Challenges in Cybersecurity Education and Workforce Development
link to page 1 
May 16, 2017
Challenges in Cybersecurity Education and
Workforce Development
Introduction
in the training of cybersecurity workers include the rapidly
Increasing awareness of cyberattacks—and the increasing
changing nature of the cybersecurity field and the need to
connectedness of cyber and cyberphysical systems—have
continually maintain and enhance the skill levels of
led to concerns about whether U.S. homes, businesses, and
incumbent workers within the field.
government are prepared to secure themselves in a digitally
integrated world. One of the most frequently raised
Private employers and federal agencies have experienced
concerns pertains to the sufficiency of cybersecurity
difficulty in identifying the specific skills and types of
education, training, and workforce development in the
positions required to successfully protect their systems from
United States. Federal policymakers have raised questions
cyberattacks. In response to this, the National Initiative for
about the quality and quantity of U.S. postsecondary
Cybersecurity Education (NICE), authorized by the
education graduates with cybersecurity credentials (in
Cybersecurity Enhancement Act of 2014, created the NICE
general) and have raised concerns about the civilian and
Cybersecurity Workforce Framework. The purpose of the
military workforce needs of the federal government (in
framework is to develop a “common language” (for private
particular).
industry, government, and academia) that both categorizes
cybersecurity jobs and describes the knowledge, skills, and
A number of federal programs across several agencies have
abilities necessary to perform them successfully.
been implemented in an attempt to address what many
believe to be a nationwide skill shortage in the public and
In particular, the NICE Cybersecurity Workforce
private cybersecurity workforces. Some of these programs
Framework created a high-level grouping of common
have focused on offering education benefits, such as
cybersecurity functions into seven categories that are shown
scholarships or specific training, as a tool for attracting
in Figure 1. This organizing structure is based on extensive
cybersecurity workers. Others have focused on enhancing
job analyses and groups together work and workers that
or certifying the quality of cybersecurity education
share common major functions, regardless of job titles or
programs, or on expanding interest in cybersecurity careers
other occupational terms. These seven categories are further
among youths.
subdivided into specialty areas and work roles that more
precisely define the specific knowledge, skills, and abilities
Challenges
required to perform cybersecurity tasks.
There is a widespread general perception that a shortage of
According to the 2017 GISWS, approximately 30% of the
qualified and highly skilled cybersecurity personnel exists
cybersecurity professionals responding to the survey stated
in the United States and abroad. This perception is
that their organizations have partially or fully adopted the
supported by results from the 2017 Global Information
NICE Cybersecurity Workforce Framework and used it to
Security Workforce Study (GISWS), which predicts a
match skills and content between training and employment.
worldwide shortage of 1.8 million cybersecurity
professionals by 2022.
Figure 1. Cybersecurity Work Categories Under the
NICE Cybersecurity Workforce Framework
A broad consensus exists over the need to train and hire
cybersecurity professionals in response to increased threats
of cyberattacks; however, whether or not this need
constitutes a shortage is debated by various researchers and
stakeholders. For example, the 2015 study “Hackers
Wanted” carried out by the RAND Corporation suggests
that existing federal initiatives, combined with natural
market forces, are sufficient to supply the necessary
quantity and quality of cybersecurity workers for the public
and private sectors in coming years.
A number of challenges exist in successfully hiring and
retaining cybersecurity professionals. This is especially true
in the federal government, where often cited concerns
include the rigidity of the federal pay scales, higher salaries
for comparable jobs in the private sector, time-consuming
and opaque hiring processes, and identifying and
articulating the full range of cybersecurity positions and
Source: National Initiative for Cybersecurity Education (NICE),
needed skillsets across the government. General challenges
http://csrc.nist.gov/nice/framework/.
https://crsreports.congress.gov
Challenges in Cybersecurity Education and Workforce Development
Another challenge commonly faced by employers in both
commitment of participants. Students who receive an award
the private sector and the federal government is worker
must agree to work for a federal agency—or state, local,
retention. The respondents to the 2017 GISWS identified
tribal, or territorial government—for a period equal to the
the following as the employer initiatives most important to
length of time they received scholarship support. Data
the retention of cybersecurity professionals:
provided to CRS by the NSF in December 2016 indicated
that the placement rate for CyberCorps graduates is 94%
offering training programs,
and that total placement since 2002 is 1,980 graduates.
paying for professional security certification expenses,
CyberPatriot
improving compensation packages, and
Partnering with the private sector and academia, DHS and
DOD help cosponsor the Air Force Association’s (AFA)
offering flexible work schedules.
