FY2023 NDAA: Cyber Personnel Policies

Changes from October 4, 2022 to March 6, 2023

This page shows textual changes in the document between the two versions indicated in the dates above. Textual matter removed in the later version is indicated with ~~red strikethrough~~ and textual matter added in the later version is indicated with blue.

FY2023 NDAA: Cyber Personnel Policies
~~October 4, 2022~~March 6, 2023
Over the past decade, Congress, the Department of Defense (DOD), and other federal agencies Over the past decade, Congress, the Department of Defense (DOD), and other federal agencies
have engaged in several initiatives to enhance cyber defense and warfighting capabilities and have engaged in several initiatives to enhance cyber defense and warfighting capabilities and
Kristy N. Kamarck
build a workforce with the technical skills needed to protect and manage digital infrastructure. build a workforce with the technical skills needed to protect and manage digital infrastructure.
Specialist in Military Specialist in Military
The House-passed (H.R. 7900 The House-passed (H.R. 7900, 117th Congress) and Senate Armed Services Committee (SASC)-) and Senate Armed Services Committee (SASC)-~~reported (S.~~
~~Manpower~~
~~4543) National Defense Authorization Act for Fiscal Year 2023 (FY2023 NDAA) include~~

Manpower reported (S. 4543, 117th Congress) Fiscal Year (FY) 2023 National Defense Authorization Act (NDAA) included several provisions that relate to recruiting, retention, and career management several provisions that relate to recruiting, retention, and career management ~~of DOD military~~
Catherine A. Theohary
of DOD military and civilian personnel in cyber career fields. These provisions fall into three and civilian personnel in cyber career fields. These provisions fall into three ~~broad categories.~~
Specialist in National Specialist in National

broad categories. Security Policy, Cyber and Security Policy, Cyber and
Information Operations  Reserve component (RC) and civilian staffing in response to cyber threats; Reserve component (RC) and civilian staffing in response to cyber threats;
~~Information Operations~~
 Reviews of cyber personnel policies, strategy and planning; and  Reviews of cyber personnel policies, strategy and planning; and

  Cyber-related education and training for DOD’s workforce. Cyber-related education and training for DOD’s workforce.
~~Hibbah Kaileh~~
~~Research Assistant~~
~~In legislative deliberations around the FY2023 NDAA, Congress may consider how these~~

~~proposals intersect with existing federal authorities and programs related to the cyber workforce.~~
~~Several of the proposed provisions would seek more clarity on DOD~~The James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (P.L. 117-263; FY2023 NDAA), enacted on December 27, 2022, adopted many such measures. Several of the enacted provisions require DOD to strengthen organization, plans, organization, plans,

processes, and ongoing implementation of cyber workforce initiatives processes, and ongoing implementation of cyber workforce initiatives and to update Congress through periodic reports through periodic reports
and briefingsand briefings ~~to Congress. These proposed assessments may augment or overlap with prior congressionally mandated reports~~
~~or ongoing reviews. A selected~~ . A list of list of ~~proposed~~selected reporting requirements, deadlines, and responsible officials is provided in the reporting requirements, deadlines, and responsible officials is provided in the
Appendix of this report. Appendix of this report.

Congressional Research Service Congressional Research Service

FY2023 NDAA: Cyber Personnel Policies

Background
The Department of Defense (DOD) first established the U.S. Cyber Command (USCYBERCOM, The Department of Defense (DOD) first established the U.S. Cyber Command (USCYBERCOM,
or CYBERCOM) as a subordinate command under the U.S. Strategic Command or CYBERCOM) as a subordinate command under the U.S. Strategic Command
(USSTRATCOM) in 2010 in response to the growing national cyber threat. Congress elevated (USSTRATCOM) in 2010 in response to the growing national cyber threat. Congress elevated
CYBERCOM to a unified combatant command as part of the National Defense Authorization Act CYBERCOM to a unified combatant command as part of the National Defense Authorization Act
for FY2017 (FY2017 NDAA).1 The military services (Army, Navy, Air Force, Marines Corps, for FY2017 (FY2017 NDAA).1 The military services (Army, Navy, Air Force, Marines Corps,
and Space Force) are responsible for manning, training, and equipping units assigned to and Space Force) are responsible for manning, training, and equipping units assigned to
CYBERCOM. These units make up the Cyber Mission Force (CMF), which executes the CYBERCOM. These units make up the Cyber Mission Force (CMF), which executes the
command’s mission to direct, synchronize, and coordinate cyberspace operations in defense of command’s mission to direct, synchronize, and coordinate cyberspace operations in defense of
U.S. national interests.2 U.S. national interests.2
Cyber Mission Force
The CMF undertakes three types of missions in cyberspace:3 The CMF undertakes three types of missions in cyberspace:3
  Offensive cyberspace operations – missions intended to project power in and – missions intended to project power in and
through cyberspace. through cyberspace.
  Defensive cyberspace operations –– missions to preserve the ability to use missions to preserve the ability to use
cyberspace capabilities and protect data, networks, cyberspace-enabled devices, cyberspace capabilities and protect data, networks, cyberspace-enabled devices,
and other designated systems by defeating ongoing or imminent malicious and other designated systems by defeating ongoing or imminent malicious
cyberspace activity.cyberspace activity.
  Department of Defense Information Network (DODIN) operations – –
operational actions taken to secure, configure, operate, extend, maintain, and operational actions taken to secure, configure, operate, extend, maintain, and
sustain DOD cyberspace and to create and preserve the confidentiality, sustain DOD cyberspace and to create and preserve the confidentiality,
availability, and integrity of the DODIN.availability, and integrity of the DODIN.44CRS In Focus IF10537, Defense Primer: Cyberspace Operations
The CMF’s 133 teams comprise approximately 6,000 servicemembers and civilians, including The CMF’s 133 teams comprise approximately 6,000 servicemembers and civilians, including
reserve component personnel on active duty.5 Reportedly, reserve component personnel on active duty.5 Reportedly, ~~according to FY2021 budget~~
~~documents, DOD expects~~DOD expected the CMF to add 14 more teams to the existing 133 between FY2022 the CMF to add 14 more teams to the existing 133 between FY2022
and FY2024, with four teams to be added in FY2022 and five in FY2023.6 The growth is and FY2024, with four teams to be added in FY2022 and five in FY2023.6 The growth is

projected to add about 600 people, a 10% increase, to 1 P.L. 114-328 §923; 10 U.S.C. §167b; U.S. Cyber Command, Our History, at 1 P.L. 114-328 §923; 10 U.S.C. §167b; U.S. Cyber Command, Our History, at
https://www.cybercom.mil/About/History/. https://www.cybercom.mil/About/History/. ~~Cyberspace is defined by DOD in~~ In the November 2022 DOD Dictionary of Military and Associated Terms, cyberspace is defined as “a global domain within the information a global domain within the information
environment consisting of the interdependent network of information technology infrastructures and resident data, environment consisting of the interdependent network of information technology infrastructures and resident data,
including the internet, telecommunications networks, computer systems, and embedded processors and controllers.including the internet, telecommunications networks, computer systems, and embedded processors and controllers.” For For
additional information, see CRS In Focus IF10537, additional information, see CRS In Focus IF10537, Defense Primer: Cyberspace Operations, by Catherine A. , by Catherine A.
Theohary. Theohary.
2 U.S. Army Cyber Command, “DOD Fact Sheet: Cyber Mission Force,” February 10, 2020, at 2 U.S. Army Cyber Command, “DOD Fact Sheet: Cyber Mission Force,” February 10, 2020, at
https://www.arcyber.army.mil/Info/Fact-Sheets/Fact-Sheet-View-Page/Article/2079594/dod-fact-sheet-cyber-mission-https://www.arcyber.army.mil/Info/Fact-Sheets/Fact-Sheet-View-Page/Article/2079594/dod-fact-sheet-cyber-mission-
force/. force/.
3 Department of Defense Joint Publication 3-12 3 Department of Defense Joint Publication 3-12 Cyberspace Operations, June 8, 2018, , June 8, 2018, ~~available~~ at at
https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf. https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf.
4 Ibid. The DODIN is the set of information capabilities and associated processes for collecting, processing, storing, 4 Ibid. The DODIN is the set of information capabilities and associated processes for collecting, processing, storing,
disseminating, and managing information on-demand to warfighters, disseminating, and managing information on-demand to warfighters, ~~policy makers~~policymakers, and support personnel, whether , and support personnel, whether
interconnected or stand-alone, including owned and leased communications and computing systems and services, interconnected or stand-alone, including owned and leased communications and computing systems and services,
software (including applications), data, security services, other associated services, and national security systems. software (including applications), data, security services, other associated services, and national security systems.
5 For more information on the Reserve Component, see CRS In Focus IF10540, 5 For more information on the Reserve Component, see CRS In Focus IF10540, Defense Primer: Reserve Forces, by , by
Lawrence Kapp. Lawrence Kapp.
6 Mark Pomerleau, “Army adding more cyber teams,” 6 Mark Pomerleau, “Army adding more cyber teams,” FEDSCOOP, August 17, 2022, August 17, 2022, at at
Congressional Research Service Congressional Research Service

