1

The Effects of U.S. Government Security Regulations on the Cybersecurity Professional

Aleta Wilson, Ph.D.Clay Wilson, Ph.D.

◦This study explores activities required to employ cyber security workers for the federal government and its contractor community

◦These two sectors comprise an estimated 500,000 workers who must undergo a significant

background check because positions which are labelled as "national

security positions".

2

Scope

3

Definition of a Cyber Security Professional

DOL Occupational Outlook Handbook does not contain a definition for cybersecurity professionals

DOL categories acknowledge positions that involve people who◦ plan, coordinate, and maintain an organization's

information security◦ database administrators plan and coordinate

security measures with network administrators ◦ network engineers "may ... address information

security issues”

4

Definition of a Cyber Security Professional - DOL

Department of Homeland Security Secretary Janet Napolitano defines Cybersecurity professionals as ◦employees responsible for "... cyber risk

and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering“

5

Definition of a Cyber Security Professional - DHS

◦Frost & Sullivan conducted a survey of 10,413 information security professionals which indirectly defined security professionals as those employed as Information Security

professionals and those who had cyber security as their

primary job function.

6

Definition of a Cyber Security Professional – ISC2

DOD usually takes the lead in defining elements related to cyberspace and cybersecurity, but according to GAO

"DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations"

7

Definition of a Cyber Security Professional – DOD

Professionals who have information security as a major part of their job;

those who self-identify as cyber or security specialists; and,

those who build and maintain the national critical infrastructure of the computer systems on which the public and private sectors have come to rely.

8

Definition of a Cyber Security Professional – for this study

Now that we’ve defined them….

Let’s go get them….

9

DHS staffing up to 1,000 positions over three years from 2009

DOD’s recently established Cyber Command is also staffing up

NSA is stealing every human being from all sides

Plus industry has corporate and contract needs to fulfill

10

Need for Cyber Professionals

"... there are not enough cybersecurity experts within the Federal Government or private sector to implement the [Comprehensive National Cybersecurity Initiative], nor is there an adequately established Federal cybersecurity career field" (Obama, 2009).

11

Need for Cyber Professionals

Education (lack of)◦Science, Technology, Engineering

Security Clearances◦U.S. Citizens need only apply

12

Barriers

Cyber positions are classified as “National Security Positions”

Clearances are required Requires extensive background check Direct effect on cyber workforce

13

Security Clearance Policies and Procedures

• Clock starts when there is a “need to know” i.e., job offer

• A job search on Monster.com found 882 positions requiring a security clearance within 5 miles of DC zip code

• "If you are a Software Engineer and/or Systems Administrator with an active TS/SCI clearance and Full Scope Polygraph, please read on!"

14

Clearance Barrier – Need to Know

• OPM handles 90% of security clearances for the feds and contractor community

• Alphabet agencies conduct their own clearances• CIA, DIA, FBI, NGA, NRO, NSA, DoS

• Reciprocity is coming (and so is Christmas)

15

Clearance Barrier – Reciprocity

16

Start

PH meets job qualifications (is

suitable)

Is there a BI file at OPM

Legend: BI = background investigation; PH = potential hire; HA = hiring agency

Issue Contingency Hire Letter

Yes

No

Gather ID, etc and begin hiring process

PH submits clearance

documentation to HA

HA requests background investigation

Rescind offer

PH passes

HA suita-bility test

Yes

No

PH passes inves-

tigation

Yes

No Rescind offer

End

Hire

Figure 1Security Clearance Flowchart

3 months to 1-year- - - - - -Goal is 74 days, but ….

Many of current jobs will become vacant over the next 10 years

Workforce must be home-grown due to citizenship requirement

Great news for those with clearances◦ Only 2% of those with clearances are unemployed

Companies like Booze Allen stockpile cleared workers through use of college internships

Small firms are inhibited from bids requiring cleared personnel

17

Effects of Security Policies on Cyber Profession

Potential hires are given contingency letter pending clearance that can take 3 to 9 months for TS

Some government bids require cleared personnel be included in bid

If company cannot fill slot then they can lose contract

Outcome – company with best cyber expertise but lacking facility clearance may be locked out of bid.

18

Effects of Security Policies on HRM

Increased emphasis on S.T.E.M. $260M invested in STEM over next decade

Growth in STEM jobs is 3X non-STEM jobs

Government is certifying Universities with Information Assurance programs as Centers of Academic Excellence (124 and counting)

19

Effects of Security Policies on Educational System

Feds need to modify security regulations specific to cybersecurity professionals◦ Relax the “need to know” rule and run clearance process concurrent

with last semester of college When they graduate… they can immediately begin work

Grant “facility clearances” to the Centers of Excellence so that can submit their IA students for clearances

Require a work commitment from student who is granted a clearance (i.e., student agrees to work for gov for a minimum of two years)

Centers of Excellence can partner with large cleared contractors who will agree to hire and clear graduates

20

Conclusion

Effect of security clearance barriers on small businesses that sell IT services to the government

Are company’s with strong cyber skill sets being eliminated due to lack of security clearances

21

Further Research

22

FURTHER RESEARCH Effect of security clearance barriers on small businesses that

sell IT services to the government Are company’s with strong cyber skill sets being eliminated

due to lack of security clearances

NSA designated National Center of Academic Excellence in Information Assurance Education