CyberPatriot program. The program focuses on middle and
Selected Federal Cybersecurity
high school students and has three main components: (1)
Education Initiatives
the National Youth Cyber Defense Competition, (2) AFA
CyberCamps, and (3) the Elementary School Cyber
The federal effort in cybersecurity education, training, and
Education Initiative.
workforce development, though still nascent compared to
federal investments in other educational sectors, spans all
The National Youth Cyber Defense Competition is the
stages of education and types of learners. This includes
longest-running CyberPatriot program activity. It began as a
children and teachers in elementary and secondary schools,
competition between seven teams in 2009. In 2015-2016,
students and faculty at the postsecondary education level,
the competition field included 3,379 registered teams
and incumbent workers in both the federal and private
(comprised of middle or high school students). During the
workforces. Federally supported programs in cybersecurity
competition, teams are tasked with managing the network
training include activities such as scholarship and grant
of a small company and must find cybersecurity
programs, summer camps and academic competitions, and
vulnerabilities while maintaining critical services. Northup-
research on teaching and learning in cybersecurity fields.
Grumman Corporation has provided scholarships to
members of the top three teams since 2011.
The following sections of this InFocus provide an overview
of selected high-profile programs that are broadly
National Collegiate Cyber
illustrative of the primary approaches taken by federal
Defense Competition
initiatives in cybersecurity education and training. This is
Partnering with the private sector and academia, the NSA,
not a complete list of federal efforts in these areas. A
DHS, and the Departments of the Navy and the Army help
number of federal agencies, including the Department of
cosponsor the National Collegiate Cyber Defense
Defense (DOD), the Department of Energy (DOE), the
Competition (CCDC). The CCDC was launched in 2005 as
Department of Homeland Security (DHS), the Department
a college-level cyber competition focusing on the
of Labor (DOL), the National Science Foundation (NSF),
operational aspects of managing and protecting an existing
and the National Security Agency (NSA) host agency-
network infrastructure. The competition is regionally
specific programs and activities in cybersecurity education,
organized. Finalist teams compete for a national
training, and workforce development.
championship. According to a press release on the
National Centers of Academic Excellence in
Raytheon website (Raytheon was the main sponsor in
Cyber Defense
2017), teams from more than 230 IHEs participated in the
2017 competition.
A joint effort of the NSA and DHS, the National Centers of
Academic Excellence in Cyber Defense (CAE-CD)
GenCyber
program accredits cybersecurity education programs at
The GenCyber program sponsors cybersecurity-focused
selected institutions of higher education (IHEs). To obtain
summer camps for students and teachers throughout the
CAE-CD accreditation, an IHE must demonstrate that its
United States. Program goals include increasing interest in
cybersecurity education program has met certain criteria
cybersecurity careers, helping students practice safe online
and maps “curricula to a core set of cyber defense
behaviors and understand the foundational principles of
knowledge.” There are currently over 200 CAE-CD
cybersecurity, and improving teaching methods for the
designated institutions across the United States.
cybersecurity content in the computer science curricula of
CyberCorps: Scholarship for Service
elementary and secondary schools. GenCyber is jointly
funded by the NSA and NSF. A 2015 NSF press release
The NSF’s CyberCorps: Scholarship for Service (SFS)
notes that in that year, 29 universities in 19 states hosted 43
program is a primary source of dedicated federal funding
camps serving 1,400 participants (half of whom were
for scholarships to undergraduate and graduate students in
female).
