There is a shortage of cybersecurity professionals that is affecting the ability of the United States to fulfil the mandate of the Comprehensive National Cybersecurity Initiative. The purpose of this research is to find solutions to remove the barriers related to security clearance regulations that affect the cybersecurity professional. A fully qualified cybersecurity professional with the ability to obtain a clearance, may be unable to obtain a cybersecurity job because they lack the necessary clearance to apply for a job. A review of several studies and government reports confirmed the shortage of workers and security clearance processing, but none of those studies addressed the problem of the security clearance barriers. It would behoove the federal government to 1) allow students in the final semester of their cybersecurity degree program to begin the clearance investigation for a secret clearance; and/or 2) partner with industry to establish a scholarship program for students designed to develop cybersecurity professionals for government contractors. Each of these options represent a win-win for all parties and is a major step towards accomplishing what President Obama has declared as a national security priority.
2. ◦ This study explores activities required to
employ cyber security workers for the
federal government and
its contractor community
◦ These two sectors comprise an estimated
500,000 workers
who must undergo a significant
background check because
positions which are labelled as "national
security positions".
2
4. DOL Occupational Outlook Handbook does
not contain a definition for cybersecurity
professionals
DOL categories acknowledge positions that
involve people who
◦ plan, coordinate, and maintain an organization's
information security
◦ database administrators plan and coordinate
security measures with network administrators
◦ network engineers "may ... address information
security issues”
4
5. Department of Homeland Security
Secretary Janet Napolitano defines
Cybersecurity professionals as
◦ employees responsible for "... cyber risk
and strategic analysis; cyber incident
response; vulnerability detection and
assessment; intelligence and investigation;
and network and systems engineering“
5
6. ◦ Frost & Sullivan conducted a survey of
10,413 information security professionals
which indirectly defined security
professionals as those
employed as Information Security
professionals and
those who had cyber security as their
primary job function.
6
7. DOD usually takes the lead in defining
elements related to cyberspace and
cybersecurity, but according to GAO
"DOD has defined some key cyber-related
terms but it has not yet fully identified the
specific types of operations and program
elements that are associated with full-
spectrum cyberspace operations"
7
8. Professionals who have information security
as a major part of their job;
those who self-identify as cyber or security
specialists; and,
those who build and maintain the national
critical infrastructure of the computer
systems on which the public and private
sectors have come to rely.
8
10. DHS staffing up to 1,000 positions
over three years from 2009
DOD’s recently established Cyber
Command is also staffing up
NSA is stealing every human being
from all sides
Plus industry has corporate and
contract needs to fulfill
10
11. "... there are not enough cybersecurity
experts within the Federal Government or
private sector to implement the
[Comprehensive National Cybersecurity
Initiative], nor is there an adequately
established Federal cybersecurity career
field" (Obama, 2009).
11
12. Education (lack of)
◦ Science, Technology, Engineering
Security Clearances
◦ U.S. Citizens need only apply
12
13. Cyber positions are classified as “National
Security Positions”
Clearances are required
Requires extensive background check
Direct effect on cyber workforce
13
14. • Clock starts when there is a “need to know” i.e., job
offer
• A job search on Monster.com found 882 positions requiring
a security clearance within 5 miles of DC zip code
• "If you are a Software Engineer and/or Systems
Administrator with an active TS/SCI clearance and Full
Scope Polygraph, please read on!"
14
15. • OPM handles 90% of security
clearances for the feds and contractor
community
• Alphabet agencies conduct their own
clearances
• CIA, DIA, FBI, NGA, NRO, NSA, DoS
• Reciprocity is coming (and so is
Christmas)
15
16. Figure 1
Security Clearance Flowchart
Start
Yes Gather ID, etc and
begin hiring process
PH meets job Is there
Issue Contingency
qualifications (is a BI file
Hire Letter
suitable) at OPM
PH submits
3
No
clearance months
documentation to
HA to
1-year
------
HA requests
Yes background Goal is
investigation Yes
PH Hire 74
passes
HA PH passes days, bu
suita-
bility
inves-
tigation
End t ….
test
No
No Rescind offer
Rescind offer
Legend: BI = background investigation; PH = potential hire; HA = hiring agency
16
17. Many of current jobs will become vacant over the
next 10 years
Workforce must be home-grown due to citizenship
requirement
Great news for those with clearances
◦ Only 2% of those with clearances are unemployed
Companies like Booze Allen stockpile cleared
workers through use of college internships
Small firms are inhibited from bids requiring
cleared personnel
17
18. Potential hires are given contingency letter
pending clearance that can take 3 to 9
months for TS
Some government bids require cleared
personnel be included in bid
If company cannot fill slot then they can
lose contract
Outcome – company with best cyber
expertise but lacking facility clearance may
be locked out of bid.
18
19. Increased emphasis on S.T.E.M.
$260M invested in STEM over next
decade
Growth in STEM jobs is 3X non-STEM
jobs
Government is certifying Universities
with Information Assurance programs
as Centers of Academic Excellence
(124 and counting)
19
20. Feds need to modify security regulations specific to
cybersecurity professionals
◦ Relax the “need to know” rule and run clearance process concurrent
with last semester of college
When they graduate… they can immediately begin work
Grant “facility clearances” to the Centers of Excellence so
that can submit their IA students for clearances
Require a work commitment from student who is granted a
clearance (i.e., student agrees to work for gov for a
minimum of two years)
Centers of Excellence can partner with large cleared
contractors who will agree to hire and clear graduates
20
21. Effect of security clearance barriers on
small businesses that sell IT services
to the government
Are company’s with strong cyber skill
sets being eliminated due to lack of
security clearances
21
22. FURTHER RESEARCH
Effect of security clearance barriers on small businesses that
sell IT services to the government
Are company’s with strong cyber skill sets being eliminated
due to lack of security clearances
NSA designated National Center of Academic
Excellence in Information Assurance Education
22