1 1

FY2023 NDAA: Cyber Personnel Policies

~~expected to add about 600 people, a 10% increase, to~~ the CMF.7 The new CMF teams are to the CMF.7 The new CMF teams are to
include both civilian and military personnel. Each military service is responsible for recruiting include both civilian and military personnel. Each military service is responsible for recruiting
and training their own CMF units. CYBERCOM has reported that it is in the process of and training their own CMF units. CYBERCOM has reported that it is in the process of
centralizing advanced cyber training, with the Army serving as the executive agent.8 centralizing advanced cyber training, with the Army serving as the executive agent.8
While the CMF is While the CMF is ~~CYBERCOMS~~CYBERCOM’s arm for operating in cyberspace as a warfighting domain, ’s arm for operating in cyberspace as a warfighting domain,
other cyber-related professionals, both military and civilian, make up the overall DOD cyber other cyber-related professionals, both military and civilian, make up the overall DOD cyber
workforce. The workforce. The DOD Office of the Chief Information Officer oversees the management of DOD Office of the Chief Information Officer oversees the management of DOD
information technology and cybersecurity elements of the DOD cyberspace workforce.9 Formerly information technology and cybersecurity elements of the DOD cyberspace workforce.9 Formerly
known as the information assurance workforce, the cybersecurity workforce is defined in DOD known as the information assurance workforce, the cybersecurity workforce is defined in DOD
Directive 8140.01 as “personnel who secure, defend, and preserve data, networks, net-centric Directive 8140.01 as “personnel who secure, defend, and preserve data, networks, net-centric
capabilities, and other designated systems by ensuring appropriate security controls and measures capabilities, and other designated systems by ensuring appropriate security controls and measures
are in place, and taking internal defense actions.”10 are in place, and taking internal defense actions.”10
Cyber Excepted Service
The Cyber Excepted Service (CES) is a DOD enterprise-wide personnel system for managing The Cyber Excepted Service (CES) is a DOD enterprise-wide personnel system for managing
defense civilians in the cyber workforce.11 Congress established the authorities for this system as defense civilians in the cyber workforce.11 Congress established the authorities for this system as
part of the FY2016 NDAA, part of the FY2016 NDAA, ~~in part to~~and these provisions provide DOD with flexible tools to attract and retain provide DOD with flexible tools to attract and retain
civilians with civilians with ~~in-demand~~ cyber skills.12 Prior to this lawcyber skills.12 Prior to this law ~~being enacted~~’s enactment a majority of cyber a majority of cyber
positions were in the competitive service; certain existing competitive service employees were positions were in the competitive service; certain existing competitive service employees were
offered the opportunity to convert to CES.13 The DOD Chief Information Officer (CIO) is offered the opportunity to convert to CES.13 The DOD Chief Information Officer (CIO) is
responsible for developing CES policy and providing recommended policy issuances to the responsible for developing CES policy and providing recommended policy issuances to the
Undersecretary of Defense for Personnel and Readiness. According to the DOD CIO’s office, Undersecretary of Defense for Personnel and Readiness. According to the DOD CIO’s office,
~~there are currently~~as of September 2022 there were 15,000 department employees in the CES, and the Department 15,000 department employees in the CES, and the Department ~~plans~~planned to expand to expand
the number of CES positions in coming years.14 the number of CES positions in coming years.14
Selected Provisions in the FY2023 NDAA
Since the creation of CYBERCOM, Congress has demonstrated concern about whether adequate Since the creation of CYBERCOM, Congress has demonstrated concern about whether adequate
resources, policies, and programs are in place to support a cyber-capable workforce. The House-resources, policies, and programs are in place to support a cyber-capable workforce. The House-

https://www.fedscoop.com/army-adding-more-cyber-teams/. https://www.fedscoop.com/army-adding-more-cyber-teams/.
7 C. Todd Lopez, 7 C. Todd Lopez, "“Cyber Mission Force Set to Add More Teams,Cyber Mission Force Set to Add More Teams,"” DOD News, April 6, 2022, at , April 6, 2022, at
https://www.defense.gov/News/News-Stories/Article/Article/2991699/cyber-mission-force-set-to-add-more-teams/. https://www.defense.gov/News/News-Stories/Article/Article/2991699/cyber-mission-force-set-to-add-more-teams/.
8 Testimony of U.S. Cyber Command Commander General Paul M. Nakasone, in U.S. Congress, Senate Armed 8 Testimony of U.S. Cyber Command Commander General Paul M. Nakasone, in U.S. Congress, Senate Armed
Services Committee, Services Committee, United States Special Operations Command and United States Cyber Command, hearings, 117th hearings, 117th
Congress, 1st sess., March 25, 2021, at https://www.armed-services.senate.gov/imo/media/doc/Nakasone_03-25-21.pdf. Congress, 1st sess., March 25, 2021, at https://www.armed-services.senate.gov/imo/media/doc/Nakasone_03-25-21.pdf.
9 DOD doctrine uses both “cyber workforce” and “cyberspace workforce” as umbrella terms to denote DOD cyber 9 DOD doctrine uses both “cyber workforce” and “cyberspace workforce” as umbrella terms to denote DOD cyber
personnel. For example, see https://dodcio.defense.gov/Cyber-Workforce/CWM.aspx. personnel. For example, see https://dodcio.defense.gov/Cyber-Workforce/CWM.aspx.
10 Department of Defense Directive 8140.01 10 Department of Defense Directive 8140.01 Cyberspace Workforce Management,, ~~October 5, 2020. Available~~ at at
https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/814001p.pdf. The term “information assurance” https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/814001p.pdf. The term “information assurance”
was removed from the DOD Dictionary of Military and Associated Terms. was removed from the DOD Dictionary of Military and Associated Terms.
11 For more information, see CRS In Focus IF11510, 11 For more information, see CRS In Focus IF11510, Defense Primer: Department of Defense Civilian Employees, by , by
Alan Ott. Alan Ott.
12 P.L. 114-92 § 12 P.L. 114-92 §~~1106~~1107; 10 U.S.C. §1599f. ; 10 U.S.C. §1599f.
13 David Knapp et al., 13 David Knapp et al., Employee Conversions to the Cyber Excepted Service, RAND Corporation, Assessing Factors , RAND Corporation, Assessing Factors
and Characteristics Related to Personnel Conversion Decisions, Santa Monica, CA, 2021. and Characteristics Related to Personnel Conversion Decisions, Santa Monica, CA, 2021.
14 14 Comment by Mark Gorak, Principal Director for Resources and Analysis in the DoD CIO’s office, reported in Justin Doubleday, Justin Doubleday, White House developing cyber workforce strategy to be more ‘action oriented,’ September 9, September 9,
2022, 2022, ~~Available at~~ at https://federalnewsnetwork.com/cybersecurity/2022/09/white-house-developing-cyber-workforce-https://federalnewsnetwork.com/cybersecurity/2022/09/white-house-developing-cyber-workforce-
strategy-to-be-more-action-oriented/. strategy-to-be-more-action-oriented/.
Congressional Research Service Congressional Research Service

