OCR of the Document

View the Document >>

Chief Human Capital Officers Council, “Guidance for Identifying, Addressing, and Reporting Cybersecurity Work Roles of Critical Need,” April 2, 2018. Unclassified.

Guidance for Identifying Addressing and Reporting Cybersecurity Work Roles of Critical Need Introduction The Federal Cybersecurity Workforce Assessment Act of December 2015 Act requires the Federal Government to identify and code positions with information technology cybersecurity and other cyber-related functions The codes represent Work Roles described in the National Initiative for Cybersecurity Education NICE Cybersecurity Workforce Framework After positions are identified and coded the Act then requires Federal agencies to identify and report information technology cybersecurity and other cyber-related Work Roles of Critical Need The following guidance provides agencies with instructions for meeting this requirement Overview WHAT IS REQUIRED 1 WHEN 2 The U S Office of Personnel Management OPM will provide guidance for agencies to identify information technology cybersecurity and other cyber-related roles of critical need including current roles with acute skill shortages and roles with emerging skill shortages April 2018 3 Each agency will April 2019-2022 annually 1 identify information technology cybersecurity and other cyberrelated work roles of critical need in the workforce and 2 submit a report to OPM describing the roles identified and substantiating the critical need designation 1 2 3 The listed requirements and timelines are specified in Section 304 of the Act The Act instructs OPM to provide this guidance in a timely manner but does not establish a due date OPM set a target date of April 2018 to issue the guidance HOW  OPM consulted with stakeholders in establishing Governmentwide guidance for agencies to use in determining and reporting their Work Roles of Critical Need  Using the guidance Human Resources and Chief Information Office staff will work together to identify an agency’s specific Work Roles of Critical Need and then take action to mitigate skill shortages in those Work Roles of Critical Need It is anticipated Work Roles of Critical Need will vary based upon agencies’ missions and priorities  Agencies will annually report to OPM beginning 2019 through 2022 on their Work Roles of Critical Need and progress in mitigating skill shortages in accordance with the instructions provided below and additional reporting guidance posted on the Federal Cybersecurity Workforce Assessment Act FCWAA MAX website OPM will collect agencies’ Work Roles of Critical Needs and identify common needs to address from the Governmentwide perspective Instructions4 STEPS 1-3 COMPLETE AND REPORT BY APRIL 2019 STEP 1 Identify Work Roles of Critical Need  An agency determines their Work Roles of Critical Need o “Work Roles” are those described by OPM’s new 3-digit cybersecurity codes which were derived from National Institute of Standards and Technology NIST Special Publication 800-181 NICE Cybersecurity Workforce Framework o “Work Roles of Critical Need” are Work Roles deemed by the agency as having 4 Departments with components have discretion in applying the reporting aspects of the Instructions They may report consolidated information from among their components into one department-wide report or they may report individual component information All reporting to OPM will be done through the department level Additional guidance will be posted on the FCWAA MAX website Reporting deadlines in the Instructions apply to the civilian workforce and not the non-civilian workforce 2  Greatest skill shortages in terms of 1 staffing levels and or proficiency competency levels and 2 current and emerging shortages AND  Mission criticality or importance i e critical to meeting the agency’s most significant organizational missions priorities challenges etc o An agency may follow their workforce planning process to determine the Work Roles of Critical Need  An agency reports to OPM their list 5 of Work Roles of Critical Need including information to substantiate the designation by April 2019 Additional guidance for developing this report including a reporting template will be posted on the FCWAA MAX website STEP 2 Determine Root Causes of Shortages in Work Roles of Critical Need  An agency determines the root causes of the skill shortages in their identified Work Roles of Critical Need Root causes may involve a range of issues such as but not limited to o o o o o o o Talent pipeline Recruitment and outreach Hiring Retention Development and training Performance management or Resources and budget STEP 3 Develop Action Plan with Metrics and Targets to Address and Mitigate Root Causes and Shortages in Work Roles of Critical Need  An agency o Develops an action plan to address and mitigate the root causes identified in their