How Federal Agencies are Approaching Cybersecurity Training Programs
Due in part to priorities being set by the Biden administration, many government organizations are taking steps to emphasize the importance of cybersecurity. A big part of that means implementing training programs to better handle cybersecurity threats, and a handful of proposed bills aim to do just that.
With cybersecurity becoming a national priority, we can only expect cybercriminals to continue to adapt their methodology in order to stay one step ahead of their targets. Regardless, any institution – public or private – that shrugs off the importance of cybersecurity can expect to be disadvantaged. At the very least, these bills serve as a very basic template for how to implement similar programs at your organization.
Department of Homeland Security
As cyberterrorism becomes a more serious threat to U.S. national security, it’s only natural that the Department of Homeland Security (DHS) would want to expand its training curriculum accordingly. As such, the Senate has passed the National Cybersecurity Preparedness Consortium Act of 2021 – a bill that would authorize the Secretary of Homeland Security to work with cybersecurity consortia for training and other purposes. In other words, the Secretary would be looking to consult with nonprofits and academic institutions to develop cybersecurity training for the Department of Homeland Security.
Who would receive the training under this act? One target group is state and local first responders and officials who would be prepped on how to best respond to cybersecurity risks and incidents, including terrorist threats. However, the program emphasizes the importance of “community wide coordination” in defending against cybersecurity risks. Thus training would be conducted for members of private industry as well as state and local government and critical infrastructure operators. To emphasize this, one of the bill’s priorities is to develop “information sharing programs” to help spread knowledge on cybersecurity as it relates to homeland security, including outreach to universities and colleges.
It’s worth noting that this bill would not require the DHS to implement such a program – it would merely authorize the Secretary to work with cybersecurity consortia. A bill that takes it a step further is the DHS Cybersecurity On-the-Job Training and Employment Apprentice Program Act, which would amend the Homeland Security Act of 2002 to add a section on cybersecurity. This section would require the DHS to establish a program that would designate cybersecurity work to DHS employees.
If passed, the program would require the DHS to establish a training and apprenticeship program to educate its employees on cybersecurity matters on-the-job. First, this would involve reporting to the Secretary of Homeland Security on vacancies in cybersecurity positions in the DHS and developing diagnostic tools to assess an employee’s performance in a cybersecurity role. Then, the relevant DHS members would create a list of positions for the program as well as a curriculum.
The bill affords the DHS much discretion as to how to develop the training program and recruit individuals for the program. That being said, the DHS would remain obligated to consistently communicate with relevant internal authorities regarding the status of the positions under the program and the skills they require.
Federal Acquisition Institute
In a similar vein, the Supply Chain Security Training Act of 2021 sets forth the development of a training program for employees of executive agencies whose jobs involve supply chain risk management responsibilities.
This bill is slightly more specific about its expectations for the training program. It specifies that the program must be designed to prepare said employees to “perform supply chain risk management activities and mitigate supply chain security threats that arise throughout the acquisition cycle.” While focusing on security at large, the bill singles out cybersecurity as a priority.
The training program would need to educate employees on “current” supply chain security threats, meaning the program would have to be updated when necessary to account for evolving threats. After 180 days following the development of the training program, the Office of Management and Budget would need to issue guidance to participating executive agencies on how to incorporate the program into their existing procedures and how to identify employees that need to be trained.
Department of Energy
While its focus is on security in the broad sense, the Enhancing Grid Security through Public-Private Partnerships Act has a clear mission when it comes to emerging threats. If passed, the bill would “direct the Department of Energy (DOE) to establish a program to collaborate with federal, state, and private sector entities to assess and improve the cyber and physical security of electric utilities.” The bill would also authorize the DOE to provide guidance, training, and technical assistance to electric utilities.
This bill not only acknowledges cybersecurity as a threat to electric utilities but outlines some methods for dealing with it. For example, it mentions maturity models, self-assessments and auditing as a way to better understand cybersecurity as it relates to relevant utility organizations. While much of the focus is on assistance and sharing best practices, the bill makes many references to training as a key component of a cybersecurity plan.
Although the bill is not too specific about what these programs would entail, it puts the onus on the Secretary of Energy to report to Congress regarding policies, priorities, procedures and other actions to enhance cybersecurity as well as plans for their implementation. The report would also include an estimate and analysis of the costs and benefits of these programs.
Office of Management and Budget
Finally, the Artificial Intelligence Training for the Acquisition Workforce Act (also known as the AI Training Act) is perhaps the most ambitious of them all. The bill would require the Director of the Office of Management and Budget to establish an artificial intelligence training program for employees of executive agencies that work in program management, research and development, procurement and contracting, logistics or cost estimation.
The purpose of the program would be to ensure that such employees understand the capabilities and risks of AI, including information on topics such as:
How AI works on a scientific level
Technological features of AI systems
How AI can benefit the federal government
Risks posed by AI, including discrimination and privacy risks
How to mitigate the risks of AI
How to identify reliable, safe and trustworthy AI
Future trends in AI, including trends for homeland and national security and innovation
Since AI is a field in flux, this program would have to be updated at least every two years to account for new information and changes in the AI landscape. This program would be developed in consultation with technologists, scholars and other experts across sectors, taking into account feedback from participants regarding potential improvements to the program.