2 2

link to page 6 link to page 6 FY2023 NDAA: Cyber Personnel Policies

passed passed-version (H.R. 7900 (H.R. 7900, 117th Congress) and Senate Armed Services Committee (SASC)-) and Senate Armed Services Committee (SASC)-~~reported~~reported version (S. 4543 (S. 4543), 117th Congress) of the National National
Defense Authorization Act for Fiscal Year 2023 (FY2023 NDAA) Defense Authorization Act for Fiscal Year 2023 (FY2023 NDAA) ~~include~~included several provisions that several provisions that
relate to recruiting, retention, and career management of DOD military and civilian personnel in relate to recruiting, retention, and career management of DOD military and civilian personnel in
cyber career fields (secyber career fields (see Table 1). .
Provisions Provisions enacted in the FY2023 NDAA related to cyber personnel fall into three broad categories: in the FY2023 NDAA related to cyber personnel fall into three broad categories:
 reserve component (RC) and civilian staffing in response to cyber threats;  reserve component (RC) and civilian staffing in response to cyber threats;
 reviews of cyber personnel policies, strategy and planning; and  reviews of cyber personnel policies, strategy and planning; and
 cyber-related education and training for DOD’s workforce.  cyber-related education and training for DOD’s workforce.
Table 1. Selected FY2023 NDAA Provisions Related to Cyber Personnel
House-passed (H.R. 7900), 117th
SASC-Reported (S. 4543, 117th Enacted (P.L. 117-263) Congress) Congress)
Reserve component (RC) and civilian staffing in response to cyber threats
No similar provision No similar provision
Section 512 would Section 512 would ~~authorize~~ have authorized Not adopted. the Secretary of Defense the Secretary of Defense
to order reserve units to active duty to respond to a to order reserve units to active duty to respond to a
significant cyber incident for a continuous period of up significant cyber incident for a continuous period of up
to 365 days. to 365 days.
No similar provision No similar provision
Section 1112 would Section 1112 would ~~establish a civilian cybersecurity~~
~~reserve pilot project to provide manpower to U.S.~~
~~Cyber Command.~~
~~Section 1533 would require DOD to conduct a~~
~~Section 1114 would require DOD to report annually~~
~~comprehensive review of the Cyber Excepted Service~~
~~on Cyber Excepted Service positions~~have Section 1540 adopts the Senate established a civilian cybersecurity provision with an amendment reserve pilot project to provide requiring DOD to engage with a manpower to U.S. Cyber federally funded research and Command. development center (FFRDC) or other non-profit to assess the feasibility and advisability of creating a civilian cybersecurity reserve corps, including consideration of the results of a prior congressionally-mandated report on non-traditional cyber support. Section 1533 would have required Section 1114 would have required Section 1541 adopts elements of DOD to conduct a comprehensive DOD to report annually on CES both House and Senate provisions. review of Cyber Excepted Service positions through 2028. .
policies, including personnel compensation and policies, including personnel compensation and
advancement. advancement.
Reviews of cyber personnel policies, strategy and planning
Section Section ~~1606 would require a DOD study on the~~
~~responsibilities of the military services for organizing,~~
~~training, and presenting the total force to CYBERCOM.~~
~~Section 1531 would require DOD annual reports to be~~
~~Section 1603 would require the Secretary of Defense~~1531 would have required No similar provision. Section 1502 adopts the House DOD annual reports to be provision with an amendment that
submitted with the President’s submitted with the President’s modifies the reporting budget request on CMF budget request on CMF
readiness requirements. and the adequacy of policies, plans, procedures, and the execution of manning, training, and equipping the CMF starting in FY2024. Section 1606 would have required a Section 1533 adopts the Senate DOD study on the responsibilities provision with an amendment to No similar provision. of the military services for modify the scope of the required organizing, training, and presenting report. the total force to CYBERCOM. Congressional Research Service 3 FY2023 NDAA: Cyber Personnel Policies House-passed (H.R. 7900, 117th SASC-Reported (S. 4543, 117th Enacted (P.L. 117-263) Congress) Congress) Section 1503 would have directed Section 1625 would have required Section 1532 adopts House the Secretary of the Navy to ~~and the Chairman of the Joint Chiefs of Staff to develop~~
~~readiness and the adequacy of policies, plans,~~
~~a plan and recommendations to address CMF personnel~~
~~procedures, and the execution of manning, training, and readiness shortfalls.~~
~~equipping the CMF starting in FY2024.~~
~~Section 1610 would require a review of certain cyber~~
~~operations personnel policies, including recruitment,~~
~~retention, professional military education, personnel~~
~~data sharing, structures, and departmental guidance and~~
~~processes.~~
~~Section 1503 would direct the Secretary of the Navy to Section 1625 would require the Secretary of the Navy~~
~~establish and sustain certain Cyber Warfare career~~
~~to report on recommendations for improving cyber~~
~~designators as well as a training pipeline and~~
~~career paths in the Navy.~~
~~implementation plan.~~
~~Section 1532 would require an independent review of~~
~~No similar provision~~
~~the staffing levels of DOD’s Office of the Chief~~
~~Information Officer (CIO).~~
~~Education and Training~~
~~Section 1535 would establish a “Hacking for National~~
~~No similar provision~~
~~Security and Public Service Innovation Program”~~
~~(H4NSPSI) to, in part, support the development and~~
~~acquisition of cyber talent in the federal workforce.~~
~~Congressional Research Service~~

3

~~FY2023 NDAA: Cyber Personnel Policies~~

~~House-passed (H.R. 7900)~~
~~SASC-Reported (S. 4543)~~
~~Section 558 would require the Secretary of Defense to~~
~~No similar provision~~
~~establish a consortium of military~~ the Secretary of the Navy to report provision 1503 with an amendment establish and sustain certain Cyber on recommendations for improving that modifies the timeline Warfare career designators as well cyber career paths in the Navy. requirements for the career as a training pipeline and designators. implementation plan. Section 1536 adopts Senate provision 1625. No similar provision. Section 1603 would have required Section 1534 adopts the Senate the Secretary of Defense and the provision with an amendment to Chairman of the Joint Chiefs of Staff modify the scope of the effort. to develop a plan and recommendations to address CMF personnel readiness shortfalls. No similar provision. Section 1610 would have required a Not adopted. review of certain cyber operations personnel policies, including recruitment, retention, professional military education, personnel data sharing, structures, and departmental guidance and processes. Education and Training Section 558 would have required No similar provision. Several provisions (Sections 557, the Secretary of Defense to 558, and 559) in the House bil establish a consortium of military would have established various and civilian education and civilian education
~~institutions to provide a forum to share information on~~
~~matters of cybersecurity.~~
~~No similar provision~~
~~Section 1111 would establish a program to provide~~
~~financial support for the pursuit of programs in~~
~~disciplines related to cyber or digital technology at~~
~~institutions of higher education.~~
Source: CRS analysis of legislation on Congress.gov.
~~Notes:~~ ~~Several provisions in the House-passed and SASC-reported bil would~~institutions to professional military education provide a forum to share (PME) consortiums and a information on matters of commission. In lieu of this, Section cybersecurity. 557 adopts a requirement for DOD to report on the effectiveness of officer PME by December 1, 2025, with an appraisal of the feasibility and advisability of establishing a consortium. Section 5867 would have required a Section 1111 included a similar Section 1535 adopts the Senate financial support program at provision to House Section 5867. provision and directs the Secretary institutes of higher education of Defense to establish a program designated as a Center of Academic that provides financial support for Excellence in Cyber Education for the pursuit of programs that are the pursuit of programs in critically needed and related to disciplines related to cyber or cyber or digital technology. digital technology. Section 1535 would have No similar provision. Not adopted. established a “Hacking for National Security and Public Service Innovation Program” (H4NSPSI) to, in part, support the development and acquisition of cyber talent in the federal workforce. Source: CRS analysis of legislation on Congress.gov. Congressional Research Service 4 FY2023 NDAA: Cyber Personnel Policies Notes: Several provisions in the House-passed, SASC-reported, and enacted legislation address other aspects of military address other aspects of military
cyber policy beyond the scope of this product, including: organizational structure, roles, and missions; cyber cyber policy beyond the scope of this product, including: organizational structure, roles, and missions; cyber
warfighting architecture; strategy alignment and interagency coordination; cyber innovation incentives; and warfighting architecture; strategy alignment and interagency coordination; cyber innovation incentives; and
foreign military cooperation. foreign military cooperation.
~~Discussion~~
Reserve Component and Civilian Staffing in Response to Cyber
Threats
Some experts have called for leveraging the Reserve Component (RC) to meet increased Some experts have called for leveraging the Reserve Component (RC) to meet increased ~~demand~~
federal government demand for cyber personnel. A 2017 RAND study found that for cyber personnel. A 2017 RAND study found that ~~tens of thousands of~~ over ten thousand reservists either have reservists either have
cyber expertise or are able to cyber expertise or are able to ~~easily~~ acquire cyber-related skills through civilian-based trainingacquire cyber-related skills through civilian-based training,
~~and many~~ ; and many of these individuals express a desire to use these skills in the military.15 In a March 2021 Senate Armed express a desire to use these skills in the military.15 In a March 2021 Senate Armed
Services Committee Hearing, CYBERCOM Commander Services Committee Hearing, CYBERCOM Commander General Paul Nakasone called the ability to Paul Nakasone called the ability to
bring on personnel with relevant private-sector expertise “invaluable.”16 Provisions in the SASC-bring on personnel with relevant private-sector expertise “invaluable.”16 Provisions in the SASC-
reported version of the FY2023 NDAA would reported version of the FY2023 NDAA would ~~expand~~have expanded authorities for activating RC members and authorities for activating RC members and
hiring civilians to respond to “significant cyber incidents.”17 Section 512 of the SASC-reported hiring civilians to respond to “significant cyber incidents.”17 Section 512 of the SASC-reported
bill would bill would ~~amend~~have amended 10 U.S.C. §12304 to authorize the Secretary of Defense to involuntarily 10 U.S.C. §12304 to authorize the Secretary of Defense to involuntarily
activate individuals in the Selected Reserve and Individual Ready Reserve for up to 365 activate individuals in the Selected Reserve and Individual Ready Reserve for up to 365
continuous days to respond to such events.18 There continuous days to respond to such events.18 There ~~are~~were no similar provisions in the House no similar provisions in the House ~~bill.~~-passed bill and this provision was not enacted. Section 1112 of the SASC-reported bill would have required the Secretary of the Army to establish a four-year “Civilian Cybersecurity Reserve” pilot project to augment the CYBERCOM workforce.19 This pilot authority would have allowed the Army to establish criteria for selection and accession into the Civilian Cybersecurity Reserve and would allow for noncompetitive temporary appointments of up to 50 personnel into the competitive service (under 5 U.S.C. §2102) and excepted service (under 5 U.S.C. §2103).20 The enacted FY2023 NDAA does not provide authority for an Army pilot program. Instead, it requires (under Section 1540) that DOD engage with a federally funded research and development center (FFRDC) or other independent

