 
security awareness and role-based security training. The Committee 
also believes that it is necessary for DHS to train all 
independent contractors so that the entire cybersecurity 
workforce, not just DHS employees, is adequately prepared to 
respond to or prevent threats and attacks. This subsection also 
requires that training include recurrent information training. 
It is the Committee's belief that recurrent training is 
necessary to ensure that the cybersecurity workforce is 
prepared to handle the continually changing nature of cyber 
threats and attacks. Lastly, this subsection requires that the 
Secretary shall maintain documentation to ensure that training 
provided to an individual meets or exceeds requirements for 
such individual's job function.

  (e)  Updates.

    This subsection requires the Secretary to provide updates 
regarding the cybersecurity workforce assessment, information 
on the progress of carrying out the comprehensive workforce 
strategy, and information on the status of the implementation 
of information security training. The Committee believes that 
updates are important to ensure development of the Department's 
cybersecurity workforce and to continually satisfy the 
workforce mission. The bill does not specify when updates must 
be given, and allows DHS flexibility in providing such 
information. However, the Committee believes that these updates 
are necessary to determine the progress and status of the 
implementation of the workforce assessment and strategy, as 
well as information security training. The Committee strongly 
encourages the Secretary to provide regular updates on a 
consistent basis.

  (f)  GAO Study.

    This subsection requires the Secretary to provide the 
Comptroller General of the United States information on the 
cybersecurity workforce assessment and progress on carrying out 
the comprehensive workforce strategy developed. This subsection 
also requires the GAO to submit to the relevant Congressional 
committees a study on such assessment and strategies. The 
Committee's intent of this subsection is to direct GAO to 
gather data and evaluate DHS's workforce assessment and 
strategies. The Committee believes that the Department does not 
adequately meet its cybersecurity workforce needs and this 
independent assessment will inform the relevant Congressional 
committees of the Department's progress on addressing this 
issue. The GAO report will provide important inputs for 
continuing Congressional oversight and provide additional 
transparency for the American public.

Sec. 3.   Definition.
    In this section, the term ``cybersecurity mission'' is 
defined as activities that encompass the full range of threat 
reduction, vulnerability reduction, deterrence, incident 
response, resiliency, and recovery activities to foster the 
security and stability of cyberspace. The Committee believes 
that determining the cybersecurity mission of the Department is 
essential to protecting critical infrastructure and developing 
a workforce that is able to prevent and respond to cyber 
threats and attacks. The purpose of defining cybersecurity 
mission in this bill is to codify into statute the full range 
of activities necessary for the Department to fulfill when 
developing and assessing its cybersecurity workforce.
    Since this bill only addresses the workforce assessment and 
strategy of cybersecurity, it is the Committee's intent that 
the basic definition described in this section suffice for such 
purposes. However, the Committee recognizes that cybersecurity 
missions have a significantly broader role in cybersecurity 
protection and threat reduction and that the definition herein 
may not suffice for these broader purposes. Therefore, the 
Committee strongly encourages the Secretary to develop a set of 
effective and efficient Departmental processes for 
cybersecurity missions that define, designate, and support the 
broader cybersecurity and critical infrastructure protection 
mission.

Sec. 4.   Cybersecurity Fellowship Program.
    This section requires the Secretary to submit to the 
appropriate Congressional Committees a report on the 
feasibility of establishing a Cybersecurity Fellowship Program 
to offer a tuition payment plan for undergraduate and doctoral 
candidates who agree to work for the Department for an agreed-
upon period of time. The Committee believes that, if feasible, 
a Cybersecurity Fellowship Program would help fill gaps in the 
cybersecurity workforce and provide recent graduates with 
career opportunities.