Clearance barriers to Cyber Security Profession
Transcript of Clearance barriers to Cyber Security Profession
1
The Effects of U.S. Government Security Regulations on the Cybersecurity Professional
Aleta Wilson, Ph.D.; Clay Wilson, Ph.D.
◦ This study explores activities required to employ cyber security workers for the federal government and its contractor community
◦ These two sectors comprise an estimated 500,000 workers who must undergo a significant background check because their positions are labelled as "national security positions".
2
Scope
3
Definition of a Cyber Security Professional
DOL Occupational Outlook Handbook does not contain a definition for cybersecurity professionals
DOL categories acknowledge positions that involve people who
◦ plan, coordinate, and maintain an organization's information security
◦ database administrators plan and coordinate security measures with network administrators
◦ network engineers "may ... address information security issues"
4
Definition of a Cyber Security Professional - DOL
Department of Homeland Security Secretary Janet Napolitano defines cybersecurity professionals as
◦ employees responsible for "... cyber risk and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering"
5
Definition of a Cyber Security Professional - DHS
◦ Frost & Sullivan conducted a survey of 10,413 information security professionals which indirectly defined security professionals as those employed as Information Security professionals and those who had cyber security as their primary job function.
6
Definition of a Cyber Security Professional – ISC2
DOD usually takes the lead in defining elements related to cyberspace and cybersecurity, but according to GAO
"DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations"
7
Definition of a Cyber Security Professional – DOD
Professionals who have information security as a major part of their job;
those who self-identify as cyber or security specialists; and,
those who build and maintain the national critical infrastructure of the computer systems on which the public and private sectors have come to rely.
8
Definition of a Cyber Security Professional – for this study
Now that we’ve defined them….
Let’s go get them….
9
DHS staffing up to 1,000 positions over three years from 2009
DOD’s recently established Cyber Command is also staffing up
NSA is stealing every human being from all sides
Plus industry has corporate and contract needs to fulfill
10
Need for Cyber Professionals
"... there are not enough cybersecurity experts within the Federal Government or private sector to implement the [Comprehensive National Cybersecurity Initiative], nor is there an adequately established Federal cybersecurity career field" (Obama, 2009).
11
Need for Cyber Professionals
Education (lack of)
◦ Science, Technology, Engineering
Security Clearances
◦ U.S. Citizens need only apply
12
Barriers
Cyber positions are classified as “National Security Positions”
Clearances are required
Requires extensive background check
Direct effect on cyber workforce
13
Security Clearance Policies and Procedures
• Clock starts when there is a “need to know” i.e., job offer
• A job search on Monster.com found 882 positions requiring a security clearance within 5 miles of DC zip code
• "If you are a Software Engineer and/or Systems Administrator with an active TS/SCI clearance and Full Scope Polygraph, please read on!"
14
Clearance Barrier – Need to Know
• OPM handles 90% of security clearances for the feds and contractor community
• Alphabet agencies conduct their own clearances
• CIA, DIA, FBI, NGA, NRO, NSA, DoS
• Reciprocity is coming (and so is Christmas)
15
Clearance Barrier – Reciprocity
16
[Figure 1: Security Clearance Flowchart. Legend: BI = background investigation; PH = potential hire; HA = hiring agency. Box labels as extracted: Start; PH meets job qualifications (is suitable); Is there a BI file at OPM (Yes/No); Issue Contingency Hire Letter; Gather ID, etc. and begin hiring process; PH submits clearance documentation to HA; HA requests background investigation; PH passes HA suitability test (Yes/No); PH passes investigation (Yes/No); Rescind offer; Hire; End.]
3 months to 1 year. Goal is 74 days, but ….
Many of current jobs will become vacant over the next 10 years
Workforce must be home-grown due to citizenship requirement
Great news for those with clearances
◦ Only 2% of those with clearances are unemployed
Companies like Booz Allen stockpile cleared workers through use of college internships
Small firms are inhibited from bids requiring cleared personnel
17
Effects of Security Policies on Cyber Profession
Potential hires are given contingency letter pending clearance that can take 3 to 9 months for TS
Some government bids require cleared personnel be included in bid
If company cannot fill slot then they can lose contract
Outcome – company with best cyber expertise but lacking facility clearance may be locked out of bid.
18
Effects of Security Policies on HRM
Increased emphasis on S.T.E.M.
$260M invested in STEM over next decade
Growth in STEM jobs is 3X non-STEM jobs
Government is certifying Universities with Information Assurance programs as Centers of Academic Excellence (124 and counting)
19
Effects of Security Policies on Educational System
Feds need to modify security regulations specific to cybersecurity professionals
◦ Relax the "need to know" rule and run clearance process concurrent with last semester of college
◦ When they graduate… they can immediately begin work
Grant "facility clearances" to the Centers of Excellence so that they can submit their IA students for clearances
Require a work commitment from student who is granted a clearance (i.e., student agrees to work for gov for a minimum of two years)
Centers of Excellence can partner with large cleared contractors who will agree to hire and clear graduates
20
Conclusion
Effect of security clearance barriers on small businesses that sell IT services to the government
Are companies with strong cyber skill sets being eliminated due to lack of security clearances?
21
Further Research
22
NSA designated National Center of Academic Excellence in Information Assurance Education