15 Isaac R. Porche III, Caolionn O'Connell, John S. Davis II, et al., 15 Isaac R. Porche III, Caolionn O'Connell, John S. Davis II, et al., Cyber Power Potential of the Army's Reserve
Component. Santa Monica, CA: RAND Corporation, 2017, at Santa Monica, CA: RAND Corporation, 2017, at
https://www.rand.org/pubs/research_reports/RR1490.html. https://www.rand.org/pubs/research_reports/RR1490.html.
16 Testimony of U.S. Cyber Command Commander General Paul M. Nakasone, in U.S. Congress, Senate Armed 16 Testimony of U.S. Cyber Command Commander General Paul M. Nakasone, in U.S. Congress, Senate Armed
Services Committee, Services Committee, United States Special Operations Command and United States Cyber Command, hearings, 117th hearings, 117th
Congress, 1st sess., March 25, 2021, at https://www.armed-services.senate.gov/imo/media/doc/Nakasone_03-25-21.pdf. Congress, 1st sess., March 25, 2021, at https://www.armed-services.senate.gov/imo/media/doc/Nakasone_03-25-21.pdf.
17 Presidential Policy Directive/PPD-41 United States Cyber Incident Coordination defines a significant cyber incident 17 Presidential Policy Directive/PPD-41 United States Cyber Incident Coordination defines a significant cyber incident
as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of
the United States or to the public confidence, civil liberties, or public health and safety of the American peoplethe United States or to the public confidence, civil liberties, or public health and safety of the American people.,” July ” July
26, 2016, at https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-26, 2016, at https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-
states-cyber-incident. states-cyber-incident.
18 10 U.S.C. §12304 currently authorizes the President to involuntarily mobilize reservists for certain emergencies 18 10 U.S.C. §12304 currently authorizes the President to involuntarily mobilize reservists for certain emergencies
related to “use or threatened use of a weapon of mass destruction” or “a terrorist attack or threatened terrorist attack in related to “use or threatened use of a weapon of mass destruction” or “a terrorist attack or threatened terrorist attack in
the United States that results, or could result, in significant loss of life or property.” For more information, see CRS the United States that results, or could result, in significant loss of life or property.” For more information, see CRS
Report RL30802, Report RL30802, Reserve Component Personnel Issues: Questions and Answers, by Lawrence Kapp and Barbara , by Lawrence Kapp and Barbara
Salazar Torreon. Salazar Torreon.
19 The congressionally mandated National Commission on Military, National, and Public Service recommended such a project in 2020. National Commission on Military, National, and Public Service, Inspired to Serve, March 2020, p. 81, at https://www.volckeralliance.org/sites/default/files/attachments/Final%20Report%20-%20National%20Commission.pdf. 20 For more on federal civilian service see CRS Report R45635, Categories of Federal Civil Service Employment: A Snapshot, by Jon O. Shimabukuro and Jennifer A. Staman. Congressional Research Service 5~~Congressional Research Service~~

4

link to page link to page 1214 FY2023 NDAA: Cyber Personnel Policies non-profit entity to evaluate the feasibility and advisability of such a reserve corps across DOD. This provision requires the research entity to take into consideration a study on “nontraditional cyber support” required by the FY2021 NDAA.21 This report was to include an evaluation of different reserve models to support DOD cyber operations. Section 1540 also limits the amount of FY2023 appropriated funds that the Under Secretary of Defense for Policy may obligate or expend to not more than 75% until a copy of the FY2021 congressionally-mandated report is submitted to the Armed Services committees. This report was due to the committees in September 2022. ~~FY2023 NDAA: Cyber Personnel Policies~~

~~Section 1112 of the SASC-reported bill would require the Secretary of the Army to establish a~~
~~four-year “Civilian Cybersecurity Reserve” pilot project to augment the CYBERCOM~~
~~workforce.19 This pilot authority would allow the Army to establish criteria for selection into the~~
~~Civilian Cybersecurity Reserve and would allow for noncompetitive temporary appointments of~~
~~up to 50 personnel into the competitive service (under 5 U.S.C. §2102) and excepted service~~
~~(under 5 U.S.C. §2103).20~~
Title 10 of the Title 10 of the U.S. Code includes some existing special authorities that allow DOD to recruit, includes some existing special authorities that allow DOD to recruit,
retain, and develop individuals with cyber or information technology skills. These Cyber retain, and develop individuals with cyber or information technology skills. These Cyber
Excepted Service (CES) authorities Excepted Service (CES) authorities ~~were intended in part to~~ give DOD more flexibility when give DOD more flexibility when
hiring for cyber and IT hiring for cyber and IT jobs.22 Section 1541 of the FY2023 NDAA adopts elements of both House-passed and SASC-reported provisions requiring DOD to conduct a comprehensive review of the CES. Under this provision, the DOD CIO is required to report to the congressional defense committees within 30 days of completing the review with annual updates through September 30, 2028. Reviews of cyber personnel policies, strategy, and planning The FY2023 NDAA requires~~jobs.21 While provisions in the House-passed and SASC-reported bills~~
~~would not amend CES authorities, they would require review of CES policies and positions.~~
~~Section 1533 of H.R. 7900 would require a comprehensive review of pay and compensation~~
~~disparities between CES and the private sector, eligibility criteria for participation in CES, and~~
~~whether there are limitations on the mobility and advancement of civilians in CES. Section 1114~~
~~of the SASC-reported bill would require DOD to report annually on CES positions, workforce~~
~~planning, training, and other aspects of the use and effectiveness of existing authorities.~~
~~Reviews of cyber personnel policies, strategy, and planning~~
~~The House-passed and SASC-reported bills call for~~ several assessments, reports, and briefings on several assessments, reports, and briefings on
the state of the cyber workforce and plans for the recruitment, retention, and career management the state of the cyber workforce and plans for the recruitment, retention, and career management
of this force (of this force (seesee Appendix for a list of reporting requirements). for a list of reporting requirements). ~~Congress might consider how~~
~~these provisions would build on or overlap with research and analysis efforts from prior~~
~~congressionally mandated reviews, for example, the “zero-based review” (ZBR) of the~~ These reporting requirements add to a substantial body of oversight products related to cyber personnel that Congress has required in recent years. Requirements include the “zero-based review” (ZBR) 23 of the “cyber and cyber and
information technology personnel” required information technology personnel” required by section 1652 of the FY2020 NDAA (P.L. 116-92)section 1652 of the FY2020 NDAA (P.L. 116-92)~~, or~~
and reports and briefings regarding cyber personnel education matters required by section 1506 of the reports and briefings regarding cyber personnel education matters required by section 1506 of the
FY2022 NDAA (P.L. 117-81)FY2022 NDAA (P.L. 117-81) 22
~~Section 1531 of the House bill would require~~, among other requirements. Annual Budget-Cycle Reporting Section 1502 of the FY2023 NDAA adopts a House-passed provision requiring the CYBERCOM Commander to submit a report in the CYBERCOM Commander to submit a report in
conjunction with the President’s annual budget request to conjunction with the President’s annual budget request to ~~Congress23~~Congress24 that evaluates the support by that evaluates the support by
military departments for cyberspace operations, and CMF capability, readiness, and resourcing. military departments for cyberspace operations, and CMF capability, readiness, and resourcing.
This reporting requirement This reporting requirement ~~would go into effect~~is first required in the FY2024 budget cycle. The FY2021 NDAA in the FY2024 budget cycle. The FY2021 NDAA
~~also delegates~~delegated responsibility to the CYBERCOM commander for directly controlling and responsibility to the CYBERCOM commander for directly controlling and

