CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

CYBERSECURITY ROLES ACROSS THE FEDERAL GOVERNMENT

STAKEHOLDER ENGAGEMENT DIVISION

September 11, 2019


The Cybersecurity Workforce Challenge

Globally

• According to (ISC)², the global cybersecurity workforce shortage is projected to reach 1.8 million by 2022

• That’s more than 1 new cybersecurity expert needed every minute*

Domestically

• There are over 300,000 vacant cybersecurity jobs in the United States

Specifically

• The top in-demand work roles are:
  • Information Systems Security Developer
  • Information Systems Security Manager
  • Systems Developer
  • Research & Development Specialist
  • Software Developer


CISA Efforts to Close the Cybersecurity Skills Gap

Workforce

• National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework

• Cybersecurity Workforce Development and Planning Tools and Resources

Education and Training

• Cybersecurity Education, Training, and Assistance Program (CETAP) Grant / K-12 Curricula

• National Centers of Academic Excellence (CAE)

• CyberCorps®: Scholarship for Service (SFS)

• Federal Virtual Training Environment (FedVTE) cybersecurity training platform

Outreach

• National Initiative for Cybersecurity Careers and Studies (NICCS) website - hosting all CE&A resources

• Quarterly outreach efforts to targeted stakeholder groups

Awareness

• Stop. Think. Connect.™

• National Cybersecurity Awareness Month (NCSAM)


Workforce Development Toolkit and Tools

WORKFORCE DEVELOPMENT TOOLKIT PHASES: PREPARE, PLAN, BUILD, ADVANCE

➢ Assess goals

➢ Evaluate readiness

➢ Inventory workforce

➢ Ongoing workforce planning

➢ Close skill gaps

➢ Recruit for key skills

➢ Retain staff

➢ Provide continuous development

TOOLS

o Workforce Planning Capability Maturity Matrix (CMM)

o Cybersecurity Workforce Planning Diagnostics

o NICE Framework

o Workforce Mapping Tool

o Team Traits / Interview Questions

o Recruitment Checklist

o PushButton PD™ Generator Tool

o Retention Tips by Level

o Career Path Template

o NICCS Training Catalog


Significant Cybersecurity Authorities

Clinger-Cohen Act (1996), also known as the Information Technology Management Reform Act
Changed how the government managed IT for several decades; allowed agencies to acquire IT resources more independently; required agencies to appoint a chief information officer (CIO); increased accountability for IT planning and operations

Federal Information Security Management Act (2002)
Outlined roles and responsibilities for federal cybersecurity management; required agencies to develop, document, and implement programs to secure their data and information systems

Federal Information Security Modernization Act (2014)
Modified the original 2002 law; clarified and updated the responsibilities and authorities of DHS and OMB in relation to federal agency information security

National Cybersecurity Protection Act (2014)
Formalized the National Cybersecurity and Communications Integration Center within DHS to interface and share cybersecurity information across federal and non-federal entities

Federal Information Technology Acquisition Reform Act (2014)
Expanded the authorities of CIOs; addressed matters like risk management for IT investments, data center consolidation, IT training, and acquisition/procurement

Cybersecurity Act of 2015
Incentivized information sharing between the federal government and private industry, via DHS, by providing liability protections for private sector actors that share threat indicators and defensive measures with DHS; required all civilian agencies to implement EINSTEIN, a DHS program to detect and block threats to federal networks

Cybersecurity National Security Action Plan (2016)
Established a commission to expand the nation’s cybersecurity workforce; established a Federal Chief Information Security Officer and increased government-wide shared services for IT and cybersecurity


The Government’s Role in a Cybersecurity Event

By law, every federal agency and state is responsible for its own cybersecurity.