cybersecurity-related majors. In addition to CyberCorps
scholarships, SFS program funding may be awarded to
IHEs for capacity building purposes (e.g., institutional
Boris Granovskiy, Analyst in Education Policy
development) in cybersecurity education. As the name
IF10654
implies, the CyberCorps scholarship requires a service
https://crsreports.congress.gov
Challenges in Cybersecurity Education and Workforce Development
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10654 · VERSION 2 · NEW
May 16, 2017
Challenges in Cybersecurity Education and
Workforce Development
Introduction
in the training of cybersecurity workers include the rapidly
Increasing awareness of cyberattacks—and the increasing
changing nature of the cybersecurity field and the need to
connectedness of cyber and cyberphysical systems—have
continually maintain and enhance the skill levels of
led to concerns about whether U.S. homes, businesses, and
incumbent workers within the field.
government are prepared to secure themselves in a digitally
integrated world. One of the most frequently raised
Private employers and federal agencies have experienced
concerns pertains to the sufficiency of cybersecurity
difficulty in identifying the specific skills and types of
education, training, and workforce development in the
positions required to successfully protect their systems from
United States. Federal policymakers have raised questions
cyberattacks. In response to this, the National Initiative for
about the quality and quantity of U.S. postsecondary
Cybersecurity Education (NICE), authorized by the
education graduates with cybersecurity credentials (in
Cybersecurity Enhancement Act of 2014, created the NICE
general) and have raised concerns about the civilian and
Cybersecurity Workforce Framework. The purpose of the
military workforce needs of the federal government (in
framework is to develop a “common language” (for private
particular).
industry, government, and academia) that both categorizes
cybersecurity jobs and describes the knowledge, skills, and
A number of federal programs across several agencies have
abilities necessary to perform them successfully.
been implemented in an attempt to address what many
believe to be a nationwide skill shortage in the public and
In particular, the NICE Cybersecurity Workforce
private cybersecurity workforces. Some of these programs
Framework created a high-level grouping of common
have focused on offering education benefits, such as
cybersecurity functions into seven categories that are shown
scholarships or specific training, as a tool for attracting
in Figure 1. This organizing structure is based on extensive
cybersecurity workers. Others have focused on enhancing
job analyses and groups together work and workers that
or certifying the quality of cybersecurity education
share common major functions, regardless of job titles or
programs, or on expanding interest in cybersecurity careers
other occupational terms. These seven categories are further
among youths.
subdivided into specialty areas and work roles that more
precisely define the specific knowledge, skills, and abilities
Challenges
required to perform cybersecurity tasks.
There is a widespread general perception that a shortage of
According to the 2017 GISWS, approximately 30% of the
qualified and highly skilled cybersecurity personnel exists
cybersecurity professionals responding to the survey stated
in the United States and abroad. This perception is
that their organizations have partially or fully adopted the
supported by results from the 2017 Global Information
NICE Cybersecurity Workforce Framework and used it to
Security Workforce Study (GISWS), which predicts a
match skills and content between training and employment.
worldwide shortage of 1.8 million cybersecurity
professionals by 2022.
Figure 1. Cybersecurity Work Categories Under the
NICE Cybersecurity Workforce Framework
A broad consensus exists over the need to train and hire
cybersecurity professionals in response to increased threats
of cyberattacks; however, whether or not this need
constitutes a shortage is debated by various researchers and
stakeholders. For example, the 2015 study “Hackers
Wanted” carried out by the RAND Corporation suggests
that existing federal initiatives, combined with natural
market forces, are sufficient to supply the necessary
quantity and quality of cybersecurity workers for the public
and private sectors in coming years.
A number of challenges exist in successfully hiring and
retaining cybersecurity professionals. This is especially true
in the federal government, where often cited concerns
include the rigidity of the federal pay scales, higher salaries
for comparable jobs in the private sector, time-consuming
and opaque hiring processes, and identifying and
articulating the full range of cybersecurity positions and
Source: National Initiative for Cybersecurity Education (NICE),
needed skillsets across the government. General challenges
http://csrc.nist.gov/nice/framework/.
https://crsreports.congress.gov
Challenges in Cybersecurity Education and Workforce Development
Another challenge commonly faced by employers in both
commitment of participants. Students who receive an award
the private sector and the federal government is worker
must agree to work for a federal agency—or state, local,
retention. The respondents to the 2017 GISWS identified
tribal, or territorial government—for a period equal to the
the following as the employer initiatives most important to
length of time they received scholarship support. Data
the retention of cybersecurity professionals:
provided to CRS by the NSF in December 2016 indicated
that the placement rate for CyberCorps graduates is 94%
offering training programs,
and that total placement since 2002 is 1,980 graduates.
paying for professional security certification expenses,
CyberPatriot
improving compensation packages, and
Partnering with the private sector and academia, DHS and
DOD help cosponsor the Air Force Association’s (AFA)
offering flexible work schedules.