~~19 The congressionally mandated National Commission on Military, National, and Public Service recommended such a~~
~~project in 2020. National Commission on Military, National, and Public Service, Inspired to Serve, March 2020, p. 81,~~
~~at https://www.volckeralliance.org/sites/default/files/attachments/Final%20Report%20-~~
~~%20National%20Commission.pdf.~~
~~20 For more on federal civilian service see CRS Report R45635,~~ ~~Categories of Federal Civil Service Employment: A~~
~~Snapshot, by Jon O. Shimabukuro and Jennifer A. Staman.~~
21managing the planning, programming, budgeting, and execution (PPBE) of resources starting in the FY2024 budget cycle.25 21 As required by P.L. 116-283 §1730. 22 P.L. 114-92 §1107; 10 U.S.C. §1599f. P.L. 114-92 §1107; 10 U.S.C. §1599f.
2223 A A zero-based review is defined in this context as is defined in this context as a “review in which an assessment is conducted with each item, “review in which an assessment is conducted with each item,
position, or person costed anew, rather than in relation to its size or status in any previous budget.” DOD reported in position, or person costed anew, rather than in relation to its size or status in any previous budget.” DOD reported in
April 2021 that component-level ZBR reviews and recommendations were to be completed by December 2021 and April 2021 that component-level ZBR reviews and recommendations were to be completed by December 2021 and
reported to the Congress by June 2022. See Senate Armed Services Committee, reported to the Congress by June 2022. See Senate Armed Services Committee, Statement by John Sherman, Acting
Chief Information Officer for DOD Before the Senate Armed Services Committee on Cyber Workforce, April 21, 2021, April 21, 2021;
, p. 5 and Molly McIntosh et al., and Molly McIntosh et al., Support to the DOD Cyber Workforce Zero-Based Review; Developing a Repeatable
Process for Conducting ZBRs within DOD, RAND Corporation, Santa Monica, CA, 2022. , RAND Corporation, Santa Monica, CA, 2022.
2324 31 U.S.C. §1105. 25 See P.L. 117-81 §1507. For more on PPBE, see CRS Report R47178, DOD Planning, Programming, Budgeting, and Execution (PPBE): Overview and Selected Issues for Congress, by Brendan W. McGarry. Congressional Research Service 6 link to page 9 FY2023 NDAA: Cyber Personnel Policies Establishing a New Force Generation Model for CYBERCOM Section 1533 of the FY2023 NDAA adopts Section 1606 of the SASC-reported bill requiring DOD to study the prospect of ~~31 U.S.C. §1105.~~
~~Congressional Research Service~~

5

~~FY2023 NDAA: Cyber Personnel Policies~~

~~managing the planning, programming, budgeting, and execution (PPBE) of resources starting in~~
~~the FY2024 budget cycle.24~~
~~Several proposals in the SASC-reported bill would require DOD to consider how it staffs and~~
~~trains the cyber workforce and what the roles and responsibilities of the military services are in~~
~~this regard. Section 1603 of the SASC-reported bill would require DOD to develop a plan to~~
~~address CMF “readiness shortfalls” with recommendations for legislative action in areas, such as~~
~~promotion, assignment, training, and compensation authorities. Section 1610 of the SASC-~~
~~reported bill would require DOD to review and report on policies related to the CYBERCOM~~
~~Commander’s authority under 10 U.S.C. §167b to monitor “the promotion of cyber operation~~
~~forces and coordinating with the military departments regarding the assignment, retention,~~
~~training, professional military education, and special and incentive pays of cyber operation~~
~~forces.”25~~
~~Section 1606 of the SASC-reported bill would require DOD to consider~~ a new force generation a new force generation
model for CYBERCOM.26 model for CYBERCOM.26 ~~This study would include~~The scope of this study includes consideration of use of the RC and consideration of use of the RC and
nonmilitary personnel27 to support CMF teamsnonmilitary personnel27 to support CMF teams~~, along with different training models. The~~
. DOD’s Principal Cyber Advisor and the CYBERCOM Commander CYBERCOM Commander ~~would be~~are responsible for providing a proposed force generation plan responsible for providing a proposed force generation plan
to the Secretary of Defense no later than June 1, 2024, and the Secretary to the Secretary of Defense no later than June 1, 2024, and the Secretary ~~would be~~is required to required to
submit an implementation plan to Congress no later than June 1, 2025. submit an implementation plan to Congress no later than June 1, 2025. ~~This provision of the~~
~~SASC-reported bill also~~Section 1533 explicitly directs the Secretary of Defense to consider whether explicitly directs the Secretary of Defense to consider whether 1) the Navy the Navy
~~should continue to be involved in~~should no longer be responsible for developing and providing personnel and resources to developing and providing personnel and resources to
~~CYBERCOM. In recent years, some observers~~ CYBERCOM, 2) whether a single military service should be responsible for providing forces to CYBERCOM, or 3) whether DOD should “create a separate service to perform the functions and missions currently performed by Cyber Mission Force units generated by multiple military services.” Navy Cyber Career Paths In recent years, some observers have identified the Navy as the least capable of the identified the Navy as the least capable of the
military services for cyberspace operations and cybersecurity.28 The Navy is the only military military services for cyberspace operations and cybersecurity.28 The Navy is the only military
branch without service-retained offensive cyber units and according to critics, lacks sufficient branch without service-retained offensive cyber units and according to critics, lacks sufficient
cyber capabilities, forces, and training.29 cyber capabilities, forces, and training.29 ~~Navy leadership views~~Some in Navy leadership have expressed views of cyber operations as a joint cyber operations as a joint
endeavor, relying on other services’ warfighting capabilities with support from endeavor, relying on other services’ warfighting capabilities with support from ~~its~~the Navy’s cryptologic cryptologic
warfare officerswarfare officers, whose mission differs from that of other cyber operators.30 whose mission differs from that of other cyber operators.30
~~Other provisions~~Provisions in the House-passed and SASC-reported bill in the House-passed and SASC-reported bill ~~would~~ specifically specifically ~~address~~addressed the the
Navy’s cyber career paths.Navy’s cyber career paths. ~~Section 1503 of the House-passed bill would direct~~ The FY2020 NDAA required the Secretary of the Secretary of
~~the Navy to establish and sustain a specific Cyber Warfare Operations career field for uniformed~~
~~personnel, including a training pipeline and implementation plan. The Navy does not currently~~
~~have a dedicated military occupational specialty (called a designator for officers or rating for~~
~~enlisted members) for cyber operations. The House bill would prohibit the Navy from assigning~~
~~servicemembers with non-cyber designators or ratings to a CMF after June 1, 2024. Some critics~~

~~24 P.L. 117-81 §1507. For more on PPBE, see CRS Report R47178,~~ ~~DOD Planning, Programming, Budgeting, and~~
~~Execution (PPBE): Overview and Selected Issues for Congress, by Brendan W. McGarry.~~
~~25 10 U.S.C. §167b.~~
the Navy to submit a report to the congressional defense committees on issues related to improving cyber career paths.31 Section 1536 of the FY2023 NDAA requires the Navy to report on the implementation progress for recommendations made by the FY2020 congressionally-mandated report within 90 days of enactment. Section 1536 also requires a Comptroller General assessment of Government Accountability Office’s implementation with an interim briefing and final report to Congress. Section 1502 of the FY2023 NDAA (discussed in “Annual Budget-Cycle Reporting”) requires DOD to report on the sufficiency of career field management for cyber-related career fields across the entire CMF as part of annual budget submissions. 26 A force generation model is a structured process for providing trained personnel to meet service or joint operational 26 A force generation model is a structured process for providing trained personnel to meet service or joint operational
needs. needs.
27 Section 1606 describes 27 Section 1606 describes nonmilitary personnel as “civilian government employees, contracted experts, commercial personnel as “civilian government employees, contracted experts, commercial
partners, and domain or technology-specific experts in industry or the intelligence community.” partners, and domain or technology-specific experts in industry or the intelligence community.”
28 Lieutenant Commander Derek Bernsen USN, “The Navy Needs a Cyber Course Correction,” 28 Lieutenant Commander Derek Bernsen USN, “The Navy Needs a Cyber Course Correction,” Proceedings Vol.
148/8/1,434, U.S. Naval Institute, August 2022, U.S. Naval Institute, August 2022 ~~available~~, at at
https://www.usni.org/magazines/proceedings/2022/august/navy-https://www.usni.org/magazines/proceedings/2022/august/navy-needs-cyber-course-correction. Mark Pomerleau, “House Armed Services Committee concerned with state of Navy cyber readiness,” FEDSCOOP, July 28, 2022, at https://www.fedscoop.com/house-armed-services-committee-concerned-with-state-of-navy-cyber-readiness/. ~~needs-cyber-course-correction.~~
29 Ibid. 29 Ibid.
30 Ibid. Personnel who support cyber operations are primarily sourced from the Cryptologic Warfare (CW), Information 30 Ibid. Personnel who support cyber operations are primarily sourced from the Cryptologic Warfare (CW), Information
Specialist, Intelligence and Cyber Warfare Engineer communities. The CW community is generally responsible for Specialist, Intelligence and Cyber Warfare Engineer communities. The CW community is generally responsible for
signals intelligence, electronic warfare, and information operations. signals intelligence, electronic warfare, and information operations.
31 P.L. 116-92 §1653. CRS does not have information on whether DOD delivered the congressionally-mandated report to the defense committees on the dates they were due. Congressional Research Service Congressional Research Service