The Presidential Policy Directive (PPD) United States Cyber Incident Coordination outlines the federal response to any cyber incident (government or private sector):

▪ The Department of Justice leads the investigative component

▪ The Department of Homeland Security leads asset protection

▪ The Director of National Intelligence leads intelligence support activities

▪ The National Security Council’s (NSC) Cyber Response Group will drive national policy coordination

▪ The Cyber Unified Coordination Group coordinates national operations


High-level Roles

https://www.belfercenter.org/sites/default/files/files/publication/Understanding%20Federal%20Cybersecurity%2004-2018_0.pdf


Agencies with Cybersecurity Responsibility

▪ Cybersecurity and Infrastructure Security Agency (CISA)

▪ Office of Management and Budget (OMB)

▪ National Institute of Standards and Technology (NIST)

▪ Government Services Agency (GSA)

▪ Department of Defense (DoD)

▪ Office of the Director of National Intelligence (ODNI)

▪ Department of Justice (DOJ)

▪ Federal Bureau of Investigation (FBI)

▪ Department of State (DOS)

▪ United States Secret Service (USSS)

▪ National Security Agency (NSA)

▪ Federal Security Centers

  ▪ National Cybersecurity and Communications Integration Center (NCCIC)

  ▪ National Cyber Investigative Joint Task Force (NCIJTF)

  ▪ National Security Agency Cybersecurity Threat Operations Center (NCTOC)

  ▪ Department of Defense Cyber Crime Center (DC3)

  ▪ Intelligence Community – Security Coordination Center (IC-SCC)


Do We Have it Right?

As many tools are already available, is the government’s job complete?

If so, what comes next?

If not, what should the government’s role in cybersecurity workforce development be?


October is National Cybersecurity Awareness Month (NCSAM)

For more information, contact [email protected]


For more information:

cisa.gov

niccs.us-cert.gov

Questions?

Email: [email protected]


Back-up slides


CISA Role

▪ Lead agency for asset response during a significant cyber incident, acting through the National Cybersecurity and Communications Integration Center

▪ Plays a leadership and operational role, supporting federal civilian agencies in their cybersecurity risk management

▪ Provides a “common baseline” of security to all agencies

▪ Acts as a hub for information sharing across the federal government and between the government and private sector

▪ Promotes widespread adoption of NIST guidance and conducts risk assessments with other agencies

▪ Assists other agencies in responding to incidents and is responsible for critical infrastructure security


OMB Role

▪ Develops and oversees the implementation of policies, principles, standards, and guidelines on information security

▪ Directs federal departments and agencies to report major cyber incidents within seven days, as well as to submit reporting to Congress, CISA, and OMB annually

▪ Develops, communicates, and enforces information security policies and adoption of standards and guidelines across federal agencies

▪ Provides data and risk-based oversight to federal cybersecurity programs

▪ Supports CISA to reduce adverse impacts of major incidents and vulnerabilities within the federal government


NIST Role

▪ Develops standards and guidelines for information systems not related to national security

▪ Creates Federal information processing standards

▪ Provides guidelines to federal agencies through a multi-stakeholder engagement process with industry (e.g., BIOS management, wireless protocol, supply chain risk management)


GSA Role

▪ Supports federal government agencies by identifying and delivering cybersecurity products and services (i.e. standardized acquisition vehicles)

▪ Promotes cybersecurity of connected devices used by federal agencies, such as those used in buildings or vehicles

▪ Provides risk advisory as well as assessment, training, and support to election infrastructure

▪ Plays a smaller role in partnering with agencies to improve the user experience of government (websites, digitizing internal systems, fixing tech problems)


DoD Role

▪ Responsible for threat response to cyber incidents affecting DoD assets and the DoD Information Network (DoDIN)

▪ Supports civil authorities for cyber incidents outside the DoDIN when requested by the lead federal agency, approved by the appropriate DoD official, directed by the President

▪ Provides support based upon the needs of the incident, the capabilities required, and the readiness of available forces

▪ Provides intelligence on election infrastructure threats to CISA and helps update sensors to compromised systems

▪ “Defend forward” to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict

▪ Protects the .mil cyber space


ODNI Role

▪ Lead coordinator for intelligence support during a significant cyber incident, acting through the Cyber Threat Intelligence Integration Center

▪ Provides intelligence support and related activities to federal asset and threat agencies

▪ Facilitates the building of situational threat awareness and sharing of related intelligence; the integrated analysis of threat trends and events; the identification of knowledge gaps; and the ability to degrade or mitigate adversary threat capabilities


DOJ Role

▪ Lead agency for threat response during a significant cyber incident, acting through the Federal Bureau of Investigation (FBI) and National Cyber Investigative Joint Task Force