CyberPatriot program. The program focuses on middle and
Selected Federal Cybersecurity
high school students and has three main components: (1)
Education Initiatives
the National Youth Cyber Defense Competition, (2) AFA
CyberCamps, and (3) the Elementary School Cyber
The federal effort in cybersecurity education, training, and
Education Initiative.
workforce development, though still nascent compared to
federal investments in other educational sectors, spans all
The National Youth Cyber Defense Competition is the
stages of education and types of learners. This includes
longest-running CyberPatriot program activity. It began as a
children and teachers in elementary and secondary schools,
competition between seven teams in 2009. In 2015-2016,
students and faculty at the postsecondary education level,
the competition field included 3,379 registered teams
and incumbent workers in both the federal and private
(comprised of middle or high school students). During the
workforces. Federally supported programs in cybersecurity
competition, teams are tasked with managing the network
training include activities such as scholarship and grant
of a small company and must find cybersecurity
programs, summer camps and academic competitions, and
vulnerabilities while maintaining critical services. Northup-
research on teaching and learning in cybersecurity fields.
Grumman Corporation has provided scholarships to
members of the top three teams since 2011.
The following sections of this InFocus provide an overview
of selected high-profile programs that are broadly
National Collegiate Cyber
illustrative of the primary approaches taken by federal
Defense Competition
initiatives in cybersecurity education and training. This is
Partnering with the private sector and academia, the NSA,
not a complete list of federal efforts in these areas. A
DHS, and the Departments of the Navy and the Army help
number of federal agencies, including the Department of
cosponsor the National Collegiate Cyber Defense
Defense (DOD), the Department of Energy (DOE), the
Competition (CCDC). The CCDC was launched in 2005 as
Department of Homeland Security (DHS), the Department
a college-level cyber competition focusing on the
of Labor (DOL), the National Science Foundation (NSF),
operational aspects of managing and protecting an existing
and the National Security Agency (NSA) host agency-
network infrastructure. The competition is regionally
specific programs and activities in cybersecurity education,
organized. Finalist teams compete for a national
training, and workforce development.
championship. According to a press release on the
National Centers of Academic Excellence in
Raytheon website (Raytheon was the main sponsor in
Cyber Defense
2017), teams from more than 230 IHEs participated in the
2017 competition.
A joint effort of the NSA and DHS, the National Centers of
Academic Excellence in Cyber Defense (CAE-CD)
GenCyber
program accredits cybersecurity education programs at
The GenCyber program sponsors cybersecurity-focused
selected institutions of higher education (IHEs). To obtain
summer camps for students and teachers throughout the
CAE-CD accreditation, an IHE must demonstrate that its
United States. Program goals include increasing interest in
cybersecurity education program has met certain criteria
cybersecurity careers, helping students practice safe online
and maps “curricula to a core set of cyber defense
behaviors and understand the foundational principles of
knowledge.” There are currently over 200 CAE-CD
cybersecurity, and improving teaching methods for the
designated institutions across the United States.
cybersecurity content in the computer science curricula of
CyberCorps: Scholarship for Service
elementary and secondary schools. GenCyber is jointly
funded by the NSA and NSF. A 2015 NSF press release
The NSF’s CyberCorps: Scholarship for Service (SFS)
notes that in that year, 29 universities in 19 states hosted 43
program is a primary source of dedicated federal funding
camps serving 1,400 participants (half of whom were
for scholarships to undergraduate and graduate students in
female).
cybersecurity-related majors. In addition to CyberCorps
scholarships, SFS program funding may be awarded to
IHEs for capacity building purposes (e.g., institutional
Boris Granovskiy, Analyst in Education Policy
development) in cybersecurity education. As the name
IF10654
implies, the CyberCorps scholarship requires a service
https://crsreports.congress.gov
Challenges in Cybersecurity Education and Workforce Development
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10654 · VERSION 2 · NEW