67

FY2023 NDAA: Cyber Personnel Policies

~~argue that requiring the Navy to establish a dedicated Cyber Warfare Operations career field~~
~~would encourage the Navy to place a higher priority on its offensive cyber mission, while others~~
~~contend that the status quo is adequate and proposed career field changes are unnecessary.31~~
~~Section 1625 of the SASC-passed bill would not require new career designators/ratings, but~~
~~would require the Secretary of the Navy to report on recommendations for improving cyber~~
~~career paths in the Navy.~~
~~Education and Training of DOD’s Cyber Workforce~~
~~Provisions in the FY2023 NDAA bills would seek to develop or strengthen partnerships with~~
~~academic institutions and other federal agency programs to support a pipeline for a federal cyber~~
~~workforce and to support continuing education and training for existing DOD uniformed and~~
~~civilian personnel. These provisions could potentially augment existing DOD programs and~~
~~initiatives such as~~
~~ the Hacking for Defense (HFD) program;~~
~~ federal grants for DOD Cyber Institute pilot programs at institutions of higher~~
~~education;32~~
~~ the University Consortium for Cybersecurity (UC2);33 and~~
~~ capacity building grants and scholarships under the Cyber Scholarship Program~~
~~(CySP).34~~
~~Section 1535 of the House-passed bill would require DOD to establish a “Hacking for National~~
~~Security and Public Service Innovation Program” (H4NSPSI) to, in part, “support the~~
~~development and acquisition” of cyber talent in the federal workforce. The bill would direct the~~
~~DOD-led National Security Innovation Network (NSIN) to coordinate the H4NSPSI effort with~~
~~other federal agencies and academic institutions. NSIN currently sponsors a 10-16 week~~ ~~Hacking~~
~~for Defense~~ ~~(H4D) college course that engages student teams in working on real-world national~~
~~security programs.35 Other agencies sponsor similar programs: for example, Hacking for~~
~~Homeland Security (Department of Homeland Security; DHS) and Hacking for Diplomacy~~
~~(Department of State).36 Section 1535 would encourage DOD to coordinate and partner with~~
~~these and other federal agency-led programs.~~
~~Section 558 of the House-passed bill would require the Secretary of Defense to establish a~~
~~consortium of military and civilian education institutions to provide a forum to share information~~

~~31 Mark Pomerleau, "House Armed Services Committee concerned with state of Navy cyber readiness," FEDSCOOP,~~
~~July 28, 2022, at https://www.fedscoop.com/house-armed-services-committee-concerned-with-state-of-navy-cyber-~~
~~readiness/.~~
~~32 As authorized by the FY2019 NDAA (P.L. 115-232, Section 1640). DOD has established this pilot program at the~~
~~six senior military colleges: Norwich University, in Northfield, Vermont; Texas A&M University, in College Station,~~
~~Texas; The Citadel, in Charleston, South Carolina; Virginia Military Institute, in Lexington, Virginia; Virginia Tech, in~~
~~Blacksburg, Virginia; and the University of North Georgia, in Dahlonega, Georgia. The FY2021 NDAA (P.L. 116-283~~
~~§283) amended the pilot program authority to require a report to Congress by September 30, 2021 on opportunities to~~
~~report on the effectiveness of the Cyber Institutes and on opportunities to expand these to other institutions with ROTC~~
~~units.~~
~~33 As mandated by the FY2020 NDAA (P.L. 116-92, Section 1659).~~
~~34 As authorized by 10 U.S.C. §2200b.~~
~~35 NSIN, Hacking for Defense, at https://www.nsin.mil/hacking-for-defense/.~~
~~36 See https://www.dhs.gov/science-and-technology/hacking-homeland-security and https://www.bmnt.com/hacking-4-~~
~~diplomacy.~~
~~Congressional Research Service~~

7

~~FY2023 NDAA: Cyber Personnel Policies~~

~~on matters related to cybersecurity.37 Functions of this consortium would include sharing~~
~~information on the “education of cyber mission forces.” The consortium would be required to~~
~~conduct annual cyberspace war games with its members. Section 558 would direct the Secretary~~
~~of Defense to coordinate the efforts of this new consortium with the “Consortia of Universities to~~
~~Advise Secretary of Defense on Cybersecurity Matters” previously mandated by Section 1659 of~~
the FY2020 NDAA.38 This consortium, called the University Consortium for Cybersecurity
~~(UC2), was launched on December 7, 2021, and is led by the National Defense University~~
~~College of Information and Cyberspace.39 In deliberations around the FY2023 NDAA, Congress~~
~~might consider whether Section 558 of the House bill would create a parallel consortium, or~~
~~would expand the mandate of the existing consortium.~~
~~In the SASC-reported bill, Section 1111 would~~Section 1532 of the FY2023 NDAA adopts a provision in the House-passed bill directing the Secretary of the Navy to establish and sustain a specific Cyber Warfare Operations career field for uniformed personnel, that is separate and distinct from the existing cryptologic warfare and cryptologic technician career fields. The law also requires the Navy to develop a training pipeline and implementation plan. The Navy does not currently have a dedicated military occupational specialty (called a designator for officers or rating for enlisted members) for cyber operations personnel. The enacted law precludes the Navy from assigning servicemembers with a cryptologic technician rating or cryptologic warfare officer designator to a CMF after October 1, 2025 (the House-passed bill would have required this by June 1, 2024). Some critics argue that requiring the Navy to establish a dedicated Cyber Warfare Operations career field may encourage the Navy to place a higher priority on its cyber mission, while others contend that the status quo was adequate and career field changes are unnecessary.32 Plan for CMF Readiness Shortfalls Section 1534 of the FY2023 NDAA adopts section 1603 of the SASC-reported NDAA bill requiring DOD to develop a plan to address CMF “readiness shortfalls” with recommendations for legislative action in areas such as promotion, assignment, training, and compensation authorities. Section 1534 also incorporates elements of section 1610 of the SASC-reported bill with respect to a review and report on policies related to the CYBERCOM Commander’s authority under 10 U.S.C. §167b to monitor promotions of certain cyber operation forces.33 Section 1534 and other provisions enacted with the FY2023 NDAA require studies, planning, and reports on matters related to recruitment, promotion, retention, and training. Education and Training of DOD’s Cyber Workforce Certain provisions in the FY2023 NDAA seek to develop or strengthen partnerships with academic institutions and other federal agency programs to support a pipeline for a federal cyber workforce and to support continuing education and training for existing DOD uniformed and civilian personnel. Review of Professional Military Education Section 558 of the House-passed bill would have required the Secretary of Defense to establish a consortium of military and civilian education institutions to provide a forum to share information on matters related to cybersecurity.34 Congress previously mandated “one or more consortia of Universities to Advise Secretary of Defense on Cybersecurity Matters” in section 1659 of the FY2020 NDAA.35 The Secretary launched a consortium, called the University Consortium for Cybersecurity (UC2), on December 7, 2021; it is led by the National Defense University College of Information and Cyberspace.36 Other provisions in the House-passed version of the FY2023 32 Mark Pomerleau, “House Armed Services Committee concerned with state of Navy cyber readiness,” FEDSCOOP, July 28, 2022, at https://www.fedscoop.com/house-armed-services-committee-concerned-with-state-of-navy-cyber-readiness/. 33 10 U.S.C. §167b. 34 These institutions include institutes of higher education with established cybersecurity programs; military service academies; professional and joint professional military education schools under 10 U.S.C. §§2151 and 2162; and the Naval Postgraduate School. 35 P.L. 116-92. 36 National Defense University, College of Information and Cyberspace, The Department of Defense University Consortium for Cybersecurity Coordination Center, at https://cic.ndu.edu/UC2/. Congressional Research Service 8 FY2023 NDAA: Cyber Personnel Policies NDAA (Sections 557 and 559 respectively) would have created a consortium of military education institutions and a commission on professional military education to more broadly consider improvements to military education matters. The SASC-reported bill did not include similar provisions. In lieu of establishing these three separate bodies, the enacted FY2023 NDAA (Section 557) requires DOD to report to the Armed Services committees on the effectiveness of professional military education in educating officers in the Armed Forces no later than December 1, 2025. The study’s mandate includes consideration if a consortium of educational institutions is feasible and advisable, and is required to include an evaluation of curriculum to include “special topics” such as cyber security and artificial intelligence. An interim briefing is due to the committees on June 1, 2023. Department of Defense Cyber and Digital Service Academy Section 1535 of the FY2023 NDAA adopts similar provisions in the House-passed and SASC-reported versions of the bill that require the Secretary of Defense, in consultation require the Secretary of Defense, in consultation
with DHS and the Office of Personnel Management (OPM), to establish a with DHS and the Office of Personnel Management (OPM), to establish a program called the “Department of “Department of
Defense Cyber and Digital Service AcademyDefense Cyber and Digital Service Academy.” This program is intended to provide educational scholarships~~” program to provide financial support for the~~
~~pursuit of educational programs at institutions of higher education~~ in “critical” disciplines related in “critical” disciplines related
to cyber or digital technology. Covered disciplines to cyber or digital technology. Covered disciplines ~~would~~ include computer-related arts and include computer-related arts and
sciences, cyber-related engineering, cyber-related law and policy, applied analytics-related sciences, cyber-related engineering, cyber-related law and policy, applied analytics-related
sciences, data management, and digital engineering, including artificial intelligence and machine sciences, data management, and digital engineering, including artificial intelligence and machine
learning. This program learning. This program ~~would~~is authorized to provide up to five years of academic scholarship assistance— provide up to five years of academic scholarship assistance—
similar to Senior Reserve Officer Training Corps (SROTC) scholarships—to qualified students in similar to Senior Reserve Officer Training Corps (SROTC) scholarships—to qualified students in
a course of study in one of the covered disciplines.a course of study in one of the covered disciplines.40 37 Students who accept scholarship funding Students who accept scholarship funding
~~would~~are to incur a federal employment commitment equal to the length of the scholarship. incur a federal employment commitment equal to the length of the scholarship. ~~The~~
~~provision would require at least 50% of the funding authorized for this program~~Repayment provisions would apply for failure to complete the degree requirements or post-graduation federal employment commitment. The provision requires at least 5% of the authorized funding to be directed towards associate’s degrees and 50% of the authorized funding to be directed to to be directed to
institutions of higher education that have institutions of higher education that have ~~used~~ been awarded federal grant funding under DOD’s Cyber federal grant funding under DOD’s Cyber
Scholarship Program (CySP).Scholarship Program (CySP).4138 CySP currently provides recruitment and retention scholarship CySP currently provides recruitment and retention scholarship
support to students and DOD personnel, along support to students and DOD personnel, along with capacity-building grants to institutions.39 Congress directs the scholarship program to begin no later than the 2024 academic year. Hacking for National Security and Public Service Innovation Program Section 1535 of the House-passed bill would have required DOD to establish a “Hacking for National Security and Public Service Innovation Program” (H4NSPSI) to, in part, “support the development and acquisition” of cyber talent in the federal workforce. The bill would have directed the DOD-led National Security Innovation Network (NSIN) to coordinate the H4NSPSI effort with other federal agencies and academic institutions. NSIN currently sponsors a 10-16 week Hacking for Defense (H4D) college course that engages student teams in working on real-world national security programs.40 The SASC-reported billdid not include a similar provision and this initiative was not enacted. The Joint Explanatory Statement to accompany the FY2023 NDAA stated, 37~~with capacity-building grants to institutions.42~~