▪ Provides threat response activities such as conducting appropriate law enforcement and national security investigative activities at the affected entity's site; collecting evidence and gathering intelligence; providing attribution; linking related incidents; identifying additional affected entities; identifying threat pursuit and disruption opportunities; developing and executing courses of action to mitigate the immediate threat; and facilitating information sharing and operational coordination with asset response


FBI Role

▪ Collects and coordinates the sharing of relevant intelligence and other information between FBI domestic personnel and FBI staff assigned to Legal Attaché offices around the world

▪ Coordinates the sharing of intelligence among and between federal agencies and international intelligence and law enforcement elements

▪ Produces and shares analytical products, including those that assess threats to the homeland and inform related planning, capability development, and operational activities

▪ Coordinates with ODNI mission and support centers that provide unique capabilities for homeland security partners


DOS Role

▪ Represents the United States in all global diplomatic engagements across the full range of international policy imperatives, including cyber issues

▪ Leverages its diplomats in the embassies and posts around the globe to provide international diplomatic support for cyber incident response around the clock

▪ Coordinates diplomatic outreach related to cyber incidents

▪ Many federal departments and agencies actively maintain and leverage multilateral and bilateral partnerships


USSS Role

▪ Maintains a national network of Electronic Crimes Task Forces, combining the resources of academia, private sector, and SLTT law enforcement

▪ Prevents, detects, and investigates electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems


NSA Role

▪ The National Security Agency Cybersecurity Threat Operations Center (NCTOC) is the 24/7/365 NSA element that characterizes and assesses foreign cybersecurity threats.

▪ Informs partners of current and potential malicious cyber activity through its analysis of foreign intelligence, with a focus on adversary computer network attacks, capabilities, and exploitations

▪ Provides technical assistance to U.S. Government departments and agencies upon request


Federal Security Centers

▪ National Cybersecurity and Communications Integration Center (NCCIC): As an operational element of CISA, the NCCIC is the primary platform to coordinate the federal government’s asset response to cyber incidents. The NCCIC is authorized under Section 3 of the National Cybersecurity Protection Act of 2014.

▪ National Cyber Investigative Joint Task Force (NCIJTF) is a multi-agency center hosted by the FBI and is the primary platform to coordinate the Federal Government’s threat response. The NCIJTF is chartered under paragraph 31 of National Security Presidential Directive-54/Homeland Security Presidential Directive-23.


Federal Security Centers (cont.)

▪ Cyber Threat Intelligence Integration Center (CTIIC): Operated by the Office of the Director of National Intelligence, the CTIIC is the primary platform for intelligence integration, analysis, and supporting activities for the Federal Government. CTIIC also provides integrated all-source analysis of intelligence related to foreign cyber threats or cyber incidents affecting U.S. national interests.

▪ U.S. Cyber Command (USCYBERCOM) Joint Operations Center (JOC): The USCYBERCOM JOC directs the U.S. military’s cyberspace operations and defense of the DoDIN. USCYBERCOM manages both the threat and asset responses for the DoDIN during incidents affecting the DoDIN and receives support from the other centers, as needed.


Federal Security Centers (cont.)

▪ National Security Agency Cybersecurity Threat Operations Center (NCTOC) is the 24/7/365 NSA element that characterizes and assesses foreign cybersecurity threats. The NCTOC informs partners of current and potential malicious cyber activity through its analysis of foreign intelligence, with a focus on adversary computer network attacks, capabilities, and exploitations. Upon request, the NCTOC also provides technical assistance to U.S. Government departments and agencies.

▪ Department of Defense Cyber Crime Center (DC3) supports law enforcement, counterintelligence, information assurance, network defense, and critical infrastructure protection communities through digital forensics, focused threat analysis, and training. DC3 provides analytical and technical capabilities to federal agency mission partners conducting national cyber incident response.


Federal Security Centers (cont.)

▪ Intelligence Community – Security Coordination Center (IC-SCC) monitors and oversees the integrated defense of the IC Information Environment in conjunction with IC mission partners and in accordance with the authority and direction of the Office of the Director of National Intelligence Chief Information Officer.