Work Roles of Critical Need and 5 Although the Act calls for agencies to describe in their report the Work Roles of Critical Need they identify descriptions of Work Roles are already contained in the NICE Cybersecurity Workforce Framework and OPM cybersecurity coding documents Therefore OPM only needs a list of the Work Roles of Critical Need from agencies and not descriptions of the Work Roles of Critical Need 3 o Establishes metrics and targets for gauging success in mitigating the root causes and shortages in Work Roles of Critical Need and or improving or strengthening the Work Roles of Critical Need  An agency submits to OPM their action plan with metrics and targets based upon the root causes identified by April 2019  Additional reporting guidance will be posted on the FCWAA MAX website STEP 4 AS APPROPRIATE APRIL 2020 AND ONGOING STEP 4 Update Work Roles of Critical Need Root Cause Analysis Action Plan Metrics and Targets As Appropriate April 2020 and Ongoing  An agency periodically reevaluates their Work Roles of Critical Need to ensure they are up to date Any newly-identified Work Roles of Critical Need will necessitate a root cause analysis and potentially revisions to the agency’s action plan metrics and targets  An agency may need to make revisions to their action plan metrics and targets to keep them appropriately focused  An agency immediately reports to OPM any changes to their list of Work Roles of Critical Need action plan metrics or targets STEP 5 REPORT ON PROGRESS ANNUALLY APRIL 2020-2022 STEP 5 Mitigate Shortages in Work Roles of Critical Need  An agency monitors documents and ensures progress against their action plan metrics and targets  “Progress” is viewed as success in mitigating shortages in Work Roles of Critical Need and or improving or strengthening Work Roles of Critical Need  An agency reports to OPM progress against their action plan metrics and targets annually beginning April 2020 through 2022  Additional reporting guidance will be posted on the FCWAA MAX website 4 FUTURE NEXT STEP Date TBD FUTURE NEXT STEP Gain Agency and Governmentwide Views of Work Roles of Critical Need Vacancies  An agency will periodically report to OPM their Work Roles of Critical Need vacancies based upon guidance provided in the near future SUMMARY OF REQUIREMENTS TO ANNUALLY REPORT TO OPM DURING 2019-2022 REPORTING REQUIREMENTS Additional reporting guidance and templates will be posted on the FCWAA MAX website  April 2019 An agency reports to OPM their list of Work Roles of Critical Need including information to substantiate the designation An agency reports to OPM their action plan with metrics and targets based upon the root cause analysis of skill shortages in their Work Roles of Critical Need  April 2020 An agency reports to OPM progress against their action plan metrics and targets This documents how the agency is mitigating shortages in their Work Roles of Critical Need and or improving or strengthening their Work Roles of Critical Need  April 2021 An agency reports to OPM progress against their action plan metrics and targets This documents how the agency is mitigating shortages in their Work Roles of Critical Need and or improving or strengthening their Work Roles of Critical Need  April 2022 An agency reports to OPM progress against their action plan metrics and targets This documents how the agency is mitigating shortages in their Work Roles of Critical Need and or improving or strengthening their Work Roles of Critical Need 5 RESOURCES Federal Cybersecurity Workforce Assessment Act https www congress gov 114 plaws publ113 PLAW-114publ113 pdf pages 735-737 U S Department of Homeland Security DHS National Initiative for Cybersecurity Careers and Studies NICCS Workforce Development Toolkit https niccs uscert gov sites default files documents pdf cybersecurity_workforce_development_toolkit pdf tra ckDocs cybersecurity_workforce_development_toolkit pdf OPM Workforce Planning Best Practices Guide https www opm gov services-for-agencies hrline-of-business migration-planning-guidance workforce-planning-best-practices pdf OPM Scenario-Based Workforce Planning https www opm gov policy-data-oversight humancapital-management reference-materials tools scenario-based-workforce-planning pdf Resources on Federal Cybersecurity Workforce Assessment Act MAX website https community max gov pages viewpage action spaceKey HumanCapital title Cybersecuri ty Workforce Assessment Law Description of Work Roles and 3-Digit Cybersecurity Codes within the Federal Cybersecurity Coding Structure Table 1 Pages 4-11 https www nist gov file 394236 NICE Cybersecurity Workforce Framework https www nist gov itl appliedcybersecurity national-initiative-cybersecurity-education-nice nice-cybersecurity DHS NICCS Framework Interactive Tool https niccs us-cert gov workforcedevelopment cyber-security-workforce-framework 6