~~37 These institutions include institutes of higher education with established cybersecurity programs; military service~~
~~academies; professional and joint professional military education schools under 10 U.S.C. §§2151 and 2162; and the~~
~~Naval Postgraduate School.~~
~~38 P.L. 116-92.~~
~~39 National Defense University, College of Information and Cyberspace, The Department of Defense University~~
~~Consortium for Cybersecurity Coordination Center, at https://cic.ndu.edu/UC2/.~~
40 For more on SROTC, see CRS In Focus IF11235, For more on SROTC, see CRS In Focus IF11235, Defense Primer: Senior Reserve Officer Training Corps, by Kristy , by Kristy
N. Kamarck. N. Kamarck.
4138 This grant program is authorized by 10 U.S.C. §2200b. This grant program is authorized by 10 U.S.C. §2200b.
42 39 DOD Cyber Exchange, DOD Cyber Scholarship Program, at https://public.cyber.mil/cw/cdp/dcysp/. DOD Cyber Exchange, DOD Cyber Scholarship Program, at https://public.cyber.mil/cw/cdp/dcysp/.
~~Congressional Research Service~~

8

~~Appendix. Selected Reporting Requirements~~
~~Table A-1. Selected Reporting Requirements Proposed in the FY2023 NDAA~~
~~Reporting Entity~~
~~Due Date for Report~~
~~Section~~
~~Matters to be Studied and Reported~~
~~to Congress~~
~~SASC Section~~
~~Civilian Cybersecurity Reserve Pilot Project~~
~~Secretary of the Army~~
~~Implementation plan~~
~~1112~~
~~- Number and diversity of program participants;~~
~~within one year and 60~~
~~days fol owing~~
~~- ethical considerations;~~
~~enactment,~~
~~- effectiveness in adding to Army capacity; and~~
~~Annual briefings~~
~~- evaluation of eligibility requirements.~~

~~- Evaluation of the pilot program.~~
~~Government~~
~~3 years fol owing pilot~~
~~Accountability Office~~
~~establishment~~
~~(GAO)~~
~~House Section~~
~~Annual reports on support by military departments for cyberspace operations~~
~~CYBERCOM~~
~~FY2024 budget request~~
~~1531~~
~~- Whether military departments are meeting CYBERCOM’s validated requirements;~~
~~Commander~~
~~(and annually~~
~~thereafter)~~
~~- adequacy of military department policies, procedures, execution, and investment in~~
~~- manning, training, equipping,~~
~~- assignment to CMF (including assignment duration),~~
~~- investment in CMF capabilities, and~~
~~- cyberspace-related military occupational specialties, designators, ratings, or specialty~~
~~codes; and~~
~~- readiness of CMF and cyberspace operations forces.~~
~~SASC Section~~
~~Correcting cyber mission force readiness shortfalls~~
~~Secretary of Defense~~
~~180 days fol owing~~
~~1603~~
~~- Analysis of options and a plan to increase personnel in key cyber roles, to include~~
~~and Chairman of Joint~~
~~enactment~~
~~Chiefs of Staff~~
~~- number of personnel needed,~~
~~- proper mix of civilian/military/contractor,~~
~~- use of existing, alternate, or standardized compensation models, and~~
~~- modifying career paths for consecutive assignments or multiple rotations; and~~
~~- modifying promotion systems.~~
~~CRS-9~~

~~Reporting Entity~~
~~Due Date for Report~~
~~Section~~
~~Matters to be Studied and Reported~~
~~to Congress~~
~~SASC Section~~
~~Total force generation for the Cyberspace Operations Forces~~
~~Secretary of Defense~~
~~Progress briefings 90~~
~~1606~~
~~- Which military services (including consideration of a separate service) should organize, train,~~

~~days after enactment~~
~~and equip military and civilian assets for assignment to CYBERCOM;~~
~~and every 180 days~~

~~thereafter~~
~~- sufficiency of accession and training models for Cyberspace Operations Forces;~~
~~- whether Cyberspace Operations Forces are appropriately organized;~~
~~Principal Cyber Advisor Recommendations to~~
~~and CYBERCOM~~
~~Secretary of Defense~~
~~- shortfalls in work roles and skil s;~~
~~Commander~~
~~Before June 1, 2024.~~
~~- unique or training-intensive roles and plans for development and retention in those roles;~~
~~Secretary of Defense~~
~~Implementation plan to~~
~~- whether compensation, career management, evaluations, and training are appropriate;~~

~~Congress by June 1,~~
~~- use of nonmilitary and/or reserve component personnel to augment CMF teams; and~~
~~2025~~
~~- proper mix of civilian/military/contractor.~~
~~SASC Section~~
~~Review of certain cyber operations personnel policies~~
~~Secretary of Defense~~
~~180 days fol owing~~
~~1610~~
~~- The respective roles of the military departments and CYBERCOM with respect to:~~
~~enactment~~
~~- the recruitment, retention, professional military education, and promotion of certain~~
~~cyber operations personnel;~~
~~- the sharing of personnel data between the military departments and CYBERCOM; and~~
~~- structures, departmental guidance, and processes developed between the military~~
~~departments and U.S. Special Operations Command that could be used as a model for~~
~~CYBERCOM.~~

~~- Findings of the Secretaries of the military departments and CYBERCOM commander with~~
~~Secretary of Defense~~
~~90 days after review is~~
~~respect to the review and updates made fol owing the report, including recommendations for~~
~~submitted~~
~~legislative or administrative action.~~
~~House Section~~
~~Independent review of posture and staffing levels for the office of the CIO~~
~~Independent Review~~
~~30 days after review~~
~~1532~~
~~- Any limitations on the CIO’s office imposed by staffing levels; and~~
~~(non-DOD entity)~~
~~complete~~
~~- composition of civilian, military, and contractor personnel assigned to the CIO’s office.~~
~~House Section~~
~~Comprehensive review of Cyber Excepted Service (CES)~~
~~DOD Chief Information 30 days after review~~
~~1533~~
~~- Structural limitations on the mobility or advancement for civilians in the CES;~~
~~Officer~~
~~complete~~
~~- pay/compensation disparities between CES and comparable private sector employees; and~~
~~- eligibility criteria for participation in the CES.~~
~~CRS-10~~

~~Reporting Entity~~
~~Due Date for Report~~
~~Section~~
~~Matters to be Studied and Reported~~
~~to Congress~~
~~SASC Section~~
~~Report on Cyber Excepted Service~~
~~Secretary of Defense~~
~~One year fol owing~~
~~1114~~
~~- A description of the hiring and selection process for the CES;~~
~~enactment and annually~~
~~until 2028~~
~~- plans for recruitment and retention in the CES;~~
~~- assessment of training provided to CES supervisors;~~
~~- assessment of barriers to CES participation;~~
~~- assessment of implementation of CYBERCOM recruitment and retention under 10 U.S.C.~~
~~§1599f; and~~
~~- performance metrics including;~~
~~- number of employees by occupation, grade, and level or pay band,~~
~~- placement of employees by military department, agency, and component,~~
~~- number of veterans hired,~~
~~- number of separations by occupation, grade, and level or pay band,~~
~~- number and amounts of incentives paid, and~~
~~- number of employees that declined transfer to CES positions.~~
~~House Section~~
~~Establishment~~ 40 NSIN, Hacking for Defense, at https://www.h4d.us/. Congressional Research Service 9 FY2023 NDAA: Cyber Personnel Policies We recognize the success of the National Security Innovation Network (NSIN) in encouraging the entry of new innovators into the national security community and believe that such a model has applicability for challenges faced by the Department of Defense and by other Federal departments and agencies. We encourage the Secretary of Defense to use existing authorities to strengthen NSIN and create additional opportunities for collaboration and shared experience between the Department of Defense, other Federal agencies, the private sector, and academia through the expansion of existing programs, partnerships, and activities, including, but not limited to, 351 such activities as Hacking for Defense, Hacking for Homeland Security, Hacking for Diplomacy, Hacking for Space, and Hacking for Manufacturing. We believe that such efforts are an important part of the Department’s efforts to invest in the future of national security innovation by inspiring a new generation to public service, supporting the diversity of the United States’ national security innovation workforce, and modernizing government decision-making processes.41 41 Joint Explanatory Statement to Accompany the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, p. 351, at https://rules.house.gov/sites/republicans.rules118.house.gov/files/BILLS-117HR7776EAS-RCP117-70-JES.pdf. Congressional Research Service 10 Appendix. Selected Reporting Requirements Table A-1. Selected Reporting Requirements in the FY2023 NDAA Section of Reporting Entity FY2023 NDAA Matter to be Studied and Reported Due Date for Report to Congress Section 1540 Feasibility and advisability of a DOD civilian Secretary of Defense (as contracted with Report required Within one year of date of enactment (Dec. cybersecurity reserve. an FFRDC or other independent non- 27. 2023). profit entity) Report required by Section 1730 of the Secretary of Defense Appropriated funds limited until DOD delivers report. FY2021 NDAA on nontraditional cyber support. Section 1502 Annual reports on support by military CYBERCOM Commander FY2024 budget request (and annually thereafter) departments for cyberspace operations Section 1534 Plan for correcting cyber mission force Secretary of Defense, Chairman of Joint Briefing required within 180 days of enactment (June 29, 2023). readiness shortfalls Chiefs of Staff, and Secretaries of Military Departments Section 1533 Study and implementation plan for total Secretary of Defense Progress briefings required within 90 days of enactment force generation for the Cyberspace (March 27, 2023) and every 180 days thereafter. Operations Forces Principal Cyber Advisor and Recommendations to Secretary of Defense before June 1, CYBERCOM Commander 2024. Secretary of Defense Implementation plan submitted to Congress by June 1, 2025. Section 1541 Comprehensive review of Cyber Excepted DOD Chief Information Officer and Report required within 30 days after review completion. Service (CES). Under Secretary of Defense for Annual updates until September 30, 2028. Personnel and Readiness Section 1532 Implementation plan for the establishment Secretary of the Navy Within 90 days of enactment (March 27, 2023). of cyber operations designator and rating for the Navy. CRS-11 Section of Reporting Entity FY2023 NDAA Matter to be Studied and Reported Due Date for Report to Congress CYBERCOM verification that the Navy’s CYBERCOM Within
~~Secretary of the Navy~~
~~One year fol owing~~
~~1503~~
~~- Certification that the Navy has~~
~~enactment~~
~~- established a separate Cyber Operations career designator,~~
~~- identified responsibilities for staffing and training the career field,~~
~~- established a training pipeline,~~
~~- established adequate funding for training,~~
~~- inventoried flag officer positions related to career field,~~
~~- established an implementation plan for fil ing CMF positions; and~~
~~- provided anticipated end-strength changes related to the new career designator.~~

~~- CYBERCOM verification that the Navy’s report satisfies requirements.~~
~~CYBERCOM~~
60 days after Navy 60 days after Navy
report submittedreport submitted. report satisfies requirements. Section 1536 Report on recommendations from Navy
~~SASC Section~~
~~Report on Recommendations from Navy Civilian Career Path Study~~
~~Secretary of the Navy~~
~~90 days fol owing~~
~~1625~~
~~- Recommendations from the cited study that relate to improving cyber career paths in the~~
~~enactment~~
~~Navy.~~
~~CRS-11~~

~~Reporting Entity~~
~~Due Date for Report~~
~~Section~~
~~Matters to be Studied and Reported~~
~~to Congress~~

~~GAO~~
~~180 days after Navy~~
~~report submitted~~
~~House Section~~
~~Establishment of consortium of institutions of military education for cybersecurity matters~~
~~Secretary of Defense~~
~~Interim report 180 days~~
~~558~~
~~- Organization, activities, funding, actions, milestones, and research of the consortium.~~
~~fol owing enactment~~

~~Annual reports in 2024~~
~~- 2028~~
~~SASC Section~~
~~Department of Defense Cyber and Digital Service Academy~~
~~Secretary of Defense~~
~~Every two years~~
~~1111~~
~~- Evaluation of program effectiveness in recruiting and retaining scholarship recipients in the~~
~~federal workforce.~~
Source: CRS analysis of legislation on Congress.gov.
~~Language in the SASC report (S.Rept. 117-130) accompanying the FY2023 NDAA also directs DOD to report to the Armed Services~~
~~Committees on the following personnel-related topics:~~
~~ CMF manning, to include each services’ manning requirements, CMF specialties, recruiting and retention challenges, education~~
~~and training needs, and options to improve recruitment, retention, and career competency (by June 1, 2023);~~
~~ Information on the services’ and components’ use of recruitment and retention incentives (e.g., bonuses) to servicemembers in~~
~~cyber career tracks over the past decade (by December 31, 2022); and~~
~~ Evaluation by the Army, Navy and Air Force of the adaptability of the Marine Corps “Cyber Auxiliary” approach to train,~~
~~educate, assist, and mentor servicemembers in cyber career paths (by December 30, 2022).43~~

~~43 U.S. Marine Corps, “Marine Corps Cyber Auxiliary,” at https://www.hqmc.marines.mil/Agencies/Deputy-Commandant-for-Information/Information-Maneuver-~~
~~Division/Marine-Corps-Cyber-Auxiliary/.~~
~~CRS-12~~

~~FY2023 NDAA: Cyber Personnel Policies~~

~~Author Information~~

~~Kristy N. Kamarck~~
~~Hibbah Kaileh~~
~~Specialist in Military Manpower~~
~~Research Assistant~~

~~Catherine A. Theohary~~

~~Specialist in National Security Policy, Cyber and~~
~~Information Operations~~

Secretary of the Navy Report required within 90 days of enactment (March 27, Civilian Career Path Study with 2023). implementation plans. Review of the Navy’s implementation of Government Accountability Office Report required within 180 days of Navy’s report submission. recommendations. Section 557 Report on the effectiveness of Professional Secretary of Defense with the Chairman Interim report on June 1, 2023. Military Education (PME). of the Joint Chiefs of Staff and Final report on December 1, 2025. Secretaries of military departments Section 1535 Information about recruitment, hiring, and Secretary of Defense in consultation Report at a minimum of every two years fol owing retention for scholarship recipients of the with the Office of Personnel implementation (start date is 2024 academic year). Department of Defense Cyber and Digital Management Service Academy. Source: CRS analysis of legislation on Congress.gov. CRS-12 FY2023 NDAA: Cyber Personnel Policies Author Information Kristy N. Kamarck Catherine A. Theohary Specialist in Military Manpower Specialist in National Security Policy, Cyber and Information Operations Acknowledgments Hibbah Kaileh contributed to research for this report.
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material. copy or otherwise use copyrighted material.

Congressional Research Service Congressional Research Service
R47270 R47270 · VERSION ~~1 · NEW~~3 · UPDATED
13 13